Persistent Siege: Large-Scale Brute Force Attacks on Cisco ASA SSL WebVPN
Since December 2023, we've been closely monitoring large-scale brute force campaigns targeting Cisco ASA SSL WebVPN. By April 2024, Cisco Talos released an advisory detailing these malicious activities, highlighting the severity and persistence of the threat.
Attack Volume
The volume of these attacks, as tracked through Sphere, is significant. The daily attack attempts range from 1,000 to 8,000, indicating a highly active and sustained campaign. This high frequency poses a serious threat as it can potentially brute force RADIUS authentication servers, thereby blocking legitimate users from accessing WebVPN interfaces.
Source IPs
Our analysis shows that the attacks originate from a mix of residential proxies, VPNs, and suspicious hosting providers. This diversity in sources complicates mitigation efforts, as it makes it difficult to pinpoint and block the malicious IPs effectively.
Credentials and Attack Methods
The attackers use automated scripts to carry out these brute force attempts. These scripts first fingerprint WebVPN instances to identify potential targets. The login attempts predominantly use generic credentials such as 'training,' 'vpn,' 'support,' 'backup,' and similar simplistic passwords. This approach suggests the attackers rely on common, weak credentials that might be overlooked or unchanged in some systems.
Current Status
As of June 4, 2024, these attacks are ongoing, indicating that the threat actors remain active and persistent in their efforts.
Indicators of Compromise
For those seeking more detailed information on the malicious indicators involved in these attacks, including IPs, user agents, and specific username/password combinations, please refer to the repository linked below.
https://github.com/ALPHATECHS-AL/cisco_asa_bruteforce_campaigns
Further Reading
For a comprehensive understanding and additional details about these large-scale brute force activities targeting VPNs and recommendations please read the following article: