Cisco Issues Recommendations to Mitigate Password-Spraying Attacks on VPN Services
Cisco has provided a series of suggestions for customers to counter password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company notes that these attacks, which also target other remote access VPN services, are likely part of reconnaissance activities.

In a password-spraying attack, adversaries attempt the same password across multiple accounts to gain unauthorized access.

Cisco's mitigation guide includes indicators of compromise (IoCs) to aid in detecting and blocking these attacks. Signs of compromise include difficulties in establishing VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled, as well as an unusual volume of authentication requests recorded in system logs.

Recommendations from Cisco to defend against these attacks include:

  • Enabling logging to a remote syslog server for improved incident analysis.
  • Securing default remote access VPN profiles by redirecting unused default connection profiles to a sinkhole AAA server to prevent unauthorized access.
  • Leveraging TCP shun to manually block malicious IPs.
  • Configuring control-plane ACLs to filter out unauthorized public IP addresses from initiating VPN sessions.
  • Employing certificate-based authentication for RAVPN for a more secure authentication method.

Security researcher Aaron Martin suggests that the activity reported by Cisco likely stems from a previously undocumented malware botnet named 'Brutus.' Martin, together with analyst Chris Grube, has been observing its unusual attack methods since March 15.

The Brutus botnet currently operates using 20,000 IP addresses worldwide, spanning various infrastructures from cloud services to residential IPs.

Initially targeting SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco, the attacks have expanded to include web apps using Active Directory for authentication.

To evade detection and blocking, Brutus rotates its source IP address every six attempts and uses specific, undisclosed usernames that do not appear in public data dumps.
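The "unusual volume of authentication requests" that Cisco lists as an indicator, and the six-attempts-then-rotate behaviour attributed to Brutus above, are both detectable from the remote syslog feed Cisco recommends enabling. The following is an added example (not Cisco's code, and not from Martin's research) that parses constructed log lines modelled on Cisco ASA AAA-rejection messages and applies two rules: a per-source rule for a single IP hitting many accounts, and a campaign rule that catches sources which each stay under a per-IP threshold but together sweep many accounts in one time window. The message layout, hostnames, IP addresses, usernames and thresholds are all assumptions constructed for illustration; real device output should be checked against the field names before the regular expression is reused.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data ---------------------------------------------------
# Lines are modelled on Cisco ASA AAA syslog messages (113005 = rejected,
# 113004 = successful). The exact field layout is approximated here and is an
# assumption, not copied from a real device.
def _reject(ts, user, ip):
    return (f"{ts} asa1 %ASA-6-113005: AAA user authentication Rejected : "
            f"reason = AAA failure : server = 10.0.0.5 : user = {user} : user IP = {ip}")

def _accept(ts, user):
    return (f"{ts} asa1 %ASA-6-113004: AAA user authentication Successful : "
            f"server = 10.0.0.5 : user = {user}")

_ATTACK = [  # three rotating sources, six attempts each, every attempt a different account
    ("203.0.113.7",   ["alice", "bob", "carol", "dave", "erin", "frank"]),
    ("198.51.100.22", ["grace", "heidi", "ivan", "judy", "mallory", "niaj"]),
    ("198.51.100.23", ["olivia", "peggy", "quentin", "rupert", "sybil", "trent"]),
]
SAMPLE_LOGS = []
_t = datetime(2024, 3, 27, 10, 0, 0)
for _ip, _users in _ATTACK:
    for _user in _users:
        _t += timedelta(seconds=1)
        SAMPLE_LOGS.append(_reject(_t.isoformat(), _user, _ip))
# Benign noise: one user mistypes a password twice, then logs in.
SAMPLE_LOGS += [
    _reject("2024-03-27T10:02:00", "oscar", "192.0.2.5"),
    _reject("2024-03-27T10:02:30", "oscar", "192.0.2.5"),
    _accept("2024-03-27T10:03:00", "oscar"),
]

# --- Detection ------------------------------------------------------------------
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-\d+: AAA user authentication Rejected .*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)

def parse_failures(lines):
    """Return sorted (timestamp, username, source_ip) tuples for every rejected authentication."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    events.sort()
    return events

def per_ip_spray(events, min_users=5):
    """Classic spray: one source IP failing against many distinct accounts."""
    users_by_ip = defaultdict(set)
    for _, user, ip in events:
        users_by_ip[ip].add(user)
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)

def rotating_spray(events, window=timedelta(minutes=10), min_users=10,
                   max_per_ip=6, min_sources=2):
    """Low-and-slow spray that rotates source IPs: each IP stays at or below
    max_per_ip attempts (so per_ip_spray with a high threshold never fires),
    yet the campaign as a whole hits many distinct accounts inside one window."""
    for i, (start, _, _) in enumerate(events):
        users, attempts, users_by_ip = set(), defaultdict(int), defaultdict(set)
        for ts, user, ip in events[i:]:
            if ts - start > window:
                break
            users.add(user)
            attempts[ip] += 1
            users_by_ip[ip].add(user)
        # A source that hammers a single account is a typo or brute force, not
        # spraying, so a suspect source must have tried at least two accounts.
        sources = {ip: len(u) for ip, u in users_by_ip.items()
                   if len(u) >= 2 and attempts[ip] <= max_per_ip}
        if len(users) >= min_users and len(sources) >= min_sources:
            return {"window_start": start, "distinct_users": len(users), "sources": sources}
    return None

if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOGS)
    print("per-IP (>=5 users):", per_ip_spray(ev, min_users=5))
    print("per-IP (>=10 users):", per_ip_spray(ev, min_users=10))
    print("rotating campaign:", rotating_spray(ev))
```

On the sample data the per-source rule with a threshold of ten accounts sees nothing, because no single IP exceeds six attempts; the campaign rule still fires because nineteen distinct accounts fail inside one ten-minute window from three sources, while the benign user on 192.0.2.5 is excluded for having tried only one account. The sources it returns are the candidates for the TCP shun or control-plane ACL entries Cisco recommends.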

The use of these usernames raises concerns that they may have been obtained through an undisclosed breach or the exploitation of a zero-day vulnerability.

While the operators behind Brutus remain unidentified, Martin has linked two of the IPs to past activity of APT29 (Midnight Blizzard, NOBELIUM, Cozy Bear), an espionage group believed to operate on behalf of the Russian Foreign Intelligence Service (SVR).