
Persistent Siege: Large-Scale Brute Force Attacks on Cisco ASA SSL WebVPN

Published on Jun 4, 2024

Since December 2023, we've been closely monitoring large-scale brute force campaigns targeting Cisco ASA SSL WebVPN. In April 2024, Cisco Talos released an advisory detailing these malicious activities, highlighting the severity and persistence of the threat.

Attack Volume

The volume of these attacks, as tracked through Sphere, is significant. Daily attack attempts range from 1,000 to 8,000, indicating a highly active and sustained campaign. This high frequency poses a serious threat: the brute force attempts can reach the RADIUS authentication servers and thereby block legitimate users from accessing WebVPN interfaces.

Source IPs

Our analysis shows that the attacks originate from a mix of residential proxies, VPNs, and suspicious hosting providers. This diversity of sources complicates mitigation, as it makes it difficult to pinpoint and block the malicious IPs effectively.

Credentials and Attack Methods

The attackers use automated scripts to carry out these brute force attempts. These scripts first fingerprint WebVPN instances to identify potential targets. The login attempts predominantly use generic credentials such as 'training', 'vpn', 'support', 'backup', and similar simplistic passwords. This approach suggests the attackers rely on common, weak credentials that might be overlooked or left unchanged on some systems.
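Because the sources are spread across many IPs, a per-address threshold misses this pattern; grouping rejected logins by username does not. The following is an added detection example, not code from the original article: the log layout is an assumption modeled on ASA syslog message 113005, the sample lines are constructed, and the `min_ips` threshold is illustrative.

```python
import re
from collections import defaultdict

# Usernames the article lists as typical of this campaign.
GENERIC_USERS = {"training", "vpn", "support", "backup"}

# Assumed line layout, modeled on ASA syslog 113005 (rejected AAA authentication).
REJECT_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected : reason = .+? : "
    r"server = \S+ : user = (?P<user>\S+) : user IP = (?P<ip>\S+)")

# Constructed sample lines using documentation address ranges, not campaign data.
TEMPLATE = ("Jun 04 2024 10:00:0{} fw1 : %ASA-6-113005: AAA user authentication "
            "Rejected : reason = AAA failure : server = 10.0.0.5 : "
            "user = {} : user IP = {}")
ATTEMPTS = [("training", "198.51.100.10"), ("training", "203.0.113.7"),
            ("training", "192.0.2.44"), ("vpn", "203.0.113.7"),
            ("backup", "198.51.100.23"), ("jsmith", "192.0.2.200")]
SAMPLE_LOG = [TEMPLATE.format(i, u, ip) for i, (u, ip) in enumerate(ATTEMPTS)]
# A successful login (constructed); the parser must ignore it.
SAMPLE_LOG.append("Jun 04 2024 10:00:09 fw1 : %ASA-6-113004: AAA user "
                  "authentication Successful : server = 10.0.0.5 : user = jsmith")

def summarize_rejects(lines):
    """Group rejected logins by username: attempt count and distinct source IPs."""
    stats = defaultdict(lambda: {"attempts": 0, "ips": set()})
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            entry = stats[m["user"].lower()]
            entry["attempts"] += 1
            entry["ips"].add(m["ip"])
    return stats

def flag_usernames(stats, min_ips=3):
    """Flag generic usernames, and any username rejected from >= min_ips sources."""
    flagged = {}
    for user, entry in stats.items():
        reasons = []
        if user in GENERIC_USERS:
            reasons.append("generic-username")
        if len(entry["ips"]) >= min_ips:
            reasons.append("many-sources")
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    stats = summarize_rejects(SAMPLE_LOG)
    for user, reasons in sorted(flag_usernames(stats).items()):
        print(user, stats[user]["attempts"], len(stats[user]["ips"]), reasons)
```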

Current Status

As of June 4, 2024, these attacks are ongoing, indicating that the threat actors remain active and persistent in their efforts.

Indicators of Compromise

For those seeking more detailed information on the malicious indicators involved in these attacks, including IPs, user agents, and specific username/password combinations, please refer to the repository linked below.

Further Reading

For a comprehensive understanding of these large-scale brute force activities targeting VPNs, additional details, and recommendations, please read the following article:
