Cisco Issues Recommendations to Defend Against VPN Password-Spraying Attacks

Cisco has issued recommendations for customers to defend against password-spraying attacks targeting Remote Access VPN services on Cisco Secure Firewall devices, and has provided indicators of compromise to assist in detection and prevention. Security researcher Aaron Martin links the attacks to an undocumented malware botnet named ‘Brutus’ that operates globally.

At a glance

  • Cisco recommends defenses against password-spraying attacks on Remote Access VPN services.
  • Attacks involve trying the same password across multiple accounts as reconnaissance.
  • The mitigation guide includes indicators of compromise for detection and prevention.
  • Signs of attacks include VPN connection issues and abnormal increase in authentication requests.
  • Brutus botnet is linked to attacks that target SSLVPN appliances with undisclosed usernames.

The details

Cisco has recently issued recommendations for customers to defend against password-spraying attacks targeting Remote Access VPN services on Cisco Secure Firewall devices.

These attacks are categorized as reconnaissance activities, where attackers try the same password across multiple accounts.

To assist in detection and prevention, Cisco’s mitigation guide includes indicators of compromise for organizations to identify and block malicious activities.

Signs of the attacks include difficulties in establishing VPN connections with the Cisco Secure Client and an abnormal increase in authentication requests in system logs.

Security researcher Aaron Martin has linked these attacks to an undocumented malware botnet named ‘Brutus’, operating with around 20,000 IP addresses globally.

The botnet targets SSLVPN appliances from various companies.

The Brutus botnet rotates IP addresses every six attempts and uses specific undisclosed usernames, suggesting a potential breach or exploitation of a zero-day vulnerability to obtain this information.
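The two signals described above, an abnormal rise in authentication requests in system logs and sources that rotate after a handful of attempts, can be turned into a simple detection pass over authentication logs. The following is an added example, not code from Cisco or from the article; it assumes a placeholder log format (`<timestamp> auth-reject user=<name> src=<ip>`) rather than any vendor's real syslog messages, and the sample lines are constructed.

```python
"""Heuristic detection of VPN password spraying in authentication-rejection logs.

Added example. The log format below is a placeholder chosen for this demo,
not a real vendor syslog format; adapt LOG_RE to the device you collect from.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder format: "2024-03-28T10:00:00 auth-reject user=alice src=203.0.113.10"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth-reject "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_rejects(lines):
    """Return (timestamp, user, src_ip) tuples for lines matching LOG_RE; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def spray_windows(events, window_minutes=10, min_rejects=12, min_users=6):
    """Bucket rejections into fixed windows and flag windows that look like spraying.

    Spraying shows up as many rejections spread across many distinct usernames
    (one password tried against many accounts), which is the opposite shape of a
    single user mistyping a password. Per-window IP statistics are reported so an
    analyst can see whether sources rotate after only a few attempts each.
    """
    buckets = defaultdict(list)
    for ts, user, ip in events:
        start = ts.replace(
            minute=(ts.minute // window_minutes) * window_minutes,
            second=0, microsecond=0,
        )
        buckets[start].append((user, ip))

    alerts = []
    for start in sorted(buckets):
        rows = buckets[start]
        users = Counter(u for u, _ in rows)
        ips = Counter(ip for _, ip in rows)
        if len(rows) >= min_rejects and len(users) >= min_users:
            alerts.append({
                "window_start": start.isoformat(),
                "rejects": len(rows),
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "max_attempts_per_ip": max(ips.values()),
            })
    return alerts


def _constructed_sample():
    """Constructed sample: 18 rejections in under ten minutes against 18 distinct
    usernames, from three source IPs used for six attempts each, followed an hour
    later by two ordinary failed logins from one user (should not be flagged)."""
    lines = []
    ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # documentation range
    for n in range(18):
        ts = f"2024-03-28T10:{n // 2:02d}:{(n % 2) * 30:02d}"
        lines.append(f"{ts} auth-reject user=user{n:02d} src={ips[n // 6]}")
    lines.append("2024-03-28T11:15:02 auth-reject user=alice src=198.51.100.7")
    lines.append("2024-03-28T11:15:40 auth-reject user=alice src=198.51.100.7")
    return lines


SAMPLE_LINES = _constructed_sample()


def run_sample():
    """Run the detector over the constructed sample and return the alerts."""
    return spray_windows(parse_rejects(SAMPLE_LINES))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Thresholds here are illustrative; in practice they should be tuned against a baseline of normal rejection volume for the VPN, and the `max_attempts_per_ip` field is what makes a low-and-slow, IP-rotating source visible even when no single address would trip a per-IP lockout.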

Concerns arise regarding the origin of these usernames and how they were acquired.

Additionally, two IP addresses associated with previous activities of APT29, a known threat actor, have been identified in connection with the Brutus attacks.

This raises concerns about the sophistication and potential implications of these ongoing cyber threats.

Organizations using Cisco Secure Firewall devices and VPN services should remain vigilant and implement the recommended security measures to protect against these targeted attacks.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– Cisco has shared recommendations for customers to mitigate password-spraying attacks targeting Remote Access VPN services on Cisco Secure Firewall devices
– The attacks are part of reconnaissance activity and involve trying the same password with multiple accounts
– Cisco’s mitigation guide lists indicators of compromise to help detect and block the attacks
– Signs of the attacks include inability to establish VPN connections with Cisco Secure Client and an unusual amount of authentication requests in system logs
– Security researcher Aaron Martin believes the attacks are from an undocumented malware botnet named ‘Brutus’
– The Brutus botnet relies on 20,000 IP addresses worldwide and targets SSLVPN appliances from various companies
– The botnet rotates IPs every six attempts and uses specific non-disclosed usernames not available in public data dumps
– Concerns have been raised about how these usernames were obtained, potentially indicating an undisclosed breach or exploitation of a zero-day vulnerability
– Two IPs associated with past activities of APT29 have been identified in connection with the Brutus attacks
