Article Details
Scrape Timestamp (UTC): 2024-03-28 16:40:28.453
Original Article Text
Click to Toggle View
Cisco warns of password-spraying attacks targeting VPN services. Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. The company says that the attacks have also been targeting other remote access VPN services and appear to be part of reconnaissance activity. During a password-spraying attack, an adversary tries the same password with multiple accounts in an attempt to log in. Cisco’s mitigation guide lists indicators of compromise (IoCs) for this activity to help detect the attacks and block them. This includes inability to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled. Another sign is an unusual amount of authentication requests recorded by system logs. Cisco’s recommendations to defend against these attacks include: Links to Brutus botnet Security researcher Aaron Martin told BleepingComputer that the activity observed by Cisco is likely from an undocumented malware botnet he named ‘Brutus.’ The connection is based on the particular targeting scope and attack patterns. Martin has published a report on the Brutus botnet describing the unusual attack methods that he and analyst Chris Grube observed since March 15. The report notes that the botnet currently relies on 20,000 IP addresses worldwide, spanning various infrastructures from cloud services to residential IPs. The attacks that Martin observed initially targeted SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco but have now expanded to also include web apps that use Active Directory for authentication. Brutus rotates its IPs every six attempts to evade detection and blocking, while it uses very specific non-disclosed usernames that are not available in public data dumps. This aspect of the attacks raises concerns about how these usernames were obtained and might indicate an undisclosed breach or exploitation of a zero-day vulnerability. Though the operators of Brutus are unknown, Martin has identified two IPs that have been associated with past activities of APT29 (Midnight Blizzard, NOBELIUM, Cozy Bear), an espionage threat group believed to be work for the Russian Foreign Intelligence Service (SVR).
Daily Brief Summary
Cisco issued an alert on password-spraying attacks aimed at Remote Access VPN (RAVPN) services on their Secure Firewall devices.
Password-spraying techniques involve using the same password to access multiple user accounts during unauthorized attempts.
Indicators of Compromise (IoCs) and mitigation steps have been provided by Cisco to help organizations recognize and defend against these incidents.
Security researcher Aaron Martin associates these attacks with the 'Brutus' malware botnet, involving 20,000 IP addresses across various global infrastructures.
The botnet has targeted VPN appliances from multiple vendors and has expanded to web apps using Active Directory, using rotating IPs and specific usernames not found in public data breaches.
There's concern over how the attackers obtained the usernames, suggesting a potential undisclosed breach or zero-day exploit.
Some IP addresses linked to the Brutus botnet's activities have past associations with APT29, a Russian-linked espionage group.