Networking giant Cisco has warned its users of an ongoing attack on its business VPN services.
In a security advisory, Cisco said it had been made aware of an ongoing password attack on several third-party VPN concentrators.
In this case, it was the Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall that were affected.
Russian attackers
“Depending on your environment, the attacks can cause accounts to be locked out, resulting in Denial of Service (DoS)-like conditions,” Cisco explains, saying the activity appears to be a reconnaissance effort. The threat actors were not named.
Password spraying is a type of attack in which the threat actor tries the same password with multiple accounts until one combination works.
In listing its suite of defenses and solutions, Cisco recommended enabling logging to a remote syslog server for better correlation and control of network and security incidents across different network devices; securing default VPN profiles for remote access by pointing unused default connection profiles to sinkhole AAA servers; leveraging TCP shun to manually block dangerous IP addresses and configuring ACLs at control points to prevent unauthorized public IP addresses from running VPN sessions; and using certificate-based authentication for RAVPN.
Security researcher Aaron Martin claims that the attack was likely the work of an undocumented malware botnet called Brutus.
He reportedly made the connection after observing the malware’s reach and attack patterns. In his analysis of the botnet, Martin said it has about 20,000 IP addresses worldwide. Initially, the attacks targeted SSLVPN devices from Fortinet, Palo Alto, SonicWall and Cisco, but have since added web apps that use Active Directory for authentication.
To avoid raising flags, Brutus rotates its IPs every six attempts.
Although inconclusive, some evidence points to Brutus being the work of APT29, a notorious Russian state-sponsored threat actor.
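The IP rotation described above is exactly why Cisco's advice to ship logs to a remote syslog server for correlation matters: a per-IP failure counter on the firewall sees only a handful of attempts per source, while a per-account view across all sources still exposes the spray. The script below is an added example, not code from Cisco or from Martin's analysis; the log lines are constructed and modelled on the ASA AAA-rejected syslog message, with the exact field layout treated as an assumption.

```python
import re
from collections import defaultdict

def _reject_line(user, ip):
    # Constructed sample line modelled on the ASA "113005" AAA-rejected message
    # (format assumed for this example).
    return ("Mar 29 10:01:02 fw1 %ASA-6-113005: AAA user authentication Rejected : "
            f"reason = AAA failure : server = 10.0.0.5 : user = {user} : user IP = {ip}")

# Constructed scenario: four source IPs, each making six attempts (one per
# account) before rotating, plus one legitimate user mistyping twice.
ATTACK_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOGS = "\n".join(_reject_line(u, ip) for ip in ATTACK_IPS for u in TARGETS)
SAMPLE_LOGS += "\n" + "\n".join(_reject_line("greg", "198.51.100.7") for _ in range(2))
SAMPLE_LOGS += ("\nMar 29 10:02:00 fw1 %ASA-6-113004: AAA user authentication "
                "Successful : server = 10.0.0.5 : user = greg")

LINE_RE = re.compile(r"authentication Rejected .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)")

def parse_failures(text):
    """Return a list of (user, ip) pairs, one per rejected-authentication line."""
    return [(m.group("user"), m.group("ip"))
            for m in (LINE_RE.search(line) for line in text.splitlines()) if m]

def spray_sources(failures, min_users=5):
    """Per-IP view: sources that failed against many distinct accounts."""
    users_by_ip = defaultdict(set)
    for user, ip in failures:
        users_by_ip[ip].add(user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def accounts_under_attack(failures, min_ips=3):
    """Per-account view: users failing from many distinct IPs. This survives
    IP rotation, because the attacker's budget per IP does not shrink the
    number of sources hitting each account."""
    ips_by_user = defaultdict(set)
    for user, ip in failures:
        ips_by_user[user].add(ip)
    return {u: len(i) for u, i in ips_by_user.items() if len(i) >= min_ips}

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOGS)
    print("spraying sources:", spray_sources(failures))
    print("accounts under attack:", accounts_under_attack(failures))
```

Lowering the attacker's per-IP budget below `min_users` would silence `spray_sources`, but `accounts_under_attack` still flags every targeted account; that is the lockout-risk signal worth alerting on.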
Via BleepingComputer