Cybersecurity giant Cisco has issued an urgent security advisory warning customers about an ongoing campaign of password spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
These attacks, which appear to be part of a broader reconnaissance effort, have also set their sights on other remote access VPN solutions from various vendors.
The Anatomy of Password-Spraying Attacks
In a password-spraying attack, threat actors employ a brute-force technique that involves attempting the same password across multiple user accounts. This approach increases the likelihood of success, especially when weak or reused passwords are involved.
Unlike traditional brute-force attacks that try multiple passwords on a single account, password-spraying reduces the risk of account lockouts while maximizing the potential for compromising valid credentials.
Indicators of Compromise
Cisco has provided a list of indicators of compromise (IoCs) to help organizations detect and mitigate these attacks. These signs include:
- Inability to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled
- An unusual surge in authentication requests recorded in system logs, indicating potential brute-force attempts
Mitigation Strategies Recommended by Cisco
To defend against these persistent password-spraying attacks, Cisco has outlined several mitigation strategies:
- Enable logging to a remote syslog server to improve incident analysis and correlation capabilities.
- Secure unused default VPN connection profiles by pointing them to a sinkhole AAA (Authentication, Authorization, and Accounting) server, preventing unauthorized access.
- Use the TCP shun feature to manually block source IP addresses observed attempting to brute-force credentials.
- Configure control-plane ACLs (Access Control Lists) to filter out unauthorized public IP addresses from initiating VPN sessions.
- Implement certificate-based authentication for RAVPN, providing a more secure authentication method than traditional username and password credentials.
The Brutus Botnet Connection
Security researcher Aaron Martin has shed light on a potential link between the activity observed by Cisco and an undocumented malware botnet he has dubbed “Brutus.” This connection is based on the specific targeting scope and attack patterns exhibited by the Brutus botnet.
According to Martin’s report, the Brutus botnet currently relies on over 20,000 IP addresses worldwide, spanning various infrastructures, including cloud services and residential IP addresses.
Initially targeting SSL VPN (Secure Sockets Layer Virtual Private Network) appliances from vendors like Fortinet, Palo Alto, SonicWall, and Cisco, the botnet has now expanded its attacks to include web applications that use Active Directory for authentication.
The Brutus botnet employs evasive tactics to avoid detection and blocking, such as rotating its IP addresses every six attempts. Moreover, the botnet uses very specific, non-disclosed usernames that are not available in public data dumps.
This aspect of the attacks raises concerns about how these usernames were obtained and might indicate an undisclosed breach or the exploitation of a zero-day vulnerability.
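The "surge in authentication requests" indicator above and the IP-rotation behaviour described for Brutus point to the same detection problem: a per-source-IP failure threshold never trips when each address only makes a few attempts. The following added example (not from Cisco or the researcher's report) shows one way to hunt for the spray pattern in exported syslog instead, by keying on the number of distinct accounts failing inside a time window. The log lines are constructed samples, and their layout is an assumption modelled on the ASA/FTD "113005 AAA user authentication Rejected" message; adjust the regex to the exact format your devices emit.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic); format is an assumption modelled on
# the ASA/FTD "%ASA-6-113005 AAA user authentication Rejected" syslog message.
SAMPLE_SYSLOG = """\
Mar 27 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = alice : user IP = 198.51.100.10
Mar 27 2024 10:00:07 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = bsmith : user IP = 198.51.100.10
Mar 27 2024 10:00:15 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = cjones : user IP = 203.0.113.44
Mar 27 2024 10:00:22 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = dlee : user IP = 203.0.113.44
Mar 27 2024 10:00:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = evans : user IP = 192.0.2.9
Mar 27 2024 10:00:41 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = fwong : user IP = 192.0.2.9
Mar 27 2024 10:01:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = alice : user IP = 198.51.100.77
Mar 27 2024 11:30:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = gmiller : user IP = 198.51.100.5
Mar 27 2024 11:30:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = gmiller : user IP = 198.51.100.5
Mar 27 2024 11:30:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = gmiller : user IP = 198.51.100.5
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: "
    r".*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejections(text):
    """Yield (timestamp, user, source_ip) for every rejected-authentication line."""
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["user"], m["ip"]


def detect_spray(text, window_min=10, min_users=5, max_per_user=2):
    """Flag windows where many distinct accounts fail but each only a few times.

    Keyed on accounts rather than source IP: a campaign that rotates IPs after a
    handful of attempts keeps every per-IP counter below a blocking threshold."""
    buckets = defaultdict(list)
    for ts, user, ip in parse_rejections(text):
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        buckets[start].append((user, ip))
    findings = []
    for start, events in sorted(buckets.items()):
        per_user = Counter(u for u, _ in events)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings.append({"window_start": start, "users": len(per_user),
                             "attempts": len(events),
                             "source_ips": sorted({ip for _, ip in events})})
    return findings  # the 10:00 window is flagged; gmiller's 11:30 failures are not
```

The repeated failures for a single account at 11:30 are a classic per-account brute force and are deliberately left to a separate, account-keyed rule; tune the window and thresholds to your normal failure rate before alerting on this.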
Potential APT29 Involvement
Interestingly, Martin has identified two IP addresses associated with past activities of APT29 (also known as Midnight Blizzard, NOBELIUM, or Cozy Bear), a renowned Russian state-sponsored threat group believed to work for the Russian Foreign Intelligence Service (SVR).
However, the operators behind the Brutus botnet remain unknown.
As cyber threats continue to evolve and adopt more sophisticated tactics, organizations must remain vigilant and implement robust security measures to protect their remote access infrastructure and sensitive data.
By following Cisco’s recommendations and staying informed about emerging threats like the Brutus botnet, organizations can bolster their defenses against password-spraying attacks and other unauthorized access attempts.