Brutus Botnet Uses Brute Force to Compromise VPN Services – Hacker

Cisco has published a set of recommendations and warned customers about password spray attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. This activity appears to be associated with the Brutus botnet.

Cisco says the attacks also appear to target other VPN services and are likely part of reconnaissance efforts by unknown attackers.


In a password spray attack, the attacker tries one password (or a short list of common passwords) against many accounts, rather than many passwords against one account, which keeps the number of failures per account below lockout thresholds. Cisco's guidance lists indicators of compromise (IoCs) that can help detect and block this activity. One example is the inability to establish a VPN connection with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled.

Another sign of malicious activity is an unusually high number of authentication requests in the system logs. Cisco's other recommendations for protecting against these attacks include:

  • enabling logging to a remote syslog server to improve analysis and correlate events across incidents;
  • using TCP shun to manually block malicious IP addresses;
  • configuring a control-plane ACL to filter out unauthorized public IP addresses before they can initiate RAVPN sessions;
  • using certificate-based authentication for RAVPN, which is more robust than password credentials.

Information security specialist Aaron Martin believes that this activity, and Cisco's warning, are most likely associated with a new botnet, which he has named Brutus.

Martin has published a report on Brutus describing the attack methods he and his colleague Chris Grube have observed since March 15, 2024. According to the report, the botnet currently uses approximately 20,000 IP addresses worldwide, spanning infrastructure from cloud services to residential IP addresses.


The botnet's attacks initially targeted SSL VPN devices from Fortinet, Palo Alto Networks, SonicWall, and Cisco, but have since expanded to web applications that use Active Directory for authentication.

Brutus rotates its source IP address every six login attempts to evade detection and blocking, which keeps each address below the per-source lockout and rate-limit thresholds most defenders rely on. It also uses very specific usernames that do not appear in publicly available data dumps.
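The two observations above (an unusually high number of failed authentications in the logs, and an attacker that never exceeds six attempts per source address) together dictate how detection has to work: count distinct usernames failing per time window, not failures per IP. The following is an added example written for this page; it is not Cisco's tooling and not code from Martin's report. It parses constructed sample lines in the layout of the ASA `%ASA-6-113005` "AAA user authentication Rejected" message (assumed format), flags a spray window, and emits the `shun` and control-plane ACL commands from Cisco's recommendations for the offending sources. The regex, the command syntax, and every threshold are assumptions to verify against your own device and baseline.

```python
"""Password-spray detection over Cisco ASA AAA syslog lines, plus the blocking
commands from Cisco's guidance for the flagged sources.  Added example: the
message layout, command syntax and thresholds are assumptions, not vendor code."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed layout of the ASA "AAA user authentication Rejected" message (113005).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+%ASA-6-113005:"
    r".*?user = (?P<user>\S+)\s+:\s+user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def build_sample_log():
    """Constructed sample (not real data): three source IPs each make six failed
    logins with unique usernames (the rotation pattern from the report), plus one
    real user who mistypes a password once and one unrelated message."""
    lines, n = [], 0
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        for _ in range(6):
            n += 1
            sec = n * 5
            lines.append(
                f"Mar 15 10:{sec // 60:02d}:{sec % 60:02d} fw1 %ASA-6-113005: "
                "AAA user authentication Rejected : reason = Invalid password : "
                f"server = 10.0.0.5 : user = corp-user-{n:02d} : user IP = {ip}"
            )
    lines.append("Mar 15 10:00:03 fw1 %ASA-6-302013: Built inbound TCP connection 42")
    lines.append(
        "Mar 15 10:02:30 fw1 %ASA-6-113005: AAA user authentication Rejected : "
        "reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 192.0.2.44"
    )
    return "\n".join(lines)


def parse_line(line, year=2024):
    """Return (timestamp, username, source IP) for a rejection line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def parse_log(text, year=2024):
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window_s=600, min_users=10, rotation=6, min_ip_users=2):
    """Bucket failures into fixed windows and flag a window when many *distinct*
    usernames fail in it.  Each account sees one failure and, with rotation,
    each IP only a handful, so per-account or per-IP counters miss the spray."""
    if not events:
        return {"windows": [], "suspect_ips": []}
    t0 = events[0][0]
    buckets = defaultdict(list)
    for ts, user, ip in events:
        buckets[int((ts - t0).total_seconds() // window_s)].append((user, ip))
    windows, suspects = [], set()
    for b in sorted(buckets):
        evs = buckets[b]
        users_by_ip = defaultdict(set)
        for user, ip in evs:
            users_by_ip[ip].add(user)
        attempts = Counter(ip for _, ip in evs)
        distinct_users = len({u for u, _ in evs})
        flagged = distinct_users >= min_users
        windows.append({
            "start": t0 + timedelta(seconds=b * window_s),
            "failures": len(evs),
            "users": distinct_users,
            "ips": len(users_by_ip),
            "max_per_ip": max(attempts.values()),
            "flagged": flagged,
            # Rotation signature: many users failing, yet no single IP above the
            # per-IP count a naive rate limit would be tuned to.
            "distributed": flagged and len(users_by_ip) > 1
                           and max(attempts.values()) <= rotation,
        })
        if flagged:
            suspects.update(ip for ip, us in users_by_ip.items() if len(us) >= min_ip_users)
    return {"windows": windows, "suspect_ips": sorted(suspects)}


def blocking_commands(ips, outside_if="outside", acl_name="cp-spray-block"):
    """Assumed ASA syntax for the two blocking controls in Cisco's guidance:
    shun for immediate manual blocks and a control-plane ACL on the outside
    interface.  Verify on your platform before pasting."""
    cmds = [f"shun {ip}" for ip in ips]
    cmds += [f"access-list {acl_name} extended deny ip host {ip} any" for ip in ips]
    cmds += [f"access-list {acl_name} extended permit ip any any",
             f"access-group {acl_name} in interface {outside_if} control-plane"]
    return cmds


def remote_syslog_commands(collector_ip, inside_if="inside"):
    """Assumed ASA syntax for shipping logs to a remote syslog collector."""
    return ["logging enable", f"logging host {inside_if} {collector_ip}",
            "logging trap informational"]


if __name__ == "__main__":
    result = detect_spray(parse_log(build_sample_log()))
    for w in result["windows"]:
        print(w)
    print("\n".join(blocking_commands(result["suspect_ips"])))
```

On the sample, the single 10-minute window shows 19 failures against 19 distinct accounts from four sources with no source exceeding six attempts, which is the "distributed" signature; the three rotating addresses are flagged and the home user who failed once is not. The `min_users` threshold is the one to tune against your normal failed-login volume, and the ACL should be reviewed rather than applied blindly, since a botnet drawing on residential address space will keep producing new sources.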

The use of these unusual usernames leads the researchers to speculate that the credential list may have been obtained through an as-yet-unknown zero-day vulnerability or through a data breach that has not yet come to light.

It is unclear who is behind these attacks, but Martin noted that a couple of the detected IP addresses have previously been associated with the Russian hacking group APT29 (aka Midnight Blizzard, Nobelium, and Cozy Bear).
