Cisco alerts users to password-spraying attacks targeting VPN services


Networking giant Cisco has warned its users of an ongoing attack against its business VPN services.

In a security advisory, Cisco said it had been notified of an ongoing password-spraying attack against different third-party VPN concentrators. 

In this instance, it was Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall that were affected.

Russian attackers

“Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions,” Cisco explained, saying that the activity appears to be a reconnaissance effort. The threat actors were not named.

Password spraying is a type of attack in which the threat actor tries the same password with multiple accounts, until one combination works. 

Listing its set of defenses and mitigations, Cisco recommended enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices; securing default remote access VPN profiles by pointing unused default connection profiles to sinkhole AAA servers; leveraging TCP shun to manually block dangerous IP addresses; configuring control-plane ACLs to block unauthorized public IP addresses from running VPN sessions; and using certificate-based authentication for RAVPN.

Security researcher Aaron Martin claims the attack was likely the work of an undocumented malware botnet named Brutus.

He made the connection after observing the malware’s targeting scope and attack patterns, it was said. In his analysis of the botnet, Martin said it counts some 20,000 IP addresses worldwide. At first, the attacks targeted SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco, but have since evolved to include web apps using Active Directory for authentication, too.

To avoid raising any flags, Brutus rotates its IPs every six attempts.
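The rotation described above is why per-source failure thresholds miss this activity. The following added example (not taken from Cisco's advisory or Martin's analysis) compares a per-IP rule with a rule that counts distinct failing accounts per time window; the log line format, addresses, usernames and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed line format for this example, not a vendor syslog format.
LINE = re.compile(r"^(\d+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(lines):
    """Yield (timestamp, source_ip, username, success) for each valid line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield int(m[1]), m[2], m[3], m[4] == "OK"

def per_ip_alerts(events, threshold=10):
    """Naive rule: flag a source IP once it reaches `threshold` failures."""
    fails = defaultdict(int)
    for _, src, _, ok in events:
        if not ok:
            fails[src] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_windows(events, window=600, min_users=15, min_sources=3):
    """Flag fixed time buckets in which many distinct accounts fail from
    several sources, however few attempts each source makes."""
    buckets = defaultdict(lambda: (set(), set()))
    for ts, src, user, ok in events:
        if not ok:
            users, sources = buckets[ts // window * window]
            users.add(user)
            sources.add(src)
    return {start: (len(u), len(s)) for start, (u, s) in sorted(buckets.items())
            if len(u) >= min_users and len(s) >= min_sources}

def sample_log():
    """Constructed data: 30 accounts tried once each, the source changing
    every six attempts, plus one legitimate user mistyping a password."""
    lines = [f"{1200 + i * 10} src=198.51.100.{i // 6 + 1} "
             f"user=user{i:02d} result=FAIL" for i in range(30)]
    lines += ["1205 src=192.0.2.10 user=alice result=FAIL",
              "1215 src=192.0.2.10 user=alice result=FAIL",
              "1230 src=192.0.2.10 user=alice result=OK"]
    return lines

if __name__ == "__main__":
    events = list(parse(sample_log()))
    print("per-IP rule:", per_ip_alerts(events))
    print("spray windows (users, sources):", spray_windows(events))
```

With remote syslog enabled as Cisco recommends, the same aggregation can be run centrally across all VPN devices rather than per appliance.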

Although inconclusive, some evidence points to Brutus being the work of APT29, an infamous Russian state-sponsored threat actor.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
