Brutus attacks VPN products en masse: what are hackers trying to achieve?

A dangerous botnet rotates its IP addresses constantly, purely to evade detection by security systems.

Cisco published recommendations for its customers on how to protect against password-guessing attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The newly discovered malicious activity, according to the company, is part of a large-scale reconnaissance operation and is aimed not only at Cisco products but also at other remote access services.

In these attacks, the adversaries try the same password against many different accounts (password spraying) in an attempt to log in. Cisco's mitigation guide lists indicators of compromise (IoCs) to help detect and block such attacks.

One of these indicators is the inability to establish a VPN connection with the Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled; another is an abnormally large number of authentication requests recorded in the system logs.

Security researcher Aaron Martin links the activity observed by Cisco to an undocumented botnet, which he called "Brutus".

Martin published a report describing the unusual attack techniques of "Brutus" that he and analyst Chris Grube have observed since March 15. The botnet operates from about 20,000 IP addresses worldwide, including cloud-provider infrastructure and residential IP addresses.

The attacks identified by Martin initially targeted SSLVPN devices from Fortinet, Palo Alto, SonicWall, and Cisco, but then expanded to web applications that use Active Directory for authentication.

The Brutus botnet switches to a new IP address after every six login attempts to avoid detection and blocking. The attacks also use very specific usernames that do not appear in public breach dumps or other open sources. This raises concerns about how they were obtained and may indicate an undisclosed breach or the exploitation of a zero-day vulnerability.
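The rotation pattern described above is exactly what defeats a simple "block an IP after N failures" rule: every source stays under the threshold, while the targeted account still accumulates failures. The following detector is an added example written for this post, not code from Cisco or from Martin's report. It parses constructed log lines loosely modelled on Cisco ASA AAA-rejection messages (the exact field layout is an assumption), then compares a per-source threshold with a per-account rule that flags many distinct sources each making only a few attempts. The thresholds (`min_failures`, `min_sources`, `rotation_cap`) are assumed tuning values, not figures from the article.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, loosely modelled on Cisco ASA %ASA-6-113005 AAA
# rejection messages.  The field layout is an assumption for this example.
# svc_backup is sprayed from four sources, three attempts each; j.doe is a
# single user who mistyped a password twice.
SAMPLE_LOG = """\
Mar 15 10:00:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 198.51.100.10
Mar 15 10:00:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 198.51.100.10
Mar 15 10:00:05 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 198.51.100.10
Mar 15 10:00:09 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 203.0.113.7
Mar 15 10:00:11 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 203.0.113.7
Mar 15 10:00:13 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 203.0.113.7
Mar 15 10:00:17 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 192.0.2.44
Mar 15 10:00:19 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 192.0.2.44
Mar 15 10:00:21 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 192.0.2.44
Mar 15 10:00:25 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 198.51.100.77
Mar 15 10:00:27 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = svc_backup : user IP = 198.51.100.77
Mar 15 10:01:40 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = j.doe : user IP = 192.0.2.100
Mar 15 10:01:52 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.0.5 : user = j.doe : user IP = 192.0.2.100
"""

# Extract the username and source address from a rejection line.
FAIL_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected.*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(text):
    """Return a list of (user, source_ip) tuples, one per failed login."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((m["user"], m["ip"]))
    return events


def per_ip_threshold(events, max_attempts=5):
    """Classic per-source rule: flag any IP with more than max_attempts failures.
    A botnet that rotates sources after a few tries never trips this."""
    counts = Counter(ip for _, ip in events)
    return sorted(ip for ip, n in counts.items() if n > max_attempts)


def detect_distributed_spray(events, min_failures=10, min_sources=3, rotation_cap=6):
    """Per-account rule: flag a username that collects many failures from many
    distinct sources while no single source exceeds rotation_cap attempts.
    rotation_cap=6 mirrors the six-attempts-per-IP behaviour reported for Brutus."""
    per_user = defaultdict(Counter)
    for user, ip in events:
        per_user[user][ip] += 1
    findings = {}
    for user, ips in per_user.items():
        total = sum(ips.values())
        busiest = max(ips.values())
        if total >= min_failures and len(ips) >= min_sources and busiest <= rotation_cap:
            findings[user] = {"failures": total, "sources": len(ips), "max_per_ip": busiest}
    return findings


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_threshold(evts))          # -> []
    print("distributed-spray rule flags:", detect_distributed_spray(evts))
```

Fed to a SIEM as a scheduled search, the per-account rule is what surfaces a rotating botnet; the per-source rule is still worth keeping for noisy single-host brute force, but on its own it sees nothing here.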

Cisco's recommendations for countering this malicious activity include the following:
  • Enable logging to a remote syslog server. Centrally collected logs make incident analysis possible even if the device itself is compromised.
  • Secure the default remote access profiles. Unused connection profiles should be pointed at a sinkhole AAA server so that they cannot be used to gain access.
  • Use the shun command to manually block malicious IP addresses. This drops all traffic from addresses identified as attack sources.
  • Configure access control lists (ACLs). These restrict which source IP addresses may initiate VPN sessions.
  • Use certificate-based authentication for RAVPN. Certificates cannot be guessed the way passwords can, which raises the level of protection for both data and systems.

All of the recommendations described above help you strengthen the security of your corporate infrastructure and protect it from malicious intruders. Administrators should not delay the protection of their systems, so as not to become another victim of insidious hackers.