Summary: Security researchers are warning of a surge in network scans targeting Cisco ASA devices, with GreyNoise recording two significant scanning spikes in late August. In the first wave, 25,000 unique IPs scanned ASA login portals and Cisco IOS Telnet/SSH. The second wave, which was smaller (17,000 IPs) and primarily driven by a Brazilian botnet, repeated ASA probing, with subsets hitting both IOS Telnet/SSH and ASA software personas. In both cases, actors used overlapping client signatures and spoofed Chrome-like user-agents, suggesting a common origin. While this type of reconnaissance can sometimes indicate failed exploitation attempts of already-patched bugs, it can also be an effort to map and prepare for new attacks. GreyNoise has noted that in 80% of cases, such scanning precedes the public disclosure of a new vulnerability.
Security Officer Comments: The scanning activity has primarily targeted the United States, with the United Kingdom and Germany also being targeted. A separate report by a system administrator who goes by the name NadSec – Rat5ak observed similar activity that began in late July, escalating in mid-August. This administrator observed 200,000 hits on Cisco ASA endpoints within 20 hours, with the traffic appearing highly automated. According to Rat5ak, this activity originated from three specific ASNs, including Nybula, Cheapy-Host, and Global Connectivity Solutions LLP.
Suggested Corrections:
- Limit exposure: Avoid placing ASA web portals, Telnet, or SSH directly on the internet.
- Patch quickly if a new CVE emerges: ASA vulnerabilities have historically been exploited soon after disclosure.
- Require MFA: Strengthen remote access with multi-factor authentication.
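The scanning described above shows up in a portal's access logs as a burst of distinct source IPs hitting the login page within a short window, often with near-identical browser-like user-agents. The following is an added example (not from the original report, GreyNoise, or Cisco) of a small detector that buckets login-page requests by hour, counts unique source IPs, and reports the share of those IPs presenting a Chrome-like user-agent, so an analyst can spot a surge like the ones reported. The log line format and the sample lines are constructed for the example, and the ASA WebVPN login path `/+CSCOE+/logon.html` is an assumption to adjust for your own deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed ASA WebVPN login page path; change to match the portal you monitor.
ASA_LOGIN_PATHS = {"/+CSCOE+/logon.html"}

# Constructed, simplified access-log format (not Cisco's native syslog):
#   <client ip> [<ISO-8601 timestamp>] "<METHOD> <path>" "<User-Agent>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: a quiet baseline (10:00 and 11:00), then a burst of
# distinct IPs at 12:00 sharing one Chrome-like user-agent, plus one noise line
# and one malformed line that the parser must skip.
SAMPLE_LOG = """\
203.0.113.5 [2025-08-26T10:02:11] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0.0.0 Safari/537.36"
198.51.100.7 [2025-08-26T10:40:03] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.5 [2025-08-26T11:15:44] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0.0.0 Safari/537.36"
192.0.2.10 [2025-08-26T12:00:01] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.0.0 Safari/537.36"
192.0.2.11 [2025-08-26T12:00:02] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.0.0 Safari/537.36"
192.0.2.12 [2025-08-26T12:00:02] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.0.0 Safari/537.36"
192.0.2.13 [2025-08-26T12:00:03] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.0.0 Safari/537.36"
192.0.2.14 [2025-08-26T12:00:04] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.0.0 Safari/537.36"
192.0.2.15 [2025-08-26T12:00:05] "GET /+CSCOE+/logon.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.0.0 Safari/537.36"
192.0.2.16 [2025-08-26T12:00:06] "GET /robots.txt" "curl/8.0"
this line is deliberately malformed and must be ignored
"""


def parse(lines):
    """Yield parsed records; silently skip lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def login_hits_per_hour(lines):
    """Map ISO hour bucket -> {source ip: set of user-agents} for login-page hits."""
    buckets = defaultdict(dict)
    for rec in parse(lines):
        if rec["path"] not in ASA_LOGIN_PATHS:
            continue
        hour = rec["ts"].replace(minute=0, second=0, microsecond=0).isoformat()
        buckets[hour].setdefault(rec["ip"], set()).add(rec["ua"])
    return dict(buckets)


def find_spikes(buckets, min_unique_ips=5):
    """Return (hour, unique_ip_count, chrome_like_fraction) for hours at or above
    the unique-IP threshold. Tune min_unique_ips to your portal's normal traffic."""
    spikes = []
    for hour in sorted(buckets):
        ips = buckets[hour]
        n = len(ips)
        if n < min_unique_ips:
            continue
        chrome_like = sum(
            1 for uas in ips.values() if any("Chrome/" in ua for ua in uas)
        )
        spikes.append((hour, n, chrome_like / n))
    return spikes


if __name__ == "__main__":
    buckets = login_hits_per_hour(SAMPLE_LOG.splitlines())
    for hour, n, frac in find_spikes(buckets):
        print(f"{hour}: {n} unique IPs on login page, {frac:.0%} Chrome-like UAs")
```

Run against real logs by feeding the file's lines to `login_hits_per_hour` after adapting `LINE_RE` to your portal's log format; a threshold well above the portal's usual hourly distinct-IP count keeps the detector quiet outside a burst.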
Link(s): https://www.bleepingcomputer.com/ne...s-targeting-cisco-asa-devices-raise-concerns/