Cisco Adds Security Features to Thwart VPN Brute-Force Attacks

October 26, 2024

Cisco has rolled out new security features to its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) to combat brute-force and password spray attacks. These types of attacks aim at gaining unauthorized access to an online account by guessing its password. While password spray attacks try to use the same passwords across multiple accounts to bypass defenses, brute-force attacks repeatedly target a single account using different password attempts.

In April, Cisco revealed that unidentified threat actors were launching massive brute-force attacks against VPN accounts on various networking devices, including those from Cisco, Checkpoint, Fortinet, SonicWall, RD Web Services, Miktrotik, Draytek, and Ubiquiti. Cisco cautioned that successful attacks could result in unauthorized access, account lockouts, and denial-of-service states, depending on the targeted environment. These attacks led Cisco to identify and rectify a Denial of Service vulnerability, tagged as CVE-2024-20481, which drained resources on Cisco ASA and FTD devices when subjected to these types of attacks.

Following the attacks in April, Cisco unveiled new threat detection capabilities in its ASA and FTD that considerably lessen the impact of brute-force and password spray attacks. While these features have been accessible for some software versions since June, they were not available for all versions until recently. Unfortunately, some Cisco admins were not aware of these new features. However, those who were familiar with them reported significant success in mitigating VPN brute-force attacks when the features were activated. One Cisco admin shared on Reddit, 'It worked so magically that the hourly 500K failures lowered to 170! over last night!'.

These new features, part of the threat detection service, block various types of attacks. Cisco explained that client initiation attacks are typically conducted to consume resources, potentially putting the device in a denial-of-service state. To activate these new features, you must be running a supported version of Cisco ASA and FTD. If you are running a support software version, you can use specific commands to enable the new features.

A Cisco ASA admin shared a script on Reddit that can automatically remove all shunned IP addresses every seven days. An example of a complete configuration shared by Cisco that enables all three features was provided. An admin on Reddit further noted that the client initiation protections caused some false positives in their environment but performed better after reverting to the defaults. When asked if there is any downside to using these features if RAVPN is enabled, Cisco said there could be a potential for a performance impact. 'There is no expected "downside," but the potential for performance impact can exist when enabling new features based on existing device configuration and traffic load,' Cisco stated.

In conclusion, if your VPN accounts are targeted by threat actors attempting to brute force, it is highly recommended that you activate these features to counter these attacks. Compromised VPN credentials are often used to breach networks for ransomware attacks.

Latest News

• Fortinet FortiManager Flaw 'FortiJump' Exploited in Zero-Day Attacks
• 'Prometei' Botnet Continues its Global Cryptojacking Campaign
• U.S. CISA Adds Fortinet FortiManager Flaw to Known Exploited Vulnerabilities Catalog
• Lazarus Group Utilizes Chrome Zero-Day Exploit in Latest Cryptocurrency Heist
• CISA Adds Microsoft SharePoint Vulnerability to Known Exploited Vulnerabilities Catalogue; Active Exploitation Reported