Pierluigi Paganini March 29, 2024

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services of Cisco Secure Firewall devices.

Cisco is warning customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company published a document containing recommendations against password spray attacks aimed at Remote Access VPN (RAVPN) services. The IT giant pointed out that the attacks are also targeting third-party VPN concentrators.

“Cisco was made aware of multiple reports related to password spraying attacks aimed at RAVPN services. It has been noted by Talos that these attacks are not limited to Cisco products but also third-party VPN concentrators.” reads the report. “Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions.”

Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

The company shared Indicators of Compromise (IoC) for these attacks, including:

• Unable to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled;
• Unusual Amount of Authentication Requests;

Below is the list of recommendations to defend against these attacks:

• Enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices.
• Securing Default Remote Access VPN Profiles when the default remote access VPN connection profiles/tunnel groups DefaultRAGroup and DefaultWEBVPNGroup are not used. The company urge to to prevent authentication attempts and remote access VPN session establishment using these default connection profiles/tunnel groups by pointing them to a sinkhole AAA server.
• Leveraging TCP shun to block a malicious IP. This activity must be done manually. 
• Configuring Control-plance ACL on the ASA/FTD to filter out unauthorized public IP addresses and prevent them from initiating remote VPN sessions.
• Use Certificate-based authentication for RAVPN
• Using certificates for authentication because provide a more robust approach compared to the use of credentials. To harden your environment, you can change the authentication method for RAVPN to be based on certificates.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, password-spraying attacks)