TLDR:
- Cisco warns of password spraying attacks targeting VPN services.
- Threat actors can gain unauthorized access to networks and sensitive data through compromised VPN accounts.
Cisco recently issued a warning about password spraying attacks targeting VPN services, including its own products and third-party VPN concentrators. Password spraying is a technique in which an attacker tries a small set of common passwords against many accounts, keeping the number of attempts per account low enough to stay under lockout thresholds. A compromised VPN account can give the attacker access to sensitive data and a foothold for further privilege escalation within the breached environment. Cisco recommends enabling logging, securing the default VPN profiles, and moving to certificate-based authentication to mitigate the risk of such attacks.
The attacks reported by Cisco can also cause DoS-like conditions on the VPN headend and have been linked to reconnaissance activity. They highlight the exposure of VPN services, which by design provide remote access to internal networks from the Internet. Password spraying exploits no software vulnerability: accounts protected by weak or reused passwords are enough for a threat actor to gain unauthorized entry and compromise sensitive information.
Recommendations
Below are the recommendations offered by cybersecurity analysts at Cisco:
- Enable Logging
- Secure Default Remote Access VPN Profiles
- Leverage TCP shun
- Configure Control-plane ACL
- Use Certificate-based authentication for RAVPN
IoCs
- Unable to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled: users attempting to connect with Cisco Secure Client receive an error stating that Cisco Secure Desktop is not installed, which prevents the connection from succeeding. This symptom appears to be a side effect of the DoS-like attacks, but Cisco's investigation is still ongoing.
- Unusual amount of authentication requests: Cisco ASA or FTD VPN headends show the classic signature of password spraying, with millions of rejected authentication attempts visible in the syslogs.
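The "unusual amount of authentication requests" indicator above is only useful if you can tell a spray apart from ordinary failed logins. As an added example (not from Cisco's advisory or from the original article), the following Python script parses ASA syslog lines of the 113005 "AAA user authentication Rejected" type and classifies each source IP by the shape of its failures: many distinct usernames with few attempts each (spraying) versus many attempts against one username (brute force). The sample log lines are constructed for this example, the regex is an approximation of the 113005 message format, and the thresholds are illustrative values to be tuned against your own baseline.

```python
import re
from collections import defaultdict

# Approximation of the Cisco ASA 113005 "AAA user authentication Rejected"
# message layout (assumption for this example; verify against your own logs).
REJECT_RE = re.compile(
    r"%ASA-\d-113005: AAA user authentication Rejected.*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)"
)

# Constructed sample syslog lines (not real telemetry). One source sprays five
# usernames once each, one hammers a single account, one is a lone failure,
# and a non-auth connection message is included as noise.
SAMPLE_SYSLOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = mjones : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = test : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = vpn : user IP = 198.51.100.7
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.9
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 192.0.2.44
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to identity:10.0.0.1/443 (10.0.0.1/443)
"""


def parse_rejections(log_text):
    """Return a list of (source_ip, username) for every rejected auth line."""
    out = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user")))
    return out


def classify_sources(rejections, spray_min_users=5, brute_min_attempts=5):
    """
    Classify each source IP by the distribution of its failed logins:
      'spray' - rejections spread over many distinct usernames, few per user
      'brute' - many rejections concentrated on a single username
      'noise' - below both thresholds (ordinary mistyped passwords)
    Thresholds are illustrative; tune them against your own baseline.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in rejections:
        per_ip[ip][user] += 1

    verdicts = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        distinct = len(users)
        if distinct >= spray_min_users and total / distinct < 3:
            verdicts[ip] = "spray"
        elif distinct < spray_min_users and max(users.values()) >= brute_min_attempts:
            verdicts[ip] = "brute"
        else:
            verdicts[ip] = "noise"
    return verdicts


def main():
    rejections = parse_rejections(SAMPLE_SYSLOG)
    for ip, verdict in sorted(classify_sources(rejections).items()):
        print(f"{ip:16} {verdict}")


if __name__ == "__main__":
    main()
```

The per-source username spread is the key signal: a spray from a single IP produces a wide, flat histogram of usernames, which a per-account lockout policy never sees. In practice the source will rotate across many IPs, so the same aggregation should also be run per username-set or per ASN over a sliding window, and the resulting IPs fed to the shun or control-plane ACL recommendations above.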