Red Hot Cyber


Prelude to Compromise: Targeted Scans of Cisco ASA Surge

Redazione RHC : 10 September 2025 09:07

At the end of August, GreyNoise recorded a sharp increase in scanning activity targeting Cisco ASA devices. Experts warn that such surges often precede the discovery of new product vulnerabilities. This time there were two spikes: in both cases, attackers heavily probed ASA login pages and Telnet/SSH access on Cisco IOS.

On August 26, a particularly large wave was observed, initiated by a Brazilian botnet that used approximately 17,000 unique addresses and accounted for up to 80% of the traffic. In total, up to 25,000 source IPs were observed. Interestingly, both waves used similar browser headers disguised as Chrome, indicating a common infrastructure.

The United States was the primary target, but the United Kingdom and Germany were also scanned.

According to GreyNoise, approximately 80% of such scans result in the subsequent discovery of new security issues, although the statistical correlation is significantly weaker for Cisco than for other vendors. Nonetheless, such indicators allow administrators to strengthen their defenses in advance.

In some cases, these may be failed attempts to exploit already-closed bugs, but a large-scale campaign could also be aimed at mapping available services for further exploitation of vulnerabilities not yet disclosed.

An independent system administrator with the handle NadSec – Rat5ak reported similar activity that began in late July and continued until August 28. He recorded over 200,000 requests to ASA in 20 hours, with a uniform load of 10,000 requests from each address, indicating deep automation. The sources were three autonomous systems: Nybula, Cheapy-Host, and Global Connectivity Solutions LLP.

Administrators are advised to install the latest Cisco ASA updates as soon as possible to close known vulnerabilities, enable multi-factor authentication for all remote access, and avoid exposing the /+CSCOE+/logon.html page, Web VPN, Telnet, or SSH directly to the internet.

In extreme cases, we recommend placing access behind a VPN concentrator, a reverse proxy, or a gateway with additional verification.

You can also use the attack indicators published by GreyNoise and Rat5ak to block suspicious requests at the perimeter and, if necessary, enable geoblocking and rate limiting. Cisco has not yet released a statement on this matter.
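As an added illustration of the perimeter controls just described (rate limiting and indicator-based blocking of requests to the ASA WebVPN pages), the following Python script is example code written for this article, not code from GreyNoise, Rat5ak, or Cisco. It assumes a generic access-log line shape of `ip timestamp method path status "user-agent"`; the sample log lines, the IP addresses, the user-agent strings, the indicator list, and the per-source threshold are all constructed for the example and are not real indicators from the campaign.

```python
"""Rate- and indicator-based detection of scanning against Cisco ASA WebVPN pages.

Added example for this article (not GreyNoise/Rat5ak code). Log format, IPs,
user agents, indicator list and thresholds are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable

# Assumed access-log shape: <src-ip> <timestamp> <method> <path> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# ASA WebVPN front-end paths that the article says should not be published directly;
# many sources hitting these is the scanning signal GreyNoise observed.
SENSITIVE_PREFIXES = ("/+CSCOE+/", "/+webvpn+/")

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Safari/537.36"

# Constructed sample log: one source hammering the login page, one known-bad source
# with only two hits, one ordinary user, and one noisy but harmless crawler.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.10 2025-08-26T10:00:{i:02d}Z GET /+CSCOE+/logon.html 200 "{CHROME_UA}"'
     for i in range(6)]
    + [
        f'198.51.100.7 2025-08-26T10:01:00Z GET /+CSCOE+/logon.html 200 "{CHROME_UA}"',
        f'198.51.100.7 2025-08-26T10:01:03Z GET /+webvpn+/index.html 200 "{CHROME_UA}"',
        '192.0.2.50 2025-08-26T10:02:00Z GET /index.html 200 "Mozilla/5.0 Firefox/128.0"',
        '192.0.2.50 2025-08-26T10:02:09Z GET /+CSCOE+/logon.html 200 "Mozilla/5.0 Firefox/128.0"',
    ]
    + [f'198.51.100.200 2025-08-26T10:03:{i:02d}Z GET /robots.txt 404 "crawler/1.0"'
       for i in range(6)]
)

# Constructed indicator list standing in for a published feed (hypothetical values).
INDICATORS = {"198.51.100.7", "203.0.113.99"}


def parse_log(text: str) -> list[dict]:
    """Parse access-log lines; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_sensitive(path: str) -> bool:
    """True for requests aimed at the ASA WebVPN front end."""
    return path.startswith(SENSITIVE_PREFIXES)


def find_scanners(events: Iterable[dict], threshold: int = 5) -> dict[str, int]:
    """Rate rule: sources with at least `threshold` hits on WebVPN paths."""
    hits = Counter(e["ip"] for e in events if is_sensitive(e["path"]))
    return {ip: n for ip, n in hits.items() if n >= threshold}


def match_indicators(events: Iterable[dict], indicators: set[str]) -> set[str]:
    """Indicator rule: sources in the log that also appear on the indicator list."""
    return {e["ip"] for e in events} & indicators


def shared_user_agents(events: Iterable[dict]) -> dict[str, int]:
    """User-Agent strings reused by several distinct sources on WebVPN paths.

    The article notes both waves shared Chrome-like headers; this surfaces that
    clustering for analyst review (context for triage, not a block rule by itself).
    """
    ua_ips: dict[str, set[str]] = {}
    for e in events:
        if is_sensitive(e["path"]):
            ua_ips.setdefault(e["ua"], set()).add(e["ip"])
    return {ua: len(ips) for ua, ips in ua_ips.items() if len(ips) > 1}


def build_blocklist(text: str, indicators: set[str], threshold: int = 5) -> list[tuple[str, str]]:
    """Combine both rules into a sorted (ip, reason) list for a perimeter ACL."""
    events = parse_log(text)
    blocks = {ip: f"rate:{n}" for ip, n in find_scanners(events, threshold).items()}
    for ip in match_indicators(events, indicators):
        blocks.setdefault(ip, "indicator")  # the rate reason wins if both rules fire
    return sorted(blocks.items())


if __name__ == "__main__":
    for ip, reason in build_blocklist(SAMPLE_LOG, INDICATORS):
        print(f"deny src {ip}  # {reason}")
    print("shared user agents:", shared_user_agents(parse_log(SAMPLE_LOG)))
```

The rate rule only counts requests to the WebVPN paths, so a noisy crawler fetching `/robots.txt` is not blocked, while a source with a handful of login-page hits is still caught when it appears on an indicator list. The threshold and the time window (here, the whole log) should be tuned to the site's normal VPN traffic before the output is fed into a firewall rule.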

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
