“Brutus” Botnet Breaching VPNs: Cisco Issues Defense Guide

Cisco has published guidelines for its clients on safeguarding against password brute-force attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company describes the recently detected malicious activity as part of a comprehensive espionage operation, aiming not only at Cisco products but also at other remote access services.

These attacks involve attackers trying a single password against many accounts (password spraying) to gain access to the system. Cisco’s mitigation guide lists indicators of compromise (IoCs) that help detect and block such attacks.

One such indicator is the inability to establish a VPN connection with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled, together with an abnormally high volume of authentication requests recorded in the system logs.

Security researcher Aaron Martin links the activity observed by Cisco to an undocumented botnet he has dubbed “Brutus.”

Martin, together with analyst Chris Grube, has been tracking the activity since March 15; his report describes “Brutus”’s unconventional attack methods. The botnet uses roughly 20,000 IP addresses worldwide, spanning cloud-provider infrastructure and residential IPs.

The attacks Martin documented initially targeted SSLVPN devices from Fortinet, Palo Alto, SonicWall, and Cisco, and later expanded to web applications that use Active Directory for authentication.

“Brutus” rotates its IP address every six password attempts to evade detection and blocking. It uses highly specific usernames that are not publicly disclosed or obtainable, which raises the question of how they were acquired and suggests either undisclosed breaches or exploitation of zero-day vulnerabilities.

Among Cisco’s recommendations to combat this malicious activity are the following measures:

  • Enable logging to a remote syslog server, so that logs can be collected and examined during incident analysis.
  • Protect the default remote-access connection profiles: point unused profiles at a sinkhole AAA server so they cannot be used to gain access.
  • Use TCP shun to manually block malicious IPs, excluding identified attack sources from the network.
  • Configure Access Control Lists (ACLs) to filter which IP addresses may initiate VPN sessions.
  • Implement certificate-based authentication for RAVPN, a more secure method that better protects data and systems.
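As an added example (not part of Cisco’s guidance or the researchers’ report), the Python sketch below shows why the usual per-source-IP failure threshold misses an actor that changes address every six attempts, and one way to aggregate rejected RAVPN authentications across sources instead. The syslog layout is an assumption loosely modelled on the ASA %ASA-6-113005 message, and the sample lines, usernames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, loosely modelled on the Cisco ASA/FTD syslog message %ASA-6-113005
# (AAA user authentication rejected); the exact field layout is an assumption, so adjust
# REJECT_RE to what your own firewall emits.
REJECT_RE = re.compile(r"113005.*?user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)")
TEMPLATE = ("%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password"
            " : server = 10.0.0.5 : user = {user} : user IP = {ip}")

def make_sample_logs():
    """Three rotating sources (RFC 5737 test addresses) send six attempts each, a fresh
    username every time, mimicking the six-attempts-then-rotate pattern; one real user
    (jsmith) mistypes a password twice from a single address."""
    lines, n = [], 0
    for ip in ("198.51.100.7", "203.0.113.42", "192.0.2.19"):
        for _ in range(6):
            n += 1
            lines.append(TEMPLATE.format(user=f"acct{n:02d}", ip=ip))
    return lines + [TEMPLATE.format(user="jsmith", ip="10.20.30.40")] * 2

def parse_rejects(lines):
    """Return (username, source_ip) for rejected-authentication messages; skip the rest."""
    return [(m.group("user"), m.group("ip"))
            for m in (REJECT_RE.search(line) for line in lines) if m]

def per_source_threshold(rejects, cap=6):
    """Classic rule: alert on any single source with more than `cap` rejects.
    A sprayer that changes address every six attempts never trips it."""
    counts = defaultdict(int)
    for _, ip in rejects:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n > cap)

def distributed_spray(rejects, min_sources=3):
    """Rotation-aware rule: a source that never repeats a username is cycling through
    accounts, not a person retrying a password. Alert once enough such sources appear,
    and report the fleet-wide totals that a per-source view hides."""
    by_ip = defaultdict(list)
    for user, ip in rejects:
        by_ip[ip].append(user)
    spraying = sorted(ip for ip, users in by_ip.items()
                      if len(users) > 1 and len(set(users)) == len(users))
    return {"alert": len(spraying) >= min_sources,
            "spraying_sources": spraying,
            "distinct_users": len({u for u, _ in rejects}),
            "attempts": len(rejects)}
```

On the sample, `per_source_threshold` returns nothing while `distributed_spray` flags all three rotating sources; tune `min_sources` against your own baseline of failed logins before relying on it.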

Following these recommendations strengthens corporate infrastructure and shields it from such intrusions. Administrators are advised to secure their systems without delay to avoid becoming the next target.