Brute-forcing Cisco’s SSL VPN follows: Just a day after the GlobalProtect surge, the same actor infrastructure pivoted to Cisco’s SSL VPN endpoints, with the same TCP fingerprint and hosting provider IP space. GreyNoise saw the number of unique attacking IPs jump from a typical daily baseline of fewer than 200 to over 1200, signalling a sharp rise in brute-force login attempts.Unlike the more structured GlobalProtect activity, much of the Cisco traffic hit vendor-agnostic facade sensors. This indicated that attackers were probing broadly rather than holding a finely targeted list of known endpoints.However, the underlying behavior remained automated credential-based authentication attempts.GreyNoise disclosure urges defenders to harden authentication hygiene, including enforcing strong passwords and multi-factor authentication (MFA), auditing exposed edge devices for unexpected login attempts, and leveraging threat intel blocklists to filter out malicious IPs at the perimeter. The disclosure shared blocklists for its platform customers as well as non-GreyNoise users.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4109488/attackers-bring-their-own-passwords-to-cisco-and-palo-alto-vpns.html
