Cisco ASA Devices See Spike in Network Scans, Raising Fears of Exploitable Vulnerabilities
A significant surge in network scans targeting Cisco ASA devices has prompted security researchers to warn of potential malicious activity preceding the discovery of new vulnerabilities. The scans, which peaked on August 28th, involved a massive 200,000 hits on Cisco ASA endpoints within a 20-hour period, originating from three Autonomous System Numbers (ASNs): Nybula, Cheapy-Host, and Global Connectivity Solutions LLP.
Security intelligence firm GreyNoise observed a substantial increase in reconnaissance attempts against Cisco ASA appliances beginning in mid-August. This activity aligns with a separate report from system administrator ‘nadsec – Rat5ak’ detailing a coordinated reconnaissance wave starting July 31st. Historically, such scanning activity has preceded the public disclosure of new vulnerabilities in scanned products approximately 80% of the time, suggesting attackers are actively probing for weaknesses that may not yet be publicly known.
While many of these scans appear to be failed exploitation attempts targeting already-patched vulnerabilities, experts caution they could also be preparatory steps for exploiting newly discovered flaws. Rat5ak’s report details the scans as highly automated, with a consistent 10,000 hits per IP address. Cisco has been contacted for comment.
Security recommendations include: applying the latest security updates to Cisco ASA devices, enforcing multi-factor authentication (MFA) for all remote ASA logins, and avoiding direct exposure of sensitive interfaces like /+CSCOE+/logon.html, WebVPN, Telnet, and SSH. Organizations are also advised to utilize indicators of compromise (IOCs) shared by GreyNoise and Rat5ak to proactively block malicious attempts, and consider implementing geo-blocking or rate limiting.
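The per-IP request volume described in Rat5ak's report and the rate-limiting recommendation above suggest a simple log check. The following is an added example, not code from GreyNoise, Rat5ak or Cisco: it flags source addresses that hit the ASA logon path repeatedly within a short window. The log format, window, threshold and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed; NOT an ASA syslog format), e.g. from a
# proxy or sensor in front of the appliance:
#   <ISO-8601 timestamp> <source IP> <method> <path> <status>
WATCHED_PREFIXES = ("/+CSCOE+/",)   # portal path named in the article
WINDOW = timedelta(minutes=1)        # hypothetical tuning value
THRESHOLD = 5                        # hypothetical; kept small for the sample


def parse_line(line):
    """Return (timestamp, src_ip, path), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[3]


def find_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each source IP to its peak hit count on watched paths inside any
    sliding window, keeping only IPs that reach the threshold.
    Assumes each source's lines arrive in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip truncated or corrupt lines
        ts, ip, path = rec
        if not path.startswith(WATCHED_PREFIXES):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop hits that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Constructed sample: one automated source, one ordinary user, one bad line.
# Addresses are documentation ranges; the date is arbitrary.
SAMPLE = [f"2024-01-01T10:00:{s:02d} 203.0.113.7 GET /+CSCOE+/logon.html 200"
          for s in range(0, 40, 5)]
SAMPLE += ["2024-01-01T10:00:03 198.51.100.20 GET /+CSCOE+/logon.html 200",
           "2024-01-01T10:07:41 198.51.100.20 POST /+CSCOE+/logon.html 302",
           "truncated line"]

if __name__ == "__main__":
    for ip, n in sorted(find_scanners(SAMPLE).items()):
        print(f"{ip}: {n} hits on watched paths within {WINDOW}")
```

Flagged addresses are candidates for the blocking or rate limiting mentioned above; the threshold should be tuned against normal login traffic before acting on it.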