Original Article Text


New Cisco ASA and FTD features block VPN brute-force password attacks

Cisco has added new security features that significantly mitigate brute-force and password spray attacks on Cisco ASA and Firepower Threat Defense (FTD), helping protect the network from breaches and reducing resource utilization on the devices.

Password spray and brute-force attacks are similar in that both attempt to gain unauthorized access to an account by guessing its password. They differ in how the guesses are distributed: a password spray tries one or a few common passwords across many accounts, which keeps each account under its lockout threshold and evades per-account defenses, while a brute-force attack repeatedly targets a single account with many different passwords.

In April, Cisco disclosed that threat actors were conducting massive brute-force attacks against VPN accounts on a variety of networking devices, including those from Cisco, Check Point, Fortinet, SonicWall, RD Web Services, MikroTik, DrayTek, and Ubiquiti. Cisco warned that successful attacks could lead to unauthorized access, account lockouts, and denial-of-service states depending on the targeted environment.

Investigating these attacks also led Cisco to discover and fix a denial-of-service vulnerability, tracked as CVE-2024-20481, in which Cisco ASA and FTD devices exhausted resources when hit with this type of traffic.

New VPN brute-force attack protection features

After being hit with the attacks in April, Cisco released new threat detection capabilities in Cisco ASA and Firepower Threat Defense (FTD) that significantly reduce the impact of brute-force and password spray attacks. While these features have been available for some software versions since June, they did not become available for all versions until this month.

Unfortunately, some of the Cisco admins BleepingComputer spoke to were unaware of these new features. Those who were aware reported significant success in mitigating VPN brute-force attacks once the features were enabled.

"It worked so magically that the hourly 500K failures lowered to 170! over last night!" a Cisco admin shared on Reddit.

These new features are part of the threat detection service and block the following types of attacks:

Cisco told BleepingComputer that client initiation attacks are usually conducted to consume resources, potentially putting the device in a denial-of-service state.

To enable these new features, you must be running a supported version of Cisco ASA or FTD, which are listed below:

ASA Software:

FTD Software:

If you are running a supported software version, you can use the following commands to enable the new features.

To prevent threat actors from attempting to connect to built-in tunnel groups that are not meant to be connected to directly, you would enter this command:

To prevent repeated attempts from the same IP address to initiate an authentication request to the RAVPN service without ever completing it, you would use this command:

Finally, to prevent repeated authentication requests from the same IP address, you would use this command:

For both the remote-access-client-initiations and remote-access-authentication features, the minutes and count variables have the following definitions:

If an IP address makes too many connection or authentication requests within the defined period, the Cisco ASA and FTD software will shun, or block, that IP address indefinitely, until you manually remove it using the following command:

A Cisco ASA admin shared on Reddit a script that automatically removes all shunned IP addresses every seven days.

An example of a complete configuration shared by Cisco that enables all three features is:

An admin on Reddit further noted that the client initiation protections caused some false positives in their environment but performed better after reverting to the defaults of hold-down 10 and threshold 20.
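The following is an added example, not configuration text from the article or from Cisco, showing the three threat-detection commands in Cisco's documented syntax together with the commands for checking the feature and clearing a shun. The hold-down and threshold values are the defaults the article cites for client initiations (10 minutes, 20 attempts); applying the same values to the authentication feature is an assumption, and the IP address is a constructed RFC 5737 placeholder.

```cisco
! Added example (not from the article): ASA/FTD CLI to enable the three
! threat-detection VPN protections and to manage the resulting shuns.
! On ASA, enter in configuration mode; on FTD, deploy via FlexConfig.
! The address 203.0.113.45 is a constructed placeholder.

! 1. Reject connection attempts aimed at the built-in default tunnel
!    groups, which legitimate clients should never target directly.
threat-detection service invalid-vpn-access

! 2. Shun a source that starts RAVPN sessions but never completes
!    authentication. hold-down = window, in minutes, after the most
!    recent attempt during which attempts from that source are counted;
!    threshold = number of attempts within that window that triggers
!    the shun. 10 / 20 are the defaults the article says avoided the
!    false positives one admin hit with tighter values.
threat-detection service remote-access-client-initiations hold-down 10 threshold 20

! 3. Same counting logic for repeated authentication requests
!    (failed logins) from one source. Using 10 / 20 here too is an
!    assumption; tune to your own traffic.
threat-detection service remote-access-authentication hold-down 10 threshold 20

! Verify the features are active and inspect their counters.
show threat-detection service

! A shun is indefinite until removed. List current shuns, then clear a
! single address, e.g. a shared NAT gateway that tripped the threshold.
show shun
no shun 203.0.113.45

! Clear every shun at once. The article mentions an admin script that
! does this on a seven-day schedule; this is the underlying command.
clear shun
```

Before raising the thresholds, check `show shun` for addresses that belong to shared egress points (office NAT, carrier-grade NAT, a managed-service provider), since one such address tripping the threshold blocks every user behind it, which is the false-positive pattern the Reddit admin describes.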
When BleepingComputer asked whether there is any downside to enabling these features when RAVPN is in use, Cisco said there could be a performance impact.

"There is no expected 'downside,' but the potential for performance impact can exist when enabling new features based on existing device configuration and traffic load," Cisco told BleepingComputer.

Overall, if you are targeted by threat actors trying to brute-force your VPN accounts, it is strongly recommended that you enable these features, as compromised VPN credentials are commonly used to breach networks for ransomware attacks.

Daily Brief Summary

CYBERCRIME // Cisco Implements Features to Block VPN Brute-Force Attacks

Cisco has introduced new security features in ASA and FTD to combat brute-force and password spray attacks on VPNs.

These attacks have notably included massive brute-force attempts on various networking devices from multiple vendors including Cisco and Fortinet.

The new features were developed after the April attacks, which also exposed a Denial of Service (DoS) vulnerability, CVE-2024-20481, in which ASA and FTD devices exhausted resources under this type of traffic.

The security improvements not only prevent unauthorized access but also significantly reduce resource exhaustion on Cisco devices.

Full implementation across all software versions was achieved recently, with some Cisco admins reporting greatly diminished attack impact upon activation.

The configuration commands provided by Cisco shun IP addresses that make repeated incomplete connection attempts or repeated authentication requests within a defined window, thereby improving security posture.

Despite the benefits, one admin reported false positives until reverting to the default thresholds, and Cisco notes a potential performance impact depending on device configuration and traffic load, underscoring the importance of careful implementation.