Hackers Target Cisco ASA Devices in Massive Scan Across 25,000 IPs


Security researchers have identified extensive scanning campaigns targeting Cisco Adaptive Security Appliance (ASA) devices. These campaigns involve probing over 25,000 unique IP addresses, potentially indicating an impending vulnerability disclosure.

Cybersecurity researchers at GreyNoise observed two notable surges in scanning against Cisco ASA devices in late August. The first surge involved over 25,000 unique IP addresses in a single coordinated wave, followed by a smaller, related campaign.

These activities represent a significant increase from the typical baseline, which usually involves fewer than 500 IP addresses per day. The campaigns specifically targeted the ASA web login path at /+CSCOE+/logon.html, a common reconnaissance marker used to identify exposed devices.

Coordinated Botnet Campaign

Analysis indicates the wave on August 26 was primarily driven by a single botnet cluster concentrated in Brazil. Researchers identified a specific client fingerprint, revealing that approximately 14,000 of the 17,000 active IP addresses that day were associated with this coordinated botnet operation. The attackers employed shared client signatures and spoofed Chrome-like user-agents, suggesting the use of a common scanning toolkit across both events.

Subsets of the same IP addresses also targeted Cisco Telnet/SSH services, indicating a specific focus on Cisco infrastructure rather than opportunistic scanning.
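The two indicators the researchers describe, a surge in distinct source IPs requesting /+CSCOE+/logon.html far above the roughly 500-per-day baseline and a large share of those sources presenting one spoofed Chrome-like client signature, can both be checked from a defender's own access logs. The script below is an added example written for this article, not code from GreyNoise or Cisco. It assumes the logs are in Apache combined format (an assumption; the ASA's own syslog format differs), uses the User-Agent string as a crude stand-in for the client fingerprint the researchers used, and runs over a small constructed sample with made-up dates and documentation-range IPs.

```python
"""Flag scanning surges against the Cisco ASA web login path.

Added example (not from the original article). Parses combined-format
access log lines, counts distinct source IPs per day that request
/+CSCOE+/logon.html, and reports days whose count exceeds a baseline,
together with how concentrated the User-Agent strings are on those days.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOGON_PATH = "/+CSCOE+/logon.html"

# Apache combined log format; the shape is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed User-Agent values for the sample data.
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
OTHER_UA = "curl/8.4.0"


def parse_line(line):
    """Parse one combined-format line into a dict (None if it does not match).
    A calendar-day key is derived from the timestamp for per-day bucketing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["day"] = ts.date().isoformat()
    return rec


def logon_probes_by_day(lines):
    """Return (ips, uas): ips maps day -> set of distinct source IPs that hit
    the login path; uas maps day -> Counter of User-Agent strings, counted
    once per (ip, ua) pair so a chatty single host cannot skew the share."""
    ips = defaultdict(set)
    uas = defaultdict(Counter)
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?")[0] != LOGON_PATH:
            continue
        ips[rec["day"]].add(rec["ip"])
        key = (rec["day"], rec["ip"], rec["ua"])
        if key not in seen:
            seen.add(key)
            uas[rec["day"]][rec["ua"]] += 1
    return ips, uas


def flag_surges(ips, uas, baseline=500, min_share=0.5):
    """Return [(day, n_ips, top_ua, share, concentrated)] for days whose
    distinct-IP count exceeds `baseline` (default: the ~500/day the article
    cites as normal). `share` is the fraction of probing IPs presenting the
    single most common User-Agent; `concentrated` is True when that share
    reaches `min_share`, the pattern expected from one shared toolkit."""
    out = []
    for day in sorted(ips):
        n = len(ips[day])
        if n <= baseline:
            continue
        top_ua, cnt = uas[day].most_common(1)[0]
        share = cnt / n
        out.append((day, n, top_ua, share, share >= min_share))
    return out


def build_sample_logs():
    """Constructed sample: a quiet day with 2 probing IPs and a surge day with
    40 probing IPs, 30 of which share one spoofed Chrome-like User-Agent,
    plus one unrelated request that must not be counted."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1234 "-" "{ua}"'
    lines = []
    for i in range(2):
        lines.append(fmt.format(ip=f"203.0.113.{i + 1}",
                                ts="25/Aug/2025:10:00:00 +0000",
                                path=LOGON_PATH, ua=OTHER_UA))
    for i in range(40):
        ua = SPOOFED_UA if i < 30 else OTHER_UA
        lines.append(fmt.format(ip=f"198.51.100.{i + 1}",
                                ts=f"26/Aug/2025:03:{i:02d}:00 +0000",
                                path=LOGON_PATH, ua=ua))
    lines.append(fmt.format(ip="198.51.100.200",
                            ts="26/Aug/2025:04:00:00 +0000",
                            path="/", ua=OTHER_UA))
    return lines


if __name__ == "__main__":
    ips, uas = logon_probes_by_day(build_sample_logs())
    # The sample is tiny, so a baseline of 10 is used instead of 500 here.
    for day, n, ua, share, concentrated in flag_surges(ips, uas, baseline=10):
        print(f"{day}: {n} distinct IPs probed {LOGON_PATH}; "
              f"{share:.0%} share top UA ({'concentrated' if concentrated else 'diverse'}): {ua}")
```

Against real logs the defaults apply: a day above 500 distinct sources on the login path is the surge signal, and a high single-agent share on that day is the hint that one toolkit is behind it rather than many independent scanners. Feed the flagged IP sets into whatever blocklist or alerting process the team already uses; the script only produces the evidence.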

Global Attack Pattern

In the past 90 days, scanning activity has shown distinct geographic patterns, with Brazil being the dominant source country, accounting for 64% of malicious traffic, followed by Argentina and the United States at 8% each. In contrast, the United States was the primary target, facing 97% of attacks, while the United Kingdom and Germany encountered 5% and 3%, respectively. This concentration suggests a targeted hunt for vulnerable Cisco ASA devices within American networks.

These massive scanning campaigns may serve as an early warning of upcoming vulnerability disclosures. GreyNoise research indicates that scanning spikes often precede new CVE announcements, and previous scanning against Cisco ASA devices has spiked shortly before new vulnerability disclosures, which suggests the August events may be significant.

Cisco ASA devices have historically been targeted by sophisticated threat actors. For instance, the ArcaneDoor espionage campaign exploited two zero-day vulnerabilities to infiltrate government networks. Ransomware groups, including Akira and LockBit, have also targeted these systems for initial network access.

Security Recommendations

Security teams should minimize exposure by avoiding direct internet placement of ASA web portals, Telnet, or SSH services. Organizations are advised to implement multi-factor authentication for remote access and prepare for rapid patching if new vulnerabilities emerge. Even fully patched organizations should consider blocking identified malicious IP addresses to reduce the likelihood of being targeted in future exploit campaigns.

Continuous monitoring of scanning activity can provide early warning of emerging threats against critical network infrastructure.
