New Cisco Security Features Combat Password Spraying Attacks
Cisco has introduced new security features for its ASA and Firepower Threat Defense (FTD) devices, aimed at defending against brute-force and password spraying attacks.
Password spraying attacks involve attempting a single password across multiple accounts to evade detection, while traditional brute-force attacks focus on trying different passwords for a single account.
In March, Cisco reported that attackers had been targeting VPN accounts en masse using this technique on network devices from various vendors, including Cisco, Checkpoint, Fortinet, and others. Successful attacks can result in unauthorized access, account lockouts, and resource exhaustion, ultimately leading to denial of service (DoS).
This wave of attacks led Cisco to identify a vulnerability in its devices that caused them to fail under large volumes of password attempts. The flaw, designated CVE-2024-20481 with a CVSS score of 5.8, has been mitigated, improving the resilience of ASA and FTD against such attacks.
Since June, Cisco has been rolling out new threat detection features on ASA and FTD devices, and updates for all versions became available in October. These features block repeated failed authentication attempts, multiple incomplete connections from a single host, and attempts to access certain embedded tunnel groups reserved exclusively for internal processes. Such activity can consume device resources, potentially leading to denial of service.
Enabling these new protection features requires supported versions of ASA and FTD software. A sample configuration includes the following commands:
threat-detection service invalid-vpn-access
– prevents connection attempts to embedded tunnel groups.
threat-detection service remote-access-client-initiations hold-down <minutes> threshold <count>
– blocks repeated authentication attempts from a single IP that remain incomplete.
threat-detection service remote-access-authentication hold-down <minutes> threshold <count>
– prevents multiple failed login attempts from one IP address.
When threshold values are exceeded within the specified period, Cisco’s software blocks the attacker’s address, thwarting further intrusion attempts. Cisco has also noted that excessive use of these new features may impact device performance, depending on its current configuration and load.
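As an added illustration (not Cisco's code or the page's own), the following Python models the threshold and hold-down behaviour described above over constructed failed-authentication events, and also counts distinct usernames per source to show how spraying (many accounts) differs from brute force (one account). The sliding-window accounting and the indefinite block are assumptions, not details from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed remote-access authentication events:
# (timestamp, source IP, username). Not real ASA/FTD log output.
SAMPLE_EVENTS = [
    ("2024-10-01T10:00:00", "203.0.113.7", "alice"),
    ("2024-10-01T10:00:05", "203.0.113.7", "bob"),
    ("2024-10-01T10:00:09", "203.0.113.7", "carol"),
    ("2024-10-01T10:00:12", "203.0.113.7", "dave"),    # 4th failure in window: exceeds threshold 3
    ("2024-10-01T10:00:20", "203.0.113.7", "erin"),    # source already blocked, attempt dropped
    ("2024-10-01T10:00:30", "198.51.100.2", "alice"),
    ("2024-10-01T10:20:00", "198.51.100.2", "alice"),  # 20 min later: first failure has aged out
    ("2024-10-01T10:20:01", "198.51.100.2", "alice"),
    ("2024-10-01T10:20:02", "198.51.100.2", "alice"),  # only 3 in a 10-minute window: not blocked
]


def evaluate(events, hold_down_minutes, threshold):
    """Return (blocked, dropped): blocked maps IP -> time the block was applied,
    dropped counts attempts refused because the source was already blocked.

    A source is blocked once its failed attempts within the last
    `hold_down_minutes` exceed `threshold` (assumed sliding-window semantics).
    """
    window = timedelta(minutes=hold_down_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    dropped = 0
    for ts_str, ip, _user in events:
        ts = datetime.fromisoformat(ts_str)
        if ip in blocked:
            dropped += 1          # blocked address: connection refused outright
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the hold-down
            q.popleft()
        if len(q) > threshold:
            blocked[ip] = ts
    return blocked, dropped


def distinct_users_per_ip(events):
    """Spraying indicator: many distinct accounts tried from one source."""
    seen = defaultdict(set)
    for _ts, ip, user in events:
        seen[ip].add(user)
    return {ip: len(users) for ip, users in seen.items()}
```

With a 10-minute hold-down and threshold 3, only 203.0.113.7 is blocked; widening the hold-down to 30 minutes also catches the slower single-account attempts from 198.51.100.2.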
Cisco recommends enabling these new protections against password-based attacks, as VPN account compromises are often exploited to breach corporate networks and spread malicious software, including ransomware.