New Cisco ASA and FTD features block VPN brute-force password attacks

Cisco has added new security features that significantly mitigate brute-force and password spray attacks on Cisco ASA and Firepower Threat Defense (FTD), helping protect the network from breaches and reducing resource utilization on devices.

Password spray and brute force attacks are similar in that they both attempt to gain unauthorized access to an online account by guessing a password.

However, password spray attacks will attempt to simultaneously use the same passwords across multiple accounts to evade defenses. In contrast, brute force attacks repeatedly target a single account with different password attempts.

In April, Cisco disclosed that threat actors were conducting massive brute-force attacks against VPN accounts on a variety of networking devices, including those from Cisco, Checkpoint, Fortinet, SonicWall, RD Web Services, Miktrotik, Draytek, and Ubiquiti.

Cisco warned that successful attacks could lead to unauthorized access, account lockouts, and denial-of-service states depending on the targeted environment.

These attacks allowed Cisco to discover and fix a Denial of Service vulnerability, tracked as CVE-2024-20481, that exhausted resources on Cisco ASA and FTD devices when hit with these types of attacks.

New VPN brute-force attack protection features

After being hit with the attacks in April, Cisco released new threat detection capabilities in Cisco ASA and Firewall Threat Defense (FTD) that significantly reduce the impact of brute-force and password spray attacks.

While these features have been available for some software versions since June, they did not become available for all versions until this month.

Unfortunately, when speaking to some Cisco admins, they were unaware of these new features. However, those who were, reported significant success in mitigating VPN brute-force attacks when the features are enabled.

“It worked so magically that the hourly 500K failures lowered to 170! over last night!,” a Cisco admin shared on Reddit.

These new features are part of the threat detection service and block the following types of attacks:

• Repeated failed authentication attempts to remote access VPN services (brute-force username/password scanning attacks).
• Client initiation attacks, where the attacker starts but does not complete the connection attempts to a remote access VPN headend repeated times from a single host.
• Connection attempts to invalid remote access VPN services. That is, when attackers try to connect to specific built-in tunnel groups intended solely for the internal functioning of the device. Legitimate endpoints should never attempt to connect to these tunnel groups.

Cisco told BleepingComputer that client initiation attacks are usually conducted to consume resources, potentially putting the device in a denial of service state.

To enable these new features, you must be running a supported version of Cisco ASA and FTD, which are listed below:

If you are running a support software version, you can use the following commands to enable the new features.

To prevent threat actors from attempting to connect to built-in tunnel groups that are not meant to usually be connected to, you would enter this command:

threat-detection service invalid-vpn-access

To prevent repeated attempts from the same IP address to initiate an authentication request to the RAVPN service but never complete it, you would use this command:

threat-detection service remote-access-client-initiations hold-down  threshold 

Finally, to prevent repeated authentication requests from the same IP address, you would use this command:

threat-detection service remote-access-authentication hold-down  threshold 

For both the remote-access-client-initiations and remote-access-authentication features, the minutes and count variables have the following definitions:

• hold-down defines the period after the last initiation attempt during which consecutive connection attempts are counted. If the number of consecutive connection attempts meets the configured threshold within this period, the attacker’s IPv4 address is shunned. You can set this period between 1 and 1440 minutes. 
• threshold is the number of connection attempts required within the hold-down period to trigger a shun. You can set the threshold between 5 and 100.

If IP addresses make too many connection or authentication requests in the defined period, then the Cisco ASA and FTD software will shun, or block, the IP address indefinitely until you manually remove it using the following command:

no shun source_ip [ vlan vlan_id]

A Cisco ASA admin shared a script that can automatically remove all shunned IP addresses every seven days on Reddit.

An example of a complete configuration shared by Cisco that enables all three features is:

threat-detection service invalid-vpn-access
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
threat-detection service remote-access-authentication hold-down 10 threshold 20

An admin on Reddit further noted that the client initiation protections caused some false positives in their environment but performed better after reverting to the defaults of hold-down 10 and threshold 20.

When BleepingComputer asked if there is any downside to utilizing these features if RAVPN is enabled, they said there could be a potential for a performance impact.

“There is no expected “downside,” but the potential for performance impact can exist when enabling new features based on existing device configuration and traffic load,” Cisco told BleepingComputer.

Overall, if you targeted by threat actors trying to brute force your VPN accounts, it is strongly recommended that you enable these features to mitigate these attacks as compromised VPN credentials are commonly utilized to breach networks for ransomware attacks.