
Brute-force password attacks on VPN services

  • Writer: Aaron Magruder
  • Jan 2
  • 1 min read

Brute-force password attacks on VPN services are locking users out of their accounts. The attempts arrive so rapidly that an account, once unlocked, can be locked again within 10 seconds or less. Blocking IP ranges offers only a temporary solution: attackers control numerous bots, so as soon as one IP or network is blocked the next login attempt originates from a different IP.


Suggested mitigation techniques for Cisco FTD and ASA


1) Move from SSL VPN to IPSec VPN

2) Disable SSL VPN if possible, or enable the keepout option in FMC/FTD so the username/password prompt is not displayed.

(Disabling the service prevents the FTD from deploying new client updates, so another software distribution method for the VPN client will be needed.)

3) Upgrade to a supported FTD release and enable Threat Detection for Remote Access VPN

4) Enable MFA
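The detection side of the behaviour described at the top of this post, as an added example (not the author's code and not a Cisco tool): a small Python script that replays constructed syslog lines modelled on the FTD/ASA "AAA user authentication Rejected" message and flags a user whose rejections cluster inside a 10-second window, counting the distinct source IPs so the rotating-IP pattern is visible. The exact message layout, host name, user names and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines modelled on the Cisco ASA/FTD 113015 authentication-
# rejected message; host, users, addresses and timestamps are invented.
SAMPLE_LOG = """\
Jan 02 2024 10:15:00 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.10
Jan 02 2024 10:15:02 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.7
Jan 02 2024 10:15:03 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 192.0.2.55
Jan 02 2024 10:15:05 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 203.0.113.44
Jan 02 2024 10:15:06 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = jsmith : user IP = 198.51.100.9
Jan 02 2024 10:31:40 fw01 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = bjones : user IP = 203.0.113.200
"""

# Assumed layout: syslog timestamp, host, message id, then "user = X : user IP = Y".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113015: "
    r".*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejections(log_text):
    """Yield (timestamp, user, source_ip) for every rejected-authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_bursts(log_text, window_seconds=10, threshold=5):
    """Flag users with at least `threshold` rejections inside a sliding window.

    Returns {user: {"attempts": n, "distinct_ips": m}}. Counting per target
    user instead of per source IP is the point: the attack rotates source
    addresses, so a per-IP counter (or an IP block list) never trips.
    """
    recent = defaultdict(deque)  # user -> (timestamp, ip) entries inside the window
    flagged = {}
    for ts, user, ip in parse_rejections(log_text):
        q = recent[user]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = {"attempts": len(q), "distinct_ips": len({i for _, i in q})}
    return flagged


if __name__ == "__main__":
    for user, info in find_bursts(SAMPLE_LOG).items():
        print(f"{user}: {info['attempts']} rejections in 10s from {info['distinct_ips']} IPs")
```

Point the script at exported FTD/ASA syslog and adjust `LINE_RE` to the message variant your deployment emits (the 113005 RADIUS/LDAP form carries the user and IP in the same positions).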


More information



Configure Threat Detection for Remote Access VPN Services on Secure Firewall Threat Defense





Kansas City Cisco Select Partner


© 2016 NonStop Networks, LLC
