Brute force will not pass: Cisco strengthens VPN protection against mass attacks

Man
Cisco upgrades network security with a way to block hackers.

Cisco has added new security features to ASA and Firepower Threat Defense (FTD) devices to protect their remote-access VPN service against brute-force and password-spraying attacks.

In a password-spraying attack, the attacker tries one password (or a short list of common ones) against many different accounts, which keeps the failure count per account low and avoids lockouts and simple detection; a traditional brute-force attack instead hammers a single account with many different passwords.

In March, Cisco reported that attackers were running large-scale credential-guessing campaigns of this kind against VPN accounts on network devices from several vendors, including Cisco, Check Point, Fortinet and others. Successful attacks can lead to unauthorized access and account lockouts, and the sheer volume of attempts can overload the device, ultimately causing a denial of service (DoS).

It was this wave of attacks that led Cisco to discover a weakness in its own devices: under massive password-guessing traffic, the remote-access VPN service could be exhausted and stop working. The flaw was assigned CVE-2024-20481 (CVSS score: 5.8) and has already been fixed, making ASA and FTD more resilient to such attacks.

Since June, Cisco has been rolling out new threat-detection features on ASA and FTD devices, and in October updates became available for all supported release trains. The features block hosts that repeatedly fail authentication, hosts that repeatedly start connections without completing them, and attempts to connect to built-in tunnel groups that exist only for the device's internal use and are never meant for user logins. All of these behaviours consume device resources and can also be used to cause a denial of service.

To activate the new features you must be running a supported ASA or FTD software version. The sample configuration consists of the following commands:
  • threat-detection service invalid-vpn-access – rejects connection attempts to built-in tunnel groups that are not meant for user logins.
  • threat-detection service remote-access-client-initiations hold-down <minutes> threshold <count> – blocks a source IP that starts more than <count> VPN connections within <minutes> without completing them.
  • threat-detection service remote-access-authentication hold-down <minutes> threshold <count> – blocks a source IP that accumulates more than <count> failed authentication attempts within <minutes>.

If a threshold is exceeded within the specified hold-down period, the software shuns the offending address and drops its further connection attempts. Cisco also notes that the features can affect device performance, depending on the current configuration and load. Because blocking is per source IP, a threshold set too low can also lock out legitimate users who share an egress address (for example behind a corporate NAT), so the values should be tuned against normal failure rates.
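The hold-down/threshold logic described above is easy to misjudge, so the following is an added example (not Cisco's code, and not part of the original article) that replays it in Python over a handful of constructed ASA-style `%ASA-6-113005` authentication-failure syslog lines. It implements a rolling window the way the text describes the commands: once a source IP accumulates `threshold` failures inside `hold_down_minutes`, it is "shunned" and its later attempts are ignored. The window semantics and the log format are assumptions modelled on the public ASA message format; the sample log lines are constructed. The second run shows the caveat a practitioner should keep in mind: a low-and-slow spray that spaces its attempts wider than the hold-down period never trips the threshold.

```python
"""Replay of a hold-down/threshold shun policy over ASA-style auth-failure logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, modelled on %ASA-6-113005 "authentication Rejected".
# 198.51.100.7: a user with two typos; 203.0.113.9: a fast spray over 5 accounts;
# 192.0.2.1: a slow spray, one account every 20 minutes.
SAMPLE_LOG = """\
Oct 24 2024 10:00:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7
Oct 24 2024 10:00:04 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jsmith : user IP = 198.51.100.7
Oct 24 2024 10:00:30 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 203.0.113.9
Oct 24 2024 10:00:31 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = test : user IP = 203.0.113.9
Oct 24 2024 10:00:32 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = vpn : user IP = 203.0.113.9
Oct 24 2024 10:00:33 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = guest : user IP = 203.0.113.9
Oct 24 2024 10:00:34 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = backup : user IP = 203.0.113.9
Oct 24 2024 10:20:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = a : user IP = 192.0.2.1
Oct 24 2024 10:40:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = b : user IP = 192.0.2.1
Oct 24 2024 11:00:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = c : user IP = 192.0.2.1
Oct 24 2024 11:20:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = d : user IP = 192.0.2.1
Oct 24 2024 11:40:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = e : user IP = 192.0.2.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r".*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every 113005 line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["user"], m["ip"]


def detect_shuns(log_text, hold_down_minutes, threshold):
    """Return {ip: {...}} for every source that hits `threshold` failures inside
    a rolling `hold_down_minutes` window (assumed semantics of hold-down/threshold)."""
    window = timedelta(minutes=hold_down_minutes)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    users = defaultdict(set)      # distinct usernames tried from each IP
    shunned = {}
    for ts, user, ip in parse_failures(log_text):
        if ip in shunned:
            continue  # already blocked: the device would drop this attempt
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and q[0] < ts - window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            shunned[ip] = {
                "blocked_at": ts,
                "users_tried": sorted(users[ip]),
                # many accounts from one source = spraying; one account = brute force
                "pattern": "password spraying" if len(users[ip]) > 1 else "brute force",
            }
    return shunned


if __name__ == "__main__":
    for minutes in (10, 120):
        print(f"hold-down {minutes} min, threshold 5:")
        for ip, info in detect_shuns(SAMPLE_LOG, minutes, 5).items():
            print(f"  shun {ip} at {info['blocked_at']:%H:%M:%S} ({info['pattern']}, "
                  f"{len(info['users_tried'])} accounts)")
```

With a 10-minute hold-down the fast spray from 203.0.113.9 is shunned on its fifth failure, the two typos from 198.51.100.7 are left alone, and the slow spray from 192.0.2.1 is never caught; only a 120-minute hold-down catches it, which is the trade-off between coverage and the NAT lockout risk mentioned above.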

Cisco recommends enabling the new brute-force protections, because compromised VPN accounts are a common entry point into corporate networks and are often used to deploy malware such as ransomware.
