Security Experts Track Unusual Increase in Cisco ASA Scanning

The420.in Staff

Security researchers at GreyNoise detected an extraordinary spike in scanning activity targeting Cisco Adaptive Security Appliances (ASA) in late August. The first wave involved approximately 25,000 unique IP addresses probing ASA login portals and Cisco IOS Telnet/SSH services—far beyond the usual fewer-than-500 daily IPs. A second, smaller wave followed days later, using the same spoofed “Chrome-like” user agents, indicating it was likely orchestrated using the same scanning toolkit and infrastructure.

Brazilian Botnet in the Spotlight

The August 26 wave was largely traced to a coordinated botnet originating in Brazil, responsible for about 80% of the approximately 17,000 IPs involved that day. These IPs shared unique client and TCP signatures, underscoring a unified botnet infrastructure behind the campaign. The scans predominantly targeted U.S. networks, with secondary focus on the U.K. and Germany.

Adding to the concern, independent data from system administrator “NadSec – Rat5ak” revealed parallel scanning patterns starting July 31, culminating in a massive 200,000 hits on Cisco ASA endpoints within a 20-hour window, roughly 10K hits from each IP. These scans came from three ASNs: Nybula, Cheapy-Host, and Global Connectivity Solutions LLP.


What This Means and What You Can Do

Security experts have long noted that scanning spikes often precede the disclosure of new vulnerabilities; GreyNoise’s research shows this happens in 80% of cases. While Cisco devices have shown a slightly weaker correlation, the surge still serves as an early warning and a call to action.

IT administrators are urged to take immediate measures:

  • Apply the latest Cisco ASA patches and updates.
  • Restrict or remove direct internet exposure of ASA login interfaces, WebVPN, Telnet, and SSH; use VPN concentrators or reverse proxies instead.
  • Enforce multi-factor authentication (MFA) for any remote access.
  • Utilize scanning intelligence signals from GreyNoise and Rat5ak to proactively block malicious activity.
  • Consider geo-blocking or rate limiting traffic from high-risk regions.
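The baseline the article cites (normally fewer than 500 unique IPs a day versus tens of thousands during the waves) can be turned into a simple detection check. The following is an added example, not code from the article, GreyNoise or Rat5ak: it counts unique source IPs per day hitting the ASA login portal, flags days above the baseline, and reports the dominant user agent so a shared "Chrome-like" string stands out. The log line format, the login paths and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not Cisco's own syslog format):
#   <YYYY-MM-DD>T<time>Z <source IP> <request path> "<User-Agent>"
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2})T\S+ (\d+\.\d+\.\d+\.\d+) (\S+) "([^"]*)"$')

# Request paths taken to mean the ASA WebVPN/login portal is being probed (assumed).
LOGIN_PATHS = ("/+CSCOE+/logon.html", "/+webvpn+/")

def parse(lines):
    """Yield (date, src_ip, path, user_agent) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def summarize(lines):
    """Per day: the set of unique source IPs hitting login paths and a User-Agent histogram."""
    ips = defaultdict(set)
    uas = defaultdict(lambda: defaultdict(int))
    for date, ip, path, ua in parse(lines):
        if path.startswith(LOGIN_PATHS):
            ips[date].add(ip)
            uas[date][ua] += 1
    return ips, uas

def flag_spikes(ips, uas, baseline=500):
    """Days whose unique-IP count exceeds the baseline, with the dominant User-Agent."""
    alerts = []
    for date, srcs in sorted(ips.items()):
        if len(srcs) > baseline:
            top_ua, hits = max(uas[date].items(), key=lambda kv: kv[1])
            alerts.append({"date": date, "unique_ips": len(srcs),
                           "top_ua": top_ua, "top_ua_hits": hits})
    return alerts

def sample_lines():
    """Constructed sample: a quiet day, then a day with 600 sources sharing one Chrome-like UA."""
    chrome = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
    lines = [f'2025-08-25T09:0{i}:00Z 198.51.100.{i} /+CSCOE+/logon.html "curl/8.0"'
             for i in range(1, 4)]
    lines.append('2025-08-25T09:05:00Z 198.51.100.9 /index.html "curl/8.0"')  # not a login path
    lines.append("garbage line that does not parse")
    for i in range(600):
        lines.append(f'2025-08-26T03:00:00Z 10.0.{i // 256}.{i % 256} /+CSCOE+/logon.html "{chrome}"')
    return lines

if __name__ == "__main__":
    ips, uas = summarize(sample_lines())
    for alert in flag_spikes(ips, uas):
        print(alert)
```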

This sweeping reconnaissance campaign, driven by a highly organized botnet, signals a potentially greater threat: a new vulnerability or exploit may be just around the corner. Administrators must remain vigilant.
