
Scans targeting Cisco ASA devices lead to warnings of future attacks

Cisco sign near Cisco headquarters campus in Silicon Valley.

Two scanning surges against Cisco Adaptive Security Appliance (ASA) devices were observed by GreyNoise in late August, prompting warnings that attacks on a new ASA vulnerability were forthcoming.

GreyNoise reported on Sept. 4 that the first surge involved more than 25,000 unique IPs in a single burst, while a second smaller burst came days later.

Both events targeted the ASA web login path (/+CSCOE+/logon.html), a common reconnaissance marker for exposed devices. According to GreyNoise, subsets of the same IPs also probed GreyNoise’s Cisco Telnet/SSH and ASA software personas, which signals a Cisco-focused campaign rather than simply opportunistic scanning.

“When GreyNoise sees a surge in scans for specific devices like Cisco ASA, it's a clear pre-attack signal that highlights the information asymmetry between attackers and defenders,” explained Desired Effect CEO Evan Dornbush. “Attackers likely have exclusive knowledge of a zero-day flaw and are probing to build a target list, leaving defenders scrambling to catch up.”

Dornbush said teams must respond immediately with enhanced monitoring and by restricting access if and where possible. He also recommended that teams prepare to apply a patch the moment it's released, as attackers will move to exploit networks with extreme speed.

Jason Soroko, senior fellow at Sectigo, added that teams should expect reconnaissance to bleed into credential spraying and reuse of old Cisco CVEs while actors probe for a fresh pre-auth path.

Soroko’s advice: Monitor for spikes against ASA SSL VPN portals and IOS Telnet and SSH that share Chrome-like user agents and fast-changing sources. If a new flaw or proof of concept drops, the activity can pivot to mass exploit within hours.
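The signal described above, a burst of distinct sources hitting the ASA login path with browser-like user agents, can be checked in a defender's own access logs. The following is an added example, not code from the article, GreyNoise or any vendor quoted here: it parses a simplified, constructed log format (timestamp, source IP, method, path, user agent), buckets hits on /+CSCOE+/logon.html into fixed time windows, and flags windows with many unique sources. The log layout, the window size and the alert threshold are assumptions chosen for the sample data; the real surge involved 25,000 IPs, so production thresholds would be tuned to the environment.

```python
"""Flag scanning surges against the Cisco ASA web login path in access-style logs.

Added illustrative example. The log line format, window size and threshold are
assumptions; the sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Reconnaissance marker named in the article.
ASA_LOGIN_PATH = "/+CSCOE+/logon.html"

# Assumed line layout: <ISO time> <src ip> <method> <path> "<user agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")

# Constructed sample: eight distinct sources probe the login path within 30 seconds
# (six with a Chrome-like UA), two ordinary users log in hours later, plus noise.
SAMPLE_LOG = "\n".join([
    f'2025-08-26T02:00:01Z 198.51.100.10 GET {ASA_LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-26T02:00:03Z 198.51.100.11 GET {ASA_LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-26T02:00:05Z 203.0.113.7 GET {ASA_LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-26T02:00:09Z 203.0.113.8 GET {ASA_LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-26T02:00:12Z 192.0.2.44 GET {ASA_LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-26T02:00:15Z 192.0.2.45 GET {ASA_LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-26T02:00:21Z 192.0.2.46 GET {ASA_LOGIN_PATH} "curl/8.5.0"',
    f'2025-08-26T02:00:30Z 192.0.2.47 GET {ASA_LOGIN_PATH} "python-requests/2.31"',
    '2025-08-26T02:00:31Z 192.0.2.47 GET / "python-requests/2.31"',
    'this line is malformed and must be skipped',
    f'2025-08-26T09:15:10Z 198.51.100.200 GET {ASA_LOGIN_PATH} "Mozilla/5.0 Firefox/128.0"',
    f'2025-08-26T09:17:40Z 198.51.100.201 GET {ASA_LOGIN_PATH} "Mozilla/5.0 Firefox/128.0"',
])


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, ua = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"time": when, "ip": ip, "method": method, "path": path, "ua": ua}


def is_chrome_like(ua):
    """Crude check for the browser-like user agents the article says scanners share."""
    return "Chrome/" in ua


def find_surges(lines, window_seconds=300, min_unique_sources=5):
    """Bucket hits on the ASA login path into fixed windows and return alerts for
    windows where the number of distinct source IPs reaches the threshold."""
    buckets = defaultdict(lambda: {"ips": set(), "chrome": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != ASA_LOGIN_PATH:
            continue
        key = int(ev["time"].timestamp()) // window_seconds * window_seconds
        buckets[key]["ips"].add(ev["ip"])
        if is_chrome_like(ev["ua"]):
            buckets[key]["chrome"].add(ev["ip"])

    alerts = []
    for key in sorted(buckets):
        ips, chrome = buckets[key]["ips"], buckets[key]["chrome"]
        if len(ips) >= min_unique_sources:
            alerts.append({
                "window_start": datetime.fromtimestamp(key, tz=timezone.utc).isoformat(),
                "unique_sources": len(ips),
                # Share of distinct sources presenting a Chrome-like UA in this window.
                "chrome_like_share": round(len(chrome) / len(ips), 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_surges(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting distinct sources per window rather than raw request volume is what separates a distributed scan from one noisy client, and the Chrome-like share is a secondary hint, not a verdict on its own; a window that trips the threshold is a prompt to check the sources against threat intelligence and to confirm that no management interface is reachable from those addresses.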

“The likely objective is remote access takeover, followed by data theft and lateral movement,” said Soroko. “Security teams need to reduce exposure now. Pull management off the internet and disable Telnet while constraining SSH to a jump host. Gate VPN portals with IP allow lists or zero trust access and use phishing resistant MFA or client certificates.”

Justin Kikani, incident detection engineer at Blumira, said the sudden increase in external ASA scanning is worth following as a possible indicator of upcoming attacker activity, but security teams shouldn’t wait until a confirmed vulnerability disclosure to make sure the organization’s firewall is patched and up-to-date.

“Prompt patching and limiting exposure of non-essential services are some of the most effective proactive steps teams can take to reduce the attack surface,” said Kikani.

Here are some best practices Kikani said teams should keep in mind:

  • Double-check that no management or admin interfaces are exposed to the outside; Cisco has had several recent vulnerabilities targeting these backend portals.
  • Audit existing firewall rules, both for open services and those which can be deprecated or removed.
  • Use tools like Tailscale, Twingate, or VPNs to restrict access.
  • Rely on network intermediaries: implement reverse proxies (e.g., NGINX) to add an additional layer of defense.
  • Enforce strong MFA for users and admins, following the principle of least privilege.
  • Enable comprehensive logging and send logs to a SIEM if possible to maintain visibility, the first step in readiness and identifying risk early.
