An unprecedented surge in malicious scanning activity targeting Cisco Adaptive Security Appliances (ASAs) occurred in late August 2025, with over 25,000 unique IP addresses participating in coordinated reconnaissance efforts.
GreyNoise, a threat intelligence company, observed two distinct scanning waves that represent a dramatic escalation from the typical baseline activity of fewer than 500 IPs per day. The August 22 spike involved approximately 25,000 unique addresses, followed by a smaller but related campaign days later.
Analysis reveals that the August 26 wave was primarily driven by a single botnet cluster concentrated in Brazil. Of the roughly 17,000 active IPs that day, more than 14,000, representing over 80%, were tied to this coordinated botnet campaign.

The attackers used shared client signatures and spoofed Chrome-like user-agents, indicating deployment of common scanning toolkits across the infrastructure.
“The client signature was seen alongside a suite of closely related TCP signatures, suggesting all nodes share a common stack and tooling,” researchers noted, confirming the coordinated nature of the campaign.
Geographic Distribution and Targeting Patterns
Over the past 90 days, scanning activity has shown distinct geographic patterns. Brazil dominates source countries at 64%, followed by Argentina and the United States at 8% each.
However, the targeting is heavily focused on U.S. infrastructure, with 97% of attacks aimed at American networks, while the United Kingdom and Germany account for 5% and 3% respectively, GreyNoise observed.

Both scanning surges specifically targeted the ASA web login path /+CSCOE+/logon.html, a common reconnaissance marker used to identify exposed devices. Subsets of the same IP addresses also probed Cisco Telnet/SSH and ASA software personas, indicating a deliberate Cisco-focused campaign rather than opportunistic scanning.
The timing and scale of these scanning campaigns may signal an impending vulnerability disclosure. GreyNoise’s Early Warning Signals research has demonstrated that scanning spikes often precede the announcement of new Common Vulnerabilities and Exposures (CVEs). Historical data shows similar activity surges occurred shortly before previous Cisco ASA vulnerability disclosures.
Cisco ASA devices have been prime targets for sophisticated threat actors. The ArcaneDoor espionage campaign previously exploited two zero-day vulnerabilities in Cisco ASA systems to infiltrate government networks.
Ransomware groups, including Akira and LockBit, have also historically targeted these devices, while CVE-2020-3452 was weaponized globally within days of its disclosure.
Organizations running Cisco ASA infrastructure should immediately review their exposure, ensure systems are fully patched, and monitor for unusual authentication attempts.
Given the scale and coordination of this scanning activity, security teams should prepare for potential zero-day exploitation attempts and consider implementing additional monitoring around ASA devices.
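The two observable markers the article describes, a surge in distinct source IPs hitting /+CSCOE+/logon.html and many of those sources presenting the same Chrome-like user-agent, can both be checked from access logs. The script below is an added example for this page, not code from GreyNoise or Cisco. It assumes the ASA login page is fronted by something that writes combined-format access logs (a reverse proxy or log forwarder); the log lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the baseline of 500 used in the test are constructed, and the user-agent string is a generic Chrome UA, not the actual signature GreyNoise observed.

```python
"""Flag reconnaissance surges against the Cisco ASA web login path.

Hypothetical detection script written for this article (not GreyNoise's or
Cisco's tooling). It assumes combined-format access logs; adapt LOG_RE to
whatever log source actually fronts your ASA.
"""
import re
from collections import defaultdict
from datetime import datetime

ASA_LOGON_PATH = "/+CSCOE+/logon.html"

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Generic Chrome UA used as a stand-in for the shared client signature (constructed).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


def _line(ip, day, path, ua):
    """Build one constructed access-log line for the sample data below."""
    return (f'{ip} - - [{day}/Aug/2025:03:14:07 +0000] "GET {path} HTTP/1.1" '
            f'200 1582 "-" "{ua}"')


# Constructed sample: a quiet day, then a day where four sources share one UA.
SAMPLE_LOG = [
    _line("198.51.100.5", "21", ASA_LOGON_PATH, "curl/8.4.0"),
    _line("198.51.100.6", "21", ASA_LOGON_PATH, "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"),
    _line("203.0.113.10", "22", ASA_LOGON_PATH, CHROME_UA),
    _line("203.0.113.11", "22", ASA_LOGON_PATH, CHROME_UA),
    _line("203.0.113.12", "22", ASA_LOGON_PATH, CHROME_UA),
    _line("203.0.113.13", "22", ASA_LOGON_PATH, CHROME_UA),
    _line("203.0.113.10", "22", ASA_LOGON_PATH, CHROME_UA),   # repeat IP, counted once
    _line("198.51.100.7", "22", "/index.html", CHROME_UA),    # not the logon path, ignored
    _line("198.51.100.8", "22", ASA_LOGON_PATH, "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"),
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["date"] = ts.date().isoformat()
    return rec


def logon_probes(lines, path=ASA_LOGON_PATH):
    """Yield parsed records whose request path is the ASA logon page."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            yield rec


def unique_sources_per_day(lines):
    """Map each day to the number of distinct IPs that requested the logon page."""
    per_day = defaultdict(set)
    for rec in logon_probes(lines):
        per_day[rec["date"]].add(rec["ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def spike_days(lines, baseline=500):
    """Days whose distinct-source count exceeds the expected daily baseline."""
    return [day for day, n in unique_sources_per_day(lines).items() if n > baseline]


def shared_ua_clusters(lines, min_sources=3):
    """User-agents presented by at least min_sources distinct IPs against the logon page.

    A single UA string shared by many unrelated sources is the kind of common
    client signature that points at one toolkit driving a coordinated scan.
    """
    ips_by_ua = defaultdict(set)
    for rec in logon_probes(lines):
        ips_by_ua[rec["ua"]].add(rec["ip"])
    return {ua: sorted(ips) for ua, ips in ips_by_ua.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    print("distinct sources per day:", unique_sources_per_day(SAMPLE_LOG))
    print("spike days (baseline 3):", spike_days(SAMPLE_LOG, baseline=3))
    for ua, ips in shared_ua_clusters(SAMPLE_LOG).items():
        print(f"{len(ips)} sources share UA {ua!r}: {ips}")
```

In production the per-day count is compared against your own observed baseline rather than the 500-IP figure from the article, and the cluster output is the list you would feed into blocking or into the authentication-attempt monitoring the article recommends.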
The unprecedented scale of this reconnaissance campaign suggests threat actors may be positioning for a significant vulnerability exploitation wave, making immediate defensive preparations critical for organizations relying on Cisco ASA security appliances.