
Analysis of 81k Cisco Exploit Attempts Reveals Targeted Attacks and Vulnerability Exploitation
Over the past seven days, a dataset of 81,000 exploit attempts targeting Cisco devices has been collected from honeypots. These attempts originated from 241 unique IP addresses and used both brute-force attacks and exploitation of the known vulnerability CVE-2022-20759. The residual data from these attempts includes numerous username and password combinations, often referencing Cisco products and AnyConnect, a Cisco VPN client. A significant portion of these IP addresses is from the range 178.130.45/24, associated with GLOBAL CONNECTIVITY SOLUTIONS LLP.
CVE-2022-20759 is a critical vulnerability that allows attackers to execute arbitrary code on affected Cisco devices. The exploitation of this vulnerability, combined with brute-force attacks, indicates a concerted effort by attackers to gain unauthorized access to Cisco devices. The presence of specific username and password combinations suggests that attackers may have access to leaked credentials or are targeting default credentials that have not been changed.
The concentration of IP addresses from a specific range suggests that this range may be compromised or used by a particular threat actor group. Network administrators should consider blocking traffic from this range if it is not essential for their operations. Additionally, it is crucial to ensure that all Cisco devices are patched against known vulnerabilities and that strong, unique credentials are used for all network devices.
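The kind of aggregation behind the observations above (unique sources, how concentrated the attempts are per /24, and which credential pairs are tried most), as an added example that is not part of the original report. The log lines, addresses and credentials are constructed samples; only the 178.130.45/24 range comes from the report, and the 50% share threshold for flagging a /24 as a block-list candidate is an assumption.

```python
import ipaddress
from collections import Counter
from typing import Iterable, Iterator, Tuple

# Constructed sample records, one per line: "<src_ip> <username> <password>".
# Not real honeypot data; only the 178.130.45/24 range is taken from the report.
SAMPLE_LOG = """\
178.130.45.17 admin cisco123
178.130.45.17 admin Cisco1234
178.130.45.88 anyconnect anyconnect
178.130.45.91 admin cisco123
178.130.45.203 cisco cisco
203.0.113.9 admin admin
198.51.100.44 admin cisco123
"""

Record = Tuple[ipaddress.IPv4Address, str, str]


def parse_records(text: str) -> Iterator[Record]:
    """Yield (source_ip, username, password); skip malformed or non-IPv4 lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if isinstance(ip, ipaddress.IPv4Address):
            yield ip, parts[1], parts[2]


def summarize(records: Iterable[Record], min_share: float = 0.5) -> dict:
    """Count attempts and unique IPs, group attempts by /24, flag any /24 that
    carries at least min_share of all attempts, and rank credential pairs."""
    records = list(records)
    total = len(records)
    if total == 0:  # avoid division by zero on an empty capture
        return {"attempts": 0, "unique_ips": 0, "by_net": {},
                "block_candidates": [], "top_creds": []}
    by_net = Counter(ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _, _ in records)
    creds = Counter((user, pw) for _, user, pw in records)
    return {
        "attempts": total,
        "unique_ips": len({ip for ip, _, _ in records}),
        "by_net": {str(net): n for net, n in by_net.most_common()},
        "block_candidates": [str(net) for net, n in by_net.items() if n / total >= min_share],
        "top_creds": creds.most_common(3),
    }


if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LOG)))
```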
The high volume of exploit attempts highlights the ongoing interest of attackers in targeting Cisco devices. This underscores the importance of maintaining robust cybersecurity practices, including regular patching, monitoring for suspicious activity, and implementing strong access controls.