GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August. The first involved more than 25,000 unique IPs in a single burst; the second, smaller but related, followed days later. This activity is a significant elevation above the baseline, which typically registers fewer than 500 IPs per day.
Both events targeted the ASA web login path (/+CSCOE+/logon.html), a common reconnaissance marker for exposed devices. Subsets of the same IPs also probed GreyNoise’s Cisco Telnet/SSH and ASA software personas, signaling a Cisco-focused campaign rather than purely opportunistic scanning.
The Two Spikes
- Spike One: ~25,000 IPs scanned ASA login portals; a subset also targeted Cisco IOS Telnet/SSH.
- Spike Two: A smaller wave repeated ASA probing, with subsets hitting both IOS Telnet/SSH and ASA software personas.
- Shared traits: Overlapping client signatures and spoofed Chrome-like user-agents, indicating a common scanning toolkit used across both events.
Geographic Context
In the past 90 days, GreyNoise has observed traffic triggering its Cisco ASA Scanner tag originating from and targeting the following countries:
Top Source Countries:
- Brazil (64%)
- Argentina (8%)
- United States (8%)
Top Target Countries:
- United States (97%)
- United Kingdom (5%)
- Germany (3%)
Note: Target country percentages may sum to more than 100% because one source IP can target several IPs based in different countries.
Brazil-Heavy Botnet Behind August 26 Wave
Analysis of the August 26 wave shows that it was driven primarily by a single botnet cluster concentrated in Brazil. By isolating a specific client fingerprint, and reviewing two months of activity, GreyNoise determined that this fingerprint was used exclusively to scan for Cisco ASA devices.
On August 26:
- 16,794 IPs were observed scanning ASA devices.
- 2,858 did not match this client signature.
- Meaning roughly 14,000 of the ~17,000 IPs active that day — more than 80% — were tied to this botnet.
The client signature was seen alongside a suite of closely related TCP signatures, suggesting all nodes share a common stack and tooling. This makes the August 26 spike attributable to a coordinated botnet campaign dominated by Brazil-sourced infrastructure.
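The per-day counting and fingerprint isolation described above can be applied to your own edge or honeypot logs. The following is an added example, not GreyNoise's code; the log format, the fp-A/fp-B fingerprint labels, the 3x-median threshold and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

ASA_LOGIN_PATH = "/+CSCOE+/logon.html"  # path named in the article
# Assumed log format: "<date> <src_ip> <client_fingerprint> <method> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (GET|POST|HEAD) (\S+)$")

def daily_unique_ips(lines):
    """Map day -> {fingerprint -> set of source IPs} for ASA login probes."""
    days = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(5).split("?", 1)[0] == ASA_LOGIN_PATH:
            days[m.group(1)][m.group(3)].add(m.group(2))
    return days

def find_spikes(lines, factor=3.0):
    """Return (day, unique_ips, top_fingerprint, share) for days whose
    unique-IP count exceeds factor x the median of all earlier days."""
    days, history, report = daily_unique_ips(lines), [], []
    for day in sorted(days):
        by_fp = days[day]
        total = len(set().union(*by_fp.values()))  # an IP counts once per day
        if history and total > factor * median(history):
            top_fp, top_ips = max(by_fp.items(), key=lambda kv: len(kv[1]))
            report.append((day, total, top_fp, round(len(top_ips) / total, 2)))
        history.append(total)
    return report

def sample_lines():
    """Constructed data: three quiet days, then a burst dominated by fp-A."""
    lines = []
    for d in ("2000-01-01", "2000-01-02", "2000-01-03"):
        lines += [f"{d} 192.0.2.{i} fp-B GET {ASA_LOGIN_PATH}" for i in (1, 2)]
        lines.append(f"{d} 192.0.2.9 fp-B GET /index.html")  # other path, ignored
    lines += [f"2000-01-04 198.51.100.{i} fp-A GET {ASA_LOGIN_PATH}" for i in range(1, 9)]
    lines += [f"2000-01-04 192.0.2.{i} fp-B GET {ASA_LOGIN_PATH}" for i in (1, 2)]
    lines.append(f"2000-01-04 198.51.100.1 fp-A GET {ASA_LOGIN_PATH}")  # repeat IP
    return lines

if __name__ == "__main__":
    for day, total, fp, share in find_spikes(sample_lines()):
        print(f"{day}: {total} unique IPs, {share:.0%} share fingerprint {fp}")
```

Days with no probes at all do not appear in the history, so the baseline here is the median of days that saw at least one request to the login path.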
Could Indicate Upcoming Cisco ASA Vulnerability Disclosure
GreyNoise’s Early Warning Signals research shows that scanning spikes often precede disclosure of new CVEs. In past cases, activity against GreyNoise’s Cisco ASA Scanner tag surged shortly before a new ASA vulnerability was disclosed (see last row in chart below). The late-August spikes may represent a similar early warning signal.

Even if organizations are fully patched, blocking these IPs now may reduce the likelihood of appearing on target lists used to exploit new CVEs in the future.
Related Real-World Precedent
- Espionage: The ArcaneDoor campaign used two zero-days in Cisco ASA (Line Dancer, Line Runner) to infiltrate government networks.
- Ransomware: The Akira and LockBit ransomware groups have historically targeted Cisco ASA systems.
- Global Campaign: CVE-2020-3452 was weaponized worldwide soon after disclosure, with exploitation attempts observed within days.
Defender Takeaways
- Limit exposure: Avoid placing ASA web portals, Telnet, or SSH directly on the internet.
- Patch quickly if a new CVE emerges: ASA vulnerabilities have historically been exploited soon after disclosure.
- Require MFA: Strengthen remote access with multi-factor authentication.
Monitor GreyNoise’s Cisco ASA tags for real-time scanning and exploitation activity:
- Cisco ASA Scanner
- Cisco ASA CVE-2020-3259 Information Disclosure Attempt
- Cisco ASA Information Disclosure Attempt
- Cisco ASA XSS Attempt
- Cisco ASA Arbitrary File Retrieval Attempt
GreyNoise will continue monitoring the situation and update this blog as necessary. Concentrated reconnaissance bursts, such as those in August, should be treated as potential early indicators of future vulnerability disclosures.
Please contact your GreyNoise support team if you are interested in the JA4+ signatures in this investigation.
GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.
— — —
This research and discovery was a collaborative effort between Towne Besel and Noah Stone.
