Russian-Linked Bulletproof Hosting Networks Target Cisco ASA in Global Recon Campaign

Published Date: September 1, 2025
Category: ShadowOpsIntel
Share:

In late August 2025, security researchers observed a highly coordinated reconnaissance campaign targeting Cisco Adaptive Security Appliances (ASA). Unlike routine internet background noise, this wave was centrally managed, automated, and launched from abuse-tolerant bulletproof hosting networks. The operation represents a critical precursor to exploitation, mapping vulnerable ASA devices for subsequent denial-of-service, credential theft, and remote code execution attacks.

Severity Level: High

Campaign Characteristics

  • Scale & Timing: Nearly 350,000 ASA-related events logged in August 2025, peaking on August 28 with ~200,000 probes in just 20 hours.
  • Automation Fingerprints: 342 source IPs each delivered an identical workload (~10,102 requests), indicating scripted, centrally controlled scanning.
  • Recon Methods:
    • WebVPN probes (GET /+CSCOE+/, POST /+webvpn+/)
    • IKEv2 sweeps over UDP/500 & UDP/4500
    • Parameter fuzzing for version fingerprinting
  • Exploitation Mapping: Recon matched to known Cisco ASA CVEs,
    • DoS: CVE-2025-20182, CVE-2025-20134
    • Info Disclosure: CVE-2024-20353, CVE-2020-3452
    • RCE: CVE-2020-3452, CVE-2018-0101

Malicious Infrastructure

  1. AS401116 (NYBULA):
    • US-registered (Alaska) but uses Seychelles IP space.
    • Listed on Spamhaus ASN-DROP
    • Flagged by ThreatFox with 668 malware-related IOCs
    • Reported on AbuseIPDB for scanning and unauthorized access attempts.
    • Role in Campaign: The largest contributor to the reconnaissance wave (~70,707 hits), acting as the primary staging ground for automated scanning.
  2. AS401120 (CHEAPY-HOST)
    • US-registered (Virginia), Seychelles IP space. Created in May 2024.
    • Also, on Spamhaus ASN-DROP list
    • Flagged by ThreatFox with 769 malware-related IOCs
    • Role in Campaign: The second-largest contributor (~30,290 hits). Operationally linked to NYBULA, with shared upstream connectivity via AS401110.
  3. AS215540 (Global Connectivity Solutions LLP)
    • UK LLP backed by Seychelles shells. Linked to Yevgeniy Marinko (“dimetr50”) and Kirils Pestuns (Russian Laundromat).
    • Used for disinformation (Doppelganger) and Gamaredon/BoneSpy C2.
    • Smaller but high-value contributor (~9k hits).
  4. AS401110 (Sovy Cloud Services):
    The upstream provider for NYBULA and CHEAPY-HOST. Acts as the backbone enabling disposable malicious ASNs.

Strategic Intent

The campaign was not exploitation but target reconnaissance. By fingerprinting Cisco ASA appliances, attackers prepared a curated list of vulnerable systems for:

  • Denial of Service attacks for extortion/disruption.
  • Credential theft via VPN config disclosure.
  • Full device takeover (RCE) enabling lateral movement and ransomware.

Recommendations

  1. Ensure all ASA/FTD appliances are updated to the latest fixed releases, paying special attention to the IKEv2 and SSL/TLS advisories from May and August 2025.
  2. Add traffic to/from AS401116 (NYBULA), AS401120 (CHEAPY-HOST), and AS215540 (Global Connectivity Solutions LLP) to high-priority watchlists or block lists at firewalls, edge routers, or BGP filtering. These are confirmed abuse-tolerant bulletproof networks.
  3. Use the following example KQL queries to hunt for this activity in your own logs:
    • Hostile ASNs — geoip.asn: (401116 or 401120 or 215540)
    • ASA WebVPN Probes — geoip.asn: (401116 or 401120 or 215540) and destination.port: (443 or 8443) and payload_printable: (“GET /+CSCOE+/” or “POST /+webvpn+/”)
    • Query Fuzzing — geoip.asn: (401116 or 401120 or 215540) and payload_printable: ?
    • IKEv2 Sweeps — geoip.asn: (401116 or 401120 or 215540) and network.transport: udp and destination.port: (500 or 4500)
  4. Treat traffic from any ASN listed on Spamhaus ASN-DROP list as hostile by default.

Source:

  • https://medium.com/@Nadsec/honeypot-report-a-coordinated-reconnaissance-wave-against-cisco-asa-appliances-ddc49b6664ae
  • https://github.com/Rat5ak/Anatomy-of-a-Reconnaissance-Campaign-Deconstructing-Bullet-Proof-Host—AS401116-AS401120-AS215540/blob/main/README.md
  • https://bsky.app/profile/nadsec.online/post/3lxkjwjzhnk2v

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert