Late-August scanning surge against Cisco ASA and Cisco IOS Telnet/SSH

Target Trend
H score 37
1 unique source, 1 article

Summary

Late August 2025 saw a sharp rise in reconnaissance against Cisco ASA and related Cisco IOS Telnet/SSH exposure, increasing the risk that internet-facing remote-access services would be mapped for later abuse. The pattern included a wave of up to 25,000 unique IPs and a separate burst that reached 200,000 hits in 20 hours, showing broad automated probing rather than isolated noise. The activity concentrated on US targets but also reached the UK and Germany, making the trend relevant to defenders monitoring exposed edge devices.

Related Happenings

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
First: 20.11.2025 19:08 Last: 20.11.2025 19:08 Sources 1

About this happening: A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...

Unattributed operators campaign expands across multiple victims

Campaign
First: 19.11.2025 16:35 Last: 19.11.2025 16:35 Sources 1

About this happening: The **Operation WrtHug** campaign is hijacking **ASUS WRT routers** worldwide by exploiting **six vulnerabilities** and abusing **AiCloud**, creating a large pool of compromised d...

RondoDox edge-device exploitation wave

Exploitation Wave
First: 10.10.2025 22:22 Last: 10.10.2025 22:22 Sources 1

About this happening: **RondoDox** is broadening its **edge-device exploitation** wave, with Trend Micro reporting an **exploit shotgun** approach against **more than 50 vulnerabilities** across **over...

Latest development: 13.10.2025 13:12

Trend Micro says RondoDox expanded its targeting to more than 50 vulnerabilities across over 30 vendors, including routers, DVRs, NVRs, CCTV systems, web servers, and other internet-exposed network devices. The campaign also broadened distribution through a loader-as-a-service setup that co-packages RondoDox with Mirai/Morte payloads.

GreyNoise sees 500% surge in scanning against Palo Alto Networks login portals

Target Trend
First: 06.10.2025 13:00 Last: 06.10.2025 13:00 Sources 1

About this happening: **GreyNoise** says **Palo Alto Networks GlobalProtect** VPN login portals saw a **40x surge** in malicious scanning beginning **November 14, 2025**, reaching a **90-day high** wit...

Timeline

  1. 09.09.2025 00:44 · 1 article

    Low-level opportunistic scans begin probing Cisco ASA endpoints

    Campaign Scope Update

    Low-level opportunistic scans against Cisco ASA endpoints begin on July 31, 2025, starting an overlapping reconnaissance pattern that later escalates in mid-August and culminates on August 28, 2025.

  2. 09.09.2025 00:44 · 2 articles

    Brazilian botnet drives a Cisco ASA and Cisco IOS scan wave

    Detection IoC Update

    On August 26, 2025, a second scanning wave probes Cisco ASA login portals and Cisco IOS Telnet/SSH, with roughly 17,000 IPs and about 80% of the traffic attributed to a Brazilian botnet; overlapping Chrome-like user agents suggest a common origin.

  3. 09.09.2025 00:44 · 1 article

    Cisco ASA endpoints see 200,000 hits as scanning culminates

    Campaign Scope Update

    Overlapping reconnaissance against Cisco ASA endpoints culminates on August 28, 2025, with 200,000 hits within 20 hours and uniform 10k/IP traffic that appears highly automated; the activity is reported as coming from the Nybula, Cheapy-Host, and Global Connectivity Solutions LLP ASNs.

  4. 09.09.2025 00:44 · 1 article

    GreyNoise flags late-August scanning spikes against Cisco ASA and Cisco IOS

    Initial Disclosure

    GreyNoise records two significant scanning spikes in late August 2025 against Cisco ASA and Cisco IOS Telnet/SSH, warns that this kind of reconnaissance can precede disclosure of new vulnerabilities, and notes that the targeting concentrated on the United States while the UK and Germany were also hit.
