Healthcare Systems on Alert as Cisco ASA Scans Surge, Hinting at New Vulnerabilities

Coordinated global probes of Cisco ASA devices raise alarms for hospitals and clinics reliant on these gateways for secure patient data access.

By MRAdmin

Hospitals and healthcare providers face fresh cybersecurity warnings after researchers observed mass reconnaissance targeting Cisco ASA firewalls. GreyNoise detected two significant spikes in late August, with up to 25,000 unique IPs probing Cisco ASA login portals and Cisco IOS Telnet/SSH endpoints.

The second surge, on August 26, 2025, was largely driven by a Brazilian botnet controlling 17,000 IPs. Investigators noted overlapping Chrome-like user agents, suggesting a single coordinated operation. U.S. healthcare facilities were the main focus, with additional activity observed in the UK and Germany.

Cisco ASA routers. Source: cisco.com.

GreyNoise analysis shows that 80% of such scanning events are followed by new vulnerability disclosures. Even though Cisco products show a weaker correlation than some other vendors, the pattern still signals an elevated threat window for organizations that depend on ASA gateways to secure sensitive services like electronic health records and telemedicine portals.

A parallel report by system administrator “NadSec – Rat5ak” highlights similar escalation: by late August, 200,000 hits on ASA endpoints were logged within 20 hours. Automated probes from hosting providers Nybula, Cheapy-Host, and Global Connectivity Solutions LLP drove this surge. Such scale suggests adversaries are systematically mapping ASA exposures ahead of weaponization.

For healthcare organizations, a compromised ASA device could expose protected health information (PHI), disrupt patient care delivery, or create an entry point for ransomware. Given the sector’s reliance on secure remote access for telehealth, diagnostic platforms, and connected medical devices, the risks are particularly acute.

Healthcare security teams should urgently patch Cisco ASA devices, enforce MFA on all remote access logins, and ensure patient-facing portals are not exposed directly to the internet. Where external access is required, deploy reverse proxies or VPN concentrators to add extra safeguards. Monitor GreyNoise and Rat5ak indicators for early detection, and consider rate-limiting or geo-blocking to reduce exposure. Building layered defenses now can prevent attackers from turning reconnaissance into full-scale healthcare breaches.
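The monitoring advice above is easier to act on with a concrete detector. The following Python script is an added example, not code from the article, GreyNoise or Rat5ak: it parses combined-format access logs from a reverse proxy placed in front of the VPN portal (one of the deployments recommended above) and flags the pattern the article describes, many distinct source IPs hitting the login page inside a short window while sharing one user agent. The log lines are constructed sample data, the login path is assumed to be the ASA clientless-VPN logon page, and the thresholds are illustrative defaults a team would tune to its own baseline.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined-log-format line as written by a reverse proxy (nginx/Apache style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed: the proxy fronts the ASA clientless-VPN logon page at this path.
LOGIN_PATH = "/+CSCOE+/logon.html"


def parse_line(line):
    """Return (timestamp, ip, path, user_agent), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("ip"), m.group("path"), m.group("ua")


def detect_bursts(lines, window_seconds=60, min_unique_ips=50, ua_share=0.8):
    """Flag windows in which many distinct IPs hit the login page.

    A burst is 'coordinated' when a single user agent accounts for at least
    `ua_share` of the hits, mirroring the overlapping Chrome-like agents seen
    in the reconnaissance the article describes.
    """
    events = sorted(e for e in map(parse_line, lines) if e and e[2] == LOGIN_PATH)
    window = timedelta(seconds=window_seconds)
    alerts = []
    i = 0
    while i < len(events):
        start = events[i][0]
        j = i
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        chunk = events[i:j]
        ips = {e[1] for e in chunk}
        if len(ips) >= min_unique_ips:
            ua, n = Counter(e[3] for e in chunk).most_common(1)[0]
            alerts.append({
                "start": start.isoformat(),
                "hits": len(chunk),
                "unique_ips": len(ips),
                "dominant_ua": ua,
                "ua_share": round(n / len(chunk), 2),
                "coordinated": n / len(chunk) >= ua_share,
            })
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


def build_sample():
    """Constructed sample: a 30-second burst from 60 IPs plus a few ordinary logins."""
    base = datetime.strptime("26/Aug/2025:03:14:00 +0000", TS_FMT)
    scan_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "Chrome/128.0.0.0 Safari/537.36")
    lines = []
    for i in range(60):  # two hits per second, each from a new TEST-NET-3 address
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'203.0.113.{i + 1} - - [{ts}] "GET {LOGIN_PATH} HTTP/1.1" '
                     f'200 1532 "-" "{scan_ua}"')
    normal_uas = [
        "Mozilla/5.0 (X11; Linux x86_64) Firefox/129.0",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
        "curl/8.7.1",
    ]
    for i, ua in enumerate(normal_uas):  # legitimate logins spread over hours
        ts = (base + timedelta(hours=i + 1)).strftime(TS_FMT)
        lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET {LOGIN_PATH} HTTP/1.1" '
                     f'200 1532 "-" "{ua}"')
    # Non-login traffic is ignored by the detector.
    lines.append(f'198.51.100.9 - - [{base.strftime(TS_FMT)}] "GET /healthz HTTP/1.1" '
                 f'200 2 "-" "kube-probe/1.30"')
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample()):
        print(alert)
```

Run against a real proxy log the script reports one alert per burst with the dominant user agent and its share, which is the signal to compare against published GreyNoise or Rat5ak indicators and to decide whether rate-limiting or geo-blocking is warranted. The sliding window never re-alerts on the same burst, so a sustained scan produces one alert per window rather than one per hit.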
