Summary (Bottom Line Up Front)
High-confidence credential stuffing attacks targeting Cisco ASA SSL VPN login interfaces have been observed from US-based infrastructure (AS396356 Latitude.sh) between March 17-23, 2026. The threat actor demonstrates specific knowledge of Cisco WebVPN authentication mechanisms and poses a significant risk of initial network access if any attempt succeeds. Immediate review of VPN authentication logs and implementation of additional access controls are recommended.
Activity Timeline
INITIAL REPORT: 2026-03-23T13:27:57Z
Source: Analyst Manual Entry
High-confidence credential stuffing attacks targeting Cisco ASA SSL VPN login interfaces have been observed from US-based infrastructure (AS396356 Latitude.sh) between March 17-23, 2026. The threat actor demonstrates specific knowledge of Cisco WebVPN authentication mechanisms and poses a significant risk of initial network access if any attempt succeeds. Immediate review of VPN authentication logs and implementation of additional access controls are recommended.
Technical details
Attack Vector: HTTPS credential stuffing against the Cisco ASA SSL VPN login page, delivered as POST requests to the `/+webvpn+/index.html` endpoint.
Volume: 3,723 authentication attempts over the 6-day period, all against a single destination port (443/HTTPS).
Techniques: MITRE ATT&CK T1110.004 (Credential Stuffing). The seasonal password variants tried against a single username are also consistent with T1110.001 (Password Guessing), and router default credentials were tested as well.
Protocols: TLS 1.0 and HTTPS, with the WebVPN session cookies that the ASA portal itself sets (webvpnlogin=1; webvpnLang=en), indicating tooling built against a real ASA login flow rather than generic form posting. TLS 1.0 negotiated by a client presenting a Chrome 143 user agent is inconsistent with a genuine browser (Chrome removed TLS 1.0/1.1 support in version 84), which points to scripted tooling with a spoofed user agent.
IOCs: source IP 136.144.35.116 (AbuseIPDB score 93/100), Chrome 143.0.0.0 user agent strings, and systematic credential pair testing, including the username "gmoore" with seasonal password patterns.
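The pattern described above (many failed WebVPN logins from one source across several usernames, with default usernames mixed in, and the question of whether any of them eventually succeeded) can be checked directly against ASA syslog. The following is an added example written for this report, not tooling from the original analysis or from Cisco. The log lines are constructed for illustration and modelled on ASA message IDs 113005 (AAA authentication rejected), 716039 (WebVPN authentication rejected) and 716001 (WebVPN session started); the exact field layout should be verified against the ASA release in use. The thresholds and the default-username list are assumptions.

```python
"""Flag credential stuffing / password guessing against Cisco ASA WebVPN from syslog.

Added example for this report (not from the original page). Sample log lines
are constructed and modelled on ASA message IDs 113005, 716039 and 716001;
verify the regexes against your own ASA output before relying on them.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real data from the incident.
SAMPLE_LOG = """\
Mar 17 2026 02:11:04 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = gmoore : user IP = 136.144.35.116
Mar 17 2026 02:11:09 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = gmoore : user IP = 136.144.35.116
Mar 17 2026 02:11:15 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 136.144.35.116
Mar 17 2026 02:11:21 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = ntsupport : user IP = 136.144.35.116
Mar 17 2026 02:11:27 asa1 %ASA-6-716039: Group <DefaultWEBVPNGroup> User <cisco> IP <136.144.35.116> Authentication: rejected, Session Type: WebVPN.
Mar 17 2026 02:11:33 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 136.144.35.116
Mar 17 2026 02:12:40 asa1 %ASA-6-716001: Group <RemoteUsers> User <jsmith> IP <136.144.35.116> WebVPN session started.
Mar 17 2026 08:30:02 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alee : user IP = 203.0.113.7
Mar 17 2026 08:30:20 asa1 %ASA-6-716001: Group <RemoteUsers> User <alee> IP <203.0.113.7> WebVPN session started.
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
# (regex, outcome) pairs for the three message types we care about.
AUTH_PATTERNS = [
    (re.compile(r"%ASA-\d-113005: AAA user authentication Rejected.*?: user = (?P<user>\S+) : user IP = (?P<ip>\S+)"), "fail"),
    (re.compile(r"%ASA-\d-716039: Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> Authentication: rejected"), "fail"),
    (re.compile(r"%ASA-\d-716001: Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> WebVPN session started"), "success"),
]
# Assumed set of vendor/router default usernames worth calling out separately.
DEFAULT_USERNAMES = {"admin", "administrator", "cisco", "root"}


def parse_events(log_text):
    """Return (timestamp, outcome, user, ip) tuples for recognised auth lines."""
    events = []
    for line in log_text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group("ts"), "%b %d %Y %H:%M:%S")
        for rx, outcome in AUTH_PATTERNS:
            m = rx.search(line)
            if m:
                events.append((ts, outcome, m.group("user"), m.group("ip")))
                break
    return events


def analyze(log_text, fail_threshold=5, distinct_user_threshold=3):
    """Group auth events by source IP and flag sources that look like stuffing.

    A source is flagged when it produced at least fail_threshold failures across
    at least distinct_user_threshold different usernames (assumed thresholds).
    For each flagged source we also list default usernames it tried and any
    successful WebVPN login from it that followed the first failure, which is
    the "did anything succeed" question an incident responder needs answered.
    """
    per_ip = defaultdict(lambda: {"fail_times": [], "users": set(), "successes": []})
    for ts, outcome, user, ip in parse_events(log_text):
        bucket = per_ip[ip]
        if outcome == "fail":
            bucket["fail_times"].append(ts)
            bucket["users"].add(user)
        else:
            bucket["successes"].append((user, ts))

    findings = {}
    for ip, bucket in per_ip.items():
        failures = len(bucket["fail_times"])
        if failures < fail_threshold or len(bucket["users"]) < distinct_user_threshold:
            continue  # single-user typos and low-volume sources are not flagged
        first_fail = min(bucket["fail_times"])
        later_successes = sorted(
            (user, ts.isoformat()) for user, ts in bucket["successes"] if ts > first_fail
        )
        findings[ip] = {
            "failures": failures,
            "distinct_users": len(bucket["users"]),
            "default_usernames_tried": sorted(bucket["users"] & DEFAULT_USERNAMES),
            "successful_logins_after_failures": later_successes,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

Run against the constructed sample, the scanning source is reported with six failures across five usernames, two default usernames (admin, cisco) and one later success for jsmith, which is exactly the account that should go to the top of the review list; the single failed-then-successful login from 203.0.113.7 is not flagged. In production, feed the script the exported syslog for the March 17-23 window and lower the thresholds if the attacker spread attempts across many source addresses.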
IOCs
IP:136.144.35.116
ASN:396356
COUNTRY:US
Recommendations
- Immediately block source IP 136.144.35.116 and monitor AS396356 (Latitude.sh) for additional malicious traffic
- Review Cisco ASA SSL VPN authentication logs for the March 17-23, 2026 timeframe, looking for successful logins from 136.144.35.116 (and from AS396356 more broadly) and for accounts that show a run of failures followed by a success
- Implement rate limiting on VPN authentication endpoints together with account lockout or progressive-delay policies to slow credential stuffing; note that an aggressive lockout policy lets an attacker lock legitimate users out, so pair it with alerting rather than relying on it alone
- Enable multi-factor authentication for all VPN access if not already deployed
- Audit VPN user accounts for weak or default credentials, particularly focusing on service accounts like "ntsupport"
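The blocking, lockout and rate-limiting recommendations above map to a handful of ASA CLI commands. The fragment below is an added illustration for this report, not configuration taken from the original page or from the affected environment. Command syntax is from ASA 9.x and should be checked against the release in use; the ACL name and the numeric thresholds are assumptions, and lockout for accounts backed by an external AAA server (RADIUS, LDAP) has to be configured on that server rather than on the ASA.

```text
! Added example: illustrative Cisco ASA CLI for the recommendations above.
! Not configuration from the report; verify syntax against your ASA release.

! 1. Block the reported source immediately. shun is dynamic and is not
!    written to the running config, so it does not survive a reload.
shun 136.144.35.116

! 2. Persistently deny the source for traffic destined to the ASA itself.
!    VPN logins terminate on the box, so use the control-plane ACL; the
!    regular interface ACL only filters through-the-box traffic.
access-list OUTSIDE_CP extended deny ip host 136.144.35.116 any
access-list OUTSIDE_CP extended permit ip any any
access-group OUTSIDE_CP in interface outside control-plane

! 3. Lock out local-database users after repeated failures (assumed value).
aaa local authentication attempts max-fail 5

! 4. Basic threat detection; scanning-threat shun auto-blocks sources that
!    trip the scanner heuristics.
threat-detection basic-threat
threat-detection scanning-threat shun
```

After applying, confirm the block with `show shun` and `show access-list OUTSIDE_CP`, and check `show aaa local user` to see which local accounts have been locked so that legitimate users hit by lockout can be unlocked and contacted.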