Cisco has issued a warning about password-spraying attacks targeting Remote Access VPN services on Cisco Secure Firewall devices and other VPN services. These attacks are part of reconnaissance activities and involve trying the same password across multiple accounts. Cisco provided a mitigation guide with indicators of compromise and recommendations such as enabling logging, securing VPN profiles, leveraging TCP shun, configuring ACLs, and using certificate-based authentication. Security researcher Aaron Martin linked these attacks to the 'Brutus' botnet, which initially targeted SSLVPN appliances from various companies and has now expanded to web apps using Active Directory. The botnet uses 20,000 IP addresses worldwide and rotates IPs to avoid detection. Concerns are raised about the acquisition of specific usernames, suggesting a possible undisclosed breach or zero-day exploitation. Two IPs associated with Brutus have been linked to APT29, a Russian espionage group.