Security researchers have flagged a coordinated credential-based campaign targeting VPN authentication endpoints from Cisco and Palo Alto Networks.
Over just two days in mid-December, attackers launched large-scale automated login attempts against Cisco’s SSL VPN and Palo Alto Networks’ GlobalProtect services.
A GreyNoise analysis noted that the campaign does not exploit software bugs, but instead relies on churning through username and password combinations at scale. “Consistent infrastructure usage and timing indicate a single campaign pivoting across multiple VPN platforms,” the researchers said in a blog post.
GreyNoise confirmed millions of login sessions across more than 10,000 unique attacking IP addresses, pointing to a highly scripted and centralized campaign. It also clarified it has no evidence connecting the activity to the recent campaign targeting Cisco Secure Email Gateway and Secure Email and Web Manager.
Palo Alto portals hit with a wave of login traffic
GreyNoise reported a spike in automated login traffic targeting Palo Alto Networks GlobalProtect portals on December 11. Over a 16-hour window, roughly 1.7 million sessions were observed hitting emulated GlobalProtect and PAN-OS login endpoints.
“Emulated” refers to decoy or simulated VPN login pages that GreyNoise runs, not real customer VPNs.
The targeted portals were geographically distributed, primarily in the United States, Pakistan, and Mexico, with the traffic almost exclusively originating from IP space linked to a single German hosting provider, 3xk GmbH. The login attempts followed a highly uniform pattern, reusing common usernames and passwords and even adopting a browser-like Firefox user agent string.
This is a telltale sign of scripted credential probes rather than opportunistic scanning, the researchers noted.
“This consistency of the user agent, request structure, and timing suggests scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals, rather than interactive access attempts or vulnerability exploitation,” they said.
Brute-forcing Cisco’s SSL VPN follows
Just a day after the GlobalProtect surge, the same actor infrastructure pivoted to Cisco’s SSL VPN endpoints, with the same TCP fingerprint and hosting provider IP space. GreyNoise saw the number of unique attacking IPs jump from a typical daily baseline of fewer than 200 to over 1,200, signalling a sharp rise in brute-force login attempts.
Unlike the more structured GlobalProtect activity, much of the Cisco traffic hit vendor-agnostic facade sensors. This indicated that attackers were probing broadly rather than holding a finely targeted list of known endpoints.
However, the underlying behavior remained automated credential-based authentication attempts.
GreyNoise’s disclosure urges defenders to harden authentication hygiene, including enforcing strong passwords and multi-factor authentication (MFA), auditing exposed edge devices for unexpected login attempts, and leveraging threat intel blocklists to filter out malicious IPs at the perimeter. The company shared blocklists for its platform customers as well as for non-GreyNoise users.
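The two signals GreyNoise describes, a jump in unique attacking IPs far above the daily baseline and per-IP traffic that is all failures, rotates common usernames, keeps one browser user agent and arrives at machine-regular intervals, can both be checked against a VPN portal’s own authentication logs. The script below is an added example, not code from GreyNoise, Cisco or Palo Alto Networks; it assumes a constructed pipe-delimited log format (timestamp, source IP, username, user agent, result) and all IPs, usernames and timestamps in it are made up for the demo. Real ASA and PAN-OS authentication logs have their own field layouts, so the parser is the part you would swap out.

```python
"""Flag scripted credential probing against VPN login portals from auth logs.

Added example, not vendor or GreyNoise code. Log format, IPs, usernames and
timestamps below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"

# Constructed "normal" traffic: a handful of staff logging in over two days.
BASELINE_LINES = [
    "2025-12-10T08:01:10Z|198.51.100.10|alice|Cisco AnyConnect/4.10|SUCCESS",
    "2025-12-10T08:05:42Z|198.51.100.11|bob|GlobalProtect/6.2|SUCCESS",
    "2025-12-10T17:30:09Z|198.51.100.12|carol|Cisco AnyConnect/4.10|FAILURE",
    "2025-12-10T17:30:31Z|198.51.100.12|carol|Cisco AnyConnect/4.10|SUCCESS",
    "2025-12-11T08:00:55Z|198.51.100.10|alice|Cisco AnyConnect/4.10|SUCCESS",
    "2025-12-11T09:12:03Z|198.51.100.13|dave|GlobalProtect/6.2|SUCCESS",
]


def constructed_probe_lines(day="2025-12-12", ip_count=40, attempts=5):
    """Synthesise a burst shaped like the one in the article: many IPs from one
    provider range, a single shared browser UA, common usernames, evenly spaced
    attempts that all fail. Purely constructed sample data."""
    names = ["admin", "test", "vpn", "user", "guest"]
    lines = []
    for i in range(ip_count):
        ip = f"203.0.113.{i + 1}"
        start = datetime.fromisoformat(f"{day}T02:00:00") + timedelta(seconds=i)
        for n in range(attempts):
            ts = (start + timedelta(seconds=n * 2)).strftime("%Y-%m-%dT%H:%M:%SZ")
            lines.append(f"{ts}|{ip}|{names[n % len(names)]}|{FIREFOX_UA}|FAILURE")
    return lines


def parse(lines):
    """Turn 'ts|ip|user|ua|result' lines into event dicts (hypothetical format)."""
    events = []
    for line in lines:
        ts, ip, user, ua, result = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "ua": ua, "ok": result == "SUCCESS"})
    return events


def daily_unique_ips(events):
    """Count distinct source IPs per calendar day, the metric GreyNoise baselined."""
    per_day = defaultdict(set)
    for e in events:
        per_day[e["ts"].date().isoformat()].add(e["ip"])
    return {d: len(ips) for d, ips in sorted(per_day.items())}


def spike_days(counts, factor=5):
    """Days whose unique-IP count exceeds `factor` times the median of the other
    days; the article's <200 -> >1,200 jump is roughly a sixfold rise."""
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if others and n > factor * median(others):
            flagged.append(day)
    return flagged


def scripted_probe_ips(events, min_attempts=5, min_users=3,
                       min_fail_ratio=0.8, max_jitter=1.0):
    """Per-IP check for the probing pattern: enough attempts, nearly all failing,
    rotating usernames, exactly one user agent, near-constant inter-attempt gap."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = []
    for ip, evs in by_ip.items():
        if len(evs) < min_attempts:
            continue
        evs.sort(key=lambda e: e["ts"])
        fail_ratio = sum(not e["ok"] for e in evs) / len(evs)
        users = {e["user"] for e in evs}
        agents = {e["ua"] for e in evs}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        jitter = max(gaps) - min(gaps)  # seconds; ~0 means machine-timed
        if (fail_ratio >= min_fail_ratio and len(users) >= min_users
                and len(agents) == 1 and jitter <= max_jitter):
            flagged.append(ip)
    return sorted(flagged)


def run_demo():
    """Run both checks over the constructed baseline plus probe burst."""
    events = parse(BASELINE_LINES + constructed_probe_lines())
    counts = daily_unique_ips(events)
    return {"unique_ips_per_day": counts,
            "spike_days": spike_days(counts),
            "probe_ips": scripted_probe_ips(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The per-IP rule deliberately requires all four traits together: a staff member who mistypes a password twice (carol in the sample) fails the attempt-count and username-rotation tests and is never listed, while the constructed burst trips every one. The flagged list is what you would feed to a perimeter blocklist alongside a vendor feed such as the one GreyNoise published.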