Current Cyber Threats

New Wave of VPN Login Attempts Targets Palo Alto GlobalProtect Portals

Summary:
A campaign targeting publicly exposed security devices, namely Palo Alto Networks GlobalProtect portals and SonicWall SonicOS API endpoints, has been observed since December 2nd. According to GreyNoise, this large-scale reconnaissance originated from over 7,000 distinct IP addresses within the infrastructure of German hosting provider 3xK GmbH (AS200373). The campaign initially focused on brute-force login attempts against GlobalProtect VPN portals; Palo Alto Networks confirmed the activity is credential-based and found no evidence that a software vulnerability was exploited or that any product was compromised. GreyNoise then observed the actor pivot to scanning SonicWall API endpoints using the same client fingerprints seen in earlier, related attacks. That continuity led the firm to attribute, with high confidence, both the current activity and a mid-November probing campaign to the same threat actor. Analysts advise monitoring this activity closely, since scanning of SonicWall APIs has often preceded exploitation of newly disclosed vulnerabilities, and recommend immediate defensive measures such as enforcing MFA and tracking or blocking the recurring client fingerprints and their associated infrastructure.


Security Officer Comments:
This is a persistent, coordinated reconnaissance campaign attributed with high confidence to a single actor on the basis of consistent tooling: the same client fingerprints appear across every phase. The actor began with high-volume credential brute-forcing against Palo Alto GlobalProtect portals, then quickly pivoted to scanning SonicWall SonicOS API endpoints, a pattern that commonly precedes exploitation of newly disclosed vulnerabilities or misconfigurations. All observed activity so far originates from over 7,000 IP addresses within the infrastructure of German hosting provider 3xK GmbH (AS200373), which suggests the actor is deliberately spreading the activity across disposable hosting resources to evade static, reputation-based blocking. Because the infrastructure is cheap to rotate but the tooling is not, the client fingerprints are the more durable indicator.


Suggested Corrections:

Defenders should:

  • Block Known Malicious Infrastructure: Identify and block the IP ranges within 3xK GmbH (AS200373) that are tied to the GlobalProtect and SonicWall scanning activity. Scope blocks to the ranges actually observed, and review before blocking the entire AS, since a blanket AS block can also cut off unrelated tenants of the same provider.
  • Enforce Multi-Factor Authentication (MFA): The GlobalProtect attacks are credential-based, so MFA must be enforced on all VPN and remote-access portals to blunt the impact of a successful brute-force or credential-stuffing guess. MFA does not stop the login attempts themselves, so pair it with rate limiting and account lockout on the portal.
  • Monitor Authentication Surfaces: Alert on abnormal login velocity or repeated failures per source IP, per username, and across the portal as a whole, so that low-and-slow spraying from many IPs is caught as well as bursts from one.
  • Track Recurring Client Fingerprints: Correlate TLS and HTTP client fingerprints across sources to surface campaign continuity when the IP addresses change.
  • Apply Dynamic, Context-Aware Blocking: Base blocking decisions on observed behaviour (velocity, fingerprint reuse, association with known campaign infrastructure) rather than on static reputation lists alone, which the actor's disposable hosting is designed to evade.
  • Collect Fingerprint-Level Telemetry: Fingerprint-level telemetry exposes cross-infrastructure relationships that an IP-centric view misses; make sure the VPN and API gateways log it.
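To make the last four points concrete, the following is an added example of the detection logic, written for this digest and not taken from GreyNoise, Palo Alto Networks or the linked article. It runs a sliding-window failure-velocity check per source, clusters sources by client fingerprint, and combines both with a watched-range check into a context-aware verdict. The log format, field names, user agents, JA4-style values, IP addresses (RFC 5737 documentation ranges) and the watched range are all constructed for the example; map your own gateway or SIEM fields onto the same shape.

```python
"""Velocity, fingerprint-reuse and context-aware blocking over VPN portal auth logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines (not real PAN-OS or SonicOS output):
# timestamp | source IP | attempted user | result | HTTP user agent | TLS client fingerprint
SAMPLE_LOGS = """\
2025-12-02T10:00:01Z|203.0.113.10|admin|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:00:12Z|203.0.113.10|administrator|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:00:25Z|203.0.113.10|test|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:00:40Z|203.0.113.10|vpn|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:01:02Z|203.0.113.10|guest|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:01:30Z|203.0.113.10|support|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:00:05Z|203.0.113.11|admin|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:00:35Z|203.0.113.11|root|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:01:05Z|203.0.113.11|test|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:02:00Z|198.51.100.7|admin|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:02:20Z|198.51.100.7|administrator|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:02:40Z|198.51.100.7|test|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:03:00Z|198.51.100.7|vpn|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:03:20Z|198.51.100.7|guest|fail|scan-ua-1|t13d_aaaa
2025-12-02T10:03:00Z|192.0.2.5|jsmith|fail|Mozilla/5.0 (Windows NT 10.0)|t13d_bbbb
2025-12-02T10:03:20Z|192.0.2.5|jsmith|fail|Mozilla/5.0 (Windows NT 10.0)|t13d_bbbb
2025-12-02T10:03:45Z|192.0.2.5|jsmith|success|Mozilla/5.0 (Windows NT 10.0)|t13d_bbbb
"""

WINDOW = timedelta(minutes=5)   # sliding window for the velocity check
FAIL_THRESHOLD = 5              # failures inside one window that count as abnormal
# Hypothetical operator-maintained list of ranges tied to the campaign (documentation range, not 3xK's).
WATCHED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Parse one constructed log line into an event dict; fp is the (user agent, TLS fingerprint) pair."""
    ts, src, user, result, ua, ja4 = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "user": user, "result": result, "fp": (ua, ja4)}


def parse_logs(text):
    """Parse all lines and sort by time so the sliding window sees events in order."""
    return sorted((parse_line(l) for l in text.strip().splitlines()), key=lambda e: e["ts"])


def velocity_alerts(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return {src: peak failures in any window-long interval} for sources at or above threshold."""
    recent = defaultdict(deque)   # per-source timestamps of failures still inside the window
    peak = defaultdict(int)
    for e in events:              # events must be sorted by ts
        if e["result"] != "fail":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        peak[e["src"]] = max(peak[e["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def fingerprint_clusters(events, min_sources=2):
    """Group source IPs by client fingerprint; keep fingerprints seen from min_sources or more IPs."""
    seen = defaultdict(set)
    for e in events:
        seen[e["fp"]].add(e["src"])
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) >= min_sources}


def in_watched_ranges(src, ranges=WATCHED_RANGES):
    """True if src falls inside any operator-watched network range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ranges)


def block_decisions(events):
    """Context-aware verdict per source: block only when abnormal velocity is corroborated by
    fingerprint reuse across IPs or by membership in a watched range; otherwise alert or allow."""
    alerts = velocity_alerts(events)
    clusters = fingerprint_clusters(events)
    clustered_ips = {ip for ips in clusters.values() for ip in ips}
    verdicts = {}
    for src in {e["src"] for e in events}:
        hot = src in alerts
        shared_fp = src in clustered_ips
        watched = in_watched_ranges(src)
        if hot and (shared_fp or watched):
            verdicts[src] = "block"
        elif hot or (shared_fp and watched):
            verdicts[src] = "alert"
        else:
            verdicts[src] = "allow"
    return verdicts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("velocity:", velocity_alerts(evs))
    print("clusters:", fingerprint_clusters(evs))
    print("verdicts:", block_decisions(evs))
```

In the sample, 198.51.100.7 sits outside the watched range but is blocked anyway because its burst of failures shares a fingerprint with the watched sources, which is the cross-infrastructure relationship an IP-only list misses. 203.0.113.11 is in the watched range and shares the fingerprint but has not yet crossed the velocity threshold, so it is only alerted on, and the legitimate user who mistyped a password twice from a common browser fingerprint is left alone. Popular browser fingerprints will cluster many unrelated users, which is why the verdict gates on velocity rather than on fingerprint reuse alone.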

Link(s):
https://www.bleepingcomputer.com/ne...mpts-targets-palo-alto-globalprotect-portals/