

Ethical Hacking News

Attackers Launch Dual Campaign Targeting GlobalProtect Portals and SonicWall APIs: A Growing Concern for Cybersecurity



Attackers have launched a coordinated campaign targeting Palo Alto Networks' GlobalProtect portals and SonicWall APIs, using identical fingerprints across seemingly separate events. This attack highlights the importance of monitoring authentication surfaces and applying dynamic blocking measures to prevent unauthorized access. With its sophisticated tooling and cross-infrastructure relationships, this attack poses a significant threat to the security of critical systems. Stay vigilant and take proactive measures to protect against such attacks.

  • Attackers launched a dual campaign targeting Palo Alto Networks' GlobalProtect portals and SonicWall APIs.
  • The attack originated from over 7,000 IPs tied to German hosting provider 3xK GmbH.
  • The attackers reused three client fingerprints from a previous wave in September-October.
  • The activity points to a sophisticated, well-coordinated campaign with a clear rhythm.
  • Defenders should monitor authentication surfaces and apply dynamic, context-aware blocking to prevent unauthorized access.



    Attackers have launched a dual campaign targeting Palo Alto Networks' GlobalProtect portals and SonicWall APIs, marking another significant threat to the cybersecurity landscape. According to reports from GreyNoise, a threat intelligence firm, the attack began on December 2, 2025, with a surge in login attempts and scanning of SonicWall API endpoints.

    The activity was observed to originate from over 7,000 IPs tied to German hosting provider 3xK GmbH, which operates its own BGP network (AS200373). The company's infrastructure has been used to launch targeted attacks against various organizations, including Palo Alto Networks' GlobalProtect portals. This attack represents a sophisticated effort by attackers to gain unauthorized access to sensitive information and disrupt the operations of critical systems.

    GreyNoise observed that the December traffic reused three client fingerprints previously seen in a late-September to mid-October wave. That earlier surge came from four typically non-malicious ASNs (Nforce Entertainment, Data Campus, Flyservers, and Internet Solutions & Innovations) which generated over 9 million legitimate HTTP sessions, mostly hitting GlobalProtect portals and authentication endpoints. The reappearance of identical fingerprints on new infrastructure signals consistent tooling across seemingly separate events.

    The attack against SonicWall APIs followed a similar pattern, with the same three client fingerprints tied to the December 2 GlobalProtect login surge and the September-October brute-force wave. This indicates that the attackers have reused their tools and techniques in a coordinated manner, posing a significant threat to the security of SonicWall's API endpoints.

    GreyNoise noted that the identical fingerprints reveal continuity in the attacker's tooling, suggesting a sophisticated and well-coordinated attack campaign. Telemetry shows a clear rhythm: intense login and brute-force activity from clean ASNs between late September and mid-October, a slowdown through late November, then the same client resurfacing on 3xK's infrastructure on December 2 to probe Palo Alto portals, followed by SonicWall API scans.

    The report concludes that defenders should monitor authentication surfaces for abnormal velocity or repeated failures, track recurring client fingerprints to surface campaign continuity, and apply dynamic, context-aware blocking rather than static reputation lists. It also highlights the importance of fingerprint-level telemetry in exposing cross-infrastructure relationships that defenders might otherwise miss.
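The recommendations above can be sketched as detection logic that groups authentication events by client fingerprint rather than by source IP. This is an added example, not code from GreyNoise or the original article; the event layout, thresholds, fingerprint labels (`fp-A`, `fp-B`) and all sample events are constructed assumptions, and only AS200373 comes from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, source IP, ASN, client fingerprint, surface, login ok?)
# IPs are documentation ranges, AS64500/AS64501 are reserved documentation ASNs,
# and the fingerprint labels are placeholders, not real indicators.
EVENTS = [
    ("2025-10-01T09:00:00", "192.0.2.10", "AS64500", "fp-A", "globalprotect", False),
    ("2025-10-01T09:00:20", "192.0.2.11", "AS64500", "fp-A", "globalprotect", False),
    ("2025-10-01T09:00:40", "192.0.2.12", "AS64500", "fp-A", "globalprotect", False),
    ("2025-12-02T14:00:00", "198.51.100.5", "AS200373", "fp-A", "globalprotect", False),
    ("2025-12-02T14:00:10", "198.51.100.6", "AS200373", "fp-A", "globalprotect", False),
    ("2025-12-02T14:00:30", "198.51.100.7", "AS200373", "fp-A", "globalprotect", False),
    ("2025-12-03T08:00:00", "198.51.100.8", "AS200373", "fp-A", "sonicwall-api", False),
    ("2025-12-02T14:05:00", "203.0.113.9", "AS64501", "fp-B", "globalprotect", False),
    ("2025-12-02T14:06:00", "203.0.113.9", "AS64501", "fp-B", "globalprotect", True),
]

def analyze(events, window=timedelta(minutes=1), fail_threshold=3, quiet_gap=timedelta(days=14)):
    """Group by fingerprint (not IP) and report velocity and continuity signals."""
    by_fp = defaultdict(list)
    for ts, ip, asn, fp, surface, ok in events:
        by_fp[fp].append((datetime.fromisoformat(ts), ip, asn, surface, ok))
    report = {}
    for fp, rows in by_fp.items():
        rows.sort()
        fails = [r[0] for r in rows if not r[4]]
        # Sliding window: the most failures seen within `window` of any failure.
        burst = max((sum(1 for t in fails if s <= t < s + window) for s in fails), default=0)
        times = [r[0] for r in rows]
        # A long silence followed by new activity means the same client came back.
        resurfaced = any(b - a >= quiet_gap for a, b in zip(times, times[1:]))
        asns = {r[2] for r in rows}
        report[fp] = {
            "asns": asns,
            "surfaces": {r[3] for r in rows},
            "max_fail_burst": burst,
            "velocity_alert": burst >= fail_threshold,
            # Same fingerprint, new network, after a quiet period: campaign continuity.
            "continuity_alert": resurfaced and len(asns) > 1,
        }
    return report

if __name__ == "__main__":
    for fp, finding in analyze(EVENTS).items():
        print(fp, finding)
```

Because each source IP in the sample fails only once, a per-IP failure counter would stay silent here; keying on the fingerprint is what exposes both the burst and the move to new infrastructure.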

    This attack against GlobalProtect portals and SonicWall APIs serves as a reminder of the evolving threat landscape and the need for robust cybersecurity measures to protect against such attacks. As attackers continue to adapt and refine their techniques, it is essential for organizations to stay vigilant and implement effective security controls to prevent unauthorized access and minimize damage.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Attackers-Launch-Dual-Campaign-Targeting-GlobalProtect-Portals-and-SonicWall-APIs-A-Growing-Concern-for-Cybersecurity-ehn.shtml

  • https://securityaffairs.com/185382/hacking/attackers-launch-dual-campaign-on-globalprotect-portals-and-sonicwall-apis.html


  • Published: Sat Dec 6 10:46:09 2025 by llama3.2 3B Q4_K_M












