

Ethical Hacking News

New Wave of VPN Login Attempts Targets Palo Alto GlobalProtect Portals


A new wave of VPN login attempts has been observed targeting Palo Alto GlobalProtect portals, with attacks originating from over 7,000 IP addresses operated by a German IT company. The attackers used brute-force login attempts against the portals and scanning activity against SonicWall SonicOS API endpoints, suggesting a coordinated effort to compromise the security of affected organizations.

  • The Palo Alto GlobalProtect portals have been targeted by a new wave of malicious activity.
  • The attacks originated from over 7,000 IP addresses operated by German IT company 3xK GmbH.
  • The attackers initially focused on brute-force login attempts against GlobalProtect portals using three client fingerprints.
  • Attacks also targeted SonicWall SonicOS API endpoints, suggesting a coordinated effort to compromise security.
  • GreyNoise advises defenders to monitor for associated IPs and block them, as well as track recurring client fingerprints and use dynamic blocking.
  • Palo Alto Networks recommends enforcing Multi-Factor Authentication (MFA) to protect against credential abuse.



    A new wave of malicious activity has been observed targeting Palo Alto GlobalProtect portals, a VPN and remote access component of Palo Alto Networks’ firewall platform. According to threat intelligence company GreyNoise, the campaign began on December 2nd and originated from more than 7,000 IP addresses operated by German IT company 3xK GmbH.

    The attacks initially focused on brute-force login attempts against GlobalProtect portals, with the attackers using three client fingerprints previously observed in scanning attempts recorded between late September and mid-October. These fingerprints were seen in over 9 million non-spoofable HTTP sessions, mostly targeting GlobalProtect portals. Most of the attacking IPs (62%) were located in Germany.

    The attackers then pivoted to scanning SonicWall SonicOS API endpoints, employing a similar tactic. GreyNoise observed activity from 3xK Tech GmbH's infrastructure probing GlobalProtect VPN portals with 2.3 million scan sessions in mid-November. The same three fingerprints were seen again in scanning activity targeting the SonicWall SonicOS API on December 3.

    GlobalProtect is used by large enterprises, government agencies, and service providers to secure their networks and protect sensitive data. The fact that the attackers targeted these portals suggests a coordinated effort to compromise the security of these organizations.

    GreyNoise notes that malicious scanning targeting SonicOS API endpoints is typically done to identify vulnerabilities and misconfigurations in the firewall system. However, this type of activity can also be used by attackers to discover exposed infrastructure in preparation for potential exploitation of upcoming flaws.

    Defenders are advised to monitor for IPs associated with this type of activity and block them. It is also recommended to monitor authentication surfaces for abnormal velocity/repeated failures, track recurring client fingerprints, and use dynamic, context-aware blocking instead of static reputation lists.
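
    The monitoring advice above (failure velocity on the authentication surface plus recurring client fingerprints) can be sketched as follows. This is an added example, not code from GreyNoise or Palo Alto Networks; the event tuple layout, fingerprint labels, thresholds and IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 300      # seconds of history to keep (assumed tuning value)
IP_FAILS = 5      # failed logins from one source IP inside WINDOW
FP_SOURCES = 3    # distinct failing source IPs sharing one fingerprint inside WINDOW

# Constructed sample events: (epoch_seconds, source_ip, client_fingerprint, outcome).
# The layout and the "fp-*" labels are hypothetical, not a vendor log format.
EVENTS = (
    # one source hammering the portal
    [(1000 + 10 * i, "192.0.2.10", "fp-A", "fail") for i in range(5)]
    # distributed attempts: one failure per IP, same client fingerprint
    + [(2000 + 30 * i, f"198.51.100.{i + 1}", "fp-B", "fail") for i in range(3)]
    # ordinary user mistyping a password once
    + [(3000, "203.0.113.5", "fp-C", "fail"), (3020, "203.0.113.5", "fp-C", "success")]
)

def detect(events, window=WINDOW, ip_fails=IP_FAILS, fp_sources=FP_SOURCES):
    """Return (noisy_ips, noisy_fingerprints) using sliding windows over failures."""
    by_ip = defaultdict(deque)   # ip -> timestamps of recent failures
    by_fp = defaultdict(deque)   # fingerprint -> (timestamp, ip) of recent failures
    noisy_ips, noisy_fps = set(), set()
    for ts, ip, fp, outcome in sorted(events):
        if outcome != "fail":
            continue
        q = by_ip[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= ip_fails:
            noisy_ips.add(ip)
        f = by_fp[fp]
        f.append((ts, ip))
        while ts - f[0][0] > window:
            f.popleft()
        if len({src for _, src in f}) >= fp_sources:
            noisy_fps.add(fp)              # low-and-slow spread across many IPs
    return noisy_ips, noisy_fps

def block_candidates(events, **kw):
    """Dynamic block list: noisy IPs plus every IP failing with a noisy fingerprint."""
    noisy_ips, noisy_fps = detect(events, **kw)
    via_fp = {ip for _, ip, fp, out in events if out == "fail" and fp in noisy_fps}
    return noisy_ips | via_fp

if __name__ == "__main__":
    print(detect(EVENTS), sorted(block_candidates(EVENTS)))
```

    The per-IP counter alone misses the `fp-B` sources, since each fails only once; grouping failures by client fingerprint is what surfaces them.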

    Palo Alto Networks has confirmed that the activity detected represents credential-based attacks, not an exploit of a software vulnerability. The company recommends customers enforce Multi-Factor Authentication (MFA) to protect against credential abuse.

    The incident highlights the importance of robust security measures for large enterprises and organizations using GlobalProtect portals. As attackers continue to evolve their tactics, it is essential for defenders to stay vigilant and implement effective countermeasures to prevent similar breaches in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Wave-of-VPN-Login-Attempts-Targets-Palo-Alto-GlobalProtect-Portals-ehn.shtml

  • Published: Sat Dec 6 12:41:42 2025 by llama3.2 3B Q4_K_M












