InfoSecBulletin Cybersecurity for mankind
GreyNoise reported that login attempts on GlobalProtect portals surged to 1.7 million over 16 hours, targeting various VPNs, including Palo Alto Networks GlobalProtect and Cisco SSL VPN.
Data revealed that over 10,000 unique IP addresses targeted infrastructure in the United States, Mexico, and Pakistan. The malicious traffic originated almost entirely from the 3xK GmbH (Germany) IP space, indicating a centralized cloud infrastructure.
Bajaj Auto System Hit by a Ransomware Attack
Cisco Unified CM flaw CVE-2026-20230 exploited in attacks
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Researchers observed that the threat actor reused common username and password combinations, with most requests coming from a rarer Firefox user agent for automated logins with this provider.
Source: GreyNoise
“The consistency of the user agent, request structure, and timing suggests scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals, rather than interactive access attempts or vulnerability exploitation,” GreyNoise explains.
“This activity reflects continued pressure against enterprise VPN authentication endpoints, a pattern GreyNoise has observed repeatedly during periods of heightened attacker activity.”
On December 12, probing activity from the same hosting provider targeting Cisco SSL VPNs began, with unique attack IPs rising to 1,273 compared to the usual fewer than 200. This marks the first major use of 3xK-hosted IPs against Cisco SSL VPNs in 12 weeks.
Palo Alto Networks confirmed to the media that they are aware of the situation. They advise users to use strong passwords and multi-factor authentication.
“We are aware of the credential-based activity reported by GreyNoise targeting VPN gateways, including GlobalProtect portals. This activity reflects automated credential probing and does not constitute a compromise of our environment or an exploitation of any Palo Alto Networks vulnerability,” the Palo Alto Networks spokesperson said.
“Our investigation confirms that these are scripted attempts to identify weak credentials,” they added. Grey Noise suggests checking network devices for unusual logins and blocking malicious IPs.
