InfoSecBulletin Cybersecurity for mankind
Since November 14, 2025, hackers launched over 2.3 million attacks on Palo Alto Networks’ GlobalProtect VPN portals, as reported by GreyNoise. A 40-fold increase in activity within 24 hours marks the highest level in 90 days, indicating rising risks to global remote access systems.
Attacks aim at the /global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect systems, using brute-force methods to gain unauthorized access to corporate networks.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
GreyNoise researchers observed a surge in activity last week, driven by organizations relying on VPNs for secure remote work. This campaign poses a risk of data breaches and exposes ongoing vulnerabilities in popular network security tools.
Surge Linked to Coordinated Threat Actors:
Key indicators include consistent TCP and JA4t fingerprints across incidents, shared infrastructure via recurring Autonomous System Numbers (ASNs), and synchronized timing in activity spikes.
The patterns suggest a complex operation, possibly state-sponsored or linked to cybercrime, aimed at testing corporate security for vulnerabilities.
62% of the attack sessions come from AS200373 (3xK Tech GmbH), a German company, making it the main part of the infrastructure.
An extra 15% is linked to the same ASN but goes through Canadian clusters, suggesting efforts to avoid detection. There are also contributions from AS208885 (Noyobzoda Faridduni Saidilhom), showing a coordinated presence across continents.
Targets are concentrated in specific regions, with the United States, Mexico, and Pakistan receiving about the same number of login attempts. This might indicate that attackers are focusing on valuable areas or using stolen credential lists from various sources.
For defensive hunting, GreyNoise highlighted two JA4t fingerprints covering all observed activity: 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7.
GreyNoise has noted that spikes in Fortinet VPN brute-force attacks typically happen within six weeks before vulnerability disclosures, a trend first observed in July 2025.
Surges affected Palo Alto portals in April and October 2025, leading to advisories tied to wider attacks on Cisco and Fortinet devices.
Organizations should review their exposed GlobalProtect portals, use multi-factor authentication, and keep an eye on these indicators to prevent potential exploits.
