Threat actors launched a coordinated brute-force campaign against enterprise VPN gateways, hammering Palo Alto Networks GlobalProtect portals and Cisco SSL VPN endpoints with hundreds of thousands of automated login attempts in mid-December 2025.
GreyNoise intelligence revealed the attacks stemmed from centralized infrastructure hosted by Germany's 3xK GmbH, using scripted credential stuffing rather than zero-day exploits. The operation pivoted quickly between vendors, underscoring persistent risks to remote access infrastructure.
Palo Alto GlobalProtect Under Attack
GreyNoise sensors detected a massive surge on December 11, with over 1.7 million sessions flooding emulated GlobalProtect portals in just 16 hours.
More than 10,000 unique IPs participated, mostly geolocated to the United States, Pakistan, and Mexico, but originating almost entirely from 3xK's cloud-hosted ranges.
Attackers deployed uniform request patterns, common username-password combinations, and a Firefox user agent atypical for such automation, pointing to credential probing for weak or exposed portals.
The sharp spike suggests a new inventory effort or campaign kickoff, as GreyNoise has tracked similar waves during peak threat periods. No evidence ties this to vulnerability exploitation; instead, it mimics password spraying across potentially vast stolen credential lists.
Cisco SSL VPN Hit Next
Activity shifted to Cisco SSL VPNs on December 12, spiking unique attacking IPs from under 200 to 1,273 in a day, a stark anomaly. Most traffic hit GreyNoise's facade sensors, indicating opportunistic scanning rather than precise targeting.
Sessions shared the same TCP fingerprint and 3xK IP space as the Palo Alto wave, with a dominant Windows NT 10.0 user agent, unusual for this provider's past behavior.
Request bodies followed standard SSL VPN login flows, including CSRF tokens and credential fields, confirming automated stuffing over exploits. This marks the first large-scale 3xK deployment against Cisco SSL VPNs in 12 weeks.
Fingerprint overlaps in TCP signatures, timing, and hosting confirm a unified actor or toolset probing multiple VPNs. GreyNoise explicitly ruled out links to Cisco Talos' UAT-9686 campaign against Secure Email products. Patterns echo prior surges GreyNoise flagged, often preceding CVEs, though here brute force dominates.
Enterprises should enforce MFA, strong unique passwords, and routine audits of VPN logs for anomalies. GreyNoise recommends blocking tagged IPs via platform lists or free Block templates for Palo Alto Login Scanner and Cisco SSL VPN Bruteforcer. Vendors like Palo Alto urge the latest PAN-OS versions amid recurring threats.
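As an added illustration (not code from GreyNoise or either vendor), the two anomalies described above, a day-over-day jump in distinct source IPs and a burst of many IPs sharing one user agent against a handful of usernames, can be surfaced from a gateway's failed-login log. The log format, the `parse` helper and the thresholds are assumptions; the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of failed VPN logins, one per line (not real data):
# "<timestamp> <gateway> <source IP> <username> <user agent>"
SAMPLE_LOG = """\
2025-12-10T09:00:01 globalprotect 198.51.100.7 alice Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0
2025-12-10T09:05:10 globalprotect 198.51.100.9 bob Mozilla/5.0 (Macintosh) Safari/605.1
2025-12-11T10:00:00 globalprotect 203.0.113.10 admin Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0
2025-12-11T10:00:01 globalprotect 203.0.113.11 admin Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0
2025-12-11T10:00:02 globalprotect 203.0.113.12 admin Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0
2025-12-11T10:00:03 globalprotect 203.0.113.13 test Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0
2025-12-11T10:00:04 globalprotect 203.0.113.14 test Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0
2025-12-11T10:00:05 globalprotect 203.0.113.15 test Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0
"""

def parse(log):
    """Split each line into its five fields; the user agent may contain spaces (assumed format)."""
    events = []
    for line in log.splitlines():
        ts, gateway, ip, user, ua = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "gateway": gateway,
                       "ip": ip, "user": user, "ua": ua})
    return events

def unique_ip_spikes(events, factor=3.0, min_ips=5):
    """Days whose distinct-source-IP count jumped by `factor` over the previous day."""
    per_day = defaultdict(set)
    for e in events:
        per_day[e["ts"].date()].add(e["ip"])
    days = sorted(per_day)
    spikes = []
    for prev, cur in zip(days, days[1:]):
        n_prev, n_cur = len(per_day[prev]), len(per_day[cur])
        if n_cur >= min_ips and n_cur >= factor * max(n_prev, 1):
            spikes.append((cur.isoformat(), n_prev, n_cur))
    return spikes

def spray_clusters(events, window_s=60, min_ips=3):
    """Time buckets where many distinct IPs share one user agent (spray signature)."""
    buckets = defaultdict(lambda: {"ips": set(), "users": set()})
    epoch = datetime(1970, 1, 1)
    for e in events:
        slot = int((e["ts"] - epoch).total_seconds()) // window_s
        b = buckets[(e["gateway"], slot, e["ua"])]
        b["ips"].add(e["ip"]); b["users"].add(e["user"])
    return [{"gateway": g, "ua": ua, "ips": len(b["ips"]), "users": len(b["users"])}
            for (g, _, ua), b in buckets.items() if len(b["ips"]) >= min_ips]
```

Against the sample, December 11 is flagged as a 2-to-6 IP spike and one 60-second bucket shows six IPs with the same Firefox user agent trying only two usernames; tune `factor`, `min_ips` and `window_s` to the gateway's normal baseline before alerting on them.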
GreyNoise continues monitoring the attack campaign. This campaign highlights VPNs as prime footholds; rapid hygiene checks could thwart breaches.
