
Palo Alto Networks GlobalProtect Under Siege by Credential-Based Hacking Attacks
Introduction to the Hacking Campaign
A recent surge in credential-based attack activity has been targeting Palo Alto Networks GlobalProtect services and Cisco SSL VPNs, according to a blog post by GreyNoise. The activity, observed in mid-December, consisted of automated, scripted login attempts concentrated in a two-day window. The campaign is notable for its scale: more than 1.7 million sessions were observed against Palo Alto Networks GlobalProtect and PAN-OS profiles in just 16 hours, and more than 10,000 unique IPs were seen attempting to log in to GlobalProtect portals on December 11, which points to a coordinated rather than incidental effort.

Geographic Distribution and Infrastructure
The targeted portals were primarily located in the United States, Pakistan, and Mexico, indicating a global scope for the campaign. Notably, almost all of the traffic originated from IP space associated with the hosting provider 3xK GmbH, which suggests the attempts were launched from centrally managed, cloud-hosted infrastructure rather than from widely distributed end-user machines. Operating from a single provider lets the attackers drive a large volume of attempts from one place and coordinate them easily; for defenders, the same concentration is a useful indicator, since a spike in failed logins from one provider's netblocks stands out clearly from normal user traffic.

Cisco SSL VPN Attacks
In addition to the GlobalProtect attacks, researchers observed a sharp increase in opportunistic brute-force login attempts against Cisco SSL VPNs on December 12. The number of unique attacking IPs per day rose from a baseline of around 200 to 1,273. Much of this traffic was picked up by GreyNoise's vendor-agnostic Facade sensors, which indicates the attempts were opportunistic rather than aimed at specific targets. The Cisco activity shares tooling and infrastructure with the Palo Alto Networks activity, suggesting a connection between the two campaigns.
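The two indicators described above, a jump in the number of unique source IPs failing authentication against a baseline and the concentration of those IPs in one provider's address space, can be checked directly from a VPN portal's authentication logs. The script below is an added example and is not code from GreyNoise, Palo Alto Networks or Cisco; the log line format, the sample data, the three-times-baseline threshold and the use of a /24 prefix as a crude stand-in for "one hosting provider's IP space" are all assumptions made for the demonstration.

```python
"""Flag brute-force surges against a VPN portal from authentication logs.

Added example; not vendor code. The log format below is a simplified,
constructed one (not the real PAN-OS or Cisco ASA syslog format), and the
thresholds are assumptions. Two signals are computed per day:
  1. the number of unique source IPs with failed logins versus the mean of
     earlier days (the baseline), and
  2. how concentrated those IPs are in a single prefix (a /24 here; a real
     analysis would map each IP to its ASN or netblock owner instead).
"""
from collections import Counter, defaultdict
from datetime import date
import ipaddress
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ portal=(?P<portal>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = date.fromisoformat(rec.pop("ts"))
    return rec


def failing_ips_per_day(lines):
    """Map each day to the set of source IPs that had at least one failed login."""
    per_day = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "FAIL":
            per_day[rec["day"]].add(rec["src"])
    return per_day


def flag_surges(per_day, factor=3.0):
    """Flag any day whose unique failing-IP count exceeds factor x the mean
    of all earlier days. Returns a list of (day, count, baseline)."""
    flagged, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if history:
            baseline = sum(history) / len(history)
            if count > factor * baseline:
                flagged.append((day, count, baseline))
        history.append(count)
    return flagged


def prefix_concentration(ips, prefixlen=24):
    """Return (most common prefix, share of IPs inside it) for a set of IPs."""
    nets = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips
    )
    if not nets:
        return None, 0.0
    prefix, n = nets.most_common(1)[0]
    return prefix, n / len(ips)


def analyze(lines, factor=3.0, prefixlen=24):
    """Combine both signals into one report entry per flagged day."""
    per_day = failing_ips_per_day(lines)
    report = []
    for day, count, baseline in flag_surges(per_day, factor):
        prefix, share = prefix_concentration(per_day[day], prefixlen)
        report.append({"day": day.isoformat(), "unique_ips": count,
                       "baseline": baseline, "top_prefix": prefix, "share": share})
    return report


def make_sample_logs():
    """Constructed sample data: two quiet days, then a surge day on which 200
    distinct IPs from one /24 each try a handful of common usernames."""
    lines = []
    quiet = ["203.0.113.5", "198.51.100.7", "203.0.113.77"]
    for day in ("2025-12-09", "2025-12-10"):
        for i, src in enumerate(quiet):
            lines.append(f"{day}T08:{i:02d}:00Z portal=gp.example.com user=alice src={src} result=FAIL")
        lines.append(f"{day}T09:00:00Z portal=gp.example.com user=alice src={quiet[0]} result=SUCCESS")
    for i in range(1, 201):
        for j, user in enumerate(["admin", "test", "vpn", "guest"]):
            lines.append(f"2025-12-11T03:{i % 60:02d}:{j:02d}Z portal=gp.example.com "
                         f"user={user} src=192.0.2.{i} result=FAIL")
    lines.append("2025-12-11T10:00:00Z portal=gp.example.com user=bob src=198.51.100.7 result=FAIL")
    lines.append("2025-12-11T10:05:00Z portal=gp.example.com user=bob src=198.51.100.7 result=SUCCESS")
    return lines


if __name__ == "__main__":
    for entry in analyze(make_sample_logs()):
        print(f"{entry['day']}: {entry['unique_ips']} unique failing IPs "
              f"(baseline {entry['baseline']:.1f}); "
              f"{entry['share']:.0%} of them in {entry['top_prefix']}")
```

On the constructed data this reports the surge day only, with 201 unique failing IPs against a baseline of 3 and over 99% of them inside 192.0.2.0/24. Counting unique source IPs rather than raw attempts is what makes the signal robust to a single noisy user, and grouping by prefix (or, better, by ASN) is what separates distributed users who mistype passwords from a scripted campaign run out of one provider's address space.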

Response from Palo Alto Networks and Cisco
A spokesperson for Palo Alto Networks acknowledged the threat activity, characterizing it as "automated credential probing" that did not compromise the company's environment or exploit any vulnerabilities. The spokesperson noted that the company's investigation confirmed that the attacks were scripted attempts to identify weak credentials. A spokesperson for Cisco was not immediately available for comment. Given the shared tooling and infrastructure, the attackers appear to be using a common framework against both vendors' products.

Previous Warnings and Scanning Activity
GreyNoise had previously warned about scanning activity targeting Palo Alto Networks GlobalProtect over several months, including a major surge in November. On December 2, the researchers warned about a surge in traffic involving over 7,000 IPs targeting Palo Alto Networks GlobalProtect, and on December 3, they observed a similar surge targeting SonicWall SonicOS API endpoints. These previous warnings highlight the ongoing nature of the threat and the need for organizations to remain vigilant in protecting their networks and credentials.

Conclusion and Implications
The coordinated campaign against Palo Alto Networks GlobalProtect services and Cisco SSL VPNs underlines the importance of robust credential management on internet-facing remote-access services. Automated scripted login attempts run from centralized infrastructure let attackers mount large-scale campaigns with little effort, and the stated goal of this one was simply to find weak credentials. Organizations should therefore enforce multi-factor authentication on VPN portals, screen for weak or reused passwords, and watch for the indicators this campaign presented: sharp rises in unique source IPs failing authentication, and failed logins concentrated in a single hosting provider's address space. Staying informed about ongoing threats and acting on such signals early reduces the risk of being caught by similar campaigns in the future.