Threat Management, Identity, IAM Technologies, Threat Hunting, Endpoint/Device Security

Palo Alto, Cisco VPNs subjected to credential theft intrusions

(Adobe Stock)

BleepingComputer reports that automated credential-based intrusions were launched against Palo Alto Networks GlobalProtect and Cisco SSL VPN instances last week.

Attempted logins to GlobalProtect portals, primarily in the U.S., Mexico, and Pakistan, reached up to 1.7 million on Dec. 11, with most of the illicit IP addresses originating from German hosting provider 3xK GmbH, according to GreyNoise researchers, who also discovered attackers' repeated usage of common username and password combos.

Meanwhile, Cisco SSL VPN endpoints have been probed by malicious IP addresses from the same hosting provider with identical TCP fingerprints the following day, with typical SSL VPN authentication flows succeeded by login payloads.

"This activity reflects continued pressure against enterprise VPN authentication endpoints, a pattern GreyNoise has observed repeatedly during periods of heightened attacker activity," said researchers.

Such credential-based activity should prompt the adoption of robust passwords and multi-factor authentication, said Palo Alto Networks, which denied that the attacks involved software exploits or environment compromise.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds