BleepingComputer reports that automated credential-based intrusions were launched against Palo Alto Networks GlobalProtect and Cisco SSL VPN instances last week.
Attempted logins to GlobalProtect portals, primarily in the U.S., Mexico, and Pakistan, reached up to 1.7 million on Dec. 11, with most of the illicit IP addresses originating from German hosting provider 3xK GmbH, according to GreyNoise researchers, who also discovered attackers' repeated usage of common username and password combos.
Meanwhile, Cisco SSL VPN endpoints have been probed by malicious IP addresses from the same hosting provider with identical TCP fingerprints the following day, with typical SSL VPN authentication flows succeeded by login payloads.
"This activity reflects continued pressure against enterprise VPN authentication endpoints, a pattern GreyNoise has observed repeatedly during periods of heightened attacker activity," said researchers.
Such credential-based activity should prompt the adoption of robust passwords and multi-factor authentication, said Palo Alto Networks, which denied that the attacks involved software exploits or environment compromise.
Attempted logins to GlobalProtect portals, primarily in the U.S., Mexico, and Pakistan, reached up to 1.7 million on Dec. 11, with most of the illicit IP addresses originating from German hosting provider 3xK GmbH, according to GreyNoise researchers, who also discovered attackers' repeated usage of common username and password combos.
Meanwhile, Cisco SSL VPN endpoints have been probed by malicious IP addresses from the same hosting provider with identical TCP fingerprints the following day, with typical SSL VPN authentication flows succeeded by login payloads.
"This activity reflects continued pressure against enterprise VPN authentication endpoints, a pattern GreyNoise has observed repeatedly during periods of heightened attacker activity," said researchers.
Such credential-based activity should prompt the adoption of robust passwords and multi-factor authentication, said Palo Alto Networks, which denied that the attacks involved software exploits or environment compromise.





