
Coordinated attacks target Cisco, Palo Alto, Fortinet networking devices


GreyNoise on Oct. 8 assessed with “high confidence” that attacks on networking devices from Cisco, Palo Alto Networks, and Fortinet were part of a coordinated campaign driven by the same threat actor.

The campaign included scanning of Cisco ASA devices, elevated login attempts against Palo Alto Networks login portals, and brute force attempts against Fortinet SSL VPNs.

The researchers came to the conclusion that the attack was coordinated based on the following observations:

  • Recurring fingerprint: shared TCP fingerprints across each campaign.
  • Shared infrastructure: recurring subnets leveraged in each campaign.
  • Temporal correlation: elevated activity at similar times across each campaign.
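
One way a defender could apply these three signals to their own perimeter logs, as an added example that is not GreyNoise's method or code from the article: it groups events by source /24 and TCP fingerprint, then flags groups that touched more than one vendor's product inside a single time window. The event format, the /24 grouping, the six-hour window, and the fingerprint labels are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events: (UTC time, source IP, activity seen, TCP fingerprint label).
# IPs come from documentation ranges; fingerprint labels are placeholders, not real signatures.
EVENTS = [
    ("2025-01-01T02:10", "192.0.2.14", "cisco-asa-scan", "fp-A"),
    ("2025-01-01T03:45", "192.0.2.77", "panos-login", "fp-A"),
    ("2025-01-01T05:20", "192.0.2.201", "fortinet-sslvpn-bruteforce", "fp-A"),
    ("2025-01-01T04:00", "198.51.100.9", "panos-login", "fp-B"),
    ("2025-01-01T02:30", "203.0.113.5", "cisco-asa-scan", "fp-C"),
    ("2025-01-09T02:30", "203.0.113.80", "fortinet-sslvpn-bruteforce", "fp-C"),
]

def subnet24(ip):
    """Collapse an IPv4 address to its /24 (assumed granularity for 'shared subnet')."""
    return str(ip_network(f"{ip}/24", strict=False))

def coordinated_clusters(events, window=timedelta(hours=6), min_targets=2):
    """Return subnet+fingerprint groups that hit >= min_targets activities within one window."""
    groups = defaultdict(list)
    for ts, ip, target, fp in events:
        # Shared infrastructure + recurring fingerprint form the grouping key.
        groups[(subnet24(ip), fp)].append((datetime.fromisoformat(ts), target))
    findings = []
    for (net, fp), hits in groups.items():
        hits.sort()
        best = set()
        # Temporal correlation: start a window at each event and keep the
        # largest set of distinct activities observed inside any one window.
        for i, (start, _) in enumerate(hits):
            targets = {t for when, t in hits[i:] if when - start <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            findings.append({"subnet": net, "fingerprint": fp, "targets": sorted(best)})
    return findings

if __name__ == "__main__":
    for finding in coordinated_clusters(EVENTS):
        print(finding)
```

The 203.0.113.0/24 group shares a subnet and fingerprint but its two events are eight days apart, so it is only flagged if the window is widened.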

MacKenzie Brown, vice president, Adversary Pursuit Group at Blackpoint Cyber, explained that these coordinated campaigns against major networking devices represent a shift from opportunistic and broad scanning to a more sophisticated and efficient approach to reconnaissance.

“All these attacks originate from shared subnets and target different vendors, suggesting not just a high degree of coordination, but potentially shared infrastructure,” said Brown. “Adversaries are also leveraging generative AI to automate these attacks and adopt nation-state style tactics, and this cross-vendor campaign is a perfect example of a single set of resources to hit multiple targets.”

Brown added that networking devices and VPNs are high-value targets because they are the gateway to the network: compromising one gives an attacker an immediate foothold, often with privileged access to internal systems that bypasses security controls. Brown said Blackpoint's research has shown that attackers target industries such as manufacturing, industrials, and utilities not just for the data, but for greater operational disruption, all for a faster payout.

John Carberry, solution sleuth at Xcape, Inc., said GreyNoise's findings highlight the strategic importance of network devices to malicious actors. He said the fact that multiple exploitation campaigns against Cisco, Fortinet, and Palo Alto Networks products came from the same IP subnets strongly indicates a coordinated attack, not just random scanning.

“Attackers are targeting the ‘front door’ of enterprise networks – firewalls and VPNs – because compromising these systems grants them privileged access, visibility, and the ability to persist within the environment,” said Carberry. “This cross-vendor campaign is especially concerning because many organizations use a combination of these technologies, and vulnerabilities in one can be combined with misconfigurations or delayed patching in others.”

Carberry said this underscores the need for quick patching, continuous monitoring of the external attack surface, and strong network segmentation. He said administrators should also watch for unusual traffic to and from their perimeter devices, implement available mitigations immediately, and ensure robust logging and alerting.

“This is a coordinated attack,” said Carberry. “Defenders must respond in kind.”
