Hackers exploit Palo Alto and SonicWall VPN login portals

Researchers at GreyNoise have identified a large-scale, ongoing campaign of login attempts targeting Palo Alto Networks and SonicWall VPN environments. According to the company, this is a coordinated attack in which the same tooling has been used over several months and across varying infrastructure.

The campaign came to light after GreyNoise observed a spike on December 2 of more than 7,000 IP addresses attempting to log in to Palo Alto GlobalProtect portals. The traffic originated from the infrastructure of the German IT company 3xK GmbH, which operates as a hosting provider with its own autonomous system. BleepingComputer reports that this party offers services via ASN AS200373.

The spike itself was short-lived. However, analysis shows that the activity is part of a broader wave of attacks. GreyNoise found that the same technical attack signatures had already appeared between late September and mid-October, when millions of login attempts were made against GlobalProtect environments. During that period, there were more than nine million non-spoofed HTTP sessions, mostly originating from networks with no known reputation for malicious traffic.

This link is based on so-called client fingerprints: technical characteristics of the network traffic itself (such as the TCP and JA4T parameters mentioned below) that make a specific attack tool recognizable regardless of the IP address it connects from. According to GreyNoise, the exact same three fingerprints reappeared in both the fall and December, despite the use of different infrastructure. This indicates that the same actor has remained active and is deliberately switching hosting environments.

BleepingComputer also reports that GreyNoise saw additional activity from 3xK’s infrastructure in mid-November, with approximately 2.3 million scan sessions directed at GlobalProtect portals. Approximately 62 percent of the IP addresses used at that time were located in Germany. Identical TCP and JA4T fingerprints were also identified during that phase, further strengthening the attribution to a single party.

SonicWall was also under attack

One day after the renewed GlobalProtect activity, on December 3, attention shifted to SonicWall environments. GreyNoise observed scans targeting SonicOS API endpoints, again with exactly the same fingerprints. SonicOS is the operating system of SonicWall firewalls and provides management access via APIs for configuration and monitoring. Such scans are often used to identify vulnerabilities, configuration errors, or potential future attack points.

Palo Alto Networks confirms that it recorded increased scanning and login activity targeting GlobalProtect interfaces. The company states that these are credential-based attacks and emphatically not the exploitation of a software vulnerability. According to Palo Alto Networks, based on internal telemetry, there has been no compromise of products or services, BleepingComputer reports.
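The fingerprint-based correlation described above (the same JA4T/TCP fingerprint reappearing across different hosting networks, dates, and both the GlobalProtect and SonicOS targets) is something a defender can reproduce against their own VPN portal logs. The script below is an added example and is not GreyNoise's tooling, the article's code, or any vendor's log format: the log lines, the field layout (timestamp, source IP, ASN, JA4T fingerprint, portal, result) and the fingerprint values `JA4T_EXAMPLE_A`/`JA4T_EXAMPLE_B` are all constructed placeholders. It groups login attempts by fingerprint and flags a fingerprint that spans several autonomous systems and several days, which is the pattern the article attributes to a single actor rotating infrastructure.

```python
"""Correlate VPN portal login attempts by client fingerprint.

Added example; the log format below is constructed for illustration and does
not match any real GlobalProtect or SonicOS log schema. Fields per line:
  timestamp  src_ip  asn  ja4t_fingerprint  portal  result
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one fingerprint (A) recurs across three ASNs, five
# days and two portal types; fingerprint B is a single ordinary login.
SAMPLE_LOG = """\
2025-09-28T03:14:07Z 198.51.100.12  AS64500 JA4T_EXAMPLE_A globalprotect fail
2025-09-28T03:14:09Z 198.51.100.13  AS64500 JA4T_EXAMPLE_A globalprotect fail
2025-10-12T11:02:55Z 203.0.113.7    AS64501 JA4T_EXAMPLE_A globalprotect fail
2025-11-15T08:30:01Z 192.0.2.44     AS64502 JA4T_EXAMPLE_A globalprotect fail
2025-12-02T14:05:22Z 192.0.2.45     AS64502 JA4T_EXAMPLE_A globalprotect fail
2025-12-03T09:41:10Z 192.0.2.46     AS64502 JA4T_EXAMPLE_A sonicos-api   fail
2025-12-02T14:06:00Z 198.51.100.200 AS64503 JA4T_EXAMPLE_B globalprotect success
"""


@dataclass
class Attempt:
    ts: str
    src_ip: str
    asn: str
    ja4t: str
    portal: str
    result: str


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 6:
            continue  # a truncated line must not abort the whole analysis
        attempts.append(Attempt(*parts))
    return attempts


def correlate_by_fingerprint(attempts: list[Attempt]) -> dict[str, dict]:
    """Group attempts by JA4T fingerprint and summarize the spread of each group."""
    groups: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        groups[a.ja4t].append(a)
    summary = {}
    for fp, items in groups.items():
        summary[fp] = {
            "attempts": len(items),
            "failures": sum(1 for a in items if a.result == "fail"),
            "source_ips": sorted({a.src_ip for a in items}),
            "asns": sorted({a.asn for a in items}),
            "days": sorted({a.ts[:10] for a in items}),  # date part of ISO timestamp
            "portals": sorted({a.portal for a in items}),
        }
    return summary


def flag_coordinated(summary: dict[str, dict], min_asns: int = 2,
                     min_days: int = 2) -> dict[str, dict]:
    """Flag fingerprints seen from several ASNs on several days.

    A tool fingerprint that persists while the source network changes is the
    signal the article describes; the thresholds are tunable assumptions.
    """
    return {
        fp: s for fp, s in summary.items()
        if len(s["asns"]) >= min_asns and len(s["days"]) >= min_days
    }


if __name__ == "__main__":
    flagged = flag_coordinated(correlate_by_fingerprint(parse_log(SAMPLE_LOG)))
    for fp, s in flagged.items():
        print(f"{fp}: {s['attempts']} attempts ({s['failures']} failed) from "
              f"{len(s['source_ips'])} IPs across {s['asns']} on {s['days']}, "
              f"portals {s['portals']}")
```

In practice the fingerprint column would come from a sensor that computes JA4T (or a comparable TCP/TLS fingerprint) at the perimeter, and the ASN from an IP-to-ASN lookup; the correlation logic itself does not change. Because the article stresses that this is credential-based activity rather than a vulnerability, the failure count per fingerprint is also a useful input for lockout and MFA enforcement decisions on the portal.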