Surge of credential-based hacking targets Palo Alto Networks GlobalProtect - Cybersecurity Dive

Cybersecurity Dive Archived Mar 26, 2026 ✓ Full text saved

After weeks of unusual scanning activity, the same campaign took aim at Cisco SSL VPNs.

Published Dec. 18, 2025
David Jones, Reporter

A coordinated, credential-based hacking campaign has been targeting Palo Alto Networks GlobalProtect services, as well as Cisco SSL VPNs, in a surge of mid-December attacks, according to a blog post Wednesday by GreyNoise.

The threat activity does not involve targeting of any vulnerabilities, but uses automated scripted login attempts over two days.

More than 1.7 million sessions were observed targeting Palo Alto Networks GlobalProtect and PAN-OS profiles over a 16-hour period, according to GreyNoise. More than 10,000 unique IPs were detected trying to log into GlobalProtect portals on Dec. 11.

The targeted portals were located mainly in the U.S., Pakistan and Mexico, GreyNoise said. Almost all of the traffic originated from IP space associated with hosting provider 3xK GmbH, which indicates the activity used centralized, cloud-hosted infrastructure rather than widely distributed end-users.

Researchers saw a sharp increase in opportunistic brute force login attempts targeting Cisco SSL VPNs on Dec. 12. Daily unique attacking IPs rose from a regular baseline of about 200 to 1,273 IPs.

GreyNoise said much of the traffic hit its vendor-agnostic Facade sensors. This indicates the attacks were more opportunistic than targeted.

A spokesperson for Palo Alto Networks said the company was aware of the threat activity, noting the process involved “automated credential probing” and did not compromise its environment or exploit any vulnerabilities linked to the company.

“Our investigation confirms that these are scripted attempts to identify weak credentials,” a spokesperson for Palo Alto Networks told Cybersecurity Dive via email.

The Cisco attacks share tooling and infrastructure linked to the Palo Alto Networks attacks, according to GreyNoise.

Those same researchers on Dec. 2 warned about a surge in traffic involving more than 7,000 IPs targeting Palo Alto Networks GlobalProtect. A similar surge on Dec. 3 targeted SonicWall SonicOS API endpoints.

GreyNoise previously warned about scanning activity over several months targeting Palo Alto Networks GlobalProtect, including a major surge in November.

A spokesperson for Cisco was not immediately available for comment.

Filed Under: Cyberattacks, Threats