Security researchers have detected a new wave of suspicious login and scanning activity aimed at enterprise VPN systems and firewall platforms.
The activity began on December 2 and targeted Palo Alto GlobalProtect portals with large-scale login and brute-force attempts. It later shifted focus to scanning SonicWall SonicOS API endpoints. The campaign originated from over 7,000 IP addresses linked to infrastructure operated by a German hosting provider that runs its own BGP network.
According to a threat intelligence report, the attackers first focused on GlobalProtect portals before moving to SonicWall systems. GlobalProtect is the VPN and remote access service used by large enterprises, government bodies, and service providers around the world.
Researchers said the login attempts against GlobalProtect were aimed at two monitoring profiles designed to capture scanning and attack behavior. The recent surge reused three client fingerprints that were previously seen in scanning activity between late September and mid October.
Earlier activity linked to the same fingerprints came from four different network operators with no prior record of malicious behavior. That wave generated more than 9 million web sessions, mostly targeting GlobalProtect portals. In mid November, scanning was again seen from the same German infrastructure, with over 2.3 million scan sessions. Around 62 percent of the attacking IP addresses were based in Germany.
On December 3, the same fingerprints were also detected scanning SonicWall SonicOS API endpoints. SonicOS is the operating system that runs on SonicWall firewalls and exposes interfaces for configuration, monitoring, and remote management.
Such scanning is often used to look for exposed systems, weak security settings, and possible future vulnerabilities. Based on the patterns seen, researchers believe both waves of activity are linked to the same threat actor.
Security teams are advised to monitor for suspicious IPs, watch for repeated login failures, track recurring client fingerprints, and use dynamic blocking instead of only fixed reputation lists.
Palo Alto Networks confirmed the increased scanning activity and said it was linked to credential-based attacks. The company stated, “Furthermore, our internal telemetry and Cortex XSIAM protection confirm this activity does not constitute a compromise of our products or services.”
Customers have been advised to enforce multi-factor authentication to reduce the risk of credential abuse.
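The monitoring advice above (repeated login failures per source, client fingerprints recurring across many IPs, dynamic blocking rather than static reputation lists) can be turned into simple detection logic. The following is an added example, not code from the article or from any vendor; the log format, field names and sample lines are constructed for illustration and do not match any real portal's log schema.

```python
"""Flag brute-force bursts and recurring client fingerprints in VPN portal auth logs.
Added example with a constructed log format: timestamp, source IP, client fingerprint, result."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical schema, not a real vendor format).
SAMPLE_LOG = """\
2025-12-02T08:00:01 203.0.113.10 fp_a1 FAIL
2025-12-02T08:00:02 203.0.113.10 fp_a1 FAIL
2025-12-02T08:00:03 203.0.113.10 fp_a1 FAIL
2025-12-02T08:00:04 203.0.113.10 fp_a1 FAIL
2025-12-02T08:00:05 203.0.113.10 fp_a1 FAIL
2025-12-02T08:00:06 203.0.113.11 fp_a1 FAIL
2025-12-02T08:00:07 203.0.113.12 fp_a1 FAIL
2025-12-02T08:00:08 198.51.100.7 fp_b2 SUCCESS
2025-12-02T09:30:00 198.51.100.8 fp_b2 FAIL
"""


def parse(log_text):
    """Turn each log line into (timestamp, ip, fingerprint, result)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, fp, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, fp, result))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """IPs with at least `threshold` failures inside a sliding time window.
    These are candidates for temporary, dynamic blocking (not a fixed list)."""
    fails = defaultdict(list)
    for ts, ip, _, result in events:
        if result == "FAIL":
            fails[ip].append(ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def recurring_fingerprints(events, min_ips=3):
    """Fingerprints seen from at least `min_ips` distinct sources: the same
    client toolset operating behind a rotating pool of IP addresses."""
    ips_by_fp = defaultdict(set)
    for _, ip, fp, _ in events:
        ips_by_fp[fp].add(ip)
    return {fp for fp, ips in ips_by_fp.items() if len(ips) >= min_ips}
```

Blocking on the fingerprint rather than the individual IP is what catches a campaign that rotates through thousands of addresses while reusing a handful of client signatures.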