
"Researchers at GreyNoise have identified a large-scale, ongoing campaign of login attempts targeting Palo Alto Networks and SonicWall VPN environments. According to the company, this is a coordinated attack in which the same tooling has been used over several months and across varying infrastructure. The campaign came to light after GreyNoise observed a spike on December 2 of more than 7,000 IP addresses attempting to log in to Palo Alto GlobalProtect portals."
"BleepingComputer reports that this party offers services via ASN AS200373. The spike itself was short-lived. However, analysis shows that the activity is part of a broader wave of attacks. GreyNoise found that the same technical attack signatures had already appeared between late September and mid-October, when millions of login attempts were made against GlobalProtect environments."
"This link is based on so-called client fingerprints, technical characteristics of network traffic that make specific attack tools recognizable. According to GreyNoise, the exact same three fingerprints reappeared in both the fall and December, despite the use of different infrastructure. This indicates that the same actor has remained active and is deliberately switching hosting environments. BleepingComputer also reports that GreyNoise saw additional activity from 3xK's infrastructure in mid-November, with approximately 2.3 million scan sessions directed at GlobalProtect portals."
A large-scale, ongoing campaign of login attempts targets Palo Alto Networks and SonicWall VPN environments. The campaign used the same tooling over several months across varying infrastructure. On December 2, more than 7,000 IPs attempted logins to Palo Alto GlobalProtect portals from infrastructure tied to German hosting provider 3xK GmbH (ASN AS200373). Similar fingerprints were observed between late September and mid-October when millions of login attempts and over nine million non-spoofed HTTP sessions occurred. The same three client fingerprints reappeared despite infrastructure changes, indicating a single actor deliberately switching hosting environments. Mid-November activity included about 2.3 million scan sessions, with roughly 62% of IPs located in Germany and identical TCP and JA4T fingerprints.
Read at Techzine Global
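The fingerprint pivot described above, sketched as an added example (not GreyNoise's tooling or code from the article): failed logins are grouped by client fingerprint instead of source IP, so a tool that moves to a new hosting provider still lands in the same cluster. The log schema, thresholds, dates, fingerprint strings, IPs and every ASN except AS200373 are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records, not real telemetry:
# (day, source IP, origin ASN, JA4T-style client fingerprint, login outcome).
# IPs are documentation ranges; AS64500/AS64501 are reserved placeholder ASNs.
SAMPLE = [
    ("2025-10-01", "192.0.2.10",   "AS64500",  "fp-A", "fail"),
    ("2025-10-01", "192.0.2.11",   "AS64500",  "fp-A", "fail"),
    ("2025-12-02", "198.51.100.7", "AS200373", "fp-A", "fail"),
    ("2025-12-02", "198.51.100.8", "AS200373", "fp-A", "fail"),
    ("2025-12-02", "203.0.113.5",  "AS64501",  "fp-B", "fail"),  # one user, typo
    ("2025-12-02", "203.0.113.5",  "AS64501",  "fp-B", "ok"),
    ("2025-12-02", "198.51.100.9", "AS200373", "fp-C", "fail"),  # seen only once
]

def recurring_fingerprints(records, min_asns=2, min_ips=3, min_gap_days=30):
    """Flag fingerprints whose failed logins span several ASNs, IPs and weeks."""
    seen = defaultdict(lambda: {"ips": set(), "asns": set(), "days": set()})
    for day, ip, asn, fingerprint, outcome in records:
        if outcome != "fail":
            continue
        entry = seen[fingerprint]
        entry["ips"].add(ip)
        entry["asns"].add(asn)
        entry["days"].add(date.fromisoformat(day))

    flagged = {}
    for fingerprint, entry in seen.items():
        span = (max(entry["days"]) - min(entry["days"])).days
        if (len(entry["asns"]) >= min_asns
                and len(entry["ips"]) >= min_ips
                and span >= min_gap_days):
            flagged[fingerprint] = {
                "ips": len(entry["ips"]),
                "asns": sorted(entry["asns"]),
                "span_days": span,
            }
    return flagged

if __name__ == "__main__":
    for fingerprint, info in recurring_fingerprints(SAMPLE).items():
        print(fingerprint, info)
```

An IP or ASN blocklist built from the October records would miss the December sources in this sample, while the fingerprint cluster covers both.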