Threat actors launched a coordinated brute-force campaign against enterprise VPN gateways, hammering Palo Alto Networks GlobalProtect portals and Cisco SSL VPN endpoints with millions of automated login attempts in mid-December 2025.
GreyNoise intelligence revealed the attacks stemmed from centralized infrastructure hosted by Germany’s 3xK GmbH, using scripted credential stuffing rather than zero-day exploits. The operation pivoted rapidly between vendors, underscoring persistent risks to remote access infrastructure.
Palo Alto GlobalProtect Under Attack
GreyNoise sensors detected a massive surge on December 11, with over 1.7 million sessions flooding emulated GlobalProtect portals in just 16 hours.
More than 10,000 unique IPs participated, primarily geolocated to the United States, Pakistan, and Mexico, but originating almost entirely from 3xK’s cloud-hosted ranges.

Attackers deployed uniform request patterns, common username-password combos, and a Firefox user agent atypical for such automation, pointing to credential probing for weak or exposed portals.
The sharp spike suggests a new inventory effort or campaign kickoff, as GreyNoise has tracked similar waves during peak threat periods. No evidence ties this to vulnerability exploitation; instead, it mimics password spraying across potentially massive stolen credential lists.
Cisco SSL VPN Hit Next
Activity shifted to Cisco SSL VPNs on December 12, spiking unique attacking IPs from under 200 to 1,273 in a day, a stark anomaly. Most traffic hit GreyNoise’s facade sensors, indicating opportunistic scanning rather than precise targeting.

Sessions shared the same TCP fingerprint and 3xK IP space as the Palo Alto wave, with a dominant Windows NT 10.0 user agent, unusual for this provider’s past behavior.
Request bodies followed standard SSL VPN login flows, including CSRF tokens and credential fields, confirming automated credential stuffing rather than exploit delivery. This marks the first large-scale 3xK deployment against Cisco SSL VPNs in 12 weeks.
Fingerprint overlaps in TCP signatures, timing, and hosting confirm a unified actor or toolset probing multiple VPNs. GreyNoise explicitly ruled out links to Cisco Talos’ UAT-9686 campaign against Secure Email products. Patterns echo prior surges GreyNoise flagged, often preceding CVEs, though here brute-force dominates.
Enterprises should enforce MFA, strong unique passwords, and routine audits of VPN logs for anomalies. GreyNoise recommends blocking tagged IPs via platform lists or free Block templates for Palo Alto Login Scanner and Cisco SSL VPN Bruteforcer. Vendors like Palo Alto urge the latest PAN-OS versions amid recurring threats.
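As an added illustration of the log audits recommended above (not code from GreyNoise or the vendors), the following Python check flags the pattern the article describes: a burst of failed VPN logins in a short window coming from many distinct source IPs that all share one user agent. The log line format, IP addresses and thresholds are constructed assumptions, not real PAN-OS or Cisco syntax.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, hypothetical format (not real
# PAN-OS or Cisco ASA syntax): timestamp, source IP, username, result, user agent.
SAMPLE_LOGS = """\
2025-12-11T03:00:01Z 203.0.113.10 admin FAIL Firefox/115.0
2025-12-11T03:00:02Z 203.0.113.11 admin FAIL Firefox/115.0
2025-12-11T03:00:03Z 203.0.113.12 test FAIL Firefox/115.0
2025-12-11T03:00:04Z 203.0.113.13 vpn FAIL Firefox/115.0
2025-12-11T03:00:05Z 203.0.113.14 guest FAIL Firefox/115.0
2025-12-11T03:00:06Z 203.0.113.15 admin FAIL Firefox/115.0
2025-12-11T03:05:00Z 198.51.100.7 jsmith OK GlobalProtect/6.2
2025-12-11T09:00:00Z 198.51.100.8 alee OK GlobalProtect/6.2
2025-12-11T09:01:00Z 198.51.100.8 alee FAIL GlobalProtect/6.2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL) (.+)$")


def parse(lines):
    """Yield (timestamp, ip, user, ok, agent) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK", m.group(5)


def find_spray_windows(lines, min_fails=5, min_ips=3, agent_share=0.8):
    """Return [(window_start, fail_count, unique_ips, dominant_agent)] for each
    10-minute window where failed logins come from many IPs sharing one agent."""
    windows = defaultdict(list)
    for ts, ip, user, ok, agent in parse(lines):
        if not ok:
            # Bucket failures into 10-minute windows aligned to the clock.
            start = ts - timedelta(minutes=ts.minute % 10, seconds=ts.second)
            windows[start].append((ip, user, agent))
    hits = []
    for start, fails in sorted(windows.items()):
        if len(fails) < min_fails:
            continue
        ips = {ip for ip, _, _ in fails}
        agent, n = Counter(a for _, _, a in fails).most_common(1)[0]
        # Distributed sources plus a single dominant user agent is the
        # signature of scripted credential stuffing, not a user typo.
        if len(ips) >= min_ips and n / len(fails) >= agent_share:
            hits.append((start.isoformat(), len(fails), len(ips), agent))
    return hits
```

Adapting `LINE_RE` to the gateway's real authentication log format is the only change needed to run this over exported logs.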
GreyNoise continues to track the campaign, which highlights VPN gateways as prime footholds; rapid hygiene checks could thwart breaches.
