A campaign has been observed targeting Palo Alto GlobalProtect portals with login attempts and launching scanning activity against SonicWall SonicOS API endpoints.
The activity started on December 2nd and originated from more than 7,000 IP addresses in infrastructure operated by the German IT company 3xK Tech GmbH, which runs its own BGP network (AS200373) and operates as a hosting provider.
Initially, the actor targeted GlobalProtect portals with brute-force and other login attempts, then pivoted to scanning SonicWall API endpoints, threat intelligence company GreyNoise says in a report this week.
GlobalProtect is the VPN and remote access component of Palo Alto Networks’ firewall platform, used by large enterprises, government agencies, and service providers.
[Figure: Number of IP addresses driving the attacks. Source: GreyNoise]
According to GreyNoise, the GlobalProtect login attempts hit two profiles in the company's sensor network, which passively captures scanning and exploitation activity.
The researchers say that the surge used three client fingerprints previously observed in scanning attempts recorded between late September and mid-October.
This past activity originated from four ASNs with no history of malicious activity, generating over 9 million non-spoofable HTTP sessions (completed TCP handshakes, so the source addresses cannot have been forged), mostly targeting GlobalProtect portals.
In mid-November, GreyNoise also observed activity from 3xK Tech GmbH's infrastructure probing GlobalProtect VPN portals with 2.3 million scan sessions. Most of the attacking IPs (62%) were located in Germany and used the same TCP-layer (JA4t) fingerprints.
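The report's central observation is that the login attempts were spread across thousands of source IPs in a single ASN, so a per-IP threshold alone misses them. The following is an added example, not GreyNoise's or Palo Alto Networks' code, showing detection logic that runs over constructed web-server access log lines for a GlobalProtect portal: it flags a source IP that floods the portal login endpoint, and separately flags an ASN that contributes many distinct low-volume source IPs in the same window. The access-log format, the prefix-to-ASN table, the thresholds and the sample lines are all assumptions constructed for the example; the GlobalProtect login paths are the well-known portal and gateway endpoints, not paths the report lists.

```python
"""Flag bursts of GlobalProtect portal login attempts per source IP and per ASN.

Added example (not vendor or GreyNoise code). The log format, ASN table,
thresholds and sample log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Well-known GlobalProtect portal/gateway login endpoints (assumption about
# what a credential-guessing campaign would hit, not taken from the report).
LOGIN_PATHS = {"/global-protect/login.esp", "/ssl-vpn/login.esp"}

# Constructed prefix-to-ASN table standing in for a real BGP/whois lookup.
ASN_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AS64496",
    ipaddress.ip_network("198.51.100.0/24"): "AS64497",
}

# Combined-log-style line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def asn_for(ip):
    """Map an IP to an ASN via the (constructed) prefix table; 'unknown' if absent."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return "unknown"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop query string
        "status": int(m["status"]),
    }


def find_bursts(lines, window=timedelta(minutes=10), per_ip=5, ips_per_asn=3):
    """Return (noisy_ips, noisy_asns).

    noisy_ips:  sources with >= per_ip login POSTs inside any sliding window.
    noisy_asns: ASNs with >= ips_per_asn *distinct* source IPs posting to the
                login endpoint inside any window, which catches the distributed
                pattern even when every single IP stays under per_ip.
    """
    events = [
        e for e in map(parse_line, lines)
        if e and e["method"] == "POST" and e["path"] in LOGIN_PATHS
    ]
    events.sort(key=lambda e: e["ts"])
    noisy_ips, noisy_asns = set(), set()
    start = 0
    for end, ev in enumerate(events):
        # Advance the window's left edge so it spans at most `window`.
        while events[start]["ts"] < ev["ts"] - window:
            start += 1
        win = events[start:end + 1]
        by_ip = Counter(e["ip"] for e in win)
        if by_ip[ev["ip"]] >= per_ip:
            noisy_ips.add(ev["ip"])
        ips_by_asn = defaultdict(set)
        for e in win:
            ips_by_asn[asn_for(e["ip"])].add(e["ip"])
        asn = asn_for(ev["ip"])
        if len(ips_by_asn[asn]) >= ips_per_asn:
            noisy_asns.add(asn)
    return sorted(noisy_ips), sorted(noisy_asns)


# Constructed sample: one IP hammering the portal, three IPs in a second ASN
# each making a single attempt, plus noise that must be ignored.
SAMPLE_LOG = [
    f'203.0.113.10 - - [02/Dec/2025:10:00:{s:02d} +0000] "POST /global-protect/login.esp HTTP/1.1" 200 512'
    for s in range(0, 60, 10)  # six POSTs in one minute
] + [
    '198.51.100.1 - - [02/Dec/2025:10:00:15 +0000] "POST /global-protect/login.esp HTTP/1.1" 200 512',
    '198.51.100.2 - - [02/Dec/2025:10:00:25 +0000] "POST /ssl-vpn/login.esp?x=1 HTTP/1.1" 200 512',
    '198.51.100.3 - - [02/Dec/2025:10:00:35 +0000] "POST /global-protect/login.esp HTTP/1.1" 200 512',
    '192.0.2.5 - - [02/Dec/2025:10:00:40 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 4096',
    '192.0.2.5 - - [02/Dec/2025:10:00:45 +0000] "POST /global-protect/portal/css/login.css HTTP/1.1" 404 0',
    'not a log line at all',
]

if __name__ == "__main__":
    ips, asns = find_bursts(SAMPLE_LOG)
    print("noisy IPs :", ips)
    print("noisy ASNs:", asns)
```

On the sample, only 203.0.113.10 trips the per-IP threshold, while AS64497 is flagged purely on the number of distinct sources, which is the signal that distinguishes a hosting-provider-wide campaign from a single misbehaving client. In production the ASN lookup would come from a BGP or whois feed and the thresholds should be tuned against the portal's normal login rate.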