Tags: adversary, high, Brute Force, Credential Stuffing, VPN Targeting

Dec 17, 2025 • GreyNoise Blog

Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gateways


Source: GreyNoise Blog
Category: adversary
Severity: high

Executive Summary

GreyNoise has identified a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure. The activity focuses specifically on Cisco SSL VPN and Palo Alto Networks GlobalProtect services, aiming to compromise remote-access gateways through credential guessing (brute force) or credential stuffing. The campaign poses a high-severity risk to organizations that rely on these VPN products for remote connectivity: a successful authentication could give the attacker unauthorized network access and a foothold for lateral movement. No specific threat actor or malware family has been publicly attributed to the activity yet; its automated nature suggests a widespread scanning effort. Organizations are advised to enforce multi-factor authentication (MFA), monitor authentication logs for anomalous login attempts, and ensure VPN gateways are patched against known vulnerabilities. An immediate review of exposed VPN endpoints is advisable to reduce the risk of unauthorized access through weak or previously compromised credentials used in this campaign.
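As an added defensive illustration (not part of the GreyNoise report or the BrewedIntel page), the Python script below applies the "monitor authentication logs for anomalous login attempts" advice to a handful of constructed VPN authentication log lines. It flags a source address that accumulates many failed logins inside a sliding time window, distinguishes a single-account brute force from a multi-username spray or stuffing pattern, and separately flags a success that follows such a burst, which is the event that most deserves an analyst's attention. The log line format, the IP addresses (RFC 5737 documentation ranges), the usernames and the thresholds are all assumptions made for the example; real Cisco ASA / Secure Firewall and GlobalProtect syslog messages look different, so in practice the SIEM parser would populate `AuthEvent` and the detection logic would stay the same.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed log format for this example only (not Cisco's or Palo Alto's syslog):
#   <ISO timestamp> vpn-auth src=<ip> user=<name> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn-auth "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 sprays six usernames then succeeds as jsmith;
# 198.51.100.20 is a user who mistypes once; 192.0.2.9 fails three times on one account.
SAMPLE_LOG = """
2025-12-17T08:00:01 vpn-auth src=203.0.113.7 user=admin result=fail
2025-12-17T08:00:03 vpn-auth src=203.0.113.7 user=vpn result=fail
2025-12-17T08:00:05 vpn-auth src=203.0.113.7 user=test result=fail
2025-12-17T08:00:07 vpn-auth src=203.0.113.7 user=jdoe result=fail
2025-12-17T08:00:09 vpn-auth src=203.0.113.7 user=asmith result=fail
2025-12-17T08:00:11 vpn-auth src=203.0.113.7 user=bwong result=fail
2025-12-17T08:00:13 vpn-auth src=203.0.113.7 user=jsmith result=ok
2025-12-17T08:02:00 vpn-auth src=198.51.100.20 user=mlee result=fail
2025-12-17T08:02:20 vpn-auth src=198.51.100.20 user=mlee result=ok
2025-12-17T08:05:00 vpn-auth src=192.0.2.9 user=root result=fail
2025-12-17T08:05:30 vpn-auth src=192.0.2.9 user=root result=fail
2025-12-17T08:06:00 vpn-auth src=192.0.2.9 user=root result=fail
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass
class Finding:
    src: str
    failures: int = 0                      # largest failure burst seen in one window
    distinct_users: set = field(default_factory=set)
    success_after_failures: list = field(default_factory=list)  # (user, ts) pairs

    def kind(self, user_threshold: int = 3) -> str:
        if len(self.distinct_users) >= user_threshold:
            return "password spray / credential stuffing"
        return "brute force against a single account"


def parse_lines(lines):
    """Parse log lines into AuthEvents, skipping anything not in the expected format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["src"],
                                m["user"], m["result"] == "ok"))
    return sorted(events, key=lambda e: e.ts)


def detect(events, window=timedelta(minutes=10), fail_threshold=5):
    """Return {src: Finding} for sources whose failures in any window reach fail_threshold."""
    recent = defaultdict(deque)  # src -> failed events still inside the window
    findings = {}
    for ev in events:
        q = recent[ev.src]
        while q and ev.ts - q[0].ts > window:
            q.popleft()              # slide the window forward
        if ev.ok:
            # A success right after a burst of failures is the highest-priority signal.
            if len(q) >= fail_threshold:
                f = findings.setdefault(ev.src, Finding(ev.src))
                f.success_after_failures.append((ev.user, ev.ts))
            continue
        q.append(ev)
        if len(q) >= fail_threshold:
            f = findings.setdefault(ev.src, Finding(ev.src))
            f.failures = max(f.failures, len(q))
            f.distinct_users = {e.user for e in q}
    return findings


def run_sample():
    return detect(parse_lines(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for src, f in run_sample().items():
        print(f"{src}: {f.failures} failures, {len(f.distinct_users)} users, {f.kind()}")
        for user, ts in f.success_after_failures:
            print(f"  !! success as {user} at {ts} after failure burst")
```

The thresholds are deliberately low so the constructed sample triggers; on production gateways they should be tuned against a baseline of normal failure rates, and the source-address key should be complemented with per-username counters, since a distributed campaign spreads its attempts across many source addresses.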

Summary

GreyNoise is tracking a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, with activity observed against Cisco SSL VPN and Palo Alto Networks GlobalProtect services.
