Dec 04, 2025 • GreyNoise Blog
A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect
Executive Summary
GreyNoise has identified a significant surge in credential-based attacks targeting Palo Alto GlobalProtect VPN portals, involving over 7,000 unique IP addresses. This activity shares fingerprints with concurrent SonicWall API scanning campaigns and previous Palo Alto exploitation attempts, indicating a coordinated or persistent threat pattern focused on initial access. While no specific threat actor or malware family has been publicly attributed to this surge, the scale suggests organized efforts to compromise network perimeters via valid account credentials rather than via a software vulnerability. Organizations running GlobalProtect or SonicWall appliances face elevated risk of unauthorized access and follow-on network intrusion. Immediate mitigations include enforcing multi-factor authentication (MFA) on the portal, monitoring for anomalous login attempts, and applying vendor security patches. Security teams should prioritize logging and alerting on authentication failures to detect brute-force, password-spray and credential-stuffing attempts before adversaries establish persistence within the environment. Note that with 7,000+ source addresses, per-IP lockout or rate-limit thresholds alone will not fire: each source can stay under any per-IP limit, so detection also needs portal-wide aggregation (distinct source IPs and total failures per time window) and alerting on a successful login that follows a run of failures from the same source.
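The detection logic described above, as an added example that is not GreyNoise's or Palo Alto's code. The log line format it parses (an ISO timestamp followed by `src=`, `user=` and `event=` pairs) is a constructed, simplified format chosen for this illustration and is not the real PAN-OS GlobalProtect syslog schema; the sample log is constructed, and the threshold defaults are assumptions to tune against your own baseline. It raises four kinds of alert: a single-IP brute force, a password spray (one IP, many users), a distributed campaign (many IPs in one window, each under the per-IP limit, the case that matters for a 7,000-IP surge), and a success that follows prior failures from the same source.

```python
"""Detect brute-force, password-spray, distributed and success-after-failure
patterns in VPN portal authentication logs.

Added example; not GreyNoise's or Palo Alto's code. The key=value log format
is constructed for illustration (NOT the real PAN-OS GlobalProtect schema):
adapt parse_line() to the field names your SIEM exposes.
"""
from collections import defaultdict
from datetime import datetime, timezone


def parse_line(line):
    """Parse one constructed log line: '<ISO-8601 UTC> k=v k=v ...'."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def build_sample_log():
    """Constructed sample data (not real traffic) that exercises each rule."""
    lines = []
    # 1. Classic brute force: one IP, one user, 12 failures in 12 seconds.
    for i in range(12):
        lines.append(f"2025-12-04T10:00:{i:02d}Z src=203.0.113.5 user=alice event=auth-fail")
    # The same IP then succeeds: the signal that a credential was actually guessed.
    lines.append("2025-12-04T10:01:00Z src=203.0.113.5 user=alice event=auth-success")
    # 2. Password spray: one IP, a single guess against each of six users.
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(f"2025-12-04T10:02:{i:02d}Z src=198.51.100.7 user={u} event=auth-fail")
    # 3. Distributed, low-and-slow: 25 IPs, one failure each, under every per-IP limit.
    for i in range(25):
        lines.append(f"2025-12-04T10:03:{i:02d}Z src=192.0.2.{i + 1} user=admin event=auth-fail")
    # Benign noise: a user mistypes once, then logs in (must NOT alert).
    lines.append("2025-12-04T10:04:00Z src=203.0.113.77 user=heidi event=auth-fail")
    lines.append("2025-12-04T10:04:05Z src=203.0.113.77 user=heidi event=auth-success")
    return lines


def detect(lines, window_s=300, per_ip_fail=10, per_ip_users=5,
           distinct_ips=20, prior_fail=3):
    """Return a list of (rule, key, detail) alerts, one per rule and key.

    Per-IP rules catch a single noisy source. The 'distributed' rule counts
    distinct failing source IPs per fixed time window across the whole portal,
    which is what fires when thousands of IPs each stay under per-IP limits.
    Thresholds are assumed defaults; tune them against your own baseline.
    Per-IP counters here are unbounded for simplicity; a production rule would
    bound the lookback to a window.
    """
    recs = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts, raised = [], set()
    fails_by_ip = defaultdict(int)        # src -> failure count
    users_by_ip = defaultdict(set)        # src -> distinct usernames tried
    ips_by_window = defaultdict(set)      # window start -> distinct failing srcs

    def raise_once(rule, key, detail):
        if (rule, key) not in raised:     # de-duplicate repeated triggers
            raised.add((rule, key))
            alerts.append((rule, key, detail))

    for r in recs:
        ip, user, ev = r["src"], r["user"], r["event"]
        if ev == "auth-fail":
            fails_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            win = int(r["ts"].timestamp()) // window_s * window_s
            ips_by_window[win].add(ip)
            if fails_by_ip[ip] >= per_ip_fail:
                raise_once("brute_force", ip, f"{fails_by_ip[ip]} failures")
            if len(users_by_ip[ip]) >= per_ip_users:
                raise_once("password_spray", ip, f"{len(users_by_ip[ip])} distinct users")
            if len(ips_by_window[win]) >= distinct_ips:
                win_iso = datetime.fromtimestamp(win, tz=timezone.utc).isoformat()
                raise_once("distributed", win_iso,
                           f"{len(ips_by_window[win])} distinct failing source IPs")
        elif ev == "auth-success" and fails_by_ip[ip] >= prior_fail:
            # A success after a run of failures from the same source is the
            # alert to page on: it is the likely account compromise.
            raise_once("success_after_failures", ip,
                       f"user={user} after {fails_by_ip[ip]} failures")
    return alerts


if __name__ == "__main__":
    for rule, key, detail in detect(build_sample_log()):
        print(f"{rule:24} {key:28} {detail}")
```

The four alerts the sample produces are one per rule; the `heidi` source, with a single failure before its success, produces none. Feeding the same rules real portal logs, the `distributed` count per window is the number to baseline first, since that is the only one of the four a campaign of thousands of IPs cannot stay under.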
Summary
GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern.