A wave of coordinated credential-based cyberattacks has been targeting popular remote access technologies, including Palo Alto Networks GlobalProtect and Cisco SSL VPNs. According to recent findings from GreyNoise, the activity intensified in mid-December and appears to be part of a large-scale, automated campaign rather than an exploit-driven breach.
Unlike traditional attacks that rely on software vulnerabilities, this campaign focuses on credential abuse. Attackers used automated scripts to repeatedly attempt logins, hoping to gain access through weak or reused passwords. Over a 16-hour period, researchers observed more than 1.7 million login attempts against Palo Alto Networks GlobalProtect and PAN-OS systems. In total, more than 10,000 unique IP addresses were involved in targeting GlobalProtect portals on December 11 alone.
The majority of affected systems were located in the United States, Pakistan, and Mexico. Analysis showed that much of the traffic originated from IP ranges associated with the hosting provider 3xK GmbH, suggesting the attackers relied on centralized, cloud-based infrastructure rather than compromised home networks or botnets.
A similar spike in malicious activity was detected the following day against Cisco SSL VPNs. The number of unique attacking IP addresses jumped from a typical daily average of around 200 to more than 1,270. GreyNoise noted that many of these attempts were captured by its vendor-agnostic Facade sensors, indicating broad, opportunistic scanning rather than a targeted campaign against specific organizations.
Palo Alto Networks acknowledged the activity, confirming that it involved automated credential probing rather than exploitation of product vulnerabilities. The company emphasized that there was no evidence of a breach within its own environment.
“Our investigation confirms that these were scripted attempts to identify weak credentials,” a Palo Alto Networks spokesperson said in a statement to Cybersecurity Dive.
GreyNoise also linked this activity to earlier spikes observed in early December, including a surge involving more than 7,000 IP addresses targeting GlobalProtect services, followed shortly by similar attempts against SonicWall SonicOS API endpoints.
The takeaway is clear: attackers continue to rely heavily on credential-based attacks against widely used remote access tools. Organizations should prioritize strong password policies, enforce multi-factor authentication, monitor unusual login activity, and regularly review access logs to reduce exposure to these increasingly automated threats.
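The monitoring the article recommends comes down to two questions a defender can ask of VPN authentication logs: is one source trying many accounts (password spraying), and is one account, or the portal as a whole, being hit from an unusually large number of sources (the kind of jump from roughly 200 to 1,270 attacking IPs that GreyNoise reported)? The script below is an added example, not code from GreyNoise, Palo Alto Networks or Cisco. It uses a constructed, hypothetical log format; real GlobalProtect and ASA syslog lines differ, so the `parse_line` function would need to be adapted.

```python
"""Flag credential-probing patterns in VPN authentication logs.

Added example with a constructed log format. The sample lines, thresholds and
field names are assumptions for illustration, not a vendor's real syslog.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: ISO timestamp, source IP, username, result. The last line
# is deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """\
2025-12-11T03:00:05Z src=203.0.113.10 user=alice result=failure
2025-12-11T03:00:40Z src=203.0.113.11 user=bob result=success
2025-12-11T03:01:02Z src=198.51.100.1 user=admin result=failure
2025-12-11T03:01:03Z src=198.51.100.2 user=admin result=failure
2025-12-11T03:01:04Z src=198.51.100.3 user=admin result=failure
2025-12-11T03:01:05Z src=198.51.100.4 user=admin result=failure
2025-12-11T03:01:06Z src=198.51.100.5 user=admin result=failure
2025-12-11T03:01:07Z src=198.51.100.6 user=admin result=failure
2025-12-11T03:01:08Z src=198.51.100.8 user=admin result=failure
2025-12-11T03:01:09Z src=198.51.100.9 user=admin result=failure
2025-12-11T03:02:10Z src=198.51.100.7 user=alice result=failure
2025-12-11T03:02:11Z src=198.51.100.7 user=bob result=failure
2025-12-11T03:02:12Z src=198.51.100.7 user=carol result=failure
2025-12-11T03:02:13Z src=198.51.100.7 user=dave result=failure
this line is not a valid auth record
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return {"ts": datetime.strptime(ts, TS_FMT), "src": src,
            "user": user, "ok": result == "success"}


def analyze(text, baseline_unique_sources=2, burst_factor=3,
            min_users_per_source=3, min_sources_per_user=5):
    """Summarise failed logins as bursts, spraying sources and targeted users.

    baseline_unique_sources is the normal number of distinct failing IPs per
    one-minute window (in practice derived from historical data); a window is a
    burst when it exceeds baseline * burst_factor.
    """
    parsed = skipped = 0
    per_window = defaultdict(set)    # minute -> set of failing source IPs
    users_by_src = defaultdict(set)  # source IP -> usernames it failed against
    srcs_by_user = defaultdict(set)  # username -> source IPs that failed on it

    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        parsed += 1
        if ev["ok"]:
            continue  # only failures feed the credential-probing counters
        minute = ev["ts"].replace(second=0, microsecond=0)
        per_window[minute].add(ev["src"])
        users_by_src[ev["src"]].add(ev["user"])
        srcs_by_user[ev["user"]].add(ev["src"])

    threshold = baseline_unique_sources * burst_factor
    bursts = [(w.strftime(TS_FMT), len(s)) for w, s in sorted(per_window.items())
              if len(s) > threshold]
    spraying = {ip: sorted(u) for ip, u in users_by_src.items()
                if len(u) >= min_users_per_source}
    targeted = {u: sorted(ips) for u, ips in srcs_by_user.items()
                if len(ips) >= min_sources_per_user}
    return {"parsed": parsed, "skipped": skipped, "bursts": bursts,
            "spraying_sources": spraying, "distributed_targets": targeted}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for window, count in report["bursts"]:
        print(f"burst at {window}: {count} distinct failing sources")
    for ip, users in report["spraying_sources"].items():
        print(f"spraying source {ip}: {len(users)} accounts tried")
    for user, ips in report["distributed_targets"].items():
        print(f"account {user} hit from {len(ips)} sources")
```

On the constructed sample the 03:01 window is reported as a burst (eight failing sources against a baseline of two), `198.51.100.7` is flagged for trying four accounts, and `admin` is flagged as a distributed target. In a real deployment the baseline and the per-IP and per-user thresholds should come from the site's own history, and a burst from a single hosting provider's address ranges, as the article describes, is a good candidate for a temporary rate limit or block at the portal.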