Cybersecurity Alert: Targeting of Palo Alto Networks and SonicWall Systems

A recent cyber campaign has been identified targeting Palo Alto GlobalProtect portals and SonicWall SonicOS API endpoints. The malicious activity, which started on December 2nd, originated from over 7,000 IP addresses associated with the German IT company 3xK GmbH.

The attackers initially focused on GlobalProtect portals, using bruteforce and login attempts. They later shifted their attention to scanning SonicWall API endpoints, as reported by threat intelligence company GreyNoise.

GlobalProtect, a vital component of Palo Alto Networks’ firewall platform, is widely used by large enterprises, government agencies, and service providers for VPN and remote access.

According to GreyNoise’s report, the attackers targeted specific profiles within the sensor network to capture scanning and exploitation activities passively.

The surge in activity involved using three client fingerprints previously seen in scanning attempts between late September and mid-October. This past activity, originating from four ASNs with no prior malicious history, generated over 9 million non-spoofable HTTP sessions primarily aimed at GlobalProtect portals.

In mid-November, GreyNoise also observed scanning activity from 3xK Tech GmbH’s infrastructure, with 2.3 million scan sessions targeting GlobalProtect VPN portals, most of which were sourced from IPs in Germany.

Based on the analyzed indicators, GreyNoise confidently attributes both sets of activities to the same threat actor.

On December 3rd, the same three client fingerprints were detected in scanning activity targeting SonicWall SonicOS API.

SonicOS, the operating system powering SonicWall firewalls, exposes API endpoints for configuration, remote management, and monitoring. Malicious scanning of these endpoints aims to identify vulnerabilities and misconfigurations, potentially paving the way for exploitation of future flaws.

Defenders are advised to monitor and block IPs associated with this type of scanning activity. Additionally, it is recommended to track authentication surfaces for abnormal velocity or repeated failures, monitor recurring client fingerprints, and implement dynamic, context-aware blocking measures.

Upon reaching out for comment, Palo Alto Networks acknowledged increased scanning directed at GlobalProtect interfaces. The company clarified that the activity constituted credential-based attacks rather than exploiting software vulnerabilities.

Palo Alto Networks recommends the implementation of Multi-Factor Authentication (MFA) as a protective measure against credential abuse.

Protecting Your Systems

Stay vigilant against cyber threats by monitoring and securing your network infrastructure. By proactively identifying and mitigating potential risks, you can protect your organization from malicious actors seeking to exploit vulnerabilities in your systems.

For any inquiries or assistance regarding cybersecurity measures, feel free to reach out to industry-leading experts such as Palo Alto Networks and SonicWall for guidance and support.