
Security Alert: Cybercriminals Targeting Cisco and PAN VPN Gateways with Password Spraying Attacks


Password Spraying Attacks Targeting Cisco and PAN VPN Gateways

Recent automated campaigns have been observed targeting multiple VPN platforms, with a focus on credential-based attacks against Palo Alto Networks GlobalProtect and Cisco SSL VPN.

GreyNoise, a threat monitoring platform, reported a significant spike in login attempts aimed at GlobalProtect portals, reaching 1.7 million within a 16-hour period on December 11. These attacks originated from over 10,000 unique IP addresses and targeted infrastructure in the United States, Mexico, and Pakistan.

The majority of malicious traffic came from the 3xK GmbH (Germany) IP space, indicating a centralized cloud infrastructure. The threat actor behind these attacks primarily used common username and password combinations, with most requests originating from a Firefox user agent, which is uncommon for automated login activities through this provider.

According to GreyNoise, the consistent user agent, request structure, and timing suggest a scripted credential probing strategy to identify exposed or weakly protected GlobalProtect portals, rather than interactive access attempts or vulnerability exploitation.

This pattern of attacks against enterprise VPN authentication endpoints reflects ongoing pressure from threat actors, as observed by GreyNoise during periods of heightened attacker activity.

[Figure: Activity targeting GlobalProtect portals. Source: GreyNoise]

Subsequently, on December 12, GreyNoise detected activity from the same hosting provider targeting Cisco SSL VPN endpoints. The number of unique attacking IPs rose to 1,273, far above the normal baseline of fewer than 200. This marked the first large-scale use of 3xK-hosted IPs against Cisco SSL VPNs in the past 12 weeks.

As with the GlobalProtect attacks, the login payloads in the Cisco SSL VPN probes followed the standard SSL VPN authentication flow, including CSRF token handling, indicating automated credential attacks rather than exploitation attempts.

[Figure: Number of IPs probing Cisco SSL VPN endpoints. Source: GreyNoise]

While Cisco recently warned about a zero-day vulnerability (CVE-2025-20393) actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances, GreyNoise found no evidence linking the observed activity to this specific vulnerability.

A spokesperson from Palo Alto Networks acknowledged the reported credential-based activity targeting VPN gateways and emphasized the importance of using strong passwords and multi-factor authentication for protection against such attacks.

GreyNoise recommends that administrators audit their network appliances, monitor for unexpected login attempts, and block the known malicious IPs involved in these probing activities.
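The indicators GreyNoise describes above (a jump in distinct source IPs far above the site's baseline, generic usernames, and one consistent user agent behind the failed logins) translate directly into a detection check over VPN portal authentication logs. The following is an added example, not code from GreyNoise or either vendor; the log line format, the baseline of 3 distinct failing IPs, and the 80% user-agent share threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format for this example (not a vendor's real format):
#   <time> src=<ip> user=<name> ua="<user agent>" result=<ok|fail>
LOG_RE = re.compile(r'src=(\S+) user=(\S+) ua="([^"]*)" result=(\S+)')

# Assumed site baseline: normal number of distinct IPs with failed logins per window.
BASELINE_UNIQUE_IPS = 3
# Share of failures from a single user agent that we treat as scripted uniformity.
DOMINANT_UA_SHARE = 0.8

@dataclass
class SprayVerdict:
    failed_attempts: int
    unique_ips: int
    unique_users: int
    dominant_ua: str
    dominant_ua_share: float
    is_spray: bool

def parse_line(line):
    """Return (ip, user, ua, result) or None if the line does not match."""
    m = LOG_RE.search(line)
    return m.groups() if m else None

def analyze(lines, baseline=BASELINE_UNIQUE_IPS):
    """Flag a password-spray pattern: many distinct source IPs failing to log in,
    with one user agent behind (almost) all of the failures."""
    failures = [p for p in map(parse_line, lines) if p and p[3] == "fail"]
    if not failures:
        return SprayVerdict(0, 0, 0, "", 0.0, False)
    ips = {f[0] for f in failures}
    users = {f[1] for f in failures}
    ua, count = Counter(f[2] for f in failures).most_common(1)[0]
    share = count / len(failures)
    is_spray = len(ips) > baseline and share >= DOMINANT_UA_SHARE
    return SprayVerdict(len(failures), len(ips), len(users), ua, round(share, 2), is_spray)

# Constructed sample: four hosts in one provider range, same UA, common usernames,
# plus one legitimate user who mistypes a password and then succeeds.
SAMPLE_LOG = [
    '2025-12-11T03:00:01Z src=203.0.113.10 user=admin ua="Mozilla/5.0 Firefox/120.0" result=fail',
    '2025-12-11T03:00:02Z src=203.0.113.11 user=admin ua="Mozilla/5.0 Firefox/120.0" result=fail',
    '2025-12-11T03:00:02Z src=203.0.113.12 user=test ua="Mozilla/5.0 Firefox/120.0" result=fail',
    '2025-12-11T03:00:03Z src=203.0.113.13 user=vpn ua="Mozilla/5.0 Firefox/120.0" result=fail',
    '2025-12-11T03:00:04Z src=203.0.113.10 user=test ua="Mozilla/5.0 Firefox/120.0" result=fail',
    '2025-12-11T03:05:10Z src=198.51.100.7 user=jsmith ua="AnyConnect/4.10" result=fail',
    '2025-12-11T03:05:30Z src=198.51.100.7 user=jsmith ua="AnyConnect/4.10" result=ok',
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample above the verdict flags a spray (5 distinct failing IPs against a baseline of 3, with one user agent behind 83% of the failures), while the lone legitimate failure on its own does not.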
