A coordinated, credential-based hacking campaign has been targeting Palo Alto Networks GlobalProtect services, as well as Cisco SSL VPNs, in a surge of mid-December attacks, according to a blog post Wednesday by GreyNoise.
The threat activity does not exploit any vulnerabilities; instead, it relies on automated, scripted login attempts carried out over two days.
More than 1.7 million sessions were observed targeting Palo Alto Networks GlobalProtect and PAN-OS profiles over a 16-hour period, according to GreyNoise. More than 10,000 unique IPs were detected trying to log into GlobalProtect portals on Dec. 11.
The targeted portals were located mainly in the U.S., Pakistan and Mexico, GreyNoise said. Almost all of the traffic originated from IP space associated with hosting provider 3xK GmbH, which indicates the activity used centralized, cloud-hosted infrastructure rather than widely distributed end-user systems.
Researchers saw a sharp increase in opportunistic brute-force login attempts targeting Cisco SSL VPNs on Dec. 12. Daily unique attacking IPs rose from a regular baseline of about 200 to 1,273. GreyNoise said much of the traffic hit its vendor-agnostic Facade sensors, which indicates the attacks were opportunistic rather than targeted.
A spokesperson for Palo Alto Networks said the company was aware of the threat activity, noting the process involved “automated credential probing” and did not compromise its environment or exploit any vulnerabilities linked to the company.
“Our investigation confirms that these are scripted attempts to identify weak credentials,” a spokesperson for Palo Alto Networks told Cybersecurity Dive via email.
The Cisco attacks share tooling and infrastructure linked to the Palo Alto Networks attacks, according to GreyNoise.
Those same researchers on Dec. 2 warned about a surge in traffic involving more than 7,000 IPs targeting Palo Alto Networks GlobalProtect. A similar surge on Dec. 3 targeted SonicWall SonicOS API endpoints.
GreyNoise previously warned about scanning activity over several months targeting Palo Alto Networks GlobalProtect, including a major surge in November.
A spokesperson for Cisco was not immediately available for comment.