Massive Credential-Stuffing Campaign Exploits Cisco and Palo Alto VPN Portals


In mid-December 2025, GreyNoise Intelligence detected a large-scale, automated credential-based campaign targeting enterprise VPN gateways, specifically Cisco SSL VPN and Palo Alto Networks GlobalProtect services. Unlike exploit-driven attacks, this campaign relied on scripted login attempts and password spraying, indicating an effort to identify weakly secured VPN portals rather than exploit software vulnerabilities. The campaign spanned multiple regions and platforms within a short timeframe, reflecting a coordinated, infrastructure-backed effort to compromise enterprise perimeter defenses.

Severity: High

Campaign Summary

  • Type: Credential-based brute-force / password spraying
  • Duration: Mid-December 2025 (observed over two days)
  • Targets: Cisco SSL VPN and Palo Alto Networks GlobalProtect portals
  • Motivation: Enumeration and access testing of VPN endpoints; credential harvesting
  • No CVE exploitation or malware deployment observed

Attack Activity Breakdown

  1. Palo Alto Networks GlobalProtect Phase
    • Volume: ~1.7 million login sessions within 16 hours
    • Unique IPs: Over 10,000
    • Timing: Peak activity on December 11, 2025
    • Traffic Origin: Predominantly from 3xK GmbH (Germany), using centralized, cloud-hosted servers
    • Target Regions: United States, Pakistan, and Mexico
    • Behavior:
      • Reuse of common usernames and passwords
      • Uniform Firefox user-agent string (simulating legitimate browsers)
      • Scripted, consistent request timing indicative of automation
  2. Cisco SSL VPN Phase
    • Volume: Sharp increase in login attempts on December 12, 2025
    • Unique IPs: 1,273 (up from a baseline of fewer than 200)
    • Infrastructure: Same 3xK GmbH IP range and TCP fingerprint as the GlobalProtect campaign, confirming tooling and infrastructure linkage
    • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) – atypical for Cisco SSL VPN brute-force attempts
    • Behavior:
      • Automated login requests with CSRF token handling
      • Legitimate-looking SSL VPN form submissions (suggesting scripted credential stuffing)

Operational Impact

  • Immediate Risk: Account compromise via reused or weak credentials
  • Long-term Risk: Adversaries may use successful logins to:
    • Establish initial footholds in corporate networks
    • Harvest further credentials and escalate privileges
    • Deploy post-compromise malware or ransomware later

Recommendations

  1. Enforce long, complex, non-reused passwords. Enforce MFA across all remote access portals (Cisco SSL VPN, Palo Alto GlobalProtect, and any other VPN endpoints).
  2. Where MFA cannot be enforced (e.g., for legacy systems), restrict access to known IP ranges only.
  3. Consistently audit Cisco and Palo Alto Networks appliance authentication logs to decide whether login attempts are expected or warrant escalation.
  4. Configure VPN gateways to generate alerts on excessive authentication failures or uniform user-agent usage (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64)).
  5. Keep Cisco ASA / FTD and Palo Alto PAN-OS devices patched to the latest stable releases.
  6. Regularly review Cisco Talos and Palo Alto Unit 42 advisories for related or follow-on activity.
  7. Educate employees about credential reuse risks and phishing-driven credential theft.
  8. Reinforce best practices for VPN access and password management.
  9. Block the IOCs at their respective controls:
     https://www.virustotal.com/gui/collection/ffe0bb5a977804b1fbf620ca3e6a584ac2b194413af300eccd70bd17528743fa/iocs
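The behavioural indicators in the Attack Activity Breakdown (many usernames cycled from one source, one user-agent string shared across thousands of sources, a jump in unique IPs over baseline) and recommendation 4 above both describe detection logic that can be run over authentication logs. The script below is an added example and is not code from GreyNoise, Cisco, Palo Alto Networks or this advisory; the log line format, field names, sample events and thresholds are constructed assumptions, and the thresholds should be tuned against your own authentication baseline. It generalises slightly beyond the page by treating brute force (many failures, one user) and spraying (few failures per user, many users) as separate per-source rules.

```python
"""
Added detection example for the indicators this advisory lists. It is not code from
GreyNoise, Cisco or Palo Alto Networks; the log line format, field names and sample
events are constructed for the example, and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed, vendor-neutral log line format (hypothetical; real ASA / PAN-OS syslog differs):
#   <timestamp> src=<ip> user=<name> result=<success|failure> ua="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>success|failure) ua="(?P<ua>[^"]*)"$'
)

# User-agent string the advisory reports for the Cisco SSL VPN phase.
CAMPAIGN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"  # constructed legitimate-looking UA

@dataclass
class AuthEvent:
    ts: str
    src: str
    user: str
    success: bool
    ua: str

def parse_line(line):
    """Return an AuthEvent for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(m["ts"], m["src"], m["user"], m["result"] == "success", m["ua"])

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def flag_sources(events, max_failures=10, max_users=5):
    """Per-source detection: many failures (brute force) or failures spread across
    many usernames from one source (password spraying). Returns {src: [reasons]}."""
    fails = Counter()
    users = defaultdict(set)
    for e in events:
        if not e.success:
            fails[e.src] += 1
            users[e.src].add(e.user)
    flagged = {}
    for src, n in fails.items():
        reasons = []
        if n >= max_failures:
            reasons.append(f"{n} failed logins")
        if len(users[src]) >= max_users:
            reasons.append(f"{len(users[src])} distinct usernames")
        if reasons:
            flagged[src] = reasons
    return flagged

def dominant_user_agent(events, min_share=0.8, min_sources=5):
    """Campaign-wide detection: one user-agent string shared by most failing sources
    points at scripted tooling rather than independent users. Returns the UA or None."""
    failing_sources = {e.src for e in events if not e.success}
    if len(failing_sources) < min_sources:
        return None
    ua_sources = defaultdict(set)
    for e in events:
        if not e.success:
            ua_sources[e.ua].add(e.src)
    ua, srcs = max(ua_sources.items(), key=lambda kv: len(kv[1]))
    return ua if len(srcs) / len(failing_sources) >= min_share else None

def unique_ip_spike(events, baseline_unique_ips, factor=3.0):
    """Volume detection: unique source IPs in the window versus a known baseline,
    the kind of jump the advisory reports for the Cisco phase (<200 to 1,273)."""
    observed = len({e.src for e in events})
    return observed, observed >= factor * baseline_unique_ips

# Constructed sample: five spraying sources cycling common usernames, one source
# hammering "admin", one real user logging in and one real user mistyping twice.
SPRAY_USERS = ("alice", "bob", "carol", "dave", "erin")
SAMPLE_LOG = "\n".join(
    [f'2025-12-12T03:{10 + i}:{j:02d}Z src=203.0.113.{10 + i} user={u} result=failure ua="{CAMPAIGN_UA}"'
     for i in range(5) for j, u in enumerate(SPRAY_USERS)]
    + [f'2025-12-12T03:20:{k:02d}Z src=203.0.113.20 user=admin result=failure ua="{CAMPAIGN_UA}"'
       for k in range(12)]
    + [f'2025-12-12T03:21:00Z src=198.51.100.7 user=jdoe result=success ua="{BROWSER_UA}"',
       f'2025-12-12T03:22:00Z src=198.51.100.8 user=jdoe result=failure ua="{BROWSER_UA}"',
       f'2025-12-12T03:22:30Z src=198.51.100.8 user=jdoe result=failure ua="{BROWSER_UA}"']
)

def analyse(text, baseline_unique_ips=2):
    """Run all three detections over a log window and return their results."""
    events = parse_log(text)
    return {
        "flagged_sources": flag_sources(events),
        "dominant_ua": dominant_user_agent(events),
        "unique_ips": unique_ip_spike(events, baseline_unique_ips),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the five spraying sources are flagged for distinct-username count rather than failure count, which is the point of keeping the two per-source rules separate: a spray that stays under a per-account lockout threshold still stands out by how many accounts it touches. The user who mistypes twice is not flagged, and the shared user-agent rule fires only once enough failing sources exist to make "most of them use the same string" meaningful.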

Source:

  • https://www.greynoise.io/blog/credential-based-campaign-cisco-palo-alto-networks-vpn-gateways
