New wave of VPN login attempts targets Palo Alto GlobalProtect portals

A recent campaign targeted Palo Alto GlobalProtect portals with brute-force login attempts and scanning, then shifted focus to SonicWall SonicOS API endpoints. The attacks originated from over 7,000 IP addresses operated by German hosting provider 3xK GmbH, highlighting ongoing credential-based threat activity.

Key points

  • The campaign involved extensive scanning activities against Palo Alto GlobalProtect and SonicWall APIs.
  • The activity was traced back to over 7,000 IP addresses from German hosting infrastructure.
  • Threat actors used consistent client fingerprints across different scanning campaigns.
  • According to Palo Alto Networks, the activity is primarily credential-based and does not exploit software vulnerabilities.
  • Defense recommendations include using Multi-Factor Authentication and monitoring for abnormal activity patterns.

Read More: https://www.bleepingcomputer.com/news/security/new-wave-of-vpn-login-attempts-targets-palo-alto-globalprotect-portals/