Cisco & Palo Alto VPNs: Stolen Passwords Fuel Attacks


Coordinated Cyberattack Targets VPNs: Cisco and Palo Alto Networks Under Fire

A widespread, automated credential-stuffing campaign is currently targeting Virtual Private Network (VPN) authentication endpoints belonging to Cisco and Palo Alto Networks, security researchers have revealed. The attacks, observed over a brief two-day period in mid-December, represent a significant threat to organizations relying on these popular VPN solutions for secure remote access. This isn’t a novel exploit of software vulnerabilities, but a brute-force attempt to gain access using compromised username and password combinations.

The campaign, analyzed by GreyNoise, demonstrates a highly organized and centralized effort, leveraging over 10,000 unique attacking IP addresses to generate millions of login sessions. Crucially, GreyNoise has stated there is no apparent connection between this activity and the recent security incidents impacting Cisco Secure Email Gateway and Secure Email and Web Manager. This focused attack underscores the persistent danger of credential-based attacks and the critical need for robust authentication practices.

Palo Alto Networks GlobalProtect Services Experience Surge in Login Attempts

On December 11th, GreyNoise detected a substantial spike in automated login traffic directed at Palo Alto Networks GlobalProtect portals. Within a 16-hour timeframe, approximately 1.7 million sessions were recorded against emulated GlobalProtect and PAN-OS login endpoints. These “emulated” endpoints are decoys used by GreyNoise to monitor and analyze attack patterns, ensuring no actual customer VPNs were directly compromised during this observation period.

The geographically dispersed attacks primarily originated from the United States, Pakistan, and Mexico, with a striking concentration of traffic stemming from IP addresses associated with the German hosting provider, 3xk GmbH. Attackers exhibited a consistent pattern, utilizing common usernames and passwords and mimicking legitimate browser behavior by employing a Firefox user agent string. This uniformity strongly suggests a scripted attack, designed to identify vulnerable GlobalProtect installations rather than a random, opportunistic scan.

“The consistency of the user agent, request structure, and timing suggests scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals, rather than interactive access attempts or vulnerability exploitation,” GreyNoise researchers noted. This methodical approach highlights the attackers’ intent to systematically test credentials across a wide range of targets.

Cisco SSL VPNs Become Secondary Target in Coordinated Attack

Just one day following the surge in attacks against GlobalProtect, the same infrastructure shifted its focus to Cisco’s SSL VPN endpoints. The number of unique attacking IP addresses jumped dramatically, from a typical daily average of under 200 to over 1,200, signaling a significant escalation in brute-force login attempts. While the GlobalProtect activity was highly structured, the Cisco traffic was more broadly targeted, hitting vendor-agnostic facade sensors, indicating a wider probe for accessible endpoints.

Despite the difference in targeting approach, the underlying tactic remained consistent: automated credential-based authentication attempts. This suggests a single actor or coordinated group is responsible for both waves of attacks, systematically testing stolen or readily available credentials against popular VPN solutions. What motivates this persistent probing? Is it reconnaissance for larger attacks, or simply opportunistic access attempts?

Defenders are strongly advised to prioritize authentication security. GreyNoise recommends enforcing strong, unique passwords, implementing multi-factor authentication (MFA), regularly auditing exposed edge devices for suspicious login activity, and leveraging threat intelligence blocklists to filter malicious IP addresses at the network perimeter. Blocklists are available for both GreyNoise platform customers and general users: https://block.greynoise.io/?_ga=2.131481996.2060616448.1766126713-1807140631.1766126711. Further information on the campaign can be found in the GreyNoise blog post: https://www.greynoise.io/blog/credential-based-campaign-cisco-palo-alto-networks-vpn-gateways.

Pro Tip: Regularly review and update your VPN access policies. Limit access to only those users who require it, and enforce the principle of least privilege to minimize the potential impact of a successful breach.

Organizations should also consider implementing account lockout policies to mitigate the impact of brute-force attacks. Such a policy temporarily disables an account after a set number of failed login attempts, hindering attackers’ efforts to guess valid credentials.
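To illustrate the kind of edge-device login audit GreyNoise recommends, here is an added example (not GreyNoise's, Cisco's or Palo Alto Networks' code) that scans constructed, simplified VPN authentication log lines for the pattern described above: failed logins from many distinct source IPs inside a short window, all sharing one Firefox user agent and cycling through common usernames, and separately reports accounts that would trip a lockout threshold. The log format, thresholds and sample addresses are assumptions.

```python
"""Flag distributed credential-stuffing against a VPN portal from auth logs."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in an assumed simplified format (not real PAN-OS or
# Cisco syslog): "<ISO timestamp> <src-ip> <username> <OK|FAIL> <user-agent>"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
SAMPLE_LOG = f"""\
2025-12-11T08:00:01 198.51.100.10 admin FAIL {FIREFOX_UA}
2025-12-11T08:00:02 198.51.100.11 test FAIL {FIREFOX_UA}
2025-12-11T08:00:02 198.51.100.12 vpn FAIL {FIREFOX_UA}
2025-12-11T08:00:03 198.51.100.13 admin FAIL {FIREFOX_UA}
2025-12-11T08:00:03 198.51.100.14 guest FAIL {FIREFOX_UA}
2025-12-11T08:00:04 198.51.100.15 admin FAIL {FIREFOX_UA}
2025-12-11T08:00:05 203.0.113.7 jsmith OK GlobalProtect/6.2
2025-12-11T08:00:06 198.51.100.16 user FAIL {FIREFOX_UA}
"""


def parse(log_text):
    """Turn raw lines into event dicts; the user agent may contain spaces."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result, ua = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK", "ua": ua})
    return events


def detect_stuffing(events, window_s=60, min_ips=5, ua_share=0.8):
    """Alert on windows where failures come from many IPs but share one UA."""
    fails = [e for e in events if not e["ok"]]
    if not fails:
        return []
    t0 = min(e["ts"] for e in fails)
    buckets = defaultdict(list)  # fixed windows measured from the first failure
    for e in fails:
        buckets[int((e["ts"] - t0).total_seconds()) // window_s].append(e)
    alerts = []
    for _, win in sorted(buckets.items()):
        ips = {e["ip"] for e in win}
        ua, n = Counter(e["ua"] for e in win).most_common(1)[0]
        if len(ips) >= min_ips and n / len(win) >= ua_share:
            alerts.append({"start": win[0]["ts"], "ips": len(ips), "ua": ua,
                           "users": sorted({e["user"] for e in win})})
    return alerts


def lockout_candidates(events, threshold=3):
    """Accounts whose failed-attempt count reaches an assumed lockout threshold."""
    counts = Counter(e["user"] for e in events if not e["ok"])
    return {u: c for u, c in counts.items() if c >= threshold}
```

In the constructed sample, seven failures from seven addresses share the Firefox user agent, so one alert is raised, and only `admin` reaches the three-failure lockout threshold; a single account being hammered from many IPs is exactly why per-account lockout alone is not enough and the IP-level blocklist matters.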

The ongoing campaign serves as a stark reminder that VPNs, while essential for secure remote access, are not immune to attack. Proactive security measures and a vigilant approach to authentication are paramount in protecting against these evolving threats.

Frequently Asked Questions About VPN Security

What is credential stuffing and how does it impact VPN security?

Credential stuffing is an attack method where attackers use lists of stolen usernames and passwords to attempt to gain unauthorized access to accounts on various services, including VPNs. It exploits the common practice of users reusing the same credentials across multiple platforms.

Why are Cisco and Palo Alto Networks VPNs being targeted in this campaign?

Cisco and Palo Alto Networks are leading providers of VPN solutions, making them attractive targets for attackers seeking to compromise a large number of systems. The widespread use of their products increases the likelihood of finding vulnerable accounts.

What is multi-factor authentication (MFA) and how does it help protect against these attacks?

Multi-factor authentication (MFA) adds an extra layer of security to the login process by requiring users to provide two or more verification factors, such as a password and a code from a mobile app. This makes it significantly harder for attackers to gain access even if they have stolen a user’s password.

How can organizations identify and block malicious IP addresses associated with this campaign?

Organizations can leverage threat intelligence blocklists, such as those provided by GreyNoise, to identify and block malicious IP addresses at the network perimeter. Regularly updating these blocklists is crucial to stay ahead of evolving attack patterns.

Is this VPN attack related to the recent Cisco Secure Email Gateway vulnerability?

According to GreyNoise, there is currently no evidence linking this credential-based VPN campaign to the recent zero-day exploitation of Cisco Secure Email Gateway and Secure Email and Web Manager.

Staying informed about emerging threats and implementing robust security measures are essential for protecting your organization’s VPN infrastructure. What additional security layers are you implementing to safeguard your remote access solutions? How are you educating your users about the importance of strong passwords and MFA?
