In recent weeks, a series of cyberattacks targeting corporate VPNs has been detected, highlighting a reconnaissance strategy orchestrated by cybercriminals. These attacks exploit legitimate infrastructures to map exposed VPN access, once again underscoring the need for increased vigilance in protecting corporate networks.
The 3 key points not to miss
- Since early December, an increase in login attempts has been observed on Palo Alto’s GlobalProtect portals and SonicWall APIs.
- More than seven thousand IP addresses, originating from the infrastructure of 3xK GmbH, have been involved in these attacks.
- GreyNoise has identified recurring technical signatures, suggesting an ongoing operation to map VPN access and firewalls.
Attacks on VPN portals
In early December, a notable increase in login attempts was observed on GlobalProtect portals, a widely used VPN service in companies. These attacks mainly originated from the infrastructure of 3xK GmbH, a legitimate provider whose servers were hijacked to conduct this coordinated operation.
Although this may seem like an isolated incident, analysts quickly identified a recurring pattern, already observed between September and October. The same technical signatures were noted, despite a complete change of infrastructure, indicating a continuous reconnaissance effort by cybercriminals.
Expanded targeting to SonicWall firewalls
On December 3, the attacks evolved to also target the management interfaces of SonicWall firewalls. The same technical footprints were used, reinforcing the hypothesis of a single actor expanding its scope. This evolution highlights the growing interest of cybercriminals in internet-facing security devices.
The attacks do not reveal immediate vulnerabilities, but they highlight the essential role of VPNs and firewalls in network protection. This requires continuous monitoring to detect abnormal behaviors and adjust security policies accordingly.
Recommendations to strengthen security
In the face of this persistent threat, network administrators are encouraged to strengthen the control of their VPN and firewall authentication surfaces. Implementing multi-factor authentication is strongly recommended to reduce the effectiveness of attacks based on compromised credentials.
Furthermore, using unique and strong passwords can prevent the exploitation of credential leaks. Careful monitoring of repeated login attempts is crucial for detecting this type of campaign early and minimizing its potential impact.
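As an added illustration of the monitoring the article recommends (this is example code, not from the article, GreyNoise, Palo Alto or SonicWall), the script below scans authentication log lines and flags a source address that either fails too often or tries too many distinct usernames within a sliding time window, the pattern typical of credential spraying against a VPN portal. The log format and the sample lines are constructed for the example; real GlobalProtect or SonicWall logs would need their own parser.

```python
# Added example (not from the article): flag sources hammering a VPN login
# portal. The log line format below is constructed and generic.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\w+)$")

# Constructed sample: one source spraying usernames, one legitimate user.
SAMPLE_LOG = """\
2024-12-02T08:00:01Z src=203.0.113.10 user=alice result=failure
2024-12-02T08:00:02Z src=203.0.113.10 user=bob result=failure
2024-12-02T08:00:03Z src=203.0.113.10 user=carol result=failure
2024-12-02T08:00:04Z src=203.0.113.10 user=dave result=failure
2024-12-02T08:01:00Z src=198.51.100.7 user=frank result=failure
2024-12-02T08:01:20Z src=198.51.100.7 user=frank result=success
2024-12-02T09:30:00Z src=203.0.113.10 user=erin result=failure
"""

def parse_failures(log_text):
    """Return {src: [(timestamp, user), ...]} for failed logins only."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash
        ts, src, user, result = m.groups()
        if result == "failure":
            failures[src].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user))
    return failures

def flag_sources(log_text, window=timedelta(minutes=10), max_failures=4, max_users=3):
    """Return {src: reason} for sources that, within any sliding window of
    `window`, reach max_failures failures or try max_users distinct names."""
    flagged = {}
    for src, evs in parse_failures(log_text).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            chunk = evs[start:end + 1]
            users = {u for _, u in chunk}
            if len(chunk) >= max_failures or len(users) >= max_users:
                flagged[src] = f"{len(chunk)} failures / {len(users)} users in {window}"
                break
    return flagged
```

Calling `flag_sources(SAMPLE_LOG)` flags 203.0.113.10 after its third distinct username while the single failed attempt from 198.51.100.7 stays below both thresholds; in production, feed the flagged sources to an alert or block list and tune the thresholds to the portal's normal failure rate.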
Background and history of Palo Alto and SonicWall
Palo Alto Networks is an American company founded in 2005, specializing in cybersecurity. It is known for its innovative network protection solutions, including its firewalls and VPN services, which are widely adopted worldwide.
SonicWall, on the other hand, is a company that was established in 1991 and has become a major player in the field of IT security solutions. Its firewalls and intrusion prevention systems are used by many companies to protect their digital infrastructures against external threats.