Starting October 3rd, GreyNoise noticed a sharp increase in the number of unique IP addresses scanning Palo Alto Networks PAN-OS GlobalProtect login portals. On October 7th, activity peaked at over 2,200 unique IP addresses.
On October 8, GreyNoise confirmed the correlation between three recent campaigns:
Scanning Cisco ASA devices.
Increased login attempts against Palo Alto login portals.
A spike in brute force attempts against Fortinet SSL VPNs.
This link is supported by a recurring fingerprint (shared TCP fingerprints), the use of the same subnets, and the simultaneous escalation of activities. The most frequently used subnets are linked to AS200373 (3xK Tech GmbH) and AS11878 (tzulo, Inc.).
Increased risk of zero-day vulnerabilities
The increased scanning is particularly concerning given previous observations by GreyNoise. Previous research in July indicated that spikes in brute force attempts against Fortinet VPNs are often followed by the public disclosure of new Fortinet VPN vulnerabilities within six weeks. While such a correlation has not yet been proven in Palo Alto, the current escalation calls for increased vigilance from defenders.
Furthermore, the rapid succession of login attempts against Palo Alto suggests that threat actors are attempting to test a large data set of stolen or leaked credentials.
Call for defense teams
Defense teams are strongly advised to immediately tighten their firewall and VPN security. This activity is classified as targeted reconnaissance and is clearly distinct from routine background scanning.
Organizations can take preventive measures by:
Instantly block IPs involved in Fortinet VPN brute forcing and Palo Alto scanning.
Implement additional layers of defense given the coordinated nature of the attacks across different technology platforms.
GreyNoise has published a list of usernames and passwords used in recent Palo Alto and Fortinet campaigns for defense teams to review. Threat actors appear to be broadening their focus, given the increase in unique autonomous systems (ASNs) involved in the scans.
