
The targeted portals were geographically distributed, primarily in the United States, Pakistan, and Mexico, with the traffic almost exclusively originating from IP space linked to a single German hosting provider, 3xk GmbH. The login attempts followed a highly uniform pattern, reusing common usernames and passwords and even adopting a browser-like Firefox user agent string.
This is a telltale sign of scripted credential probes rather than opportunistic scanning, the researchers noted.
“This consistency of the user agent, request structure, and timing suggests scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals, rather than interactive access attempts or vulnerability exploitation,” they said.
Brute-forcing Cisco’s SSL VPN follows
Just a day after the GlobalProtect surge, the same actor infrastructure pivoted to Cisco’s SSL VPN endpoints, with the same TCP fingerprint and hosting provider IP space. GreyNoise saw the number of unique attacking IPs jump from a typical daily baseline of fewer than 200 to over 1200, signalling a sharp rise in brute-force login attempts.
Unlike the more structured GlobalProtect activity, much of the Cisco traffic hit vendor-agnostic facade sensors. This indicated that attackers were probing broadly rather than holding a finely targeted list of known endpoints.
However, the underlying behavior remained automated credential-based authentication attempts.
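The two signals the researchers describe, a jump in unique source IPs above the daily baseline and a near-uniform user agent across attempts, can be turned into a simple detection over VPN authentication logs. The following is an added example, not GreyNoise's code or data; the log format (`date src_ip username user_agent`) and the sample lines are constructed, and the baseline and thresholds are assumed parameters.

```python
"""Flag scripted credential probing from constructed VPN auth logs (added example)."""
from collections import Counter, defaultdict

# Constructed sample: day 1 is background noise, day 2 is a scripted burst
# reusing common usernames and a single Firefox-like user agent.
SAMPLE_LOG = """\
2025-10-01 198.51.100.10 alice Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
2025-10-01 198.51.100.11 bob Mozilla/5.0 (Macintosh) Safari/605.1
2025-10-02 203.0.113.1 admin Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
2025-10-02 203.0.113.2 test Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
2025-10-02 203.0.113.3 admin Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
2025-10-02 203.0.113.4 guest Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
2025-10-02 203.0.113.5 admin Mozilla/5.0 (Windows NT 10.0) Firefox/128.0
"""


def parse(log):
    """Yield (day, src_ip, username, user_agent); the UA field may contain spaces."""
    for line in log.splitlines():
        day, ip, user, ua = line.split(" ", 3)
        yield day, ip, user, ua


def daily_unique_ips(records):
    """Count distinct source IPs per day (the spike signal)."""
    ips = defaultdict(set)
    for day, ip, _, _ in records:
        ips[day].add(ip)
    return {day: len(s) for day, s in ips.items()}


def ua_uniformity(records, day):
    """Share of that day's attempts using the single most common user agent."""
    uas = Counter(ua for d, _, _, ua in records if d == day)
    total = sum(uas.values())
    return uas.most_common(1)[0][1] / total if total else 0.0


def flag_scripted_probing(log, baseline_ips, spike_factor=3.0, ua_threshold=0.9):
    """Return days where unique IPs exceed spike_factor * baseline AND the
    attempts are near-uniform in user agent (assumed thresholds)."""
    records = list(parse(log))
    flagged = []
    for day, count in daily_unique_ips(records).items():
        if count > spike_factor * baseline_ips and ua_uniformity(records, day) >= ua_threshold:
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    print(flag_scripted_probing(SAMPLE_LOG, baseline_ips=1))  # ['2025-10-02']
```

In production the baseline would come from a rolling window of prior days, and the IP set could additionally be grouped by ASN or hosting provider, since the article notes the traffic clustered in one provider's IP space.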