Find notable cyber news and cases, enriched with sources, timelines, and signals.

Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

A coordinated credential-based campaign is now probing Cisco SSL VPN and Palo Alto Networks GlobalProtect portals at scale, raising the risk of unauthorized access attempts across enterprise VPN infrastructure. The activity used common username and password combinations and was observed on December 11-12, 2025. More than 10,000 unique IPs were involved against GlobalProtect, while 1,273 IP addresses hit Cisco SSL VPN endpoints. The consistent timing and infrastructure suggest a single campaign pivoting across multiple VPN platforms.

Related Happenings

Check Point VPN CVE-2026-50751 targeted exploitation wave

Exploitation Wave
H score47 First: 08.06.2026 17:17 Last: 08.06.2026 17:17 Sources 1

About this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...

Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)

Vulnerability
H score47 First: 08.06.2026 16:05 Last: 08.06.2026 16:05 Sources 1

About this happening: **Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...

First VPN Service as criminal VPN infrastructure for ransomware and fraud operators

Threat Actor Meta
H score18 First: 22.05.2026 20:35 Last: 22.05.2026 20:35 Sources 1

About this happening: **First VPN Service** functioned as a criminal VPN layer that let ransomware, fraud, and data theft operators hide their identities, expanding the reach and resilience of undergro...

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
H score66 First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Trend
H score30 First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Timeline

  1. 18.12.2025 06:10 1 articles · 6mo ago

    Cisco SSL VPN endpoints hit by brute-force attempts

    Campaign Scope Update

    Cisco SSL VPN endpoints saw a similar spike in opportunistic brute-force login attempts on 1,273 source IP addresses, with GreyNoise assessing the activity as large-scale scripted credential probing rather than vulnerability exploitation.

    Show sources
  2. 18.12.2025 06:10 2 articles · 6mo ago

    GreyNoise discloses multi-platform VPN credential-probing campaign

    Initial Disclosure

    GreyNoise disclosed a coordinated, automated credential-based campaign aimed at enterprise VPN authentication infrastructure, specifically probing exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals, and said consistent infrastructure usage and timing indicated a single campaign pivoting across multiple VPN platforms.

    Show sources