
Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
Happening score: 49
1 unique source, 1 article

Summary


A coordinated credential-based campaign is now probing Cisco SSL VPN and Palo Alto Networks GlobalProtect portals at scale, raising the risk of unauthorized access attempts across enterprise VPN infrastructure. The activity used common username and password combinations and was observed on December 11-12, 2025. More than 10,000 unique IPs were involved against GlobalProtect, while 1,273 IP addresses hit Cisco SSL VPN endpoints. The consistent timing and infrastructure suggest a single campaign pivoting across multiple VPN platforms.

Related Happenings

First VPN Service as criminal VPN infrastructure for ransomware and fraud operators

Threat Actor Meta
First: 22.05.2026 20:35 Last: 22.05.2026 20:35 Sources 1

About this happening: **First VPN Service** functioned as a criminal VPN layer that let ransomware, fraud, and data theft operators hide their identities, expanding the reach and resilience of undergro...

NCSC-UK joint advisory on covert botnets and proxy networks

Public Sector Action
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...

Storm-2561 fake enterprise VPN Hyrax infostealer activity

Malware Activity
First: 13.03.2026 15:23 Last: 13.03.2026 15:23 Sources 1

About this happening: A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...

Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign

Campaign
First: 06.12.2025 17:18 Last: 06.12.2025 17:18 Sources 1

About this happening: A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...

Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
First: 20.11.2025 19:08 Last: 20.11.2025 19:08 Sources 1

About this happening: A coordinated **malicious scanning campaign** against **Palo Alto Networks GlobalProtect** VPN login portals surged **40x** in 24 hours, pushing activity to a **90-day high**. Gre...

Timeline

  1. 18.12.2025 06:10 1 article · 5mo ago

    Cisco SSL VPN endpoints hit by brute-force attempts

    Campaign Scope Update

    Cisco SSL VPN endpoints saw a similar spike in opportunistic brute-force login attempts from 1,273 source IP addresses, with GreyNoise assessing the activity as large-scale scripted credential probing rather than vulnerability exploitation.

  2. 18.12.2025 06:10 2 articles · 5mo ago

    GreyNoise discloses multi-platform VPN credential-probing campaign

    Initial Disclosure

    GreyNoise disclosed a coordinated, automated credential-based campaign aimed at enterprise VPN authentication infrastructure, specifically probing exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals, and said consistent infrastructure usage and timing indicated a single campaign pivoting across multiple VPN platforms.
