A coordinated hacking campaign has launched widespread brute-force login attempts against GlobalProtect VPN portals from Palo Alto Networks, followed by a second wave of scanning that targeted SonicOS API endpoints used by SonicWall firewalls. The activity began December 2, 2025, and has been traced to over 7,000 IP addresses belonging to German hosting provider 3xK GmbH. Security researchers say the attacks reused fingerprints and infrastructure seen in previous campaigns back in September–October, suggesting the same actor is responsible. While no evidence yet indicates a breach of GlobalProtect itself, the surge has renewed calls for organizations to enforce multi-factor authentication and dynamic blocking to protect exposed VPN and firewall interfaces.
Sources: Bleeping Computer, Security Affairs
Key Takeaways
– Attackers used over 7,000 IP addresses from 3xK GmbH to carry out a coordinated brute-force campaign against GlobalProtect VPN portals, then pivoted to scanning SonicWall SonicOS APIs — pointing to a broad reconnaissance effort rather than a simple script-run attack.
– The campaign relies on repeated “client fingerprints,” matching patterns from earlier September–October login waves, indicating the same threat actor is likely behind ongoing assaults across multiple network products.
– No patches or zero-day exploits were used — the attacks are credential-based, highlighting the importance of multi-factor authentication, rate limiting, dynamic blocking, and vigilant exposure of VPN/firewall interfaces.
In-Depth
On December 2, 2025, cybersecurity researchers monitoring internet-wide scanning activity noticed a sudden surge of login attempts aimed at GlobalProtect portals operated by Palo Alto Networks. Within just a few hours, more than 7,000 IP addresses tied to a German hosting provider (3xK GmbH) attempted to brute-force credentials — triggering red flags across multiple threat-intel communities. The login attempts weren’t random: the traffic re-used three specific “client fingerprint” signatures tied to earlier September–October campaigns, suggesting these weren’t opportunistic actors, but a persistent adversary actively probing corporate VPN front doors.
What began as brute-force login activity didn’t stop there. On December 3, the same infrastructure and fingerprints appeared in scans targeting SonicWall SonicOS API endpoints — the management interfaces used to configure and monitor firewall devices. This pivot suggests the attacker is casting a wide net, probing both VPNs and firewall/API surfaces for potential vulnerabilities or misconfigurations. It may indicate a broad reconnaissance campaign in preparation for future attacks — or, at minimum, an attempt to build a comprehensive inventory of exposed network assets.
Despite the volume and scope of the activity, the vendor (Palo Alto Networks) says there’s no indication GlobalProtect was exploited — the attempts appear credential-based, not exploiting any known software vulnerability. But that’s little comfort if credentials are weak, reused, or otherwise compromised. In fact, the danger here is not a sudden zero-day exploit but the slow grind of credential stuffing and brute-force attacks against systems often exposed to the public internet.
Given how prevalent GlobalProtect and SonicWall are in enterprise, government, and service-provider contexts, the stakes are high: a successful login could grant an attacker remote access to internal networks, bypassing many perimeter defenses. As remote work remains widespread, VPN portals and firewall management APIs continue to serve as high-value — and high-risk — entry points.
It’s expected that the same group behind the earlier login waves is operating again with updated infrastructure, which complicates blocking efforts based on static blacklists: once a hosting provider is blocked, attackers can simply switch ASNs or IP ranges, evading detection.
That’s why security experts are doubling down on defenses that don’t rely on static reputation lists. Instead, organizations are urged to adopt: multi-factor authentication, rate-limiting and lockouts for repeated failures, dynamic and context-aware blocking tied to anomalous fingerprints/traffic patterns, regular auditing of exposed authentication surfaces, and strict segmentation — keeping VPN and admin interfaces invisible or heavily restricted when possible.
In short: the new wave of attacks reminds us that the biggest vulnerability isn’t always unpatched code — sometimes it’s the human element (weak or reused credentials), combined with exposed attack surfaces, and adversaries willing to exploit both through relentless automation.