The blog discusses a recent cybersecurity incident in which multiple GlobalProtect portals, including those in the United States, Pakistan, and Mexico, were targeted by scripted credential probes originating from a German hosting provider. The attackers used common usernames and passwords and mimicked a Firefox user agent string, indicating a systematic approach to identifying vulnerable GlobalProtect portals.
Following the GlobalProtect attack, the same threat actors shifted their focus to Cisco’s SSL VPN endpoints, launching a surge of brute-force login attempts from a larger pool of attacking IPs. Unlike the targeted GlobalProtect activity, the Cisco attacks were more widespread, suggesting a broad probing strategy rather than a specific list of endpoints. Nevertheless, the attackers continued their automated credential-based authentication attempts.
The researchers noted that the consistent user agent, request structure, and timing of the attacks indicate a deliberate effort to identify exposed or weakly protected portals, rather than random scanning or vulnerability exploitation. This series of events underscores the importance of robust cybersecurity measures to defend against such automated attacks targeting VPN gateways.
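The traits the researchers cite (one user agent, many common usernames, regular timing) can be turned into a per-source check over portal authentication logs. This is an added example, not code from the blog or the researchers; the pipe-delimited log format, the sample events, the function name and the thresholds are all assumptions made for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not data from the incident).
# Assumed format: timestamp|source IP|username|result|user agent
FF = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CH = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"
SAMPLE_LOG = f"""\
2025-01-01T10:00:00|198.51.100.7|admin|FAIL|{FF}
2025-01-01T10:00:05|198.51.100.7|test|FAIL|{FF}
2025-01-01T10:00:10|198.51.100.7|guest|FAIL|{FF}
2025-01-01T10:00:15|198.51.100.7|vpn|FAIL|{FF}
2025-01-01T10:00:20|198.51.100.7|user|FAIL|{FF}
2025-01-01T10:01:02|203.0.113.20|alice|FAIL|{CH}
2025-01-01T10:01:40|203.0.113.20|alice|FAIL|{CH}
2025-01-01T10:03:11|203.0.113.20|alice|OK|{CH}
"""

def find_scripted_probes(log, min_users=4, max_jitter_s=2.0):
    """Return {source_ip: summary} for sources whose failed logins look scripted."""
    failures = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, user, result, agent = line.split("|", 4)
        if result == "FAIL":
            failures[ip].append((datetime.fromisoformat(ts), user, agent))
    flagged = {}
    for ip, events in failures.items():
        events.sort()  # chronological order
        users = {user for _, user, _ in events}
        agents = {agent for _, _, agent in events}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # Scripted pattern: many distinct usernames, a single user agent,
        # and near-constant spacing between attempts.
        if (len(users) >= min_users and len(agents) == 1 and gaps
                and statistics.pstdev(gaps) <= max_jitter_s):
            flagged[ip] = {
                "attempts": len(events),
                "usernames": sorted(users),
                "median_gap_s": statistics.median(gaps),
                "user_agent": next(iter(agents)),  # pivot value for other sources
            }
    return flagged

if __name__ == "__main__":
    for ip, summary in find_scripted_probes(SAMPLE_LOG).items():
        print(ip, summary)
```

The user with two mistyped passwords before a successful login is not flagged, because the failures involve one username and irregular spacing.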