Major Firewall Vendors Hit in Coordinated Cyberattack

Summary

– GreyNoise discovered three exploitation campaigns targeting Cisco, Palo Alto Networks, and Fortinet devices originating from IPs on the same subnets.
– The campaigns include attacks on Cisco ASA devices using zero-day vulnerabilities linked to the ArcaneDoor espionage campaign attributed to China-based hackers.
– Scanning activity for Palo Alto Networks GlobalProtect login portals surged by 500% over two days, involving over 1.3 million unique login attempts.
– GreyNoise warns that spikes in firewall and VPN scanning often precede vulnerability disclosures within six weeks, recommending defensive hardening.
– The three campaigns share TCP fingerprints, subnets, and timing, indicating they are likely driven by the same threat actor(s).

A significant and coordinated cyberattack is currently targeting the network security infrastructure of three major technology firms. Threat intelligence researchers at GreyNoise have identified that three separate exploitation campaigns aimed at Cisco and Palo Alto Networks firewalls, alongside Fortinet VPNs, are all originating from IP addresses located on identical subnets. This discovery strongly suggests a unified threat actor is behind these widespread attacks.

The activity began in early September when GreyNoise first detected scanning attempts directed at Cisco ASA devices. This occurred approximately three weeks before Cisco publicly announced two zero-day vulnerabilities. These security flaws, identified as CVE-2025-20333 and CVE-2025-20362, were actively exploited in the ArcaneDoor espionage campaign, an operation cybersecurity experts have linked to hackers based in China.

Shortly after, GreyNoise observed a dramatic surge in scanning focused on Palo Alto Networks GlobalProtect login portals. The firm reported a 500% increase in scanning activity over just 48 hours, with the initial wave coming from about 1,300 unique IP addresses. That number quickly ballooned to 2,200 as more malicious actors appeared to join the effort. In the past week alone, researchers documented over 1.3 million unique login attempts targeting these Palo Alto Networks firewalls and have since released a list of the specific credentials used in the campaign.

The connection between these events became clear last Thursday. GreyNoise confirmed that the scanning campaigns for both Cisco and Palo Alto Networks firewalls not only come from the same subnets but are also directly linked to brute-force attacks targeting Fortinet VPNs. The company issued a stark warning based on historical patterns, noting that spikes in Fortinet VPN brute-force attempts are often a precursor to the disclosure of new vulnerabilities within six weeks. They strongly recommend blocking all IPs involved in these SSL VPN attacks and immediately hardening defenses for all firewall and VPN appliances.

This pattern holds significant weight. GreyNoise analysts state that roughly 80% of similar activity spikes targeting major firewall and VPN products serve as an early warning system, typically indicating that new vulnerabilities in those products will be publicly disclosed in the following month and a half. The technical evidence linking the three campaigns is substantial; they share TCP fingerprints, leverage the same subnets, and show coordinated peaks in activity at similar times. This has led GreyNoise to assess with high confidence that the campaigns are at least partially driven by the same threat actor or group. A list of credentials used specifically in the Fortinet campaign has also been published by the firm.
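As an added example (not GreyNoise's tooling or code from the Security Week article), the following Python shows two of the checks the article's evidence rests on: grouping login-scan events by /24 source subnet to find ranges that hit more than one vendor's product, and measuring a 48-hour surge in unique source IPs against the preceding 48 hours. All events, timestamps and addresses are constructed (documentation IP ranges), and the product labels are assumed names; TCP fingerprint matching is not modelled.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real indicators: (ISO timestamp, source IP, product family).
SAMPLE_EVENTS = (
    # early September: Cisco ASA probing from 203.0.113.0/24 (documentation range)
    [(f"2025-09-{d:02d}T10:00:00", f"203.0.113.{10 + d}", "cisco_asa") for d in range(1, 4)]
    # two quiet days of GlobalProtect attempts from another range, then a burst from the same /24
    + [("2025-09-23T09:00:00", "198.51.100.7", "paloalto_globalprotect"),
       ("2025-09-24T09:00:00", "198.51.100.8", "paloalto_globalprotect")]
    + [(f"2025-09-25T{h:02d}:00:00", f"203.0.113.{100 + h}", "paloalto_globalprotect") for h in range(12)]
    # Fortinet SSL VPN brute force, again from 203.0.113.0/24
    + [("2025-09-26T12:00:00", "203.0.113.200", "fortinet_sslvpn")]
)

def subnet_of(ip: str, prefix: int = 24) -> str:
    """Collapse a source address to its enclosing /prefix network."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def shared_subnets(events, prefix: int = 24, min_products: int = 2) -> dict:
    """Subnets seen against at least min_products product families, with the families they hit."""
    seen = defaultdict(set)
    for _, ip, product in events:
        seen[subnet_of(ip, prefix)].add(product)
    return {net: sorted(p) for net, p in seen.items() if len(p) >= min_products}

def unique_ip_surge(events, product: str, end: str, window_hours: int = 48) -> float:
    """Percent change in unique source IPs for `product` between the window ending at `end`
    and the equally long window before it; infinite when the prior window is empty."""
    end_dt = datetime.fromisoformat(end)
    width = timedelta(hours=window_hours)
    recent, prior = set(), set()
    for ts, ip, prod in events:
        if prod != product:
            continue
        t = datetime.fromisoformat(ts)
        if end_dt - width <= t < end_dt:
            recent.add(ip)
        elif end_dt - 2 * width <= t < end_dt - width:
            prior.add(ip)
    if not prior:
        return float("inf") if recent else 0.0
    return (len(recent) - len(prior)) / len(prior) * 100
```

On the constructed data, `shared_subnets` flags 203.0.113.0/24 as hitting all three product families and `unique_ip_surge` reports a 500% rise in unique GlobalProtect sources, the kind of cross-vendor overlap and spike the article describes.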

(Source: Security Week)
