Coordinated Campaign Targets Cisco, Palo Alto, And Fortinet Networking Devices

Published on Oct 15, 2025
Written by Mirren McDade

Researchers at GreyNoise have identified what they assess with “high confidence” as a coordinated campaign targeting networking equipment from Cisco, Palo Alto Networks, and Fortinet. 

The activity included scanning Cisco ASA devices, attempting elevated logins on Palo Alto Networks portals, and launching brute-force attacks against Fortinet SSL VPNs.

They became aware of a 500% spike in scanning activity over a two-day period, originating from around 1,300 IPs, which surged to 2,200 IPs within days, likely due to increased engagement from additional threat actors.

GreyNoise determined the attacks were linked based on recurring TCP fingerprints, shared infrastructure (i.e. recurring subnets used in each campaign), and activity spikes occurring at similar times.
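As an added illustration (not GreyNoise's code or methodology), the sketch below shows how a defender could apply two of those linking signals, shared subnets and similar timing, to their own perimeter logs. The event fields, product labels, /24 grouping, and six-hour window are assumptions, the sample events are constructed from documentation address ranges, and TCP fingerprint matching is left out.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (source IP, targeted product, UTC timestamp).
# Addresses are RFC 5737 documentation ranges, not real indicators.
EVENTS = [
    ("192.0.2.10", "cisco-asa", "2025-10-01T08:05:00"),
    ("192.0.2.77", "paloalto-portal", "2025-10-01T08:40:00"),
    ("192.0.2.130", "fortinet-sslvpn", "2025-10-01T09:10:00"),
    ("198.51.100.4", "cisco-asa", "2025-10-01T08:15:00"),
    ("198.51.100.9", "cisco-asa", "2025-10-03T17:00:00"),
    ("203.0.113.20", "paloalto-portal", "2025-10-01T08:20:00"),
    ("203.0.113.21", "fortinet-sslvpn", "2025-10-04T23:30:00"),
]


def shared_subnets(events, prefix=24, window_hours=6, min_targets=2):
    """Map each subnet to the products it hit, keeping only subnets whose
    hosts probed at least `min_targets` different products in one window."""
    buckets = defaultdict(set)  # (subnet, window index) -> products seen
    for ip, target, ts in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        # Fixed windows aligned to the epoch; activity that straddles a
        # boundary is split, so a sliding window would catch more.
        window = int(when.timestamp() // (window_hours * 3600))
        buckets[(str(net), window)].add(target)

    flagged = defaultdict(set)
    for (net, _window), targets in buckets.items():
        if len(targets) >= min_targets:
            flagged[net] |= targets
    return {net: sorted(targets) for net, targets in flagged.items()}


if __name__ == "__main__":
    for net, targets in shared_subnets(EVENTS).items():
        print(f"{net} probed multiple products in one window: {targets}")
```

In the sample data, only the subnet that touches all three products within the same window is reported; a subnet that hits one product repeatedly, or two products days apart, is not.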

“All these attacks originate from shared subnets and target different vendors, suggesting not just a high degree of coordination, but potentially shared infrastructure,” said MacKenzie Brown, vice president, Adversary Pursuit Group at Blackpoint Cyber. “Adversaries are also leveraging generative AI to automate these attacks and adopt nation-state style tactics, and this cross-vendor campaign is a perfect example of a single set of resources to hit multiple targets.”

Brown emphasized that networking devices and VPNs are high-value targets because they provide immediate access to internal systems and often bypass security controls. She noted that attackers are not only after sensitive data, but also seek operational disruption in sectors such as manufacturing, industry, and utilities to accelerate returns.

During the past week, GreyNoise published a list of all unique usernames and passwords from the Palo Alto login attempts that they observed. They also produced an Executive Situation Report (SITREP) for decision makers to learn about the situation.

According to SecurityWeek, GreyNoise explained that: “Spikes in Fortinet VPN brute force attempts are typically followed by Fortinet VPN vulnerabilities disclosures within six weeks. Block all IPs brute forcing Fortinet SSL VPNs, and consider hardening defences for firewall and VPN appliances amid these findings.”

The Big Picture

GreyNoise reports that the recent spike in Palo Alto scanning activity mirrors patterns seen in Cisco ASA scanning within the past two days. 

In both cases, the scans showed similar regional clustering and overlapping fingerprints in the tools being used. Traffic targeting Cisco ASA and Palo Alto portals shared a core TCP fingerprint traced to Netherlands-hosted infrastructure. GreyNoise previously observed a similar ASA scanning surge shortly before Cisco disclosed two zero-day vulnerabilities.

The overlap suggests the campaigns could be connected through common tooling or coordinated infrastructure, though GreyNoise has not confirmed whether the same threat actors or objectives are involved.

This campaign signals a shift from opportunistic scanning to highly coordinated, cross-vendor attacks on critical network infrastructure. By focusing on firewalls and VPNs, attackers can gain privileged access and reside in enterprise networks, highlighting the need for timely patching, vigilant monitoring, and proactive defenses across all devices at the network perimeter.