Dark Web News Analysis
A coordinated campaign is driving a new wave of attacks against Palo Alto GlobalProtect VPN portals and SonicWall SonicOS API endpoints. The activity, which began on December 2, 2025, originates from a massive botnet of over 7,000 IP addresses.
Brinztech Analysis:
- The Source (AS200373): All malicious traffic is routed through infrastructure operated by 3xK GmbH, a German hosting provider (AS200373). This network has frequently been linked to “bulletproof” hosting or proxy abuse.
- The Tactics (Pivot & Scan):
  - Phase 1 (Dec 2): The actor launched brute-force and credential-stuffing attacks against Palo Alto GlobalProtect login portals.
  - Phase 2 (Dec 3): The same actor pivoted to scanning SonicWall SonicOS API endpoints, likely looking for misconfigurations or vulnerabilities to exploit later.
- Attribution: Threat intelligence firm GreyNoise linked this activity to a single actor by identifying unique TCP/JA4t client fingerprints. These same fingerprints were seen in previous campaigns in September and October, indicating a persistent threat actor rotating their infrastructure.
Vendor Response: Palo Alto Networks has confirmed this is a credential-based attack (brute-force), not an exploit of a new software vulnerability (0-day). Their internal telemetry shows no successful compromises of the product itself, but user accounts with weak passwords are at risk.
Key Cybersecurity Insights
This campaign highlights a shift in how attackers are probing perimeter defenses:
- Credential Stuffing at Scale: The volume of traffic (millions of non-spoofable HTTP sessions) suggests the attackers are testing massive lists of stolen credentials. Without MFA, any account with a reused password is a guaranteed entry point.
- API Reconnaissance: The pivot to SonicWall API scanning is alarming. Attackers often scan APIs to map out version numbers and patch levels, preparing to launch exploits for known vulnerabilities (like the recent SonicWall SSLVPN flaws) against unpatched targets.
- Infrastructure Abuse: The use of 3xK GmbH shows how threat actors leverage “grey area” hosting providers to anonymize their attacks. Blocking known-bad ASNs is becoming as critical as blocking individual IPs.
Mitigation Strategies
Defenders should immediately update their perimeter security posture:
- Enforce MFA (Critical): Since this is a credential attack, Multi-Factor Authentication (MFA) is the primary defense. Ensure MFA is enforced for all GlobalProtect and SonicWall VPN users.
- Block High-Risk ASNs: If your organization has no business interest in the hosting provider 3xK GmbH (AS200373), block all inbound traffic from this ASN at your firewall.
- Monitor Authentication Velocity: Configure alerts for “abnormal login velocity” or repeated authentication failures from a single IP or subnet.
- Dynamic Blocking: Use context-aware blocking (like GreyNoise or similar feeds) to automatically block IPs exhibiting “internet scanner” behavior, rather than relying on static blocklists.
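As an added illustration of the login-velocity alerting recommended above (this is not code from the Brinztech post or from any vendor), the following sliding-window check flags a single IP that fails repeatedly and a /24 in which many distinct IPs fail once each, the pattern a large botnet produces. The log layout, field names and thresholds are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events in an assumed "timestamp src_ip user result"
# layout (illustrative only, not a vendor's log format): one IP hammering many
# accounts, then single failures spread across one /24, then a user typo.
SAMPLE_LOG = [f"2025-12-02T10:00:{i:02d} 203.0.113.10 user{i} FAIL" for i in range(6)]
SAMPLE_LOG += [f"2025-12-02T10:01:{i:02d} 203.0.113.{20 + i} user{i} FAIL" for i in range(10)]
SAMPLE_LOG += ["2025-12-02T10:05:00 198.51.100.7 alice FAIL",
               "2025-12-02T10:05:30 198.51.100.7 alice OK"]


def detect_velocity(lines, window=timedelta(seconds=60), ip_limit=5, subnet_limit=8):
    """Sliding-window failed-login velocity check (thresholds are assumed values).

    Raises one alert per source IP reaching ip_limit failures inside `window`,
    and one per /24 once subnet_limit distinct IPs in it have failed inside
    `window` (low-and-slow spraying that never trips the per-IP rule).
    """
    ip_hist = defaultdict(deque)   # ip  -> deque of (ts, ip) recent failures
    net_hist = defaultdict(deque)  # /24 -> deque of (ts, ip) recent failures
    alerted, alerts = set(), []
    for line in lines:
        ts_s, ip, _user, result = line.split()
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_s)
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        for hist, key in ((ip_hist, ip), (net_hist, net)):
            q = hist[key]
            q.append((ts, ip))
            while ts - q[0][0] > window:  # drop events that fell out of the window
                q.popleft()
        checks = (("ip", ip, len(ip_hist[ip]), ip_limit),
                  ("subnet", net, len({src for _, src in net_hist[net]}), subnet_limit))
        for kind, key, count, limit in checks:
            if count >= limit and key not in alerted:  # alert once per offender
                alerted.add(key)
                alerts.append({"type": kind, "key": key, "count": count, "time": ts_s})
    return alerts


if __name__ == "__main__":
    for alert in detect_velocity(SAMPLE_LOG):
        print(alert)
```

The per-/24 rule is what catches a distributed campaign where each of thousands of source IPs attempts only a handful of logins; the lone failure from 198.51.100.7 followed by a success raises nothing.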