Cyber Comedy: Hackers Can’t Keep Their Hands Off GlobalProtect and SonicWall!
Hackers are pulling a two-step waltz on GlobalProtect portals and SonicWall APIs. Since December 2, over 7,000 IPs have been tangoing through Palo Alto GlobalProtect logins and SonicWall API scans. With identical fingerprints, it’s like they’re wearing the same hacker cologne. Looks like someone’s been busy this holiday season!
Hot Take:
Looks like the cyber bad guys are getting their holiday shopping done early by targeting GlobalProtect portals and SonicWall APIs. Maybe someone should tell them ’tis the season for giving, not taking! With over 7,000 IPs involved, it seems like everyone and their grandma got an invite to this hacking party. If only they put this much effort into something productive, like, I don’t know, inventing a calorie-free cookie?
Key Points:
- Attackers target GlobalProtect portals and scan SonicWall APIs starting December 2, 2025.
- Over 7,000 IPs, all linked to German hosting provider 3xK GmbH, are involved in the attack.
- Identical client fingerprints from previous campaigns suggest consistent tooling.
- GreyNoise provides templates for automatic blocking of malicious IPs for Palo Alto and SonicWall activity.
- Defenders are advised to monitor for abnormal login activity and apply dynamic blocking.