When Attackers Switch Targets: Palo Alto GlobalProtect in the Spotlight
It’s not every day you see Palo Alto Networks in the headlines for brute‑force VPN login attempts. Usually, the spotlight shines on Fortinet or SonicWall when attackers go credential hunting. So when I saw Palo Alto GlobalProtect portals being targeted, I had to look twice.
For context, GlobalProtect is the VPN and remote access component of Palo Alto Networks’ firewall platform. It’s the gateway that allows employees to connect securely from outside the office. And now, it’s the latest focus of attackers who seem to have taken a break from their usual Fortinet and SonicWall campaigns.
The Shift in Attacker Behavior
What makes this story particularly interesting is the overlap with previous activity. The same group behind scanning SonicWall SonicOS has now been observed hammering Palo Alto GlobalProtect portals. Instead of exploiting vulnerabilities, they’re going after credentials—launching brute‑force login attempts and credential stuffing attacks to gain access.
Palo Alto Networks confirmed that this wave of activity represents credential‑based attacks, not an exploit of a software vulnerability. Translation: attackers aren’t breaking down the firewall with a zero‑day, they’re trying to guess the keys to the front door.
This shift highlights a recurring theme in cybersecurity: attackers don’t always need sophisticated exploits when weak or reused passwords are still in play.
Why This Matters
Credential‑based attacks are deceptively simple but incredibly effective. If attackers can brute‑force or reuse stolen credentials, they bypass the need for technical exploits entirely. That’s why VPN portals are such attractive targets—they’re exposed to the internet, they’re critical for remote access, and they often represent a single point of failure.
The fact that attackers are rotating between Fortinet, SonicWall, and now Palo Alto GlobalProtect shows that they’re opportunistic. They’ll chase whichever target offers the best chance of success. And if organizations aren’t enforcing strong authentication, attackers don’t need to be geniuses—they just need persistence.
Recommended Defenses
So what can organizations do to stay ahead of this wave? Palo Alto recommends several key steps:
Monitor and block suspicious IPs: Keep an eye on login attempts and block IPs associated with brute‑force activity.
Enforce Multi‑Factor Authentication (MFA): This is the single most effective way to stop credential abuse. Even if attackers guess the password, they won’t get past MFA.
Stay current on PAN‑OS updates: Always run the latest version of your firewall software to ensure you’re protected against known issues.
Audit your VPN exposure: Make sure your GlobalProtect portal isn’t the weakest link in your security chain.
These recommendations may sound familiar, but they’re worth repeating. Attackers thrive on organizations that skip the basics.
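To make the "monitor and block suspicious IPs" step concrete, here is an added example (not code from Palo Alto or from this post) that flags source IPs by failed-login pattern and lists any successful login that follows a flag. The four-column CSV layout, the thresholds and the function names are assumptions; real GlobalProtect log exports would need to be mapped into these fields first.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (time, source IP, username, result); not a real PAN-OS log format.
SAMPLE_LOG = """\
2025-01-01T10:00:00,203.0.113.10,alice,failure
2025-01-01T10:00:10,203.0.113.10,alice,failure
2025-01-01T10:00:20,203.0.113.10,alice,failure
2025-01-01T10:00:30,203.0.113.10,alice,failure
2025-01-01T10:00:40,203.0.113.10,alice,failure
2025-01-01T10:01:00,198.51.100.7,bob,failure
2025-01-01T10:01:05,198.51.100.7,carol,failure
2025-01-01T10:01:10,198.51.100.7,dave,failure
2025-01-01T10:01:15,198.51.100.7,erin,success
2025-01-01T10:02:00,192.0.2.44,frank,failure
2025-01-01T10:02:30,192.0.2.44,frank,success
"""

WINDOW = timedelta(minutes=5)
MAX_FAILURES = 5   # failed logins from one IP inside WINDOW (assumed threshold)
MAX_USERS = 3      # distinct usernames failed from one IP inside WINDOW (assumed)

def parse(text):
    """Yield (timestamp, ip, user, result) tuples from the CSV text."""
    for ts, ip, user, result in csv.reader(io.StringIO(text)):
        yield datetime.fromisoformat(ts), ip, user, result

def analyze(events):
    """Return ({ip: label}, [(ip, user)]): flagged IPs and successes that followed a flag."""
    recent, flagged, review = defaultdict(deque), {}, []
    for ts, ip, user, result in sorted(events):
        if result == "success":
            if ip in flagged:  # a guess may have worked: this account needs review
                review.append((ip, user))
            continue
        window = recent[ip]
        window.append((ts, user))
        while window[0][0] < ts - WINDOW:  # drop failures older than WINDOW
            window.popleft()
        if len({u for _, u in window}) >= MAX_USERS:
            flagged[ip] = "credential-stuffing"  # many accounts from one source
        elif len(window) >= MAX_FAILURES:
            flagged.setdefault(ip, "brute-force")  # one account hammered repeatedly
    return flagged, review

if __name__ == "__main__":
    print(analyze(parse(SAMPLE_LOG)))
```

The single mistyped password from 192.0.2.44 stays below both thresholds and is not flagged, while the success for erin from an already flagged address is the event that should trigger a password reset and session review.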
The Bigger Picture
This campaign is a reminder that credential‑based attacks are not going away. They’re cheap, scalable, and effective. Attackers don’t need to burn a zero‑day when they can simply hammer login portals until something gives.
It also underscores the importance of visibility. If you’re not monitoring for unusual login activity, you’re flying blind. And if you’re not enforcing MFA, you’re leaving the door wide open.
The headlines may have shifted from Fortinet and SonicWall to Palo Alto, but the playbook remains the same. Attackers are betting that someone, somewhere, hasn’t locked down their VPN.
Final Thoughts
I couldn’t help but laugh at the irony—Palo Alto taking a turn in the spotlight while Fortinet and SonicWall catch a breather. But the humor fades quickly when you realize how many organizations still rely on VPN portals without MFA.
Credential‑based attacks may not be flashy, but they’re relentless. And unless organizations take proactive steps, attackers will keep winning the credential lottery.
So whether you’re running Fortinet, SonicWall, or Palo Alto GlobalProtect, the message is clear: enforce MFA, monitor aggressively, and keep your firewall software up to date.
At Actionable Security, we help small businesses and organizations cut through the noise and focus on what matters most: risk reduction. Our Cybersecurity Risk Assessment dives deep into your firewall configuration, ensuring your VPN and remote access portals are hardened against credential abuse. Learn more at actionablesec.com and take the first step toward staying protected.