Security firm traced attacks on three vendors to the same infrastructure.
GreyNoise discovered that exploitation campaigns targeting Cisco, Palo Alto Networks, and Fortinet devices originate from IP addresses on the same subnets, suggesting coordination by the same threat actors. The firm detected a 500% spike in scanning activity against Palo Alto GlobalProtect portals over two days, eventually tracking over 1.3 million login attempts from roughly 2,200 unique IPs. The campaigns share TCP fingerprints, use overlapping infrastructure, and show elevated activity at similar times, leading GreyNoise to assess with high confidence that the same attackers are behind all three efforts.