GreyNoise Links Coordinated Firewall Scans to Potential Multi-Vendor Attack Campaign
- Cyber Jill
- 4 hours ago
GreyNoise researchers have uncovered a possible coordinated offensive targeting three major enterprise firewall vendors (Cisco, Palo Alto Networks, and Fortinet), one of the most synchronized cross-vendor reconnaissance campaigns seen in months. The firm's telemetry shows sharp increases in scanning and brute-force attempts against all three product lines, suggesting that one or more threat groups are systematically probing the perimeter defenses of organizations worldwide.
A Triad of Attacks
The campaign began with a surge in Cisco ASA scanning, followed closely by waves of login attempts against Palo Alto GlobalProtect portals, and culminated this week in a spike of brute-force activity against Fortinet SSL VPNs. GreyNoise says these patterns are not coincidental.
The company's analysis identified shared TCP fingerprints (the same TCP/IP stack characteristics across the scanning hosts), overlapping source subnets, and temporal alignment between the three waves. Together these are strong indicators that the same actors, or at least a coordinated cluster, are behind the activity. GreyNoise traced recurring use of infrastructure within AS200373 (3xK Tech GmbH) and AS11878 (tzulo, Inc.), both of which have been tied to previous scanning activity.
Attack Evolution: From Stealth to Noise
What makes this campaign stand out is the brazen nature of its execution. Attackers appear to be prioritizing volume and speed over stealth, rapidly cycling through large credential datasets. According to GreyNoise data, over 2,200 unique IPs were observed scanning Palo Alto GlobalProtect login portals by October 7, nearly 500% above GreyNoise's baseline for that activity.
Lydia Zhang, President and Co-Founder of Ridge Security Technology, notes that direct attacks on firewalls are atypical:
“Directly attacking firewalls (FWs) is rare. Firewalls are the keys to the kingdom, and they are usually heavily guarded,” Zhang said. “What’s interesting here is the shift from stealthy tactics to noisy, direct attacks. This suggests the attackers may not be concerned about being caught—or perhaps their goal isn’t data theft but rather disruption and damage, such as taking down the site.”
Historical Correlation With Zero-Days
GreyNoise’s research earlier this year revealed a striking pattern: spikes in Fortinet VPN brute-forcing are frequently followed by vulnerability disclosures within six weeks. A similar temporal relationship was observed before Cisco’s recent ASA zero-day announcements. Whether this new wave of scanning is another precursor to yet-undisclosed flaws remains to be seen, but researchers are watching closely.
Broader Actor Involvement
The range of autonomous systems (identified by their ASNs) involved has also expanded significantly, indicating that the campaign may be growing beyond its original operators. Roughly 12% of all IPs within AS11878 are now associated with Palo Alto scanning activity, a sign that multiple clusters may be operating simultaneously or renting access to shared infrastructure.
Defender Impact and Response
For defenders, the takeaway is clear: these are not random port scans. The clustering, structure, and timing of the activity point to reconnaissance designed to prepare for potential exploitation. GreyNoise recommends that organizations:
- Block IPs tagged in GreyNoise's ASA Scanner, Fortinet VPN Bruteforcer, and Palo Scanner lists. The actors rotate infrastructure, so treat these lists as a feed to refresh rather than a one-time block.
- Harden firewall and VPN authentication, especially on internet-facing remote-access portals (Cisco ASA, Palo Alto GlobalProtect, Fortinet SSL VPN): multi-factor authentication, lockout or rate limiting on repeated failures, and no default, shared, or unused accounts.
- Monitor for follow-on exploitation attempts, particularly on Fortinet, Cisco, or Palo Alto perimeter appliances, since the scanning may be a precursor to attempts against known or not-yet-disclosed flaws.
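The correlation GreyNoise describes (overlapping source subnets, temporal alignment, and a spike over baseline) and the monitoring recommendation above can both be reduced to a small piece of detection logic that a SOC can run over its own appliance logs. The following is an added example written for this article; it is not GreyNoise's code nor any vendor's. The log line formats, hostnames (`asa-edge`, `pan-gw`, `fgt-edge`), source addresses (RFC 5737 test ranges), and the per-vendor baselines are all constructed and simplified for illustration, and the `/24` grouping and 7-day window are assumptions to tune against real data:

```python
# Added example, not GreyNoise's or any vendor's code: correlate failed
# remote-access logins from three perimeter appliances, flag hourly spikes
# over a baseline, and find /24 source subnets that hit more than one vendor
# within a time window. Log formats, hostnames, IPs and baselines are all
# constructed and simplified for illustration (RFC 5737 test addresses).
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per appliance type (constructed, simplified line formats).
PATTERNS = {
    "cisco_asa": re.compile(
        r"^(?P<ts>\S+) asa-edge %ASA-6-113005: .* user IP = (?P<ip>[\d.]+)$"),
    "paloalto_gp": re.compile(
        r"^(?P<ts>\S+) pan-gw globalprotect auth-fail .*src=(?P<ip>[\d.]+)$"),
    "fortinet_sslvpn": re.compile(
        r"^(?P<ts>\S+) fgt-edge sslvpn login-fail .*remip=(?P<ip>[\d.]+)$"),
}

def parse(lines):
    """Normalise matching lines to (timestamp, vendor, source_ip) tuples."""
    events = []
    for line in lines:
        for vendor, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                events.append((datetime.fromisoformat(m["ts"]), vendor, m["ip"]))
                break
    return events

def hourly_spikes(events, baseline, min_ratio=5.0):
    """Unique sources per vendor per hour divided by that vendor's baseline.
    Returns {(vendor, hour): ratio} for hours at or above min_ratio
    (5.0 means 400% over baseline; the article's Palo Alto figure was ~500%)."""
    per_hour = defaultdict(set)
    for ts, vendor, ip in events:
        per_hour[(vendor, ts.replace(minute=0, second=0, microsecond=0))].add(ip)
    ratios = {k: len(ips) / baseline[k[0]] for k, ips in per_hour.items()}
    return {k: r for k, r in ratios.items() if r >= min_ratio}

def cross_vendor_subnets(events, window_days=7):
    """Overlapping subnets + temporal alignment: /24s whose sources hit two or
    more vendors within `window_days` of each other. Returns {subnet: [vendors]}."""
    window = timedelta(days=window_days)
    seen = defaultdict(list)
    for ts, vendor, ip in events:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        seen[str(net)].append((ts, vendor))
    hits = {}
    for net, obs in seen.items():
        obs.sort()
        for i, (t0, _) in enumerate(obs):
            vendors = {v for t, v in obs[i:] if t - t0 <= window}
            if len(vendors) >= 2:
                hits[net] = sorted(vendors)
                break
    return hits

def constructed_logs():
    """Constructed sample: a quiet ASA day, then a GlobalProtect spike, then
    Fortinet brute-forcing, with one /24 recurring across all three."""
    lines = []
    for i in range(3):   # 3 ASA rejects from 198.51.100.0/24 (no spike)
        lines.append(f"2025-10-01T09:{i:02d}:00 asa-edge %ASA-6-113005: AAA user "
                     f"authentication Rejected : user = admin : user IP = 198.51.100.{10 + i}")
    for i in range(12):  # 12 distinct GlobalProtect sources in one hour
        ip = f"198.51.100.{50 + i}" if i < 4 else f"203.0.113.{i}"
        lines.append(f"2025-10-03T14:{i:02d}:10 pan-gw globalprotect auth-fail user=test src={ip}")
    for i in range(10):  # 10 distinct Fortinet sources in one hour
        ip = f"198.51.100.{100 + i}" if i < 2 else f"192.0.2.{i}"
        lines.append(f"2025-10-07T02:{i:02d}:30 fgt-edge sslvpn login-fail user=admin remip={ip}")
    lines.append("2025-10-07T02:15:00 fgt-edge some unrelated message")  # ignored
    return lines

def analyze(lines, baseline):
    """Run both checks; the cross_vendor result is the candidate block/alert list."""
    events = parse(lines)
    return {"events": len(events),
            "spikes": hourly_spikes(events, baseline),
            "cross_vendor": cross_vendor_subnets(events)}

if __name__ == "__main__":
    BASELINE = {"cisco_asa": 2, "paloalto_gp": 2, "fortinet_sslvpn": 2}  # constructed
    for key, value in analyze(constructed_logs(), BASELINE).items():
        print(key, value)
```

On the constructed sample this flags the GlobalProtect and Fortinet hours as spikes (6x and 5x baseline) and reports `198.51.100.0/24` as the one subnet seen against all three vendors, while the single-vendor subnets are not reported. The same subnet check with a one-day window returns nothing, which is the point of the temporal-alignment parameter: how wide a window you accept is a judgement about how long one campaign's infrastructure stays in use, and should be set from your own data rather than taken from this example.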
The company has released a Situational Report (SITREP) for decision-makers and a full list of usernames and passwords used in the Fortinet brute-force attempts, available to subscribers.
As Zhang puts it, the industry is seeing a shift from quiet reconnaissance to “noisy testing of the walls.” Whether that noise is a distraction—or a prelude to something larger—will determine the next phase in this multi-vendor threat campaign.