The focused portals had been geographically distributed, primarily in the USA, Pakistan, and Mexico, with the visitors virtually solely originating from IP area linked to a single German internet hosting supplier, 3xk GmbH. The login makes an attempt adopted a extremely uniform sample, reusing widespread usernames and passwords and even adopting a browser-like Firefox person agent string.
This can be a telltale signal of scripted credential probes reasonably than opportunistic scanning, the researchers famous.
“This consistency of the person agent, request construction, and timing suggests scripted credential probing designed to establish uncovered or weakly protected GlobalProtect portals, reasonably than interactive entry makes an attempt or vulnerability exploitation,” they mentioned.
