Executive Summary
In early 2024, cybersecurity analysts observed a widespread campaign targeting Palo Alto Networks’ GlobalProtect VPN portals and SonicWall SonicOS API endpoints with aggressive login attempts and scanning activity. Threat actors used automated tools to conduct credential stuffing and exploit potential vulnerabilities in exposed VPN portals, aiming to gain unauthorized network access. While no specific breaches were confirmed, the campaign's scope affected numerous organizations globally relying on these remote access solutions, highlighting the heightened risk to large enterprises and managed service providers leveraging vulnerable or misconfigured VPN infrastructure.
This incident illustrates the surge in identity-driven and credential-based attacks against remote access technologies, especially while hybrid and remote workforces remain the norm. The speed and breadth of the targeting underscore the need for continuous VPN hardening, robust access governance, and threat monitoring so that similar intrusion attempts are stopped before they affect business continuity.
Why This Matters Now
This campaign signifies a critical escalation in credential-based attacks on enterprise VPN solutions at a time when remote connectivity is essential and threat actors are automating mass exploitation attempts. Immediate attention to VPN security hygiene, multi-factor authentication, and real-time monitoring is vital to defend against increasingly sophisticated and opportunistic attacks targeting remote access infrastructure.
Attack Path Analysis
The attack began with automated login attempts and scanning against exposed VPN and firewall portals, with the aim of obtaining access through credential attacks (stuffing, spraying or brute force). With a valid account in hand, attackers could escalate privileges by abusing administrative weaknesses or configuration flaws on the appliance, then move laterally to reach additional internal resources or pivot into connected cloud workloads. Command-and-control channels could then be established over permitted outbound protocols or encrypted tunnels for persistent access, and sensitive data exfiltrated over the same outbound connectivity or VPN tunnels. Impact could follow in the form of malicious configuration changes, further credential abuse, or disruption of business operations.
Kill Chain Progression
Initial Compromise
Description
Attackers targeted exposed Palo Alto GlobalProtect portals and SonicWall SonicOS endpoints with credential stuffing and scanning to gain unauthorized access.
Related CVEs
CVE-2024-3400
CVSS 10.0
A command injection vulnerability in the GlobalProtect feature of PAN-OS allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
Affected Products:
Palo Alto Networks PAN-OS 10.2, 11.0 and 11.1 with a GlobalProtect portal or gateway configured; first fixed in 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3 (hotfixes for earlier maintenance releases on those branches followed). PAN-OS 9.x and 10.1, Cloud NGFW, Panorama appliances and Prisma Access are not affected.
Exploit Status:
exploited in the wild
References:
https://www.hhs.gov/sites/default/files/palo-alto-networks-firewalls-sector-alert-tlpclear.pdf
https://www.aha.org/system/files/media/file/2024/04/h-isac-tlp-white-threat-bulletin-update-palo-alto-networks-has-released-security-updates-to-address-critical-vulnerability-cve-2024-3400-4-15-24.pdf
CVE-2024-53704
CVSS 9.8
An authentication bypass vulnerability in the SonicWall SonicOS SSLVPN authentication mechanism allows remote attackers to hijack active SSL VPN client sessions.
Affected Products:
SonicWall SonicOS – 7.1.x (7.1.1-7058 and older), 7.1.2-7019, 8.0.0-8035
Exploit Status:
exploited in the wild
References:
https://threatprotect.qualys.com/2025/02/19/cisa-added-sonicwall-sonicos-authentication-bypass-vulnerability-to-its-known-exploited-vulnerabilities-catalog-cve-2024-53704/
https://www.aha.org/system/files/media/file/2025/02/h-isac-tlp-white-threat-bulletin-sonicwall-sonicos-flaw-confirmed-to-be-exploited-in-the-wild-after-poc-release-2-19-2024.pdf
CVE-2024-40766
CVSS 9.3
An improper access control vulnerability in SonicWall SonicOS management access and SSLVPN could lead to unauthorized resource access and, in specific conditions, cause the firewall to crash.
Affected Products:
SonicWall SonicOS – Gen 5 (5.9.2.14-12o and older), Gen 6 (6.5.4.14-109n and older), Gen 7 (7.0.1-5035 and older)
Exploit Status:
exploited in the wild
References:
https://vulnera.com/newswire/critical-access-control-vulnerability-detected-in-sonicwalls-sonicos/
https://its.ny.gov/2024-097
MITRE ATT&CK® Techniques
- Brute Force (T1110)
- Valid Accounts (T1078)
- Exploit Public-Facing Application (T1190)
- External Remote Services (T1133)
- Account Discovery (T1087)
- Network Service Discovery (T1046, formerly named Network Service Scanning)
- Network Sniffing (T1040)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1 (all user access authenticated), 8.4.3 (MFA for all remote network access originating from outside the entity's network)
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management (Protection and Prevention)
Control ID: Art. 9
CISA ZTMM 2.0 – Identity Pillar (Authentication and Access Management)
Control ID: ZTMM has no numbered controls; the corresponding NIST CSF 1.1 subcategory is PR.AC-3 (remote access is managed)
NIS2 Directive – Incident Handling and Multi-Factor Authentication
Control ID: Art. 21(2)(b) and (j)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
VPN credential attacks targeting Palo Alto GlobalProtect threaten the encrypted remote-access path and the zero trust segmentation behind it, risking PCI DSS and NYDFS 500 compliance violations and exfiltration of customer and transaction data.
Health Care / Life Sciences
Healthcare organizations face critical exposure from credential attacks on VPN portals: a compromised VPN account undermines the protected channel for patient data in transit and the HIPAA Security Rule requirements for secure communications.
Government Administration
Government entities using GlobalProtect VPNs are vulnerable to credential-based lateral movement, threatening east-west traffic security and visibility controls across multicloud environments.
Information Technology/IT
The IT sector faces heightened risk from VPN portal attacks that undermine threat detection capabilities, egress security enforcement, and cloud firewall integrity across hybrid environments.
Sources
- New wave of VPN login attempts targets Palo Alto GlobalProtect portals: https://www.bleepingcomputer.com/news/security/new-wave-of-vpn-login-attempts-targets-palo-alto-globalprotect-portals/
- Palo Alto Networks Firewalls (CVE-2024-3400): https://www.hhs.gov/sites/default/files/palo-alto-networks-firewalls-sector-alert-tlpclear.pdf
- Update: Palo Alto Networks Has Released Security Updates to Address Critical Vulnerability CVE-2024-3400: https://www.aha.org/system/files/media/file/2024/04/h-isac-tlp-white-threat-bulletin-update-palo-alto-networks-has-released-security-updates-to-address-critical-vulnerability-cve-2024-3400-4-15-24.pdf
- CISA Added SonicWall SonicOS Authentication Bypass Vulnerability to its Known Exploited Vulnerabilities Catalog (CVE-2024-53704): https://threatprotect.qualys.com/2025/02/19/cisa-added-sonicwall-sonicos-authentication-bypass-vulnerability-to-its-known-exploited-vulnerabilities-catalog-cve-2024-53704/
- SonicWall SonicOS Flaw Confirmed to be Exploited In-the-Wild After PoC Release: https://www.aha.org/system/files/media/file/2025/02/h-isac-tlp-white-threat-bulletin-sonicwall-sonicos-flaw-confirmed-to-be-exploited-in-the-wild-after-poc-release-2-19-2024.pdf
- Critical Access Control Vulnerability Detected in SonicWall's SonicOS: https://vulnera.com/newswire/critical-access-control-vulnerability-detected-in-sonicwalls-sonicos/
- A Vulnerability in SonicWall SonicOS Management Access and SSLVPN Could Allow for Unauthorized Resource Access: https://its.ny.gov/2024-097
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network and workload segmentation, policy-driven egress controls, and real-time threat detection would have significantly limited the adversaries' ability to compromise, pivot, exfiltrate, or disrupt resources during this multi-stage credential attack. CNSF capabilities such as Zero Trust Segmentation, East-West Traffic Security, Egress Policy Enforcement and Real-Time Threat Detection map directly onto the observed TTPs.
Control: Zero Trust Segmentation
Mitigation: Reduces attack surface and blocks unauthorized access attempts at the perimeter.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detects suspicious activity and limits scope of privilege misuse.
Control: East-West Traffic Security
Mitigation: Limits or detects unauthorized internal network movement between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Detects and blocks unapproved outbound C2 channels.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents exfiltration over unencrypted or unauthorized encrypted pathways.
Control: Real-Time Threat Detection
Mitigation: Detects suspicious post-compromise activity for rapid response.
Impact at a Glance
Affected Business Functions
- Remote Access
- Network Security
- Data Protection
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data due to unauthorized access through compromised VPN and firewall systems.
Recommended Actions
Key Takeaways & Next Steps
- Apply Zero Trust Segmentation to restrict VPN portal and management interface access only to authorized identities and secure locations.
- Enforce east-west traffic inspection and microsegmentation to block lateral movement from compromised entry points.
- Tighten outbound egress controls and real-time encryption visibility to detect and block data exfiltration and command-and-control attempts.
- Deploy advanced anomaly detection and continuous monitoring to rapidly identify abnormal login, privilege escalation, and configuration changes.
- Regularly audit VPN/firewall configuration, credential hygiene, and leverage distributed, inline policy enforcement to minimize perimeter exposure.
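The recommendation to detect abnormal logins only helps if the detection logic distinguishes the patterns described in the Initial Compromise stage. The script below is an added example, not code from the original report or from any vendor product. It runs sliding-window detection over constructed, simplified portal and gateway authentication lines (the field names are assumed and are not the real PAN-OS GlobalProtect system-log schema; adapt the regex to your exporter) and flags four patterns: one source cycling through many usernames (credential stuffing or password spraying), one username attacked from many sources (distributed brute force, which per-IP lockout misses), one source hammering one account, and a success that follows a burst of failures (possible compromise, the finding to act on first).

```python
"""Sliding-window detection of credential attacks against a VPN portal.

Added example. The log format below is constructed and simplified
(timestamp, event type, source IP, user, result); it is not the real
PAN-OS GlobalProtect system-log schema. Adapt LINE_RE to your fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>portal-auth|gateway-auth) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample input: a stuffing burst from one IP, a distributed attack on
# "admin", a single-source brute force on "grace" ending in a success, one benign typo.
SAMPLE_LOG = """\
2025-03-28T02:14:05Z portal-auth src=203.0.113.10 user=alice result=failure
2025-03-28T02:14:06Z portal-auth src=203.0.113.10 user=bob result=failure
2025-03-28T02:14:07Z portal-auth src=203.0.113.10 user=carol result=failure
2025-03-28T02:14:08Z portal-auth src=203.0.113.10 user=dave result=failure
2025-03-28T02:14:09Z portal-auth src=203.0.113.10 user=erin result=failure
2025-03-28T02:14:10Z portal-auth src=203.0.113.10 user=frank result=failure
2025-03-28T02:20:00Z portal-auth src=198.51.100.7 user=admin result=failure
2025-03-28T02:20:01Z portal-auth src=198.51.100.8 user=admin result=failure
2025-03-28T02:20:02Z portal-auth src=198.51.100.9 user=admin result=failure
2025-03-28T02:20:03Z portal-auth src=198.51.100.10 user=admin result=failure
2025-03-28T02:20:04Z portal-auth src=198.51.100.11 user=admin result=failure
2025-03-28T02:31:00Z gateway-auth src=192.0.2.44 user=grace result=failure
2025-03-28T02:31:20Z gateway-auth src=192.0.2.44 user=grace result=failure
2025-03-28T02:31:40Z gateway-auth src=192.0.2.44 user=grace result=failure
2025-03-28T02:32:00Z gateway-auth src=192.0.2.44 user=grace result=failure
2025-03-28T02:32:20Z gateway-auth src=192.0.2.44 user=grace result=failure
2025-03-28T02:32:40Z gateway-auth src=192.0.2.44 user=grace result=success
2025-03-28T09:00:00Z portal-auth src=10.20.30.40 user=heidi result=failure
2025-03-28T09:00:30Z portal-auth src=10.20.30.40 user=heidi result=success
"""


def parse(lines):
    """Parse auth lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _burst(evs, window, key, min_events, min_distinct):
    """First window, starting at an event in time-sorted evs, holding at least
    min_events events with at least min_distinct distinct key(x) values."""
    for i, start in enumerate(evs):
        in_win = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
        distinct = {key(x) for x in in_win}
        if len(in_win) >= min_events and len(distinct) >= min_distinct:
            return in_win, distinct
    return None


def detect(events, window=timedelta(minutes=10), fail_threshold=5, distinct_threshold=3):
    """Return (kind, key, detail) findings; the thresholds are starting points to tune."""
    findings = []
    by_src, by_user, by_pair = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
            by_user[e["user"]].append(e)
            by_pair[(e["src"], e["user"])].append(e)
    # One source, many distinct usernames: credential stuffing or password spraying.
    for src, evs in by_src.items():
        hit = _burst(evs, window, lambda x: x["user"], fail_threshold, distinct_threshold)
        if hit:
            findings.append(("credential_stuffing", src, sorted(hit[1])))
    # One username, many distinct sources: distributed brute force (evades per-IP lockout).
    for user, evs in by_user.items():
        hit = _burst(evs, window, lambda x: x["src"], fail_threshold, distinct_threshold)
        if hit:
            findings.append(("distributed_brute_force", user, sorted(hit[1])))
    # Same source and account failing repeatedly: classic brute force.
    for (src, user), evs in by_pair.items():
        hit = _burst(evs, window, lambda x: x["src"], fail_threshold, 1)
        if hit:
            findings.append(("brute_force", f"{src}->{user}", len(hit[0])))
    # A success preceded by a burst of failures from the same source for the same
    # account is the highest-priority signal: treat it as a possible compromise.
    for e in events:
        if e["result"] != "success":
            continue
        prior = [x for x in by_pair[(e["src"], e["user"])]
                 if timedelta(0) <= e["ts"] - x["ts"] <= window]
        if len(prior) >= fail_threshold:
            findings.append(("possible_compromise", f"{e['src']}->{e['user']}", len(prior)))
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for kind, key, detail in run_sample():
        print(f"{kind:24} {key:24} {detail}")
```

On the sample input the detector yields one finding per pattern; the "heidi" typo followed by a success stays below every threshold. The possible_compromise finding is the one to route to incident response (force MFA re-enrolment, reset the credential, review what the session did), while the three attack-pattern findings feed blocking of the offending sources and a check that the targeted accounts have MFA enforced.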