The focused portals had been geographically distributed, primarily in america, Pakistan, and Mexico, with the visitors nearly solely originating from IP house linked to a single German internet hosting supplier, 3xk GmbH. The login makes an attempt adopted a extremely uniform sample, reusing widespread usernames and passwords and even adopting a browser-like Firefox person agent string.
It is a telltale signal of scripted credential probes slightly than opportunistic scanning, the researchers famous.
“This consistency of the person agent, request construction, and timing suggests scripted credential probing designed to establish uncovered or weakly protected GlobalProtect portals, slightly than interactive entry makes an attempt or vulnerability exploitation,” they stated.
