GreyNoise has uncovered a coordinated campaign targeting Cisco, Fortinet, and Palo Alto Networks devices, with attackers using IPs from the same subnets. The firm detected scanning attempts against Cisco ASA devices in September, weeks before two zero-day vulnerabilities were disclosed. These bugs, scoring up to 9.9 on the CVSS scale, were linked to China-based hackers in the ArcaneDoor espionage campaign.
Scanning activity against Palo Alto Networks firewalls spiked 500% over two days, involving 2,200 unique IPs and generating over 1.3 million login attempts. GreyNoise warns that similar spikes typically precede vulnerability disclosures within six weeks, with roughly 80% accuracy for major firewall and VPN vendors.
Source: SecurityWeek