Credential Miners Dig Into VPN Tunnels

  • Writer: Javier Conejo del Cerro
  • 19 Dec 2025
  • 3 min read

Every mine starts with a rumor of value beneath the surface. A weak seam. A forgotten shaft. A tunnel left open just long enough.

For cybercriminals, enterprise VPN gateways have become exactly that.

In mid-December 2025, threat actors launched a coordinated campaign against Cisco SSL VPN and Palo Alto GlobalProtect portals, not with zero-days or exotic exploits, but with relentless, industrial-scale credential mining. Millions of automated login attempts hammered exposed VPN endpoints, probing for reused, weak, or forgotten credentials that could open the door to corporate networks.

This was not a smash-and-grab. It was systematic excavation.


Phase 1: Surveying the Terrain — Exposed VPN Entrances


The campaign targeted one of the most common choke points in modern enterprises: remote access VPN portals.

Organizations rely on VPN gateways to:

  • Provide remote access to internal networks

  • Authenticate users via username and password

  • Expose login interfaces directly to the internet

These portals are designed for availability and convenience. For attackers, that makes them ideal mining sites: always on, always reachable, and often unevenly hardened.

The miners did not need to break in. The tunnel entrances were already there.


Phase 2: The Mining Operation Begins — Centralized Infrastructure


GreyNoise telemetry revealed that the campaign originated from centralized infrastructure hosted by 3xK GmbH in Germany.

Key characteristics of the operation included:

  • Cloud-hosted IP ranges reused across waves

  • Rapid rotation of source IPs

  • Consistent tooling and request structure

On December 11, 2025, the first major blast hit Palo Alto GlobalProtect portals:

  • Over 1.7 million login attempts

  • Executed in just 16 hours

  • Sourced from more than 10,000 unique IP addresses

This was not reconnaissance. It was full-scale extraction.


Phase 3: No Explosives, Just Picks — Credential Stuffing


Despite the scale, there was no evidence of vulnerability exploitation.

Instead, the attackers relied on:

  • Credential stuffing using large credential lists

  • Password spraying against common usernames

  • Uniform request bodies matching legitimate login flows

  • Valid CSRF tokens and correctly structured parameters

The requests even used browser user agents that mimicked real users, including Firefox and Windows-based signatures, an unusual choice that helped blend into background noise.

The goal was simple: find credentials that still worked.


Phase 4: Shifting Shafts — Pivot to Cisco SSL VPN


On December 12, the miners shifted operations.

Traffic pivoted from Palo Alto to Cisco SSL VPN endpoints:

  • Unique attacking IPs jumped from under 200 to 1,273 in a single day

  • Sessions shared the same TCP fingerprints and infrastructure

  • Request logic remained consistent

GreyNoise sensors confirmed the activity was opportunistic scanning at scale, not precision targeting of a single organization.

The same miners, same tools, new tunnel.


Phase 5: Fingerprints in the Rock — A Unified Toolset


Across both vendors, analysts observed:

  • Identical TCP signatures

  • Shared timing patterns

  • Reused automation logic

  • Common hosting infrastructure

These overlaps strongly indicate a single actor or tightly coordinated operation, rather than independent attackers coincidentally probing the same gateways.

Importantly, GreyNoise ruled out any connection to other known campaigns, such as Cisco Talos’ UAT-9686 activity, reinforcing the conclusion that this was a distinct credential-harvesting effort.


Phase 6: Why Credentials Matter More Than Exploits


Credential-based access is often more valuable than exploiting a CVE.

With valid VPN credentials, attackers can:

  • Authenticate legitimately

  • Bypass perimeter defenses

  • Blend into normal user traffic

  • Establish persistence without triggering exploit-based alerts

History shows that large-scale credential probing often precedes more targeted intrusions, data theft, or ransomware operations.

The miners were not just digging for access. They were building inventories.


Defensive Measures: Reinforcing the Shafts


Stopping credential-mining campaigns requires reinforcing the tunnel entrances, not just watching for explosions.

Effective defenses include:

  • Enforcing multi-factor authentication (MFA) on all VPN access

  • Requiring strong, unique passwords and disabling legacy auth

  • Monitoring VPN authentication logs for sudden spikes or anomalies

  • Blocking known malicious IP ranges and cloud providers when appropriate

  • Keeping VPN platforms fully patched and configured to rate-limit login attempts

Without MFA, every password is a potential vein of ore.
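One way to turn the "sudden spikes or anomalies" bullet into concrete detection logic, as an added example that is not part of the original post: it runs over a constructed, generic VPN authentication log (the line format is an assumption; real Cisco ASA and GlobalProtect syslog formats differ and would need their own parser) and flags any hour where failed logins are both high in volume and spread across many source IPs and usernames with each (IP, user) pair tried roughly once, which is the shape of the December 11 and 12 waves described above, including the jump in unique source IPs between consecutive hours.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real telemetry). Assumed line format:
# "<ISO timestamp> <src_ip> <username> <FAIL|OK>"
SAMPLE_LOG = "\n".join(
    # quiet hour: ordinary logins and one mistyped password
    ["2025-12-11T08:01:00 10.0.0.5 alice OK",
     "2025-12-11T08:15:00 10.0.0.7 bob FAIL",
     "2025-12-11T08:16:00 10.0.0.7 bob OK"]
    # busy hour: 250 source IPs, 600 usernames, each pair tried exactly once
    + [f"2025-12-11T09:{i // 60:02d}:{i % 60:02d} 203.0.113.{i % 250} user{i:04d} FAIL"
       for i in range(600)]
)

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def hourly_stats(lines):
    """Bucket FAIL events per clock hour: count, distinct IPs/users, distinct (ip, user) pairs."""
    buckets = defaultdict(lambda: {"fails": 0, "ips": set(), "users": set(), "pairs": set()})
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "FAIL":
            continue
        b = buckets[ts.replace(minute=0, second=0, microsecond=0)]
        b["fails"] += 1
        b["ips"].add(ip)
        b["users"].add(user)
        b["pairs"].add((ip, user))
    return buckets

def detect(lines, min_fails=100, min_ips=50, ip_spike_factor=5):
    """Flag hours whose failed-login volume and source diversity look like distributed
    credential stuffing or spraying rather than a few users mistyping passwords."""
    alerts, prev_ips = [], 0
    for hour, b in sorted(hourly_stats(lines).items()):
        n_ips, n_users = len(b["ips"]), len(b["users"])
        # stuffing/spraying tries each (ip, user) pair once or twice; a locked-out
        # human retrying the same account from one IP drives this ratio much higher
        per_pair = b["fails"] / max(len(b["pairs"]), 1)
        spike = prev_ips > 0 and n_ips >= ip_spike_factor * prev_ips
        if b["fails"] >= min_fails and n_ips >= min_ips:
            alerts.append({"hour": hour.isoformat(), "fails": b["fails"], "src_ips": n_ips,
                           "users": n_users, "fails_per_pair": round(per_pair, 2),
                           "ip_spike": spike})
        prev_ips = n_ips
    return alerts
```

On the sample, only the 09:00 hour is flagged: 600 failures from 250 IPs against 600 usernames, one attempt per pair, with a source-IP spike relative to the preceding hour; the thresholds are starting points to tune against a gateway's own baseline.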

This campaign highlights a recurring truth in modern intrusions: attackers do not always look for cracks in the wall. Sometimes they focus on the door.

By abusing exposed VPN gateways with industrial-scale automation, these credential miners demonstrated how access can be harvested quietly, efficiently, and without exploits. The infrastructure was not broken. It was worked.

In a landscape where credentials remain the most common initial access vector, the lesson is clear:

If the tunnel stays open, someone will keep digging — until they strike access.
