Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Weekend lookout: VPN login bypass activity, botnet knock-on risk, and sharper phishing lures

What small and medium-sized businesses should look out for today.

High | Saturday 30 May 2026, 17:13 UK time
Today’s look-out: Remote access (VPN) compromise and business disruption, plus phishing using AI-written lures

What to look out for today

Three themes to brief your team and IT support on today:

  • Remote access/VPN risk: active exploitation reported for a Palo Alto Networks PAN-OS / GlobalProtect authentication bypass (also impacts Prisma Access).
  • Business disruption risk: botnet and DDoS capability remains widespread (even with recent law enforcement disruption activity), and DDoS-for-hire services are increasingly “productised”.
  • Sharper phishing: threat actors are using AI tools to generate more convincing lures and follow-on activity after compromise.

Why this matters to smaller businesses

For many SMEs, the VPN is the front door to email, files, finance systems, and remote support. If attackers bypass authentication, they may gain the same access as a member of staff—often without triggering obvious alarms—leading to ransomware, data theft, invoice fraud, or prolonged downtime. Separately, DDoS attacks are now easy to buy and can take down websites, booking systems, or customer portals. AI-written phishing increases the chance that a busy colleague clicks “just this once”.

Warning signs

  • Unusual VPN connection alerts, logins at odd hours, or logins from unfamiliar locations.
  • Unexpected MFA prompts or staff reporting “I didn’t try to sign in, but got a code request”.
  • New admin accounts, new remote access settings, or changes to identity/VPN configuration that no one can explain.
  • Website or hosted service becomes intermittently unavailable (especially in bursts), or your provider mentions traffic spikes.
  • Emails that read “too polished” or unusually context-aware (invoice chasing, HR documents, shared links), especially if they create urgency.

How attackers may exploit the situation

  • VPN bypass → internal access: attackers may connect to your network without valid credentials, then move on to email, file shares, or backups.
  • Credential theft → cloud access: once inside, attackers often hunt for stored passwords or cloud tokens to reach Microsoft 365/Google Workspace and finance systems.
  • Phishing + AI: AI can help criminals quickly tailor messages to your industry (schools, charities, professional services) and mimic tone/format of common business emails.
  • DDoS distraction: some groups use disruption to distract IT teams while attempting fraud or intrusion elsewhere.

What to do today

  • Confirm who owns VPN monitoring this weekend: make sure someone will see and act on alerts (internal or your MSP).
  • Review remote access logs: ask for a quick check for unusual VPN activity over the last 7 days (new locations, repeated attempts, strange times).
  • Re-brief staff on payment safety: treat any “urgent invoice”, “bank details update”, or “new payment link” email as suspicious—verify using a known phone number.
  • Check your DDoS/disruption plan: know who to call at your ISP/hosting provider and what your “status update to customers” looks like.
  • Backups sanity check: confirm you have recent backups and that restore access is protected (separate admin accounts/MFA where possible).
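The "review remote access logs" action above, and the first three warning signs (unfamiliar locations, odd-hours logins, repeated attempts), can be turned into a quick triage script that IT or your MSP can run over an export of VPN sign-in events. The following is an added example, not part of the original brief and not vendor code: it uses a constructed, vendor-neutral CSV export (timestamp, user, source IP, country, result) rather than real PAN-OS or GlobalProtect log syntax, and the "expected countries", business-hours window and failure threshold are assumptions to adjust for your own business.

```python
"""Triage VPN sign-in events for the warning signs in the brief.

Added example, not part of the original brief. The log format is a
constructed, vendor-neutral CSV; real PAN-OS / GlobalProtect exports differ
and would need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real data). Columns:
# ISO-8601 UTC timestamp, username, source IP, GeoIP country, result
SAMPLE_LOG = """\
2026-05-24T09:02:11Z,alice,203.0.113.10,GB,success
2026-05-25T08:55:40Z,alice,203.0.113.10,GB,success
2026-05-26T03:14:02Z,alice,198.51.100.7,RO,success
2026-05-27T10:20:00Z,bob,192.0.2.44,GB,success
2026-05-28T22:40:13Z,bob,192.0.2.9,GB,failure
2026-05-28T22:40:19Z,bob,192.0.2.9,GB,failure
2026-05-28T22:40:25Z,bob,192.0.2.9,GB,failure
2026-05-28T22:40:31Z,bob,192.0.2.9,GB,failure
2026-05-28T22:40:37Z,bob,192.0.2.9,GB,failure
2026-05-29T12:01:00Z,carol,203.0.113.77,GB,success
"""

# Tunables (assumptions for this example): countries staff normally connect
# from, the business-hours window (UTC), and how many failures from one
# source IP inside a window count as password guessing.
EXPECTED_COUNTRIES = {"GB"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC
FAIL_THRESHOLD = 5
FAIL_WINDOW_SECONDS = 300


def parse_events(text):
    """Parse CSV lines into dicts with a timezone-aware timestamp; skip blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def find_anomalies(events):
    """Return (kind, user, detail) tuples for three warning signs:
    new country, out-of-hours success, repeated failures from one IP."""
    findings = []
    seen_countries = defaultdict(set)   # user -> countries already seen
    fails_by_ip = defaultdict(list)     # source IP -> recent failure times

    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            # Unfamiliar location: outside the expected set and never seen
            # for this user earlier in the export.
            if (e["country"] not in EXPECTED_COUNTRIES
                    and e["country"] not in seen_countries[e["user"]]):
                findings.append(("new_country", e["user"],
                                 f"{e['country']} from {e['ip']} at {e['ts'].isoformat()}"))
            seen_countries[e["user"]].add(e["country"])
            # Odd hours: successful sign-in outside the business window.
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("out_of_hours", e["user"],
                                 f"{e['ts'].isoformat()} from {e['ip']}"))
        else:
            # Repeated failures: sliding window of failure times per source IP,
            # reported once when the threshold is first reached.
            window = fails_by_ip[e["ip"]]
            window.append(e["ts"])
            cutoff = e["ts"].timestamp() - FAIL_WINDOW_SECONDS
            window[:] = [t for t in window if t.timestamp() >= cutoff]
            if len(window) == FAIL_THRESHOLD:
                findings.append(("repeated_failures", e["user"],
                                 f"{FAIL_THRESHOLD} failures from {e['ip']} "
                                 f"within {FAIL_WINDOW_SECONDS}s"))
    return findings


def triage(text=SAMPLE_LOG):
    """Convenience entry point: parse an export and return its findings."""
    return find_anomalies(parse_events(text))


if __name__ == "__main__":
    for kind, user, detail in triage():
        print(f"{kind:18} {user:8} {detail}")
```

On the constructed sample this flags alice's 03:14 sign-in from a new country (two findings: new country and out of hours) and bob's five failed attempts within 24 seconds. A single finding is a prompt to ask the person, not proof of compromise; the point is that the check takes minutes once the export exists, which is why "who owns VPN monitoring this weekend" is the first action.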

Ask your IT provider

  • Do we run Palo Alto PAN-OS / GlobalProtect or Prisma Access anywhere (including at a supplier/hosted edge)? If yes, what is our exposure and mitigation status?
  • Are VPN and identity logs being monitored in near-real-time, and what alerts are enabled for unusual sign-ins?
  • Do we enforce MFA for all remote access, and can we restrict VPN access by geography or trusted devices?
  • What is our DDoS protection stance (ISP/hosting/CDN), and who is the escalation contact out of hours?
  • If the VPN were compromised, what is our fastest containment step (disable remote access, rotate credentials, isolate segments)?

Patch watch

CISA has added a Palo Alto Networks PAN-OS authentication bypass (CVE-2026-0257) to its Known Exploited Vulnerabilities (KEV) catalogue, and reporting indicates active exploitation. This is worth prioritising because it affects remote access (a common entry point) and can lead directly to broader business compromise. Ask your IT provider to confirm whether you are affected, whether the fix or vendor-recommended mitigation has been applied, and whether they have checked for signs of prior exploitation rather than only patching forward.

One action today

Get your IT provider (or internal IT) to confirm today whether you use Palo Alto PAN-OS/GlobalProtect or Prisma Access and to review the last 7 days of VPN sign-in logs for anomalies.

Related Actions On Cyber resource

Actions On Cyber checklist — “Invoice and bank detail change verification (call-back process) + MFA for remote access”

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.