
Spike in Login Portal Scans Puts Palo Alto Networks on Alert


Palo Alto Networks login portals have seen a dramatic surge in suspicious scanning activity over the past month, a development that has caught the attention of the cybersecurity community. The evidence suggests that threat actors are coordinating reconnaissance efforts aimed at these portals.

A new report from cybersecurity intelligence firm GreyNoise revealed that scanning volumes against Palo Alto Networks' GlobalProtect and PAN-OS interfaces rose by over 500%, a sharp departure from the usual pattern for such scanning. In the last week of October, the firm recorded more than 1,285 unique IP addresses probing these systems, compared with a typical daily average of fewer than 200.

Approximately 80% of this activity was attributed to IP addresses in the United States, with additional clusters originating from the United Kingdom, the Netherlands, Canada, and Russia. Moreover, distinct TLS fingerprints pointed to organised scanning clusters that were heavily oriented towards both United States and Pakistani targets.

GreyNoise analysts classify 91% of the observed IP addresses as suspicious and another 7% as malicious, indicating that this may be an early phase of targeted reconnaissance or exploitation attempts against Palo Alto Networks' widely deployed infrastructure.

GreyNoise's analysis found that a large share of the scanning traffic came from U.S. IP addresses, with smaller but noteworthy clusters from the United Kingdom, the Netherlands, Canada, and Russia. Using TLS fingerprints, the researchers identified distinct activity clusters, one targeting U.S. systems and one focusing on Pakistani systems, whose overlapping fingerprints suggest shared infrastructure or coordination.

Ninety per cent of the IP addresses involved in the campaign were deemed suspicious, while another seven per cent were flagged as malicious by the firm. Most of the scanning activity was directed at emulated Palo Alto Networks profiles, including GlobalProtect and PAN-OS, indicating that the probes were deliberate and are the product of open-source scanning tools or of attackers conducting reconnaissance to identify vulnerable Palo Alto devices.

According to GreyNoise, heightened scanning activity can often be detected before zero-day or n-day vulnerabilities are exploited, serving as advance warning of offensive operations. A similar pattern was observed earlier this year, when a spike in Cisco ASA scans was followed shortly afterwards by the disclosure and exploitation of a critical zero-day vulnerability in that product line.

Although the timing and scale of the current Palo Alto scans are cause for concern, researchers have clarified that the available evidence shows only a weak correlation with any known or emerging exploit activity in the Palo Alto Networks ecosystem at this point. Palo Alto Networks' GlobalProtect platform is the core of its next-generation firewall ecosystem, allowing organisations to apply consistent threat-prevention and security policies to remote endpoints, whether or not those endpoints are connected to a virtual network.

GlobalProtect portals are critical management tools that let administrators configure VPN settings, distribute security agents, and oversee endpoint connectivity within enterprise networks. Because of this function and its visibility on the Internet, the portal is considered a high-value target for attackers seeking access to sensitive data.

According to experts, firewalls, VPNs, and other edge-facing technologies are among the most attractive targets for attackers because they act as gateways between internal corporate environments and the open internet. These systems must, by necessity, be reachable online to support remote operations, but as a result they are inadvertently exposed to extensive reconnaissance and scanning.

A few weeks earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a warning that a zero-day authentication bypass vulnerability in the company's PAN-OS software was being actively exploited. This has increased Palo Alto Networks' appeal to cyber adversaries, and similar trends have been observed across the entire industry.

For example, Cisco Talos disclosed last year that two zero-day flaws in Cisco firewall appliances had been exploited by a state-backed threat actor in an espionage campaign. These incidents highlight the persistent threats facing vendors of edge security infrastructure.

Experts in the field of cybersecurity stress that the recent spikes in scanning activity targeting Palo Alto Networks' PAN-OS GlobalProtect gateways highlight a long-standing principle: no software is free of vulnerabilities. According to Boris Cipot, Senior Security Engineer at Black Duck, no matter how sophisticated a piece of software is, security vulnerabilities will inevitably arise at some point, whether through programming oversight or through vulnerabilities introduced by third-party open-source components.

According to him, the real test is not whether a vulnerability exists but how swiftly the affected vendor releases a fix and how quickly users apply it. The Palo Alto Networks spokesperson told me that while most Palo Alto Networks customers have probably patched their systems in response to recent advisories, attackers continue to hunt for devices that are unpatched or poorly maintained, hoping to exploit those that are not well secured.

Cipot's recommendations include timely patching, following vendor-recommended mitigations when patches are not available, and restricting management interfaces to trusted internal networks, which, he says, is one of the most fundamental practices.

The report also recommends that organisations use continuous log monitoring, conduct regular security audits, and analyse open-source components to identify vulnerabilities as early as possible in the lifecycle. Eric Schwake, a Salt Security director responsible for cybersecurity strategy, echoed these concerns, pointing out that the pattern of scans, which span nearly 24,000 unique IP addresses, demonstrates the persistence of threat actors in attempting to gain unauthorised access to data.

While perimeter security, such as firewalls and VPNs, is still crucial, it should not be viewed as impenetrable, according to Schwake. He therefore recommended that organisations adopt a multi-layered security approach integrating API security governance, robust authentication mechanisms, and behavioural threat detection, so that abnormal login attempts and other malicious activity are detected in real time rather than relying on a single control.

He also recommended user awareness training and enforced multifactor authentication (MFA) to reduce the risk of credential compromise and strengthen organisations' overall cyber resilience. GreyNoise's security research team has noted unusual scanning activity directed at Palo Alto Networks' PAN-OS GlobalProtect gateways for a number of years.
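The "continuous log monitoring" the experts recommend can be reduced to a concrete signal that mirrors the GreyNoise observation above (a daily count of distinct source IPs far above the recent baseline). The following is an added example, not code from the article, GreyNoise or Palo Alto Networks; it runs over constructed access-log lines and assumes the portal login endpoint is `/global-protect/login.esp`.

```python
# Added example (not from the article or GreyNoise): flag days on which the
# number of distinct source IPs touching the VPN login endpoint jumps far
# above the recent baseline, the kind of early-warning signal the report describes.
from collections import defaultdict
from statistics import median

# Assumption: the portal login page lives at this path; adjust for your logs.
LOGIN_PATH = "/global-protect/login.esp"

def build_sample_logs():
    """Constructed sample lines "<date> <src_ip> <path> <status>": three quiet
    days with two distinct sources each, then a day with twelve, plus noise."""
    lines = []
    days = [("2025-10-20", 2), ("2025-10-21", 2), ("2025-10-22", 2), ("2025-10-23", 12)]
    for day, n in days:
        for i in range(1, n + 1):
            lines.append(f"{day} 198.51.100.{i} {LOGIN_PATH} 200")
    lines.append(f"2025-10-23 198.51.100.1 {LOGIN_PATH} 200")  # repeat hit, same IP
    lines.append("2025-10-23 203.0.113.9 /other/page 404")     # not the portal
    return lines

def unique_sources_per_day(lines, path=LOGIN_PATH):
    """Map each day (ISO date, so sorting is chronological) to the number of
    distinct source IPs that requested `path`; other paths are ignored."""
    per_day = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        day, src_ip, req_path = parts[0], parts[1], parts[2]
        if req_path == path:
            per_day[day].add(src_ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}

def find_spikes(daily_counts, factor=5.0, window=7):
    """Return [(day, count, baseline)] for days whose count is at least
    `factor` times the median of the preceding `window` days.
    The first day has no baseline and is never flagged."""
    spikes, history = [], []
    for day, count in daily_counts.items():
        if history:
            baseline = median(history[-window:])
            if baseline > 0 and count >= factor * baseline:
                spikes.append((day, count, baseline))
        history.append(count)
    return spikes

if __name__ == "__main__":
    counts = unique_sources_per_day(build_sample_logs())
    for day, count, baseline in find_spikes(counts):
        print(f"{day}: {count} distinct sources vs baseline {baseline:.0f}")
```

A flagged day is a prompt to check patch status and management-interface exposure, not proof of an exploit attempt; the factor of 5 loosely mirrors the 500% rise GreyNoise reported and should be tuned to your own portal's traffic.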

In April 2025, the cybersecurity intelligence firm spotted another wave of suspicious login probes, prompting Palo Alto Networks to advise its customers to make sure their systems were running the latest software versions and to apply all available patches. Several patterns in GreyNoise's Early Warning Signals report from July 2025 support the company's renewed warning. Among them are large-scale spikes in malicious scanning, brute-force attempts, or exploit probing, which are often followed within six weeks by the disclosure of a new CVE.

A similar pattern appeared in early September 2025, when GreyNoise detected an increase in suspicious network scans targeting Cisco Adaptive Security Appliance (ASA) devices, traced back to late August. A total of 25,100 IP addresses were involved in the initial wave, located primarily in Brazil, Argentina, and the United States, with most originating from Brazil.

Researchers at Palo Alto Networks have observed an alarming rise in the number of Internet scanning sessions targeting a critical flaw in Palo Alto Networks GlobalProtect software, identified as CVE-2024-3400. The high-severity vulnerability affects one of the most widely deployed enterprise firewall solutions and allows arbitrary file creation that can be weaponised to execute commands with root privileges on the operating system.

By exploiting such vulnerabilities, attackers can gain complete control over affected devices, potentially resulting in the theft of sensitive data and the compromise or disruption of critical network functions. In the last few weeks, analysts have noticed a significant increase in probing for this flaw, suggesting that threat actors are actively incorporating it into their attack arsenals.

The fact that GlobalProtect serves as an internet-facing gateway in many corporate environments increases the risk posed by the flaw, which is remotely exploitable without authentication. A surge of malicious reconnaissance, according to analysts, could be the precursor to coordinated intrusion campaigns. This makes it imperative that organisations apply security patches as soon as possible, enforce access restrictions, and strengthen monitoring across all perimeter defences.

Only weeks after the discovery of one exploitable zero-day vulnerability in its ASA products (CVE-2025-20333), Cisco confirmed that another zero-day vulnerability in the same product line (CVE-2025-20362) was being actively exploited, enabling advanced malware strains such as RayInitiator and LINE VIPER to be deployed in real-world attacks.

According to data supplied by the Shadowserver Foundation, over 45,000 Cisco ASA and Firepower Threat Defence instances worldwide, including more than 20,000 in the United States, remain susceptible to these vulnerabilities. It is evident that organisations reliant on perimeter security technologies face escalating threats alongside the ongoing challenge of timely patch adoption.

This latest surge in scanning activity is yet another reminder that cyber threats are constantly evolving, which is why vigilance, visibility, and velocity are so crucial to defending against them. As reconnaissance efforts become more sophisticated and automated, organisations have to take more proactive steps, integrating threat intelligence, monitoring continuously, and managing their attack surfaces, in order to remain effective.

This cannot be achieved through vendor patches alone. Strengthening network resilience today requires combining endpoint hardening, strict access controls, timely updates, and intelligent anomaly detection based on behavioural analytics. Security teams should also minimise the exposure of management interfaces and, wherever possible, shield them behind zero-trust architectures that validate every connection attempt.

Regular penetration testing, together with active participation in information-sharing communities, makes it much easier to detect early warning signs before adversaries gain traction. As the recurring campaigns against Palo Alto Networks and Cisco infrastructure show, attackers are playing the long game: scanning for vulnerabilities, waiting for them to emerge, and striking when defenders become complacent. Defenders' edge therefore lies in staying informed, staying updated, and staying ahead of the curve.