A significant spike in scanning activity targeting Palo Alto Network GlobalProtect login portals has been observed, with researchers concerned it may be a prelude to an upcoming attack or flaw being exploited. GreyNoise underlined the consistency in how the scanning activity is performed, suggesting that it could be part of an effort to test network defenses before attempting targeted exploitation. At this time, the exact nature and goals of this large-scale activity remain blurry, but the takeaway for administrators of internet-exposed Palo Alto Networks systems should be to elevate their vigilance against probing and potential exploitation attempts. "Over the past 18 to 24 months, we've observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies," states Bob Rudis, VP of Data Science at GreyNoise. GreyNoise recommends reviewing logs since mid-March to evaluate if you have been targeted, hunt for signs of compromise, harden login portals, and block known malicious IPs (shared in the report). GreyNoise noted that the activity is reminiscent of the espionage campaign Cisco Talos attributed to 'ArcaneDoor' hackers roughly a year ago, targeting edge devices. BleepingComputer has contacted Palo Alto Networks for a comment on the activity Greynoise sees, and we will update this post when we hear back. GreyNoise noted that in the past, such spikes in network scanning have been linked to preparatory reconnaissance, which was eventually followed by the disclosure of flaws two to four weeks later. According to GreyNoise, which reports the activity, the scanning activity involves over 24,000 unique source IP addresses. The researchers have also found a link to another activity they have been observing recently, concerning a PAN-OS crawler that also spiked on March 26, 2025, involving 2,580 IPs in its scans.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 01 Apr 2025 14:35:46 +0000