
Cybersecurity researchers have warned of a surge in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals.
“This pattern suggests coordinated efforts to investigate network defenses and identify potentially exposed or vulnerable systems as a precursor to target exploitation,” said GreyNoise, a threat intelligence company.
The surge began on March 17, 2025, and is said to have sustained nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, an estimated 23,958 unique IP addresses participated in the activity. Of these, only a small subset of 154 IP addresses has been flagged as malicious.

The US and Canada have emerged as the largest sources of traffic, followed by Finland, the Netherlands and Russia. The activity has primarily targeted systems in the US, UK, Ireland, Russia and Singapore.
It is currently not clear what is driving the activity, but it points to a systematic approach to testing network defenses, which could pave the way for later exploitation.

“Over the last 18 to 24 months, we have observed a consistent pattern of intentional targeting of old vulnerabilities, or a consistent pattern of conventional attacks and reconnaissance attempts against certain technologies,” said GreyNoise’s vice president of data science. “These patterns often coincide with new vulnerabilities that appear in two to four weeks.”
In light of the unusual activity, it is essential that organizations with internet-facing Palo Alto Networks instances take steps to secure their login portals.
The Hacker News has contacted Palo Alto Networks for further comment and will update the story if there is a reply.