Palo Alto Networks has revealed that it is observing brutefog login attempts to Pan-OS Global-Protect Gateways. It’s days after threat actors warned about a surge in suspicious login scan activities targeting appliances.
“Our teams are observing evidence of activity that is consistent with password-related attacks, including attempts to brute force logins that do not indicate exploitation of vulnerabilities,” a spokesman for the company told HackerNews. “We will actively monitor this situation, analyse reported activities to determine their potential impact and identify whether mitigation is necessary.”
The development comes after threat intelligence company Greynoise warned about a surge in suspicious login scanning activities targeting the Pan-OS Globalprotect portal.
The company also noted that the activity began on March 17, 2025 and reached a peak of 23,958 unique IP addresses before it was dropped towards the end of last month. This pattern illustrates coordinated efforts to probe network defenses and identify exposed or vulnerable systems.
Login Scanning Activity has singled out systems primarily in the US, UK, Ireland, Russia and Singapore.
I don’t know how widespread these efforts are now, and whether it is the work of a particular threat actor at this stage. Hacker News has contacted the Palo Alto Network for additional comment and will update the story if there is a reply.
In the interim, all customers are encouraged to ensure they are running the latest version of PAN-OS. Other mitigations include enforcing multifactor authentication (MFA), facilitating GlobalProtect configuration MFA notifications, setting security policies to detect and block brute-force attacks, and limiting unnecessary exposure to the Internet.
Source link
