FlagThis

Cybersecurity researchers have detected a significant surge in scanning activity targeting Palo Alto Networks GlobalProtect login portals. Nearly 24,000 unique IP addresses have been observed attempting to access these portals, a pattern suggesting a coordinated effort to probe network defenses. GreyNoise has classified the majority of this activity as suspicious, with a smaller subset identified as malicious, indicating both reconnaissance and potentially more immediate threats. The spike in activity began in mid-March, peaking around March 17th to March 26th, before tapering off.

This activity has been linked to other PAN-OS reconnaissance-related tags and is believed to be a precursor to potential exploitation. The scans predominantly originated from the United States and Canada, while the targeted systems were primarily located in the United States, United Kingdom, Ireland, Russia, and Singapore. Experts advise that organizations using Palo Alto Networks products take immediate steps to secure their login portals and monitor for any suspicious behavior. These scans are reminiscent of previous patterns observed by GreyNoise, where similar network scanning has preceded the discovery of new vulnerabilities.

ImgSrc: cdn.prod.websit

References :

• The Hacker News: Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
• The Hacker News: Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
• BleepingComputer: Nearly 24,000 IPs behind wave of Palo Alto Global Protect scans
• The GreyNoise Blog: Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats

Classification:

• HashTags: #PaloAltoNetworks #GlobalProtect #ScanningActivity
• Company: GreyNoise
• Target: Palo Alto Networks GlobalProtect portals
• Product: GlobalProtect
• Feature: Probing Network Defenses
• Type: HighRisk
• Severity: Medium