Hackers Utilize 24,000 IP Addresses in Attack on Palo Alto Networks GlobalProtect

A significant surge in malicious activities targeting Palo Alto Networks PAN-OS GlobalProtect portals has been reported, with nearly 24,000 distinct IP addresses attempting to gain unauthorized access in the past month. This alarming trend, initially identified by cybersecurity firm GreyNoise, underscores the heightened sophistication of attackers scrutinizing network defenses in what seems to be a prelude to potential exploitations.

The upsurge in attack attempts began on March 17, 2025, reaching a staggering peak of nearly 20,000 unique IPs per day. Although this activity began to decline by March 26, the data revealed notable patterns, with the vast majority of these addresses classified as suspicious (23,800), while a smaller segment (154) was identified as outright malicious. These findings not only highlight the pressing nature of the threat but also raise concerns about the possibility of imminent exploitation attempts.

Bob Rudis, Vice President of Data Science at GreyNoise, commented on how this trend correlates with earlier patterns of cyber threats. He noted, “Over the past 18 to 24 months, we’ve observed deliberate targeting of older vulnerabilities, often followed by the discovery of new exploits within weeks.” This insight reflects a strategic methodology employed by attackers as they leverage previously known vulnerabilities while preparing for future exploits.

Most of the attack traffic originated from the United States (16,249 IPs) and Canada (5,823 IPs), with additional activity noted from Finland, the Netherlands, and Russia. Targets within the United States also accounted for a significant share (23,768 IPs), followed by smaller numbers aimed at the UK, Ireland, Russia, and Singapore. Such a geographical distribution indicates a well-orchestrated campaign with a vast operational reach.

A considerable portion of the malicious traffic was traced back to 3xK Tech GmbH, which was associated with over 20,000 of the detected IP addresses under the AS number 200373. Other notable contributors included PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solutions Ltd. Moreover, GreyNoise identified three JA4 hashes linked to the login scanner tool used in these attempts, suggesting a meticulous and organized effort to breach the portals.

This incident draws comparisons to previous cyber espionage campaigns targeting perimeter devices, as reported by Cisco Talos, emphasizing the critical need for heightened vigilance among organizations, particularly those reliant on Palo Alto Networks products. The similarities in methodology reinforce the importance of maintaining robust defenses around network infrastructures to mitigate potential risks.

Experts emphasize the urgent need for businesses to respond proactively to this evolving threat landscape. Conducting thorough audits of March access logs can reveal unusual access attempts, while performing routine threat hunts can help to identify potential compromises. Blocking known malicious IPs using actionable intelligence is also paramount in reducing organizational exposure to cyber threats.
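The March log audit recommended above, as an added example that is not code from the article or from GreyNoise: it parses a constructed, simplified login-attempt log (the field layout is an assumption; real PAN-OS GlobalProtect exports differ), flags days whose count of distinct failing source IPs jumps well above the baseline of the other days, reports the mean attempts per IP so a distributed scanner can be told apart from a single brute-forcer, and matches sources against a placeholder blocklist.

```python
"""Flag a distributed login-scanning surge against a GlobalProtect portal.
Assumed log layout (constructed for this example): one login attempt per line
as "date src_ip user result". Real PAN-OS exports use different fields, so
adapt parse_line() to what your firewall actually emits."""
from collections import defaultdict
from statistics import median

# Constructed sample: one quiet day, then many distinct IPs each trying once.
SAMPLE_LOG = """\
2025-03-16 203.0.113.5 alice success
2025-03-16 203.0.113.5 alice success
2025-03-17 198.51.100.1 admin fail
2025-03-17 198.51.100.2 admin fail
2025-03-17 198.51.100.3 test fail
2025-03-17 198.51.100.4 admin fail
2025-03-17 203.0.113.5 alice success
2025-03-18 198.51.100.9 admin fail
""".splitlines()
# Placeholder blocklist; load the indicators your threat-intel feed provides.
KNOWN_MALICIOUS = {"198.51.100.9"}

def parse_line(line):
    date, src_ip, user, result = line.split()
    return {"date": date, "src_ip": src_ip, "user": user, "result": result}

def failed_attempts_per_day(lines):
    """Map each day in the log to {src_ip: number of failed attempts}."""
    per_day = {}
    for rec in map(parse_line, lines):
        day = per_day.setdefault(rec["date"], defaultdict(int))
        if rec["result"] == "fail":
            day[rec["src_ip"]] += 1
    return per_day

def surge_days(lines, factor=3.0, floor=3):
    """Days whose distinct failing-IP count is >= floor and > factor times the
    median of the other days. Returns {day: (distinct_ips, mean_attempts_per_ip)};
    a mean near 1.0 means each IP tried once: a distributed scanner, not one brute-forcer."""
    per_day = failed_attempts_per_day(lines)
    counts = {d: len(ips) for d, ips in per_day.items()}
    flagged = {}
    for day, n in counts.items():
        baseline = median([c for d, c in counts.items() if d != day] or [0])
        if n >= floor and n > factor * baseline:
            flagged[day] = (n, sum(per_day[day].values()) / n)
    return flagged

def blocklist_hits(lines):
    """Source IPs present in the log that match the known-malicious set."""
    return {parse_line(l)["src_ip"] for l in lines} & KNOWN_MALICIOUS
```

On the sample, only 2025-03-17 is flagged, with four distinct IPs averaging one attempt each; tune `factor` and `floor` to the normal failed-login volume of your own portal.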

This recent escalation in coordinated attacks against vital network systems serves as a sobering reminder of the need for proactive cybersecurity measures. With attackers becoming increasingly adept at exploiting vulnerabilities, businesses must prioritize their defensive strategies to safeguard against future threats. As organizations navigate this complex cybersecurity terrain, understanding tactics and techniques from frameworks such as MITRE ATT&CK—ranging from initial access to privilege escalation—will be crucial in fortifying their defenses.
