Recent reports from cybersecurity researchers indicate a significant increase in login scanning attempts directed at Palo Alto Networks PAN-OS GlobalProtect gateways. An alarming total of nearly 24,000 unique IP addresses have been identified in this activity, raising concerns about the integrity of these critical systems.
This surge, which the threat intelligence firm GreyNoise describes as indicative of a coordinated effort, suggests that multiple actors are actively probing network defenses to discover exposed or vulnerable systems. They posit that this may serve as a precursor to more targeted exploitation efforts, a tactic observed frequently in contemporary cyber threat landscapes.
The activity reportedly escalated on March 17, 2025, consistently involving around 20,000 unique IP addresses daily before tapering off on March 26. The peak was recorded at 23,958 unique IP addresses engaged in the scanning behavior, with only 154 identified as malicious actors. The distribution of traffic indicates that the United States and Canada are leading sources, followed by Finland, the Netherlands, and Russia. Targets of this scanning activity have primarily been concentrated in the United States, the United Kingdom, Ireland, Russia, and Singapore.
The underlying motivations of such scanning remain unclear; however, this behavior is consistent with systematic approaches aimed at exploiting network vulnerabilities. This aligns with tactics found in the MITRE ATT&CK framework, particularly reconnaissance and initial access, and potentially lateral movement once initial vulnerabilities are identified.
Bob Rudis, Vice President of Data Science at GreyNoise, noted a prevailing trend over the last 18 to 24 months, characterized by sustained targeting of known vulnerabilities. Such patterns often precede the disclosure of new vulnerabilities within a few weeks. Consequently, organizations with internet-facing Palo Alto Networks devices are urged to bolster their security protocols to protect login portals from these ongoing attacks.
Palo Alto Networks communicated to The Hacker News that they are closely monitoring the situation and have advised customers to ensure their systems are updated with the latest software versions. A spokesperson emphasized the company’s commitment to customer security and acknowledged the recent blog by GreyNoise detailing the scanning activity directed at PAN-OS GlobalProtect portals.
GreyNoise also indicated that they have observed a parallel increase in activity targeting various technologies, including edge devices from multiple vendors, starting March 28, 2025. This uptick suggests a rise in reconnaissance and potential exploitation attempts, as cyber actors appear to be searching for unpatched, vulnerable systems.
Organizations are strongly advised to ensure all systems are equipped with the latest security patches and to monitor network traffic for any anomalous behavior. Proactively blocking known malicious IP addresses will also be crucial in maintaining robust cybersecurity defenses to mitigate these threats.
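As an added illustration of the monitoring advice above (example code written for this page, not from GreyNoise or Palo Alto Networks): it counts the distinct source IPs that hit the GlobalProtect portal login page per day in a constructed, generic access-log format and flags days that exceed a quiet-period baseline, the same unique-IP surge pattern the report describes. The log line shape, the sample data and the login path are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed log shape (constructed for this example, not a PAN-OS log format):
# "<ISO-8601 timestamp> <source IP> <method> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+\S+\s+(\S+)$")
LOGIN_PATH = "/global-protect/login.esp"  # assumed GlobalProtect portal login page


def unique_ips_per_day(lines: Iterable[str]) -> Dict[str, int]:
    """Count distinct source IPs that hit the portal login page, per calendar day."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        day, src_ip, path = m.groups()
        if path == LOGIN_PATH:
            seen[day].add(src_ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def flag_surge_days(counts: Dict[str, int], baseline_days: int = 2, factor: float = 3.0) -> List[str]:
    """Flag days whose unique-IP count exceeds `factor` times the peak of the first `baseline_days` days."""
    days = list(counts)
    baseline = max((counts[d] for d in days[:baseline_days]), default=0)
    threshold = max(1, baseline) * factor
    return [d for d in days[baseline_days:] if counts[d] > threshold]


def constructed_sample() -> List[str]:
    """Constructed sample log: two quiet days, then a burst of distinct sources."""
    lines = []
    for day, n_ips in (("2025-03-15", 3), ("2025-03-16", 3), ("2025-03-17", 12),
                       ("2025-03-18", 11), ("2025-03-19", 2)):
        for i in range(n_ips):
            lines.append(f"{day}T12:00:{i:02d}Z 203.0.113.{i + 1} GET {LOGIN_PATH}")
        lines.append(f"{day}T13:00:00Z 198.51.100.9 GET /robots.txt")  # non-login hit, ignored
    return lines


if __name__ == "__main__":
    counts = unique_ips_per_day(constructed_sample())
    print(counts)
    print("surge days:", flag_surge_days(counts))
```

Swap the constructed sample for real portal access logs and the baseline window for a representative quiet period; the unique-source count, not raw request volume, is the signal the report highlights.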
(The story was updated after publication to include a response from Palo Alto Networks.)