Palo Alto Networks has alerted the cybersecurity community regarding ongoing brute-force login attempts directed at PAN-OS GlobalProtect gateways. This warning follows recent observations from threat hunters who noted an increase in suspicious login scanning activity targeting the company’s devices.

A spokesperson from Palo Alto Networks commented that evidence exists of attempts that align with password-related attacks, specifically brute-force logins. Importantly, these activities do not indicate a breach involving any known vulnerabilities. The company is actively monitoring the situation and analyzing the reported occurrences to assess their potential ramifications and the necessity for countermeasures.

The warning from Palo Alto Networks coincides with an earlier alert from threat intelligence firm GreyNoise, which indicated a spike in login scanning aimed at PAN-OS GlobalProtect portals. Data suggests that this campaign began on March 17, 2025, reaching a peak of nearly 24,000 unique IP addresses before tapering off at the month’s close. The trend appears indicative of organized efforts to test network defenses and identify any exposed or susceptible systems.

The primary focus of these brute-force attempts has been systems located in the United States, the United Kingdom, Ireland, Russia, and Singapore. While it remains unclear whether these attempted intrusions can be attributed to any specific adversaries, it is vital for organizations to remain vigilant and proactive in their security measures.

Palo Alto Networks has yet to determine the full scale of these activities. The Hacker News has sought further comments from the company and will provide updates if additional information becomes available. In the meantime, all users are urged to ensure they are running the latest versions of PAN-OS. Recommended mitigations include enforcing multi-factor authentication, configuring GlobalProtect to facilitate MFA notifications, setting up security policies to detect and block brute-force attacks, and minimizing unnecessary exposure to the internet.
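The last of those mitigations, a policy that detects and blocks brute-force attempts, is the one most readers will want to see concretely. The following is an added example written for this article, not code from Palo Alto Networks or from the original piece: a sliding-window detector that counts failed GlobalProtect logins per source address and flags a source once its failures within a window reach a threshold, distinguishing a single-account brute force from a password spray across many accounts. The log format, the five-failure threshold and the ten-minute window are all assumptions chosen for illustration; the sample lines are constructed and do not follow the real PAN-OS log schema.

```python
"""Sliding-window brute-force detection over authentication log lines.

Added example. The log line format below is constructed for illustration and is
NOT the real PAN-OS / GlobalProtect log schema; adapt parse_line() to your own
export (syslog, CEF, SIEM) before using the detector.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (chronological order is assumed by the detector).
SAMPLE_LOGS = """\
2025-03-17T10:00:01Z auth_result=failed user=alice src=203.0.113.10 portal=gp-portal
2025-03-17T10:00:03Z auth_result=failed user=bob src=203.0.113.10 portal=gp-portal
2025-03-17T10:00:05Z auth_result=failed user=carol src=203.0.113.10 portal=gp-portal
2025-03-17T10:00:07Z auth_result=failed user=dave src=203.0.113.10 portal=gp-portal
2025-03-17T10:00:09Z auth_result=failed user=erin src=203.0.113.10 portal=gp-portal
2025-03-17T10:00:11Z auth_result=failed user=frank src=203.0.113.10 portal=gp-portal
2025-03-17T10:00:30Z auth_result=failed user=alice src=198.51.100.7 portal=gp-portal
2025-03-17T10:00:45Z auth_result=success user=alice src=198.51.100.7 portal=gp-portal
2025-03-17T10:20:00Z auth_result=failed user=alice src=192.0.2.44 portal=gp-portal
2025-03-17T10:40:00Z auth_result=failed user=alice src=192.0.2.44 portal=gp-portal
2025-03-17T11:00:00Z auth_result=failed user=alice src=192.0.2.44 portal=gp-portal
2025-03-17T11:20:00Z auth_result=failed user=alice src=192.0.2.44 portal=gp-portal
2025-03-17T11:40:00Z auth_result=failed user=alice src=192.0.2.44 portal=gp-portal
2025-03-17T12:00:00Z auth_result=failed user=alice src=192.0.2.44 portal=gp-portal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def classify(failure_count, distinct_users):
    """Label the pattern: many distinct accounts from one source suggests a spray."""
    if distinct_users >= 3 and distinct_users * 2 >= failure_count:
        return "password spray"
    return "single-account brute force"


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src: {"failures", "distinct_users", "pattern", "first_alert"}} for every
    source whose failed logins inside any sliding window of `window` reach `threshold`.

    Only failures count: a success after a handful of failures is a typo, not an attack.
    Failures spaced wider than the window (slow, patient probing) never accumulate and
    are deliberately NOT flagged here; that case needs a longer window or a per-user rule.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            users = {u for _, u in q}
            alerts[ev["src"]] = {
                "failures": len(q),
                "distinct_users": len(users),
                "pattern": classify(len(q), len(users)),
                "first_alert": ev["ts"],
            }
    return alerts


def block_candidates(alerts):
    """Sources that crossed the threshold, in the form a block policy would consume."""
    return sorted(alerts)


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOGS).items():
        print(f"{src}: {info['failures']} failures across {info['distinct_users']} "
              f"accounts at {info['first_alert']} -> {info['pattern']}")
    print("block:", block_candidates(detect_bruteforce(SAMPLE_LOGS)))
```

Run against the sample, only 203.0.113.10 is flagged: six failures against six different accounts within ten seconds is a spray. The source at 198.51.100.7 fails once and then succeeds, and 192.0.2.44 spaces its attempts twenty minutes apart, so neither ever holds five failures inside the window. That second case is worth noticing: a fixed-window threshold is easy to slip under, which is why the article's other recommendations (MFA and reducing exposure) matter more than any single detection rule.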

This incident exemplifies techniques outlined in the MITRE ATT&CK framework, particularly under tactics such as initial access and credential dumping. By understanding these tactics, businesses can better fortify their defenses against similar attempts. As cybersecurity threats evolve, it is imperative for business owners to stay informed and implement robust security practices to mitigate risks.
