Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals.
"This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," threat intelligence firm GreyNoise said.
The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious.
The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.
It's currently not clear what's driving the activity, but it points to a systemic approach to testing network defenses, which could likely pave the way for later exploitation.
"Over the past 18 to 24 months, we've observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies," Bob Rudis, VP of Data Science at GreyNoise, said. "These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later."
In light of the unusual activity, it's imperative that organizations with internet-facing Palo Alto Networks instances take steps to secure their login portals.
When reached for comment, Palo Alto Networks told The Hacker News that it's actively tracking the situation, urging customers to take steps to ensure that their instances are running the latest version of the software.
"The security of our customers is always our top priority," a spokesperson for the company said. "Palo Alto Networks is aware of a recent blog posted by GreyNoise regarding scanning activity targeting PAN-OS GlobalPortect portals."
"Our teams are actively monitoring this situation and analyzing the reported activity to determine its potential impact and identify if mitigations are necessary. We encourage all customers to follow the best practice of running the latest versions of PAN-OS."
GreyNoise has since revealed that it has observed a significant spike in activity targeting multiple technologies, including edge devices, from F5, Ivanti, Linksys, SonicWall, Zoho ManageEngine, and Zyxel starting March 28, 2025.
"This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems," the company said.
It's essential that organizations ensure all systems are up to date with the latest security patches to mitigate known vulnerabilities, monitor network traffic for any signs of anomalous activity, and block malicious IP addresses.
(The story was updated after publication to include a response from Palo Alto Networks.)
