Summary: GreyNoise has reported a significant increase in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals, with nearly 24,000 unique IP addresses attempting access in the past 30 days. The surge peaked at nearly 20,000 IPs per day between March 17 and March 26, which suggests a coordinated effort to probe for vulnerable systems and may indicate preparation for future exploitation. Historically, such patterns have preceded the discovery of new vulnerabilities: GreyNoise's Bob Rudis noted that deliberate targeting of older vulnerabilities often coincides with new ones emerging in the following weeks. Most of the activity is classified as suspicious, with a small subset identified as malicious, but its consistency suggests a planned effort to test network defenses and identify security holes that can be exploited in future attacks.
Security Officer Comments: According to GreyNoise, most of the traffic originated from the United States (16,249 IPs) and Canada (5,823 IPs), followed by Finland, the Netherlands, and Russia. The majority of targeted systems are based in the United States, with smaller volumes directed at the United Kingdom, Ireland, Russia, and Singapore. Overall, this activity mirrors a 2024 espionage campaign reported by Cisco Talos, which also focused on perimeter network devices. Although the tactics differ, both incidents underline the need to monitor and secure edge devices to prevent unauthorized access.
Suggested Corrections: GreyNoise has identified three JA4h hashes linked to a login scanner tool used by the attackers in the latest campaign:
po11nn11enus_967778c7bec7_000000000000_000000000000
po11nn09enus_fb8b2e7e6287_000000000000_000000000000
po11nn060000_c4f66731b00d_000000000000_000000000000
The firm also shared relevant IP addresses, which organizations should consider blocking.
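One way to put the published fingerprints to work on the defender's side, as an added example that is not part of the GreyNoise report: match the three JA4h hashes against portal access logs and track distinct source IPs per day, since the report describes the surge in exactly those terms. The log line format, the portal path and the sample lines are constructed for this example; real PAN-OS or proxy logs will need their own parser.

```python
import re
from collections import defaultdict

# JA4h fingerprints GreyNoise attributed to the login scanner (values from the report).
SCANNER_JA4H = {
    "po11nn11enus_967778c7bec7_000000000000_000000000000",
    "po11nn09enus_fb8b2e7e6287_000000000000_000000000000",
    "po11nn060000_c4f66731b00d_000000000000_000000000000",
}

# Hypothetical log format "<date> <src_ip> <path> ja4h=<fingerprint>"; the JA4h field
# is assumed to be emitted by a front-end proxy, real device logs differ.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ja4h=(\S+)$")

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = """\
2025-03-17 203.0.113.10 /global-protect/login.esp ja4h=po11nn11enus_967778c7bec7_000000000000_000000000000
2025-03-17 203.0.113.11 /global-protect/login.esp ja4h=po11nn09enus_fb8b2e7e6287_000000000000_000000000000
2025-03-17 198.51.100.5 /global-protect/login.esp ja4h=ge11cn20enus_aabbccddeeff_111111111111_222222222222
2025-03-18 203.0.113.10 /global-protect/login.esp ja4h=po11nn11enus_967778c7bec7_000000000000_000000000000
2025-03-18 203.0.113.12 /global-protect/login.esp ja4h=po11nn060000_c4f66731b00d_000000000000_000000000000
"""


def parse(log_text):
    """Yield (date, src_ip, path, ja4h) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def scanner_hits(log_text):
    """Return {src_ip: {ja4h, ...}} for sources whose JA4h matches the scanner set."""
    hits = defaultdict(set)
    for _date, ip, _path, ja4h in parse(log_text):
        if ja4h in SCANNER_JA4H:
            hits[ip].add(ja4h)
    return dict(hits)


def unique_ips_per_day(log_text, path_prefix="/global-protect/"):
    """Count distinct source IPs per day on the portal path; a sudden jump is the surge signal."""
    per_day = defaultdict(set)
    for date, ip, path, _ja4h in parse(log_text):
        if path.startswith(path_prefix):
            per_day[date].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}
```

A fingerprint match is attribution for a blocklist or alert; the per-day count is the baseline that shows whether an organization is seeing the same ramp-up GreyNoise observed.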
Link(s): https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity