Latest Cyber Security News

You are here: Home / General Cyber Security News / Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
April 1, 2025

Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals.

“This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation,” threat intelligence firm GreyNoise said.

The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious.

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Cybersecurity

The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.

It’s currently not clear what’s driving the activity, but it points to a systemic approach to testing network defenses, which could likely pave the way for later exploitation.

PAN-OS GlobalProtect

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” Bob Rudis, VP of Data Science at GreyNoise, said. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”

In light of the unusual activity, it’s imperative that organizations with internet-facing Palo Alto Networks instances take steps to secure their login portals.

The Hacker News has reached out to Palo Alto Networks for further comment, and we will update the story if we hear back.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *