Surge In Palo Alto Networks GlobalProtect Scanning Suggests Impending Cyber Threats


In recent weeks, security researchers at GreyNoise have detected a substantial increase in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. This coordinated probing effort, involving nearly 24,000 unique IP addresses, suggests an organized attempt to identify exposed or vulnerable systems. Similar historical patterns indicate that new vulnerabilities often emerge within 2 to 4 weeks of such activity, raising concerns about potential upcoming exploits against Palo Alto Networks devices.

Severity Level: High

THREAT DETAILS

Surge in Scanning Activity

  1. Timeframe: The scanning activity spiked on March 17, 2025, reaching a daily peak of 20,000 unique IP addresses before tapering off on March 26, 2025.
  2. Scale: A total of 23,800 unique IP addresses were involved in reconnaissance attempts, with 154 IPs classified as malicious.
  3. Indicators of Coordination: The sustained, high-volume scanning suggests a planned effort rather than random attacks.

Threat Actors & Attribution

  1. Attribution: Unattributed.
  2. Major IP Contributors:
     • 3xK Tech GmbH (ASN200373): 20,010 IPs involved.
     • Other Notable ASNs: PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.
  3. JA4h Hashes Detected:
     • po11nn11enus_967778c7bec7_000000000000_000000000000
     • po11nn09enus_fb8b2e7e6287_000000000000_000000000000
     • po11nn060000_c4f66731b00d_000000000000_000000000000

These JA4h values are HTTP client fingerprints (derived from the request method, HTTP version, header set and Accept-Language, plus hashes of header names and cookies), so they characterize the scanning tool itself rather than any single IP; researchers can use them to correlate separate login attempts back to the same attacker tooling and infrastructure.

Geographic Breakdown of Activity

  1. Top Source Countries (Attack Origins):
     • United States (16,249 IPs)
     • Canada (5,823 IPs)
     • Other notable contributors: Finland, Netherlands, Russia
  2. Top Targeted Countries:
     • United States (23,768 attacks detected)
     • Secondary targets: United Kingdom, Ireland, Russia, Singapore

These patterns reflect a global-scale reconnaissance campaign, with attackers likely searching for unpatched or misconfigured systems.

Similarity to Past Cyber Espionage Campaigns

  1. A similar large-scale scanning operation was observed in 2024, which preceded a cyber-espionage campaign targeting perimeter network devices.
  2. While the tactics differ, both incidents emphasize the importance of securing edge devices, particularly firewall and VPN appliances.

Potential Implications

  1. Emerging Exploits: Historical patterns suggest that new vulnerabilities may emerge within 2-4 weeks following such scanning surges.
  2. Targeted Exploitation Likely: Attackers may use collected data to launch credential stuffing attacks, exploit known vulnerabilities, or test zero-days.
  3. Increased Risk for Palo Alto Networks Users: Organizations using GlobalProtect portals and PAN-OS-based infrastructure are at higher risk and should immediately assess security postures.

Recommendations:

  1. Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.
  2. Ensure all GlobalProtect systems and PAN-OS firmware are up to date.
  3. Alert users of possible credential harvesting campaigns; encourage MFA usage.
  4. Restrict GlobalProtect portal access to trusted IP ranges.
  5. Prepare for rapid patch deployment in case of emergent PAN-OS CVEs.
  6. Block the published IoCs (see Sources) at the respective controls, such as firewall, proxy and IDS/IPS rules.
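The following is an added example (not code from this advisory, from Ampcus Cyber, or from GreyNoise) that ties together two points above: that the JA4h fingerprints identify the scanning tool rather than individual IPs, and the recommendation to review March logs and block the published IoCs. The log lines it processes are constructed for the example; their key=value layout is a hypothetical export from a reverse proxy or sensor in front of a GlobalProtect portal that records the client's JA4h (PAN-OS itself does not log JA4h, so `parse_line()` would need adapting to real telemetry). The JA4h set contains only the three fingerprints quoted above; the IP list is a documentation-range placeholder to be filled from the VirusTotal collection under Sources.

```python
"""Added example: hunt a GlobalProtect portal log export for the advisory's IoCs.

Assumptions (hypothetical, not from the advisory):
  * LOG_LINES is constructed sample telemetry in a made-up key=value format.
  * IOC_IPS is a placeholder; IOC_JA4H holds the three quoted fingerprints.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

IOC_JA4H = {
    "po11nn11enus_967778c7bec7_000000000000_000000000000",
    "po11nn09enus_fb8b2e7e6287_000000000000_000000000000",
    "po11nn060000_c4f66731b00d_000000000000_000000000000",
}
IOC_IPS = {"203.0.113.10"}  # placeholder (documentation range), not from the advisory


@dataclass
class Ja4hA:
    """Decoded JA4h_a section: the readable part before the first '_'."""
    method: str        # 'po' = POST, 'ge' = GET, ...
    version: str       # '11' = HTTP/1.1, '20' = HTTP/2
    has_cookie: bool   # 'c' if a Cookie header was sent, else 'n'
    has_referer: bool  # 'r' if a Referer header was sent, else 'n'
    header_count: int  # number of request headers (two digits)
    language: str      # first four chars of Accept-Language, '0000' if absent


_JA4H_A = re.compile(r"^([a-z]{2})(\d{2})([cn])([rn])(\d{2})([a-z0-9]{4})$")


def parse_ja4h_a(ja4h: str) -> Ja4hA:
    """Decode JA4h_a so an analyst can read what the scanning client looks like."""
    m = _JA4H_A.match(ja4h.split("_", 1)[0])
    if not m:
        raise ValueError(f"not a JA4h fingerprint: {ja4h!r}")
    method, version, cookie, referer, count, lang = m.groups()
    return Ja4hA(method, version, cookie == "c", referer == "r", int(count), lang)


# Constructed sample log export; all addresses are documentation-range values.
LOG_LINES = """\
2025-03-17T08:12:04Z src=203.0.113.10 event=gp-portal-login user=admin result=fail ja4h=po11nn11enus_967778c7bec7_000000000000_000000000000
2025-03-17T08:12:09Z src=198.51.100.23 event=gp-portal-login user=test result=fail ja4h=po11nn09enus_fb8b2e7e6287_000000000000_000000000000
2025-03-17T08:13:40Z src=198.51.100.77 event=gp-portal-login user=jsmith result=success ja4h=po11nn12enus_1a2b3c4d5e6f_000000000000_000000000000
2025-03-18T02:01:11Z src=192.0.2.5 event=gp-portal-login user=admin result=fail ja4h=po11nn060000_c4f66731b00d_000000000000_000000000000
2025-03-18T02:01:15Z src=192.0.2.6 event=gp-portal-login user=admin result=fail ja4h=po11nn060000_c4f66731b00d_000000000000_000000000000
2025-03-26T11:30:00Z src=198.51.100.77 event=gp-portal-login user=jsmith result=success ja4h=po11nn12enus_1a2b3c4d5e6f_000000000000_000000000000
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) ja4h=(?P<ja4h>\S+)$"
)


def parse_line(line: str) -> dict:
    """Parse one hypothetical key=value log line into a record with a 'day' field."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    rec = m.groupdict()
    rec["day"] = rec["ts"][:10]
    return rec


def find_ioc_hits(lines):
    """Return records whose source IP or JA4h fingerprint matches a known IoC."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        if rec["src"] in IOC_IPS:
            reasons.append("ioc-ip")
        if rec["ja4h"] in IOC_JA4H:
            reasons.append("ioc-ja4h")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def unique_sources_per_day(lines):
    """Distinct source IPs per day: the metric the scanning surge is measured in."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        seen[rec["day"]].add(rec["src"])
    return {day: len(ips) for day, ips in sorted(seen.items())}


def surge_days(lines, baseline):
    """Days on which distinct sources exceed the portal's normal baseline."""
    return [d for d, n in unique_sources_per_day(lines).items() if n > baseline]


if __name__ == "__main__":
    lines = LOG_LINES.splitlines()
    for h in find_ioc_hits(lines):
        a = parse_ja4h_a(h["ja4h"])
        print(f'{h["ts"]} {h["src"]} {h["reasons"]} method={a.method} '
              f'http={a.version} headers={a.header_count} lang={a.language}')
    print("unique sources per day:", unique_sources_per_day(lines))
    print("surge days (baseline 2):", surge_days(lines, baseline=2))
```

Two design points: matching on the JA4h fingerprint catches the tool even when it arrives from an IP not yet on any list, which matters when 23,800 addresses are involved and most are transient hosting-provider space; and the per-day distinct-source count is the view that surfaces a surge like the March 17 spike, so the `baseline` should come from the portal's own quiet-period history rather than a fixed number.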

SOURCES:

  • https://www.virustotal.com/gui/collection/3de2e5ec1cfc83164f27a916aa0f4bc1db1a0924d360458b8cc8c5771072e0f9/iocs
  • https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity


Ampcus Cyber