- GreyNoise observed a scanning spike throughout March 2025
- Thousands of IP addresses probed PAN-OS GlobalProtect portals
- Such activity usually precedes a cyberattack, the researchers say
Someone may be preparing to attack Palo Alto Networks devices, security researchers warn after identifying a rise in activity.
GreyNoise analysts said they had observed a "significant surge" in login scanning activity against the company's PAN-OS GlobalProtect portals, with nearly 24,000 unique IP addresses attempting to access these portals in March 2025.
"The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," the report said. This could also mean that someone has found a zero-day vulnerability in these endpoints and is now looking to see how many of them can be compromised.
Remote code execution risks
"Over the past 18 to 24 months, we have observed a consistent pattern of deliberate targeting of older vulnerabilities, or well-worn attack and reconnaissance attempts, against specific technologies," said Bob Rudis, vice president of data science at GreyNoise. "These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later."
For GreyNoise, there is no doubt that this is a malicious campaign. Of the 24,000 unique IP addresses that scanned Palo Alto devices, 154 were labeled "malicious" beyond reasonable doubt, while the rest had previously been classified as "suspicious". They are mainly located in North America, in the United States and Canada.
The majority of targets are also based in the United States.
GreyNoise says this activity could be linked to separate PAN-OS reconnaissance tags, such as "PAN-OS Crawler", where it observed a single spike on March 26, 2025 involving 2,580 unique source IPs.
The ultimate objective is obviously not known for now, but vigilance is advised. IT teams should review their logs since mid-March to see whether they were targeted and should look for signs of compromise. They should also harden their login portals and block known malicious IPs.
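As an added illustration of the log review recommended above (not code from GreyNoise or the article), the script below triages a constructed, simplified portal login log: it counts distinct source IPs with failed logins per day from mid-March onward, flags days where that count reaches a threshold (the many-sources-few-attempts shape of a scanning campaign), and checks the log against a placeholder known-malicious IP list. The log format, the sample lines and the block list are all assumptions, not real PAN-OS output.

```python
"""Scan-spike triage for GlobalProtect portal login logs (constructed example)."""
from collections import defaultdict
from datetime import date

# Constructed sample lines, NOT real PAN-OS output: date, source IP, user, result
SAMPLE_LOG = """\
2025-03-10,203.0.113.5,alice,success
2025-03-10,203.0.113.9,bob,success
2025-03-17,198.51.100.1,admin,failure
2025-03-17,198.51.100.2,admin,failure
2025-03-17,198.51.100.3,test,failure
2025-03-17,198.51.100.4,root,failure
2025-03-17,203.0.113.5,alice,success
2025-03-26,192.0.2.10,admin,failure
2025-03-26,192.0.2.11,admin,failure
2025-03-26,192.0.2.12,guest,failure
2025-03-26,192.0.2.13,guest,failure
2025-03-26,192.0.2.14,admin,failure
"""

# Placeholder block list; in practice load the IPs your threat-intel feed flags.
KNOWN_BAD = {"192.0.2.11", "198.51.100.3"}

WINDOW_START = date(2025, 3, 15)  # "since mid-March", as the article advises


def parse(log_text):
    """Yield (date, src_ip, user, result) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, ip, user, result = line.split(",")
        yield date.fromisoformat(day), ip, user, result


def failed_sources_per_day(log_text, start=WINDOW_START):
    """Map each day on/after `start` to the set of source IPs with failed logins."""
    per_day = defaultdict(set)
    for day, ip, _user, result in parse(log_text):
        if day >= start and result == "failure":
            per_day[day].add(ip)
    return per_day


def spike_days(log_text, threshold=4, start=WINDOW_START):
    """Days on which failed-login source IPs reach `threshold` (scanning shape)."""
    return sorted(d for d, ips in failed_sources_per_day(log_text, start).items()
                  if len(ips) >= threshold)


def flagged_hits(log_text, bad_ips=KNOWN_BAD):
    """Source IPs in the log that appear on the known-malicious list."""
    return sorted({ip for _d, ip, _u, _r in parse(log_text) if ip in bad_ips})
```

Tune the threshold to your portal's normal failed-login baseline; a burst of distinct sources each failing once is the signal, not repeated failures from one address.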
Via BleepingComputer