Full Report
Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals. "This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," threat
Analysis Summary
# Incident Report: Coordinated PAN-OS GlobalProtect Login Scanning Campaign
## Executive Summary
A large-scale, coordinated scanning campaign targeting Palo Alto Networks (PAN-OS) GlobalProtect gateways was detected, involving nearly 24,000 unique IP addresses attempting suspicious logins. This activity, observed over ten days in March 2025, suggests a systematic reconnaissance effort possibly preceding targeted exploitation of exposed vendor-specific VPN portals. While most scanning IPs were labeled benign noise, a malicious subset prompted security warnings for organizations to secure their internet-facing instances.
## Incident Details
- **Discovery Date:** March 17, 2025 (Start of sustained activity)
- **Incident Date:** Began March 17, 2025, lasting until at least March 26, 2025.
- **Affected Organization:** Various organizations globally utilizing internet-facing Palo Alto Networks PAN-OS GlobalProtect gateways.
- **Sector:** Unspecified (Broad targeting across various sectors utilizing firewall/VPN solutions).
- **Geography:** Top sources of traffic were the US and Canada; primary targets included systems in the US, UK, Ireland, Russia, and Singapore.
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced March 17, 2025.
- **Vector:** Direct login attempts against PAN-OS GlobalProtect portals.
- **Details:** A surge of login activity began and was sustained at nearly 20,000 unique IP addresses per day.
### Lateral Movement
- *Not explicitly detailed, as this event appears to be reconnaissance/pre-exploitation scanning targeting the external perimeter.*
### Data Exfiltration/Impact
- *No confirmed data exfiltration or system compromise was reported as a result of this specific scanning event, though the intent was likely discovery.*
### Detection & Response
- **How it was discovered:** Threat intelligence firm GreyNoise observed and reported the spike in suspicious login scanning activity.
- **Response actions taken:** Organizations using internet-facing PAN-OS instances were warned to take immediate steps to secure their login portals.
## Attack Methodology
- **Initial Access:** Brute-forcing or credential stuffing attempts against GlobalProtect login endpoints.
- **Persistence:** N/A for this scanning phase.
- **Privilege Escalation:** N/A for this scanning phase.
- **Defense Evasion:** The vast majority of IPs (the 23,840 benign scanners) blended in with general internet noise, though 154 IPs were definitively flagged as malicious.
- **Credential Access:** Attempting to gain access via exposed login portals.
- **Discovery:** Identifying externally accessible PAN-OS GlobalProtect deployments.
- **Lateral Movement:** N/A for this scanning phase.
- **Collection:** N/A for this scanning phase.
- **Exfiltration:** N/A (Reconnaissance phase).
- **Impact:** Potential identification of weak credentials or vulnerable portals for future exploitation.
## Impact Assessment
- **Financial:** Not specified; potential future costs related to incident handling/remediation if exploitation occurs.
- **Data Breach:** None confirmed from the scanning activity itself.
- **Operational:** Potential service disruption from the high volume of authentication requests, though no disruption was reported.
- **Reputational:** Minor impact stemming from the public disclosure of widespread scanning activity targeting this platform.
## Indicators of Compromise
- **Network indicators:** Traffic originated from nearly 24,000 unique source IPs, of which **154** were specifically flagged as malicious. No individual IP addresses are listed in this report; the flagged sources must be obtained from the reporting threat intelligence provider's feed before they can be blocked.
- **File indicators:** None reported.
- **Behavioral indicators:** High volume of sequential login attempts against PAN-OS GlobalProtect URLs/endpoints over a ten-day period (March 17 - March 26, 2025).
## Response Actions
- **Containment measures:** Organizations were advised to secure internet-facing login portals.
- **Eradication steps:** Not applicable to the scanning phase; eradication would only be required if a subsequent compromise succeeded.
- **Recovery actions:** Not applicable to the scanning phase.
## Lessons Learned
- Broad reconnaissance campaigns aimed at a specific technology (such as PAN-OS) remain a consistent pattern and often precede vulnerability disclosures or exploitation waves, as observed over the last 18-24 months.
- Organizations must remain vigilant regarding perimeter security, even when the activity appears to be only "scanning."
## Recommendations
- Immediately review and enforce strong authentication policies (MFA) on all internet-facing PAN-OS GlobalProtect instances.
- Implement strict rate-limiting or automatic blocking rules based on unusual login attempt volumes directed at GlobalProtect portals.
- Ensure all PAN-OS devices are patched against known vulnerabilities, as these scanners often test for older, specific weaknesses.
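The behavioral indicator above (a high volume of login attempts against GlobalProtect endpoints) and the recommendation to block on unusual attempt volumes both come down to counting failures per source over time. The script below is an added example, not code from GreyNoise, Palo Alto Networks, or the report; it shows three complementary checks a defender would run over portal authentication logs: a per-source burst detector (rate-limit style), a per-source cumulative count that catches sources spacing attempts out to stay under a rate limit, and a campaign-level count of distinct failing sources, which is the signal that stands out when, as here, tens of thousands of IPs each make only a few attempts. The log format, the endpoint list, the sample lines and the thresholds are all constructed assumptions for this example; real PAN-OS system logs use a different layout, so only `parse_line` would need adapting.

```python
"""Threshold detection for login floods against GlobalProtect portals (added example)."""
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Assumption: these paths are treated as the GlobalProtect authentication surface.
GP_ENDPOINTS = {"/global-protect/login.esp", "/ssl-vpn/login.esp"}

# Constructed sample log, one record per line: "<ISO timestamp>,<src_ip>,<endpoint>,<result>".
# 203.0.113.7 hammers the portal in a burst, 198.51.100.23 is a user who mistyped once,
# 192.0.2.44 probes slowly (one attempt every five minutes), and one line hits a non-GP path.
SAMPLE_LOG = """\
2025-03-17T10:00:00Z,203.0.113.7,/global-protect/login.esp,auth-fail
2025-03-17T10:00:03Z,203.0.113.7,/global-protect/login.esp,auth-fail
2025-03-17T10:00:05Z,203.0.113.7,/global-protect/login.esp,auth-fail
2025-03-17T10:00:09Z,203.0.113.7,/ssl-vpn/login.esp,auth-fail
2025-03-17T10:00:12Z,203.0.113.7,/global-protect/login.esp,auth-fail
2025-03-17T10:00:15Z,203.0.113.7,/global-protect/login.esp,auth-fail
2025-03-17T10:00:20Z,198.51.100.23,/global-protect/login.esp,auth-fail
2025-03-17T10:00:25Z,198.51.100.23,/global-protect/login.esp,auth-success
2025-03-17T10:01:00Z,192.0.2.44,/global-protect/login.esp,auth-fail
2025-03-17T10:06:00Z,192.0.2.44,/global-protect/login.esp,auth-fail
2025-03-17T10:11:00Z,192.0.2.44,/global-protect/login.esp,auth-fail
2025-03-17T10:16:00Z,192.0.2.44,/global-protect/login.esp,auth-fail
2025-03-17T10:21:00Z,192.0.2.44,/global-protect/login.esp,auth-fail
2025-03-17T10:26:00Z,192.0.2.44,/global-protect/login.esp,auth-fail
2025-03-17T10:30:00Z,192.0.2.44,/admin/login,auth-fail
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for blank or malformed input."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    ts_text, src_ip, endpoint, result = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": ts, "src_ip": src_ip, "endpoint": endpoint, "result": result}


def gp_failures(log_text: str) -> List[dict]:
    """Keep only failed logins against GlobalProtect endpoints, sorted by time."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events = [e for e in events if e["endpoint"] in GP_ENDPOINTS and e["result"] == "auth-fail"]
    return sorted(events, key=lambda e: e["ts"])


def burst_sources(log_text: str, window_seconds: int = 120, threshold: int = 5) -> Dict[str, int]:
    """Per-source sliding window, the rate-limit style check.
    Returns {src_ip: peak failures inside one window} for sources reaching the threshold."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for e in gp_failures(log_text):
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        peak[e["src_ip"]] = max(peak[e["src_ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def slow_sources(log_text: str, threshold: int = 5) -> Dict[str, int]:
    """Cumulative per-source count over the whole log; catches low-and-slow probing
    that never trips a short-window rate limit."""
    totals: Dict[str, int] = defaultdict(int)
    for e in gp_failures(log_text):
        totals[e["src_ip"]] += 1
    return {ip: n for ip, n in totals.items() if n >= threshold}


def peak_distinct_sources(log_text: str, window_seconds: int = 3600) -> int:
    """Campaign-level signal: the largest number of distinct IPs with a failed
    GlobalProtect login inside any one window. A spike here with low per-IP counts
    is the distributed-scan pattern that per-source limits alone do not reveal."""
    events = gp_failures(log_text)
    seen: Dict[str, int] = defaultdict(int)
    best = start = 0
    for e in events:
        seen[e["src_ip"]] += 1
        while (e["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
            old = events[start]["src_ip"]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


if __name__ == "__main__":
    print("burst sources:", burst_sources(SAMPLE_LOG))
    print("slow sources:", slow_sources(SAMPLE_LOG))
    print("peak distinct failing sources / hour:", peak_distinct_sources(SAMPLE_LOG))
```

On the constructed sample, the burst check flags only 203.0.113.7, the cumulative check also flags 192.0.2.44, and the distinct-source count is what would climb into the thousands during a campaign like the one described above; in production the third number is the one to alert on with a baseline rather than a fixed threshold.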