Full Report
Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances. "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a
Analysis Summary
# Incident Report: Widespread Brute-Force Attacks Targeting PAN-OS GlobalProtect Gateways
## Executive Summary
Security vendor Palo Alto Networks reported observing widespread brute-force login attempts targeting customer PAN-OS GlobalProtect gateways. This activity followed public warnings from threat intelligence firms regarding a significant surge in scanning targeting these appliances. While the activity is consistent with password-related attacks and not confirmed vulnerability exploitation, it indicates a coordinated, large-scale probing effort against remote access infrastructure leveraged by numerous organizations globally. Response efforts focus on customer advisories, monitoring, and recommending immediate security hardening measures like MFA enforcement.
## Incident Details
- Discovery Date: April 11, 2025 (Date of Palo Alto Networks warning)
- Incident Date: Scanning activity commenced around March 17, 2025, peaking later that month.
- Affected Organization: Customers utilizing PAN-OS GlobalProtect Gateways (unspecified number of organizations).
- Sector: Unspecified (Affects organizations across various sectors using Palo Alto firewalls for VPN access).
- Geography: Worldwide, with notable scanning targets in the United States, the United Kingdom, Ireland, Russia, and Singapore.
## Timeline of Events
### Initial Access
- Date/Time: Commenced around March 17, 2025.
- Vector: Brute-force login attempts directed at the GlobalProtect portal/gateway interfaces of PAN-OS appliances.
- Details: Attackers used automated methods ("password-related attacks") to test login credentials against these public-facing services.
### Lateral Movement
- Not explicitly detailed; the reported activity is limited to initial access scanning and login attempts, and successful initial access was not confirmed to have occurred on a large scale.
### Data Exfiltration/Impact
- No evidence of successful data exfiltration or extensive compromise was reported at the time of the alert; the primary threat observed was credential compromise via brute force.
### Detection & Response
- Detection: The activity was first noted by threat intelligence firm GreyNoise, which alerted to a spike in suspicious login scanning activity. Palo Alto Networks subsequently confirmed observing activity consistent with brute-force attacks.
- Response Actions: Palo Alto Networks issued a public warning and analysis, is actively monitoring the situation, and is advising customers on mitigation strategies.
## Attack Methodology
- Initial Access: Brute-Force Login Attacks (Guessing credentials against the GlobalProtect login interface).
- Persistence: Not applicable based on known activity (Brute-force does not inherently establish persistence).
- Privilege Escalation: Not applicable based on known activity.
- Defense Evasion: Not applicable to the scanning phase; strong password policies and MFA reduce the chance that a guessed password alone passes the login check.
- Credential Access: Attempting to guess valid usernames and passwords.
- Discovery: Login scanning activity serves as reconnaissance to identify active GlobalProtect portals and test credentials.
- Lateral Movement: Not detailed.
- Collection: Not detailed.
- Exfiltration: Not detailed.
- Impact: Potential unauthorized remote access if brute-force attacks succeed in obtaining valid credentials.
## Impact Assessment
- Financial: Costs associated with remediation, security auditing, and potential downtime if successful intrusions occur (Not quantified).
- Data Breach: Potential for unauthorized access to networks protected by GlobalProtect VPNs if credentials are compromised.
- Operational: Minimal operational impact reported unless individual breaches occur. The detection itself led to proactive advisories.
- Reputational: Minor, since the event is a widespread, publicly disclosed scanning campaign rather than confirmed successful nation-state breaches.
## Indicators of Compromise
- Network indicators: High volume of login attempts originating from vast numbers of unique IP addresses (Peak of 23,958 unique IPs reported by GreyNoise).
- File indicators: None specified for this credential-stuffing/brute-force campaign.
- Behavioral indicators: Pattern of rapid, repeated failed login attempts against GlobalProtect portals.
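As an added example (not part of the original report), a small detector for the behavioral indicator above: it walks constructed, simplified authentication-log lines, flags a source IP once its failed GlobalProtect logins within a sliding window reach a threshold, and separately flags a later successful login from an already-flagged IP. The `timestamp src_ip username result` layout is an assumption for this illustration, not the real PAN-OS log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified GlobalProtect auth-log lines (not the real PAN-OS
# format): "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2025-03-17T10:00:01 198.51.100.7 alice FAIL
2025-03-17T10:00:02 198.51.100.7 bob FAIL
2025-03-17T10:00:03 198.51.100.7 carol FAIL
2025-03-17T10:00:04 198.51.100.7 dave FAIL
2025-03-17T10:00:05 198.51.100.7 erin FAIL
2025-03-17T10:00:06 198.51.100.7 frank FAIL
2025-03-17T10:05:00 203.0.113.9 alice FAIL
2025-03-17T10:05:30 203.0.113.9 alice SUCCESS
2025-03-17T10:20:00 198.51.100.7 alice SUCCESS
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts. A source IP is reported once as
    ("bruteforce", ip, fail_count) when its failed logins inside `window`
    reach `threshold`; any later SUCCESS from that IP is reported as
    ("success_after_bruteforce", ip, username), since the password may
    have been guessed and the account should be reviewed."""
    fails = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts_text, src, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        recent = fails[src]
        if result == "FAIL":
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(recent)))
        elif result == "SUCCESS" and src in flagged:
            alerts.append(("success_after_bruteforce", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 203.0.113.9 followed by a success is a normal mistyped password and is not reported, while the burst from 198.51.100.7 and its later success both are.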
## Response Actions
- Containment: Not yet applicable; the focus is on preventing successful logins.
- Eradication: Not applicable yet.
- Recovery Actions: No specific recovery steps apply; the necessary actions are hardening measures that prevent the attacks from succeeding:
1. Enforcing Multi-Factor Authentication (MFA) for GlobalProtect access.
2. Configuring GlobalProtect to facilitate MFA notifications.
3. Setting up security policies to detect and block brute-force attacks.
4. Limiting unnecessary external exposure of the GlobalProtect interface.
## Lessons Learned
- Remote access gateways (like GlobalProtect) are consistently high-value targets for automated, large-scale credential attack campaigns.
- Reliance solely on username/password authentication for VPN access creates a significant, persistent risk surface, evidenced by coordinated scanning efforts.
- Threat intelligence sharing (like that provided by GreyNoise) is crucial for early detection of widespread scanning campaigns.
## Recommendations
- Immediately enforce MFA across all remote access solutions, including PAN-OS GlobalProtect.
- Implement granular throttling or lock-out policies on login pages susceptible to brute force.
- Review and restrict external firewall rules to ensure GlobalProtect is only accessible from necessary geographic regions or via restricted management networks where possible.
- Ensure all PAN-OS instances are running the latest, patched versions.