Full Report
Threat intelligence firm GreyNoise disclosed on Friday that it has observed a massive spike in scanning activity targeting Palo Alto Networks login portals. The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and
Analysis Summary
# Incident Report: Massive Surge in Scanning Activity Targeting Palo Alto Networks Portals
## Executive Summary
Threat intelligence firm GreyNoise detected an unprecedented, nearly 500% surge in targeted scanning activity against Palo Alto Networks login portals on October 3, 2025, involving approximately 1,300 unique IP addresses. The activity exhibited characteristics similar to concurrent scanning observed against Cisco ASA devices, suggesting potential pre-exploit reconnaissance for a future vulnerability disclosure. While Palo Alto Networks confirmed no evidence of compromise following their investigation, the event highlights a growing trend of organized, pre-emptive scanning targeting network security infrastructure.
## Incident Details
- Discovery Date: October 3, 2025
- Incident Date: Beginning primarily on October 3, 2025 (with escalating activity noted through October 7)
- Affected Organization: Palo Alto Networks (as the target of scanning activity)
- Sector: Cybersecurity / Network Security Appliance Vendors
- Geography: Primary scanning IPs geolocated to the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. (A later update noted increased ASN diversity.)
## Timeline of Events
### Initial Access
- Date/Time: October 3, 2025
- Vector: Automated scanning activity targeting Palo Alto Networks login portals (likely GlobalProtect gateways).
- Details: GreyNoise observed a 500% jump in this traffic, reaching 1,300 unique scanning IP addresses, up from around 200 previously.
### Lateral Movement
- **Not applicable/Not confirmed.** This incident involves only external scanning against public-facing login portals (potential reconnaissance or brute-forcing), not a confirmed internal compromise.
### Data Exfiltration/Impact
- **Not applicable/Not confirmed.** Palo Alto Networks reported finding "no evidence of a compromise." The activity appears preparatory.
### Detection & Response
- **Detection:** Identified by threat intelligence firm GreyNoise based on proprietary sensor data.
- **Response Actions:** Palo Alto Networks investigated the reported scanning and confirmed that its own infrastructure (protected by Cortex XSIAM) was secure. In prior, similar incidents it urged customers to update their software.
## Attack Methodology
- Initial Access: Automated scanning and fingerprinting of login endpoints on Palo Alto Networks portals, with credential testing as the likely follow-on (PAN-OS GlobalProtect identified in context).
- Persistence: *Not applicable/Not observed in this phase.*
- Privilege Escalation: *Not applicable/Not observed.*
- Defense Evasion: The majority of the scanning IPs (93%) were classified as "suspicious," suggesting efforts to cycle through varying sources to evade simple IP blocking.
- Credential Access: Inferred goal of login scanning is often credential testing (brute-forcing or dictionary attacks).
- Discovery: Fingerprinting overlap noted between this activity and recent Cisco ASA scanning activity, using dominant TLS fingerprints tied to Netherlands infrastructure, suggesting organized tooling.
- Lateral Movement: *Not applicable/Not observed.*
- Collection: *Not applicable/Not observed.*
- Exfiltration: *Not applicable/Not observed.*
- Impact: *None confirmed.* The purpose appears to be preparation for potential future exploitation.
## Impact Assessment
- Financial: No reported costs for this specific scanning event.
- Data Breach: None reported.
- Operational: No operational disruption confirmed for Palo Alto Networks or its customers due to this specific activity.
- Reputational: Minor exposure due to the public reporting of high-volume scanning precursors.
## Indicators of Compromise
- **Network indicators (Defanged):** No individual IP addresses are listed in this report. The traffic spike came primarily from IPs classified as suspicious/malicious, originating globally and characterized by specific TLS fingerprints often associated with bulk scanning infrastructure (sometimes clustered in the Netherlands).
- **File indicators:** None reported.
- **Behavioral indicators:** High-volume, structured scanning targeting vendor login portals, sharing tooling signatures with recent Cisco ASA scanning campaigns. (A later update noted an increase in the number of unique ASNs involved.)
## Response Actions
- **Containment measures:** N/A (Scanning activity; containment relies on platform security defenses).
- **Eradication steps:** N/A.
- **Recovery actions:** N/A. Palo Alto Networks relied on its existing robust security posture (Cortex XSIAM).
## Lessons Learned
- **Key takeaways:** Highly organized threat actors are engaging in intensive, widespread reconnaissance against major security platform login endpoints *before* new vulnerabilities are disclosed (as evidenced by historical correlation with Cisco ASA disclosures).
- **What could have been done better:** While PAN was secure, the incident highlights the need for vendors and customers to remain highly vigilant about login portal scanning, as it often precedes exploit disclosure.
## Recommendations
- **Prevention measures for similar incidents:**
1. Organizations using Palo Alto Networks GlobalProtect/PAN-OS must ensure all software is running the latest, patched versions, especially following intelligence reports of pre-exploit scanning.
2. Implement advanced behavioral monitoring (like WAFs or XSIAM) capable of detecting TLS fingerprint anomalies and high-volume, structured login attempts indicative of credential stuffing or reconnaissance campaigns.
3. Implement strong, non-guessable passwords and mandatory Multi-Factor Authentication (MFA) on all network access control systems (like VPN gateways).
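As an added example (not GreyNoise or Palo Alto Networks code) of the monitoring that recommendation 2 describes: it counts distinct source IPs hitting a login path per day over constructed log lines, flags any day that is at least 5x the mean of the preceding days (the report's jump from around 200 to 1,300 IPs), and reports what share of that day's IPs present the same TLS fingerprint. The log line format, the `/global-protect/` path prefix and the fingerprint labels are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean

LOGIN_PREFIX = "/global-protect/"  # assumed portal path prefix, not taken from the report

def parse_line(line):
    """Split one constructed log line: '<YYYY-MM-DD> <src_ip> <tls_fp> <path>'."""
    day, ip, tls_fp, path = line.split()
    return day, ip, tls_fp, path

def unique_ips_per_day(lines):
    """Number of distinct source IPs that touched the login path on each day."""
    seen = defaultdict(set)
    for day, ip, _, path in map(parse_line, lines):
        if path.startswith(LOGIN_PREFIX):
            seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}

def detect_spikes(daily_counts, ratio=5.0, min_baseline_days=2):
    """Flag days whose unique-IP count is at least `ratio` times the mean of all prior days."""
    days = sorted(daily_counts)
    spikes = []
    for i in range(min_baseline_days, len(days)):
        baseline = mean(daily_counts[d] for d in days[:i])
        count = daily_counts[days[i]]
        if baseline and count / baseline >= ratio:
            spikes.append((days[i], count, round(baseline), round(count / baseline, 1)))
    return spikes

def dominant_fingerprint(lines, day):
    """Most common TLS fingerprint among that day's source IPs, and its share of those IPs."""
    fp_by_ip = {ip: fp for d, ip, fp, _ in map(parse_line, lines) if d == day}
    fp, n = Counter(fp_by_ip.values()).most_common(1)[0]
    return fp, n / len(fp_by_ip)

def build_sample_log():
    """Constructed traffic: ~200 IPs/day, then 1,300 on 2025-10-03 with 90% sharing one fingerprint."""
    profile = [("2025-09-30", 200, 0.0), ("2025-10-01", 210, 0.0),
               ("2025-10-02", 195, 0.0), ("2025-10-03", 1300, 0.9)]
    lines = []
    for day, n_ips, scanner_share in profile:
        for k in range(n_ips):
            ip = f"10.{k // 256}.{k % 256}.7"  # synthetic address, one per k
            fp = "fp-scanner" if k < int(n_ips * scanner_share) else f"fp-{k % 20}"
            lines.append(f"{day} {ip} {fp} {LOGIN_PREFIX}login.esp")
    return lines
```

Running `detect_spikes(unique_ips_per_day(build_sample_log()))` flags only 2025-10-03, at about 6.4x the baseline of 202 IPs, and `dominant_fingerprint` on that day shows 90% of the scanning IPs sharing one fingerprint, the kind of shared-tooling signal the report describes.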