Pierluigi Paganini April 11, 2025

Experts warn of brute-force login attempts on PAN-OS GlobalProtect gateways following increased scanning activity on its devices.

Palo Alto Networks reports brute-force login attempts on PAN-OS GlobalProtect gateways. The security firm pointed out that no known vulnerability has been exploited, but monitoring and analysis continue.

“Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability,” a company spokesperson told The Hacker News. “We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary.”

Recently, the threat intelligence firm GreyNoise reported a spike in login scanning targeting PAN-OS GlobalProtect portals starting March 17, 2025, peaking at 23,958 unique IPs. The activity, likely coordinated, focused on systems in the U.S., U.K., Ireland, Russia, and Singapore, aiming to find exposed systems.

“GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals.” reported GreyNoise. “The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation.”

Threat intel firm GreyNoise reported a spike in login scanning targeting PAN-OS GlobalProtect portals starting March 17, 2025, peaking at 23,958 unique IPs. The activity, likely coordinated, focused on systems in the U.S., U.K., Ireland, Russia, and Singapore, aiming to find exposed systems.

GreyNoise found most suspicious traffic (20,010 IPs) tied to 3xK Tech GmbH (ASN200373), with other sources including PureVoltage, Fast Servers, and Oy Crea Nova. They also identified three JA4h hashes linked to the attackers’ login scanner tool, revealing consistent connection patterns across attempts.

The experts also noticed that the activity is likely connected to other PAN-OS reconnaissance campaign, including a notable spike on March 26, 2025, with 2,580 unique source IPs tagged as PAN-OS Crawler.

“This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access.” concludes GreyNoise. “Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.“

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)