Coordinated Global Scanning Campaign Hits Palo Alto Devices


On October 3, 2025, GreyNoise Intelligence reported a ~500% surge in network scanning activity targeting Palo Alto Networks login portals, marking the highest level of such activity in the past 90 days. The surge involved over 1,300 unique IPs, most of which appeared for the first time within 48 hours, indicating a coordinated reconnaissance operation rather than random background noise. The incident coincides with recent scanning activity against Cisco ASA devices, suggesting the possibility of shared infrastructure or coordinated adversarial campaigns.

Severity: High

Threat Characteristics

  • Date of Observation: October 1–3, 2025
  • Activity Type: Targeted reconnaissance scanning
  • Targeted Systems: Palo Alto GlobalProtect and PAN-OS login interfaces
  • IP Classification:
    • 93% categorized as suspicious
    • 7% identified as malicious

Geolocation Breakdown

  • The scanning IPs originated from the U.S., the U.K., the Netherlands, Canada, and Russia.
  • This activity targeted distinct global regions such as the U.S., Pakistan, Mexico, France, Australia, and the U.K.

Cross-Technology Correlation

  • GreyNoise analysis revealed significant overlap between this Palo Alto-focused scanning and recent Cisco ASA scanning events.
  • Both campaigns shared TLS fingerprint similarities linked to infrastructure hosted in the Netherlands.
  • Similar scanning cadence and payload patterns indicate possible reuse of reconnaissance tooling or centrally managed command-and-control infrastructure.
  • GreyNoise previously noted that spikes in Palo Alto scanning activity often precede new vulnerability disclosures within a 4–6 week window, though correlation is not yet confirmed for this event.

Defensive Implications

The coordinated nature, volume, and focused targeting of this campaign mark it as a clear reconnaissance operation. Such surges often act as precursors to vulnerability exploitation, credential brute-force attacks, or targeted access attempts once a relevant CVE becomes public.
Organizations using Palo Alto PAN-OS or GlobalProtect should assume active scanning and fingerprinting exposure and enforce strict access controls, timely patching, and enhanced logging of login attempts.

Recommendations

  1. Restrict access to Palo Alto admin and GlobalProtect interfaces from the internet.
  2. Ensure PAN-OS and GlobalProtect are fully patched, prioritizing recent CVEs.
  3. Monitor for anomalous authentication attempts targeting GlobalProtect and PAN-OS services.
  4. Create alerts for spikes in connection attempts to PAN-OS management ports and for unusual TLS client fingerprints.
  5. Disable public access to management interfaces where possible.
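Recommendations 3 and 4 call for detecting two signals described in the advisory: a surge in distinct source IPs that have never been seen before hitting the login portals, and many sources presenting the same unfamiliar TLS client fingerprint. The following script is an added example, not GreyNoise's or Ampcus Cyber's tooling, and it assumes a constructed, simplified log line format (date, source IP, portal, result, TLS fingerprint label) and a constructed allowlist of known fingerprints; the sample log embedded below is invented to show a quiet baseline followed by a burst of first-seen sources.

```python
"""Detect scanning surges and shared unknown TLS fingerprints in portal login logs.

Added example with constructed data; the log format and allowlist are assumptions,
not a real PAN-OS or GlobalProtect log schema.
"""
from collections import defaultdict
from datetime import date
from typing import NamedTuple


class LoginEvent(NamedTuple):
    day: date
    src_ip: str
    portal: str
    result: str   # "OK" or "FAIL"
    tls_fp: str   # opaque label for the TLS client fingerprint (e.g. a JA3-style hash)


# Constructed sample log (not real telemetry). One event per line:
#   <YYYY-MM-DD> <source ip> <portal> <OK|FAIL> <tls client fingerprint label>
_BASELINE = """\
2025-09-28 198.51.100.10 globalprotect FAIL fp-known-a
2025-09-28 198.51.100.11 globalprotect FAIL fp-known-a
2025-09-29 198.51.100.10 globalprotect OK fp-known-a
2025-09-29 203.0.113.5 pan-os-mgmt FAIL fp-known-b
2025-09-30 198.51.100.11 globalprotect FAIL fp-known-a
2025-10-01 198.51.100.10 globalprotect OK fp-known-a
"""
# Burst day: eleven sources never seen before, all presenting one new fingerprint.
_BURST = "".join(
    f"2025-10-01 192.0.2.{n} globalprotect FAIL fp-new-x\n" for n in range(1, 12)
)
SAMPLE_LOG = _BASELINE + _BURST

# Constructed allowlist of fingerprints normally seen from legitimate clients.
KNOWN_TLS_FINGERPRINTS = {"fp-known-a", "fp-known-b"}


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the simplified whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, ip, portal, result, fp = line.split()
        events.append(LoginEvent(date.fromisoformat(day), ip, portal, result, fp))
    return events


def unique_sources_per_day(events: list[LoginEvent]) -> dict[date, set[str]]:
    per_day: dict[date, set[str]] = defaultdict(set)
    for ev in events:
        per_day[ev.day].add(ev.src_ip)
    return dict(per_day)


def first_seen_fraction(events: list[LoginEvent], day: date) -> float:
    """Share of `day`'s source IPs that appear nowhere earlier in the log."""
    per_day = unique_sources_per_day(events)
    earlier = set().union(*(ips for d, ips in per_day.items() if d < day))
    todays = per_day.get(day, set())
    if not todays:
        return 0.0
    return len(todays - earlier) / len(todays)


def detect_surges(events: list[LoginEvent], threshold: float = 5.0):
    """Flag days whose unique-source count is at least `threshold` times the mean
    of all earlier days. Returns (day, count, ratio, first_seen_fraction) tuples;
    a high first-seen fraction is what separates a coordinated campaign from the
    usual background scanners."""
    per_day = unique_sources_per_day(events)
    days = sorted(per_day)
    flagged = []
    for i, day in enumerate(days[1:], start=1):
        baseline = sum(len(per_day[d]) for d in days[:i]) / i
        ratio = len(per_day[day]) / baseline
        if ratio >= threshold:
            flagged.append((day, len(per_day[day]), ratio, first_seen_fraction(events, day)))
    return flagged


def unusual_tls_fingerprints(events: list[LoginEvent], known: set[str]) -> dict[str, int]:
    """Fingerprints outside the allowlist, with the number of distinct sources
    presenting each. Many sources sharing one unknown fingerprint is the
    shared-tooling signal worth alerting on."""
    sources: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev.tls_fp not in known:
            sources[ev.tls_fp].add(ev.src_ip)
    return {fp: len(ips) for fp, ips in sources.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for day, count, ratio, new_frac in detect_surges(evs):
        print(f"{day}: {count} unique sources, {ratio:.1f}x baseline, {new_frac:.0%} first-seen")
    print("unknown TLS fingerprints:", unusual_tls_fingerprints(evs, KNOWN_TLS_FINGERPRINTS))
```

On the constructed sample the burst day (2025-10-01) is flagged at 7.2 times the baseline with 11 of 12 sources first-seen, and the single unknown fingerprint fp-new-x is shared by 11 sources. In production the baseline should be a rolling window rather than every prior day, and the fingerprint allowlist should be learned from the organization's own legitimate clients before alerting on deviations.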
