A recent surge in login attempts targeting Palo Alto Networks’ PAN-OS GlobalProtect portals mainly located in the U.S. could be a precursor to a large-scale exploitation of unpatched or zero-day vulnerabilities, researchers have found.
The threat activity means defenders with exposed Palo Alto Networks VPN systems should review March 2025 logs and consider engaging in detailed threat hunting to detect signs of compromise.
Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals, activity that suggests a coordinated effort to identify exposed or vulnerable systems for targeted abuse of flaws, according to a report released this week from security intelligence firm GreyNoise.
"All software can and will be prone to security vulnerabilities, and attackers will be always interested in finding targets with exploitable known vulnerabilities," Boris Cipot, senior security engineer at Black Duck, an application security solutions provider, said via email.
Indeed, researchers categorized the bulk of the activity, or 23,800 IPs, as "suspicious," while flagging a smaller subset, 154 IPs, as outright malicious, according to the report. The traffic predominantly originated from the U.S. (16,249 IPs), followed by Canada (5,823 IPs). Other sources of the scans were Finland, the Netherlands and Russia, in that order.
Systems in the U.S. were the most scanned, with 23,768 portals affected. Other targets were located in the U.K., Ireland, Russia and Singapore.
Surge portends mass exploitation
The spike in activity started on March 17 and peaked at nearly 20,000 unique IPs per day, a steady pattern that remained until March 26, when it began tapering off. This type of consistency suggests a calculated approach to testing network defenses ahead of a mass exploitation, according to GreyNoise.
"These patterns often coincide with new vulnerabilities emerging two to four weeks later," Bob Rudis, vice president of data science at GreyNoise, said in a statement. Indeed, the activity surge is reminiscent of a 2024 espionage campaign targeting perimeter network devices that was reported by Cisco Talos, according to GreyNoise.
Overall, the activity demonstrates attackers attempting to gain the upper hand by exposing organizations that are missing the security mark by neglecting "to do the necessary basic actions needed to keep their organization safe," such as "applying patches as soon as they become available to close any security vulnerability," Black Duck’s Cipot said.
If organizations haven't done so already, they should ensure their software is up to date with the latest upgrades and take other steps that should be part of basic security hygiene to avoid being affected by any imminent exploitation, he told Cybersecurity Dive.
These actions include restricting access to management interfaces to trusted internal addresses; using monitoring tools to review system and activity logs to find suspicious actions; checking systems and their status regularly through audits; and using software composition analysis tools, Cipot said.
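The log review and threat hunting recommended above can be reduced to two simple checks that an analyst can run over portal authentication logs: does the number of distinct source IPs hitting the portal on a given day jump well above the preceding days' baseline (the kind of surge GreyNoise describes), and did any source IP fail authentication repeatedly and then succeed. The script below is an added example written for this article, not code from GreyNoise, Palo Alto Networks or Black Duck. Its log lines are constructed in a simplified CSV layout (timestamp, source IP, username, event, status) rather than the real PAN-OS GlobalProtect log schema, and the thresholds (a three-day baseline, a 3x surge factor, a minimum of five IPs, two failures before a success) are assumptions to tune against your own traffic.

```python
"""Hunt for a login-attempt surge and failure-then-success patterns in VPN portal logs.

Added example. The CSV layout below is invented for this demonstration and is
not the real PAN-OS GlobalProtect log format; map the fields to your device's
schema before pointing the logic at production logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real device output): timestamp,src_ip,user,event,status
SAMPLE_LOG = """\
2025-03-14T09:12:01Z,203.0.113.10,alice,portal-auth,success
2025-03-14T10:04:55Z,203.0.113.11,bob,portal-auth,success
2025-03-15T08:30:12Z,203.0.113.10,alice,portal-auth,success
2025-03-15T13:15:40Z,203.0.113.12,carol,portal-auth,failure
2025-03-16T07:45:03Z,203.0.113.11,bob,portal-auth,success
2025-03-16T18:20:19Z,203.0.113.13,dave,portal-auth,success
2025-03-17T00:01:10Z,198.51.100.1,admin,portal-auth,failure
2025-03-17T00:01:12Z,198.51.100.2,admin,portal-auth,failure
2025-03-17T00:01:14Z,198.51.100.3,test,portal-auth,failure
2025-03-17T00:01:16Z,198.51.100.4,guest,portal-auth,failure
2025-03-17T00:01:18Z,198.51.100.5,admin,portal-auth,failure
2025-03-17T00:01:20Z,198.51.100.6,root,portal-auth,failure
2025-03-17T00:01:22Z,198.51.100.7,admin,portal-auth,failure
2025-03-17T00:01:24Z,198.51.100.8,vpn,portal-auth,failure
2025-03-17T09:10:00Z,203.0.113.10,alice,portal-auth,success
2025-03-18T00:02:00Z,198.51.100.9,admin,portal-auth,failure
2025-03-18T00:02:03Z,198.51.100.9,admin,portal-auth,failure
2025-03-18T00:02:06Z,198.51.100.9,admin,portal-auth,success
2025-03-18T00:02:10Z,198.51.100.10,admin,portal-auth,failure
2025-03-18T00:02:12Z,198.51.100.11,admin,portal-auth,failure
2025-03-18T00:02:14Z,198.51.100.12,admin,portal-auth,failure
2025-03-18T00:02:16Z,198.51.100.13,admin,portal-auth,failure
2025-03-18T00:02:18Z,198.51.100.14,admin,portal-auth,failure
2025-03-18T00:02:20Z,198.51.100.15,admin,portal-auth,failure
2025-03-18T09:00:00Z,203.0.113.11,bob,portal-auth,success
"""


def parse_log(text):
    """Parse 'timestamp,src_ip,user,event,status' lines into dict records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, user, event, status = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": src_ip, "user": user, "event": event, "status": status,
        })
    return records


def unique_ips_per_day(records):
    """Count distinct source IPs per calendar day, oldest day first."""
    per_day = defaultdict(set)
    for r in records:
        per_day[r["ts"].date().isoformat()].add(r["src_ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def find_surge_days(counts, baseline_days=3, factor=3.0, min_ips=5):
    """Flag days whose distinct-IP count is at least `factor` times the median
    of the preceding `baseline_days` days and at least `min_ips` (assumed thresholds)."""
    days = list(counts)
    surges = []
    for i in range(baseline_days, len(days)):
        baseline = median([counts[d] for d in days[i - baseline_days:i]])
        today = counts[days[i]]
        if today >= min_ips and today >= factor * baseline:
            surges.append(days[i])
    return surges


def find_failure_then_success(records, min_failures=2):
    """Source IPs that failed portal authentication at least `min_failures`
    times and later succeeded: a password-guessing indicator worth triage."""
    failures = defaultdict(int)
    flagged = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "portal-auth":
            continue
        if r["status"] == "failure":
            failures[r["src_ip"]] += 1
        elif failures[r["src_ip"]] >= min_failures and r["src_ip"] not in flagged:
            flagged.append(r["src_ip"])
    return flagged


def hunt(text):
    """Run both checks over a log text and return a summary dict."""
    records = parse_log(text)
    counts = unique_ips_per_day(records)
    return {
        "unique_ips_per_day": counts,
        "surge_days": find_surge_days(counts),
        "failure_then_success": find_failure_then_success(records),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, March 17 and 18 are flagged as surge days (nine and eight distinct IPs against a three-day median of two) and 198.51.100.9 is flagged for two failures followed by a success. A rolling median is deliberately used for the baseline so that a single noisy day does not mask the next one; on real data, lengthen the baseline window and feed the flagged IPs into your allow-list and geolocation checks before escalating.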
Organizations also should secure their networks beyond perimeter defenses, which "are not invulnerable," Eric Schwake, director of cybersecurity strategy at API security provider Salt Security, said via email.
"Consequently, organizations should adopt a multilayered security strategy that goes beyond conventional perimeter controls," he said. "This means closely monitoring API traffic, as these gateways often expose APIs for management and authentication."