A sharp escalation in attacks targeting Palo Alto Networks PAN-OS GlobalProtect login portals is under way, with more than 2,200 unique IP addresses conducting reconnaissance as of October 7, 2025.
This is a substantial jump from the initial 1,300 IPs observed just days earlier, and it is the highest level of scanning activity recorded in the past 90 days, according to GreyNoise Intelligence monitoring.
The reconnaissance campaign began with a sharp 500% increase in scanning activity on October 3, 2025, when researchers observed roughly 1,300 unique IP addresses probing Palo Alto login portals.
That initial surge was already the largest burst of scanning activity in three months; daily volumes had rarely exceeded 200 IPs during the preceding 90-day period.
[Figure: 2,200 IPs scan Palo Alto portals]
Palo Alto PAN-OS GlobalProtect Login Portals Surge
The escalating campaign shows coordinated activity across geographically distributed infrastructure.
GreyNoise analysis shows that 91% of the scanning IP addresses geolocate to the United States, with additional clusters concentrated in the United Kingdom, the Netherlands, Canada, and Russia.
Researchers found that roughly 12% of all subnets in ASN11878 were devoted to scanning Palo Alto login portals, indicating a significant commitment of infrastructure to the operation.
The attack methodology suggests the threat actors are systematically iterating through large credential databases; the login-attempt patterns point to automated brute-force operations against GlobalProtect SSL VPN portals.
[Figure: Pace of unique Palo Alto login attempts]
GreyNoise has published a full dataset of the unique usernames and passwords seen in Palo Alto login attempts over the past week, so that security teams can check it for exposure of their own credentials.
Technical analysis shows that 93% of the participating IP addresses were classified as suspicious, while 7% were classified as malicious.
[Figure: 1,285 unique IPs probing Palo Alto login portals]
The scanning activity shows distinct regional clusters with separate TCP fingerprints, suggesting several coordinated threat groups operating simultaneously.
Researchers have also identified possible correlations between the Palo Alto scanning surge and concurrent reconnaissance against Cisco ASA devices.
Both campaigns share a dominant TCP fingerprint linked to infrastructure in the Netherlands, along with similar regional clustering and tooling characteristics.
The cross-vendor targeting suggests a broader reconnaissance campaign against enterprise remote-access solutions.
Concurrent surges have been observed across multiple remote-access platforms, though the exact relationship between these activities remains under investigation.
The targeted nature of the activity is evident from its focus on GreyNoise's emulated Palo Alto profiles, including GlobalProtect and PAN-OS systems.
This precision indicates that the attackers likely derived their target lists from public reconnaissance platforms such as Shodan or Censys, or ran their own fingerprinting to identify vulnerable Palo Alto devices.
Security teams should implement immediate defensive measures, including blocklisting known malicious IP addresses, closer monitoring of GlobalProtect portal authentication logs for failed-login bursts and credential spraying, and additional access controls (such as multi-factor authentication) for remote VPN connections. A blocklist built from a single snapshot of scanner IPs goes stale as the infrastructure rotates, so prefer a feed that is refreshed over time, and treat the log monitoring as the durable control.
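As an added example (not code from the article, GreyNoise, or Palo Alto Networks), the Python script below shows the kind of detection logic that the recommended authentication-log monitoring implies. It parses a constructed, simplified GlobalProtect-style authentication log (the four-column timestamp, source IP, username, result format is an assumption, not the real PAN-OS log schema; in practice you would map the corresponding GlobalProtect log fields into these columns in your SIEM), flags source IPs that cycle through many usernames within a short window (the brute-force pattern described above), flags accounts hit from many source IPs (password spraying), and cross-references every source seen against a constructed blocklist standing in for a feed such as the GreyNoise dataset. The sample log lines, the blocklist and the thresholds are all constructed for illustration.

```python
"""Brute-force / credential-spray detection over GlobalProtect-style auth logs.

Added example, not code from the article or from GreyNoise / Palo Alto Networks.
The log format is a CONSTRUCTED simplification (timestamp,src_ip,user,result);
it is an assumption, not the actual PAN-OS GlobalProtect log schema.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one scanner cycling usernames from a single IP, one account
# sprayed from several IPs, and one legitimate user who mistypes once.
SAMPLE_LOG = """\
2025-10-07T10:00:01Z,203.0.113.10,admin,auth-failed
2025-10-07T10:00:03Z,203.0.113.10,administrator,auth-failed
2025-10-07T10:00:05Z,203.0.113.10,vpn,auth-failed
2025-10-07T10:00:07Z,203.0.113.10,test,auth-failed
2025-10-07T10:00:09Z,203.0.113.10,guest,auth-failed
2025-10-07T10:00:11Z,203.0.113.10,support,auth-failed
2025-10-07T10:01:00Z,198.51.100.5,jdoe,auth-failed
2025-10-07T10:01:30Z,198.51.100.6,jdoe,auth-failed
2025-10-07T10:02:00Z,198.51.100.7,jdoe,auth-failed
2025-10-07T10:02:30Z,198.51.100.8,jdoe,auth-failed
2025-10-07T10:05:00Z,192.0.2.44,asmith,auth-failed
2025-10-07T10:05:20Z,192.0.2.44,asmith,auth-success
"""

# Constructed blocklist standing in for a refreshed feed of known scanner IPs.
KNOWN_SCANNER_IPS = {"203.0.113.10", "198.51.100.5"}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed CSV format into AuthEvent records, oldest first."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split(",")
        ipaddress.ip_address(src)  # reject malformed source fields early
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                src, user, result == "auth-success"))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[AuthEvent], window: timedelta = timedelta(minutes=5),
           max_users_per_ip: int = 5, max_ips_per_user: int = 3,
           blocklist: set[str] = KNOWN_SCANNER_IPS) -> dict[str, list[str]]:
    """Sliding-window detection over failed logins.

    brute_force: source IPs that tried >= max_users_per_ip distinct usernames in `window`.
    spray:       usernames targeted from >= max_ips_per_user distinct IPs in `window`.
    blocklisted: any source IP seen at all that is on the blocklist.
    """
    per_ip: dict[str, deque[AuthEvent]] = defaultdict(deque)
    per_user: dict[str, deque[AuthEvent]] = defaultdict(deque)
    brute_force: set[str] = set()
    spray: set[str] = set()

    for e in (x for x in events if not x.ok):
        q = per_ip[e.src]
        q.append(e)
        while q and e.ts - q[0].ts > window:   # drop failures outside the window
            q.popleft()
        if len({x.user for x in q}) >= max_users_per_ip:
            brute_force.add(e.src)

        q = per_user[e.user]
        q.append(e)
        while q and e.ts - q[0].ts > window:
            q.popleft()
        if len({x.src for x in q}) >= max_ips_per_user:
            spray.add(e.user)

    seen = {e.src for e in events}
    return {"brute_force": sorted(brute_force),
            "spray": sorted(spray),
            "blocklisted": sorted(seen & blocklist)}


def run_sample() -> dict[str, list[str]]:
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        print(f"{kind}: {', '.join(hits) or '-'}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real portal, tune the window and counts against your own baseline of failed logins, and feed the blocklist from a source that is refreshed as the scanning infrastructure rotates rather than from a one-off snapshot.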