Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals.
“This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation,” threat intelligence firm GreyNoise said.
The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious.
The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.
It’s currently not clear what’s driving the activity, but it points to a systemic approach to testing network defenses, which could likely pave the way for later exploitation.
“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” Bob Rudis, VP of Data Science at GreyNoise, said. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”
In light of the unusual activity, it’s imperative that organizations with internet-facing Palo Alto Networks instances take steps to secure their login portals.
The Hacker News has reached out to Palo Alto Networks for further comment, and we will update the story if we hear back.
