GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation.
Recent patterns observed by GreyNoise suggest that this activity may signal the emergence of new vulnerabilities in the near future:
“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”
Key Observations
- The spike began on March 17, 2025, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off.
- Most of the observed activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs).
The consistency of this activity suggests a planned approach to testing network defenses, potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals.
A significant portion of the traffic is associated with 3xK Tech GmbH (20,010 IPs) under ASN200373. Other notable contributors include PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.
Additionally, GreyNoise has identified three JA4h hashes linked to the login scanner tool:
- po11nn11enus_967778c7bec7_000000000000_000000000000
- po11nn09enus_fb8b2e7e6287_000000000000_000000000000
- po11nn060000_c4f66731b00d_000000000000_000000000000
These hashes indicate the use of specific connection patterns typical of the login scanner tool used by the attackers in question, allowing GreyNoise to identify and correlate separate login attempts as originating from the same toolkit.
Source and Destination Analysis
- Source Countries: Predominantly originating from the United States (16,249) and Canada (5,823), followed by Finland, Netherlands, and Russia.
- Destination Countries: The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore.
These patterns reflect the global nature of the activity, indicating that multiple regions are being targeted.
Concurrent Crawler Activity Detected
The activity appears to be linked to other PAN-OS reconnaissance-related tags such as PAN-OS Crawler, where a single spike was observed on March 26, 2025 involving 2,580 unique source IPs.
Reminiscent of 2024 Espionage Campaign
This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access.
Recommendations
Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.
View Attacker Activity & Block Malicious IPs
GreyNoise will continue to monitor the situation and provide updates if material developments arise.
Navigate now to the GreyNoise Visualizer to:
— — —
Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
