Tuesday, March 17, 2026

Hackers Launch 2.3 Million Attacks On Palo Alto Networks’ GlobalProtect VPN Portals

Cybersecurity firm GreyNoise reported a dramatic spike in attacks targeting Palo Alto Networks’ GlobalProtect VPN portals.

Starting November 14, 2025, malicious sessions surged, reaching 2.3 million attempts within days: a 40-fold increase in 24 hours and the highest level seen in 90 days.

Attackers scanned the /global-protect/login.esp URI on PAN-OS systems, probing for weak logins or vulnerabilities.

This surge links to prior campaigns with high confidence. GreyNoise spotted identical TCP/JA4t fingerprints, shared ASNs, and timed overlaps.

The same actors likely drive these efforts, shifting from past Fortinet VPN brute-force waves.

Historically, Fortinet spikes have preceded disclosures within 6 weeks, suggesting similar risks for Palo Alto users.

Attack Infrastructure and Tactics Exposed

Traffic heavily relies on AS200373 (3xK Tech GmbH). About 62% came from German IP addresses, fueling the main assault.

Another 15% traced to Canada under the same ASN, pointing to a spread-out set of exit nodes or hosting. AS208885 (Noyobzoda Faridduni Saidilhom) supplied the rest as a steady secondary source.

Targets are spread evenly across the United States, Mexico, and Pakistan, hitting equal login volumes. Attackers used two key JA4t fingerprints for tracking:

  • 65495_2-4-8-1-3_65495_7
  • 33280_2-4-8-1-3_65495_7

These signatures cover all activity, aiding defenders in network hunts. The setup shows coordinated infrastructure: Germany’s cluster dominates, Canada’s adds evasion, and AS208885 provides backup.

GreyNoise ties this to broader patterns. Palo Alto portals draw scanners seeking remote access flaws, much like Fortinet cases.

Brute-force logins test default or leaked credentials, and could lead to RCE if paired with a software bug. No active exploits have surfaced yet, but the scale demands action.

Defense Steps and GreyNoise Tools

Organizations should lock down GlobalProtect portals now. GreyNoise offers quick blocks: in GreyNoise Block, search for the “Palo Alto” templates and add ‘classification: suspicious’ to block those IPs. Filters can be tweaked by country or type; new users get 14-day trials.

For more precision, platform blocklists can filter by ASN, JA4t fingerprint, or destination using full queries, such as the tag “Palo Alto Networks Login Scanner.”

Palo Alto urges multi-factor authentication, least-privilege access, and timely patching. Monitor for the JA4t fingerprints in tools like Zeek or Suricata. If your portals are exposed to the internet (for example, visible on Shodan), pull them behind a WAF.
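To show how the two fingerprints and the portal path above can be turned into a simple hunt, here is an added Python example (not code from the article, GreyNoise or Palo Alto). The key=value log layout and the ja4t field are constructed assumptions standing in for a JA4-enriched Zeek or Suricata export.

```python
from collections import Counter

# JA4t fingerprints GreyNoise tied to the campaign (values from the article)
CAMPAIGN_JA4T = {
    "65495_2-4-8-1-3_65495_7",
    "33280_2-4-8-1-3_65495_7",
}
# Portal path the scanners probed (from the article)
TARGET_URI = "/global-protect/login.esp"

# Constructed sample lines in a simplified key=value layout (not real Zeek
# output); ja4t is assumed to come from a JA4 fingerprinting package.
SAMPLE_LOG = """\
ts=1763100000 src=203.0.113.10 uri=/global-protect/login.esp ja4t=65495_2-4-8-1-3_65495_7 status=401
ts=1763100001 src=203.0.113.10 uri=/global-protect/login.esp ja4t=65495_2-4-8-1-3_65495_7 status=401
ts=1763100002 src=203.0.113.10 uri=/global-protect/login.esp ja4t=65495_2-4-8-1-3_65495_7 status=401
ts=1763100003 src=198.51.100.7 uri=/global-protect/login.esp ja4t=33280_2-4-8-1-3_65495_7 status=401
ts=1763100004 src=192.0.2.44 uri=/global-protect/login.esp ja4t=1460_2-4-8-1-3_1024_0 status=401
ts=1763100005 src=192.0.2.44 uri=/global-protect/login.esp ja4t=1460_2-4-8-1-3_1024_0 status=200
ts=1763100006 src=203.0.113.10 uri=/ ja4t=65495_2-4-8-1-3_65495_7 status=200
"""


def parse_line(line):
    """Split one key=value line into a dict; None for blank or malformed lines."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    return fields or None


def hunt(log_text, fail_threshold=3):
    """Count campaign-fingerprint hits on the portal path per source, and list
    sources whose failed (401) portal logins reach fail_threshold."""
    fp_hits = Counter()
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("uri") != TARGET_URI:
            continue  # only the GlobalProtect login path is of interest
        src = rec.get("src", "?")
        if rec.get("ja4t") in CAMPAIGN_JA4T:
            fp_hits[src] += 1
        if rec.get("status") == "401":
            failures[src] += 1
    return {
        "fingerprint_matches": dict(fp_hits),
        "brute_force_candidates": sorted(s for s, n in failures.items() if n >= fail_threshold),
    }
```

Fingerprint matches point at the campaign's tooling regardless of which credentials it tries; the failure count catches brute forcing from sources whose fingerprint has not been catalogued yet.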

This blitz underscores the risks of VPNs in hybrid work environments. As threats evolve, shared intel like GreyNoise’s proves vital.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.
