Cybersecurity firm GreyNoise reported a dramatic spike in attacks targeting Palo Alto Networks’ GlobalProtect VPN portals.
Starting November 14, 2025, malicious sessions surged to 2.3 million in a matter of days: a 40-fold increase within 24 hours and the highest level seen in 90 days.
Attackers scanned the /global-protect/login.esp URI on PAN-OS devices, probing for weak logins or vulnerabilities.
This surge links to prior campaigns with high confidence. GreyNoise spotted identical TCP/JA4t fingerprints, shared ASNs, and timed overlaps.
The same actors likely drive these efforts, shifting from past Fortinet VPN brute-force waves.
Historically, Fortinet spikes have preceded disclosures within 6 weeks, suggesting similar risks for Palo Alto users.
Traffic relied heavily on AS200373 (3xK Tech GmbH): about 62% came from German IP addresses in that network, which carried the bulk of the assault.
Another 15% traced to Canada under the same ASN, pointing to a spread-out set of exit nodes or hosting. AS208885 (Noyobzoda Faridduni Saidilhom) supplied the rest as a steady secondary source.
Targets were spread evenly across the United States, Mexico, and Pakistan, each seeing roughly equal login volumes. GreyNoise tied the activity to two JA4t (TCP) fingerprints that cover all of it, giving defenders a concrete handle for network hunts.
The setup shows coordinated infrastructure: Germany’s cluster dominates, Canada’s adds evasion, and AS208885 provides backup.
GreyNoise ties this to broader patterns. Palo Alto portals draw scanners seeking remote access flaws, much like Fortinet cases.
Brute-force logins try default or leaked credentials; a valid login can escalate to remote code execution if chained with a post-authentication bug. No active exploitation of a vulnerability has surfaced yet, but the scale demands action.
Organizations should lock down GlobalProtect portals now. GreyNoise offers quick blocks through GreyNoise Block: search for the “Palo Alto” templates, add ‘classification: suspicious’ to the resulting IP set, and narrow by country or actor type as needed; new users get a 14-day trial.
For more precision, platform blocklists can filter by ASN, JA4, or destination using full queries such as tags: “Palo Alto Networks Login Scanner.”
Palo Alto urges multi-factor authentication, least-privilege access, and timely patching. Monitor for the JA4t fingerprints in tools such as Zeek or Suricata, check whether your portals show up on Shodan, and put any exposed portal behind a WAF.
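To show what hunting for this activity in Zeek logs looks like, here is an added example (not GreyNoise's, Palo Alto's, or the article's code). It joins Zeek's JSON http.log and conn.log on the shared uid, flags sources that burst POSTs at /global-protect/login.esp, and separately flags sources whose TCP fingerprint is on a JA4t watch list. It assumes the JA4+ Zeek package is loaded so conn.log carries a ja4t field; the two JA4t values in WATCHED_JA4T are placeholders, since the article does not reproduce GreyNoise's fingerprints, and the log lines are constructed, not captured traffic.

```python
import json
from collections import defaultdict, deque

# Path GreyNoise reported the scanners hitting on PAN-OS GlobalProtect portals.
GP_LOGIN_URI = "/global-protect/login.esp"

# Placeholder JA4t values: the article does not reproduce GreyNoise's two
# fingerprints, so these are made up. Substitute the published ones.
WATCHED_JA4T = {"65535_2-4-8-1-3_1460_8", "64240_2-4-8-1-3_1460_7"}


def parse_zeek_json(lines):
    """Zeek JSON logs hold one object per line; skip blanks and '#' comments."""
    out = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(json.loads(line))
    return out


def join_http_conn(http_records, conn_records):
    """Attach conn.log's ja4t to each http.log record via Zeek's shared uid.
    Assumes the JA4+ Zeek package populates 'ja4t' in conn.log."""
    ja4t_by_uid = {c["uid"]: c.get("ja4t") for c in conn_records}
    return [dict(h, ja4t=ja4t_by_uid.get(h["uid"])) for h in http_records]


def login_bursts(records, threshold=20, window_s=60):
    """Flag sources that POST to the GlobalProtect login page at least
    `threshold` times inside any `window_s`-second sliding window.
    Returns {src_ip: ts at which the threshold was first crossed}."""
    recent = defaultdict(deque)
    alerts = {}
    for r in sorted(records, key=lambda x: x["ts"]):
        if r.get("uri") != GP_LOGIN_URI or r.get("method") != "POST":
            continue
        ip, ts = r["id.orig_h"], r["ts"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def ja4t_hits(records, watch=WATCHED_JA4T):
    """Sources whose TCP fingerprint is on the watch list, regardless of rate.
    Catches low-and-slow probing that the burst detector would miss."""
    return {r["id.orig_h"] for r in records if r.get("ja4t") in watch}


# Constructed sample: 25 POSTs in ~30 s from one source, plus a single GET from
# a second source whose JA4t is on the watch list. Not real traffic.
BASE_TS = 1763100000.0
SAMPLE_HTTP = [json.dumps({"ts": BASE_TS + i * 1.2, "uid": f"C{i:04d}",
                           "id.orig_h": "203.0.113.7", "id.resp_h": "192.0.2.10",
                           "method": "POST", "uri": GP_LOGIN_URI, "status_code": 200})
               for i in range(25)]
SAMPLE_HTTP.append(json.dumps({"ts": BASE_TS + 5, "uid": "C9999",
                               "id.orig_h": "198.51.100.5", "id.resp_h": "192.0.2.10",
                               "method": "GET", "uri": GP_LOGIN_URI, "status_code": 200}))
SAMPLE_CONN = [json.dumps({"uid": f"C{i:04d}", "ja4t": "65535_2-4-8-1-3_1460_8"})
               for i in range(25)]
SAMPLE_CONN.append(json.dumps({"uid": "C9999", "ja4t": "64240_2-4-8-1-3_1460_7"}))


def run_sample():
    """Run both detectors over the constructed logs; returns (bursts, hits)."""
    records = join_http_conn(parse_zeek_json(SAMPLE_HTTP), parse_zeek_json(SAMPLE_CONN))
    return login_bursts(records), ja4t_hits(records)


if __name__ == "__main__":
    bursts, hits = run_sample()
    for ip, ts in bursts.items():
        print(f"ALERT burst {ip} crossed threshold at ts={ts}")
    for ip in sorted(hits):
        print(f"ALERT ja4t  {ip} matches a watched fingerprint")
```

Run it as-is to see the two alert types on the sample; in production, feed the real http.log and conn.log through parse_zeek_json and tune threshold and window_s to your portal's normal login rate. The burst detector alone would miss a fingerprint-matching source making one request every few minutes, which is why the JA4t check is kept separate.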
This blitz underscores the risks of VPNs in hybrid work environments. As threats evolve, shared intel like GreyNoise’s proves vital.