Warning to admins running Palo Alto Networks' GlobalProtect
Someone is scanning for GlobalProtect portals, a sign a cyber attack may be imminent
Administrators running network security products from Palo Alto Networks are being warned to make sure their devices are up to date in light of evidence of a possible upcoming cyber attack.
Researchers at U.S.-based GreyNoise have detected a “significant surge in login scanning activity” targeting organizations running Palo Alto Networks’ PAN-OS GlobalProtect portals. That’s a sign someone is looking for an opening or openings.
GlobalProtect is an endpoint application that protects desktop computers, laptops, tablets and smartphones and allows employees to access a company’s resources from anywhere.
Over the last 30 days, GreyNoise said in a blog, nearly 24,000 unique IP addresses have attempted to access these portals. The spike began on March 17, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off.
“This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Systems’ Talos threat intelligence service,” GreyNoise says. That campaign, which Talos dubbed “ArcaneDoor,” saw a threat actor trying to exploit two zero-day (previously unknown and unpatched) vulnerabilities in the management and VPN web servers of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) software.
“While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access,” says GreyNoise.
“Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.”
Most of what the researchers saw is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs).
These questionable attempts predominantly came from IP addresses in the United States (16,249) and Canada (5,823), followed by Finland, the Netherlands, and Russia. That doesn’t mean the probable hackers reside there: threat actors are known to hide their activity by covertly taking over servers in other countries.
The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed at users in the U.K., Ireland, Russia, and Singapore.
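As an added example, not code from GreyNoise or from this article, the script below applies the recommendation above to review March logs: it tallies distinct source addresses per day from portal login-failure lines and flags days where that count jumps well above the preceding days' baseline, the same kind of spike GreyNoise describes. The log line format, the field names and the sample lines are all constructed assumptions, not real PAN-OS output.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed line shape (constructed, not a real PAN-OS format):
#   2025-03-17T00:05:00 gp portal-auth fail src=192.0.2.5 user=admin
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ .*?\bfail\b.*?\bsrc=(?P<src>[\d.]+)"
)


def daily_unique_sources(lines):
    """Map each day to the set of distinct source IPs with a failed portal login."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # successful logins and unparseable lines are ignored
            per_day[m["day"]].add(m["src"])
    return per_day


def flag_surge_days(per_day, factor=5, floor=20):
    """Return (day, count) pairs where the distinct-source count is at least
    `floor` and more than `factor` times the median of all preceding days.
    The first day has no baseline and is never flagged."""
    flagged, history = [], []
    for day in sorted(per_day):
        n = len(per_day[day])
        if history and n >= floor and n > factor * median(history):
            flagged.append((day, n))
        history.append(n)
    return flagged


def constructed_lines():
    """Constructed sample: two quiet days, a two-day surge, then quiet again."""
    lines = [
        "2025-03-15T08:01:10 gp portal-auth fail src=203.0.113.5 user=alice",
        "2025-03-15T09:12:44 gp portal-auth fail src=203.0.113.9 user=bob",
        "2025-03-15T10:00:00 gp portal-auth success src=203.0.113.9 user=bob",
        "2025-03-16T07:55:02 gp portal-auth fail src=203.0.113.5 user=alice",
        "2025-03-16T18:20:31 gp portal-auth fail src=198.51.100.7 user=carol",
    ]
    for i in range(25):  # constructed surge: 25 distinct sources on March 17
        lines.append(f"2025-03-17T00:{i:02d}:00 gp portal-auth fail src=192.0.2.{i} user=admin")
    for i in range(30):  # constructed surge: 30 distinct sources on March 18
        lines.append(f"2025-03-18T01:{i:02d}:00 gp portal-auth fail src=198.18.0.{i} user=test")
    lines.append("2025-03-19T08:00:00 gp portal-auth fail src=203.0.113.5 user=alice")
    return lines


if __name__ == "__main__":
    for day, n in flag_surge_days(daily_unique_sources(constructed_lines())):
        print(f"{day}: {n} distinct sources attempted portal logins")
```

Tune `floor` and `factor` to your own portal's normal failed-login volume before relying on the flagged days.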