
Increased Scanning Activity on Palo Alto Networks Login Portals

3 unique sources, 6 articles

Summary


A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,300 unique IP addresses, with 91% classified as suspicious and 7% as malicious. The scans were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts. This surge shares characteristics with recent scanning activity targeting Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities. An automated campaign targeting multiple VPN platforms, including Palo Alto Networks GlobalProtect and Cisco SSL VPN, was observed starting on December 11, 2025. The number of login attempts aimed at GlobalProtect portals peaked at 1.7 million during a 16-hour period. The attacks originated from more than 10,000 unique IP addresses, primarily from the 3xK GmbH (Germany) IP space, and targeted infrastructure in the United States, Mexico, and Pakistan. The threat actor reused common username and password combinations, with most requests using an uncommon Firefox user agent, consistent with automated login activity. The activity reflects scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals. On December 12, 2025, activity from the same hosting provider using the same TCP fingerprint started probing Cisco SSL VPN endpoints, with unique attack IPs jumping to 1,273 from a normal baseline of less than 200. The login payloads followed normal SSL VPN authentication flows, indicating automated credential attacks rather than exploits. Palo Alto Networks confirmed the activity and recommended strong passwords and multi-factor authentication.
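As an added example (not code from CyberHappenings, Palo Alto Networks, or GreyNoise), the Python below sketches the kind of detection a defender could run over portal authentication logs to surface the pattern the summary describes: a jump in unique source addresses well above baseline, one user agent shared across most requests, and many sources cycling through a handful of common usernames. The log line format, the sample lines, the thresholds, and the TEST-NET/private addresses are all constructed for this example; real GlobalProtect logs have a different layout and need their own parser.

```python
"""Flag automated credential probing against a VPN login portal.

Added example, not vendor code. The one-line-per-attempt log format is an
assumption made for the example; adapt parse_line() to your real source.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed format: "<iso-timestamp> src=<ip> user="<name>" result=<ok|fail> ua="<agent>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user="(?P<user>[^"]*)" '
    r'result=(?P<result>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    result: str
    ua: str


def parse_line(line):
    """Return an Attempt for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.fromisoformat(m["ts"]), m["src"], m["user"],
                   m["result"], m["ua"])


def window_stats(attempts, window_seconds=3600):
    """Group attempts into fixed UTC windows and summarise each window."""
    windows = defaultdict(list)
    for a in attempts:
        windows[int(a.ts.timestamp()) // window_seconds].append(a)
    stats = {}
    for key, group in sorted(windows.items()):
        start = datetime.fromtimestamp(key * window_seconds, tz=timezone.utc)
        top_ua, top_n = Counter(a.ua for a in group).most_common(1)[0]
        stats[start] = {
            "attempts": len(group),
            "unique_ips": len({a.src for a in group}),
            "unique_users": len({a.user for a in group}),
            "failure_rate": sum(a.result == "fail" for a in group) / len(group),
            "top_ua": top_ua,
            "top_ua_share": top_n / len(group),
        }
    return stats


def detect_credential_probing(log_text, baseline_unique_ips, window_seconds=3600,
                              ip_multiplier=5, ua_share=0.8, min_attempts=20):
    """Return one alert per window that looks like scripted credential probing.

    baseline_unique_ips is the organisation's normal per-window count of
    distinct sources; the multiplier and share thresholds are assumptions.
    """
    attempts = [a for a in (parse_line(l) for l in log_text.splitlines()) if a]
    alerts = []
    for start, s in window_stats(attempts, window_seconds).items():
        reasons = []
        if s["unique_ips"] >= baseline_unique_ips * ip_multiplier:
            reasons.append(f"{s['unique_ips']} unique sources vs baseline {baseline_unique_ips}")
        if s["attempts"] >= min_attempts and s["top_ua_share"] >= ua_share:
            reasons.append(f"{s['top_ua_share']:.0%} of requests share UA {s['top_ua']!r}")
        if s["attempts"] >= min_attempts and s["unique_ips"] > 5 * s["unique_users"]:
            reasons.append(f"{s['unique_ips']} sources tried only {s['unique_users']} usernames")
        if reasons:
            alerts.append({"window_start": start.isoformat(), "stats": s, "reasons": reasons})
    return alerts


# Constructed sample data: a quiet hour of employee logins, then a noisy hour
# of 60 sources (TEST-NET range) cycling five common usernames under one UA.
SPRAY_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
NORMAL_UAS = ["PAN GlobalProtect/6.2", "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
              "Mozilla/5.0 (Macintosh) Safari/605"]
COMMON_USERS = ["admin", "test", "guest", "vpn", "user"]


def constructed_log():
    lines = []
    for i in range(8):
        ok = "ok" if i % 4 else "fail"
        lines.append(f'2025-12-11T02:{i * 5:02d}:00+00:00 src=10.0.0.{i + 1} '
                     f'user="emp{i}" result={ok} ua="{NORMAL_UAS[i % 3]}"')
    for i in range(60):
        lines.append(f'2025-12-11T03:{i:02d}:00+00:00 src=203.0.113.{i + 1} '
                     f'user="{COMMON_USERS[i % 5]}" result=fail ua="{SPRAY_UA}"')
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_credential_probing(constructed_log(), baseline_unique_ips=5):
        print(alert["window_start"], "|", "; ".join(alert["reasons"]))
```

Run against the constructed log, only the 03:00 UTC window alerts, on all three rules. The unique-source rule alone would trip on the page's Cisco SSL VPN figures (1,273 attack IPs against a baseline under 200); the user-agent and username-ratio rules are what separate scripted probing from a legitimate surge of remote workers, so tune `baseline_unique_ips` from your own history rather than a fixed constant.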

Timeline

  1. 04.10.2025 17:18 2 articles · 2mo ago

    Increased Exploitation Attempts on Grafana Path Traversal Vulnerability

    An increase in exploitation attempts of an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025. The Grafana attacks targeted primarily the United States, Slovakia, and Taiwan, with consistent destination ratios indicating automation.

  2. 04.10.2025 13:39 6 articles · 2mo ago

    Palo Alto Networks Login Portals Scanning Activity Spikes

    An automated campaign targeting multiple VPN platforms, including Palo Alto Networks GlobalProtect and Cisco SSL VPN, was observed starting on December 11, 2025. The number of login attempts aimed at GlobalProtect portals peaked at 1.7 million during a 16-hour period. The attacks originated from more than 10,000 unique IP addresses, primarily from the 3xK GmbH (Germany) IP space, and targeted infrastructure in the United States, Mexico, and Pakistan. The threat actor reused common username and password combinations, with most requests using an uncommon Firefox user agent, consistent with automated login activity. The activity reflects scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals. On December 12, 2025, activity from the same hosting provider using the same TCP fingerprint started probing Cisco SSL VPN endpoints, with unique attack IPs jumping to 1,273 from a normal baseline of less than 200. The login payloads followed normal SSL VPN authentication flows, indicating automated credential attacks rather than exploits. Palo Alto Networks confirmed the activity and recommended strong passwords and multi-factor authentication.


Similar Happenings

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco recommends securing and restricting access to vulnerable appliances and advises customers to contact TAC for further assistance. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.

GreyNoise IP Check Tool Detects Botnet Participation

GreyNoise Labs has launched a free tool called GreyNoise IP Check to help users determine whether their IP address has been involved in malicious scanning activity, such as participation in a botnet or a residential proxy network. The tool provides a simple way to check for malicious activity without requiring deep technical analysis. It returns one of three results: Clean, Malicious/Suspicious, or Common Business Service. For suspicious activity, it provides a 90-day historical timeline to help identify potential infection points. Users are advised to investigate their devices, run malware scans, update firmware, and secure network settings if suspicious activity is detected.

Active Spyware Campaigns Targeting High-Value Signal and WhatsApp Users

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of active spyware campaigns targeting high-value Signal and WhatsApp users. These campaigns leverage sophisticated social engineering and zero-click exploits to compromise mobile devices and exfiltrate sensitive data. The targets include government officials, military personnel, political figures, and civil society organizations across the U.S., Middle East, and Europe. A new campaign, dubbed GhostPairing, abuses the legitimate device-linking feature to hijack WhatsApp accounts via pairing codes. This campaign was first spotted in Czechia but has the potential to spread to other regions. The attack involves tricking victims into linking an attacker's browser to their WhatsApp device, granting the attacker full access to the account without requiring any authentication.

Large-scale RDP targeting campaign detected from multi-country botnet

A large-scale botnet targeting Remote Desktop Protocol (RDP) services in the United States has been detected. The campaign, which began on October 8, 2025, originates from over 100,000 IP addresses across multiple countries. The botnet uses two primary attack methods: RD Web Access timing attacks and RDP web client login enumeration. The botnet's activity was first detected by GreyNoise, a threat monitoring platform, following an unusual traffic spike from Brazil. Subsequent activity was observed from Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and over 100 countries in total. The campaign highlights the ongoing threat to RDP services, which are commonly used by administrators, helpdesk staff, and remote workers. Attackers often exploit vulnerabilities, perform brute-force logins, or use timing attacks to gain unauthorized access.

Increased Scanning for PAN-OS GlobalProtect Vulnerability

SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.