
Increased Scanning Activity on Palo Alto Networks Login Portals

3 unique sources, 4 articles

Summary


A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,300 unique IP addresses, of which 91% were classified as suspicious and 7% as malicious. The sources were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance rather than opportunistic sweeps. The surge shares characteristics with recent scanning activity against Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities, and is likely part of a broader pattern of increased malicious activity against network security appliances. Palo Alto Networks customers are advised to ensure they are running the latest software versions. GreyNoise will continue monitoring the activity in case it precedes a new Palo Alto Networks vulnerability disclosure.

Separately, an increase in exploitation attempts against an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most of them in Bangladesh, launching attacks on September 28, 2025.

Security products remain a popular target for threat actors, as shown by the recent increase in attacks by the Akira ransomware group on SonicWall SSL VPN appliances. Threat actors are also using AI to enhance existing tactics, techniques, and procedures (TTPs) in victim reconnaissance, vulnerability research, and exploit development.

In a second wave, malicious scanning of Palo Alto Networks GlobalProtect VPN login portals increased 40-fold within 24 hours, indicating a coordinated campaign. Activity began climbing on November 14 and reached its highest level in 90 days within a week. The primary ASN behind this activity is AS200373 (3xK Tech GmbH), with 62% of the IPs geolocated to Germany and 15% to Canada; a second ASN involved is AS208885 (Noyobzoda Faridduni Saidilhom). Between November 14 and 19, GreyNoise observed 2.3 million sessions hitting the */global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect. That URI is the web endpoint exposed by a Palo Alto Networks firewall running GlobalProtect, serving the page where VPN users authenticate. The login attempts were aimed mainly at the United States, Mexico, and Pakistan, with similar volumes across all three.

GreyNoise has previously stressed that such attempts should be blocked and tracked as malicious probes rather than dismissed as failed exploit attempts against long-patched flaws: by the company's statistics, scanning spikes of this kind precede the disclosure of new security flaws in 80% of cases, and the correlation is even stronger for Palo Alto Networks products. Earlier this year, in February, Palo Alto Networks products saw two instances of active exploitation, including CVE-2025-0108, which attackers later chained with CVE-2025-0111 and CVE-2024-9474.

Timeline

  1. 04.10.2025 17:18 (2 articles)

    Increased Exploitation Attempts on Grafana Path Traversal Vulnerability

    An increase in exploitation attempts of an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025. The Grafana attacks targeted primarily the United States, Slovakia, and Taiwan, with consistent destination ratios indicating automation.

  2. 04.10.2025 13:39 (4 articles)

    Palo Alto Networks Login Portals Scanning Activity Spikes

    The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance. Because they hit GreyNoise's emulated Palo Alto profiles, the activity appears targeted in nature and likely derived from public or attacker-originated scans that fingerprint Palo Alto devices. The activity shares characteristics with recent scanning against Cisco ASA devices, including regional clustering and fingerprinting overlap; both the Palo Alto Networks and the Cisco ASA scanning traffic share a dominant TLS fingerprint tied to infrastructure in the Netherlands. The Palo Alto Networks scans, however, showed a weaker correlation with previously disclosed zero-day vulnerabilities than the Cisco ASA scans did. GreyNoise will continue monitoring the activity in case it precedes a new Palo Alto Networks vulnerability disclosure.

    In a later wave, malicious scanning of Palo Alto Networks GlobalProtect VPN login portals increased 40-fold within 24 hours, indicating a coordinated campaign. Activity began climbing on November 14 and reached its highest level in 90 days within a week. The primary ASN behind this activity is AS200373 (3xK Tech GmbH), with 62% of the IPs geolocated to Germany and 15% to Canada; a second ASN involved is AS208885 (Noyobzoda Faridduni Saidilhom). Between November 14 and 19, GreyNoise observed 2.3 million sessions hitting the */global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect. That URI is the web endpoint exposed by a Palo Alto Networks firewall running GlobalProtect, serving the page where VPN users authenticate. The login attempts were aimed mainly at the United States, Mexico, and Pakistan, with similar volumes across all three.

    GreyNoise has previously stressed that such attempts should be blocked and tracked as malicious probes rather than dismissed as failed exploit attempts against long-patched flaws: by the company's statistics, scanning spikes of this kind precede the disclosure of new security flaws in 80% of cases, and the correlation is even stronger for Palo Alto Networks products. Earlier this year, in February, Palo Alto Networks products saw two instances of active exploitation, including CVE-2025-0108, which attackers later chained with CVE-2025-0111 and CVE-2024-9474.

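The summary and the timeline entry above both describe the same detection problem: a flood of requests to the GlobalProtect login page (*/global-protect/login.esp) that should be treated as a malicious probe and compared against a baseline rather than ignored as failed logins. The script below is an added example, not GreyNoise's tooling or any Palo Alto Networks code; it runs over constructed sample lines in a simplified access-log format (timestamp, client IP, method, path, status) that is assumed here and is not the real PAN-OS log format. It counts hits to the login endpoint per source IP per day, compares each day against the mean of the preceding days, and reports days whose volume is at least 40 times the baseline, together with the top sources. The 40x factor is the ratio reported on this page; the three-day minimum baseline is an assumption.

```python
"""Flag a burst of requests to the GlobalProtect login endpoint against a baseline.

Added example. The log format below is a constructed, simplified access-log
line, not a real PAN-OS log format; the sample lines are constructed too.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Any prefix before /global-protect/login.esp is allowed, matching the
# "*/global-protect/login.esp" wildcard used in the reporting.
LOGIN_ESP = re.compile(r"/global-protect/login\.esp(?:$|[?#/])")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def portal_hits_by_day(lines):
    """Return {date: Counter(ip -> hits)} for requests to the login page only."""
    per_day = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and LOGIN_ESP.search(rec["path"]):
            per_day[rec["ts"].date()][rec["ip"]] += 1
    return per_day


def detect_spikes(per_day, factor=40, min_baseline_days=3, top_n=3):
    """Report days whose hit count is >= factor x the mean of all earlier days.

    A baseline is only trusted once min_baseline_days of history exist, so the
    first few days never trigger on their own.
    """
    spikes, history = [], []
    for day in sorted(per_day):
        total = sum(per_day[day].values())
        if len(history) >= min_baseline_days:
            baseline = max(sum(history) / len(history), 1.0)  # never divide by zero
            ratio = total / baseline
            if ratio >= factor:
                spikes.append({"day": day, "hits": total, "baseline": baseline,
                               "ratio": ratio,
                               "top_sources": per_day[day].most_common(top_n)})
        history.append(total)
    return spikes


# Constructed sample data: three quiet days with two legitimate logins each
# (one non-matching path per day to show filtering), then a burst on Nov 14.
BASELINE_LINES = [
    "2025-11-11T08:00:01Z 203.0.113.10 GET /global-protect/login.esp 200",
    "2025-11-11T17:30:45Z 203.0.113.11 POST /global-protect/login.esp 302",
    "2025-11-12T08:01:12Z 203.0.113.10 GET /global-protect/login.esp 200",
    "2025-11-12T09:15:00Z 203.0.113.12 GET /ssl-vpn/prelogin.esp 200",
    "2025-11-12T18:02:33Z 203.0.113.11 POST /global-protect/login.esp 302",
    "2025-11-13T08:00:09Z 203.0.113.10 GET /global-protect/login.esp?tmp=x 200",
    "2025-11-13T12:00:00Z 203.0.113.11 GET /global-protect/portal/css/login.css 200",
    "2025-11-13T19:45:10Z 203.0.113.13 GET /global-protect/login.esp 200",
    "garbage line that does not parse",
]
# 100 probes in two minutes from two scanner IPs, plus one legitimate login.
BURST_LINES = [
    f"2025-11-14T03:{i // 60:02d}:{i % 60:02d}Z 192.0.2.{50 + (i % 2)} "
    "GET /global-protect/login.esp 200"
    for i in range(100)
] + ["2025-11-14T08:00:02Z 203.0.113.10 GET /global-protect/login.esp 200"]
SAMPLE_LOGS = BASELINE_LINES + BURST_LINES


def run_sample():
    """Run the detector over the constructed sample and return the spikes found."""
    return detect_spikes(portal_hits_by_day(SAMPLE_LOGS))


if __name__ == "__main__":
    for s in run_sample():
        print(f"{s['day']}: {s['hits']} hits, {s['ratio']:.1f}x baseline "
              f"({s['baseline']:.1f}/day); top sources {s['top_sources']}")
```

In production the baseline should come from the 90-day history the reporting refers to rather than three days, and the per-IP counters are the natural place to join in ASN or GreyNoise classification data before deciding what to block.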


Similar Happenings

Large-scale RDP targeting campaign detected from multi-country botnet

A large-scale botnet targeting Remote Desktop Protocol (RDP) services in the United States has been detected. The campaign, which began on October 8, 2025, originates from over 100,000 IP addresses across multiple countries. The botnet uses two primary attack methods: RD Web Access timing attacks and RDP web client login enumeration. The botnet's activity was first detected by GreyNoise, a threat monitoring platform, following an unusual traffic spike from Brazil. Subsequent activity was observed from Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and over 100 countries in total. The campaign highlights the ongoing threat to RDP services, which are commonly used by administrators, helpdesk staff, and remote workers. Attackers often exploit vulnerabilities, perform brute-force logins, or use timing attacks to gain unauthorized access.

Increased Scanning for PAN-OS GlobalProtect Vulnerability

SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability CVE-2024-3400, a command injection flaw disclosed last year that allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls and take control of them. The scans involve attempts to upload and retrieve files, which points to pre-exploitation staging rather than simple fingerprinting. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates, and it is part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, attributed to a state-sponsored actor active since at least July 2023, which has deployed malware such as **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA's **Emergency Directive 25-03**, issued in September 2025, requires federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect evidence of compromise in ASA core dumps. Recent findings reveal that the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign's indiscriminate targeting and multi-platform exploitation underscore the adversary's broad capabilities and access to sophisticated tools.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

SonicWall has confirmed that all customers using its cloud backup service had firewall configuration backup files accessed by an unauthorized actor. The breach, first detected in early September 2025 and disclosed that month, was caused by a series of brute-force attacks against the API service behind the MySonicWall cloud backup feature. The accessed backup files contain AES-256-encrypted credentials and configuration data, and may include credentials and tokens for services running on the SonicWall devices; this raises the risk of targeted attacks and could make exploitation of affected firewalls easier. SonicWall has cut off the attackers' access, is collaborating with Mandiant and law enforcement agencies, and has advised customers to reset credentials, update secrets, and follow its detailed mitigation guidance. There is no evidence at this time that threat actors have leveraged the exposed data against impacted customers.

Separately, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.

The threat actor UNC6148 has been deploying OVERSTEP, a previously unknown persistent backdoor and user-mode rootkit, on SonicWall SMA appliances to maintain access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP; other vulnerabilities it potentially exploited include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access after patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v instances, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates whose private keys were stored on the appliance.

Huntress has reported that over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised. The accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing, and the access came from the IP address 202.155.8[.]73. In some cases the threat actors conducted network scanning and attempted to access local Windows accounts. Huntress has not found evidence linking the MySonicWall breach to this spike in compromises.

Massive 1.5 Bpps DDoS attack targets European DDoS mitigation provider

A European DDoS mitigation service provider was targeted in a large-scale distributed denial-of-service (DDoS) attack reaching 1.5 billion packets per second (Bpps). The attack originated from thousands of compromised IoT devices and MikroTik routers, affecting over 11,000 unique networks worldwide. FastNetMon, the DDoS mitigation service, successfully detected and mitigated the attack in real-time. The attack underscores the growing threat of large-scale DDoS attacks and the need for proactive measures at the ISP level to prevent such incidents. The attack aimed to exhaust the target's processing capabilities, causing potential service outages.