Increased Scanning Activity on Palo Alto Networks Login Portals
Summary
A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,285 unique IP addresses, with 91% classified as suspicious and 7% as malicious. The scans were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts. This surge shares characteristics with recent scanning activity targeting Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities. The scans are likely part of a broader pattern of increased malicious activity targeting network security appliances. Palo Alto Networks customers are advised to ensure they are running the latest software versions. Additionally, an increase in exploitation attempts of an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025.
Timeline

- 04.10.2025 17:18 (1 article)
  Increased Exploitation Attempts on Grafana Path Traversal Vulnerability
  An increase in exploitation attempts of an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025. The Grafana attacks targeted primarily the United States, Slovakia, and Taiwan, with consistent destination ratios indicating automation.
  Sources:
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- 04.10.2025 13:39 (2 articles)
  Palo Alto Networks Login Portals Scanning Activity Spikes
  The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts. The scans were directed at GreyNoise’s emulated Palo Alto profiles, suggesting the activity is targeted in nature, likely derived from public or attacker-originated scans fingerprinting Palo Alto devices. The scans targeting Palo Alto Networks products showed a weaker correlation to previous zero-day vulnerabilities compared to the Cisco ASA scans.
  Sources:
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18
Information Snippets

- GreyNoise observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025.
  First reported: 04.10.2025 13:39 (2 sources, 2 articles)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- The scanning activity involved 1,300 unique IP addresses, a significant increase from around 200 unique IP addresses observed previously.
  First reported: 04.10.2025 13:39 (2 sources, 2 articles)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- 93% of the IP addresses involved in the scanning activity were classified as suspicious, and 7% as malicious.
  First reported: 04.10.2025 13:39 (2 sources, 2 articles)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- The majority of the IP addresses were geolocated in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia.
  First reported: 04.10.2025 13:39 (2 sources, 2 articles)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- The scanning activity shares characteristics with recent scanning activity targeting Cisco ASA devices, including regional clustering and fingerprinting overlap.
  First reported: 04.10.2025 13:39 (2 sources, 2 articles)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- Both Palo Alto Networks and Cisco ASA scanning traffic share a dominant TLS fingerprint tied to infrastructure in the Netherlands.
  First reported: 04.10.2025 13:39 (2 sources, 2 articles)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- In April 2025, similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways was reported.
  First reported: 04.10.2025 13:39 (1 source, 1 article)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39

- In early September 2025, GreyNoise warned about suspicious scans targeting Cisco ASA devices, which preceded the disclosure of two zero-day vulnerabilities.
  First reported: 04.10.2025 13:39 (2 sources, 2 articles)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- Over 45,000 Cisco ASA/FTD instances are still susceptible to the two vulnerabilities disclosed in September 2025.
  First reported: 04.10.2025 13:39 (1 source, 1 article)
  - Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day — thehackernews.com — 04.10.2025 13:39

- The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts.
  First reported: 04.10.2025 17:18 (1 source, 1 article)
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- The scans were directed at GreyNoise’s emulated Palo Alto profiles, suggesting the activity is targeted in nature, likely derived from public or attacker-originated scans fingerprinting Palo Alto devices.
  First reported: 04.10.2025 17:18 (1 source, 1 article)
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- The scans targeting Palo Alto Networks products showed a weaker correlation to previous zero-day vulnerabilities compared to the Cisco ASA scans.
  First reported: 04.10.2025 17:18 (1 source, 1 article)
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- An increase in exploitation attempts of an old path traversal vulnerability in Grafana was observed, with 110 unique malicious IPs, most from Bangladesh, launching attacks on September 28, 2025.
  First reported: 04.10.2025 17:18 (1 source, 1 article)
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18

- The Grafana attacks targeted primarily the United States, Slovakia, and Taiwan, with consistent destination ratios indicating automation.
  First reported: 04.10.2025 17:18 (1 source, 1 article)
  - Massive surge in scans targeting Palo Alto Networks login portals — www.bleepingcomputer.com — 04.10.2025 17:18
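The snippets above describe the surge in terms of distinct source IPs per day against a prior baseline (roughly 200 rising to about 1,300, a near 500% jump). As an added illustration, and not code from the page, GreyNoise, or any of the cited reports, the following Python sketch shows the kind of baseline-versus-spike check a defender can run over their own portal access logs to notice such a jump early. The log line format, the portal paths, the IP addresses and the sample data are all constructed assumptions for the example.

```python
"""Flag days on which the number of distinct source IPs hitting a login
portal jumps well above the median of earlier days.

Added example; the log format, portal paths and addresses are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Portal paths to watch. These are assumed for the example, not taken from
# any vendor documentation.
LOGIN_PATHS = ("/global-protect/login.esp", "/ssl-vpn/login.esp")

# Assumed log format: "<YYYY-MM-DD> <source_ip> <request_path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+)$")


def _make_sample_log():
    """Constructed sample: three quiet days, then one day with 6x as many
    distinct sources. Addresses come from documentation ranges."""
    lines = []
    for day in ("2025-09-30", "2025-10-01", "2025-10-02"):
        for i in range(3):
            # Repeated requests from the same host must not inflate the count.
            lines.append(f"{day} 198.51.100.{i + 1} /global-protect/login.esp")
            lines.append(f"{day} 198.51.100.{i + 1} /global-protect/login.esp")
    for i in range(18):
        lines.append(f"2025-10-03 203.0.113.{i + 1} /global-protect/login.esp")
    # Requests outside the watched paths, and a malformed line, are ignored.
    lines.append("2025-10-03 192.0.2.9 /favicon.ico")
    lines.append("garbage line that does not parse")
    return lines


SAMPLE_LOG = _make_sample_log()


def unique_sources_per_day(lines, paths=LOGIN_PATHS):
    """Return {day: number of distinct source IPs} for requests to `paths`."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        day, src, path = m.groups()
        if path.startswith(paths):
            per_day[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def surge_days(counts, ratio=5.0, min_baseline_days=2):
    """Return {day: multiple over baseline} for days whose distinct-source
    count is at least `ratio` times the median of all earlier days.

    The median is used as the baseline so that one earlier spike does not
    hide a later one. Days with too little history are never flagged.
    """
    flagged = {}
    days = sorted(counts)
    for i, day in enumerate(days):
        history = [counts[d] for d in days[:i]]
        if len(history) < min_baseline_days:
            continue
        baseline = statistics.median(history)
        if baseline > 0 and counts[day] / baseline >= ratio:
            flagged[day] = round(counts[day] / baseline, 2)
    return flagged


if __name__ == "__main__":
    daily = unique_sources_per_day(SAMPLE_LOG)
    for day, n in daily.items():
        print(f"{day}: {n} distinct sources")
    for day, mult in surge_days(daily).items():
        print(f"ALERT {day}: {mult}x the prior median, review source IPs")
```

The ratio threshold of 5.0 mirrors the 500% figure in the reports; in practice the baseline window and threshold should be tuned to the portal's normal traffic, and a flagged day is a prompt to pull the offending source list and compare it against threat-intelligence classifications, not a verdict by itself.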
Similar Happenings
Increased Scanning for PAN-OS GlobalProtect Vulnerability
SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.
Increased network scans targeting Cisco ASA devices observed
Large-scale network scans targeting Cisco ASA devices have been detected, raising concerns about potential upcoming vulnerabilities. The scans, which began in late July and peaked in late August, involved up to 25,000 unique IP addresses probing ASA login portals and Cisco IOS Telnet/SSH. The activity was predominantly observed in the United States, UK, and Germany. The scans were largely driven by a Brazilian botnet and used overlapping Chrome-like user agents, suggesting a coordinated effort. The scans are likely reconnaissance for exploiting new or existing vulnerabilities. System administrators are advised to apply the latest security updates and enforce multi-factor authentication (MFA) for all remote ASA logins.
Chinese State-Sponsored Actors Target Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S.
The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, SonicWall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.