
Sharp rise in scanning activity targeting PAN GlobalProtect portals

Over the past month, approximately 24,000 distinct IP addresses have tried to gain access to various portals, prompting worries about potential impending attacks.

Unprecedented increase in login attempts on PAN GlobalProtect portals observed

In recent weeks, a significant surge in login attempts has been targeting Palo Alto Networks' PAN-OS GlobalProtect portals, raising concerns about potential large-scale exploitation of unpatched or zero-day vulnerabilities in Palo Alto VPN systems.

Researchers have categorised the bulk of the activity, approximately 23,800 IP addresses, as suspicious. A smaller subset, 154 IP addresses, has been flagged as outright malicious. The surge started on March 17 and peaked at nearly 20,000 unique IP addresses per day, with the traffic predominantly originating from the United States, followed by Canada.

The consistency of this surge suggests a calculated approach to probing network defences ahead of mass exploitation. Eric Schwake, director of cybersecurity strategy at API security provider Salt Security, advises organisations to adopt a multilayered security strategy that goes beyond conventional perimeter controls and to closely monitor API traffic.

To defend against this ongoing surge and exploitation risks, it is recommended to enforce multi-factor authentication (MFA), apply timely patching and updates, implement strict security policies, use network segmentation and micro-segmentation, monitor and analyse VPN traffic, disable unnecessary protocols, and enforce encryption.

Palo Alto’s platform, including GlobalProtect VPN and NGFW features, is designed to support these best practices. Organisations should also use software composition analysis tools, conduct regular audits of systems and their patch status, and restrict access to management interfaces to trusted internal addresses.

Given this activity, defenders with exposed Palo Alto Networks VPN systems should review their March 2025 logs and consider detailed threat hunting to detect signs of compromise. Bob Rudis, vice president of data science at GreyNoise, has stated that the current surge in login attempts on Palo Alto Networks' PAN-OS GlobalProtect portals is of a kind that has coincided with new vulnerabilities emerging two to four weeks later.
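One way to start that log review, as an added example that is not from the article or from Palo Alto Networks: a Python script that runs over constructed GlobalProtect-style portal authentication log lines, counts distinct source IPs with failed logins per day, and flags sources that cycle through several usernames. The CSV column names and the thresholds are assumptions; map them to the columns of your own log export.

```python
"""Hunt for portal-scanning bursts in GlobalProtect-style auth logs (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample: a simplified CSV export with the columns a defender would
# pull from the GlobalProtect log. Column names are assumptions, not the vendor's.
SAMPLE_LOG = """\
receive_time,eventid,public_ip,srcuser,status
2025/03/17 02:14:01,portal-auth,198.51.100.7,admin,failure
2025/03/17 02:14:03,portal-auth,198.51.100.8,test,failure
2025/03/17 02:14:05,portal-auth,198.51.100.9,guest,failure
2025/03/17 09:30:12,portal-auth,203.0.113.5,jdoe,success
2025/03/18 11:02:44,portal-auth,198.51.100.7,admin,failure
2025/03/18 11:02:45,portal-auth,198.51.100.7,root,failure
2025/03/18 11:02:46,portal-auth,198.51.100.7,vpn,failure
2025/03/18 11:02:47,portal-auth,198.51.100.7,user,failure
2025/03/18 11:02:48,portal-auth,198.51.100.7,admin2,failure
2025/03/18 14:20:00,portal-auth,203.0.113.5,jdoe,success
"""


def parse(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def daily_unique_failing_ips(rows):
    """Number of distinct source IPs with failed portal logins, per calendar day."""
    per_day = defaultdict(set)
    for r in rows:
        if r["eventid"] == "portal-auth" and r["status"] == "failure":
            day = r["receive_time"].split(" ")[0]
            per_day[day].add(r["public_ip"])
    return {day: len(ips) for day, ips in per_day.items()}


def spraying_sources(rows, min_users=3):
    """Source IPs whose failed logins span several usernames (spray-like pattern)."""
    users = defaultdict(set)
    for r in rows:
        if r["status"] == "failure":
            users[r["public_ip"]].add(r["srcuser"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


def flag_days(daily, baseline_ips):
    """Days whose distinct failing-IP count exceeds a baseline chosen from normal traffic."""
    return sorted(day for day, n in daily.items() if n > baseline_ips)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    daily = daily_unique_failing_ips(rows)
    print("failing IPs per day:", daily)
    print("days above baseline:", flag_days(daily, baseline_ips=2))
    print("spray-like sources:", spraying_sources(rows))
```

Set `baseline_ips` from a quiet period of your own logs rather than from the sample; the article's figure of nearly 20,000 unique IPs per day is far above any plausible baseline for a single portal.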

Black Duck's Cipot suggests that organisations that have been affected by the surge are possibly neglecting "to do the necessary basic actions needed to keep their organisation safe," such as "applying patches as soon as they become available to close any security vulnerability."

In summary, combining strong authentication (MFA), up-to-date patching, tightly managed security policies, network segmentation, and advanced monitoring is critical to defending Palo Alto VPN systems against ongoing surge and exploitation risks. Organisations must take immediate action to protect their systems and prevent potential exploitation.

  1. The ongoing surge in login attempts on Palo Alto Networks' PAN-OS GlobalProtect portals has been categorized as suspicious or malicious by researchers, indicating a potential large-scale exploitation of unpatched or zero-day vulnerabilities in Palo Alto VPN systems.
  2. Eric Schwake, director of cybersecurity strategy at API security provider Salt Security, advises organizations to adopt a multilayered security strategy that includes strengthening their cybersecurity through measures like enforcing multi-factor authentication, applying timely patching and updates, and implementing strict security policies.
  3. To effectively defend against this surge and exploitation risks, organizations should also leverage the capabilities of Palo Alto’s platform, such as GlobalProtect VPN and NGFW features, and employ additional strategies like network segmentation and micro-segmentation, monitoring and analyzing VPN traffic, and disabling unnecessary protocols.
  4. In light of the current threat activity, organizations with exposed Palo Alto Networks VPN systems should review their March 2025 logs, engage in detailed threat hunting, and ensure they are promptly applying patches to close any security vulnerabilities, as failure to do so may expose them to potential exploitation.
