Ethical Hacking News

Palo Alto Networks Under Siege: A Looming Cyber Threat



Palo Alto Networks is facing a massive surge in malicious activity targeting their GlobalProtect portals. Cybersecurity experts are warning of a potential larger-scale attack, with many advising customers to take immediate action to protect themselves.

  • Palo Alto Networks is facing a massive cyber threat targeting their GlobalProtect portals.
  • The malicious traffic has surged 40-fold in 24 hours, representing a 90-day high.
  • The attack appears to be related to known threat actors who have previously targeted Palo Alto Networks' kit.
  • GreyNoise has identified strong connections between this spike and prior related campaigns.
  • Experts advise customers with exposed GlobalProtect login portals to tighten access controls, watch for login anomalies, and prepare for potential blocklists or IPS rules.
  • A dedicated Palo Alto blocklist is available through GreyNoise's Block service to help defenders generate filters to block malicious traffic.



    Palo Alto Networks, a leading provider of cybersecurity solutions, has found itself at the epicenter of a massive cyber threat. In recent days, malicious actors have been targeting the GlobalProtect portals of Palo Alto Networks' customers, sparking concerns about the potential consequences of this attack.

    According to data from GreyNoise, a security research firm, the malicious traffic targeting Palo Alto Networks' GlobalProtect portals has surged almost 40-fold in the space of 24 hours. This represents a 90-day high and puts defenders on high alert for whatever comes next. The sudden wave began on November 14, when GreyNoise logged roughly 2.3 million sessions hammering the "global-protect/login.esp" endpoint used by Palo Alto's PAN-OS and GlobalProtect products.

    Most of the traffic came from a single network, AS200373 (3xK Tech GmbH), with about 62 percent of the activity geolocated in Germany and another 15 percent in Canada. A second provider, AS208885, also contributed a steady stream of probes. The fingerprints suggest that this malicious activity is tied to threat actors that have previously hammered Palo Alto Networks' kit.

    GreyNoise has identified strong connections between this spike and prior related campaigns, and the company assesses with high confidence that these campaigns are at least partially driven by the same threat actor. The pattern mirrors what GreyNoise has observed ahead of past VPN-related incidents: Fortinet appliances, for example, often saw scanning spikes weeks before vulnerabilities were publicly disclosed or actively exploited.

    The pattern suggests that there may be a larger-scale attack brewing, with Palo Alto Networks' GlobalProtect login portals being targeted in a broad, opportunistic manner rather than as part of a tightly focused operation. The timing and volume of the traffic are enough to make security teams twitchy, with many experts advising customers who run exposed GlobalProtect login portals to tighten access controls, watch for login anomalies, and be ready to slap in blocklists or IPS rules if the probing turns into something more serious.

    To help customers get ahead of the surge, GreyNoise has pushed out a dedicated Palo Alto blocklist through its Block service. The list is keyed to ASN, JA4 fingerprint, destination country, or classification, allowing defenders to generate their own filters to block malicious traffic. There's no confirmed exploit in circulation that maps to the observed scanning, and Palo Alto hasn't issued any fresh advisories that might explain the sudden rush of interest.
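One way to act on the advice above (watch for login anomalies, and be ready with ASN-keyed filters), as an added example that is not from the article, The Register, or GreyNoise: scan a CLF-style access log for requests to the GlobalProtect login endpoint, flag sources whose request rate jumps by the article's 40-fold ratio over a per-source baseline, and group them by ASN for a block rule. The log lines, the IP-to-ASN map, and the baseline are constructed for illustration.

```python
# Added example (not from the article, The Register, or GreyNoise): spot a scanning
# surge against the GlobalProtect login endpoint in a CLF-style access log and group
# the offending sources by ASN. Log lines, IP-to-ASN map and thresholds are constructed.
import re
from collections import Counter
from datetime import datetime, timezone

LOGIN_ENDPOINT = "/global-protect/login.esp"   # endpoint named in the article
# Constructed lookup; production code would resolve ASNs from routing/whois data.
IP_TO_ASN = {"198.51.100.7": "AS200373", "198.51.100.9": "AS200373",
             "203.0.113.4": "AS208885", "192.0.2.10": "AS64496"}
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (src_ip, timestamp, method, path, status) or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def login_hits_by_source(lines, window_start):
    """Count requests to the login endpoint per source IP at or after window_start."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec[1] >= window_start and rec[3].split("?")[0] == LOGIN_ENDPOINT:
            counts[rec[0]] += 1
    return counts

def surge_report(lines, window_start, baseline_per_src=1, ratio=40):
    """Flag sources whose login hits reach baseline*ratio (the article's 40-fold jump)
    and return {asn: [ips]}; unmapped sources land under the key None."""
    flagged = {}
    for ip, n in login_hits_by_source(lines, window_start).items():
        if n >= baseline_per_src * ratio:
            flagged.setdefault(IP_TO_ASN.get(ip), []).append(ip)
    return {asn: sorted(ips) for asn, ips in flagged.items()}

def make_line(ip, i, path=LOGIN_ENDPOINT):
    """Build one constructed CLF log line; i spreads requests over seconds of one minute."""
    return f'{ip} - - [14/Nov/2025:10:{i // 60:02d}:{i % 60:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: three noisy sources, one ordinary user, one unrelated request.
SAMPLE_LOG = ([make_line("198.51.100.7", i) for i in range(45)]
              + [make_line("198.51.100.9", i) for i in range(50)]
              + [make_line("203.0.113.4", i) for i in range(42)]
              + [make_line("192.0.2.10", i) for i in range(2)]
              + [make_line("192.0.2.10", 5, "/index.html"), "garbage line"])
WINDOW_START = datetime(2025, 11, 14, 0, 0, tzinfo=timezone.utc)
```

Running `surge_report(SAMPLE_LOG, WINDOW_START)` groups the three noisy sources under AS200373 and AS208885 while the ordinary user stays unflagged; the ASN keys are what you would feed into an edge or IPS block rule.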

    Even so, the mix of large-scale internet probing, repeat attacker infrastructure, and a known history of pre-exploitation scanning is rarely a good sign. Cybersecurity experts are on high alert, watching for signs of what could be a larger-scale attack on Palo Alto Networks' customers. As one expert noted, "The pattern mirrors what GreyNoise has observed ahead of past VPN-related incidents."

    For organizations running exposed GlobalProtect login portals, the advice is to exercise caution and a healthy dose of paranoia: tighten access controls, watch for login anomalies, and have blocklists or IPS rules ready to deploy if the probing turns into something more serious. The cybersecurity landscape continues to evolve at a breakneck pace, with Palo Alto Networks under siege from multiple fronts.

    GreyNoise's dedicated blocklist, keyed to ASN, JA4 fingerprint, destination country, or classification, lets defenders generate their own filters against the malicious traffic. As the situation continues to unfold, cybersecurity experts will be watching for signs of what could be a larger-scale attack on Palo Alto Networks' customers.

    The Register would like to thank GreyNoise for its timely analysis and for providing critical information about this ongoing cyber threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Palo-Alto-Networks-Under-Siege-A-Looming-Cyber-Threat-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/11/20/palo_alto_traffic_flood/


  • Published: Thu Nov 20 05:47:25 2025 by llama3.2 3B Q4_K_M