

Ethical Hacking News

Palo Alto Warns of Potential Upcoming Brute-Force Login Attacks on PAN-OS GlobalProtect Gateways


Palo Alto Networks has warned that it is observing evidence of brute-force login attempts on its PAN-OS GlobalProtect gateways, with the potential for these attacks to be a precursor to more targeted exploitation. The attack appears to be coordinated and focused on systems in multiple countries, including the US, UK, Ireland, Russia, and Singapore.

  • Palo Alto Networks has detected evidence of brute-force login attempts on its PAN-OS GlobalProtect gateways.
  • The attacks may be a precursor to more targeted exploitation, according to security experts.
  • A surge in login scanning activity was reported by GreyNoise starting March 17, 2025, with 23,958 unique IPs involved.
  • Most suspicious traffic was tied to three network providers: 3xK Tech GmbH, PureVoltage, and Fast Servers.
  • The attack appears to be connected to other PAN-OS reconnaissance campaigns, suggesting a coordinated effort by attackers.
  • Organizations with exposed Palo Alto Networks systems should review their logs and perform a detailed threat hunt to identify any signs of compromise.



    Palo Alto Networks has issued a warning that it is witnessing evidence of brute-force login attempts on its PAN-OS GlobalProtect gateways, with experts suggesting that these attacks may be a precursor to more targeted exploitation. This warning comes as the security firm continues to monitor activity on its devices, following a recent surge in login scanning activity targeting PAN-OS GlobalProtect portals.

    The threat intelligence firm GreyNoise reported a spike in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals starting March 17, 2025, peaking at 23,958 unique IPs. This activity is believed to be coordinated and focused on systems in the US, UK, Ireland, Russia, and Singapore, with an aim to identify exposed or vulnerable systems.

    GreyNoise found that most suspicious traffic was tied to three network providers: 3xK Tech GmbH (ASN200373), PureVoltage, and Fast Servers. These networks were identified as part of a larger pattern of activity, which included a notable spike on March 26, 2025, with 2,580 unique source IPs tagged as PAN-OS Crawler.

    "This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos," said GreyNoise. "While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access."

    GreyNoise also noted that the activity appears to be connected to other PAN-OS reconnaissance campaigns, with the attackers likely using a combination of tools and techniques to identify exposed systems.

    "The surge in activity is unusual and warrants further investigation," said GreyNoise. "Organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise."

    Palo Alto Networks has confirmed that it is actively monitoring the situation and analyzing reported activity to determine its potential impact and identify any necessary mitigations.

    "Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability," said a company spokesperson. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary."

    The attack is believed to be a coordinated effort, with attackers using a combination of tools and techniques to target exposed systems. The use of brute-force login attempts suggests that the attackers may be attempting to identify vulnerable systems before launching more targeted attacks.

    While the specifics of the attack are still unclear, experts agree that it highlights the importance of monitoring and securing critical edge devices against unauthorized access. As organizations continue to rely on cloud-based solutions and remote work arrangements, the risk of brute-force login attempts and other types of cyber threats will only continue to grow.

    In response to this warning, organizations with exposed Palo Alto Networks systems should take immediate action to review their logs and perform a detailed threat hunt on running systems to identify any signs of compromise. This may involve conducting regular security audits and monitoring for suspicious activity, as well as implementing additional security measures to prevent brute-force login attempts in the future.
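One way to begin the log review recommended above, as an added example that is not code from Palo Alto Networks, GreyNoise or the original article. It flags source IPs with repeated failures, accounts guessed from many different IPs (the pattern a scan spread over thousands of sources produces), and successful logins that follow a run of failures. The CSV layout, the function name `hunt` and the thresholds are assumptions; map the columns from your own GlobalProtect log export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, username, result.
# Simplified export for illustration, NOT the native PAN-OS log layout.
SAMPLE_LOG = """\
2025-03-17T08:00:01,198.51.100.7,admin,failure
2025-03-17T08:00:05,198.51.100.7,root,failure
2025-03-17T08:00:09,198.51.100.7,test,failure
2025-03-17T08:00:14,198.51.100.7,vpn,failure
2025-03-17T08:01:00,192.0.2.10,alice,failure
2025-03-17T08:01:30,192.0.2.10,alice,success
2025-03-17T09:00:00,203.0.113.11,jsmith,failure
2025-03-17T09:02:00,203.0.113.12,jsmith,failure
2025-03-17T09:04:00,203.0.113.13,jsmith,failure
2025-03-17T09:05:00,203.0.113.13,jsmith,success
"""

def hunt(log_text, window=timedelta(minutes=10),
         ip_failures=4, spray_sources=3, prior_failures=3):
    """Return (noisy source IPs, accounts guessed from many IPs,
    successful logins that closely follow repeated failures)."""
    events = sorted(
        (datetime.fromisoformat(row[0]), row[1], row[2], row[3])
        for row in csv.reader(io.StringIO(log_text)) if row
    )
    noisy_ips, sprayed_users, suspect_successes = set(), set(), []
    by_ip = defaultdict(list)    # ip -> recent failure timestamps
    by_user = defaultdict(list)  # user -> recent (timestamp, ip) failures
    for ts, ip, user, result in events:
        # Drop failures that have aged out of the sliding window.
        by_ip[ip] = [t for t in by_ip[ip] if ts - t <= window]
        by_user[user] = [(t, i) for t, i in by_user[user] if ts - t <= window]
        if result == "failure":
            by_ip[ip].append(ts)
            by_user[user].append((ts, ip))
            if len(by_ip[ip]) >= ip_failures:
                noisy_ips.add(ip)
            # Distributed guessing: each IP stays under the per-IP threshold.
            if len({i for _, i in by_user[user]}) >= spray_sources:
                sprayed_users.add(user)
        elif result == "success" and len(by_user[user]) >= prior_failures:
            suspect_successes.append((user, ip, ts.isoformat()))
    return noisy_ips, sprayed_users, suspect_successes

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

A flagged success is the entry to triage first: it is the point where guessing may have turned into access, so check that session's source and subsequent activity.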

    The use of brute-force login attempts by attackers highlights the importance of robust security measures and the need for organizations to take proactive steps to protect themselves against cyber threats. By taking a proactive approach to security, organizations can reduce their risk of being targeted by attackers and minimize the impact of any potential breaches.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Palo-Alto-Warns-of-Potential-Upcoming-Brute-Force-Login-Attacks-on-PAN-OS-GlobalProtect-Gateways-ehn.shtml

  • https://securityaffairs.com/176446/hacking/brute-force-login-attempts-on-pan-os-globalprotect.html


  • Published: Fri Apr 11 10:44:32 2025 by llama3.2 3B Q4_K_M












