Researchers at GreyNoise have identified a sharp rise in login-scanning activity against Palo Alto Networks' GlobalProtect VPN portals. Over a 30-day period, nearly 24,000 unique source IP addresses attempted to reach these gateways, a volume and cadence consistent with a coordinated effort to enumerate exposed portals and identify vulnerable or misconfigured systems.
Escalation of Suspicious Activity
The campaign began on March 17, 2025, rapidly climbed to roughly 20,000 unique source IPs per day, and tapered off after March 26. GreyNoise, a firm that specializes in detecting internet-wide scanning, classified nearly all of the sources (23,800 IPs) as suspicious and 154 of them as outright malicious.
Bob Rudis, Vice President of Data Science at GreyNoise, commented on the pattern:
Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies. These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.
Context of Previous Vulnerabilities
The surge is especially concerning in light of CVE-2024-3400, disclosed last year: a critical command injection vulnerability in the GlobalProtect feature of PAN-OS that allowed unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. It carries the maximum CVSS score of 10.0. The current activity is login scanning rather than confirmed exploitation, but as the pattern GreyNoise describes suggests, this kind of reconnaissance against a product with that history is a reasonable early-warning signal.
Technical Analysis and Fingerprinting
GreyNoise's analysis identified three distinct JA4H (HTTP client) fingerprint hashes associated with the login scanner tool:
– po11nn11enus_967778c7bec7_000000000000_000000000000
– po11nn09enus_fb8b2e7e6287_000000000000_000000000000
– po11nn060000_c4f66731b00d_000000000000_000000000000
Because JA4H hashes the characteristics of the client's HTTP request (method, protocol version, header set, Accept-Language, cookie usage) rather than its network address, these fingerprints let security teams recognize and correlate login attempts from the same toolkit even as the attackers rotate source IPs.
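The following Python is an added example for this article, not GreyNoise's or Palo Alto Networks' code. It decodes the human-readable JA4H_a segment of the three fingerprints above (the segment layout follows the published JA4+ specification: method, HTTP version, cookie flag, Referer flag, header count, Accept-Language) and then hunts for them in a set of constructed, JSON-formatted portal access-log records. Only the three fingerprint values come from the article; the log lines, source IPs and the `/global-protect/login.esp` path check are assumptions made for the illustration, as is the "same family" heuristic that flags cookie-less, Referer-less POSTs sharing the scanner's JA4H_a prefix.

```python
"""Decode JA4H fingerprints and hunt for them in constructed access-log records.

Added example for this article; not GreyNoise's or Palo Alto Networks' code.
Only the three JA4H strings in SCANNER_JA4H come from the article; the log
lines below are constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# The three fingerprints reported for the GlobalProtect login scanner.
SCANNER_JA4H = {
    "po11nn11enus_967778c7bec7_000000000000_000000000000",
    "po11nn09enus_fb8b2e7e6287_000000000000_000000000000",
    "po11nn060000_c4f66731b00d_000000000000_000000000000",
}

METHODS = {"ge": "GET", "po": "POST", "pu": "PUT", "he": "HEAD",
           "de": "DELETE", "op": "OPTIONS", "pa": "PATCH"}
VERSIONS = {"10": "HTTP/1.0", "11": "HTTP/1.1", "20": "HTTP/2", "30": "HTTP/3"}


def decode_ja4h(fp: str) -> dict:
    """Split a JA4H string into its four segments and decode JA4H_a.

    JA4H_a is human readable; JA4H_b is a truncated hash of the request's
    header names, and JA4H_c / JA4H_d are hashes of cookie names and values
    (all zeros when the request carried no cookie, as with all three above).
    """
    a, b, c, d = fp.split("_")
    if len(a) != 12:
        raise ValueError(f"unexpected JA4H_a length in {fp!r}")
    return {
        "method": METHODS.get(a[0:2], a[0:2]),
        "version": VERSIONS.get(a[2:4], a[2:4]),
        "cookie": a[4] == "c",          # 'c' = Cookie header present, 'n' = absent
        "referer": a[5] == "r",         # 'r' = Referer header present, 'n' = absent
        "header_count": int(a[6:8]),
        "accept_language": None if a[8:12] == "0000" else a[8:12],
        "header_hash": b,
        "cookie_name_hash": c,
        "cookie_value_hash": d,
    }


# Constructed sample log (assumed field names; RFC 5737 documentation addresses).
# Lines 1-3: exact scanner hits.  Line 4: same family, different header count.
# Lines 5-6: a browser session with cookie and Referer set.
SAMPLE_LOG = """\
{"ts":"2025-03-20T01:02:03Z","src_ip":"203.0.113.10","method":"POST","path":"/global-protect/login.esp","ja4h":"po11nn11enus_967778c7bec7_000000000000_000000000000"}
{"ts":"2025-03-20T01:02:04Z","src_ip":"203.0.113.11","method":"POST","path":"/global-protect/login.esp","ja4h":"po11nn11enus_967778c7bec7_000000000000_000000000000"}
{"ts":"2025-03-20T01:02:05Z","src_ip":"203.0.113.10","method":"POST","path":"/global-protect/login.esp","ja4h":"po11nn09enus_fb8b2e7e6287_000000000000_000000000000"}
{"ts":"2025-03-20T01:03:00Z","src_ip":"198.51.100.7","method":"POST","path":"/global-protect/login.esp","ja4h":"po11nn12enus_1a2b3c4d5e6f_000000000000_000000000000"}
{"ts":"2025-03-20T01:04:00Z","src_ip":"192.0.2.55","method":"GET","path":"/global-protect/login.esp","ja4h":"ge11cr14enus_deadbeef0000_abcdef123456_fedcba654321"}
{"ts":"2025-03-20T01:05:00Z","src_ip":"192.0.2.55","method":"POST","path":"/global-protect/login.esp","ja4h":"po11cn15enus_0011223344aa_abcdef123456_fedcba654321"}
"""


def hunt(log_text: str, exact: set = SCANNER_JA4H) -> dict:
    """Classify each record as an exact scanner hit, a 'same family' hit, or benign.

    'Same family' (an assumed heuristic) means the JA4H_a prefix matches the
    scanner's: POST over HTTP/1.1 with no Cookie and no Referer, sent to the
    portal login page.  Results are keyed by source IP so an analyst can pivot
    from fingerprint to infrastructure.
    """
    exact_hits, family_hits = Counter(), Counter()
    seen_fps = defaultdict(set)
    family_prefixes = {fp[:6] for fp in exact}  # {"po11nn"} for the three above
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fp = rec["ja4h"]
        seen_fps[rec["src_ip"]].add(fp)
        if fp in exact:
            exact_hits[rec["src_ip"]] += 1
        elif fp[:6] in family_prefixes and rec["path"].endswith("/login.esp"):
            family_hits[rec["src_ip"]] += 1
    return {
        "exact": dict(exact_hits),
        "family": dict(family_hits),
        "fingerprints_by_ip": {ip: sorted(v) for ip, v in seen_fps.items()},
    }


if __name__ == "__main__":
    for fp in sorted(SCANNER_JA4H):
        print(fp, "->", decode_ja4h(fp))
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

Decoding the JA4H_a segments shows what the three fingerprints have in common: all are POST requests over HTTP/1.1 with no Cookie and no Referer header, which is not how a browser submits the portal login form. That shared shape is why the example also reports "family" hits; an exact-match list of three hashes is brittle against a scanner whose header set changes by one header.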
Geographical Distribution of Scanning Activity
The scanning sources were concentrated in the United States (16,249 IPs) and Canada (5,823 IPs), with smaller contributions from Finland, the Netherlands, and Russia. The targets were overwhelmingly in the United States (23,768 IPs).
Most of the source traffic (20,010 IPs) came from infrastructure associated with 3xK Tech GmbH (AS200373), with additional sources hosted by PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd. Source geography here reflects where the hosting infrastructure sits, not necessarily where the operators are.
Connection to Previous Reconnaissance Efforts
The activity appears connected to other PAN-OS reconnaissance efforts, with a spike in PAN-OS Crawler traffic observed on March 26 involving 2,580 unique source IPs. Security experts have noted similarities to a 2024 espionage campaign that targeted perimeter network devices.
Recommendations for Organizations
Organizations running Palo Alto Networks products with internet-facing GlobalProtect portals should act now:
1. Review Logs: Examine GlobalProtect portal and gateway authentication logs from March for login attempts from unfamiliar sources, bursts of failed logins, or successful logins that do not match known users or devices.
2. Enhance Monitoring: Alert on the JA4H fingerprints listed above and on anomalous portal login traffic, since fingerprint-based detection holds up as the attackers rotate source IPs.
3. Conduct Threat Hunting: Hunt for signs of compromise that may have followed the reconnaissance, not just the scanning itself.
4. Apply Security Patches: Confirm that PAN-OS is fully patched, including for CVE-2024-3400, so that any follow-on exploitation attempt finds nothing to exploit.
5. Block Malicious IPs: Consider blocking the 154 IPs GreyNoise tagged as malicious; treat IP blocking as a short-term measure, since the source addresses change.
Addressing these items promptly reduces the chance that reconnaissance of this kind turns into a successful intrusion.