Redazione RHC: 8 October 2025 14:42
Beginning on October 7, 2025, there was a large-scale intensification of targeted attacks against Palo Alto Networks' GlobalProtect access portals running PAN-OS. Over 2,200 unique IP addresses were observed conducting reconnaissance.
This is a significant increase from the 1,300 IP addresses observed just a few days earlier. According to GreyNoise Intelligence monitoring, this represents the most intense scanning activity in the last 90 days.
On October 3, 2025, a 500% spike in scanning activity marked the start of the reconnaissance campaign. On that day, approximately 1,300 unique IP addresses were detected probing Palo Alto login portals. Compared with the previous three months, this initial spike represented the highest level of scanning recorded.
In the 90 days leading up to this event, daily scan volumes had almost never reached the threshold of 200 IP addresses.
The analysis conducted by GreyNoise found that the overwhelming majority of the malicious IP addresses, a full 91%, are located in the United States. Other concentrations were found in the United Kingdom, the Netherlands, Canada, and Russia, in that order.
The substantial infrastructure investment behind this operation is evidenced by the fact that security specialists identified approximately 12% of the ASN11878 subnets overall as dedicated to scanning Palo Alto access portals. The failed-authentication patterns point to automated brute-force operations against GlobalProtect SSL VPN portals, which makes it likely that the threat actors are systematically working through large credential databases.
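As an added example (not code from the article, GreyNoise or Palo Alto Networks), the following Python script shows how a defender would apply the two signals described above to their own GlobalProtect portal logs: a jump in distinct source IPs against a trailing baseline, as on October 3, and per-source failed-login patterns that look like automated credential testing. The log format, IP addresses, usernames and thresholds are all constructed for the example; real PAN-OS GlobalProtect logs carry many more fields, so the parser would need adapting.

```python
import ipaddress
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# --- Constructed sample data (not real GreyNoise or PAN-OS telemetry) --------
# Simplified line format: "YYYY-MM-DD,src_ip,username,result"


def _constructed_log() -> str:
    """Build a small synthetic log: 7 quiet days, then one spike day."""
    lines = []
    start = date(2025, 9, 26)
    # Quiet days: 20 distinct sources each, mostly successful logins.
    for d in range(7):
        day = start + timedelta(days=d)
        for i in range(20):
            ip = ipaddress.IPv4Address("203.0.113.0") + i
            result = "failure" if i % 7 == 0 else "success"
            lines.append(f"{day},{ip},user{i},{result}")
    # Spike day: 120 new sources, every login failing, each trying 3 usernames.
    spike = date(2025, 10, 3)
    for i in range(120):
        ip = ipaddress.IPv4Address("198.51.100.0") + i
        for u in range(3):
            lines.append(f"{spike},{ip},admin{u},failure")
    # One noisy source on the spike day: 40 failures across 40 usernames.
    noisy = ipaddress.IPv4Address("192.0.2.77")
    for u in range(40):
        lines.append(f"{spike},{noisy},acct{u},failure")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse the simplified CSV format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, user, result = line.split(",")
        events.append({"day": date.fromisoformat(day), "src": src,
                       "user": user, "result": result})
    return events


def unique_sources_per_day(events) -> dict:
    """Count distinct source IPs hitting the portal on each day."""
    seen = defaultdict(set)
    for e in events:
        seen[e["day"]].add(e["src"])
    return {d: len(s) for d, s in sorted(seen.items())}


def detect_spikes(daily: dict, ratio: float = 5.0, absolute_threshold: int = 0):
    """Flag days whose distinct-source count is at least `ratio` times the
    median of earlier non-spike days, or above `absolute_threshold` (0 = off).
    Returns (day, count, baseline) tuples."""
    flagged, history = [], []
    for day, count in sorted(daily.items()):
        if history:
            baseline = median(history)
            if count >= ratio * baseline or (absolute_threshold and count > absolute_threshold):
                flagged.append((day, count, baseline))
                continue  # keep spike days out of the baseline
        history.append(count)
    return flagged


def failure_rate(events, day: date) -> float:
    """Share of login attempts on `day` that failed (0.0 if no events)."""
    total = [e for e in events if e["day"] == day]
    if not total:
        return 0.0
    return sum(e["result"] == "failure" for e in total) / len(total)


def brute_force_candidates(events, min_failures: int = 10, min_users: int = 5) -> list:
    """Sources with many failures spread across many usernames: the shape of
    automated credential testing rather than one user mistyping a password."""
    failures, users = defaultdict(int), defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]] += 1
            users[e["src"]].add(e["user"])
    return sorted(src for src in failures
                  if failures[src] >= min_failures and len(users[src]) >= min_users)


if __name__ == "__main__":
    ev = parse_log(_constructed_log())
    daily = unique_sources_per_day(ev)
    for day, count, base in detect_spikes(daily):
        print(f"spike {day}: {count} distinct sources vs baseline {base:.0f}, "
              f"failure rate {failure_rate(ev, day):.0%}")
    print("brute-force candidates:", brute_force_candidates(ev))
```

The spike detector keeps flagged days out of the running baseline so that a multi-day campaign does not quietly raise the bar for itself; in practice the ratio and the absolute threshold (the article's 200-IP baseline would be a reasonable starting point) should be tuned to the portal's normal traffic before alerting on them.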
GreyNoise has released a comprehensive dataset including the unique usernames and passwords seen in monitored Palo Alto login attempts, allowing security teams to estimate their potential credential exposure. The technical analysis shows that 93% of the IP addresses involved were labeled suspicious, while 7% were deemed malicious.
Examination of the scanning activity reveals several regional clusters with distinct TCP signatures, suggesting multiple organized threat groups operating concurrently. Security researchers have identified possible links between the Palo Alto scanning series and simultaneous probing operations against Cisco ASA devices.
Both campaigns share dominant TCP fingerprints tied to infrastructure in the Netherlands, along with similar regional clustering behavior and tooling characteristics. This multi-technology activity suggests a broader reconnaissance campaign targeting enterprise remote access solutions.