Vulnerability Management, Network Security

24,000 unique IP addresses target PAN-OS GlobalProtect gateways

(Credit: gguy – stock.adobe.com)

A significant surge in scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateway portals has been observed: over the last 30 days, nearly 24,000 unique IP addresses have attempted to access PAN-OS devices.

The increased activity suggests a coordinated effort to probe network defenses and identify vulnerable systems, potentially as a precursor to targeted exploitation, according to a March 31 GreyNoise blog.

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, vice president of data science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging two to four weeks later.”

Palo Alto Networks is well aware that its PAN-OS products are targeted by attackers. In fact, last November, Palo Alto Networks' Unit 42 research group found an authentication bypass in PAN-OS appliances that was being actively exploited. The flaw was given a severity rating of 9.3 and designated "critical" by Palo Alto Networks, which at the time released instructions for updating PAN-OS firewalls.

For the more recent activity involving the 24,000 IPs, GreyNoise researchers reported that the top source countries were the United States and Canada, followed by Finland, the Netherlands, and Russia. The vast majority of the scanning targeted organizations in the United States, with smaller volumes aimed at the UK, Ireland, Russia, and Singapore.

Eric Schwake, director of cybersecurity strategy at Salt Security, said the recent increase in suspicious login scanning aimed at Palo Alto Networks PAN-OS GlobalProtect gateways illustrates the ongoing threat from attackers looking to exploit vulnerabilities in network security devices. Schwake said this persistent activity, involving nearly 24,000 distinct IP addresses, highlights the attackers' commitment to gaining unauthorized access.

“Extensive IP scanning is mainly a reconnaissance method attackers employ to uncover unknown vulnerabilities, such as zero-day exploits,” said Schwake. “Attackers automate these scans to examine systems for weaknesses, open ports, and misconfigurations, with the goal of finding exploitable vulnerabilities before defenders or vendors realize the threats. Though defenders may identify more vulnerabilities during post-attack assessments, the scanning process itself is an offensive approach intended to actively locate and exploit hidden security flaws.”

Schwake said security teams need to understand that while perimeter defenses are important, they are not invulnerable. Consequently, organizations should adopt a multi-layered security strategy that goes beyond conventional perimeter controls.

“This means closely monitoring API traffic, as these gateways often expose APIs for management and authentication,” said Schwake. “It’s vital to govern API security posture to ensure these interfaces are securely configured, with robust authentication and authorization measures in place.”

J. Stephen Kowski, Field CTO at SlashNext Email Security, added that this massive scanning campaign targeting Palo Alto Networks GlobalProtect portals follows a concerning pattern he has seen before: intensive reconnaissance preceding the discovery of new vulnerabilities.

“Organizations should immediately implement strict access controls for management interfaces, enforce strong authentication policies, and consider implementing real-time threat detection that can identify and block suspicious login attempts from known malicious IPs,” said Kowski. “Advanced threat intelligence that continuously monitors for these coordinated scanning campaigns can provide early warning before vulnerabilities are publicly disclosed, giving security teams precious time to harden defenses against the inevitable exploitation attempts that follow.”

Lawrence Pingree, vice president at Dispersive, added that it makes sense that these devices and management planes are targeted, since they are often wide open and exposed to the internet, which is one of the worst practices for a firewall.

“Remember, any open ports or protocols in the infrastructure become an attack target,” said Pingree. “The sheer number of sources participating in the brute force/credential attacks is due to the speed and scale of the attack. This is really about the threat actor nabbing as many targets as possible, then picking from locations they either want to sell to the dark web, or using themselves for other types of activities.”
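The advice above (monitor the gateway's authentication interface, flag coordinated scanning early, and block login attempts from known malicious sources) can be turned into a simple detection over the portal's own access logs. The following is an added example written for this page, not code from GreyNoise, Palo Alto Networks, or any of the vendors quoted. It assumes a simplified access-log line format ("date source-IP method path status"), assumes the GlobalProtect portal login page lives at /global-protect/login.esp (the article does not name the path), and uses constructed sample traffic and a constructed "known bad" CIDR list. It counts distinct source IPs hitting the login path per day, flags a day whose count is several times the median of earlier days, and lists login-path sources that fall inside the known-bad ranges as block candidates.

```python
"""Flag a scanning surge against a GlobalProtect portal from its access logs (added example)."""
import re
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed portal login path; the article does not name it. Adjust for your deployment.
LOGIN_PATH = "/global-protect/login.esp"

# Constructed sample log (not real traffic). Three quiet days, then one day with
# eight distinct sources hitting the login path. Format: "date src_ip method path status".
SAMPLE_LOG = """\
2025-03-01 198.51.100.10 GET /global-protect/login.esp 200
2025-03-01 198.51.100.11 POST /global-protect/login.esp 401
2025-03-02 198.51.100.10 GET /global-protect/login.esp 200
2025-03-02 198.51.100.12 GET /global-protect/login.esp 200
2025-03-03 198.51.100.11 GET /global-protect/login.esp 200
2025-03-03 198.51.100.13 POST /global-protect/login.esp 401
2025-03-03 198.51.100.10 GET /global-protect/login.esp 200
2025-03-04 203.0.113.1 GET /global-protect/login.esp 200
2025-03-04 203.0.113.2 GET /global-protect/login.esp 200
2025-03-04 203.0.113.3 GET /global-protect/login.esp 200
2025-03-04 203.0.113.4 GET /global-protect/login.esp 200
2025-03-04 203.0.113.5 GET /global-protect/login.esp 200
2025-03-04 203.0.113.6 GET /global-protect/login.esp 200
2025-03-04 203.0.113.7 GET /global-protect/login.esp 200
2025-03-04 203.0.113.8 GET /global-protect/login.esp 200
2025-03-04 203.0.113.9 GET /favicon.ico 404
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (date, src_ip, path, status) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day, ip, _method, path, status = m.groups()
    try:
        return date.fromisoformat(day), ip_address(ip), path, int(status)
    except ValueError:  # malformed date or IP: skip rather than crash the pipeline
        return None


def distinct_login_sources(log_text):
    """Map each day to the set of distinct source IPs that touched the login path."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == LOGIN_PATH:
            per_day[rec[0]].add(rec[1])
    return dict(per_day)


def surge_days(per_day, factor=3.0, min_history=2):
    """Days whose distinct-source count exceeds factor x the median of all earlier days.

    A median baseline resists being dragged up by a single earlier busy day; the
    first min_history days only seed the baseline and are never flagged.
    """
    flagged, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if len(history) >= min_history and count > factor * median(history):
            flagged.append((day, count))
        history.append(count)
    return flagged


def block_candidates(per_day, known_bad_cidrs):
    """Login-path sources that fall inside the supplied (here constructed) malicious ranges."""
    nets = [ip_network(c) for c in known_bad_cidrs]
    seen = set().union(*per_day.values()) if per_day else set()
    return sorted(ip for ip in seen if any(ip in n for n in nets))


if __name__ == "__main__":
    counts = distinct_login_sources(SAMPLE_LOG)
    for day, n in surge_days(counts):
        print(f"surge: {day} saw {n} distinct sources on {LOGIN_PATH}")
    for ip in block_candidates(counts, ["203.0.113.0/29"]):
        print(f"block candidate: {ip}")
```

On the constructed data the surge detector flags only 2025-03-04 (eight distinct sources against a median baseline of two), and the /29 block list matches seven of the eight login-path sources from that day. In production the same logic would run over the firewall's real GlobalProtect logs and a vendor or GreyNoise-supplied blocklist rather than a hand-written CIDR, and the factor and history window should be tuned against your own portal's normal daily traffic before anything is blocked automatically.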
