
Palo Alto confirms brute-force attacks on PAN-OS GlobalProtect gateways


A little more than one week after SC Media reported a spike in suspicious login activity aimed at Palo Alto Networks PAN-OS GlobalProtect portals, Palo Alto has confirmed that it observed brute-force login attempts against these devices.

However, Palo Alto underscored that while its teams are observing evidence of password-related brute-force login attacks, this activity does not indicate exploitation of a vulnerability.

“Palo Alto Networks is aware of a recent blog post by GreyNoise regarding scanning activity targeting PAN-OS GlobalProtect portals,” a Palo Alto spokesperson told SC Media. “We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary.”

Here’s why this development is important to security teams: In a brute-force attack, threat actors repeatedly attempt to log in to an account, trying many username and password combinations until one succeeds. Once an attacker finds a working credential, they can access these networking devices and then either move laterally to carry out further malicious activity, or sell the stolen credentials on the dark web.

Boris Cipot, senior security engineer at Black Duck, added that while most Palo Alto customers have probably updated their PAN-OS systems and mitigated their vulnerabilities, that does not mean everyone has.

“Therefore, the attackers are likely trying to see who has missed the mark and ‘forgot’ to do the necessary basic actions needed to keep their organization safe,” said Cipot.

Here’s a list of the basic actions Cipot recommends for security teams:

  • Apply patches as soon as they become available to close any security vulnerability. Keep in mind that mitigation steps (workarounds applied before a patch exists) are only a temporary fix; apply the patch or software upgrade as soon as it is released.
  • Restrict access to management interfaces to trusted internal addresses. This lowers the risk of unauthorized access.
  • Review system and activity logs to find suspicious actions. Teams will need monitoring tools in place. Palo Alto Networks customers may already have this covered, but organizations still weighing whether to adopt monitoring tools should not deliberate for long, because the benefit to the organization is immediate.
  • Check system status regularly. Regular security audits are hard and time consuming, but they improve the organization’s security posture and help remediate potential security risks.
  • Deploy software composition analysis (SCA) tools. They help keep the organization’s software in check by identifying the open-source software (OSS) components in use and tracking their health status. Monitoring the components used in software alerts the team faster to newly discovered vulnerabilities.
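The brute-force pattern described earlier (one source cycling through many usernames and passwords) and the log-review recommendation above come together in a detection rule. The following Python is an added example written for this article, not code from Palo Alto Networks, GreyNoise or Black Duck. It uses a constructed, simplified `key=value` log format, not PAN-OS's real GlobalProtect log schema; the thresholds (five failures within five minutes) and the sample lines are assumptions chosen for illustration. It flags a source address that produces a burst of failed logins and, more urgently, a burst that is followed by a success from the same source, which is the case where the attacker has found a working credential.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a simplified, hypothetical key=value format.
# This is NOT the real PAN-OS GlobalProtect log schema; adjust LINE_RE to the
# fields your log source actually emits.
SAMPLE_LOG = """\
2025-04-10T09:00:01Z src=203.0.113.7 user=alice result=fail
2025-04-10T09:00:03Z src=203.0.113.7 user=bob result=fail
2025-04-10T09:00:05Z src=198.51.100.4 user=carol result=fail
2025-04-10T09:00:06Z src=203.0.113.7 user=carol result=fail
2025-04-10T09:00:09Z src=203.0.113.7 user=dave result=fail
2025-04-10T09:00:12Z src=198.51.100.4 user=carol result=success
2025-04-10T09:00:14Z src=203.0.113.7 user=admin result=fail
2025-04-10T09:00:20Z src=203.0.113.7 user=dave result=success
2025-04-10T09:30:00Z src=192.0.2.9 user=eve result=fail
2025-04-10T09:31:00Z src=192.0.2.9 user=eve result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_lines(text):
    """Parse the constructed format into event dicts sorted by time.
    Malformed lines are skipped rather than crashing the rule."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """Return one finding per source IP whose failed logins inside a sliding
    `window` reach `min_failures` (both thresholds are assumptions).
    Each finding records how many distinct usernames were tried and whether a
    successful login from the same source followed the burst."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "fail"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits within `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_failures:
                burst = failures[start:end + 1]
                success_after = any(
                    e["result"] == "success" and e["ts"] >= burst[0]["ts"] for e in evs
                )
                findings.append({
                    "src": src,
                    "failures": len(burst),
                    "distinct_users": len({e["user"] for e in burst}),
                    "first": burst[0]["ts"].isoformat(),
                    "last": burst[-1]["ts"].isoformat(),
                    "success_after": success_after,
                })
                break  # one finding per source is enough for triage
    return findings


def run_sample():
    """Run the rule over the constructed sample log."""
    return find_brute_force(parse_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        severity = "HIGH (success after burst)" if f["success_after"] else "MEDIUM"
        print(f"{severity}: {f['src']} {f['failures']} failures across "
              f"{f['distinct_users']} users, {f['first']} .. {f['last']}")
```

In the sample, 203.0.113.7 fails five times across five different usernames in 13 seconds and then succeeds as `dave`, so it is reported as the high-severity case; 198.51.100.4 (one typo, then success) and 192.0.2.9 (two failures) stay below the threshold. The `distinct_users` count is what separates a spray across many accounts from one user mistyping a password, and `success_after` is the signal that should trigger a credential reset rather than just a block.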