Palo Alto Networks Warns of Brute-Force Login Attempts on PAN-OS GlobalProtect Gateways: Potential Imminent Threats

Discover the latest developments as Palo Alto Networks identifies a surge in brute-force login attempts on PAN-OS GlobalProtect gateways, indicating potential upcoming attacks. Learn about the security measures and implications for cybersecurity.

TL;DR

Palo Alto Networks has confirmed a significant increase in brute-force login attempts against PAN-OS GlobalProtect gateways. The vendor says the activity is consistent with password attacks and does not indicate exploitation of a vulnerability, but the scale and coordination reported by GreyNoise raise concerns that it is reconnaissance ahead of targeted attacks. Organizations with exposed GlobalProtect portals are advised to review their logs and hunt for signs of compromise.

Main Content

Brute-Force Login Attempts Detected on PAN-OS GlobalProtect Gateways

Palo Alto Networks has confirmed a surge in brute-force login attempts targeting PAN-OS GlobalProtect gateways. The vendor stressed that the activity is consistent with password attacks rather than exploitation of a known vulnerability, but said it warrants continued monitoring and analysis.

“Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability,” a company spokesperson told The Hacker News. “We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary.”

Recently, the threat intelligence firm GreyNoise reported a spike in login scanning against PAN-OS GlobalProtect portals that began on March 17, 2025 and involved 23,958 unique source IPs over the preceding 30 days. The activity, which GreyNoise assesses as likely coordinated, focused on systems in the U.S., U.K., Ireland, Russia, and Singapore, with the apparent goal of identifying exposed systems.[^1]

“GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals,” reported GreyNoise. “The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation.”[^1]

GreyNoise found that most of the suspicious traffic (20,010 IPs) was tied to 3xK Tech GmbH (ASN200373), with smaller shares from PureVoltage, Fast Servers, and Oy Crea Nova. It also identified three JA4h hashes (HTTP client fingerprints) associated with the attackers’ login scanner tool, indicating consistent connection characteristics across the attempts.

The experts also noticed that the activity is likely connected to other PAN-OS reconnaissance campaigns, including a notable spike on March 26, 2025, with 2,580 unique source IPs tagged as PAN-OS Crawler.

“This surge in activity is reminiscent of a 2024 espionage campaign targeting perimeter network devices, reported by Cisco Talos. While the specific methods differ, both incidents highlight the importance of monitoring and securing critical edge devices against unauthorized access,” concludes GreyNoise. “Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise.”
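The log review GreyNoise recommends above can be started with a simple sliding-window hunt over GlobalProtect authentication events. The following is an added example written for this page; it is not code from the original article, from GreyNoise, or from Palo Alto Networks. The log lines are constructed and deliberately simplified to the fields the hunt needs (timestamp, portal/gateway stage, source IP, username, result); real PAN-OS GlobalProtect logs carry many more fields, so the `LOG_RE` pattern, the thresholds and the sample IP addresses are all assumptions to be adapted to your export format. It flags three things a practitioner would look for: high-rate failures from one source (brute force), one source cycling many usernames (password spraying), and a success that follows a run of failures from the same source, which is the lead most worth escalating.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real PAN-OS output: a simplified shape that
# carries only the fields this hunt needs. Adapt LOG_RE to the CSV/syslog
# export you actually have before running this against production logs.
SAMPLE_LOG = """\
2025-03-17T02:14:05Z portal-auth src=203.0.113.10 user=admin status=failure
2025-03-17T02:14:09Z portal-auth src=203.0.113.10 user=test status=failure
2025-03-17T02:14:13Z portal-auth src=203.0.113.10 user=vpn status=failure
2025-03-17T02:14:18Z portal-auth src=203.0.113.10 user=jsmith status=failure
2025-03-17T02:14:22Z portal-auth src=203.0.113.10 user=support status=failure
2025-03-17T02:14:26Z portal-auth src=203.0.113.10 user=backup status=failure
2025-03-17T02:15:01Z portal-auth src=198.51.100.7 user=jsmith status=failure
2025-03-17T02:15:40Z portal-auth src=198.51.100.7 user=jsmith status=failure
2025-03-17T02:16:12Z portal-auth src=198.51.100.7 user=jsmith status=failure
2025-03-17T02:16:55Z portal-auth src=198.51.100.7 user=jsmith status=failure
2025-03-17T02:17:30Z portal-auth src=198.51.100.7 user=jsmith status=failure
2025-03-17T02:18:02Z portal-auth src=198.51.100.7 user=jsmith status=success
2025-03-17T09:30:00Z portal-auth src=192.0.2.44 user=mlee status=failure
2025-03-17T09:30:30Z portal-auth src=192.0.2.44 user=mlee status=success
"""

# Assumed line shape (see above); unparseable lines are skipped, not guessed at.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<stage>portal-auth|gateway-auth) "
    r"src=(?P<src>[0-9.]+) user=(?P<user>\S+) status=(?P<status>success|failure)$"
)


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def hunt(events, window=timedelta(minutes=10), fail_threshold=5, spray_users=4):
    """Sliding-window hunt over auth events. Each finding is raised once per source IP.

    brute_force            - at least fail_threshold failures inside `window`
    password_spray         - failures against at least spray_users distinct users inside `window`
    success_after_failures - a success preceded by at least fail_threshold failures
                             from the same source inside `window`
    """
    recent = defaultdict(list)  # src -> [(ts, user)] failures still inside the window
    flagged = set()
    findings = []

    def add(kind, src, fails, ts):
        if (src, kind) in flagged:
            return
        flagged.add((src, kind))
        findings.append({"type": kind, "src": src, "failures": len(fails),
                         "users": sorted({u for _, u in fails}),
                         "first": fails[0][0], "last": ts})

    for e in events:
        src, ts = e["src"], e["ts"]
        # Drop failures that have aged out of the window, then evaluate this event.
        recent[src] = [(t, u) for t, u in recent[src] if t >= ts - window]
        fails = recent[src]
        if e["status"] == "failure":
            fails.append((ts, e["user"]))
            if len(fails) >= fail_threshold:
                add("brute_force", src, fails, ts)
            if len({u for _, u in fails}) >= spray_users:
                add("password_spray", src, fails, ts)
        elif len(fails) >= fail_threshold:
            add("success_after_failures", src, fails, ts)
    return findings


def top_sources(events, n=5):
    """Rank source IPs by failure count; feed the top entries to an ASN/ownership lookup."""
    counts = defaultdict(int)
    for e in events:
        if e["status"] == "failure":
            counts[e["src"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in hunt(evs):
        print(f"{f['type']:24} {f['src']:15} failures={f['failures']} users={f['users']}")
    print("top sources:", top_sources(evs))
```

On the constructed sample, the first source is flagged for both brute force and spraying, the second for brute force followed by a success, and the third (one mistyped password, then success) is left alone. The `top_sources` output is the list to enrich with ASN ownership, since GreyNoise attributed most of the observed traffic to a single hosting provider; the JA4h grouping GreyNoise used requires HTTP-layer visibility that ordinary authentication logs do not provide.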

Pierluigi Paganini, Security Affairs

For more details, visit the full article: source

Conclusion

The surge in brute-force login attempts against PAN-OS GlobalProtect gateways does not, by Palo Alto Networks’ account, involve exploitation of a vulnerability, but its scale and coordination make it a credible precursor to targeted attacks. Organizations with exposed GlobalProtect portals should review their March 2025 authentication logs, hunt for failed-then-successful logins and other signs of compromise on running systems, and keep monitoring these edge devices closely.

This post is licensed under CC BY 4.0 by the author.