Increased Scanning Activity of Palo Alto Networks Indicates Potential Cyber Threats

TL;DR

• Hackers are actively scanning Palo Alto Networks GlobalProtect portals for vulnerabilities.
• Over 24,000 unique IP addresses have been involved in this coordinated effort.
• Organizations are advised to secure their login portals and review logs for potential compromises.

Spike in Palo Alto Networks Scanner Activity Suggests Imminent Cyber Threats

Researchers at the threat intelligence firm GreyNoise have issued a warning about hackers scanning for vulnerabilities in Palo Alto Networks GlobalProtect portals. This activity is likely a preparation for targeted attacks. GreyNoise has observed a significant surge in login scanning activity targeting these portals, with nearly 24,000 unique IP addresses attempting to access them over the last 30 days¹.

Coordinated Effort to Identify Vulnerabilities

From March 17 to 26, the activity surged with nearly 20,000 IPs scanning logins daily. GreyNoise identified around 23,000 suspicious IPs and 150 known malicious ones, suggesting a potential targeted attack. The pattern indicates a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation¹.

Reconnaissance Effort and Recommendations

Experts believe that this activity is part of a reconnaissance effort to test network defenses, potentially paving the way for future attacks. GreyNoise recommends that organizations using Palo Alto Networks products take steps to secure their login portals. A large portion of the traffic is linked to 3xK Tech GmbH (20,010 IPs) under ASN200373, with contributions from PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting. GreyNoise identified three JA4h hashes related to a login scanner tool¹.

Geographic Distribution and Similar Threats

The activity originates mainly from the U.S. (16,249 IPs) and Canada (5,823 IPs), targeting primarily the U.S. (23,768), followed by the U.K., Ireland, Russia, and Singapore. The researchers also observed scans targeting GlobalProtect portals and other PAN-OS appliances like PAN-OS Crawler, similar to threats identified by Cisco Talos in April last year, which targeted Cisco appliances, Microsoft Exchange servers, and edge devices from various vendors².

Conclusion

Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise¹.

Additional Resources

For further insights, check:

• GreyNoise Report on Surge in Palo Alto Networks Scanner Activity
• Cisco Talos Report on ArcaneDoor Espionage Campaign

References

1. GreyNoise (2025). “Surge in Palo Alto Networks Scanner Activity”. GreyNoise. Retrieved 2025-04-02. ↩︎ ↩︎² ↩︎³ ↩︎⁴

2. Cisco Talos (2024). “ArcaneDoor: New Espionage-Focused Campaign Found Targeting Perimeter Network Devices”. Cisco Talos. Retrieved 2025-04-02. ↩︎