Nearly 24,000 IPs behind wave of Palo Alto Global Protect scans
A significant spike in scanning activity targeting Palo Alto Networks GlobalProtect login portals has been observed, with researchers concerned it may be a prelude to an upcoming attack or the exploitation of a new flaw.
According to GreyNoise, which reported the activity, the scanning involves over 24,000 unique source IP addresses. It peaked at roughly 20,000 unique IPs per day on March 17, 2025, and continued at that scale until March 26.
Of those IPs, 23,800 are classified as "suspicious," while 154 were validated by the threat monitoring firm as "malicious," a strong indication that at least part of the activity is hostile rather than benign research scanning.
Most of the scanning attempts originate from the United States and Canada, and most targeted systems are also located in the United States, though systems in other countries are being probed as well.

GreyNoise noted that in the past, such spikes in network scanning have been linked to preparatory reconnaissance, with the disclosure of new flaws following two to four weeks later.
"Over the past 18 to 24 months, we've observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies," states Bob Rudis, VP of Data Science at GreyNoise.
"These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later."
GreyNoise also highlighted the consistency with which the scanning is performed, suggesting it could be an effort to test network defenses before attempting targeted exploitation.
The researchers also found a link to separate activity they have been observing recently: a PAN-OS crawler that likewise spiked on March 26, 2025, involving 2,580 IPs.
GreyNoise noted that the activity is reminiscent of the 'ArcaneDoor' espionage campaign that Cisco Talos reported roughly a year ago, which targeted edge devices.
At this time, the exact nature and goals of this large-scale activity remain unclear, but the takeaway for administrators of internet-exposed Palo Alto Networks systems is to elevate their vigilance against probing and potential exploitation attempts.
GreyNoise recommends that administrators review logs going back to mid-March to determine whether they have been targeted, hunt for signs of compromise, harden login portals, and block the known malicious IPs shared in the report.
BleepingComputer has contacted Palo Alto Networks for comment on the activity GreyNoise is seeing, and we will update this post when we hear back.
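A minimal version of the log review GreyNoise recommends, written as an added example for this article rather than code from GreyNoise or Palo Alto Networks: it walks portal access records from mid-March onward, counts unique sources hitting the GlobalProtect portal and gateway login paths, flags any source on a block list, and flags sources with repeated failed POST logins. The space-separated log format, the sample lines and the block list are all constructed for the example (a real PAN-OS export would need its own parser); the `/global-protect/` and `/ssl-vpn/` path prefixes are the standard GlobalProtect portal and gateway endpoints.

```python
"""Hunt a GlobalProtect portal access log for scanner activity.

Added example, not from the GreyNoise report or Palo Alto Networks.
Assumption (not from the article): each line is a generic export of the form
"<ISO-8601 timestamp> <source IP> <method> <path> <HTTP status>".
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

# Constructed sample lines (not real traffic; RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2025-03-10T02:11:09Z 203.0.113.5 GET /global-protect/login.esp 200
2025-03-17T03:00:01Z 198.51.100.7 GET /global-protect/login.esp 200
2025-03-17T03:00:02Z 198.51.100.7 POST /global-protect/login.esp 401
2025-03-17T03:00:03Z 198.51.100.7 POST /global-protect/login.esp 401
2025-03-17T03:00:04Z 198.51.100.7 POST /global-protect/login.esp 401
2025-03-18T09:15:44Z 192.0.2.44 GET /global-protect/login.esp 200
2025-03-18T09:15:50Z 192.0.2.44 POST /global-protect/login.esp 302
2025-03-26T11:20:00Z 198.51.100.9 GET /global-protect/login.esp 200
2025-03-26T11:20:01Z 198.51.100.9 GET /ssl-vpn/login.esp 404
"""

# Constructed block list standing in for the IPs published in the report.
BLOCKLIST = {"198.51.100.7"}

# Start of the review window the article recommends (mid-March 2025).
CUTOFF = datetime(2025, 3, 15, tzinfo=timezone.utc)

# GlobalProtect portal and gateway login endpoints.
PORTAL_PATHS = ("/global-protect/", "/ssl-vpn/")


def parse_line(line):
    """Split one assumed-format log line into typed fields."""
    ts, ip, method, path, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ipaddress.ip_address(ip),   # raises on a malformed address
        "method": method,
        "path": path,
        "status": int(status),
    }


def hunt(log_text, blocklist=BLOCKLIST, cutoff=CUTOFF, fail_threshold=3):
    """Summarise portal probing since `cutoff`.

    Returns unique source count, per-source hit counts, block-list matches,
    and sources with at least `fail_threshold` failed POST logins.
    """
    hits = Counter()       # portal requests per source IP
    failures = Counter()   # failed login POSTs (401/403) per source IP
    blocked_seen = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["ts"] < cutoff or not ev["path"].startswith(PORTAL_PATHS):
            continue
        ip = str(ev["ip"])
        hits[ip] += 1
        if ev["method"] == "POST" and ev["status"] in (401, 403):
            failures[ip] += 1
        if ip in blocklist:
            blocked_seen.add(ip)
    return {
        "unique_sources": len(hits),
        "hits": dict(hits),
        "blocklist_matches": sorted(blocked_seen),
        "brute_force_candidates": sorted(
            ip for ip, n in failures.items() if n >= fail_threshold
        ),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

Feed `hunt()` the real export and the report's IP list; the pre-cutoff line from 203.0.113.5 is dropped, the block-listed 198.51.100.7 is reported both as a block-list match and, with three 401 responses, as a brute-force candidate, while the successful-looking 192.0.2.44 login is counted but not flagged. Any source that appears in the block-list match set is a reason to check that host's sessions and admin activity, not just to block the address.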