Over a 30-day period, nearly 24,000 unique IP addresses have attempted to access these critical security gateways, suggesting a coordinated effort to probe network defenses and identify vulnerable systems.
The campaign began on March 17, 2025, with activity rapidly escalating to approximately 20,000 unique IPs per day before tapering off after March 26.
GreyNoise has classified most sources (23,800 IPs) as suspicious, with 154 IP addresses definitively tagged as malicious.
“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” explained Bob Rudis, VP of Data Science at GreyNoise.
“These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”
This scanning surge raises significant concerns following the discovery of CVE-2024-3400 last year, a critical command injection vulnerability in PAN-OS GlobalProtect that allowed unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls.
The vulnerability received the maximum CVSS score of 10.0, highlighting its severity.
Through technical analysis, researchers identified three distinct JA4h network fingerprint hashes linked to the login scanner tool:
These fingerprints enable security teams to identify and correlate separate login attempts originating from the same toolkit, even as attackers change their source IPs.
Geographically, the scanning originated predominantly from the United States (16,249 IPs) and Canada (5,823 IPs), with additional sources in Finland, the Netherlands, and Russia. The vast majority targeted systems in the United States (23,768 IPs).
A substantial portion of the traffic (20,010 IPs) has been linked to infrastructure associated with 3xK Tech GmbH under ASN200373, with additional contributions from PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.
The activity appears connected to other PAN-OS reconnaissance efforts, with a spike in “PAN-OS Crawler” traffic observed on March 26 involving 2,580 unique source IPs.
Security experts have noted similarities to a 2024 espionage campaign that targeted perimeter network devices.
Organizations using Palo Alto Networks products should immediately review their March logs, implement enhanced monitoring, conduct thorough threat hunting, ensure all security patches are applied, and consider blocking identified malicious IPs.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
The post Hackers Scanning From 24,000 IPs to Gain Access to Palo Alto Networks GlobalProtect Portals appeared first on Cyber Security News.
An excellent 3D printer with multi-color print capability just got a huge price drop ahead…
Similar to every other high-end GPU on the market, the AMD Radeon 9070 XT graphics…
Don't worry, the Duffer Brothers will be happy to tell you what happened to Eleven…
A data breach makes headlines for a day. The damage it leaves behind lasts years. Critical…
Linus Torvalds has publicly declared that the Linux kernel’s private security mailing list has become…
A fresh set of critical vulnerabilities in the popular workflow automation platform n8n is raising…
This website uses cookies.