
Palo Alto Portal Scans Skyrocket 500%

Summary

– GreyNoise observed a 500% surge in reconnaissance activity targeting Palo Alto Networks login portals, with 1300 IPs detected on October 3 compared to fewer than 200 daily over the previous 90 days.
– The scanning activity is targeted and likely derived from public or attacker-originated scans, with 91% of IPs located in the US and 93% classified as suspicious.
– Similar scanning increases have been detected for other remote access services, including Cisco ASA products, sharing regional clustering and tooling fingerprints with the Palo Alto activity.
– GreyNoise research notes that past surges in Palo Alto scanning have not consistently correlated with new vulnerability disclosures, but monitoring continues for any potential links.
– Security experts warn that cyber-threat actors are using AI to enhance reconnaissance and exploitation efforts, including vulnerability research and social engineering.

Security professionals are witnessing an unprecedented wave of reconnaissance scans directed at Palo Alto Networks login interfaces. GreyNoise, a real-time threat intelligence provider, documented a staggering 500% increase in scanning activity, with approximately 1,300 distinct IP addresses triggering its Palo Alto Networks Login Scanner tag on a single day, October 3rd. This figure is especially alarming when compared to the preceding 90-day period, during which daily counts seldom exceeded 200 IPs.

Analysts assess that this activity is deliberate and probably stems from scans initiated by attackers or by parties leveraging publicly available tools. Geographically, the origin of these scans is heavily concentrated, with 91% of the IP addresses traced back to the United States. Smaller groupings were identified in the United Kingdom, the Netherlands, Canada, and Russia. GreyNoise classifies the overwhelming majority, 93%, of this activity as “suspicious,” while the remaining 7% is confirmed to be malicious.

This recent spike represents the most significant surge in scanning against Palo Alto login portals that GreyNoise has observed over the last quarter. The company’s previous research from July noted that similar surges against Palo Alto technologies were sometimes followed by the public disclosure of new vulnerabilities within a six-week window. However, the firm clarifies that surges specifically targeting its Palo Alto Login Scanner tag have not consistently demonstrated this pattern. GreyNoise is maintaining vigilant observation to determine if the current activity might precede a new vulnerability announcement from Palo Alto, which would add a new data point to their earlier findings.

This trend is not isolated to a single vendor. GreyNoise has also detected heightened scanning efforts aimed at other remote access services, including products from SonicWall, Ivanti, Pulse Secure, and notably, Cisco ASA. The analysis reveals that the recent Palo Alto surge shares distinct characteristics with Cisco ASA scanning observed in the preceding 48 hours. In both campaigns, the scanners displayed regional clustering and overlaps in the digital fingerprints of the tools being used.

A dominant TLS fingerprint associated with infrastructure located in the Netherlands was common to both the Cisco ASA and Palo Alto login scanning traffic. This development follows an earlier instance where GreyNoise reported a surge in ASA scanning just before Cisco publicly disclosed two zero-day vulnerabilities affecting its ASA products. Despite these parallels, GreyNoise cannot definitively confirm whether the same threat actor is behind both campaigns or if the underlying intent is identical.
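An added example (not GreyNoise's or Palo Alto Networks' code) of the defender-side checks the article describes: counting distinct source IPs per day against a trailing 90-day baseline to flag a surge like the one above, and intersecting TLS fingerprints across services to spot the kind of overlap noted between the Cisco ASA and Palo Alto login traffic. The record format, service labels and fingerprint names are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records (day, source_ip, service, tls_fingerprint); the
# service labels and fingerprint names are assumptions, not real GreyNoise tags.
def sample_records():
    recs, start = [], date(2025, 7, 5)
    for d in range(90):                           # quiet 90-day baseline
        day = start + timedelta(days=d)
        recs += [(day, f"10.{d}.{i}.1", "paloalto_login", "fp-baseline") for i in range(150)]
    surge = start + timedelta(days=90)            # one day with 1300 distinct IPs
    recs += [(surge, f"100.{i // 256}.{i % 256}.1", "paloalto_login", "fp-nl-shared") for i in range(1300)]
    recs += [(surge, f"172.16.{i}.1", "cisco_asa", "fp-nl-shared") for i in range(40)]
    recs += [(surge, "192.0.2.9", "cisco_asa", "fp-other")]
    return recs

def daily_distinct_ips(records, service):
    """Map each day to the set of distinct source IPs seen against `service`."""
    per_day = defaultdict(set)
    for day, ip, svc, _ in records:
        if svc == service:
            per_day[day].add(ip)
    return per_day

def surge_days(records, service, window=90, factor=5.0):
    """Flag days whose distinct-IP count is >= factor x the peak of the prior window."""
    per_day = daily_distinct_ips(records, service)
    flagged = []
    for day in sorted(per_day):
        prior = [len(per_day[d]) for d in per_day if day - timedelta(days=window) <= d < day]
        if prior and len(per_day[day]) >= factor * max(prior):
            flagged.append((day, len(per_day[day]), max(prior)))
    return flagged

def shared_fingerprints(records, day, services):
    """TLS fingerprints seen against every listed service on `day`."""
    seen = {svc: set() for svc in services}
    for d, _, svc, fp in records:
        if d == day and svc in seen:
            seen[svc].add(fp)
    return set.intersection(*seen.values())

if __name__ == "__main__":
    recs = sample_records()
    for day, count, peak in surge_days(recs, "paloalto_login"):
        print(f"{day}: {count} distinct IPs vs prior-90-day peak {peak}")
        print("fingerprints shared with cisco_asa:",
              shared_fingerprints(recs, day, ["paloalto_login", "cisco_asa"]))
```

A shared fingerprint across services is a lead for correlation, not proof of a single actor, which is the same caveat GreyNoise applies to its own observation.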

Security products continue to be a prime target for cybercriminals. Just last week, reports surfaced detailing an uptick in attacks by the Akira ransomware group, which were specifically aimed at commandeering SonicWall SSL VPN appliances.

The role of artificial intelligence is also amplifying these threats, enabling threat groups to scale up their reconnaissance and exploitation efforts significantly. In a report from May, the UK’s National Cyber Security Centre (NCSC) issued a stark warning, stating that cyber-threat actors are almost certainly already using AI to refine their existing tactics, techniques, and procedures. This includes enhancing victim reconnaissance, accelerating vulnerability research and exploit development, gaining system access through more sophisticated social engineering, generating basic malware, and processing stolen data.

(Source: Info Security)
