Palo Alto Networks Login Portals Under Massive Attack Surge

Summary
– Researchers detected a 500% surge in suspicious scans targeting Palo Alto Networks login portals, indicating reconnaissance efforts from suspicious IP addresses.
– The scanning activity peaked on October 3 with over 1,285 unique IPs, far exceeding the typical daily average of 200 addresses.
– Most of the IPs were geolocated in the U.S., with smaller clusters in the U.K., Netherlands, Canada, and Russia, and 91% were classified as suspicious.
– GreyNoise warns that such scans often precede attacks using new exploits, though the correlation is weaker for this Palo Alto activity compared to past Cisco incidents.
– A separate increase in exploitation attempts targeted an old Grafana vulnerability (CVE-2021-43798), with 110 malicious IPs primarily from Bangladesh attacking systems in the U.S., Slovakia, and Taiwan.
A dramatic surge in suspicious network scans is currently targeting Palo Alto Networks login portals, signaling what cybersecurity experts believe is a coordinated reconnaissance campaign. Intelligence gathered by GreyNoise reveals an astonishing 500% increase in IP addresses probing Palo Alto’s GlobalProtect and PAN-OS systems. This activity reached its peak on October 3rd, with over 1,285 unique IPs participating in these scans, a figure that dwarfs the typical daily average of fewer than 200 addresses.
Geographical analysis shows the majority of these scanning IPs originated from the United States, with smaller but notable clusters based in the United Kingdom, the Netherlands, Canada, and Russia. Researchers identified two primary activity clusters: one concentrating its efforts on targets within the United States and another focusing specifically on Pakistan. These groups displayed distinct TLS fingerprints, though investigators noted some technical overlap between them.
GreyNoise classified a staggering 91% of the observed IP addresses as suspicious, with an additional 7% receiving the more severe malicious designation. The company’s analysis indicates that nearly all this activity targeted their emulated Palo Alto system profiles, suggesting a highly focused campaign. This pattern typically emerges from public internet scans or attacker-orientated reconnaissance specifically designed to fingerprint Palo Alto network devices.
Historical context provides cause for concern, as GreyNoise has previously documented how such scanning activity often precedes attacks leveraging newly discovered vulnerabilities. The cybersecurity firm recently observed similar patterns with Cisco ASA devices, where increased network scans preceded the emergence of a zero-day vulnerability being actively exploited. While the correlation appears less definitive for the current Palo Alto scans, the precedent remains worrying for security professionals.
In a related development, researchers simultaneously detected increased exploitation attempts targeting an older path traversal vulnerability in Grafana, identified as CVE-2021-43798. This security flaw was originally exploited in zero-day attacks back in December 2021. On September 28th, GreyNoise observed 110 unique malicious IPs, primarily from Bangladesh, launching attacks against Grafana instances. The primary targets were located in the United States, Slovakia, and Taiwan, with attack patterns showing consistent destination ratios that typically indicate automated exploitation tools.
Security teams managing Grafana installations should immediately verify that their systems are patched against CVE-2021-43798 and consider blocking the identified malicious IP addresses. Administrators are also advised to thoroughly review their system logs for any evidence of path traversal requests that could indicate attempted unauthorized access to sensitive files. This dual-threat environment underscores the importance of maintaining vigilant security postures across all network infrastructure components.
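As an added example (not from the article or from GreyNoise), a small Python log checker for the review step described above: it scans access-log lines for requests to Grafana's plugin asset path (`/public/plugins/<plugin-id>/`, the endpoint affected by CVE-2021-43798) whose percent-decoded path climbs out of the web root with `..` segments. The log lines, IP addresses and combined log format are constructed assumptions; adapt the regex to your proxy's format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (nginx combined format in front of Grafana); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2025:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Sep/2025:10:01:05 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1873 "-" "python-requests/2.31"
203.0.113.12 - - [28/Sep/2025:10:01:07 +0000] "GET /public/plugins/welcome/%2e%2e/%2e%2e/%2e%2e/conf/defaults.ini HTTP/1.1" 200 40112 "-" "curl/8.4.0"
203.0.113.13 - - [28/Sep/2025:10:01:09 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(raw: str) -> str:
    """Strip the query string and percent-decode repeatedly (bounded) so double encoding is caught."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path segment is '..', i.e. the request tries to leave the served directory."""
    return any(seg == ".." for seg in path.split("/"))


def find_grafana_traversal(log_text: str) -> list[dict]:
    """One record per request that hits the plugin asset path with a traversal sequence.
    A 200 status on such a request means the server answered it and deserves escalation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m["path"])
        if path.startswith("/public/plugins/") and is_traversal(path):
            hits.append({"ip": m["ip"], "path": path, "status": int(m["status"]),
                         "served": m["status"] == "200"})
    return hits


if __name__ == "__main__":
    for h in find_grafana_traversal(SAMPLE_LOG):
        print(f"{h['ip']} {h['path']} status={h['status']} served={h['served']}")
```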
(Source: Bleeping Computer)