A spike in suspicious scans targeting Palo Alto Networks login portals indicates clear reconnaissance efforts from suspicious IP addresses, researchers warn.
Cybersecurity intelligence company GreyNoise reports a 500% increase in IP addresses focused on Palo Alto Networks GlobalProtect and PAN-OS profiles.
The activity culminated on October 3 with more than 1,285 unique IPs engaged in the activity. Typically, daily scans do not exceed 200 addresses, the company says.
Most of the observed IPs were geolocated in the U.S., while smaller clusters were based in the U.K., the Netherlands, Canada, and Russia.
One activity cluster concentrated its traffic on targets in the United States and another one focused on Pakistan, the researchers say, noting that both had "distinct TLS fingerprints but not without overlap."
According to GreyNoise, 91% of the IP addresses were classified as suspicious. An additional 7% were tagged as malicious.
"Nearly all activity was directed at GreyNoise’s emulated Palo Alto profiles (Palo Alto GlobalProtect, Palo Alto PAN-OS), suggesting the activity is targeted in nature, likely derived from public (e.g., Shodan, Censys) or attacker-originated scans fingerprinting Palo Alto devices," explains GreyNoise.
Palo Alto scanning activity
Source: GreyNoise
GreyNoise has previously warned that such scan activity often indicates preparation for attacks using new exploits for zero-day or n-day flaws.
... continue reading