Illicit traffic bombards Palo Alto Networks GlobalProtect portals

Nearly 2.3 million IP sessions have targeted the login endpoint of Palo Alto Networks PAN-OS and GlobalProtect instances since Nov. 14, an almost 40-fold increase over 24 hours that indicates a coordinated attack campaign, reports The Register.

GlobalProtect systems in the U.S., Mexico, and Pakistan have been the primary targets of the scans, most of which came from the AS200373 network, whose IP addresses were mostly based in Germany and Canada, findings from GreyNoise showed. The illicit scanning involved TCP and JA4T signatures, as well as infrastructure linked to prior exploitation of Palo Alto Networks products.

"GreyNoise has also identified strong connections between this spike and prior related campaigns. We assess with high confidence that these campaigns are at least partially driven by the same threat actor," said GreyNoise Security Research Architect Matthew Remacle. Such a surge in attacks against GlobalProtect has prompted GreyNoise to release a dedicated blocklist. Organizations with vulnerable GlobalProtect login portals have also been urged to bolster access controls.
