Malicious scanning activity against Palo Alto Networks GlobalProtect VPN login portals has surged 40-fold within 24 hours, indicating a coordinated attack campaign. This escalation is linked to previous campaigns and primarily targets the US, Mexico, and Pakistan. #GlobalProtect #PaloAltoNetworks
Key points
- Scanning activity targeting Palo Alto Networks GlobalProtect VPN portals has increased significantly, reaching a 90-day high.
- Most attack traffic originates from ASN AS200373 (3xK Tech GmbH), with a significant share of the source IPs located in Germany and Canada.
- Between November 14 and 19, over 2.3 million login attempts were recorded on the GlobalProtect login endpoint.
- These malicious probes tend to precede the disclosure of new security vulnerabilities in Palo Alto Networks products.
- Past incidents include active exploitation of vulnerabilities and a data breach linked to threat groups like ShinyHunters.