SecurityWeek

Hackers Looking for Vulnerable Palo Alto Networks GlobalProtect Portals

GreyNoise warns of a coordinated effort probing the internet for potentially vulnerable Palo Alto Networks GlobalProtect instances.

Threat actors are probing the internet for vulnerable Palo Alto Networks GlobalProtect secure remote access instances, likely in preparation for targeted exploitation, threat intelligence firm GreyNoise warns.

Over the past month, more than 24,000 unique IP addresses have been observed attempting to access GlobalProtect portals, indicating a coordinated effort that could precede the exploitation of fresh vulnerabilities.

Beginning March 17, the activity increased significantly, with nearly 20,000 unique IPs seen performing login scans against GlobalProtect per day, and remained high until March 26.

Roughly 23,000 IPs engaged in this activity are classified as suspicious, and a small subset of 150 IPs are known to be malicious, GreyNoise explains.

According to the security firm, the coordinated effort is likely meant to test network defenses ahead of planned exploitation attempts.

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies. These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later,” GreyNoise VP Bob Rudis said.

Most of the attacks originate from the US, where more than 16,000 of the identified IPs are located. Canada comes in second with over 5,800 IPs. The scanning activity mainly targets the US, with a small percentage of the scans targeting the UK, Ireland, Russia, and Singapore.

GreyNoise also notes that over 20,000 of the identified IPs are associated with 3xK Tech GmbH, under ASN200373. Others are linked to Fast Servers Pty Ltd., Oy Crea Nova Hosting Solution Ltd, and PureVoltage Hosting Inc.

In addition to targeting GlobalProtect portals, the scans also hit other appliances running PAN-OS, such as PAN-OS Crawler. It’s similar to activity flagged by Cisco in April last year, when threat actors were seen targeting Cisco appliances, Microsoft Exchange servers, and edge devices from other vendors.

“Given the unusual nature of this activity, organizations with exposed Palo Alto Networks systems should review their March logs and consider performing a detailed threat hunt on running systems to identify any signs of compromise,” GreyNoise notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
