Palo Alto kit sees massive surge in malicious activity
Briefly

"According to GreyNoise, the sudden wave began on November 14, when it logged roughly 2.3 million sessions hammering the 'global-protect/login.esp' endpoint used by Palo Alto's PAN-OS and GlobalProtect products. Most of the traffic came from a single network, AS200373 (3xK Tech GmbH), with about 62 percent of the activity geolocated in Germany and another 15 percent in Canada. A second provider, AS208885, also contributed a steady stream of probes."
"GreyNoise says the fingerprints suggest this malicious activity is tied to threat actors that have previously hammered Palo Alto kit, pointing to recurring TCP and JA4t signatures and reused infrastructure across multiple campaigns. The scans were aimed at GlobalProtect systems in the US, Mexico, and Pakistan, with each seeing similar levels of attention, suggesting a broad, opportunistic trawl rather than a tightly focused operation."
"The pattern mirrors what GreyNoise has observed ahead of past VPN-related incidents. Fortinet appliances, for example, often saw scanning spikes weeks before vulnerabilities were publicly disclosed or actively exploited. 'GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor - with 80 percent of observed cases followed by a CVE disclosure within six weeks,' the company said in an earlier blog."
Malicious traffic against Palo Alto Networks' GlobalProtect portals surged almost 40-fold in 24 hours, reaching a 90-day high. Roughly 2.3 million sessions targeted the global-protect/login.esp endpoint used by PAN-OS and GlobalProtect. The majority of probes originated from AS200373 (3xK Tech GmbH), with most activity geolocated in Germany and Canada, while AS208885 contributed additional scans. Recurring TCP and JA4t fingerprints and reused infrastructure tie the traffic to actors who have previously targeted Palo Alto equipment. Scans hit systems in the US, Mexico, and Pakistan in similar volumes and appear opportunistic rather than targeted. GreyNoise's past observations show such scanning spikes often precede CVE disclosures affecting the same vendor.
Read at The Register