
Cybersecurity researchers at GreyNoise have reported a significant increase in malicious scanning activities targeting Palo Alto Networks PAN-OS GlobalProtect login portals. As of October 7, 2025, attacks have originated from over 2,200 unique IP addresses.
Increase in Attack Volume
The number of unique IP addresses involved in reconnaissance against Palo Alto login infrastructure has risen sharply. The figure stood at approximately 1,300 IPs when first observed on October 3 and has escalated significantly within days.
On October 7, peak activity involved over 2,200 distinct IP addresses, indicating a coordinated effort by multiple threat actors or a single operation with distributed infrastructure.
GreyNoise researchers have observed an increasing diversity of Autonomous System Numbers (ASNs) involved, suggesting broadening operator involvement. This indicates that multiple threat actors may be participating rather than a single coordinated group.
Technical Insights
Approximately 12 percent of all ASN11878 subnets have been used for scanning Palo Alto login portals. This highlights the extensive network infrastructure being leveraged for these attacks.
The elevated pace of login attempts suggests systematic iteration through a substantial dataset of compromised credentials, consistent with credential stuffing attacks. In such attacks, previously breached username and password combinations are used to attempt unauthorized access across multiple platforms.
GreyNoise has published a list of unique usernames and passwords observed from Palo Alto login attempts. This resource is available through their GitHub repository, providing valuable indicators for enhancing organizational defense.
Operational Impact
An Executive Situation Report has been produced, offering strategic insights into the threat landscape and recommended defensive measures. The report emphasizes the importance of robust authentication mechanisms and monitoring login anomalies.
Organizations using Palo Alto Networks PAN-OS GlobalProtect should review authentication logs, monitor for suspicious login activities, and consider implementing multi-factor authentication and geographic access restrictions.
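As an added illustration of the log review recommended above (not GreyNoise or Palo Alto Networks code), the following sketch flags two patterns in authentication events: single sources cycling through many usernames, and single accounts failing from many sources. The CSV layout, the thresholds, the watchlist and all sample rows are constructed assumptions; real PAN-OS exports must be mapped onto these columns.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified CSV layout (time, src_ip, user, result).
# Assumption: this is not the PAN-OS log schema; map exported fields onto it.
SAMPLE_LOG = """time,src_ip,user,result
2025-10-07T01:00:01Z,198.51.100.10,admin,failure
2025-10-07T01:00:02Z,198.51.100.10,test,failure
2025-10-07T01:00:03Z,198.51.100.10,vpnuser,failure
2025-10-07T01:00:04Z,198.51.100.10,jsmith,failure
2025-10-07T01:05:00Z,203.0.113.7,alice,failure
2025-10-07T01:05:20Z,203.0.113.7,alice,failure
2025-10-07T01:05:40Z,203.0.113.7,alice,success
2025-10-07T02:00:00Z,192.0.2.21,svc-backup,failure
2025-10-07T02:10:00Z,192.0.2.22,svc-backup,failure
2025-10-07T02:20:00Z,192.0.2.23,svc-backup,failure
"""
# Constructed stand-in for a published list of usernames seen in attempts.
WATCHLIST = frozenset({"admin", "test", "vpnuser", "guest"})

def load(log_text):
    """Parse the CSV into per-source tallies and per-user failing sources."""
    by_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    fail_ips_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        ip, user = row["src_ip"], row["user"].strip().lower()
        rec = by_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        if row["result"] != "success":
            rec["failures"] += 1
            fail_ips_by_user[user].add(ip)
    return by_ip, fail_ips_by_user

def stuffing_sources(log_text, min_users=3, min_fail_ratio=0.9):
    """Sources trying many usernames with few successes -> watchlist hits."""
    by_ip, _ = load(log_text)
    return {
        ip: sorted(rec["users"] & WATCHLIST)
        for ip, rec in by_ip.items()
        if len(rec["users"]) >= min_users
        and rec["failures"] / rec["attempts"] >= min_fail_ratio
    }

def distributed_targets(log_text, min_ips=3):
    """Accounts failing from many sources, which per-IP thresholds miss."""
    _, fail_ips_by_user = load(log_text)
    return {u: sorted(i) for u, i in fail_ips_by_user.items() if len(i) >= min_ips}
```

The user who mistypes a password twice and then succeeds (203.0.113.7 in the sample) is not flagged by either check, while the account probed once each from three addresses is caught only by the per-account view.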














