Scanning for Palo Alto Networks portals: Meanwhile, researchers at GreyNoise this week reported seeing a recent significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. GlobalProtect is an endpoint application that allows employees to access a company’s resources remotely.

Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals, the researchers said. “The pattern suggests a co-ordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation,” they said, suggesting a threat actor has discovered a new vulnerability.

The report doesn’t say if the scanning was accompanied by login attempts.

Most of the traffic came from the United States (16,249 IP addresses) and Canada (5,823), followed by Finland, Netherlands, and Russia. However, threat actors are known to disguise their bases by leveraging compromised servers in other countries.

The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore. The spike began on March 17, the report says, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off. Most of the activity is suspicious, with a smaller subset flagged as malicious.

“The consistency of this activity suggests a planned approach to testing network defenses,” says the report, “potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals,” the researchers said.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3953828/surge-in-threat-actors-scanning-juniper-cisco-and-palo-alto-networks-devices.html