Palo Alto Networks Devices Under Intense Scanning Surge, Raising Security Concerns
A significant increase in malicious scanning activity targeting Palo Alto Networks devices has been detected by threat intelligence firm GreyNoise, prompting security teams to investigate potential vulnerabilities. The surge, characterized by large-scale internet probing and reuse of the same attacker infrastructure, is reminiscent of patterns observed before the public disclosure of vulnerabilities in other vendors' products, including Fortinet.
GreyNoise has responded by releasing a dedicated blocklist for Palo Alto Networks through its Block service, allowing customers to proactively defend against the activity. While no active exploitation has been linked to the scanning and Palo Alto Networks has yet to comment, the timing and volume of the traffic are raising alarms within the security community. The activity primarily affects organizations with GlobalProtect login portals exposed to the internet.
Historically, GreyNoise research indicates that roughly 80 percent of the scanning spikes it has tracked against a vendor's products were followed by a Common Vulnerabilities and Exposures (CVE) disclosure within six weeks. This precedent is fueling concern that the current activity may foreshadow an unpatched flaw in Palo Alto Networks' products. Defenders are advised to tighten access controls on exposed GlobalProtect portals, monitor for login anomalies such as bursts of failed authentications from a single source, and prepare to implement blocklists or intrusion prevention system (IPS) rules if the probing escalates.
GreyNoise provides tools for generating custom filters based on Autonomous System Number (ASN), JA4 fingerprint, destination country, or classification to aid in mitigation efforts. The firm's earlier research highlighted similar pre-exploitation scanning activity weeks before vulnerabilities were publicly disclosed in Fortinet appliances.
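The following is an added example, not code from GreyNoise, Palo Alto Networks, or the original article, showing how a defender might act on the two pieces of advice above: match GlobalProtect portal requests against a blocklist of scanner sources, and flag sources that generate bursts of failed logins. It assumes the blocklist can be exported as plain IPs and CIDRs (one per line) and that portal access is logged in a common web-server log format; the addresses, timestamps and log lines are constructed from documentation ranges and are not real scanner infrastructure. The `/global-protect/` path prefix is the familiar GlobalProtect portal URL; adjust `GP_PATHS` for your deployment.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed blocklist: plain IPs and CIDRs as a team might export from a
# threat-intel feed. Documentation ranges only; not real scanner addresses.
BLOCKLIST = """
# scanner sources (constructed)
198.51.100.23
203.0.113.0/24
"""

# Constructed access-log lines for a GlobalProtect portal (common log format).
# Sources, times and outcomes are invented for the example.
SAMPLE_LOG = """\
198.51.100.23 - - [01/Apr/2025:10:00:01 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512
198.51.100.23 - - [01/Apr/2025:10:00:02 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 0
198.51.100.23 - - [01/Apr/2025:10:00:03 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 0
203.0.113.77 - - [01/Apr/2025:10:00:05 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512
192.0.2.10 - - [01/Apr/2025:10:01:10 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 0
192.0.2.10 - - [01/Apr/2025:10:01:11 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 0
192.0.2.10 - - [01/Apr/2025:10:01:12 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 0
192.0.2.10 - - [01/Apr/2025:10:01:13 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 0
192.0.2.55 - - [01/Apr/2025:10:02:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512
192.0.2.55 - - [01/Apr/2025:10:02:04 +0000] "POST /global-protect/login.esp HTTP/1.1" 302 0
192.0.2.10 - - [01/Apr/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common log format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# URL prefixes that belong to the GlobalProtect portal (assumption: adjust per deployment).
GP_PATHS = ("/global-protect/",)


def load_blocklist(text):
    """Parse a plain-text blocklist of IPs/CIDRs into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_blocklist(ip, nets):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line):
    """Return a dict of fields for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["minute"] = rec["ts"][:17]  # "01/Apr/2025:10:00" -> one-minute bucket
    return rec


def analyze(log_text, blocklist_text, fail_threshold=4):
    """Count portal hits from blocklisted sources and flag failed-login bursts.

    A source is flagged as brute-forcing when it produces at least
    fail_threshold failed POSTs (401/403) to a portal path within one minute.
    """
    nets = load_blocklist(blocklist_text)
    blocked_hits = Counter()
    failed = defaultdict(Counter)  # src -> minute bucket -> failed logins
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(GP_PATHS):
            continue
        if in_blocklist(rec["src"], nets):
            blocked_hits[rec["src"]] += 1
        if rec["method"] == "POST" and rec["status"] in (401, 403):
            failed[rec["src"]][rec["minute"]] += 1
    brute_force = sorted(
        src for src, per_min in failed.items()
        if max(per_min.values()) >= fail_threshold
    )
    return {"blocked_hits": dict(blocked_hits), "brute_force": brute_force}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, BLOCKLIST)
    for src, n in result["blocked_hits"].items():
        print(f"blocklisted source {src} hit the portal {n} time(s)")
    for src in result["brute_force"]:
        print(f"failed-login burst from {src}")
```

Two things are worth noting about the design. The blocklist match is a first pass only: a source that is not yet on the list but is hammering the login form (192.0.2.10 in the constructed data) is caught by the per-minute failure count, which is the "login anomaly" signal the article recommends watching. The threshold is deliberately a parameter, since a legitimate user mistyping a password two or three times should not trigger a block, and the right value depends on how many users share a NAT address in your environment.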