Skip to main content

Command Palette

Search for a command to run...

Massive surge in scans targeting Palo Alto Networks login portals

Published
2 min readView as Markdown
Massive surge in scans targeting Palo Alto Networks login portals

A spike in suspicious scans targeting Palo Alto Networks login portals indicates clear reconnaissance efforts from suspicious IP addresses, researchers warn.

Cybersecurity intelligence company GreyNoise reports a 500% increase in IP addresses focused on Palo Alto Networks GlobalProtect and PAN-OS profiles.

The activity culminated on October 3 with more than 1,285 unique IPs engaged in the activity. Typically, daily scans do not exceed 200 addresses, the company says.

Most of the observed IPs were geolocated in the U.S., while smaller clusters were based in the U.K., the Netherlands, Canada, and Russia.

One activity cluster concentrated its traffic on targets in the United States and another one focused on Pakistan, the researchers say, noting that both had "distinct TLS fingerprints but not without overlap."

According to GreyNoise, 91% of the IP addresses were classified as suspicious. An additional 7% were tagged as malicious.

"Nearly all activity was directed at GreyNoise’s emulated Palo Alto profiles (Palo Alto GlobalProtect, Palo Alto PAN-OS), suggesting the activity is targeted in nature, likely derived from public (e.g., Shodan, Censys) or attacker-originated scans fingerprinting Palo Alto devices," .

Palo Alto scanning activity Source: GreyNoise

GreyNoise has that such scan activity often indicates preparation for attacks using new exploits for zero-day or n-day flaws.

The cybersecurity firm issued a warning recently about targeting Cisco ASA devices. Two weeks later, news emerged about a targeting the same Cisco product.

However, GreyNoise says the observed correlation is weaker for the recent scans focusing on Palo Alto Networks products.

Grafana also targeted

Researchers also noticed an increase in exploitation attempts of an old path traversal vulnerability in Grafana. The security issue is identified as CVE-2021-43798 and was in zero-day attacks.

110 unique malicious IPs, most of them from Bangladesh, launching attacks on September 28.

The targets were primarily based in the United States, Slovakia, and Taiwan, with the attacks maintaining a consistent destination ratio depending on the specific origin, which typically indicates automation.

Observed exploitation attempts Source: GreyNoise

Greynoise recommends administrators to make sure that their Grafana instances are patched against CVE-2021-43798 and block the identified 110 malicious IP addresses.

The researchers also advise checking the logs for evidence of path traversal requests that may return sensitive files.

Join the Breach and Attack Simulation Summit and experience the future of security validation. Hear from top experts and see how AI-powered BAS is transforming breach and attack simulation.

Don't miss the event that will shape the future of your security strategy


More from this blog

F

FPT Metrodata Indonesia Cyber Security

683 posts

FPT Metrodata Indonesia (FMI) provides news, analysis & guides on cybersecurity and threat intelligence for Indonesia & Vietnam. Visit https://news.fmisec.com. FMI: https://fmisec.com