Malicious traffic targeting Palo Alto Networks’ GlobalProtect portals surged almost 40-fold in the space of 24 hours, hitting a 90-day high and putting defenders on alert for whatever comes next.
According to GreyNoise, the sudden wave began on November 14, when it logged roughly 2.3 million sessions hammering the “global-protect/login.esp” endpoint used by Palo Alto’s PAN-OS and GlobalProtect products. Most of the traffic came from a single network, AS200373 (3xK Tech GmbH), with about 62 percent of the activity geolocated in Germany and another 15 percent in Canada. A second provider, AS208885, also contributed a steady stream of probes.
GreyNoise says the fingerprints suggest this malicious activity is tied to threat actors that have previously hammered Palo Alto kit, pointing to recurring TCP and JA4t signatures and reused infrastructure across multiple campaigns. The scans were aimed at GlobalProtect systems in the US, Mexico, and Pakistan, with each seeing similar levels of attention, suggesting a broad, opportunistic trawl rather than a tightly focused operation.
“GreyNoise has also identified strong connections between this spike and prior related campaigns,” said Matthew Remacle, security research architect at GreyNoise. “We assess with high confidence that these campaigns are at least partially driven by the same threat actor.”
The pattern mirrors what GreyNoise has observed ahead of past VPN-related incidents. Fortinet appliances, for example, often saw scanning spikes weeks before vulnerabilities were publicly disclosed or actively exploited. “GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor – with 80 percent of observed cases followed by a CVE disclosure within six weeks,” the company said in an earlier blog.
That doesn’t mean Palo Alto is sitting on an unpatched bug, but the timing and volume of the traffic are enough to make security teams twitchy.
To help customers get ahead of the surge, GreyNoise has pushed out a dedicated Palo Alto blocklist through its Block service and says defenders can generate their own filters keyed to ASN, JA4 fingerprint, destination country, or classification.
There’s no confirmed exploit in circulation that maps to the observed scanning, and Palo Alto hasn’t issued any fresh advisories that might explain the sudden rush of interest (nor has it responded to The Register’s questions). Even so, the mix of large-scale internet probing, repeat attacker infrastructure, and a known history of pre-exploitation scanning is rarely a good sign.
For organizations running exposed GlobalProtect login portals, the advice is the usual blend of caution and paranoia: tighten access controls, watch for login anomalies, and be ready to slap in blocklists or IPS rules if the probing turns into something more serious. ®
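One way to do the "watch for login anomalies" part, as an added example that is not GreyNoise's or Palo Alto's code: compare hits on the login.esp endpoint in the last 24 hours with the previous 24 hours and report the source ASNs and countries behind any spike, which are the same keys the article says blocklists are built on. The log line format, ASNs and addresses are all constructed for this example and do not match any real PAN-OS log format.

```python
"""Spike detection for GlobalProtect login-portal probes over sample log lines.
Hypothetical line format (constructed for this example, not a PAN-OS log format):
    <ISO timestamp> <src_ip> <asn> <country> <method> <path>"""
from collections import Counter
from datetime import datetime, timedelta

PORTAL_PATH = "/global-protect/login.esp"
SAMPLE_NOW = datetime(2025, 11, 14, 12, 0, 0)  # "now" used when analysing the sample below

# Constructed sample: a quiet baseline day, then a burst from one ASN (AS64500, DE).
SAMPLE_LOG = (
    "2025-11-13T09:00:01Z 203.0.113.5 AS64496 US GET /global-protect/login.esp\n"
    "2025-11-13T15:30:11Z 198.51.100.7 AS64497 CA GET /global-protect/login.esp\n"
    + "".join(f"2025-11-14T10:{i:02d}:{(i * 7) % 60:02d}Z 192.0.2.{i + 1} "
              f"AS64500 DE GET /global-protect/login.esp\n" for i in range(60))
    + "2025-11-14T11:00:00Z 198.51.100.9 AS64497 CA GET /global-protect/login.esp\n"
    + "2025-11-14T11:05:00Z 203.0.113.8 AS64496 US GET /index.html\n"
)

def parse_line(line):
    """Return (timestamp, src_ip, asn, country, path), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1], parts[2], parts[3], parts[5]
    except ValueError:  # unparseable timestamp
        return None

def portal_hits(log_text):
    """Yield parsed records whose path is the GlobalProtect login endpoint."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[4] == PORTAL_PATH:
            yield rec

def detect_spike(log_text, now, window=timedelta(hours=24), ratio=10.0):
    """Compare portal hits in the last `window` with the equal-length window before it; report
    counts, multiplier, spike flag and top source ASNs/countries (blocklist/IPS rule keys)."""
    current, baseline = [], []
    for rec in portal_hits(log_text):
        if now - window <= rec[0] <= now:
            current.append(rec)
        elif now - 2 * window <= rec[0] < now - window:
            baseline.append(rec)
    multiplier = len(current) / max(len(baseline), 1)  # a silent baseline must not divide by zero
    return {"baseline": len(baseline), "current": len(current), "multiplier": multiplier,
            "spike": multiplier >= ratio,
            "top_asn": Counter(r[2] for r in current).most_common(3),
            "top_country": Counter(r[3] for r in current).most_common(3)}
```

Running `detect_spike(SAMPLE_LOG, SAMPLE_NOW)` flags the constructed burst and names AS64500/DE as its source; feed it real portal access logs (after adapting `parse_line`) to get the ASN and country keys for a filter.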