Security researchers are warning of a rise in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with almost 24,000 unique IP addresses attempting to access these portals.
“This style suggests a coordinated effort to probe community defenses and identify exposed or susceptible systems, possibly as a prelude to qualified exploitation,” threat intelligence company GreyNoise said.
The wave is said to have commenced on March 17, 2025, holding at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 has been flagged as malicious.
The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has largely targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.
It is currently not clear what is driving the activity, but it points to a systematic approach to testing network defenses, which may pave the way for later exploitation.
“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” Bob Rudis, VP of Data Science at GreyNoise, said. “These designs often coincide with new risks emerging 2 to 4 months after.”
In light of the unusual activity, it is important that organizations with internet-facing Palo Alto Networks instances take steps to secure their login portals.
The Hacker News has reached out to Palo Alto Networks for further comment, and we will update the story if we hear back.