Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day

"The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals. As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious."
"The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia. 'This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours,' GreyNoise noted. 'In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used.' 'Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands.'"
GreyNoise observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, rising to about 1,300 unique IPs from roughly 200. Ninety-three percent of the IPs were classified as suspicious and 7% as malicious. The majority of these IPs were geolocated to the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The surge exhibited similarities and TLS fingerprint overlap with recent Cisco ASA scanning, with a dominant TLS fingerprint tied to infrastructure in the Netherlands. Prior suspicious scans targeted PAN-OS GlobalProtect gateways in April 2025, and warning data links scanning surges to CVE disclosures within six weeks.
Read at The Hacker News