Summary Points
- Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals surged 40 times within 24 hours starting November 14, indicating a coordinated campaign, with geo-targeted attempts primarily from Germany, Canada, the US, Mexico, and Pakistan.
- GreyNoise reports a pattern of recurring campaigns involving suspicious and malicious IPs, with previous spikes in October and April, linked through consistent fingerprints and reused Autonomous System Numbers (ASNs), notably ASN AS200373.
- Approximately 2.3 million sessions targeted the GlobalProtect login endpoint during this spike, emphasizing the importance of actively blocking and monitoring these malicious probes, especially since such spikes often precede security flaw disclosures in Palo Alto products.
- Past incidents include exploitation of vulnerabilities (e.g., CVE-2025-0108) and a September data breach tied to targeted campaigns, underscoring ongoing cyber threats and urging vigilant security measures for VPN and firewall systems.
The Issue
Recent intelligence reports have revealed a dramatic surge in malicious scanning activity targeting Palo Alto Networks’ GlobalProtect VPN login portals, escalating 40-fold over a 24-hour period starting November 14, 2025. This spike represents the highest level of such activity in three months and is believed to be part of a coordinated campaign, with the scans largely originating from IP addresses associated with Germany and Canada, and primarily involving Autonomous System Numbers like AS200373 and AS208885. The targets are predominantly VPN login pages in the United States, Mexico, and Pakistan, where over 2.3 million sessions have been recorded within a few days. Security experts from GreyNoise, a real-time threat intelligence company, suggest that these persistent probing efforts are highly suspicious and often precede significant security breaches, highlighting the urgency for vigilant monitoring and proactive defense measures.
This escalation is part of an ongoing pattern that has seen similar surges in scanning activity dating back to earlier in the year, including a 500% increase in suspicious or malicious IP addresses in October and another intense campaign in April involving thousands of IPs. The repeated use of identical fingerprints and reuse of infrastructure points to a coordinated effort likely driven by persistent threat actors aiming to exploit vulnerabilities in Palo Alto Networks’ systems. With prior incidents such as the February exploitation of CVE-2025-0108 and a recent data breach disclosed in September, it becomes clear that these attacks are part of a broader attempt to compromise, exploit, or extract sensitive information from targeted networks. The reports are primarily issued by GreyNoise, emphasizing the need for organizations to heed these alerts and strengthen their security postures against evolving threats.
Risks Involved
The issue of “GlobalProtect VPN portals probed with 2.3 million scan sessions” can pose a severe threat to any business by overwhelming its network infrastructure, creating a lucrative target for cyber attackers, and risking data breaches or service outages. Such an intense probing activity indicates that malicious actors might be mapping vulnerabilities in your VPN portals, which could lead to unauthorized access, data theft, or disruption of critical operations. For a business, especially one handling sensitive information or reliant on seamless remote connectivity, this scenario translates into substantial financial loss, reputational damage, and increased security costs. In essence, unchecked or unmitigated scanning attacks compromise operational integrity and can expose your entire digital ecosystem to exploitation, making rigorous security measures and monitoring essential to safeguard your enterprise.
Possible Remediation Steps
In today’s interconnected digital landscape, swift response to vulnerabilities detected during extensive security scans is essential. The probing of GlobalProtect VPN portals with 2.3 million scan sessions signals a significant security concern, emphasizing the urgency of timely remediation to prevent potential breaches and maintain trust.
Containment Measures
Implement immediate access restrictions for the affected portals to limit further probing and potential exploitation.
Assessment and Analysis
Conduct thorough vulnerability assessments to identify specific weaknesses uncovered during the scans.
Patch and Update
Apply the latest security patches and firmware updates to address known vulnerabilities.
Configuration Review
Audit and harden VPN configurations, ensuring strong encryption, proper authentication, and minimized attack surface.
Monitoring
Enhance logging and real-time monitoring to detect irregular activities and respond swiftly to suspicious behavior.
User Education
Educate users and administrators about current threats and reinforce best security practices.
Incident Response
Activate and refine incident response plans to efficiently manage and contain any potential compromise.
Network Segmentation
Segment network traffic to isolate VPN portals and prevent lateral movement of malicious entities within the network.
Risk Communication
Maintain clear communication channels with stakeholders about vulnerabilities and mitigation efforts to foster awareness and cooperation.
Regular Testing
Schedule ongoing vulnerability testing and penetration testing to proactively identify and remediate emerging threats.
Advance Your Cyber Knowledge
Stay informed on the latest Threat Intelligence and Cyberattacks.
Learn more about global cybersecurity standards through the NIST Cybersecurity Framework.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
