- GreyNoise observes 500% spike in scans targeting Palo Alto GlobalProtect and PAN-OS profiles
- 7% of scanning IPs were malicious; most originated from the US, targeting systems in the US and Pakistan
- Palo Alto found no compromise evidence and remains confident in its Cortex XSIAM-powered defenses
Experts have warned it seems that someone is trying to sniff out a vulnerability in Palo Alto Networks login portals.
Security researchers from GreyNoise said they had observed a 500% increase in IP addresses scanning for Palo Alto Networks GlobalProtect and PAN-OS profiles.
On an average Friday, around 200 IP addresses scan for different profiles across the web, but on October 3, the researchers saw more than 1,280.
Palo Alto remains secure
Spikes such as this one are not unusual, but they’re often a sign that a threat actor discovered a vulnerability and is now mapping out potential victims.
GreyNoise also said that of the IP addresses it saw, 7% are confirmed to be malicious, and 91% “suspicious”.
Most of these IP addresses came from the US, with notable minorities coming in from the UK, Netherlands, Canada, and Russia. Targets are mostly located in the US and Pakistan.
“Nearly all activity was directed at GreyNoise’s emulated Palo Alto profiles (Palo Alto GlobalProtect, Palo Alto PAN-OS), suggesting the activity is targeted in nature, likely derived from public (e.g., Shodan, Censys) or attacker-originated scans fingerprinting Palo Alto devices,” GreyNoise said in its report.
At the same time, Palo Alto remains confident that its systems can withstand almost any onslaught. In a statement shared with BleepingComputer, the company said it investigated the reports and “found no evidence” of a compromise:
“Palo Alto Networks is protected by our own Cortex XSIAM platform, which stops 1.5 million new attacks daily and autonomously reduces 36 billion security events into the most critical threats to ensure our infrastructure remains secure. We remain confident in our robust security posture and our ability to protect our network,” the spokesperson told the publication.
Scans like this can be used to hunt for n-day vulnerabilities, but also for zero-days.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You might also like
https://cdn.mos.cms.futurecdn.net/npcbk7YXhzMMcp7p8Bciwj-2000-80.jpg
Source link
