Particle.news

GreyNoise Flags 500% Surge in Scans on Palo Alto Login Portals on Oct. 3

The surge shares a dominant TLS fingerprint with recent Cisco ASA scans, pointing to coordinated reconnaissance.

Overview

  • GreyNoise counted roughly 1,285–1,300 unique IPs focusing on GlobalProtect and PAN-OS login pages, far above the usual ~200 daily scanners.
  • About 91–93% of the observed addresses were labeled suspicious and around 7% malicious under GreyNoise classifications.
  • Most sources geolocated to the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia, including a distinct cluster concentrating on Pakistan targets.
  • Traffic was targeted and structured rather than opportunistic, aimed at sensor profiles emulating Palo Alto devices, and it shared a Netherlands-linked TLS fingerprint with the concurrent Cisco ASA scanning.
  • GreyNoise recommends patching, reviewing logs and blocking known malicious IPs, while noting that the scan-to-CVE correlation appears weaker here than in the recent Cisco ASA sequence; separately, it reported 110 malicious IPs exploiting Grafana CVE-2021-43798 on September 28.
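The log review GreyNoise recommends can reproduce the two signals above on a defender's own edge logs: distinct source IPs per day against a baseline, and whether one TLS fingerprint dominates the surge. The following is an added example, not GreyNoise's tooling or the article's own code; the login paths, the `fp-*` fingerprint labels and the log format are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict

# Assumed web paths for the GlobalProtect portal and PAN-OS web login.
LOGIN_PATHS = {"/global-protect/login.esp", "/php/login.php"}


def constructed_log():
    """Constructed sample, not real traffic: a quiet day followed by a
    surge day on which most new sources share one TLS fingerprint."""
    lines = []
    for i in range(3):  # 2025-10-02: 3 sources, mixed fingerprints
        lines.append(f"2025-10-02 198.51.100.{i} /global-protect/login.esp fp-{'ABC'[i]}")
    for i in range(16):  # 2025-10-03: 16 sources, 13 of them sharing fp-A
        fp = "fp-A" if i < 13 else "fp-D"
        lines.append(f"2025-10-03 203.0.113.{i} /global-protect/login.esp {fp}")
    lines.append("2025-10-03 203.0.113.99 /index.html fp-A")  # not a login-portal hit
    return lines


def parse(line):
    """Assumed format: '<day> <source-ip> <path> <tls-fingerprint>'."""
    day, ip, path, fp = line.split()
    return {"day": day, "ip": ip, "path": path, "fp": fp}


def unique_login_ips(lines):
    """Per-day set of distinct source IPs that touched a login path."""
    per_day = defaultdict(set)
    for rec in map(parse, lines):
        if rec["path"] in LOGIN_PATHS:
            per_day[rec["day"]].add(rec["ip"])
    return per_day


def surge_days(per_day, baseline, factor=5):
    """Days whose distinct-source count reaches `factor` times the baseline."""
    return sorted(d for d, ips in per_day.items() if len(ips) >= factor * baseline)


def dominant_fingerprint(lines, day):
    """Most common TLS fingerprint among login-path sources on `day`,
    with the share of sources presenting it (one vote per IP)."""
    fp_by_ip = {}
    for rec in map(parse, lines):
        if rec["day"] == day and rec["path"] in LOGIN_PATHS:
            fp_by_ip[rec["ip"]] = rec["fp"]
    fp, n = Counter(fp_by_ip.values()).most_common(1)[0]
    return fp, n / len(fp_by_ip)


if __name__ == "__main__":
    log = constructed_log()
    per_day = unique_login_ips(log)
    for day in surge_days(per_day, baseline=3):
        print(day, len(per_day[day]), "sources; dominant fp:", dominant_fingerprint(log, day))
```

A dominant fingerprint on a surge day is the cue to compare it against the same field on other exposed portals, which is how the overlap with the Cisco ASA scanning was noticed.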