In a new wave of cyber activity, Palo Alto Networks has sounded the alarm over a sharp uptick in brute-force login attempts targeting its PAN-OS GlobalProtect gateways. While the company confirmed that these attacks are not linked to any known vulnerabilities, the sheer volume and scale of the attempts point to a highly coordinated effort to breach enterprise defenses.
The team is observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability. They are actively monitoring this situation and analyzing the reported activity to determine its potential impact and identify if mitigations are necessary.
This alert follows a warning from threat intelligence firm GreyNoise, which observed a significant spike in suspicious login scanning activity starting March 17, 2025.
At its peak, the activity involved nearly 24,000 unique IP addresses before tapering off towards the end of the month. The pattern suggests a widespread reconnaissance operation likely aimed at identifying weak or misconfigured GlobalProtect portals.
The countries most affected by the scanning include the United States, the United Kingdom, Ireland, Russia, and Singapore—indicating a global footprint and potentially serious implications for organizations relying on these systems for secure remote access.
At this stage, it remains unclear whether a specific threat actor is behind the campaign, and how far-reaching the attempted intrusions have been.
In the meantime, customers are strongly advised to take immediate steps to harden their defenses. Recommended actions include:
Upgrading to the latest PAN-OS versions
Enforcing multi-factor authentication (MFA)
Configuring GlobalProtect to send MFA notifications
Implementing security policies to detect and block brute-force attempts
Limiting unnecessary exposure of gateways to the public internet
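For the recommendation to detect and block brute-force attempts, the sketch below is an added example, not code from Palo Alto Networks or GreyNoise. It shows why activity spread across many source addresses needs a per-account check in addition to a per-address one. The log format, the thresholds and all sample events are constructed assumptions and do not reflect the PAN-OS log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: "timestamp,source_ip,username,result".
# Simplified illustrative format, not the PAN-OS log schema.
SAMPLE_LOG = """\
2025-03-17T09:00:00,198.51.100.7,admin,fail
2025-03-17T09:00:20,198.51.100.7,vpnuser,fail
2025-03-17T09:00:40,198.51.100.7,test,fail
2025-03-17T09:01:00,198.51.100.7,guest,fail
2025-03-17T09:01:20,198.51.100.7,backup,fail
2025-03-17T09:02:00,203.0.113.1,jsmith,fail
2025-03-17T09:03:00,203.0.113.2,jsmith,fail
2025-03-17T09:04:00,203.0.113.3,jsmith,fail
2025-03-17T09:05:00,192.0.2.10,alice,fail
2025-03-17T09:05:30,192.0.2.10,alice,success
2025-03-17T09:30:00,192.0.2.20,bob,fail
2025-03-17T10:30:00,192.0.2.21,bob,fail
"""

def detect(log_text, window=timedelta(minutes=5), ip_limit=5, user_ip_limit=3):
    """Return (noisy_ips, targeted_users) from failed logins in a sliding window."""
    by_ip = defaultdict(deque)     # source IP -> timestamps of recent failures
    by_user = defaultdict(deque)   # username -> (timestamp, source IP) of recent failures
    noisy_ips, targeted_users = set(), set()
    events = sorted(line.split(",") for line in log_text.splitlines() if line.strip())
    for ts_raw, ip, user, result in events:
        if result != "fail":
            continue
        ts = datetime.fromisoformat(ts_raw)
        # Per-source check: many failures from one address inside the window.
        q = by_ip[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= ip_limit:
            noisy_ips.add(ip)
        # Distributed check: one account failing from many addresses,
        # each of which stays under the per-source limit.
        u = by_user[user]
        u.append((ts, ip))
        while ts - u[0][0] > window:
            u.popleft()
        if len({src for _, src in u}) >= user_ip_limit:
            targeted_users.add(user)
    return noisy_ips, targeted_users

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

In the sample, the three addresses that each try jsmith once never reach the per-address limit, so only the per-account check surfaces them.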