Cybersecurity researchers reported a large increase in scans aimed at Palo Alto Networks login portals, with GreyNoise saying the number of IP addresses focusing on GlobalProtect and PAN-OS profiles rose about 500 percent and peaked on October 3 with more than 1,285 unique IPs; the company said typical daily scans do not exceed 200.
Most of the observed IPs were geolocated in the United States, with smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise said one cluster concentrated traffic on targets in the United States and another focused on Pakistan; the clusters had “distinct TLS fingerprints but not without overlap,” and the firm classified 91% of the addresses as suspicious and 7% as malicious, which the company said suggests targeted reconnaissance and fingerprinting of Palo Alto devices.
Palo Alto Networks provided a written response to the activity on October 5, saying the company had “investigated the reported scanning activity and found no evidence of a compromise.” A company spokesperson said its infrastructure is protected by the Cortex XSIAM platform, which “stops 1.5 million new attacks daily and autonomously reduces 36 billion security events into the most critical threats to ensure our infrastructure remains secure,” and added that the company remained confident in its security posture.
GreyNoise has previously warned that spikes in scanning activity can be preparatory steps for attacks that exploit newly discovered or publicly known flaws. The firm noted that while similar scanning preceded exploits against other products such as Cisco ASA, it considers the observed correlation for the recent Palo Alto-focused scans to be weaker.
Researchers also reported an increase in attempts to exploit an older Grafana path traversal vulnerability identified as CVE-2021-43798. According to GreyNoise, 110 unique malicious IPs, most from Bangladesh, launched attacks on September 28 against targets in the United States, Slovakia and Taiwan, with destination patterns that the researchers said are consistent with automated attacks.
GreyNoise recommended administrators ensure Grafana instances are patched against CVE-2021-43798, block the identified malicious IPs and check logs for path traversal requests that might expose sensitive files.
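As an added example that is not part of the report or of GreyNoise's own tooling, the script below applies the log check recommended above to constructed access-log lines: it percent-decodes each request path (twice, so double-encoded variants are not missed), flags any path that still contains a `..` segment, and records whether the request hit the Grafana plugin asset endpoint and was answered with a 2xx status, which is the combination worth escalating. The NCSA-style log format, sample lines and IP addresses are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common (NCSA) access-log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2025:10:01:02 +0000] "GET /public/plugins/welcome/../../../../etc/passwd HTTP/1.1" 200 1812
203.0.113.11 - - [28/Sep/2025:10:01:05 +0000] "GET /public/plugins/welcome/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1812
198.51.100.5 - - [28/Sep/2025:10:02:00 +0000] "GET /public/plugins/welcome/img/logo.svg HTTP/1.1" 200 3120
198.51.100.6 - - [28/Sep/2025:10:02:30 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512
"""

# Client IP, timestamp, method, request path and status code from each line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Static plugin asset endpoint affected by CVE-2021-43798.
PLUGIN_PREFIX = "/public/plugins/"


def is_traversal(raw_path):
    """True if the path contains a '..' segment after percent-decoding.
    Decoding twice catches double-encoded variants such as %252e%252e."""
    path = raw_path.split("?", 1)[0]          # ignore the query string
    decoded = unquote(unquote(path))
    return ".." in decoded.split("/")


def find_traversal_requests(log_text):
    """Scan access-log text and return one record per traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": m["path"],
            "status": int(m["status"]),
            "plugin_endpoint": m["path"].startswith(PLUGIN_PREFIX),
            # A 2xx answer means the requested file may actually have been served.
            "served": m["status"].startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} served={h["served"]} {h["path"]}')
```

Feed real access logs in place of `SAMPLE_LOG`; hits with `plugin_endpoint` and `served` both true on an unpatched instance indicate the file contents should be assumed exposed.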