Hackers Looking for Vulnerable Palo Alto Networks GlobalProtect Portals

Summary: Threat actors are aggressively probing Palo Alto Networks GlobalProtect secure remote access instances, with over 24,000 unique IP addresses engaged in login scans, signaling potential exploitation of vulnerabilities. The activity peaked between March 17 and March 26, primarily originating from the United States and Canada. Organizations are urged to review their security logs and consider threat hunting in response to this unusual activity.

Affected: Palo Alto Networks GlobalProtect

Key points:

  • Over 24,000 unique IP addresses were detected attempting to access GlobalProtect portals.
  • Suspicious activity surged from March 17 to March 26, with nearly 20,000 unique IPs scanning daily.
  • Most activity is from the US, with over 16,000 suspicious IPs, followed by Canada and other countries.
  • Organizations are advised to review logs and perform threat hunts on their Palo Alto systems.

Source: https://www.securityweek.com/hackers-looking-for-vulnerable-palo-alto-networks-globalprotect-portals/