Scanning of Palo Alto Portals Surges 500%

by CybrGPT
Security experts have observed a massive increase in reconnaissance activity targeted at login portals for Palo Alto Networks products.

Real-time intelligence provider GreyNoise said it saw around 1300 IP addresses target its Palo Alto Networks Login Scanner tag on October 3. By contrast, daily volumes rarely topped 200 IPs over the previous 90 days.

The firm said that the activity is targeted and “likely derived” from public or attacker-originated scans.

Some 91% of IPs were located in the US, with smaller clusters in the UK, Netherlands, Canada and Russia. The vast majority (93%) of these are classed as “suspicious,” with 7% confirmed as malicious.

The 500% surge is the biggest observed by GreyNoise for Palo Alto login portals in three months.

“GreyNoise research in July found that surges in activity against Palo Alto technologies have, in some cases, been followed by new vulnerability disclosures within six weeks,” the firm continued.

“However, surges against GreyNoise’s Palo Alto Networks Login Scanner tag have not shown this correlation. GreyNoise will continue monitoring in case this activity precedes a new Palo Alto disclosure, which would represent an additive signal to our July research.”

Cisco Also Targeted

GreyNoise has also detected increases in scanning of other remote access services including SonicWall, Ivanti, Pulse Secure and Cisco ASA products.

“GreyNoise analysis shows that this Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours. In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used,” it said.

“Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands. This comes after GreyNoise initially reported an ASA scanning surge before Cisco’s disclosure of two ASA zero-days.”

However, GreyNoise couldn’t say for certain if the activity was carried out by the same operator and/or with the same intent.

Security products remain a popular target for threat actors. Last week, Infosecurity reported an increase in attacks from the Akira ransomware group aimed at hijacking SonicWall SSL VPN appliances.

AI is also helping groups to scale up reconnaissance and exploitation efforts.

The NCSC warned in a May report: “Cyber-threat actors are almost certainly already using AI to enhance existing tactics, techniques and procedures (TTPs) in victim reconnaissance, vulnerability research and exploit development, access to systems through social engineering, basic malware generation and processing exfiltrated data.”


© 2025 cybrgpt.com – All rights reserved.