MUST READ

GreyNoise detects 500% surge in scans targeting Palo Alto Networks portals

 | 

U.S. CISA adds Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its Known Exploited Vulnerabilities catalog

 | 

ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

 | 

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

 | 

Google warns of Cl0p extortion campaign against Oracle E-Business users

 | 

CERT-UA warns UAC-0245 targets Ukraine with CABINETRAT backdoor

 | 

Allianz Life data breach impacted 1.5 Million people

 | 

Cybercrime group claims to have breached Red Hat 's private GitHub repositories

 | 

China-linked APT Phantom Taurus uses Net-Star malware in espionage campaigns against key sectors

 | 

OpenSSL patches 3 vulnerabilities, urging immediate updates

 | 

Apple urges users to update iPhone and Mac to patch font bug

 | 

WestJet confirms cyberattack exposed IDs, passports in June incident

 | 

Broadcom patches VMware Zero-Day actively exploited by UNC5174

 | 

UK convicts Chinese national in £5.5B crypto fraud, marks world’s largest Bitcoin seizure

 | 

U.S. CISA adds Adminer, Cisco IOS, Fortra GoAnywhere MFT, Libraesva ESG, and Sudo flaws to its Known Exploited Vulnerabilities catalog

 | 

Asahi halts ordering, shipping, and customer service after cyberattack

 | 

Scattered Spider, ShinyHunters Restructure - New Attacks Underway 

 | 

UK grants £1.5B loan to Jaguar Land Rover after cyberattack

 | 

Harrods alerts customers to new data breach linked to third-party provider

 | 

Akira Ransomware bypasses MFA on SonicWall VPNs

 | 

GreyNoise detects 500% surge in scans targeting Palo Alto Networks portals

Pierluigi Paganini October 04, 2025

GreyNoise saw a 500% spike in scans on Palo Alto Networks login portals on Oct. 3, 2025, the highest in three months.

Cybersecurity firm GreyNoise reported a 500% surge in scans targeting Palo Alto Networks login portals on October 3, 2025, marking the highest activity in three months.

On October 3, the researchers observed that over 1,285 IPs scanned Palo Alto portals, up from a usual 200. The experts reported that 93% of the IPs were suspicious, 7% malicious.

Palo Alto Networks portals

Most originated from the U.S., with smaller clusters in the U.K., Netherlands, Canada, and Russia.

GryNoise defined the traffic targeted and structured, aimed at Palo Alto login portals and split across distinct scanning clusters.  

The scans targeted emulated Palo Alto profiles, focusing mainly on U.S. and Pakistan systems, indicating coordinated, targeted reconnaissance.

GreyNoise found that recent Palo Alto scanning mirrors Cisco ASA activity, showing regional clustering and shared TLS fingerprints linked to the Netherlands infrastructure. Both used similar tools, suggesting possible shared infrastructure or operators. The overlap follows a Cisco ASA scanning surge preceding the disclosure of two zero-day vulnerabilities.

“Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands. This comes after GreyNoise initially reported an ASA scanning surge before Cisco’s disclosure of two ASA zero-days.” reads the report published by Grey Noise. “In addition to a possible connection to ongoing Cisco ASA scanning, GreyNoise identified concurrent surges across remote access services. While suspicious, we are unsure if this activity is related. “

GreyNoise noted in July spikes in Palo Alto scans sometimes preceded new flaws within six weeks; The experts are monitoring if the latest surge signals another disclosure.

“GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Palo Alto Networks portals)

GreyNoise Hacking hacking news information security news IT Information Security Palo Alto Networks Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini October 04, 2025
U.S. CISA adds Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini October 03, 2025
ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

GreyNoise detects 500% surge in scans targeting Palo Alto Networks portals

Hacking / October 04, 2025

U.S. CISA adds Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its Known Exploited Vulnerabilities catalog

Hacking / October 04, 2025

ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

Cyber Crime / October 03, 2025

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

Malware / October 03, 2025

Google warns of Cl0p extortion campaign against Oracle E-Business users

Cyber Crime / October 03, 2025