Palo Alto Networks Hit With Massive Malicious Traffic Surge


According to TheRegister.com, malicious traffic targeting Palo Alto Networks’ GlobalProtect login endpoints surged nearly 40-fold within 24 hours, hitting a 90-day high. The sudden wave began on November 14, when GreyNoise logged approximately 2.3 million sessions hammering the “global-protect/login.esp” endpoint used by PAN-OS and GlobalProtect products. Most traffic originated from AS200373 (3xK Tech GmbH), with about 62% coming from Germany and another 15% from Canada. Security researchers identified strong connections to previous campaigns targeting Palo Alto equipment, suggesting the same threat actor is behind this massive scanning operation. The probes targeted GlobalProtect systems in the US, Mexico, and Pakistan with similar intensity, indicating broad opportunistic scanning rather than focused targeting.


History repeating itself

Here’s the thing that should make every security team nervous: GreyNoise has seen this exact pattern before. They’ve observed similar scanning spikes weeks before VPN vulnerabilities were publicly disclosed or actively exploited. In fact, their research shows that 80% of these massive scanning surges are followed by CVE disclosures within six weeks. That doesn’t automatically mean Palo Alto is sitting on an unpatched bug, but the timing and volume are definitely concerning. Basically, when threat actors suddenly get this interested in your infrastructure, they’re usually preparing for something bigger.

Who’s doing this and why

The scanning activity shows clear fingerprints of threat actors who’ve previously targeted Palo Alto equipment. We’re talking about recurring TCP and JA4t signatures and reused infrastructure across multiple campaigns. Matthew Remacle, security research architect at GreyNoise, assessed with “high confidence” that these campaigns are at least partially driven by the same threat actor. And the fact that most traffic came from a single network provider suggests this isn’t some random, uncoordinated effort. This is organized reconnaissance, and when you see this level of organization, you know they’re hunting for something specific.

What organizations should do now

For companies running exposed GlobalProtect portals, this is the time for heightened vigilance. GreyNoise has already pushed out a dedicated Palo Alto blocklist through its Block service, and defenders can create custom filters based on ASN, JA4 fingerprint, destination country, or classification. The immediate advice is pretty standard but crucial: tighten access controls, monitor for login anomalies, and be ready to implement blocklists or IPS rules if the probing escalates.
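To make "monitor for login anomalies" concrete, here is an added example of the kind of check a defender could run over portal access logs. It is not code from the article, from GreyNoise or from Palo Alto Networks: it counts requests to the `/global-protect/login.esp` endpoint per hour, compares the latest hour against the average of the earlier hours, and reports which source ASN and countries dominate the surge. The combined-format log layout, the IP-to-ASN table, the sample IP addresses, the timestamps, the surge threshold of 10x and the 50% single-ASN share are all constructed assumptions for this example; only the endpoint path and the AS200373 / Germany / Canada attribution come from the article.

```python
"""Flag a scanning surge against the GlobalProtect login endpoint in access logs.

Added illustration, not from the article or GreyNoise. Everything below the
endpoint name (log format, IP ranges, ASN table, thresholds) is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Endpoint named in the article.
TARGET_PATH = "/global-protect/login.esp"

# Constructed prefix -> (ASN, country) table. A real deployment would enrich
# source IPs from an external source (GreyNoise, Team Cymru, MaxMind, ...).
ASN_TABLE = {
    "203.0.113.": ("AS200373", "DE"),   # 3xK Tech GmbH, per the article
    "198.51.100.": ("AS200373", "CA"),
    "192.0.2.": ("AS64496", "US"),      # AS64496 is a documentation ASN (RFC 5398)
}

# Apache/nginx combined log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip / hour bucket / path / status for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "hour": ts.strftime("%Y-%m-%dT%H"),
            "path": m["path"], "status": int(m["status"])}


def enrich(ip):
    """Look the source IP up in the constructed ASN table (longest-prefix not needed here)."""
    for prefix, info in ASN_TABLE.items():
        if ip.startswith(prefix):
            return info
    return ("UNKNOWN", "??")


def analyze(lines, surge_factor=10.0, asn_share=0.5):
    """Compare the latest hour of login.esp traffic against the earlier hours' average."""
    per_hour = Counter()
    asn_per_hour = defaultdict(Counter)
    country_per_hour = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue  # skip junk lines and requests to other paths
        asn, country = enrich(rec["ip"])
        per_hour[rec["hour"]] += 1
        asn_per_hour[rec["hour"]][asn] += 1
        country_per_hour[rec["hour"]][country] += 1

    hours = sorted(per_hour)
    if len(hours) < 2:
        return {"surge": False, "reason": "need at least two hours of data"}
    latest = hours[-1]
    baseline = sum(per_hour[h] for h in hours[:-1]) / len(hours[:-1])
    ratio = per_hour[latest] / baseline if baseline else float("inf")
    top_asn, top_count = asn_per_hour[latest].most_common(1)[0]
    share = top_count / per_hour[latest]
    return {
        "latest_hour": latest, "count": per_hour[latest], "baseline": baseline,
        "ratio": ratio, "surge": ratio >= surge_factor,
        "top_asn": top_asn, "top_asn_share": share, "concentrated": share >= asn_share,
        "countries": dict(country_per_hour[latest]),
    }


def build_sample_log():
    """Constructed log: three quiet hours, then one hour of probing from AS200373."""
    def entry(ip, ts, path=TARGET_PATH, status=200):
        return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []
    for hour in (12, 13, 14):                       # baseline: two logins per hour
        for i in (1, 2):
            lines.append(entry(f"192.0.2.{i}", f"14/Nov/2025:{hour}:0{i}:00 +0000"))
    for i in range(1, 26):                          # surge hour: 25 probes from DE
        lines.append(entry(f"203.0.113.{i}", f"14/Nov/2025:15:{i:02d}:00 +0000", status=403))
    for i in range(1, 7):                           # plus 6 from CA, same ASN
        lines.append(entry(f"198.51.100.{i}", f"14/Nov/2025:15:{30 + i}:00 +0000", status=403))
    lines.append(entry("192.0.2.1", "14/Nov/2025:15:40:00 +0000"))   # one real login
    lines.append(entry("192.0.2.9", "14/Nov/2025:15:41:00 +0000", path="/healthcheck"))  # ignored
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    print(f"{result['latest_hour']}: {result['count']} hits vs baseline {result['baseline']:.1f}"
          f" (x{result['ratio']:.1f}); surge={result['surge']}")
    print(f"top ASN {result['top_asn']} share={result['top_asn_share']:.0%}"
          f" concentrated={result['concentrated']}; by country {result['countries']}")
```

The two signals reported, a volume ratio against recent history and a single-ASN share of the surge hour, are what make this traffic actionable: a ratio spike alone could be a legitimate login storm, but a spike that is almost entirely one network provider is the shape the article describes, and the ASN and country breakdown is exactly what the GreyNoise custom filters key on.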

The waiting game

So what happens next? Palo Alto hasn’t issued any fresh advisories that might explain the sudden interest, and there’s no confirmed exploit in circulation matching the observed scanning. But the combination of large-scale internet probing, repeat attacker infrastructure, and that known history of pre-exploitation scanning rarely leads to good news. Security teams are essentially playing a waiting game now – watching to see if this massive scanning operation was just reconnaissance or the prelude to actual exploitation. Either way, when you see this much malicious interest in your systems, it’s time to pay attention.
