Palo Alto Login Portal Scanning Spikes 500% Globally
🔍 Security researchers observed a roughly 500% surge in reconnaissance activity targeting Palo Alto Networks login portals on October 3, when GreyNoise recorded about 1,300 unique IP addresses probing its Palo Alto Networks Login Scanner tag versus typical daily volumes under 200. Approximately 91% of the IPs were US-based and 93% were classed as suspicious, with 7% confirmed malicious. GreyNoise also reported parallel scanning of other remote-access products including Cisco ASA, SonicWall, Ivanti and Pulse Secure, and noted shared TLS fingerprinting and regional clustering tied to infrastructure in the Netherlands. Analysts will continue monitoring for any subsequent vulnerability disclosures.
