All news with #palo alto networks tag

Legacy Flaws in Network Edge Devices Threaten Orgs Today

🔒 Enterprises' network edge devices — firewalls, VPNs, routers, and email gateways — are increasingly being exploited due to longstanding 1990s‑era flaws such as buffer overflows, command and SQL injections. Researchers tracked dozens of zero‑day exploits in 2024 and continuing into 2025 that affected vendors including Fortinet, Palo Alto Networks, Cisco, Ivanti, and others. These appliances are attractive targets because they are remotely accessible, often lack endpoint protections and centralized logging, and hold privileged credentials, making them common initial access vectors for state‑affiliated actors and ransomware groups.

Hackers Inject Redirecting JavaScript via WordPress Themes

🔒 Security researchers warn of an active campaign that modifies WordPress theme files (notably functions.php) to inject malicious JavaScript that redirects visitors to fraudulent verification and malware distribution pages. The injected loader uses obfuscated references to advertising services but posts to a controller domain that serves a remote script from porsasystem[.]com and an iframe mimicking Cloudflare assets. The activity has ties to the Kongtuke traffic distribution system and highlights the need to patch themes, enforce strong credentials, and scan for persistent backdoors.

Palo Alto Login Portal Scanning Spikes 500% Globally

🔍 Security researchers observed a roughly 500% surge in reconnaissance activity targeting Palo Alto Networks login portals on October 3, when GreyNoise recorded about 1,300 unique IP addresses probing its Palo Alto Networks Login Scanner tag versus typical daily volumes under 200. Approximately 91% of the IPs were US-based and 93% were classed as suspicious, with 7% confirmed malicious. GreyNoise also reported parallel scanning of other remote-access products including Cisco ASA, SonicWall, Ivanti and Pulse Secure, and noted shared TLS fingerprinting and regional clustering tied to infrastructure in the Netherlands. Analysts will continue monitoring for any subsequent vulnerability disclosures.

Surge in Scans Targeting Palo Alto Network Login Portals

🔍 GreyNoise has observed a roughly 500% rise in IP addresses scanning Palo Alto Networks login portals, primarily emulating GlobalProtect and PAN-OS profiles. Activity peaked on October 3 with more than 1,285 unique IPs—typical daily scans are usually under 200—while most sources were geolocated to the United States with smaller clusters in the UK, Netherlands, Canada, and Russia. GreyNoise classified 91% of the IPs as suspicious and 7% as malicious, noting clusters with distinct TLS fingerprints and warning this reconnaissance could precede exploitation attempts; administrators should verify device exposure and monitoring.

Spike in Scanning Targets Palo Alto Login Portals Globally

🔍 GreyNoise observed a nearly 500% surge in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, jumping from about 200 to roughly 1,300 unique IPs. The firm classified 93% of those IPs as suspicious and 7% as malicious, with most activity geolocated to the U.S. and smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise noted the traffic was targeted and structured and shared a dominant TLS fingerprint with recent Cisco ASA scans.

Case for Multidomain Visibility and Unified Response in SOCs

🔍 The 2025 Unit 42 Global Incident Response Report shows that 84% of investigated incidents involved activity across multiple attack fronts and 70% spanned at least three vectors, underscoring coordinated, multidomain campaigns. Attackers move laterally across cloud, SaaS, IT and OT, exploiting identities, misconfigurations and vulnerabilities. The report recommends unified telemetry, AI-driven behavioral analytics and stronger identity controls to improve detection and accelerate response.

TOTOLINK X6000R Router: Multiple Firmware Vulnerabilities

⚠️ TOTOLINK X6000R routers running firmware V9.4.0cu.1360_B20241207 contain three vulnerabilities that enable argument injection, unauthenticated command execution, and sanitization bypasses leading to file corruption or persistent denial-of-service. The most severe, CVE-2025-52906, is an unauthenticated command injection rated Critical (CVSS 9.3). TOTOLINK has released updated firmware and users should apply the patch immediately while defenders use device visibility and threat prevention to detect exploitation.

Databricks Launches AI-Driven Cybersecurity Lakehouse

🔒 Databricks has introduced Data Intelligence for Cybersecurity, an AI-driven platform that unifies fragmented security telemetry on its Lakehouse architecture to provide real-time, context-rich threat detection. The offering includes Agent Bricks to build governed AI agents, conversational dashboards, and natural-language queries for nontechnical stakeholders. Early adopters such as Arctic Wolf, Palo Alto Networks, and SAP report sharper detection, lower costs, and faster operations, while Databricks expands integrations across a broad partner ecosystem to challenge established SIEM and analytics vendors.

Chinese State-Linked RedNovember Targets Global Org

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.

Major EDR Vendors Withdraw from MITRE ATT&CK Tests

🔍Three major cybersecurity vendors — Microsoft, SentinelOne and Palo Alto Networks — have declined to participate in the 2025 MITRE Engenuity ATT&CK Evaluations: Enterprise, citing a need to prioritize product development and innovation. Their exits, after strong 2024 performances, have sparked debate over the tests' scope and whether they encourage PR-driven preparation. MITRE says it will revive a vendor forum for 2026 to improve engagement.

Top Dark Web Monitoring Tools for Threat Detection

🔎 The article explains why Dark Web monitoring is essential for CISOs and security teams, focusing on the discovery of leaked credentials, sensitive corporate data, and brand-abuse used in fraud and phishing. It profiles ten leading solutions and contrasts commercial Digital Risk Protection services with open-source intelligence platforms. The piece emphasizes integration with XDR/MDR, API access, takedown capabilities, and VIP and supply‑chain monitoring to prioritize responses and reduce business risk.

Unit 42 Earns NCSC Enhanced Level Incident Response

🔒 Palo Alto Networks' Unit 42 has been added to the UK's NCSC Cyber Incident Response scheme at the Enhanced Level, demonstrating certified capability to manage the most complex and impactful cyber incidents. The assurance verifies structured, government-benchmarked processes, strong investigative expertise, and a customer-focused retainer model tailored to regulatory and operational needs. This recognition underscores Unit 42's role in helping organisations reduce dwell time, contain threats faster, and strengthen long-term resilience.

Palo Alto Acknowledges Browser-Malware Risks, Validates LMR

🔍 SquareX’s Last Mile Reassembly (LMR) research, disclosed at DEF CON 32, shows how attackers split and reassemble malware inside the browser to evade Secure Web Gateways (SWGs). Palo Alto Networks has become the first major SASE vendor to publicly acknowledge this class of browser-assembled evasive attacks and announced enhancements to Prisma Browser. SquareX says LMR and related Data Splicing techniques exploit channels like WebRTC and gRPC, bypassing traditional SWG and DLP controls and underscoring the need for browser-native security.

Inside Black Hat's NOC: Zero-Hour Security Operations

🛡️ At Black Hat, Palo Alto Networks' NOC operates a zero-hour defense model that protects critical infrastructure while enabling controlled exploit training. Engineers from Cortex and Unit 42 collaborate with partners like Corelight to develop rapid detections, deploy contextual rules on PA-5430 firewalls, and automate responses via Cortex XSIAM. The environment balances visibility, segmentation and automated enforcement to stop external threats without disrupting sanctioned exercises.

Partner-built AI Security Innovations on Google Cloud

🔒 Google Cloud and its partners announced a range of partner-built AI security solutions now available in the Google Cloud Marketplace. These integrations embed Gemini and Vertex AI into partner products — including CrowdStrike, Palo Alto Networks, Fortinet, and others — to protect models, data, applications, and agents. The collaborations emphasize automated detection, incident response, DLP, identity protection, and agent monitoring to reduce mean time to detect and respond, helping customers adopt AI securely.

CRM Supply-Chain Breach via Salesloft Drift Impacts Vendors

🔒 Palo Alto Networks, Zscaler and Cloudflare disclosed a supply-chain breach traced to the Salesloft Drift integration with Salesforce. The compromise exposed business contact information, account/contact/case/opportunity records and, in some instances, OAuth tokens and plaintext support-case content; attachments and files were reportedly not affected. Palo Alto's Unit 42 observed active searches of exfiltrated data and deletion of queries consistent with anti-forensics. Vendors are advising immediate token revocation, credential rotation and comprehensive review of Salesforce logs and SOQL query history.

Prisma SASE 4.0: AI-Ready Security for Distributed Work

🔒 Prisma SASE 4.0 is positioned as a unified, cloud-delivered security platform engineered for the AI era. It combines AI-powered threat protection, frictionless data security for structured and unstructured content, and unified intelligent operations to automate deployment and troubleshooting. New capabilities include browser-based postload inspection, an Advanced DNS Resolver with Precision AI, SaaS security posture monitoring for AI agents, and Autonomous Digital Experience Management to preserve performance and resilience.

Cloudflare, Palo Alto Hit by Salesloft Drift Breach

🔒 Cloudflare and Palo Alto Networks disclosed that threat actors accessed their Salesforce tenants via the third‑party Salesloft Drift app after compromising OAuth tokens. Cloudflare reported reconnaissance on 9 August 2025 and said data was exfiltrated from Salesforce case objects between 12–17 August 2025. The exposed fields principally contained support case text and business contact information; Cloudflare identified 104 API tokens and has rotated them, urging customers to rotate any credentials shared in cases. Google’s Threat Intelligence Group links the activity to UNC6395 and warns harvested data may be used for targeted follow‑on attacks.

Supply-chain Breach Impacts Palo Alto, Zscaler, Cloudflare

🔒 Three major vendors—Palo Alto Networks, Zscaler, and Cloudflare disclosed a supply‑chain breach tied to the Salesloft Drift Salesforce integration that exposed OAuth tokens and customer CRM data. The incident reportedly involved mass exfiltration from Account, Contact, Case and Opportunity records and included business contact data and some plaintext case notes. Vendors recommend rotating credentials, revoking unused OAuth tokens, auditing Salesforce Event Monitoring and reviewing SOQL query logs and connected-app activity for signs of abuse.

Meet the Next Generation of Unit 42 Threat Intelligence

🔍 Unit 42 highlights two threat intelligence interns, Sakthi Vinayak and Gabrielle Calderon, who completed a 12-week program contributing to practical research and automation projects. Sakthi concentrated on mechanizing data ingestion, implementing a fidelity scoring framework, and building dashboards to surface trends and gaps in the knowledge repository. Gabrielle focused on malware ticket analysis and developing an automation tool to identify malware families and extract indicators of compromise. Both interns credited Unit 42’s collaborative mentorship and cross-team exposure for accelerating their technical growth and real-world impact.