Attacks on Palo Alto PAN-OS Global Protect Login Portals Surge from 2,200 IPs

Published On: October 9, 2025


Urgent Alert: Palo Alto GlobalProtect Portals Under Escalating Attack

Reconnaissance activity against Palo Alto Networks PAN-OS GlobalProtect login portals has surged. As of October 7, 2025, GreyNoise observed more than 2,200 unique IP addresses scanning for these portals, up from roughly 1,300 only days earlier and the highest level recorded in the past 90 days. Any organization that exposes GlobalProtect for remote access should treat this as an active reconnaissance campaign and act now.

Understanding the Threat: What is GlobalProtect?

Palo Alto Networks GlobalProtect is the remote-access VPN built into PAN-OS firewalls. Users connect through an internet-facing portal and gateway, traffic is encrypted, and the firewall's security policy is enforced on the resulting session. Because the portal must be reachable from the internet and sits directly in front of the corporate network, it is a natural target for actors seeking initial access. The current surge in scanning indicates that adversaries are enumerating exposed portals and probing them for weaknesses.

The Escalation: A Deep Dive into the Numbers

A jump from 1,300 unique source IPs to more than 2,200 in a matter of days is not a random fluctuation; it is consistent with a deliberate, intensifying effort to map exposed GlobalProtect portals. Scanning at this scale typically precedes more targeted activity: attackers use the reconnaissance phase to fingerprint portal versions, identify unpatched or misconfigured devices, and build target lists for exploitation of known vulnerabilities or credential attacks (password spraying and credential stuffing) against the login page. Initial access obtained this way is then used for lateral movement, privilege escalation, and data theft.

Organizations must treat this intelligence with the utmost seriousness. The increased scanning volume translates directly to a heightened risk of successful attacks against unpatched or misconfigured GlobalProtect portals.

Why the Surge? Potential Motivations Behind the Attacks

Several factors could be driving this surge in attacks:

  • Vulnerability Disclosure Exploitation: Attackers often intensify their efforts following the public disclosure of new vulnerabilities (CVEs) affecting popular software, especially remote-access products. The GreyNoise report does not tie this scanning to a specific CVE, but spikes of this kind frequently coincide with new exploit development or with attackers hunting for devices still unpatched against older flaws.
  • Initial Access Brokerage: Compromised VPN and remote access portals are high-value targets for initial access brokers, who then sell this access to other cybercriminal groups for ransomware deployments, data exfiltration, and other malicious activities.
  • Supply Chain Attacks: Gaining access to one organization’s network via GlobalProtect could be a stepping stone for broader supply chain attacks if the compromised entity is part of a larger ecosystem.
  • Increased Attack Surface: The continued prevalence of remote and hybrid work models means GlobalProtect portals represent a consistently large and critical attack surface.

Remediation Actions: Fortifying Your GlobalProtect Defenses

Given the alarming increase in scanning activity, immediate action is crucial for all organizations utilizing Palo Alto Networks PAN-OS GlobalProtect. Proactive measures can significantly reduce your risk exposure.

  • Patch and Update Immediately: Ensure every PAN-OS device, particularly those hosting a GlobalProtect portal or gateway, is running a supported release with all current security fixes applied. Check Palo Alto Networks' security advisories regularly and apply recommended updates promptly; a scanning campaign is often a search for devices that are still behind.
  • Strong Authentication Enforcement: Implement and enforce Multi-Factor Authentication (MFA) for all GlobalProtect users. MFA defeats password spraying and credential stuffing against the login page, but it does not protect against a pre-authentication vulnerability in the portal itself, so it complements patching rather than replacing it.
  • Monitor Logs Aggressively: Continuously monitor GlobalProtect authentication and session logs for suspicious activity, including:
    • Bursts of failed login attempts from a single source IP, or many usernames tried from the same IP (password spraying).
    • Successful logins from unexpected countries or from IPs that threat intelligence (for example GreyNoise) flags as scanners.
    • A successful login that immediately follows a run of failures from the same source.
    • Unexplained sessions or connections, and attempts to reach resources a user does not normally access.
  • Restrict Access: Wherever possible, restrict who can reach the GlobalProtect login portal. Use geo-blocking for regions where you have no users, or a trusted-IP allow list if your user base is geographically stable. This cuts scanner noise and raises the attacker's cost, but it is not a substitute for patching, since a determined attacker can scan from an allowed region.
  • Implement Threat Prevention: Ensure your Palo Alto Networks firewalls have subscriptions like Threat Prevention, WildFire, and URL Filtering enabled and up-to-date to detect and block known exploits and malicious traffic.
  • Network Segmentation: Keep the firewall's management interface off the internet and reachable only from trusted internal addresses, and limit what GlobalProtect users can reach once connected to the minimum their role requires, so a compromised portal or stolen credential does not translate into free lateral movement.
  • Regular Vulnerability Scans: Conduct regular external and internal vulnerability scans on your GlobalProtect infrastructure to identify potential weaknesses before attackers do.
  • User Awareness Training: Educate users about phishing attempts that could target their GlobalProtect credentials.
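The monitoring items above are straightforward to turn into a small hunting script. The following is an added example, not code from the article or from Palo Alto Networks. It uses a simplified, constructed six-column log layout (timestamp, event, status, user, source IP, source region) rather than the real PAN-OS GlobalProtect log schema, and a constructed stand-in for a scanner-IP feed; map real log fields and a real feed to these before using it against production data.

```python
"""Hunt GlobalProtect auth logs for failed-login bursts, logins from
unapproved regions, and traffic from known scanner IPs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified CSV layout chosen for this
# example: timestamp, event, status, user, source IP, source region.
# Real PAN-OS GlobalProtect logs carry many more columns; map them onto
# these six fields before running this against production data.
SAMPLE_LOG = """\
2025-10-07T08:00:01Z,portal-auth,failure,alice,203.0.113.10,CN
2025-10-07T08:00:05Z,portal-auth,failure,admin,203.0.113.10,CN
2025-10-07T08:00:09Z,portal-auth,failure,bob,203.0.113.10,CN
2025-10-07T08:00:14Z,portal-auth,failure,test,203.0.113.10,CN
2025-10-07T08:00:20Z,portal-auth,failure,guest,203.0.113.10,CN
2025-10-07T08:15:00Z,portal-auth,success,carol,198.51.100.7,US
2025-10-07T08:20:00Z,portal-auth,success,dave,192.0.2.44,RU
2025-10-07T09:00:00Z,portal-auth,failure,erin,198.51.100.9,US
"""

# Constructed stand-in for a scanner-IP feed (e.g. an export of IPs a
# service such as GreyNoise has classified as scanners).
KNOWN_SCANNERS = {"203.0.113.10", "192.0.2.44"}
# Regions where this (hypothetical) organization actually has users.
APPROVED_REGIONS = {"US", "DE"}

FAIL_THRESHOLD = 5          # failures from one IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window


def parse_log(text):
    """Parse the constructed CSV layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, status, user, src_ip, region = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "status": status, "user": user,
            "src_ip": src_ip, "region": region,
        })
    return events


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: count} for IPs with >= threshold failures inside
    any window-sized span (sliding window over sorted timestamps)."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "portal-auth" and e["status"] == "failure":
            fails[e["src_ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def logins_from_unapproved_regions(events, approved=APPROVED_REGIONS):
    """Successful logins whose source region is not on the allow list."""
    return [(e["user"], e["src_ip"], e["region"]) for e in events
            if e["status"] == "success" and e["region"] not in approved]


def hits_on_scanner_list(events, scanners=KNOWN_SCANNERS):
    """Source IPs in the log that also appear in the scanner feed."""
    return sorted({e["src_ip"] for e in events if e["src_ip"] in scanners})


def hunt(text):
    """Run all three checks over a log body and return the findings."""
    events = parse_log(text)
    return {
        "bursts": failed_login_bursts(events),
        "unapproved_success": logins_from_unapproved_regions(events),
        "scanner_hits": hits_on_scanner_list(events),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample data the burst detector flags 203.0.113.10 (five distinct usernames failing within 20 seconds, the shape of a password spray), the region check surfaces dave's successful login from RU, and both scanner-listed IPs are reported. In a real deployment the successful login from a scanner-listed IP is the finding to escalate first, because it means reconnaissance has already turned into access.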

Essential Tools for Detection and Mitigation

Leveraging the right tools is paramount for effectively detecting and mitigating threats against your GlobalProtect infrastructure.

  • Palo Alto Networks Next-Generation Firewalls: Core platform that hosts GlobalProtect and provides Threat Prevention, URL Filtering, and WildFire malware analysis. https://www.paloaltonetworks.com/network-security/next-generation-firewall
  • Cortex XSOAR: Security Orchestration, Automation, and Response (SOAR) platform for automating incident response and threat-intelligence enrichment. https://www.paloaltonetworks.com/cortex/xsoar
  • GreyNoise Intelligence: Identifies internet-wide scanning activity and separates benign from malicious sources; the source of the IP counts cited in this article. https://greynoise.io/
  • Security Information and Event Management (SIEM) systems: Centralized log collection, correlation, and alerting for GlobalProtect and firewall events. Examples: Splunk, Elastic SIEM. https://www.splunk.com/en_us/products/unified-security-operations/security-information-event-management-siem.html
  • Vulnerability scanners: Identify missing patches and misconfigurations on internet-facing portals. Examples: Nessus, Qualys, OpenVAS. https://www.tenable.com/products/nessus

Conclusion: Stay Vigilant, Stay Secure

The sharp increase in scanning against Palo Alto Networks PAN-OS GlobalProtect login portals is a clear signal of heightened threat-actor interest in these devices. Because a portal sits directly in front of the corporate network, a compromised one hands an attacker initial access; organizations should respond now rather than wait for a vulnerability disclosure to make the risk concrete. Prompt patching, enforced MFA, restricted exposure of the portal, and diligent log monitoring are the controls that matter here. Prioritize them, stay informed, and keep your remote access secure.
