387/68 Tuesday, October 7, 2025
Cybersecurity company GreyNoise has reported an unusual 500% spike in scanning activity targeting Palo Alto Networks login portals on October 3, 2025-the highest level seen in the past three months. The company detected scanning attempts from 1,285 unique IP addresses, up from a normal daily average of about 200. Of these, more than 93% were classified as “suspicious” and 7% as “malicious.” The majority of the traffic originated from the United States, with smaller clusters identified in the United Kingdom, the Netherlands, Canada, and Russia.
GreyNoise explained that the scans appeared structured and deliberate, focusing on emulated Palo Alto login systems designed to mimic real network environments, particularly in the U.S. and Pakistan. This pattern indicates a deep reconnaissance effort that may involve coordinated groups. Researchers also found that the scanning techniques used against Palo Alto were strikingly similar to those previously observed against Cisco ASA devices-where scanning spikes occurred shortly before the disclosure of two zero-day vulnerabilities. Notably, both incidents shared identical TLS fingerprints and infrastructure connections linked to the Netherlands.
The report further suggests that the similarities between Cisco ASA and Palo Alto scanning activities may point to shared tools or infrastructure among attackers. GreyNoise warned that such activity has historically preceded the disclosure of new vulnerabilities-often within six weeks. As a precaution, the company is actively monitoring the situation to determine whether this surge could signal the discovery of a new Palo Alto vulnerability. In response, GreyNoise has accelerated the development of a new “Dynamic IP Blocklist” aimed at helping organizations more rapidly defend against and respond to emerging threats.
