
Palo Alto Networks Alarm on Rising Brute-Force Threats to PAN-OS Gateways


In a recent advisory, Palo Alto Networks revealed that it is actively monitoring brute-force attacks targeting its PAN-OS GlobalProtect gateways. This announcement comes days after threat intelligence firm GreyNoise flagged a significant surge in suspicious login scanning activity aimed at these appliances. The activity began on March 17, 2025, peaked with 23,958 unique IP addresses probing network defenses, and tapered off toward the end of the month.

While Palo Alto Networks clarified that these attacks do not exploit any specific vulnerability, they underscore the growing risk posed by weak or default credentials. With systems in the United States, the United Kingdom, Ireland, Russia, and Singapore being the primary targets, organizations must take immediate action to secure their gateways.

In this article, we’ll break down the situation, explain the nature of these attacks, and provide actionable steps to protect your PAN-OS GlobalProtect gateways from compromise.


Understanding the Brute-Force Threats

A brute-force attack involves systematically guessing login credentials until access is gained. These attacks are particularly effective when users rely on weak, predictable, or default passwords. In this case, attackers are targeting GlobalProtect gateways, which serve as critical entry points for remote workers accessing corporate networks.

According to Palo Alto Networks, the observed activity aligns with password-related attacks, such as brute-force login attempts. While no specific vulnerability is being exploited, the sheer scale of the scanning activity indicates a coordinated effort to identify exposed or vulnerable systems.

Reference: A spokesperson for Palo Alto Networks told The Hacker News, “Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts. We continue to actively monitor this situation and analyze the reported activity to determine its potential impact.”


Why Are GlobalProtect Gateways Being Targeted?

GlobalProtect gateways are prime targets for attackers due to their role in enabling remote connectivity. Here’s why they’re under siege:

1. Critical Access Points

GlobalProtect gateways control access to sensitive network resources, making them highly valuable to attackers.

  • Impact: A compromised gateway can grant unauthorized access to internal systems, leading to data theft, malware deployment, or operational disruptions.

Reference: According to IBM’s X-Force Threat Intelligence Index 2024, network gateways are among the top three targets for cybercriminals.

2. Weak or Default Credentials

Many organizations fail to change default passwords or use easily guessable credentials, making brute-force attacks highly effective.

  • Impact: Attackers can quickly gain access if MFA is not enabled or if security policies are lax.

Reference: CISA reports that 63% of brute-force attacks succeed due to poor password practices.

3. Remote Work Trends

The rise of remote work has increased reliance on tools like GlobalProtect, expanding the attack surface for cybercriminals.

  • Impact: Exposed gateways become low-hanging fruit for attackers scanning the internet for vulnerabilities.

Reference: A 2024 study by Gartner found that remote access vulnerabilities account for 35% of all cyber incidents.


The Scale and Scope of the Attacks

The spike in suspicious login scanning activity, as reported by GreyNoise, highlights the global nature of the threat. Key details include:

  • Timeline: The activity began on March 17, 2025, and peaked with 23,958 unique IP addresses before declining.
  • Geographic Focus: Systems in the United States, the United Kingdom, Ireland, Russia, and Singapore were primarily targeted.
  • Unknown Actors: It remains unclear whether these efforts are linked to a specific threat actor or group.

Reference: Palo Alto Networks is actively analyzing the reported activity to assess its potential impact and determine if additional mitigations are necessary.


Steps to Protect Your PAN-OS GlobalProtect Gateways

To safeguard your GlobalProtect gateways from brute-force attacks, follow these practical steps:

1. Change Default Credentials Immediately

  • Why It Matters: Default credentials are widely known and often targeted by attackers.
  • How to Do It: Replace default usernames and passwords with strong, unique credentials. Use a password manager to generate and store complex passwords.
  • Tool Recommendation: Tools like LastPass or Dashlane can help manage secure credentials.

Reference: Palo Alto Networks’ advisory emphasizes changing default credentials as a top priority.

2. Enable Multi-Factor Authentication (MFA)

  • Why It Matters: MFA adds an extra layer of security, making it significantly harder for attackers to gain access even if they guess the password.
  • How to Do It: Configure MFA for all administrative accounts and remote access points. Ensure the GlobalProtect authentication profile is configured to prompt users for the second factor.
  • Tool Recommendation: Use solutions like Duo Security or Microsoft Authenticator for MFA implementation.

Reference: Microsoft states that enabling MFA blocks 99.9% of account compromise attacks.

3. Limit Internet Exposure

  • Why It Matters: Reducing unnecessary exposure minimizes the attack surface and makes it harder for attackers to target your gateways.
  • How to Do It: Use IP whitelisting to allow access only from trusted locations or devices. Disable unused accounts and enforce strict access controls.
  • Tool Recommendation: Leverage Palo Alto Networks’ built-in Access Control Policies to manage permissions.

Reference: NIST’s Access Control Guidelines recommend the principle of least privilege (PoLP) to limit unnecessary access.

4. Monitor and Log Activity

  • Why It Matters: Continuous monitoring helps detect suspicious activity and respond quickly to potential threats.
  • How to Do It: Enable logging for all login attempts and set up alerts for failed login attempts.
  • Tool Recommendation: Use Splunk or QRadar for real-time monitoring and analysis.

Reference: CISA advises organizations to monitor logs regularly to identify brute-force patterns.

5. Keep Software Updated

  • Why It Matters: Outdated software may have vulnerabilities that attackers can exploit.
  • How to Do It: Regularly update PAN-OS and apply security patches as soon as they’re released.
  • Tool Recommendation: Use Palo Alto Networks’ Panorama platform to streamline updates across devices.

Reference: Palo Alto Networks notes that timely updates prevent 70% of successful gateway attacks.

6. Deploy Intrusion Detection/Prevention Systems (IDS/IPS)

  • Why It Matters: IDS/IPS can detect and block brute-force attempts in real time.
  • How to Do It: Configure Palo Alto Networks’ Threat Prevention features to monitor and block malicious traffic.
  • Tool Recommendation: Use Palo Alto’s Next-Generation Firewalls (NGFW) for comprehensive protection.

Reference: Fortinet reports that deploying IDS/IPS reduces brute-force risks by 50%.
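Step 4 above recommends alerting on failed login attempts. The following added example (not from Palo Alto Networks or the original article) shows the two checks a defender wants for this campaign: a per-source threshold for noisy brute-forcing, and an aggregate count of distinct failing sources, which catches low-and-slow probing spread across many IPs, as in the GreyNoise wave. The log lines are constructed and simplified; they do not reproduce the real PAN-OS GlobalProtect log field layout, so adapt `parse()` to your export format.

```python
"""Flag brute-force patterns in GlobalProtect gateway auth logs (constructed sample)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log lines: timestamp event status source-ip user.
# This is NOT the real PAN-OS field layout; adapt parse() to your export format.
SAMPLE_LOG = """\
2025-03-17T10:00:01Z gateway-auth failure 203.0.113.10 admin
2025-03-17T10:00:03Z gateway-auth failure 203.0.113.10 admin
2025-03-17T10:00:05Z gateway-auth failure 203.0.113.10 root
2025-03-17T10:00:07Z gateway-auth failure 203.0.113.10 test
2025-03-17T10:00:09Z gateway-auth failure 203.0.113.10 guest
2025-03-17T10:00:20Z gateway-auth success 198.51.100.7 jdoe
2025-03-17T10:01:00Z gateway-auth failure 198.51.100.21 admin
2025-03-17T10:01:10Z gateway-auth failure 198.51.100.22 admin
2025-03-17T10:01:20Z gateway-auth failure 198.51.100.23 admin
2025-03-17T10:01:30Z gateway-auth failure 198.51.100.24 admin
"""

def parse(log):
    """Yield (timestamp, event, status, source_ip, user) per line."""
    for line in log.splitlines():
        ts, event, status, src, user = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, status, src, user

def detect(log, per_ip_threshold=5, distinct_ip_threshold=4, window=timedelta(minutes=5)):
    """Return (noisy_ips, distributed_alert).

    noisy_ips: sources with >= per_ip_threshold failures inside `window`.
    distributed_alert: True once >= distinct_ip_threshold different sources fail
    inside `window`; a per-IP threshold alone misses attacks spread across
    thousands of addresses, each sending only a handful of guesses.
    """
    per_ip = defaultdict(deque)     # src -> timestamps of recent failures
    recent = deque()                # (ts, src) of all recent failures
    noisy, distributed = set(), False
    for ts, event, status, src, _user in parse(log):
        if event != "gateway-auth" or status != "failure":
            continue
        q = per_ip[src]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= per_ip_threshold:
            noisy.add(src)
        recent.append((ts, src))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len({s for _, s in recent}) >= distinct_ip_threshold:
            distributed = True
    return noisy, distributed

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Feed the function the same event stream your SIEM receives; the distributed check is the one to keep even after you block individual noisy sources.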


The recent surge in brute-force attacks targeting PAN-OS GlobalProtect gateways underscores the importance of securing these critical access points. While Palo Alto Networks has confirmed that no specific vulnerability is being exploited, the attacks highlight the risks posed by weak credentials and unnecessary internet exposure.

By taking proactive steps—such as changing default credentials, enabling MFA, limiting exposure, and keeping software updated—you can significantly reduce the risk of compromise. Remember, securing your gateways is not just about protecting your network; it’s about safeguarding your business, customers, and reputation.

For further reading, check out sources like Palo Alto Networks’ Official Advisory, GreyNoise’s Threat Intelligence Reports, and CISA’s Cybersecurity Alerts.
