
Hackers Attacking Palo Alto Networks’ GlobalProtect VPN Portals with 2.3 Million Attacks

Hackers have unleashed over 2.3 million malicious sessions against Palo Alto Networks’ GlobalProtect VPN portals since November 14, 2025, according to threat intelligence firm GreyNoise.

This surge, which grew 40-fold within 24 hours, represents the highest activity level in the past 90 days and underscores growing risks to remote access systems worldwide.

The attacks primarily target the /global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect platforms, focusing on brute-force login attempts that could expose corporate networks to unauthorized access.

GreyNoise researchers noted the rapid buildup starting last week, with activity peaking as organizations rely heavily on these VPNs for secure remote work. This campaign not only threatens data breaches but also highlights persistent vulnerabilities in widely used network security tools.

Surge Linked to Coordinated Threat Actors

GreyNoise has uncovered strong ties between this Palo Alto assault and earlier malicious campaigns, attributing them with high confidence to overlapping threat actors.

Key indicators include consistent TCP and JA4t fingerprints across incidents, shared infrastructure via recurring Autonomous System Numbers (ASNs), and synchronized timing in activity spikes.

These patterns suggest a sophisticated, possibly state-sponsored or cybercrime operation iterating on proven tactics to probe for weaknesses in enterprise defenses.

The infrastructure behind the attacks is highly concentrated, with 62% of sessions originating from AS200373 (3xK Tech GmbH), a German company, forming the campaign’s backbone.

An additional 15% traces to the same ASN but is routed through Canadian clusters, indicating distributed hosting to evade detection. Secondary contributions come from AS208885 (Noyobzoda Faridduni Saidilhom), reinforcing a coordinated footprint that spans continents.

Targets appear geographically focused, with the United States, Mexico, and Pakistan each facing roughly equal volumes of login probes. This distribution may reflect attackers prioritizing high-value regions or leveraging stolen credential lists from diverse sources.

For defensive hunting, GreyNoise highlighted two JA4t fingerprints covering all observed activity: 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7.

Indicator Type        Value
ASN (Primary)         AS200373 (3xK Tech GmbH)
ASN (Secondary)       AS208885 (Noyobzoda Faridduni Saidilhom)
JA4t Fingerprint 1    65495_2-4-8-1-3_65495_7
JA4t Fingerprint 2    33280_2-4-8-1-3_65495_7
Target URI            /global-protect/login.esp
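As an added illustration, not part of the original article or of GreyNoise's own tooling, the following Python script applies the indicators above to a constructed access-log sample: it flags requests to the login URI that arrive from the listed ASNs or carry the listed JA4t fingerprints, and separately counts login-page requests per source address against a brute-force threshold. The key=value log format, the sample addresses, the benign fingerprint and the threshold of five attempts are assumptions made for the example; only the indicator values come from the article.

```python
"""Hunt for the GlobalProtect brute-force indicators in access-log records.

Added example. The log format below is a constructed key=value layout, not
PAN-OS's own log schema; the indicator values are the ones the article lists.
"""
from collections import Counter, defaultdict

# Indicators reported in the article.
TARGET_URI = "/global-protect/login.esp"
SUSPECT_ASNS = {"AS200373", "AS208885"}
SUSPECT_JA4T = {"65495_2-4-8-1-3_65495_7", "33280_2-4-8-1-3_65495_7"}

# Login-page requests per source IP that we treat as brute-force volume.
# This is a tunable assumption for the example, not a figure from the article.
BRUTE_FORCE_THRESHOLD = 5

# Constructed sample records (documentation address ranges, one request per line).
# 203.0.113.10: listed ASN + listed fingerprint, six login attempts.
# 198.51.100.7: secondary ASN + second fingerprint, two login attempts.
# 192.0.2.5:    unrelated ASN and fingerprint, one successful login.
# 203.0.113.99: listed ASN but a non-login URI, so not a login indicator hit.
SAMPLE_LOG = """\
ts=2025-11-20T10:00:01Z src=203.0.113.10 asn=AS200373 ja4t=65495_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:02Z src=203.0.113.10 asn=AS200373 ja4t=65495_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:03Z src=203.0.113.10 asn=AS200373 ja4t=65495_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:04Z src=203.0.113.10 asn=AS200373 ja4t=65495_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:05Z src=203.0.113.10 asn=AS200373 ja4t=65495_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:06Z src=203.0.113.10 asn=AS200373 ja4t=65495_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:07Z src=198.51.100.7 asn=AS208885 ja4t=33280_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:08Z src=198.51.100.7 asn=AS208885 ja4t=33280_2-4-8-1-3_65495_7 uri=/global-protect/login.esp status=401
ts=2025-11-20T10:00:09Z src=192.0.2.5 asn=AS64496 ja4t=65535_2-4-8-1-3_1460_7 uri=/global-protect/login.esp status=200
ts=2025-11-20T10:00:10Z src=203.0.113.99 asn=AS200373 ja4t=65535_2-4-8-1-3_1460_7 uri=/ status=200
"""


def parse_record(line):
    """Parse one 'key=value key=value ...' record into a dict (tokens without '=' are skipped)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(record):
    """Return the set of indicator names a single record matches."""
    hits = set()
    if record.get("uri") == TARGET_URI:
        hits.add("target_uri")
    if record.get("asn") in SUSPECT_ASNS:
        hits.add("suspect_asn")
    if record.get("ja4t") in SUSPECT_JA4T:
        hits.add("suspect_ja4t")
    return hits


def hunt(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    """Scan records and report indicator-matched sources plus brute-force volume per source."""
    indicator_hits = Counter()          # src -> login requests matching ASN or JA4t indicator
    login_attempts = Counter()          # src -> all requests to the login URI
    fingerprints_by_src = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_record(line)
        if "src" not in record:
            continue
        hits = classify(record)
        if "target_uri" not in hits:
            continue  # only the login page counts toward brute-force volume
        src = record["src"]
        login_attempts[src] += 1
        if "suspect_ja4t" in hits:
            fingerprints_by_src[src].add(record["ja4t"])
        # A login request is indicator-matched when it also hits a listed ASN or fingerprint.
        if hits & {"suspect_asn", "suspect_ja4t"}:
            indicator_hits[src] += 1
    brute_force_sources = sorted(src for src, n in login_attempts.items() if n >= threshold)
    return {
        "indicator_matched_sources": dict(indicator_hits),
        "brute_force_sources": brute_force_sources,
        "fingerprints_by_src": {src: sorted(fps) for src, fps in fingerprints_by_src.items()},
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two signals are kept separate on purpose: a source can exceed the volume threshold without matching any published indicator (a new campaign, or a misconfigured client), and a source can match the ASN or fingerprint indicators at low volume (a slow, distributed spray). Alerting on either condition, rather than requiring both, is the more conservative choice for a hunt against the indicators in this report.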

This incident echoes historical patterns observed by GreyNoise, where spikes in Fortinet VPN brute-force attacks often precede vulnerability disclosures within six weeks, a trend first noted in July 2025.

Similar surges hit Palo Alto portals in April and October 2025, prompted advisories, and were linked to broader campaigns against Cisco and Fortinet devices.

Organizations should audit exposed GlobalProtect portals, enforce multi-factor authentication, and monitor for these indicators to limit the risk of unauthorized access.

As remote access remains a prime vector for ransomware and espionage, this 2.3 million-attack wave serves as a stark reminder for enterprises to harden VPN configurations amid rising threat sophistication.

The post Hackers Attacking Palo Alto Networks’ GlobalProtect VPN Portals with 2.3 Million Attacks appeared first on Cyber Security News.

Source: cybersecuritynews.com
