Cyber attack surge infographic: world map highlighting 2,200 IP clusters (91% US, UK/Netherlands/Canada/Russia) targeting Palo Alto GlobalProtect portals, brute-force login icons and credential database arrows, GreyNoise shield with warning "Block Malicio

Attacks on Palo Alto Networks' PAN-OS GlobalProtect login portals have surged dramatically, with over 2,200 unique IPs conducting reconnaissance as of October 7, 2025—up from 1,300 just days prior on October 3, marking a 500% spike and the highest activity in 90 days per GreyNoise Intelligence. This coordinated campaign uses automated brute-force tactics, iterating through credential databases to probe SSL VPN portals, with GreyNoise releasing a dataset of observed usernames and passwords for security teams to check exposures.


Geographically, 91% of IPs originate from the US, followed by clusters in the UK, Netherlands, Canada, and Russia; 12% of ASN11878 subnets are involved, showing heavy infrastructure use. Analysis flags 93% of IPs as suspicious and 7% as malicious, with distinct TCP fingerprints and regional patterns indicating multiple threat groups. The attacks target emulated profiles, likely sourced from Shodan or Censys scans.


Correlations link this to simultaneous probes on Cisco ASA devices, sharing Dutch infrastructure fingerprints, tooling, and behaviors—suggesting a wider enterprise remote access reconnaissance effort. Defenders should block known malicious IPs, monitor GlobalProtect auth logs closely, and enforce stricter VPN access controls to counter the threat.
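One way to act on the advice to monitor GlobalProtect auth logs and block known malicious IPs, shown as an added example that is not from the original article or from GreyNoise. The four-column event layout, the thresholds, the function name and the IP addresses are constructed assumptions, not the PAN-OS log schema; map your exported log fields onto these columns.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: time, source IP, username, result.
# Simplified layout for illustration, not the PAN-OS log schema.
SAMPLE_LOG = """\
2025-10-07T10:00:01,203.0.113.10,admin,fail
2025-10-07T10:00:03,203.0.113.10,vpnuser,fail
2025-10-07T10:00:05,203.0.113.10,test,fail
2025-10-07T10:00:07,203.0.113.10,jsmith,fail
2025-10-07T10:00:09,203.0.113.10,backup,fail
2025-10-07T10:00:30,198.51.100.7,alice,fail
2025-10-07T10:00:41,198.51.100.7,alice,success
2025-10-07T10:02:00,203.0.113.10,jsmith,success
2025-10-07T10:05:00,192.0.2.55,bob,success
"""

def review_auth_log(text, blocklist=(), window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted findings} for one batch of auth events."""
    findings = defaultdict(set)
    recent = defaultdict(deque)  # ip -> (time, user) failures inside the window
    # ISO 8601 timestamps sort lexicographically in time order.
    rows = sorted(r for r in csv.reader(io.StringIO(text)) if r)
    for ts, ip, user, result in rows:
        when = datetime.fromisoformat(ts)
        if ip in blocklist:
            findings[ip].add("blocklisted-source")
        fails = recent[ip]
        while fails and when - fails[0][0] > window:
            fails.popleft()  # drop failures older than the window
        if result == "fail":
            fails.append((when, user))
            # One source failing against many distinct usernames matches
            # iteration through a credential list, not a user's typo.
            if len({u for _, u in fails}) >= min_users:
                findings[ip].add("many-usernames")
        elif "many-usernames" in findings.get(ip, ()):
            # A login that succeeds after such a run needs a credential reset.
            findings[ip].add("success-after-spray:" + user)
    return {ip: sorted(f) for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, notes in review_auth_log(SAMPLE_LOG, blocklist={"192.0.2.55"}).items():
        print(ip, notes)
```

A single user mistyping a password (198.51.100.7 in the sample) produces no finding, while the source that cycles through five usernames is flagged along with the account it eventually logged in to.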
 
 