Urgent Security Alert

🚨 MASSIVE SCANNING WAVE HITS PALO ALTO GLOBALPROTECT: PATCH NOW OR REGRET LATER

🔥 GLOBALPROTECT SCANNING SURGE: NATION-STATE RECON OR MASS EXPLOIT LOADING?

~24,000 IPs. One ASN. Zero excuses.

Palo Alto GlobalProtect VPNs are being aggressively scanned in what GreyNoise assesses is a coordinated reconnaissance campaign, the kind of surge that has repeatedly preceded public disclosure of a new vulnerability in the targeted product.

Between March 17 and March 26, 2025, GreyNoise detected a massive spike in scanning of GlobalProtect login portals, with lower-volume activity continuing to the end of the month. Nearly 24,000 unique IPs hit GlobalProtect portals and gateways. And this wasn't random:

  • ~20,000 IPs came from a single ASN: 3xK Tech GmbH (AS200373)

  • The majority were classified by GreyNoise as suspicious, with 154 IPs labeled malicious

  • Scanning peaked at ~20,000 IPs/day

  • Most activity originated from the US and Canada, targeting organizations in the US, UK, Ireland, Russia, Singapore

This isn’t curiosity—it’s choreography.
And your GlobalProtect portal might be on the hit list.


🧠 Context: Why This Matters

GlobalProtect is core perimeter infrastructure—often internet-facing, often under-patched, and often assumed to be “secure by default.” That illusion is dead.

This new wave of scans mirrors the surge GreyNoise saw ahead of 2024's ArcaneDoor campaign, in which Cisco ASA firewalls and other edge devices were compromised with zero-days and purpose-built implants. The playbook:

  1. Wide-area recon (that’s what this is)

  2. Exploit known/unknown vulns

  3. Establish persistent access via implants or reverse shells

  4. Pivot inward

If you’re not hardened and patched, you’re a target.


🛠️ The Vulnerability Landscape (2024–2025)

Even if this wave isn't tied to a new zero-day yet, recent history paints a clear picture:

CVE-2025-0108

  • Authentication bypass in the PAN-OS management web interface, disclosed February 2025

  • Actively exploited within days of disclosure and through Feb–Mar 2025; listed in CISA's KEV catalog

  • Exploitable by an unauthenticated attacker with network access to the management interface; the bypass alone exposes a limited set of PHP scripts, and it has been chained with other PAN-OS flaws to reach code execution

  • Mitigation: patch, restrict management-interface access to trusted internal addresses (a jump host, never the internet), and remove the OpenConfig plugin if you don't use it

CVE-2025-0117

  • Local privilege escalation in the GlobalProtect app for Windows: a local, non-administrative user can become SYSTEM

  • Needs a foothold on the endpoint first, so it's a post-compromise vector rather than an entry point; a phished user's laptop plus this bug equals SYSTEM

  • Fix: upgrade the app; Palo Alto also documented a registry-based workaround for fleets that can't upgrade immediately

CVE-2024-3400

  • Unauthenticated command injection in the GlobalProtect feature of PAN-OS (portal and gateway), yielding root on the firewall; exploited as a zero-day in April 2024

  • Still discussed on Reddit as possibly unpatched on some internet-facing devices

  • Early guidance tied exploitation to having device telemetry enabled; Palo Alto later withdrew that, so disabling telemetry is not a mitigation. Patch, and if a device sat exposed while unpatched, treat it as compromised and check it against the vendor's indicators

👀 Even one unpatched endpoint = one compromised org.


🚨 GreyNoise’s Technical Intel

GreyNoise linked the scanning tools to three unique JA4h hashes. JA4H is the HTTP client fingerprint from the JA4+ suite (plain JA4 is the TLS fingerprint): it encodes the method, HTTP version, cookie and referer presence, header count and Accept-Language, plus truncated hashes of the header and cookie names. Anywhere you log JA4H (Zeek with the JA4+ package, or a proxy/WAF that emits it) you can match the same tooling in your SIEM. Snort/Suricata signatures or YARA rules can't match a JA4H value directly; they would need the underlying header combination instead.
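To make the fingerprints concrete, here is an added example (my code, not GreyNoise's or Palo Alto's) that computes JA4H for an HTTP request and decodes the readable prefix of the three hashes above. It follows the JA4H layout in FoxIO's published JA4+ spec as I understand it; the request headers and cookie values are constructed for the demo, and the exact hashed sections should be checked against the reference implementation before you rely on them.

```python
"""JA4H (HTTP client fingerprint) computation and prefix decoding.

Added example for this article, not GreyNoise or Palo Alto code. It follows
the JA4H layout in FoxIO's published JA4+ spec as I understand it, a_b_c_d:
  a = method(2) + version(2) + cookie flag + referer flag + header count(2) + language(4)
  b = first 12 hex of SHA-256 over header names (Cookie/Referer excluded), in order
  c = first 12 hex of SHA-256 over sorted cookie names, or twelve zeros
  d = first 12 hex of SHA-256 over sorted cookie name=value pairs, or twelve zeros
Check it against the reference implementation before relying on exact b/c/d values.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]
ZERO12 = "0" * 12
_METHOD_BY_PREFIX = {"ge": "GET", "po": "POST", "pu": "PUT", "he": "HEAD",
                     "op": "OPTIONS", "de": "DELETE", "pa": "PATCH"}


def _h12(text: str) -> str:
    """First 12 hex chars of SHA-256, the truncation the JA4+ family uses."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:12]


def _version2(version: str) -> str:
    """'HTTP/1.1' -> '11', 'HTTP/2' -> '20', 'HTTP/0.9' -> '09'."""
    major, _, minor = version.upper().replace("HTTP/", "").partition(".")
    return f"{major}{minor or '0'}"[:2]


def _lang4(accept_language: Optional[str]) -> str:
    """First four letters of the primary Accept-Language tag, zero padded ('en-US' -> 'enus')."""
    if not accept_language:
        return "0000"
    primary = accept_language.split(",")[0].split(";")[0]
    return (re.sub(r"[^a-z]", "", primary.lower()) + "0000")[:4]


def ja4h(method: str, version: str, headers: List[Header]) -> str:
    """Compute the JA4H fingerprint of one HTTP request."""
    names: List[str] = []
    cookie_header: Optional[str] = None
    has_referer = False
    accept_language: Optional[str] = None
    for name, value in headers:
        lname = name.lower()
        if lname == "cookie":
            cookie_header = value  # excluded from the count and the name hash
            continue
        if lname == "referer":
            has_referer = True  # likewise excluded
            continue
        names.append(name)
        if lname == "accept-language":
            accept_language = value
    a = (method[:2].lower() + _version2(version)
         + ("c" if cookie_header else "n") + ("r" if has_referer else "n")
         + f"{min(len(names), 99):02d}" + _lang4(accept_language))
    b = _h12(",".join(names))
    if cookie_header:
        pairs = [p.strip() for p in cookie_header.split(";") if p.strip()]
        c = _h12(",".join(sorted(p.split("=", 1)[0] for p in pairs)))
        d = _h12(",".join(sorted(pairs)))
    else:
        c = d = ZERO12
    return f"{a}_{b}_{c}_{d}"


def decode_ja4h_a(fingerprint: str) -> Dict[str, object]:
    """Read the human-readable a-section back out of a JA4H string (or bare prefix)."""
    a = fingerprint.split("_")[0]
    if not re.fullmatch(r"[a-z]{2}\d{2}[cn][rn]\d{2}[a-z0-9]{4}", a):
        raise ValueError(f"not a JA4H a-section: {a!r}")
    return {
        "method": _METHOD_BY_PREFIX.get(a[0:2], a[0:2]),  # two letters can be ambiguous
        "http_version": f"{a[2]}.{a[3]}",
        "has_cookie": a[4] == "c",
        "has_referer": a[5] == "r",
        "header_count": int(a[6:8]),
        "language": None if a[8:12] == "0000" else a[8:12],
    }


# Constructed sample requests, not captured traffic. The first has six headers and no
# Accept-Language, so its a-section matches the page's third hash; its b-hash would only
# match the real tool if the header names and their order were identical, which we don't know.
SCANNER_LIKE_HEADERS: List[Header] = [
    ("Host", "vpn.example.com"),
    ("User-Agent", "python-requests/2.31"),
    ("Accept-Encoding", "gzip, deflate"),
    ("Accept", "*/*"),
    ("Connection", "keep-alive"),
    ("Content-Type", "application/x-www-form-urlencoded"),
]
BROWSER_LIKE_HEADERS: List[Header] = [
    ("Host", "vpn.example.com"),
    ("User-Agent", "Mozilla/5.0"),
    ("Accept", "text/html"),
    ("Accept-Language", "en-US,en;q=0.9"),
    ("Referer", "https://vpn.example.com/global-protect/login.esp"),
    ("Cookie", "PHPSESSID=abc123; lang=en"),
    ("Content-Type", "application/x-www-form-urlencoded"),
]

if __name__ == "__main__":
    for label, hdrs in (("scanner-like", SCANNER_LIKE_HEADERS), ("browser-like", BROWSER_LIKE_HEADERS)):
        print(f"{label:13} {ja4h('POST', 'HTTP/1.1', hdrs)}")
    for prefix in ("po11nn11enus", "po11nn09enus", "po11nn060000"):  # the three prefixes from the page
        print(prefix, decode_ja4h_a(prefix))
```

The decode tells you what the page's prefixes already reveal without the hashes: all three are HTTP/1.1 POSTs with no cookie and no referer, sending 11, 9 and 6 headers, the last one without any Accept-Language. That is the profile of a scripted client, not a browser, which is why a JA4H match in proxy logs is a stronger hunt signal than a User-Agent string the tool can change at will.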

Also notable:

  • A smaller, simultaneous rise in GreyNoise's PAN-OS crawler tag, which may indicate probing for known PAN-OS flaws alongside the login-portal scanning

  • A pattern GreyNoise compared to the 2024 surge that preceded the espionage-linked ArcaneDoor campaign against edge devices

  • Behavior reminiscent of APT-style reconnaissance (e.g., Silk Typhoon, ArcaneDoor), although GreyNoise did not attribute the activity to a specific actor


💥 What You Should Do RIGHT NOW

1. Review Logs: Mar 17–31

Look for spikes in distinct source IPs, bursts of pre-login probes and failed authentications from many addresses, repeated failures from single addresses, unfamiliar source ASNs, and geolocation anomalies in your GlobalProtect (portal/gateway auth) and traffic logs.

2. Block IPs from GreyNoise

  • Ingest GreyNoise's flagged-IP list into an external dynamic list (EDL) or your blocklist.

  • Rate-limit or block traffic from AS200373 (3xK Tech GmbH) if you have no business relationship with it. Geo-blocking is of limited use here: most of the scanning originated from the US and Canada, which are exactly where many targeted organizations' users sit.

3. Patch All Palo Alto Systems

  • Apply patches for CVE-2025-0108 and CVE-2025-0117

  • Revisit CVE-2024-3400, even if you think you're covered: confirm the running PAN-OS version on every device, not just the one you remember patching

  • Lock down access to management interfaces. If you can reach them from Starbucks, assume they're already compromised.

4. Harden GlobalProtect

  • Enforce MFA on everything

  • Use strong password policies

  • Turn on the authentication profile's failed-attempt lockout, and consider client certificates as a pre-login gate; that is the GlobalProtect equivalent of fail2ban-style throttling

  • Limit portal exposure to trusted IPs/networks where your user base allows it. A portal that must serve roaming users can't be IP-restricted, so MFA, lockout and certificate checks carry the load there.

5. Hunt for Indicators

Use the JA4h hashes, GreyNoise's flagged infrastructure, and the spike timestamps to proactively hunt in:

  • Firewall logs

  • VPN login logs

  • Endpoint detection systems
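Steps 1, 2 and 5 above amount to one hunt over your GlobalProtect authentication logs, so here is an added example that runs it end to end (my code, not Palo Alto's or GreyNoise's). The log lines are constructed for the demo as a simplified CSV subset (time, event, status, source IP, user); real PAN-OS GlobalProtect log exports carry more fields in a different order, so adapt parse_lines() to yours. The flagged-IP set and the prefix-to-ASN map are placeholders standing in for the GreyNoise list and a real ASN lookup, and every address is from the RFC 5737 documentation ranges.

```python
"""Hunt GlobalProtect authentication logs for the scan pattern described above.

Added example for this article, not Palo Alto or GreyNoise code. Sample log
lines are constructed (simplified CSV: time,event,status,src_ip,user); the
FLAGGED_IPS set and ASN_PREFIXES map are placeholders for the GreyNoise list
and a real ASN lookup. All addresses are RFC 5737 documentation ranges.
"""
import csv
import ipaddress
import statistics
from collections import Counter, defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Set

Event = Dict[str, str]


def _constructed_log() -> List[str]:
    """Constructed sample: a quiet baseline, one distributed burst day, one brute-forcer."""
    rows: List[str] = []
    for day in ("10", "11", "12", "13", "14"):  # two legitimate users per day
        rows.append(f"2025-03-{day}T08:01:00Z,portal-auth,success,192.0.2.10,alice")
        rows.append(f"2025-03-{day}T08:05:00Z,gateway-auth,success,192.0.2.10,alice")
        rows.append(f"2025-03-{day}T09:14:00Z,portal-auth,failure,192.0.2.11,bob")
        rows.append(f"2025-03-{day}T09:15:00Z,portal-auth,success,192.0.2.11,bob")
    for i in range(1, 41):  # burst day: 40 sources, one probe and one failed login each
        rows.append(f"2025-03-18T02:{i:02d}:00Z,portal-prelogin,success,198.51.100.{i},")
        rows.append(f"2025-03-18T02:{i:02d}:30Z,portal-auth,failure,198.51.100.{i},admin")
    for j in range(6):  # a single noisy brute-forcer the day after
        rows.append(f"2025-03-19T11:0{j}:00Z,portal-auth,failure,203.0.113.7,administrator")
    return rows


FLAGGED_IPS: Set[str] = {"198.51.100.5", "198.51.100.17", "203.0.113.7"}  # placeholder list
ASN_PREFIXES: Dict[str, str] = {"198.51.100.0/24": "AS200373"}  # placeholder map, not real prefixes


def parse_lines(lines: Iterable[str]) -> List[Event]:
    fields = ["time", "event", "status", "src_ip", "user"]
    events: List[Event] = []
    for row in csv.reader(lines):
        if len(row) != len(fields):
            continue  # skip malformed lines rather than abort the hunt
        rec = dict(zip(fields, row))
        rec["day"] = rec["time"][:10]
        events.append(rec)
    return events


def asn_of(ip: str, prefixes: Dict[str, str] = ASN_PREFIXES) -> Optional[str]:
    """Longest-prefix lookup is overkill for a demo map; first match is fine here."""
    addr = ipaddress.ip_address(ip)
    for net, asn in prefixes.items():
        if addr in ipaddress.ip_network(net):
            return asn
    return None


def daily_unique_sources(events: List[Event]) -> Dict[str, int]:
    per_day = defaultdict(set)
    for e in events:
        per_day[e["day"]].add(e["src_ip"])
    return {d: len(s) for d, s in sorted(per_day.items())}


def spike_days(daily: Dict[str, int], factor: float = 5.0) -> List[str]:
    """Days whose distinct-source count exceeds factor x the median day."""
    if not daily:
        return []
    baseline = statistics.median(daily.values())
    return [d for d, n in daily.items() if n > factor * baseline]


def distributed_failure_days(events: List[Event], min_ips: int = 20) -> Dict[str, int]:
    """Days on which many distinct IPs each failed portal auth: low-and-slow scanning
    that a per-IP lockout never triggers on."""
    per_day = defaultdict(set)
    for e in events:
        if e["event"] == "portal-auth" and e["status"] == "failure":
            per_day[e["day"]].add(e["src_ip"])
    return {d: len(s) for d, s in per_day.items() if len(s) >= min_ips}


def brute_force_ips(events: List[Event], min_failures: int = 5) -> Dict[str, int]:
    """IPs with >= min_failures failed portal logins within a single day."""
    fails = Counter((e["src_ip"], e["day"]) for e in events
                    if e["event"] == "portal-auth" and e["status"] == "failure")
    return {ip: n for (ip, _day), n in fails.items() if n >= min_failures}


def flagged_hits(events: List[Event], flagged: Set[str] = FLAGGED_IPS) -> List[str]:
    return sorted({e["src_ip"] for e in events if e["src_ip"] in flagged})


def hunt(lines: Iterable[str], flagged: Set[str] = FLAGGED_IPS,
         lookup: Callable[[str], Optional[str]] = asn_of) -> Dict[str, object]:
    events = parse_lines(lines)
    daily = daily_unique_sources(events)
    spikes = spike_days(daily)
    spike_asns = Counter(lookup(e["src_ip"]) or "unknown" for e in events if e["day"] in spikes)
    return {
        "daily_unique_sources": daily,
        "spike_days": spikes,
        "spike_day_asns": dict(spike_asns),  # a spike dominated by one ASN is the tell
        "distributed_failure_days": distributed_failure_days(events),
        "brute_force_ips": brute_force_ips(events),
        "flagged_hits": flagged_hits(events, flagged),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(_constructed_log()), indent=2))
```

Two design points matter more than the thresholds. The distributed check counts distinct failing sources per day rather than failures per source, because the wave above was ~20,000 addresses making few attempts each, a shape that a per-IP lockout never sees. And the ASN breakdown of the spike day is what turns "busy day" into "one provider hammering us", which is the same observation GreyNoise made at internet scale.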


🤔 What’s Next?

This isn’t over. It’s starting.
Scans → Exploits → Backdoors. That’s the play.

No confirmed breaches have been tied to this wave yet, but if you're still running GlobalProtect unpatched or wide open, it's not if, it's when.

📊 Key Metrics at a Glance

Metric                            Value
Total IPs                         ~24,000
Suspicious                        ~23,800
Malicious                         154
Main ASN                          3xK Tech GmbH (AS200373)
Peak date range                   Mar 17–26, 2025
JA4h hashes (tool fingerprints)   po11nn11enus_967778..., po11nn09enus_fb8b2e7..., po11nn060000_c4f667...

🧠 Final Word from SecurityBlotter

This is a red alert.

Scanning on this scale doesn’t just happen.
It’s recon—and you’re the recon target.

panic less. patch more.
But for real this time. Or someone else will be reading your logs for you.

Understanding the Recon Operation

In March 2025, a large-scale reconnaissance operation was detected targeting Palo Alto Networks GlobalProtect portals. This section addresses common concerns and provides guidance on safeguarding your systems.

What is the nature of the recon operation?

The operation used roughly 24,000 IP addresses, most of them from a single ASN, to scan GlobalProtect login portals and identify exposed, potentially unpatched systems. Scanning at this scale typically precedes exploitation, so staying fully patched is crucial.

How can I protect my organization from this threat?

Ensure your systems are fully patched with the latest security updates. Implement robust firewall rules, monitor network traffic for unusual activity, and educate your team on recognizing phishing attempts.

What should I do if I suspect a breach?

Immediately isolate affected systems to prevent further spread, and preserve their logs and configuration before rebuilding anything. Then conduct a thorough investigation with your IT team or a cybersecurity expert to assess the extent of the breach and take corrective actions.

Are there specific indicators of compromise to watch for?

Look for unusual login attempts (especially failed portal authentications arriving from many distinct addresses in a short window), unexpected data transfers, and any unauthorized changes to system configurations. Regularly review logs for signs of suspicious activity.

How often should I update my security protocols?

Security protocols should be reviewed and updated regularly, ideally every quarter, or immediately following any significant security incident or update from your software providers.
