惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Register - Security
The Register - Security
P
Privacy International News Feed
月光博客
月光博客
博客园 - 聂微东
Blog — PlanetScale
Blog — PlanetScale
V
Visual Studio Blog
Y
Y Combinator Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
Google DeepMind News
Google DeepMind News
罗磊的独立博客
Vercel News
Vercel News
Last Week in AI
Last Week in AI
A
About on SuperTechFans
P
Proofpoint News Feed
M
MIT News - Artificial intelligence
人人都是产品经理
人人都是产品经理
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园_首页
T
Tailwind CSS Blog
GbyAI
GbyAI
S
Schneier on Security
L
LINUX DO - 热门话题
C
CERT Recently Published Vulnerability Notes
AWS News Blog
AWS News Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Hacker News
The Hacker News
N
News and Events Feed by Topic
云风的 BLOG
云风的 BLOG
博客园 - 【当耐特】
C
Cybersecurity and Infrastructure Security Agency CISA
I
Intezer
V2EX - 技术
V2EX - 技术
The GitHub Blog
The GitHub Blog
Scott Helme
Scott Helme
V
V2EX
IT之家
IT之家
S
SegmentFault 最新的问题
爱范儿
爱范儿
L
LangChain Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
MongoDB | Blog
MongoDB | Blog
S
Security Affairs
Security Latest
Security Latest
T
The Blog of Author Tim Ferriss
P
Proofpoint News Feed
S
Secure Thoughts
MyScale Blog
MyScale Blog
F
Fortinet All Blogs
Hugging Face - Blog
Hugging Face - Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ivanti RCE attacks 'ongoing,' exploitation hits clouds Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood
2025-11-20 · via The Register - Security: CSO

Updated Malicious traffic targeting Palo Alto Networks' GlobalProtect portals surged almost 40-fold in the space of 24 hours, hitting a 90-day high and putting defenders on alert for whatever comes next.

According to GreyNoise, the sudden wave began on November 14, when it logged roughly 2.3 million sessions hammering the "global-protect/login.esp" endpoint used by Palo Alto's PAN-OS and GlobalProtect products. Most of the traffic came from a single network, AS200373 (3xK Tech GmbH), with about 62 percent of the activity geolocated in Germany and another 15 percent in Canada. A second provider, AS208885, also contributed a steady stream of probes.

GreyNoise says the fingerprints suggest this malicious activity is tied to threat actors that have previously hammered Palo Alto kit, pointing to recurring TCP and JA4t signatures and reused infrastructure across multiple campaigns. The scans were aimed at GlobalProtect systems in the US, Mexico, and Pakistan, with each seeing similar levels of attention, suggesting a broad, opportunistic trawl rather than a tightly focused operation.

"GreyNoise has also identified strong connections between this spike and prior related campaigns," said Matthew Remacle, security research architect at GreyNoise. "We assess with high confidence that these campaigns are at least partially driven by the same threat actor."

The pattern mirrors what GreyNoise has observed ahead of past VPN-related incidents. Fortinet appliances, for example, often saw scanning spikes weeks before vulnerabilities were publicly disclosed or actively exploited. "GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor – with 80 percent of observed cases followed by a CVE disclosure within six weeks," the company said in an earlier blog.

That doesn't mean Palo Alto is sitting on an unpatched bug, but the timing and volume of the traffic are enough to make security teams twitchy.

To help customers get ahead of the surge, GreyNoise has pushed out a dedicated Palo Alto blocklist through its Block service and says defenders can generate their own filters keyed to ASN, JA4 fingerprint, destination country, or classification.

There's no confirmed exploit in circulation that maps to the observed scanning, and Palo Alto hasn't issued any fresh advisories that might explain the sudden rush of interest (nor has it responded to The Register's questions). Even so, the mix of large-scale internet probing, repeat attacker infrastructure, and a known history of pre-exploitation scanning is rarely a good sign.

For organizations running exposed GlobalProtect login portals, the advice is the usual blend of caution and paranoia: tighten access controls, watch for login anomalies, and be ready to slap in blocklists or IPS rules if the probing turns into something more serious. ®

Updated to add on November 24:

Palo Alto has been in touch to say it found "no evidence of a compromise" after it investigated "the reported scanning activity." A spokesperson told us: "Palo Alto Networks is protected by our own Cortex XSIAM platform, which stops 1.5 million new attacks daily and autonomously reduces 36 billion security events into the most critical threats to ensure our infrastructure remains secure. We remain confident in our robust security posture and our ability to protect our network."