
Key Highlights
A significant surge in reconnaissance scans has been detected targeting Palo Alto Networks login portals, particularly GlobalProtect and PAN-OS profiles. Experts reported a 500% increase in scanning activity, with over 1,285 unique IPs involved on October 3. Additionally, exploitation attempts targeting the Grafana CVE-2021-43798 vulnerability have been observed, indicating ongoing threats to unpatched systems.

Impact
Organizations using Palo Alto Networks products or unpatched Grafana instances may be at risk of targeted attacks. The scanning activity suggests potential reconnaissance for future exploitation, while the Grafana vulnerability has a history of being used in zero-day attacks.

Details
GreyNoise observed a dramatic increase in scanning activity targeting Palo Alto Networks GlobalProtect and PAN-OS login portals. The scanning activity peaked on October 3, with over 1,285 unique IPs involved. This is a significant rise compared to the usual daily average of under 200 IPs.

Two distinct activity clusters were observed—one targeting the United States and another focusing on Pakistan. These clusters had distinct TLS fingerprints, though some overlap was noted. Nearly all activity was directed at emulated Palo Alto profiles, reinforcing the targeted nature of the scans. The majority of IPs were geolocated in the U.S., with smaller clusters from the U.K., Netherlands, Canada, and Russia.

Exploitation Activity
In addition to the Palo Alto scans, researchers observed exploitation attempts against Grafana’s CVE-2021-43798 path traversal vulnerability. This flaw was previously exploited in December 2021 in zero-day attacks, underscoring the importance of patching. On September 28, 110 unique malicious IPs—mostly from Bangladesh—launched attacks targeting systems in the U.S., Slovakia, and Taiwan. The consistent destination ratios suggest automated exploitation.

Mitigation Strategies
Organizations are advised to:
Monitor for unusual scanning activity targeting Palo Alto Networks login portals.
Ensure all Grafana instances are patched against CVE-2021-43798.
Review logs for path traversal requests that may indicate exploitation attempts.
Consider blocking the 110 malicious IP addresses identified in the Grafana exploitation attempts to reduce exposure.
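One way to act on the log-review recommendation above, as an added example that is not part of the original advisory: a small Python detector that parses combined-format web access log lines, decodes request paths (including double-encoded ones) and flags traversal sequences, then tallies attempts and successful (HTTP 200) responses per source IP. The log lines are constructed; the `/public/plugins/` prefix is assumed here as the Grafana plugin-asset endpoint affected by CVE-2021-43798, which the page itself does not state.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in nginx/Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2024:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/7.68.0"
203.0.113.10 - - [28/Sep/2024:10:01:03 +0000] "GET /public/plugins/welcome/..%2F..%2F..%2F..%2Fetc/hosts HTTP/1.1" 200 221 "-" "curl/7.68.0"
198.51.100.7 - - [28/Sep/2024:10:02:15 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.44 - - [28/Sep/2024:10:05:00 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Sep/2024:10:05:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A ".." path segment bounded by separators (or string ends) after decoding.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
GRAFANA_PLUGIN_PREFIX = '/public/plugins/'  # assumed vulnerable endpoint for CVE-2021-43798

def fully_decode(path, rounds=3):
    # Double-encoding (%252e) is a common evasion; decode until stable, bounded.
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path):
    normalized = fully_decode(path).replace('\\', '/')
    return bool(TRAVERSAL_RE.search(normalized))

def find_traversal_attempts(log_text):
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m['path']):
            hits.append({'ip': m['ip'], 'path': fully_decode(m['path']),
                         'status': int(m['status']),
                         'grafana_plugin_asset': m['path'].startswith(GRAFANA_PLUGIN_PREFIX)})
    return hits

def summarize_by_ip(hits):
    # A 200 on a traversal path means the file was likely served: treat as an incident, not a probe.
    per_ip = defaultdict(lambda: {'attempts': 0, 'succeeded': 0})
    for h in hits:
        per_ip[h['ip']]['attempts'] += 1
        if h['status'] == 200:
            per_ip[h['ip']]['succeeded'] += 1
    return dict(per_ip)

if __name__ == '__main__':
    for ip, stats in summarize_by_ip(find_traversal_attempts(SAMPLE_LOG)).items():
        print(ip, stats)
```

Sources with `succeeded` greater than zero point at an unpatched instance and warrant incident response, not just blocking; sources with only 403s are probes that the block list recommendation above covers.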
