Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways
Information: Palo Alto Networks is a cybersecurity company that provides advanced firewalls and cloud-based security solutions to protect networks, users, and data from cyber threats.
Incident: Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances.
"Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability," a spokesperson for the company told The Hacker News. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary."
The development comes after threat intelligence firm GreyNoise alerted of a spike in suspicious login scanning activity aimed at PAN-OS GlobalProtect portals.
The company further noted that the activity commenced on March 17, 2025, hitting a peak of 23,958 unique IP addresses before dropping off towards the end of last month. The pattern indicates a coordinated effort to probe network defenses and identify exposed or vulnerable systems.
The login scanning activity has primarily singled out systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.
It's currently not known how widespread these efforts are and if they are the work of any specific threat actor at this stage.
Recommendation: In the interim, all customers are encouraged to ensure that they are running the latest versions of PAN-OS. Other mitigations include enforcing multi-factor authentication (MFA), configuring GlobalProtect to facilitate MFA notifications, setting up security policies to detect and block brute-force attacks, and limiting unnecessary exposure to the internet.
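As an added example (not part of the original article, and not a Palo Alto Networks feature), the following sliding-window detector flags the failed-login pattern the recommendation asks administrators to watch for, run over constructed GlobalProtect-style log lines; the line format, field names and sample addresses are assumptions for illustration, not the real PAN-OS system-log schema.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (not the real PAN-OS system-log schema):
#   "<date> <time> globalprotect auth-<fail|ok> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) globalprotect auth-(?P<result>fail|ok) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
# Constructed sample: one source spraying five accounts in 20 seconds, one user
# who mistypes a password twice then succeeds, one slow source below threshold.
SAMPLE_LOGS = """\
2025-03-17 10:00:00 globalprotect auth-fail user=grace src=192.0.2.44
2025-03-17 10:00:01 globalprotect auth-fail user=alice src=198.51.100.7
2025-03-17 10:00:05 globalprotect auth-fail user=bob src=198.51.100.7
2025-03-17 10:00:09 globalprotect auth-fail user=carol src=198.51.100.7
2025-03-17 10:00:14 globalprotect auth-fail user=dave src=198.51.100.7
2025-03-17 10:00:20 globalprotect auth-fail user=erin src=198.51.100.7
2025-03-17 10:02:00 globalprotect auth-fail user=alice src=203.0.113.9
2025-03-17 10:02:10 globalprotect auth-fail user=alice src=203.0.113.9
2025-03-17 10:02:25 globalprotect auth-ok user=alice src=203.0.113.9
2025-03-17 10:10:00 globalprotect auth-fail user=grace src=192.0.2.44
"""

def parse(line):
    """Return a dict for a recognised line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Flag a source IP the first time it reaches `threshold` failed logins inside
    a sliding `window`; the distinct-user list separates spraying from brute force."""
    recent = defaultdict(deque)  # src -> (ts, user) failures still inside window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "fail":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:  # expire failures older than window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {"first_seen": q[0][0].isoformat(),
                                 "failures": len(q),
                                 "users": sorted({u for _, u in q})}
    return alerts
```

Feeding real gateway logs through `parse` only requires adjusting `LINE_RE`; the alert dictionary is what a SIEM rule or a block-list job would consume.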
The important thing is the security of our systems. We must stay alert and keep monitoring as usual.
References: https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.html
Weekly Interesting CVE
| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-2783 | 26/3/2025 | 28/3/2025 | Google Chrome | Remote Code Execution | 6.0 | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. | Update Google Chrome to version 134.0.6998.177 or later. | https://vuldb.com/?id.301394 |
| 2 | CVE-2025-29635 | 25/3/2025 | 25/3/2025 | D-Link DIR-823X versions 240126 and 240802 | Command Injection | 6.3 | A command injection vulnerability has been discovered in D-Link DIR-823X versions 240126 and 240802, allowing an authenticated attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via the corresponding function, leading to remote command execution. | Update the D-Link DIR-823X firmware to the latest version. | |
| 3 | CVE-2025-32138 | 4/4/2025 | 4/4/2025 | Easy Google Maps Plugin | XML External Entity Reference | 6.6 | An Improper Restriction of XML External Entity Reference (XXE) vulnerability in the Easy Google Maps plugin allows for XML Injection. | Update the Easy Google Maps plugin to the latest version. | https://nvd.nist.gov/vuln/detail/CVE-2025-32138?utm_source=chatgpt.com |
| 4 | CVE-2025-31334 | 3/4/2025 | 3/4/2025 | WinRAR versions prior to 7.11 | Unsafe Action Warning | 6.8 | This vulnerability arises from an issue in WinRAR versions prior to 7.11, where the "Mark of the Web" security warning function can be bypassed when opening a symbolic link that points to an executable file. If a specially crafted symbolic link is opened on the affected product, arbitrary code may be executed. | Update WinRAR to version 7.11 or later. | |
| 5 | CVE-2025-30065 | 1/4/2025 | 1/4/2025 | Apache Parquet versions 1.15.0 and earlier | Remote Code Execution | 10.0 | A remote code execution (RCE) vulnerability has been discovered in the parquet-avro module of Apache Parquet versions 1.15.0 and earlier. The vulnerability arises from unsafe schema parsing, allowing attackers to craft malicious Parquet files that, when processed by a vulnerable system, can execute arbitrary code. | Upgrade to Apache Parquet version 1.15.1 or later. | https://nvd.nist.gov/vuln/detail/CVE-2025-30065?utm_source=chatgpt.com |
| No. | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | Carding tool abusing WooCommerce API downloaded 34K times on PyPI | 06/04/2025 | Malicious libraries, sensitive information stealer | A malicious PyPI package named 'Disgrasya' has been discovered, targeting WooCommerce, an open-source e-commerce plugin for WordPress used by small to large online merchants. Disgrasya accesses credit card information from the Dark Web, uses existing cardholder data to create counterfeit cards, a technique known as Credit Card Stuffing or Carding, and proceeds to make small-value purchases across multiple WooCommerce stores to evade detection. Disgrasya has been downloaded more than 34,000 times. Additionally, similar packages with names like bitcoinlibdbfix and bitcoinlib-dev have been downloaded more than 1,000 times. | |
Ref: https://thehackernews.com/2025/04/malicious-python-packages-on-pypi.html
17 April 2025