
🔐 PAN-OS Under Massive Attack

Fines, leaks, and hacks—key cyber updates

Welcome to your essential briefing on threats at the intersection of cybersecurity and critical infrastructure, brought to you by Neeve, the edge cloud security platform for smart buildings, making built spaces secure, intelligent, and sustainable.

This Week’s Cyber Insights

A massive reconnaissance campaign targeting critical security infrastructure has security teams on high alert. Researchers have detected an unprecedented volume of scanning activity specifically targeting Palo Alto Networks' GlobalProtect VPN portals, suggesting a coordinated preparation for exploitation.

  • Nearly 24,000 unique IP addresses have scanned Palo Alto Networks' GlobalProtect VPN portals over a 30-day period, with activity peaking at 20,000 unique IPs daily.

  • Security researchers have identified three distinct JA4h network fingerprint hashes linked to the login scanner tool, enabling better tracking across changing source IPs.

  • Scanning originated predominantly from US and Canadian infrastructure, with most traffic (20,010 IPs) linked to 3xK Tech GmbH under ASN200373.

🤔 The Bigger Picture:

Organizations using Palo Alto Networks products face potential exploitation of past vulnerabilities while attackers probe for new entry points. This scanning pattern often precedes the discovery of new critical vulnerabilities by 2-4 weeks, suggesting attackers may be preparing for future campaigns. Security teams should immediately review March logs, implement enhanced perimeter monitoring, and ensure all PAN-OS systems are fully patched.
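The log review recommended above can be started with a small triage script. The following is an added example and is not code from Neeve, Palo Alto Networks, or the researchers cited; it assumes a simplified, constructed log format (timestamp, source IP, JA4h fingerprint, event), and the three fingerprint values are labelled placeholders because the real hashes are not given in the article. It flags days where the count of distinct source IPs exceeds a baseline, lists IPs whose fingerprint matches a known scanner hash, and separates IPs that only ever failed to log in from legitimate users.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (NOT real PAN-OS output; the field layout
# is an assumption made for this example):
#   <ISO-8601 timestamp> <source IP> <JA4h fingerprint> <event>
SAMPLE_LOG = """\
2025-03-01T08:00:01 203.0.113.5   JA4H-CONSTRUCTED-X portal-login-failed
2025-03-01T09:12:44 203.0.113.7   JA4H-CONSTRUCTED-X portal-login-ok
2025-03-02T00:01:10 198.51.100.10 JA4H-CONSTRUCTED-A portal-login-failed
2025-03-02T00:01:11 198.51.100.11 JA4H-CONSTRUCTED-A portal-login-failed
2025-03-02T00:01:12 198.51.100.12 JA4H-CONSTRUCTED-B portal-login-failed
2025-03-02T00:01:13 198.51.100.13 JA4H-CONSTRUCTED-B portal-login-failed
2025-03-02T00:01:14 198.51.100.14 JA4H-CONSTRUCTED-C portal-login-failed
2025-03-02T10:30:00 203.0.113.5   JA4H-CONSTRUCTED-X portal-login-ok
2025-03-03T07:45:09 203.0.113.7   JA4H-CONSTRUCTED-X portal-login-ok
"""

# Placeholders standing in for the three JA4h hashes attributed to the scanner;
# the real values are not on the page, so these are constructed.
KNOWN_SCANNER_JA4H = {"JA4H-CONSTRUCTED-A", "JA4H-CONSTRUCTED-B", "JA4H-CONSTRUCTED-C"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<ja4h>\S+)\s+(?P<event>\S+)$")


def parse_lines(text):
    """Parse the constructed log format into dicts; non-matching lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["day"] = ev["ts"][:10]  # YYYY-MM-DD part of the ISO timestamp
        events.append(ev)
    return events


def unique_ips_per_day(events):
    """Distinct source IPs observed on each day."""
    per_day = defaultdict(set)
    for ev in events:
        per_day[ev["day"]].add(ev["ip"])
    return dict(per_day)


def flag_scan_days(events, baseline):
    """Days on which the number of distinct source IPs exceeds the normal baseline."""
    return sorted(day for day, ips in unique_ips_per_day(events).items()
                  if len(ips) > baseline)


def scanner_fingerprint_hits(events, known=KNOWN_SCANNER_JA4H):
    """Map each source IP whose JA4h matches a known scanner hash to that hash."""
    hits = {}
    for ev in events:
        if ev["ja4h"] in known:
            hits.setdefault(ev["ip"], ev["ja4h"])
    return hits


def failed_only_ips(events):
    """Source IPs that only produced failed portal logins and never a successful one."""
    ok, failed = set(), set()
    for ev in events:
        (ok if ev["event"] == "portal-login-ok" else failed).add(ev["ip"])
    return sorted(failed - ok)


def triage(text, baseline):
    """Run all three checks over a log text and return the findings."""
    events = parse_lines(text)
    return {
        "flagged_days": flag_scan_days(events, baseline),
        "scanner_ips": sorted(scanner_fingerprint_hits(events)),
        "failed_only_ips": failed_only_ips(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG, baseline=3).items():
        print(f"{name}: {finding}")
```

The baseline should come from the organisation's own history of distinct daily source IPs on the portal (for example, the 90th percentile over a quiet month), since a fixed number will either miss a slow scan or fire on every busy workday. Fingerprint matching tracks the tool even as source IPs rotate, which is why the article highlights the JA4h hashes.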

Managed Service Providers (MSPs) have become prime targets for sophisticated threat actors seeking maximum impact with minimal effort. A recent attack by the Qilin ransomware group demonstrates how a single compromised admin account can cascade into a widespread security disaster affecting multiple organizations.

  • Qilin ransomware operators successfully breached multiple organizations by targeting a Managed Service Provider (MSP) using a fake ScreenConnect login page that harvested both credentials and MFA tokens.

  • After gaining super administrator access to the MSP's RMM environment, attackers deployed malicious ScreenConnect instances across customer environments to conduct reconnaissance and execute ransomware.

  • The attackers used advanced evasion techniques including Incognito mode for data exfiltration, Safe Mode with networking to bypass endpoint security, and removal of forensic traces.

🤔 The Bigger Picture:

This attack demonstrates how ransomware groups are targeting the supply chain to maximize impact with minimal effort. By compromising a single MSP administrator account, attackers gained access to multiple downstream customer environments. Organizations should implement phishing-resistant authentication like FIDO2-based solutions, restrict administrative logins to managed devices, and prevent unauthorized Safe Mode reboots to counter similar threats.

As artificial intelligence advances toward AGI, cybersecurity experts face a double-edged sword. The same technology that strengthens defenses could potentially supercharge attacks, prompting researchers to develop new evaluation methods to stay ahead of evolving threats.

  • Researchers have developed a comprehensive benchmark framework to evaluate emerging offensive cyber capabilities of AI, covering the entire attack chain from reconnaissance to action on objectives.

  • The analysis drew on over 12,000 real-world attempts to use AI in cyberattacks across 20 countries, identifying seven archetypal attack categories and critical bottleneck stages.

  • Initial evaluations suggest current AI models alone are unlikely to enable breakthrough capabilities for threat actors, but as frontier AI advances, attack capabilities will evolve.

🤔 The Bigger Picture:

This framework represents the first systematic approach to understanding how advanced AI could automate and accelerate cyberattacks, potentially lowering costs and enabling attacks at greater scale. By identifying key bottlenecks in the attack chain, security professionals can prioritize defenses where AI could make attacks faster, cheaper, or easier. Organizations should incorporate these insights into their security planning to prepare for the next generation of AI-powered threats.

The rapid advancement of generative AI technologies brings powerful new capabilities to organizations—and to threat actors. As these systems become more sophisticated and accessible, security professionals face an expanding threat landscape that requires new approaches to defend against AI-enhanced attacks.

  • Deepfakes and automated phishing attacks are becoming more sophisticated, with AI enabling highly personalized social engineering campaigns that can mimic writing styles and personas at scale.

  • AI-powered systems can analyze existing malware, identify successful attack patterns, and generate new variants that evade traditional security measures.

  • Advanced models risk leaking sensitive data in their outputs through "model leakage" or unwanted memorization, potentially exposing trade secrets or personal information.

  • Adversaries are developing specialized attacks against AI systems themselves, using specially crafted inputs to trick models into making incorrect decisions or outputs.

🤔 The Bigger Picture:

As generative AI capabilities grow, cybersecurity teams must adapt their defenses to address these evolving threats. Organizations need a comprehensive security strategy that includes strict access controls, enhanced privacy protections, and continuous monitoring of AI systems for unexpected behaviors. Investing in AI ethics and security training is crucial as human awareness remains the most effective defense against increasingly sophisticated AI-powered attacks.

Further Alerts & Insights

📰 Chain of Thought Exploited to Create Malware

DeepSeek-R1's transparent reasoning system has become a security vulnerability as researchers discovered how attackers can exploit its Chain of Thought process to create sophisticated malware and convincing phishing campaigns. The 671-billion-parameter model inadvertently provides attackers insights into bypassing security measures through its explicit reasoning process.

📰 Balancing AI Safety and Privacy

Regulators face complex challenges in monitoring AI misuse without infringing on legitimate privacy interests. Proposals draw inspiration from frameworks like the Bank Secrecy Act and CSAM reporting laws, but AI interactions may deserve stronger Fourth Amendment protections than traditional records due to their potentially intimate nature.

📰 CISA Adds Actively Exploited Ivanti Vulnerability to KEV

CISA has added CVE-2025-22457, a critical vulnerability in Ivanti Connect Secure, to its Known Exploited Vulnerabilities Catalog. This stack-based buffer overflow allows unauthenticated remote code execution and is being actively exploited by UNC5221, a threat actor linked to China that targets edge devices.

📰 Hunters International Shifts to Extortion-Only

Continuing the ransomware evolution trend, Hunters International (suspected to be a rebrand of Hive) has shifted from traditional encryption tactics to stealthier extortion-focused operations. After briefly announcing a shutdown in late 2024, the group reemerged as "World Leaks" in January 2025, using a sophisticated cross-platform malware written in Rust that targets Windows, Linux, FreeBSD, SunOS, and ESXi systems.