
The cybersecurity landscape continues to evolve with increasing automation, as evidenced by a 16.7% year-over-year rise in global scanning activity, according to FortiGuard’s 2025 Global Threat Landscape Report [1]. Threat actors now execute approximately 36,000 scans per second, targeting exposed services such as RDP, SIP, and IoT protocols like Modbus TCP. This trend highlights the growing efficiency of reconnaissance campaigns and the expanding attack surface facing organizations.
Key Findings from the 2025 Threat Report
The Fortinet report, corroborated by GreyNoise Labs [2], reveals that Palo Alto Networks PAN-OS portals experienced concentrated probing from 24,000 unique IPs in March 2025. Many scans used identifiable JA4h hashes (e.g., po11nn11enus_967778c7bec7_...), suggesting tool reuse across campaigns. The U.S. bore the brunt of these activities, accounting for 61% of observed attacks, with manufacturing (17%) and business services (11%) as primary targets.
Scanning patterns indicate three strategic objectives: identification of vulnerable services for subsequent exploitation, credential harvesting for brute-force attacks, and infrastructure mapping for lateral movement. GreyNoise data specifically links 20,010 scanning IPs to 3xK Tech GmbH (ASN200373), with probes focusing on /global-protect/login endpoints [2].
Operational Impact and Defense Strategies
Organizations should prioritize logging review for scanning patterns, particularly:
- High-frequency connections to management interfaces (RDP, SSH, PAN-OS)
- Geographically anomalous source IPs (70% of cloud breaches originated from unfamiliar locations [3])
- Protocol-specific anomalies (SIP INVITE floods, Modbus TCP function code probes)
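A detection pass over these three review points, as an added example that is not code from the report or from any vendor cited here. It assumes a constructed pipe-delimited log format (timestamp|src_ip|src_country|dst_port|uri), a constructed blocklist standing in for a GreyNoise-style IP list, and a constructed set of countries from which management access is expected; the port-to-service map, the 5-hits-per-60-seconds threshold and the sample log lines are the example's own choices.

```python
"""Triage of firewall traffic logs for the scanning patterns listed above.

Added example, not code from the report or from any vendor. It assumes a
constructed pipe-delimited log format (timestamp|src_ip|src_country|dst_port|uri),
a constructed blocklist standing in for a GreyNoise-style IP list, and a
constructed set of countries from which management access is expected.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Services the report names as scanning targets, keyed by destination port
# (assumed mapping for this example).
MGMT_PORTS = {3389: "RDP", 22: "SSH", 443: "HTTPS management", 5060: "SIP", 502: "Modbus TCP"}
# GlobalProtect portal path that GreyNoise saw probed in March 2025.
GP_LOGIN_URI = "/global-protect/login"

# Constructed sample input: a burst against the GlobalProtect portal from an
# unexpected country, two routine RDP sessions, three SSH attempts from an
# unexpected country, and one unrelated web request.
SAMPLE_LOGS = """\
2025-03-17T10:00:00Z|198.51.100.7|DE|443|/global-protect/login
2025-03-17T10:00:01Z|198.51.100.7|DE|443|/global-protect/login
2025-03-17T10:00:02Z|198.51.100.7|DE|443|/global-protect/login
2025-03-17T10:00:03Z|198.51.100.7|DE|443|/global-protect/login
2025-03-17T10:00:04Z|198.51.100.7|DE|443|/global-protect/login
2025-03-17T10:00:05Z|198.51.100.7|DE|443|/global-protect/login
2025-03-17T10:05:00Z|203.0.113.9|US|3389|-
2025-03-17T11:30:00Z|203.0.113.9|US|3389|-
2025-03-17T12:00:00Z|192.0.2.33|BR|22|-
2025-03-17T12:00:20Z|192.0.2.33|BR|22|-
2025-03-17T12:00:40Z|192.0.2.33|BR|22|-
2025-03-17T12:10:00Z|203.0.113.50|US|80|/index.html
"""
# Constructed blocklist and expected-geography set (hypothetical values).
SAMPLE_BLOCKLIST = {"198.51.100.7", "203.0.113.200"}
EXPECTED_COUNTRIES = {"US"}


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, src, country, port, uri = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "country": country,
        "port": int(port),
        "uri": uri,
    }


def peak_events_in_window(timestamps, window):
    """Largest number of events inside any interval of length `window`.

    Two-pointer sweep over the sorted timestamps: `left` trails `right` so
    that ts[right] - ts[left] never exceeds the window.
    """
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def triage(log_text, blocklist, expected_countries, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: sorted reasons} for every source worth an analyst's look.

    Reasons map to the review points above: high_frequency (>= threshold hits
    on management ports inside `window`), geo_anomaly (management access from
    a country outside `expected_countries`), gp_probe (request for the
    GlobalProtect login path) and blocklist (source on the reference list).
    """
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            events_by_src[event["src"]].append(event)

    findings = {}
    for src, events in events_by_src.items():
        reasons = set()
        if src in blocklist:
            reasons.add("blocklist")
        mgmt_events = [e for e in events if e["port"] in MGMT_PORTS]
        if mgmt_events:
            if any(e["country"] not in expected_countries for e in mgmt_events):
                reasons.add("geo_anomaly")
            if peak_events_in_window([e["ts"] for e in mgmt_events], window) >= threshold:
                reasons.add("high_frequency")
        if any(e["uri"] == GP_LOGIN_URI for e in events):
            reasons.add("gp_probe")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_LOGS, SAMPLE_BLOCKLIST, EXPECTED_COUNTRIES).items():
        print(f"{src}: {', '.join(reasons)}")
```

On the sample data the GlobalProtect burst trips all four reasons, the Brazilian SSH source trips only the geography check, and the routine RDP and web traffic produce nothing. The threshold and window are the knobs to tune against a baseline of the environment's own management traffic; the sliding-window count is what keeps a slow, evenly spaced scan from hiding inside a per-hour total.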
Effective countermeasures include network segmentation, rate limiting for authentication services, and implementation of vendor-specific mitigations. For Palo Alto Networks devices, administrators should:
```
# Example PAN-OS CLI commands to monitor scanning
> show log system direction equal backward severity equal critical
> show log threat severity equal critical
> show log global-protect filter (eventid eq globalprotectd-login-fail)
```
Broader Threat Context
The scanning surge coincides with darknet market trends where Cybercrime-as-a-Service offerings now dominate, comprising 20% corporate credentials and 19% RDP access listings [1]. This ecosystem fuels credential-stuffing attacks leveraging 1.7 billion traded credentials – a 500% annual increase. KrebsOnSecurity [4] further reports whistleblower cases involving data exfiltration through short-lived accounts, emphasizing the need for enhanced access monitoring.
Emerging threats like SuperCard X malware demonstrate attacker innovation, enabling NFC relay fraud via Android devices [5]. Meanwhile, AI-powered tools lower the barrier for phishing campaigns, with deepfake audio attacks now targeting physical infrastructure like compromised crosswalks [6].
Actionable Recommendations
Security teams should adopt these measures:
| Priority | Action | Validation |
|---|---|---|
| Critical | Patch PAN-OS and monitor for /global-protect/login probes | GreyNoise IP blocklist cross-reference |
| High | Implement network-level rate limiting | SIEM alerts for scan patterns |
| Medium | Audit credential exposure via Have I Been Pwned | Dark web monitoring integration |
Continuous monitoring remains essential given the dynamic nature of scanning campaigns. Organizations should particularly scrutinize March-April 2025 logs for the referenced activity patterns.
Conclusion
The 16.7% increase in automated scanning represents both a quantitative escalation and qualitative shift in attacker methodologies. As reconnaissance becomes more industrialized, defensive strategies must evolve beyond signature-based detection to incorporate behavioral analysis and proactive threat hunting. The integration of scanning data with credential exposure intelligence will be critical for effective risk prioritization in the coming months.
References
1. “Fortinet Threat Report Reveals Record Surge in Automated Cyberattacks,” Fortinet, 2025.
2. “Surge in Palo Alto Networks Scanner Activity,” GreyNoise Labs, Mar. 2025.
3. “70% of Cloud Breaches Originate from Unfamiliar Geolocations,” Infosecurity Magazine, Apr. 2025.
4. “Whistleblower: DOGE Siphoned NLRB Case Data,” KrebsOnSecurity, Apr. 2025.
5. “SuperCard X Enables Contactless ATM Fraud,” Infosecurity Magazine, Apr. 2025.
6. “Crosswalks Hacked to Play Fake Audio of Tech CEOs,” Bitdefender, Mar. 2025.