Why is someone mass-scanning Juniper and Palo Alto Networks products?

Espionage? Botnets? Trying to exploit a zero-day?

Updated: Someone or something is probing devices made by Juniper Networks and Palo Alto Networks, and researchers think it could be evidence of espionage attempts, attempts to build a botnet, or an effort to exploit zero-day vulnerabilities.

On Wednesday, SANS Institute's Johannes Ullrich said he noticed a surge in scans for the username "t128," which, when accompanied by the password "128tRoutes," is a well-known default account for Juniper's Session Smart Networking products.

"About 3,000 source IPs took part in these scans," reported Ullrich, the dean of research at the infosec education and training outfit.

"Many of the sources taking part in the scan are well known for scanning [the Secure Shell protocol] SSH and are likely part of some 'Mirai Type' botnet," he added, noting that the uptick in scans occurred between March 23 and 28.

Juniper’s Session Smart Routers (SSRs) are part of its software-defined WAN portfolio. The Gin Palace acquired them in 2020 along with networking firm 128 Technologies. We’re told the IT giant hasn’t changed the product much, which means the default usernames and passwords are also unchanged, and that makes life especially easy for criminals attempting to compromise poorly configured routers and then launch further attacks from the hijacked devices.

The Register asked Juniper for comment and hasn’t received a response. We will update this story if Juniper offers substantial info.

In the meantime we wholeheartedly second Ullrich's advice to ensure you're not using the default password for the root or t128 account, although we note that some users report difficulties when trying to create new credentials.
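As an added illustration, not from the article, SANS or Juniper, here is a small Python detector that runs over constructed sshd log lines and surfaces what Ullrich's scans would look like from the defender's side: attempts against the t128 and root accounts, the number of distinct source IPs hitting each (the distributed "Mirai type" pattern), and any accepted login to such an account, which is the event worth investigating. The log format, hostnames and addresses are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not real data); syslog omits the year, assumed 2025 here.
SAMPLE_LOG = """\
Mar 24 02:11:05 ssr1 sshd[4123]: Failed password for t128 from 203.0.113.10 port 51234 ssh2
Mar 24 02:11:07 ssr1 sshd[4125]: Failed password for t128 from 203.0.113.11 port 51240 ssh2
Mar 24 02:11:09 ssr1 sshd[4127]: Invalid user t128 from 198.51.100.7 port 40022
Mar 24 02:12:30 ssr1 sshd[4130]: Accepted password for t128 from 203.0.113.12 port 51300 ssh2
Mar 24 02:13:00 ssr1 sshd[4131]: Failed password for root from 203.0.113.13 port 51310 ssh2
Mar 24 02:13:02 ssr1 sshd[4132]: Accepted publickey for alice from 192.0.2.5 port 53000 ssh2
"""

# Accounts the article says ship with a default password on Session Smart routers.
DEFAULT_ACCOUNTS = {"t128", "root"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey|Invalid user) "
    r"(?:for )?(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_auth_events(log_text, year=2025):
    """Turn sshd log lines into dicts; lines that are not auth events are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]})
    return events

def default_account_activity(events, min_sources=3):
    """Summarise attempts against default accounts. An account is flagged as the target
    of a distributed scan when at least min_sources distinct IPs hit it, and any accepted
    login to such an account is listed so it can be investigated."""
    by_user = defaultdict(lambda: {"attempts": 0, "ips": set(), "successes": []})
    for e in (e for e in events if e["user"] in DEFAULT_ACCOUNTS):
        rec = by_user[e["user"]]
        rec["attempts"] += 1
        rec["ips"].add(e["ip"])
        if e["event"].startswith("Accepted"):
            rec["successes"].append((e["ip"], e["ts"].isoformat()))
    return {
        user: {"attempts": r["attempts"], "distinct_sources": len(r["ips"]),
               "distributed": len(r["ips"]) >= min_sources, "successful_logins": r["successes"]}
        for user, r in by_user.items()
    }
```

On a real device, feed it the authentication log and treat any entry in `successful_logins` for a default account as a sign the default password is still set and has been used.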

Internet scanning security firm GreyNoise has also spotted mass probing, in this case directed at the login portals of Palo Alto Networks’s PAN-OS GlobalProtect remote access products. GreyNoise thinks anonymous scanners are searching for exposed or vulnerable products, and noted almost 24,000 unique IP addresses attempting to log in over the past 30 days.

The spike began on March 17, and eventually saw logon attempts from almost 20,000 unique IPs per day before tapering off on March 26. The security shop classifies most of the activity (23,800 IPs) as suspicious, but labelled 154 of the IP addresses from which probes were launched as malicious.

According to company execs, these scans may indicate the existence of undisclosed bugs.

"Over the past 18 to 24 months, we've observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies," wrote Bob Rudis, VP of data science at GreyNoise. "These patterns often coincide with new vulnerabilities emerging two to four weeks later."

A Palo Alto Networks spokesperson told The Register that customer security "is always our top priority."

"Palo Alto Networks is aware of a recent blog posted by GreyNoise regarding scanning activity targeting PAN-OS GlobalProtect portals," the spokesperson wrote in an emailed statement. "Our teams are actively monitoring this situation and analyzing the reported activity to determine its potential impact and identify if mitigations are necessary. We encourage all customers to follow best practice of running the latest versions of PAN-OS."

According to GreyNoise, this surge in scans resembles a 2024 espionage campaign that targeted perimeter network devices. At the time, Cisco’s Talos infosec team attributed the incident to Chinese state-sponsored snoops. ®

Updated to add on April 3, 2025

A spokesperson for Juniper has been in touch to say they are on the case:

Juniper Networks is investigating reports about an increase in scans targeting Juniper’s Session Smart Platform. We take these issues seriously and as appropriate, we will work closely with our customers to protect and defend their networks.

For our Juniper Session Smart Platform customers, we urge them to follow industry best practices and verify they have changed any default passwords as recommended in the system documentation and a Juniper Security Advisory issued December 2024.

Updated to add on April 11, 2025

After analyzing the scanning activity, Palo Alto Networks has determined that someone is trying to break into its customers' remote access gear. In an updated statement sent to The Register, a spokesperson confirmed GreyNoise's earlier report of mass probing targeting PAN-OS GlobalProtect portals, but noted that this activity doesn't mean there's a zero-day.

"Our teams are observing evidence of activity consistent with password-related attacks, such as brute force login attempts, which does not indicate exploitation of a vulnerability," the Palo Alto Networks spokesperson said. "We continue to actively monitor this situation and analyze the reported activity to determine its potential impact and identify if mitigations are necessary."
