![Binary code forming a skull and crossbones on a digital screen. The image has a glitchy, colorful effect, conveying a sense of threat.](https://static.wixstatic.com/media/6f60ff_1a751d2e8ced449389648d5ea9ea0be7~mv2.jpg/v1/fill/w_980,h_613,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/6f60ff_1a751d2e8ced449389648d5ea9ea0be7~mv2.jpg)
A massive brute force password attack is currently underway, leveraging nearly 2.8 million IP addresses daily to target networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall. This attack, which began last month, has rapidly increased in scale, raising concerns about the security of edge networking devices like firewalls, VPNs, and security gateways.
The Scope of the Attack
According to The Shadowserver Foundation, the attack involves a vast network of compromised devices systematically guessing login credentials. The largest share of attacking IPs, 1.1 million, originates from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico, though the attack spans a wide range of countries.
The devices conducting these brute force attempts largely consist of MikroTik, Huawei, Cisco, Boa, and ZTE routers and IoT devices, which are commonly hijacked by malware-driven botnets. These botnets, in turn, enable large-scale, automated credential-stuffing attacks.
“These devices are designed to be internet-facing; however, they are often poorly configured, running outdated firmware, and use weak forms of authentication. Botnet-driven attacks exploit these weaknesses, increasing the risk of network compromise,” said Jason Soroko, Senior Fellow at Sectigo, a provider of comprehensive certificate lifecycle management (CLM).
The Risk to Organizations
The attack underscores the vulnerability of credentials, even in security-focused organizations. Because brute force attacks are automated, login attempts can be sustained indefinitely, and it becomes only a matter of time before credentials are compromised.
“This attack highlights the vulnerability of credentials, even at security and infrastructure organizations,” said Kris Bondi, CEO and Co-Founder of Mimoto, an end-to-end recognition company.
“Brute force attacks are automated, so they're implemented at scale. It's not a question of if they can get in with this approach; the question is how many times will the organization be penetrated this way and will the security team know when it happens.”
Complicating matters, residential proxy networks are being leveraged in the attack, making it harder to identify malicious activity. These proxies, assigned to consumer internet users by ISPs, allow attackers to disguise their origins, making them appear as legitimate home users rather than hackers.
Security Implications
This attack could allow adversaries to:

- Gain unauthorized access to corporate networks
- Hijack security appliances and use them as proxy exit nodes
- Launch further attacks from compromised enterprise infrastructure
- Create large-scale disruptions by breaching critical security devices
“Because of the swarm effect these attacks cause, they are both more likely to chip away at the protective perimeter and cause a distraction when more sophisticated malicious activities may occur,” Bondi added.
How Organizations Can Defend Against Brute Force Attacks
To mitigate the risk of brute force attacks, security teams should take the following measures:

- Change default passwords to strong, unique credentials
- Enforce Multi-Factor Authentication (MFA) to prevent unauthorized logins
- Restrict remote access through IP allowlists
- Disable unnecessary web admin interfaces to reduce the attack surface
- Apply firmware updates and security patches to eliminate known vulnerabilities
- Segment networks to limit lateral movement if a breach occurs
“The network equipment industry should consider ways to make it easier for their customers to implement modern forms of authentication. More advanced organizations should consider limiting remote access through IP restrictions, maintaining a strict patching schedule, and implementing network segmentation,” Soroko advised.
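The measures above are preventive; knowing when the attempts are happening is harder when, as described earlier, they arrive from millions of residential-proxy addresses and each source tries only once or twice. This added example (not from the article or any vendor it cites) shows a small log-based detector that flags both a single noisy source and a distributed spray against one account; the log format, thresholds, and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical syslog-like format, documentation-range IPs).
SAMPLE_LOG = """\
2025-02-10T12:00:01Z auth-fail user=admin src=203.0.113.5
2025-02-10T12:00:03Z auth-fail user=admin src=203.0.113.5
2025-02-10T12:00:04Z auth-fail user=admin src=203.0.113.5
2025-02-10T12:00:06Z auth-fail user=admin src=203.0.113.5
2025-02-10T12:00:09Z auth-fail user=admin src=203.0.113.5
2025-02-10T12:01:00Z auth-fail user=vpnadmin src=198.51.100.1
2025-02-10T12:03:30Z auth-fail user=vpnadmin src=198.51.100.2
2025-02-10T12:05:10Z auth-fail user=vpnadmin src=198.51.100.3
2025-02-10T12:07:00Z auth-ok user=jsmith src=192.0.2.10
2025-02-10T12:40:00Z auth-fail user=jsmith src=192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+) auth-(fail|ok) user=(\S+) src=(\S+)$")

def parse(lines):
    """Return (timestamp, failed, user, src_ip) tuples for each well-formed line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2) == "fail", m.group(3), m.group(4)))
    return events

def detect(events, window=timedelta(minutes=10), per_ip=5, distinct_ips=3):
    """Return (noisy_ips, sprayed_users). A noisy IP has >= per_ip failures in some
    window (classic brute force); a sprayed user has failures from >= distinct_ips
    sources in some window, the distributed pattern a per-source threshold misses."""
    fails = sorted(e for e in events if e[1])
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, _, user, ip in fails:
        by_ip[ip].append(ts)
        by_user[user].append((ts, ip))
    noisy = {ip for ip, st in by_ip.items()
             if any(sum(1 for s in st[i:] if s - t <= window) >= per_ip
                    for i, t in enumerate(st))}
    sprayed = {u for u, items in by_user.items()
               if any(len({ip for s, ip in items[i:] if s - t <= window}) >= distinct_ips
                      for i, (t, _) in enumerate(items))}
    return noisy, sprayed

def run_sample():
    return detect(parse(SAMPLE_LOG.splitlines()))
```

On the sample, `run_sample()` flags 203.0.113.5 as a noisy source and `vpnadmin` as a sprayed account, even though none of the three proxy addresses hitting `vpnadmin` comes near the per-IP threshold.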
Growing Trend of Credential-Based Attacks
This attack follows similar large-scale brute force campaigns in recent months. Last April, Cisco warned of credential-stuffing attacks targeting devices from Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti. In December, Citrix warned of password spray attacks against Citrix NetScaler devices.
With attacks increasing in frequency and sophistication, organizations must move beyond traditional security measures and implement dynamic, real-time detection and response solutions to keep up with evolving threats.