TrollEye Security

Massive Brute Force Attack Targets Networking Devices Worldwide

Details of the Story

As reported by Bleeping Computer, a large-scale brute force attack leveraging nearly 2.8 million IP addresses is actively attempting to compromise the credentials of networking devices from major vendors, including Palo Alto Networks, Ivanti, and SonicWall. The ongoing cyber campaign, first detected last month, has rapidly escalated, raising concerns about network security worldwide.

According to The Shadowserver Foundation, a threat monitoring platform, this large-scale attack employs nearly 2.8 million unique IP addresses daily. The majority of these addresses originate from Brazil (1.1 million), followed by Turkey, Russia, Argentina, Morocco, and Mexico. However, the attack infrastructure spans a vast range of networks and geographical locations, suggesting the involvement of a widespread botnet or a network utilizing residential proxies.

The primary targets of these attacks are edge security devices, including firewalls, VPNs, and secure gateways—critical infrastructure that often remains exposed to the internet to enable remote access. Many of the compromised devices facilitating these brute force attempts include MikroTik, Huawei, Cisco, Boa, and ZTE routers, as well as various IoT devices, which are frequently co-opted into malware botnets.

The Role of Botnets and Residential Proxies

Shadowserver reports that the IP addresses involved in this attack are distributed across numerous networks and Autonomous Systems, reinforcing suspicions that a sophisticated botnet or an operation tied to residential proxy networks is at play. Residential proxies, which use legitimate consumer IP addresses from Internet Service Providers (ISPs), are frequently exploited in cybercrime, data scraping, bypassing geo-restrictions, and ad fraud. These proxies make malicious traffic appear as if it originates from legitimate home users, making detection and mitigation significantly more challenging.

Gateway devices, such as those being targeted, can be exploited as proxy exit nodes in these operations. This enables cybercriminals to route their traffic through enterprise networks, leveraging their credibility to bypass security measures while masking the true origins of attacks. These nodes are particularly valuable to attackers, as they blend in with legitimate network activity, making it harder for security teams to identify and block malicious traffic.

Mitigation Strategies

Organizations and individuals using edge security devices are urged to take immediate action to mitigate the risks posed by this brute force campaign. Recommended measures include:

  • Changing default administrative passwords to strong, unique credentials.

  • Enforcing multi-factor authentication (MFA) to prevent unauthorized access.

  • Implementing an allowlist of trusted IP addresses for remote administration.

  • Disabling web admin interfaces if they are not necessary.

  • Applying the latest firmware and security patches to eliminate known vulnerabilities.
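The campaign's distinguishing trait is that each source IP makes only a few attempts, so per-IP lockouts never trigger. The following added example (not from the article, Bleeping Computer or Shadowserver) shows the complementary check a defender can run over an edge device's authentication log: group failures by target account and flag accounts hit from many distinct sources, plus any login success from a source not seen among the failures. The log lines, regex and thresholds are constructed assumptions, not a specific vendor's format.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (syslog-like; not captured from a real device).
SAMPLE_LOG = """\
Feb 10 09:00:01 fw1 sshd: Failed password for admin from 203.0.113.10 port 51022
Feb 10 09:00:02 fw1 sshd: Failed password for admin from 203.0.113.11 port 51023
Feb 10 09:00:03 fw1 sshd: Failed password for admin from 198.51.100.7 port 40211
Feb 10 09:00:04 fw1 sshd: Failed password for admin from 198.51.100.8 port 40212
Feb 10 09:00:05 fw1 sshd: Failed password for admin from 192.0.2.44 port 33001
Feb 10 09:00:06 fw1 sshd: Failed password for admin from 192.0.2.45 port 33002
Feb 10 09:00:07 fw1 sshd: Accepted password for admin from 192.0.2.99 port 33003
Feb 10 09:00:08 fw1 sshd: Failed password for alice from 10.0.0.5 port 50000
Feb 10 09:00:09 fw1 sshd: Failed password for alice from 10.0.0.5 port 50001
"""

# Assumed line format; adapt the pattern to the device's actual log syntax.
LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def analyze(log_text, min_failures=5, min_distinct_ratio=0.8):
    """Per-account findings for distributed (many-source) password guessing.
    The signal is distinct source IPs relative to total failures, which a
    per-IP lockout misses when every source tries only once or twice."""
    failures = defaultdict(list)   # user -> source IPs that failed
    successes = defaultdict(set)   # user -> source IPs that logged in
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["user"]].append(m["ip"])
        else:
            successes[m["user"]].add(m["ip"])

    findings = {}
    for user, ips in failures.items():
        distinct = set(ips)
        if len(ips) >= min_failures and len(distinct) / len(ips) >= min_distinct_ratio:
            findings[user] = {
                "failures": len(ips),
                "distinct_sources": len(distinct),
                # A success from an IP absent from the failures deserves a look.
                "success_from_new_ip": sorted(successes[user] - distinct),
            }
    return findings
```

On the sample above only `admin` is flagged: six failures from six sources, then a success from a seventh IP; `alice` is two failures from one host and stays below both thresholds.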

This latest brute force campaign is part of a broader trend of credential-based cyberattacks targeting networking infrastructure.

Last April, Cisco reported a large-scale credential brute-forcing campaign against devices from Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti. Similarly, in December, Citrix issued warnings about password spraying attacks aimed at Citrix NetScaler devices.

With the frequency and scale of these attacks increasing, organizations must strengthen authentication mechanisms, regularly update software, and monitor for unauthorized access to mitigate the growing threat of brute force attacks.
