Massive Brute Force Attack Targets VPN Devices with 2.8 Million IPs
![Massive Brute Force Attack Targets VPN Devices with 2.8 Million IPs](https://vpncentral.com/wp-content/uploads/2025/02/Massive-Brute-Force-Attack-Targets-VPN-Devices-with-2.8-Million-IPs-700x467.png)
A coordinated brute-force campaign is underway, using as many as 2.8 million source IP addresses per day to guess web login credentials on VPN gateways and other network edge devices. Devices from Palo Alto Networks, Ivanti, and SonicWall are among the targets.
> Large increase in web login brute forcing attacks against edge devices seen last few weeks in our honeypots, with up to 2.8M IPs per day seen with attempts (especially Palo Alto Networks, Ivanti, SonicWall etc). Over 1M from Brazil. Source IPs shared in https://t.co/kapIq2pIBI pic.twitter.com/LMhFEvAEEL
>
> — The Shadowserver Foundation (@Shadowserver) February 7, 2025
Attack Overview
The attack began last month and has escalated sharply since, according to the threat monitoring platform The Shadowserver Foundation. Over 1.1 million of the attacking IPs are located in Brazil, with Turkey, Russia, Argentina, Morocco, and Mexico also contributing large numbers. A spread this wide across consumer address space points to a botnet or a residential proxy network rather than a handful of attacker-controlled servers.
The attacking addresses belong mostly to MikroTik, Huawei, Cisco, and ZTE routers and to devices running the Boa embedded web server, which indicates they were compromised by malware beforehand and are now being used as relays. The campaign is especially concerning because its targets are edge security devices, firewalls and VPN gateways, that sit on the network boundary: a valid administrator or VPN credential for one of them grants remote access to the network behind it.
Implications and Mitigation
The attackers try to log in by guessing credentials at scale, so the attack succeeds only where passwords are weak, reused, or still set to a default. Organizations should set strong, unique passwords on every edge device, enable multi-factor authentication (MFA) on both VPN and administrative logins, and apply the vendor's latest security updates.
Residential proxies, often used in attacks like this one, route malicious traffic through IP addresses assigned to ordinary home internet connections. To the target, each attempt arrives from a different, seemingly legitimate address, so per-IP rate limits and IP reputation blocklists catch very little of it; detection has to look at aggregate failures per account, per login portal, or per time window instead. This is also why the device itself must be hardened: blocking sources alone is not enough.
Organizations should also restrict management interfaces to an IP allowlist (for example, the addresses of an internal management network or a jump host), disable web administration on internet-facing interfaces where it is not required, and, where the VPN login portal itself must stay public, limit login attempts and alert on failures. Combined with regular configuration audits, these steps substantially reduce the exposure to this kind of intrusion.
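Detection logic for the situation described in the two paragraphs above, as an added example that is not code from the article, from Shadowserver, or from any device vendor: a per-IP failure threshold is blind to a campaign spread across millions of proxied addresses, while aggregating failures per account over a time window still flags it, and an allowlist check shows which connections a management interface restricted to the allowlist would have refused outright. The log format, the sample lines (using RFC 5737 documentation addresses) and the 10.0.0.0/8 allowlist are all constructed for this example.

```python
"""Spot a distributed web-login brute force that per-IP thresholds miss.

Added example for this article; not Shadowserver's code or any vendor's
tooling. The log format, the sample lines (RFC 5737 test addresses) and the
management allowlist are all constructed here.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format per line:
#   <ISO-8601 timestamp> auth <OK|FAIL> user=<name> src=<ip> portal=<name>
# Ten failures against "admin" from ten different sources in 32 seconds,
# two failures from one source against "jdoe", one success from the
# internal management range, and one malformed line.
SAMPLE_LOG = """\
2025-02-07T10:00:01Z auth FAIL user=admin src=192.0.2.10 portal=vpn
2025-02-07T10:00:03Z auth FAIL user=admin src=192.0.2.11 portal=vpn
2025-02-07T10:00:05Z auth FAIL user=admin src=198.51.100.20 portal=vpn
2025-02-07T10:00:08Z auth FAIL user=admin src=198.51.100.21 portal=vpn
2025-02-07T10:00:12Z auth FAIL user=admin src=203.0.113.30 portal=vpn
2025-02-07T10:00:15Z auth FAIL user=admin src=203.0.113.31 portal=vpn
2025-02-07T10:00:20Z auth FAIL user=admin src=192.0.2.12 portal=vpn
2025-02-07T10:00:24Z auth FAIL user=admin src=198.51.100.22 portal=vpn
2025-02-07T10:00:29Z auth FAIL user=admin src=203.0.113.32 portal=vpn
2025-02-07T10:00:33Z auth FAIL user=admin src=192.0.2.13 portal=vpn
2025-02-07T10:00:40Z auth FAIL user=jdoe src=192.0.2.13 portal=vpn
2025-02-07T10:00:41Z auth FAIL user=jdoe src=192.0.2.13 portal=vpn
2025-02-07T10:01:00Z auth OK user=jdoe src=10.20.30.40 portal=vpn
garbage line that does not match the format and must be skipped
"""

# Constructed allowlist: the only range from which management logins are expected.
MGMT_ALLOWLIST = ["10.0.0.0/8"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) portal=(?P<portal>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def per_ip_alerts(events, threshold=5):
    """Classic detector: any single source with >= threshold failures.
    Each proxied source tries only a few times, so this stays empty."""
    fails = Counter(e["src"] for e in events if e["result"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def distributed_alerts(events, window=timedelta(minutes=5),
                       min_failures=10, min_sources=5):
    """Aggregate detector: an account with many failures from many distinct
    sources inside a sliding time window. Returns {user: distinct sources}."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            sources = {e["src"] for e in span}
            if len(span) >= min_failures and len(sources) >= min_sources:
                alerts[user] = max(alerts.get(user, 0), len(sources))
    return alerts


def sources_outside_allowlist(events, allowlist):
    """Sources that reached the login portal from outside the allowlist;
    a management interface bound to the allowlist would have dropped them."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    outside = {e["src"] for e in events
               if not any(ipaddress.ip_address(e["src"]) in n for n in nets)}
    return sorted(outside, key=ipaddress.ip_address)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_alerts(evs))
    print("distributed alerts:", distributed_alerts(evs))
    print("outside allowlist:", sources_outside_allowlist(evs, MGMT_ALLOWLIST))
```

Run against the constructed sample, the per-IP detector reports nothing, the aggregate detector flags the `admin` account with ten distinct sources in one window, and all ten attacking addresses fall outside the management allowlist. The thresholds are deliberately low for the short sample; on a real portal they would be tuned to the normal failure rate per account.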
The scale and persistence of this campaign underline why exposed login interfaces need proactive defense, not just reactive blocking. How do you ensure your network devices are protected against such threats? Share your thoughts in the comments.