A large-scale brute-force attack is targeting edge security devices from vendors such as Palo Alto Networks, Ivanti, and SonicWall. The Shadowserver Foundation, a nonprofit security organization, reported that the attack uses nearly 2.8 million compromised devices daily to attempt to breach accounts. The attacking IP addresses are spread across numerous networks and Autonomous Systems, which points to a botnet or residential proxy networks rather than a single hosting source.
Cybercriminals are automating the use of compromised consumer accounts and devices to conduct this extensive attack. Of the 2.8 million IP addresses, 1.1 million are located in the United States, with significant numbers also originating from Turkey, Russia, Argentina, Morocco, and Mexico. The devices conducting the attacks include Huawei, Cisco, Boa, and ZTE routers and IoT devices, which are commonly compromised by large malware botnets.
Brute-force attack on edge devices
The targeted edge security devices, such as firewalls, VPNs, and gateways, are often exposed to the internet to facilitate remote access. If compromised, these devices could be exploited as proxy exit nodes, routing malicious traffic through an organization’s network.
To protect against brute-force attacks, experts recommend changing default admin passwords, enforcing multi-factor authentication, restricting management access to an allowlist of trusted IPs, disabling unnecessary web admin interfaces, and regularly applying security updates. The US Cybersecurity and Infrastructure Security Agency (CISA) is monitoring the attack and coordinating with cybersecurity partners to assess the threat. The agency is prepared to notify at-risk entities and provide guidance if necessary.
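Because the attempts arrive from millions of unrelated addresses, a per-IP failure threshold on the device will rarely trip; what stands out is many distinct sources failing against the same account inside a short window. The following detection is an added example written for this article, not code from Shadowserver, CISA, or any vendor named above; it runs over a constructed log format (timestamp, outcome, account, source IP) and uses an assumed window of 10 minutes and an assumed threshold of 4 distinct sources.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any vendor's real syslog format):
#   <ISO-8601 timestamp> auth-fail user=<account> src=<ipv4>
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) src=(?P<ip>[\d.]+)$")

# Constructed sample: "admin" is hit once each from five unrelated addresses,
# "bob" fails twice from his own address and then succeeds.
SAMPLE_LOG = """\
2025-02-10T08:00:01 auth-fail user=admin src=198.51.100.7
2025-02-10T08:00:45 auth-fail user=bob src=192.0.2.14
2025-02-10T08:01:10 auth-fail user=admin src=203.0.113.22
2025-02-10T08:01:30 auth-fail user=bob src=192.0.2.14
2025-02-10T08:02:05 auth-fail user=admin src=198.51.100.93
2025-02-10T08:03:40 auth-fail user=admin src=203.0.113.5
2025-02-10T08:05:12 auth-ok user=bob src=192.0.2.14
2025-02-10T08:07:58 auth-fail user=admin src=198.51.100.41
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, account, source_ip) for every failed-login line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def find_distributed_bruteforce(lines, window=timedelta(minutes=10), min_sources=4):
    """Flag accounts that collected failures from >= min_sources distinct IPs within
    one sliding window. Returns {account: (distinct_ips_in_worst_window,
    max_failures_from_any_single_ip)}; a low second value shows why a per-IP
    lockout threshold would never have fired for this account."""
    per_user = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        per_user[user].append((ts, ip))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        worst, start = 0, 0
        for end in range(len(events)):
            # advance the window's left edge until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            worst = max(worst, len({ip for _, ip in events[start:end + 1]}))
        if worst >= min_sources:
            flagged[user] = (worst, max(Counter(ip for _, ip in events).values()))
    return flagged

if __name__ == "__main__":
    for user, (ips, per_ip) in find_distributed_bruteforce(SAMPLE_LOG).items():
        print(f"{user}: {ips} distinct sources, at most {per_ip} failure(s) per source")
```

On the sample, only "admin" is flagged (5 sources, 1 failure each), while "bob" is not, which is the distinction a per-IP counter cannot make.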
This attack follows similar campaigns in recent months, including a large-scale credential brute-forcing campaign last April that targeted Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti devices worldwide, and a warning issued by Citrix in December about potential threats to its devices.