2.8 Million IPs Power Large-Scale Attack on VPN and Security Devices
VPN and Security Devices Hacked

A large-scale brute force password attack using almost 2.8 million IP addresses is currently underway, targeting a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall. This sophisticated attack has been ongoing since last month, with cybercriminals attempting to compromise critical security infrastructure.
Understanding Brute Force Attacks
A brute force attack is a method used by threat actors to gain unauthorized access to accounts or devices by systematically trying multiple username and password combinations until the correct one is found. Once attackers successfully authenticate, they can hijack the targeted device or gain entry into a broader network, potentially compromising sensitive data and operational integrity.
According to the cybersecurity monitoring organization, The Shadowserver Foundation, this particular attack campaign leverages nearly 2.8 million different IP addresses daily, making it one of the most aggressive credential-stuffing attempts seen in recent times.
Geographic Distribution of Attack Sources
Shadowserver reports that the majority of attacking IP addresses originate from Brazil (1.1 million), followed by Turkey, Russia, Argentina, Morocco, and Mexico. However, the campaign involves a vast number of countries, indicating a widespread and coordinated cybercriminal operation.
These attacks are primarily targeting edge security devices such as firewalls, VPNs, gateways, and other network security appliances. These devices are typically exposed to the internet to facilitate remote access, making them attractive targets for cybercriminals looking to exploit weaknesses.
Devices Involved in the Attack
The compromised devices being used to launch these attacks include a mix of MikroTik, Huawei, Cisco, Boa, and ZTE routers, as well as various IoT devices. These devices are commonly compromised by large malware botnets, which enable cybercriminals to conduct massive automated attacks with minimal direct intervention.
The Shadowserver Foundation confirmed that the activity has been increasing in scale, posing a significant risk to organizations and individuals worldwide.
The Role of Botnets and Residential Proxy Networks
Shadowserver’s analysis suggests that the attacking IP addresses are spread across multiple networks and Autonomous Systems, indicating that the operation is likely being orchestrated through a botnet or a residential proxy network.
Residential proxies are particularly valuable in cybercrime because they route malicious traffic through legitimate internet users’ connections. Since these proxies use IP addresses assigned to consumer internet customers by Internet Service Providers (ISPs), they help cybercriminals mask their true identities. Such proxy networks are often used for cybercrime, data scraping, geo-restriction bypassing, ad verification fraud, sneaker and ticket scalping, and more.
The impact of these residential proxies is profound, as they allow attackers to appear as regular home users rather than automated bots or hackers. This makes detecting and mitigating the attacks significantly more challenging for security professionals.
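One consequence of the distribution described above is that a detection rule keyed on the source IP address never fires: each of the 2.8 million addresses may try only a handful of passwords. The following is an added example, not code from the article or from Shadowserver, showing how a defender can instead aggregate failed logins by target (device and account) and alert when one account draws many failures from many distinct sources inside a short window. The log format, host name, account names, thresholds and sample lines are all constructed for the example; real appliances log in vendor-specific formats and only the regular expression would change.

```python
"""Flag distributed password guessing against an edge device from its auth log.

Added example; not code from the article or from Shadowserver. A per-source-IP
threshold never fires when a campaign spreads attempts over millions of
addresses, so this groups failures by target (device, account) and alerts when
a window shows many failures from many distinct sources.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up generic format (hypothetical; real
# appliances use vendor-specific formats). Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2025-02-08T10:00:01Z fw-edge-01 auth: FAILED user=admin src=203.0.113.10 proto=sslvpn
2025-02-08T10:00:19Z fw-edge-01 auth: FAILED user=admin src=198.51.100.7 proto=sslvpn
2025-02-08T10:00:44Z fw-edge-01 auth: FAILED user=admin src=192.0.2.55 proto=sslvpn
2025-02-08T10:01:02Z fw-edge-01 auth: FAILED user=admin src=203.0.113.88 proto=sslvpn
2025-02-08T10:01:30Z fw-edge-01 auth: FAILED user=admin src=198.51.100.201 proto=sslvpn
2025-02-08T10:01:57Z fw-edge-01 auth: FAILED user=admin src=192.0.2.9 proto=sslvpn
2025-02-08T10:02:15Z fw-edge-01 auth: FAILED user=admin src=203.0.113.142 proto=sslvpn
2025-02-08T10:02:40Z fw-edge-01 auth: FAILED user=admin src=198.51.100.33 proto=sslvpn
2025-02-08T10:05:10Z fw-edge-01 auth: FAILED user=jdoe src=192.0.2.120 proto=sslvpn
2025-02-08T10:05:25Z fw-edge-01 auth: FAILED user=jdoe src=192.0.2.120 proto=sslvpn
2025-02-08T10:05:40Z fw-edge-01 auth: OK user=jdoe src=192.0.2.120 proto=sslvpn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_line(line: str):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_distributed_bruteforce(lines, window=timedelta(minutes=5),
                                min_failures=5, min_sources=3):
    """One alert per (host, user) whose densest time window holds at least
    min_failures failed logins from at least min_sources distinct source IPs."""
    failures = defaultdict(list)  # (host, user) -> [(timestamp, src_ip), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAILED":
            failures[(ev["host"], ev["user"])].append((ev["ts"], ev["src"]))

    alerts = []
    for (host, user), events in failures.items():
        events.sort()
        best = None
        end = 0
        for start in range(len(events)):  # sliding window over sorted timestamps
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            span = events[start:end]
            sources = {src for _, src in span}
            if len(span) >= min_failures and len(sources) >= min_sources:
                if best is None or len(span) > best["failures"]:
                    best = {"host": host, "user": user,
                            "failures": len(span), "distinct_sources": len(sources),
                            "first": span[0][0].isoformat(),
                            "last": span[-1][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


def max_failures_per_source(lines) -> int:
    """What a naive per-IP rule would see: failures from the busiest single source."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAILED":
            counts[ev["src"]] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    print("busiest single source IP:", max_failures_per_source(log_lines), "failures")
    for alert in find_distributed_bruteforce(log_lines):
        print("ALERT", alert)
```

On the sample, no single source exceeds two failures (the legitimate user mistyping a password), so a per-IP lockout rule stays silent, while the per-account view shows eight failures against `admin` from eight different addresses in under three minutes. The same aggregation extends naturally to a fleet: key on the account alone, or on the password being tried if the device logs it hashed, to spot one campaign sweeping many devices.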
Impact on Organizations and Enterprises
The targeted security devices serve as critical infrastructure for businesses, government agencies, and service providers. Gateway devices, such as those under attack, could be leveraged as proxy exit nodes, allowing attackers to route malicious traffic through an organization’s enterprise network. These nodes are highly valued by attackers since enterprise networks typically have strong reputations, making them less likely to be flagged for malicious activity.
A successful breach could result in:
- Unauthorized access to internal networks.
- Data theft and exfiltration.
- Deployment of ransomware or other malware.
- Disruption of business operations.
- Compromise of customer and employee credentials.
Protective Measures Against Brute Force Attacks
Given the severity of the ongoing attack, organizations must take immediate action to secure their network infrastructure. Security professionals recommend the following steps:
Change Default Credentials: Devices should never operate with factory-default administrator passwords. Instead, organizations should enforce strong, unique passwords.
Implement Multi-Factor Authentication (MFA): Enabling MFA significantly reduces the risk of unauthorized access, even if login credentials are compromised.
Restrict Access: Use an allowlist of trusted IPs to limit login attempts to known and authorized locations.
Disable Unnecessary Web Admin Interfaces: If remote access to administrative interfaces is not needed, it should be disabled to reduce exposure to potential attacks.
Regularly Update Firmware and Security Patches: Keeping devices up to date with the latest security patches helps mitigate known vulnerabilities that attackers may exploit.
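To make the recommendations above concrete, here is an added example (not code from the article, and not any vendor's firmware or API) that models the login decision of a management interface with four of the listed controls: rejection of factory-default or short passwords at account creation, an allowlist of trusted source networks, a second factor, and lockout after repeated failures, with a switch that disables the interface outright. The second factor is a stand-in: it implements RFC 4226 HOTP so the check is real and testable, where an actual device would use TOTP, push or hardware tokens. The default-credential list, account names, networks and thresholds are all constructed for the example.

```python
"""Admin-login gate modelling the hardening steps for an edge device.

Added example; not code from the article or from any vendor's firmware.
Controls modelled: no factory-default or short passwords at account creation,
source-IP allowlist for the management interface, a second factor (RFC 4226
HOTP as a stand-in for the device's own TOTP/push), and per-account lockout.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

# Constructed placeholder set of factory defaults; real lists are vendor-specific.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_PASSWORD_LEN = 14


def hash_password(salt: bytes, password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation (stand-in for the device's MFA)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    mfa_secret: bytes
    mfa_counter: int = 0
    failures: int = 0
    locked: bool = False


def create_account(username: str, password: str, mfa_secret: bytes) -> AdminAccount:
    """Refuse factory-default or short passwords before the account exists."""
    if (username, password) in FACTORY_DEFAULTS:
        raise ValueError("factory-default credential rejected")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LEN)
    salt = os.urandom(16)
    return AdminAccount(username, salt, hash_password(salt, password), mfa_secret)


class AdminInterface:
    """Decision logic for one management interface (hypothetical, not a vendor API)."""

    def __init__(self, allowlist, remote_admin_enabled=True, max_failures=5):
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.remote_admin_enabled = remote_admin_enabled
        self.max_failures = max_failures

    def _fail(self, account: AdminAccount, reason: str):
        account.failures += 1
        if account.failures >= self.max_failures:
            account.locked = True
        return False, reason

    def login(self, account: AdminAccount, src_ip: str, password: str, mfa_code: str):
        """Return (allowed, reason). Network checks run before any credential check,
        so unlisted sources never get to exercise the password verifier."""
        if not self.remote_admin_enabled:
            return False, "remote administration disabled"
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.allowlist):
            return False, "source not allowlisted"
        if account.locked:
            return False, "account locked"
        if not hmac.compare_digest(hash_password(account.salt, password), account.pw_hash):
            return self._fail(account, "bad password")
        expected = hotp(account.mfa_secret, account.mfa_counter)
        if not hmac.compare_digest(expected, mfa_code):
            return self._fail(account, "mfa failed")
        account.mfa_counter += 1  # HOTP codes are single-use
        account.failures = 0
        return True, "ok"


if __name__ == "__main__":
    # Constructed demo values: RFC 4226 test secret, documentation-range networks.
    acct = create_account("netadmin", "correct horse battery staple!", b"12345678901234567890")
    iface = AdminInterface(["192.0.2.0/24"])
    print(iface.login(acct, "203.0.113.5", "correct horse battery staple!", hotp(acct.mfa_secret, 0)))
    print(iface.login(acct, "192.0.2.10", "correct horse battery staple!", hotp(acct.mfa_secret, 0)))
```

Ordering is the design point: the allowlist and the enable switch are evaluated before any password hashing, so a guessing campaign from unlisted addresses costs the device nothing and produces no lockouts, while lockout still protects listed sources whose machines might themselves be compromised.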
History of Large-Scale Brute Force Campaigns
This latest campaign is not an isolated incident. Similar large-scale credential brute-forcing attempts have been reported in recent years, highlighting the persistent nature of this attack vector.
April 2023: Cisco warned about a widespread brute force campaign targeting devices from Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti.
December 2023: Citrix issued an alert regarding password spray attacks targeting Citrix NetScaler devices worldwide.
These recurring attacks demonstrate that cybercriminals continue to exploit weak authentication mechanisms and outdated security practices. Organizations must remain vigilant and proactively strengthen their cybersecurity defenses.
Conclusion
The current brute force attack campaign leveraging 2.8 million IPs underscores the evolving sophistication and scale of cyber threats. With the increasing use of botnets and residential proxy networks, detecting and mitigating these attacks has become more challenging than ever. Organizations must adopt robust security measures, including password best practices, MFA enforcement, access controls, and continuous monitoring, to protect their critical network infrastructure. Failure to act could result in severe security breaches, data loss, and operational disruptions.
Cybersecurity teams worldwide should stay alert and ensure that edge security devices are properly configured and secured to withstand these relentless cyber threats. As brute force attacks continue to grow in scale and complexity, proactive security measures are the key to defending against them.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.