A large-scale brute force password attack has been observed targeting a broad range of networking devices, including those manufactured by Palo Alto Networks, Ivanti, and SonicWall. The attack, which has been underway since last month, uses nearly 2.8 million unique IP addresses to continuously attempt to crack device credentials through repeated login attempts.
According to the threat monitoring platform The Shadowserver Foundation, the brute force attack has been sustained at high volumes, with nearly 2.8 million IP addresses used daily to conduct these attempts. The targeted devices are typically edge security appliances such as firewalls, virtual private networks (VPNs), and gateways that are often exposed to the internet for remote access purposes.
The attack appears to be global, with the majority of the malicious IP addresses originating from Brazil, which accounts for 1.1 million of the compromised addresses. Other countries heavily involved in the attack include Turkey, Russia, Argentina, Morocco, and Mexico.
A significant portion of the attack’s traffic comes from compromised networking equipment, such as MikroTik, Huawei, Cisco, Boa, and ZTE routers, along with a variety of IoT (Internet of Things) devices. These devices are often hijacked by large malware botnets, which enable the attackers to launch distributed brute force attempts across vast networks of compromised devices.