
A brute-force attack using 2.8 million IPs is targeting VPNs and security devices, posing a serious threat to enterprise networks.
What happened
A large-scale brute-force attack is underway, attempting to compromise networking devices from companies like Palo Alto Networks, Ivanti, and SonicWall. The attack uses nearly 2.8 million IP addresses and systematically tries different username and password combinations to gain unauthorized access.
The cybersecurity monitoring group The Shadowserver Foundation reports that the attack has been ongoing for weeks but has recently intensified. Hackers specifically target edge security devices such as firewalls, VPNs, and gateways, the devices that make up an organization's remote-access security infrastructure.
Going deeper
The attack is widespread, with most of the harmful traffic coming from Brazil (1.1 million sources), followed by Turkey, Russia, Argentina, Morocco, and Mexico. Hackers are using compromised routers and Internet of Things (IoT) devices, like MikroTik, Huawei, Cisco, Boa, and ZTE routers, many of which are already known to have security weaknesses.
Security researchers at Shadowserver found that these attacks are being carried out using a large network of infected devices, likely part of a botnet or a residential proxy network. A botnet is a group of hacked devices controlled by cybercriminals, while a residential proxy network disguises attacks by making them appear to come from regular home internet users rather than from automated attack tools.
These networks are commonly used in cybercrime to steal data, bypass location-based restrictions, and even commit fraud. Additionally, hacked security devices might act as proxy exit points, meaning attackers can secretly route their malicious traffic through business networks, making it harder to detect.
In the know
Cybersecurity experts stress strong authentication to prevent these attacks. Simple steps like changing default admin passwords, enabling multi-factor authentication (MFA), and limiting access to trusted IPs can make a big difference. It’s also smart to disable any web admin interfaces you don’t need and keep the firmware and security patches up to date to block known vulnerabilities.
The big picture
A brute-force attack of this scale is more than a security incident. It reveals how vulnerable network defenses become when attackers exploit millions of compromised devices. Cybercriminals are no longer just guessing passwords; they are systematically targeting the systems meant to safeguard organizations. The persistence of this campaign shows that traditional defenses are not enough. Businesses need to rethink their security approach with stronger authentication, stricter access controls, and continuous monitoring to stay ahead of new threats.
FAQs
How can organizations detect if they are being targeted?
Monitor login attempts for unusual activity, such as repeated failed logins from different IPs, unexpected locations, or abnormal traffic spikes.
Why are VPNs and security devices prime targets?
These devices control remote access and network security, making them valuable entry points for attackers seeking unauthorized access.
What should companies do if they suspect a breach?
Immediately change admin credentials, enforce multi-factor authentication (MFA), check logs for suspicious activity, and apply the latest security patches.
Are residential proxy networks always malicious?
No, they have legitimate uses, but cybercriminals often exploit them to mask attack traffic and evade detection.
What industries are most at risk from this attack?
Enterprises with remote workforces, cloud-based operations, and critical infrastructure relying on VPNs and firewalls are especially vulnerable.
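As an added example that is not part of the original article, the following Python script shows why the detection advice in the FAQ above (repeated failed logins from different IPs) has to aggregate across sources: with millions of attacking addresses, each IP may try only a few passwords, so a classic per-IP lockout rule never fires, while counting distinct source IPs per target account within a time window does. The log format, field names and sample lines are constructed for illustration and do not come from any particular vendor's device.

```python
# Added example (not from the original article): detecting a distributed
# brute-force campaign in VPN/firewall login logs. Per-IP thresholds miss it
# because each of the millions of sources makes only a few attempts; counting
# distinct sources per targeted account in a sliding window catches it.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp src_ip user result" format.
SAMPLE_LOGS = """
2025-02-10T08:00:01Z 203.0.113.10 admin FAIL
2025-02-10T08:00:02Z 203.0.113.11 admin FAIL
2025-02-10T08:00:02Z 198.51.100.7 admin FAIL
2025-02-10T08:00:03Z 198.51.100.8 admin FAIL
2025-02-10T08:00:04Z 192.0.2.5 admin FAIL
2025-02-10T08:00:05Z 192.0.2.6 admin FAIL
2025-02-10T08:00:09Z 192.0.2.44 jsmith OK
2025-02-10T09:30:00Z 192.0.2.44 jsmith FAIL
"""

def parse(lines):
    """Yield (timestamp, source_ip, username, result) tuples from the log text."""
    for line in lines.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def per_ip_alerts(lines, threshold=5):
    """Classic per-source rule: alert on any IP with >= threshold failures."""
    fails = defaultdict(int)
    for _, ip, _, result in parse(lines):
        if result == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def distributed_alerts(lines, window=timedelta(minutes=5), min_sources=5):
    """Alert on an account that fails from >= min_sources distinct IPs inside
    a sliding window, no matter how few attempts each individual IP makes."""
    events = sorted((ts, ip, user) for ts, ip, user, r in parse(lines) if r == "FAIL")
    alerts = set()
    for i, (ts, _, user) in enumerate(events):
        # Events are sorted, so only look forward from this one within the window.
        sources = {ip for t, ip, u in events[i:] if u == user and t - ts <= window}
        if len(sources) >= min_sources:
            alerts.add(user)
    return sorted(alerts)

if __name__ == "__main__":
    print("per-IP rule:", per_ip_alerts(SAMPLE_LOGS))           # []
    print("distributed rule:", distributed_alerts(SAMPLE_LOGS))  # ['admin']
```

In production the same aggregation is usually expressed as a SIEM query (count of distinct source addresses per username per window), with the threshold tuned so that a single user mistyping a password from a couple of locations does not trigger it.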