A brute-force attack using nearly 2.8 million IP addresses is targeting VPNs and other edge security devices, posing a serious threat to enterprise networks.
A large-scale brute-force attack is underway against networking devices from vendors including Palo Alto Networks, Ivanti, and SonicWall. The attack originates from nearly 2.8 million source IP addresses and systematically tries username and password combinations against the devices' login interfaces to gain unauthorized access.
The Shadowserver Foundation, a non-profit security monitoring organization, reports that the attack has been ongoing for weeks but has recently intensified. The attackers specifically target edge security devices such as firewalls, VPN concentrators, and remote-access gateways, the equipment that sits at the network perimeter and brokers remote access into the organization.
The attack is geographically widespread, with most of the source addresses in Brazil (1.1 million), followed by Turkey, Russia, Argentina, Morocco, and Mexico. The traffic comes from compromised routers and Internet of Things (IoT) devices, including MikroTik, Huawei, Cisco, and ZTE routers and devices running the embedded Boa web server, many of which have long-known security weaknesses.
Shadowserver's researchers found that the attacks are carried out through a large network of infected devices, most likely a botnet or a residential proxy network. A botnet is a group of compromised devices controlled by criminals, while a residential proxy network disguises attacks by making the traffic appear to come from ordinary home internet connections rather than from attacker-controlled infrastructure.
Such networks are commonly used in cybercrime to steal data, bypass location-based restrictions, and commit fraud. In addition, compromised security devices may themselves be enrolled as proxy exit points, so that attackers can route further malicious traffic through business networks, where it blends in with legitimate traffic and is harder to detect.
Security experts stress strong authentication as the primary defense against these attacks. Simple steps make a big difference: change default admin passwords, enable multi-factor authentication (MFA) so that a guessed password alone is not enough, and restrict both VPN and management access to trusted IP ranges. Disable any web admin interface you do not need, in particular on the internet-facing side, and keep firmware and security patches up to date to close known vulnerabilities. Note that per-source-IP lockouts offer little protection against a campaign spread across millions of addresses, each of which may try only a handful of passwords; rate-limit and lock out per account instead, and alert on the aggregate failure rate across all sources.
A brute-force attack of this scale is more than a security incident. It shows how exposed network defenses become when attackers can draw on millions of compromised devices. Criminals are no longer merely guessing passwords from a single host; they are systematically targeting the systems meant to safeguard organizations. The persistence of this campaign shows that a perimeter device protected by a password alone is not enough. Businesses need to rethink their approach with stronger authentication, stricter access controls, and continuous monitoring to stay ahead of such threats.
To detect an attack like this, monitor login attempts on edge devices for unusual activity: repeated failed logins for the same accounts arriving from many different IPs, logins from unexpected locations, or abnormal spikes in authentication traffic.
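As an added example (not from the article or from Shadowserver), the following Python script applies those monitoring rules to a few constructed VPN gateway log lines. The syslog-style line format, the hostname `vpngw`, and the thresholds are assumptions for illustration; real appliances log differently and the numbers should be tuned to your own baseline. The point it demonstrates is that a campaign spread over many source addresses with one or two attempts each is caught only by counting failures across the whole window, not per IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed syslog-style format (not the output of any
# real appliance): an SSL VPN gateway logging one line per authentication attempt.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z vpngw sslvpn: login failed user=admin src=203.0.113.10
2025-02-10T08:00:02Z vpngw sslvpn: login failed user=admin src=198.51.100.23
2025-02-10T08:00:03Z vpngw sslvpn: login failed user=root src=192.0.2.77
2025-02-10T08:00:04Z vpngw sslvpn: login failed user=admin src=203.0.113.44
2025-02-10T08:00:05Z vpngw sslvpn: login failed user=vpn src=198.51.100.9
2025-02-10T08:00:06Z vpngw sslvpn: login failed user=admin src=192.0.2.5
2025-02-10T08:00:07Z vpngw sslvpn: login failed user=test src=203.0.113.200
2025-02-10T08:00:08Z vpngw sslvpn: login failed user=admin src=198.51.100.150
2025-02-10T08:00:09Z vpngw sslvpn: login succeeded user=jsmith src=10.0.0.5
2025-02-10T08:00:10Z vpngw sslvpn: login failed user=admin src=192.0.2.99
2025-02-10T08:00:11Z vpngw sslvpn: login failed user=guest src=203.0.113.7
2025-02-10T09:30:00Z vpngw sslvpn: login failed user=jsmith src=10.0.0.5
2025-02-10T09:30:40Z vpngw sslvpn: login succeeded user=jsmith src=10.0.0.5
2025-02-10T10:00:00Z vpngw sslvpn: login failed user=admin src=198.51.100.77
2025-02-10T10:00:01Z vpngw sslvpn: login failed user=admin src=198.51.100.77
2025-02-10T10:00:02Z vpngw sslvpn: login failed user=administrator src=198.51.100.77
2025-02-10T10:00:03Z vpngw sslvpn: login failed user=root src=198.51.100.77
2025-02-10T10:00:04Z vpngw sslvpn: login failed user=admin src=198.51.100.77
2025-02-10T10:00:05Z vpngw sslvpn: login failed user=sales src=198.51.100.77
"""

# Assumed log line layout; adapt the pattern to the appliance you actually run.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: login (?P<result>failed|succeeded) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that are not auth events are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, window_minutes=5, dist_min_failures=10, dist_min_ips=5,
           dist_max_per_ip=2, single_ip_failures=5):
    """Flag two brute-force patterns per fixed time window (window_minutes must divide 60).

    distributed_bruteforce: many failures spread over many source IPs with only a
    few attempts each, the shape of the campaign described in the article; per-IP
    lockout counters never trip on this.
    single_source_bruteforce: one IP hammering the login, the classic case.
    """
    buckets = defaultdict(list)
    for ev in events:
        if ev["result"] != "failed":
            continue
        t = ev["ts"]
        key = t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)
        buckets[key].append(ev)

    alerts = []
    for start in sorted(buckets):
        fails = buckets[start]
        per_ip = defaultdict(int)
        users = set()
        for ev in fails:
            per_ip[ev["src"]] += 1
            users.add(ev["user"])
        if (len(fails) >= dist_min_failures and len(per_ip) >= dist_min_ips
                and max(per_ip.values()) <= dist_max_per_ip):
            alerts.append({
                "type": "distributed_bruteforce",
                "window": start.isoformat(),
                "failures": len(fails),
                "sources": len(per_ip),
                "usernames": sorted(users),
            })
        for ip, n in per_ip.items():
            if n >= single_ip_failures:
                alerts.append({
                    "type": "single_source_bruteforce",
                    "window": start.isoformat(),
                    "src": ip,
                    "failures": n,
                })
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

On the sample data the 08:00 window raises a distributed alert (ten failures from ten different addresses, none of which alone would exceed a lockout threshold) and the 10:00 window raises a single-source alert. Geolocation of the sources, which the article also recommends, is left out here because it needs an external IP-to-country database; in practice you would enrich each `src` before applying a location rule.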
VPNs, firewalls, and gateways are attractive targets because they control remote access and enforce network security policy; a single compromised device can give an attacker a foothold inside the network it was meant to protect.
If one of your devices is being targeted, immediately change its admin credentials, enforce multi-factor authentication (MFA), review the authentication logs for suspicious activity, and apply the latest security patches. Treat any successful login from an unrecognized source during the attack window as a potential compromise rather than as noise.
Residential proxy networks are not malicious in themselves and have legitimate uses, but cybercriminals often exploit them to mask attack traffic and evade detection.
Enterprises with remote workforces, cloud-based operations, or critical infrastructure that depend on VPNs and firewalls for access are especially exposed, because those devices must by design be reachable from the internet.