Massive Brute Force Attack Utilizes 2.8 Million IPs to Compromise VPN and Firewall Logins

A global brute force attack campaign leveraging 2.8 million IP addresses actively targets edge security devices, including VPNs, firewalls, and gateways from vendors such as Palo Alto Networks, Ivanti, and SonicWall. The attack, first detected in January 2025, has intensified in recent weeks, with threat actors attempting to breach login credentials across exposed network infrastructure.

Attack Overview

Brute force attacks involve repeated attempts to guess usernames and passwords until valid credentials are discovered. Once compromised, devices can be hijacked for unauthorized network access, data theft, or integration into botnets. According to threat intelligence firm Shadowserver Foundation, this campaign employs 2.8 million unique IPs daily, with over 1.1 million originating from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico.

"Large increase in web login brute forcing attacks against edge devices seen last few weeks in our honeypots, with up to 2.8M IPs per day seen with attempts (especially Palo Alto Networks, Ivanti, SonicWall etc). Over 1M from Brazil." — The Shadowserver Foundation

The attacking IPs are distributed across residential proxy networks and compromised devices, including MikroTik, Huawei, and Cisco routers, likely orchestrated by a large botnet. The attacks focus on edge devices critical for remote access, such as VPN gateways (Palo Alto Networks GlobalProtect, SonicWall NetExtender) and firewalls (Ivanti, Fortinet). Recent vulnerabilities in Ivanti (CVE-2024-8190) and SonicWall (CVE-2025-23006) highlight risks, with unpatched devices susceptible to exploitation. In response to rising threats, cybersecurity agencies have issued guidance urging manufacturers to improve logging and default security for edge devices.

Widespread Impact on Critical Infrastructure

Edge devices like VPN appliances and firewalls are critical components for securing networks, particularly for enterprises and organizations. These systems are often exposed to the internet, making them high-value targets for threat actors. The scale of the current attack campaign is unprecedented. With millions of IP addresses involved, these attacks are likely being conducted by large-scale botnets comprising compromised devices around the globe. A successful intrusion could potentially lead to ransomware attacks, data theft, or disruption of critical services. Suggested steps for organizations include:

• Use strong, unique passwords for VPN and firewall logins.
• Enable multi-factor authentication (MFA) to limit unauthorized access.
• Update and patch all devices regularly.
• Monitor network traffic for suspicious activity and block identified malicious IPs.

Organizations can also subscribe to Shadowserver’s free daily reports for details of observed attacks and source IPs.

Geographic Distribution of Attack Sources

Shadowserver reports that the majority of attacking IP addresses originate from Brazil (1.1 million), followed by Turkey, Russia, Argentina, Morocco, and Mexico. However, the campaign's scope includes a vast number of countries, indicating a widespread and coordinated cybercriminal operation. Image courtesy of Shadowserver The compromised devices being used to launch these attacks include a mix of MikroTik, Huawei, Cisco, Boa, and ZTE routers, as well as various IoT devices. These devices are commonly compromised by large malware botnets, enabling cybercriminals to conduct massive automated attacks with minimal direct intervention.

The Role of Botnets and Residential Proxy Networks

The attacking IP addresses are spread across multiple networks and Autonomous Systems, suggesting that the operation is likely orchestrated through a botnet or a residential proxy network. Residential proxies allow cybercriminals to route malicious traffic through legitimate internet users’ connections, masking their true identities. This complicates detection and mitigation for security professionals. The impact on organizations is significant, as these targeted security devices serve as critical infrastructure. Gateway devices could be leveraged as proxy exit nodes, allowing attackers to route malicious traffic through an organization’s network.

Protective Measures Against Brute Force Attacks

Given the severity of the ongoing attack, organizations must take immediate action to secure their network infrastructure. Security professionals recommend:

1. Change Default Credentials: Devices should never operate with factory-default passwords.
2. Implement Multi-Factor Authentication (MFA): This significantly reduces the risk of unauthorized access.
3. Restrict Access: Use an allowlist of trusted IPs to limit login attempts.
4. Disable Unnecessary Web Admin Interfaces: This reduces exposure to potential attacks.
5. Regularly Update Firmware and Security Patches: Keeping devices up to date with the latest security patches mitigates known vulnerabilities.

As brute force attacks continue to grow in scale and sophistication, organizations must prioritize securing edge devices—often their first line of defense. With 2.8 million IPs weaponized daily, the campaign underscores the urgent need for MFA, rigorous patch management, and network segmentation. For organizations relying on edge security devices, it is critical to act now to prevent potential breaches and ensure robust cybersecurity measures are in place. Explore how GrackerAI can assist your organization in transforming security news into strategic content opportunities and enhancing your cybersecurity marketing efforts. With our AI-powered platform, you'll stay ahead of emerging trends and threats. Visit us at GrackerAI for more information.