Massive Brute Force Attack Utilizes 2.8 Million IPs to Compromise VPN and Firewall Logins

Govind Kumar

Co-founder/CPO

February 10, 2025 4 min read

A global brute force attack campaign leveraging 2.8 million IP addresses actively targets edge security devices, including VPNs, firewalls, and gateways from vendors such as Palo Alto Networks, Ivanti, and SonicWall. The attack, first detected in January 2025, has intensified in recent weeks, with threat actors attempting to breach login credentials across exposed network infrastructure.

Attack Overview

Brute force attacks involve repeated attempts to guess usernames and passwords until valid credentials are discovered. Once compromised, devices can be hijacked for unauthorized network access, data theft, or integration into botnets. According to threat intelligence firm Shadowserver Foundation, this campaign employs 2.8 million unique IPs daily, with over 1.1 million originating from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico.

"Large increase in web login brute forcing attacks against edge devices seen last few weeks in our honeypots, with up to 2.8M IPs per day seen with attempts (especially Palo Alto Networks, Ivanti, SonicWall etc). Over 1M from Brazil." — The Shadowserver Foundation

The attacking IPs are distributed across residential proxy networks and compromised devices, including MikroTik, Huawei, and Cisco routers, likely orchestrated by a large botnet. The attacks focus on edge devices critical for remote access, such as VPN gateways (Palo Alto Networks GlobalProtect, SonicWall NetExtender) and firewalls (Ivanti, Fortinet). Recent vulnerabilities in Ivanti (CVE-2024-8190) and SonicWall (CVE-2025-23006) highlight risks, with unpatched devices susceptible to exploitation. In response to rising threats, cybersecurity agencies have issued guidance urging manufacturers to improve logging and default security for edge devices.

Widespread Impact on Critical Infrastructure

Edge devices like VPN appliances and firewalls are critical components for securing networks, particularly for enterprises and organizations. These systems are often exposed to the internet, making them high-value targets for threat actors. The scale of the current attack campaign is unprecedented. With millions of IP addresses involved, these attacks are likely being conducted by large-scale botnets comprising compromised devices around the globe. A successful intrusion could potentially lead to ransomware attacks, data theft, or disruption of critical services. Suggested steps for organizations include:

  • Use strong, unique passwords for VPN and firewall logins.
  • Enable multi-factor authentication (MFA) to limit unauthorized access.
  • Update and patch all devices regularly.
  • Monitor network traffic for suspicious activity and block identified malicious IPs.

Organizations can also subscribe to Shadowserver’s free daily reports for details of observed attacks and source IPs.
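The monitoring bullet above is harder than it sounds for this campaign: with 2.8 million source IPs, each address may try only once or twice, so a per-IP lockout never trips. The following added example (not code from the article or from Shadowserver) aggregates failed logins per target device and account instead and alerts when many distinct sources fail against the same target inside a short window; the log format, device name and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not a real vendor format): "<ts> <device> <outcome> user=<u> src=<ip>".
SAMPLE_LOG = """\
2025-02-09T10:00:01 vpn-gw1 AUTH_FAIL user=admin src=203.0.113.10
2025-02-09T10:00:07 vpn-gw1 AUTH_FAIL user=admin src=198.51.100.22
2025-02-09T10:00:15 vpn-gw1 AUTH_FAIL user=admin src=192.0.2.77
2025-02-09T10:00:31 vpn-gw1 AUTH_FAIL user=admin src=203.0.113.44
2025-02-09T10:00:48 vpn-gw1 AUTH_FAIL user=admin src=198.51.100.9
2025-02-09T10:01:05 vpn-gw1 AUTH_FAIL user=admin src=192.0.2.130
2025-02-09T10:01:20 vpn-gw1 AUTH_OK user=jsmith src=10.0.0.5
2025-02-09T10:02:00 vpn-gw1 AUTH_FAIL user=jsmith src=10.0.0.5
2025-02-09T10:30:00 vpn-gw1 AUTH_FAIL user=admin src=203.0.113.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (AUTH_FAIL|AUTH_OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, device, outcome, user, src) tuples; non-auth lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, device, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), device, outcome, user, src))
    return events

def detect_distributed_bruteforce(events, window=timedelta(minutes=5), min_sources=5):
    """Alert when >= min_sources distinct IPs fail against one (device, user) inside `window`."""
    fails = defaultdict(list)
    for ts, device, outcome, user, src in events:
        if outcome == "AUTH_FAIL":
            fails[(device, user)].append((ts, src))
    alerts = []
    for (device, user), attempts in fails.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # shrink window from the left
                start += 1
            sources = {src for _, src in attempts[start:end + 1]}
            # keep the densest window seen for this target; its sources are the blocklist candidates
            if len(sources) >= min_sources and (best is None or len(sources) > len(best["sources"])):
                best = {"device": device, "user": user, "first_seen": attempts[start][0],
                        "last_seen": attempts[end][0], "sources": sorted(sources)}
        if best:
            alerts.append(best)
    return alerts
```

On the sample log the per-IP view shows at most two failures from any address, while the per-target view flags `admin` on `vpn-gw1` with six distinct sources inside 65 seconds.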

Geographic Distribution of Attack Sources

Shadowserver reports that the majority of attacking IP addresses originate from Brazil (1.1 million), followed by Turkey, Russia, Argentina, Morocco, and Mexico. However, the campaign's scope includes a vast number of countries, indicating a widespread and coordinated cybercriminal operation.

[Figure: Geographic Distribution of Attack Sources. Image courtesy of Shadowserver.]

The compromised devices being used to launch these attacks include a mix of MikroTik, Huawei, Cisco, Boa, and ZTE routers, as well as various IoT devices. These devices are commonly compromised by large malware botnets, enabling cybercriminals to conduct massive automated attacks with minimal direct intervention.

The Role of Botnets and Residential Proxy Networks

The attacking IP addresses are spread across multiple networks and Autonomous Systems, suggesting that the operation is likely orchestrated through a botnet or a residential proxy network. Residential proxies allow cybercriminals to route malicious traffic through legitimate internet users’ connections, masking their true identities. This complicates detection and mitigation for security professionals. The impact on organizations is significant, as these targeted security devices serve as critical infrastructure. Gateway devices could be leveraged as proxy exit nodes, allowing attackers to route malicious traffic through an organization’s network.

Protective Measures Against Brute Force Attacks

Given the severity of the ongoing attack, organizations must take immediate action to secure their network infrastructure. Security professionals recommend:

  1. Change Default Credentials: Devices should never operate with factory-default passwords.
  2. Implement Multi-Factor Authentication (MFA): This significantly reduces the risk of unauthorized access.
  3. Restrict Access: Use an allowlist of trusted IPs to limit login attempts.
  4. Disable Unnecessary Web Admin Interfaces: This reduces exposure to potential attacks.
  5. Regularly Update Firmware and Security Patches: Keeping devices up to date with the latest security patches mitigates known vulnerabilities.

As brute force attacks continue to grow in scale and sophistication, organizations must prioritize securing edge devices, which are often their first line of defense. With 2.8 million IPs weaponized daily, the campaign underscores the urgent need for MFA, rigorous patch management, and network segmentation. For organizations relying on edge security devices, it is critical to act now to prevent potential breaches and ensure robust cybersecurity measures are in place.
