A sweeping brute force assault is currently in progress, with nearly 2.8 million unique IP addresses being used daily to guess login credentials for a wide array of networking devices—including those manufactured by Palo Alto Networks, Ivanti, and SonicWall.

In such brute-force attacks, cybercriminals systematically try countless username and password combinations until they stumble upon the correct credentials. Once they gain access, these attackers can seize control of the device or infiltrate the broader network.

The Shadowserver Foundation, a threat-monitoring organization, reports that this attack has been active since last month. Their data indicates that approximately 2.8 million IP addresses are being employed each day, with about 1.1 million of these originating from Brazil. Other significant contributors include IPs from Turkey, Russia, Argentina, Morocco, and Mexico, among various other countries.

The primary targets are edge security devices such as firewalls, VPNs, gateways, and other security appliances that are often exposed to the internet to allow for remote management. Many of these devices are produced by well-known brands like MikroTik, Huawei, Cisco, Boa, and ZTE—manufacturers whose equipment is frequently compromised by extensive malware botnets.

In a statement to BleepingComputer, The Shadowserver Foundation confirmed that while the activity has been ongoing for some time, it has recently escalated to a far larger scale. They noted that the attacking IP addresses are distributed across multiple networks and Autonomous Systems, suggesting that the source of the attack might be a botnet or an operation linked to residential proxy networks.

Residential proxies are IP addresses assigned to typical home internet users by ISPs. These proxies are highly prized in cybercrime circles for tasks such as data scraping, bypassing geo-restrictions, ad verification, and even ticket scalping, as they make malicious traffic appear as though it originates from a regular household.

Compromised gateway devices can sometimes serve as proxy exit nodes, routing harmful traffic through an organization’s network. This makes the attacks even more challenging to detect and mitigate, as these nodes benefit from the trusted reputations of established organizations.

To defend against such brute force attacks, security experts advise several measures: replacing default administrator passwords with strong, unique alternatives; enforcing multi-factor authentication (MFA); using allowlists to restrict access to known IP addresses; and disabling web-based administration interfaces when they are not required. Moreover, it is critical to keep all devices updated with the latest firmware and security patches to close any vulnerabilities that threat actors might exploit.
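The defensive point that matters with a campaign like this one is that the guessing is spread across millions of source addresses, so a classic "N failures from one IP" rule sees almost nothing. The following added example (not from the article or from any vendor named in it) shows the two detections a defender would run side by side over admin-interface authentication logs: per-IP burst detection and per-account detection of many distinct source IPs, plus an allowlist check of the kind the article recommends. The log format, thresholds and sample addresses are constructed for illustration.

```python
"""Detect single-source and distributed credential guessing against a
management interface, then check flagged sources against an IP allowlist.
Added example; log format and thresholds are assumptions, not a vendor's."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source-ip> <username> <FAIL|OK>".
# 203.0.113.5 hammers one account; ten 198.51.100.x hosts each try once
# (the distributed pattern); 192.0.2.7 is a user who typos once then logs in.
SAMPLE_LOG = """\
2025-02-10T10:00:01Z 203.0.113.5 admin FAIL
2025-02-10T10:00:02Z 203.0.113.5 admin FAIL
2025-02-10T10:00:03Z 203.0.113.5 admin FAIL
2025-02-10T10:00:04Z 203.0.113.5 admin FAIL
2025-02-10T10:00:05Z 203.0.113.5 admin FAIL
2025-02-10T10:00:06Z 203.0.113.5 admin FAIL
2025-02-10T10:00:10Z 198.51.100.1 admin FAIL
2025-02-10T10:00:11Z 198.51.100.2 admin FAIL
2025-02-10T10:00:12Z 198.51.100.3 admin FAIL
2025-02-10T10:00:13Z 198.51.100.4 admin FAIL
2025-02-10T10:00:14Z 198.51.100.5 admin FAIL
2025-02-10T10:00:15Z 198.51.100.6 admin FAIL
2025-02-10T10:00:16Z 198.51.100.7 admin FAIL
2025-02-10T10:00:17Z 198.51.100.8 admin FAIL
2025-02-10T10:00:18Z 198.51.100.9 admin FAIL
2025-02-10T10:00:19Z 198.51.100.10 admin FAIL
2025-02-10T10:05:00Z 192.0.2.7 alice FAIL
2025-02-10T10:05:30Z 192.0.2.7 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=timedelta(minutes=5),
           per_ip_threshold=5, distinct_ip_threshold=8):
    """Return (noisy_ips, sprayed_users).

    noisy_ips: sources with >= per_ip_threshold failures inside one window
               (the classic single-source brute force).
    sprayed_users: accounts hit from >= distinct_ip_threshold different
               sources inside one window, regardless of per-source rate
               (the distributed pattern a per-IP rule misses).
    """
    fails = sorted(e for e in events if e[3] == "FAIL")
    by_ip = defaultdict(list)
    by_user = defaultdict(list)
    for ts, ip, user, _ in fails:
        by_ip[ip].append(ts)
        by_user[user].append((ts, ip))

    noisy = set()
    for ip, stamps in by_ip.items():
        # slide a window starting at each failure; stamps are time-ordered
        for i, start in enumerate(stamps):
            if sum(1 for s in stamps[i:] if s - start < window) >= per_ip_threshold:
                noisy.add(ip)
                break

    sprayed = set()
    for user, recs in by_user.items():
        for i, (start, _) in enumerate(recs):
            sources = {ip for s, ip in recs[i:] if s - start < window}
            if len(sources) >= distinct_ip_threshold:
                sprayed.add(user)
                break
    return noisy, sprayed


def outside_allowlist(ips, cidrs):
    """Return the subset of ips not covered by the allowlisted CIDRs, sorted.
    With an allowlist enforced on the device, every flagged source should
    land here; anything that does not is a gap in the allowlist."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return sorted(ip for ip in ips
                  if not any(ipaddress.ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    noisy, sprayed = detect(parse(SAMPLE_LOG))
    print("single-source brute force:", noisy)        # {'203.0.113.5'}
    print("accounts under distributed guessing:", sprayed)  # {'admin'}
    # Constructed allowlist: only the 192.0.2.0/24 management range may log in.
    print("flagged sources outside allowlist:",
          outside_allowlist(noisy | {"192.0.2.7"}, ["192.0.2.0/24"]))
```

Note the asymmetry the sample illustrates: the ten 198.51.100.x hosts never trip the per-IP rule (one failure each) but the account-centric rule catches them because they all aim at the same username within one window. In production the same aggregation would run over the device's syslog or RADIUS/TACACS+ accounting feed, and the allowlist check is a cheap audit that the restriction the article recommends is actually applied.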