2.8 Million IPs Target VPN and Security Devices


A massive brute force attack is hammering VPNs and security appliances, with attackers using nearly 3 million IP addresses to flood these devices with credential-guessing attempts. According to reports, the attack has been ongoing for over a month, with 2.8 million unique IPs observed daily.

The attack is one of the largest in recent years. It primarily targets security appliances from major vendors, including Palo Alto Networks, Ivanti, and SonicWall. The attack's volume suggests a coordinated effort that could have serious consequences for businesses relying on these devices for remote access and network security.

Anatomy of the Attack: How It Works

Brute force attacks overwhelm systems with relentless login attempts. Attackers use automated scripts to bombard login portals with exhaustive username and password combinations, hoping to crack weak or default credentials. This attack is being carried out through botnets using compromised routers and IoT devices, distributing the attack load across millions of IP addresses to make blocking efforts more difficult.

Reports from The Shadowserver Foundation indicate that Brazil, Turkey, Russia, and Argentina are among the biggest contributors. These regions have long been hotbeds for botnet activity, often due to a combination of outdated or poorly secured infrastructure and lax enforcement against cybercrime.

Who’s Behind It? Possible Threat Actors and Motivations

While it’s unknown who is behind the attack, its characteristics suggest it’s the work of well-organized cybercriminal groups rather than nation-state actors. The widespread use of compromised routers and IoT devices points to known botnets, which are typically leveraged for large-scale credential stuffing, ransomware deployment, or selling illicit access to corporate networks.

This campaign fits the pattern of previous botnet-driven attacks linked to malware families that specialize in brute force techniques. Many of the compromised devices being used in the attack—such as MikroTik and Huawei routers—have been targeted in past campaigns, often due to unpatched vulnerabilities or unchanged default credentials.

The motives behind the attack could vary. Infiltrating VPNs and security appliances provides a gateway into corporate networks, where attackers can steal data, plant malware, or launch ransomware. There’s also the possibility of espionage, as VPNs are commonly used by governments and enterprises to protect sensitive communications. Whether the goal is financial gain, intelligence gathering, or laying the groundwork for future attacks, the scale of this campaign makes it a major threat.

The Risk to Organizations: Why This Matters

Security appliances and VPNs are prime targets for attackers because these devices can provide direct access to internal systems, bypassing traditional security measures. Unlike endpoints or email accounts, which often have layered defenses, a compromised VPN or firewall can act as a backdoor, allowing attackers to move laterally across a network undetected.

For enterprises, the consequences of such a breach are severe. If attackers gain control of these devices, they can intercept sensitive data, deploy malware, or even manipulate network traffic. Cloud-based infrastructure is also at risk, as many organizations use VPNs to link on-premises networks to cloud environments. A compromised security appliance could provide an entry point for attackers to pivot into cloud workloads, potentially exposing vast amounts of business-critical information.

Once inside, attackers can escalate their access, disable security controls, and exfiltrate data before deploying ransomware or other destructive payloads. “It’s not a question of if they can get in with this approach—the question is how many times will the organization be penetrated this way, and will the security team know when it happens,” says Kris Bondi, CEO and co-founder of Mimoto AI. This swarm effect not only increases the risk of a breach but can also overwhelm security teams, making it harder to detect and respond before real damage is done.

Defensive Strategies: How to Protect Against Brute Force Attacks

Defending against brute force attacks requires a comprehensive defense strategy. Attackers are betting on weak passwords and lax security settings, so the first step is to make authentication as strong as possible. Multi-factor authentication (MFA) is essential, adding an extra layer of security through biometrics, security keys, or Time-Based One-Time Passwords (TOTP). Strong, unique passwords and enforced account lockouts after repeated failed attempts can further limit exposure.

Another key defense is reducing unnecessary exposure. Security teams should restrict remote access to only essential users and configure VPNs with hardened security settings. Default credentials should be changed immediately, and organizations should limit access to security appliances by implementing IP restrictions or requiring VPN authentication before reaching internal resources. More advanced organizations should consider network segmentation to contain potential breaches.

Detection and response are important as well. Security Information and Event Management (SIEM) tools, behavioral analytics, and real-time threat intelligence feeds can help identify brute force attempts before they succeed. Without proper monitoring, even a failed attack can provide valuable insights to attackers for future attempts.
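The detection point above matters most for a campaign like this one: with millions of source addresses, a per-IP failure threshold alone misses attackers who send a single guess per address. The following is an added example, not code from the article or from any vendor; it assumes a constructed syslog-like line format (`<timestamp> vpn auth-fail user=<name> src=<ip>`) rather than any real appliance's log schema, and applies two sliding-window checks over sample lines: failures per source address, and distinct source addresses per account.

```python
"""Detect both single-source and distributed credential brute forcing in
VPN authentication logs.

Added example; the line format below is constructed for illustration and
is not the log schema of any real VPN or firewall product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines. 198.51.100.7 hammers one account from one
# address (classic brute force). The jdoe lines show the distributed pattern
# described in the article: six different addresses, one guess each, so no
# single address ever looks noisy. alice is benign (two typos, then success).
SAMPLE_LOG = """\
2025-02-10T08:00:01Z vpn auth-fail user=admin src=198.51.100.7
2025-02-10T08:00:02Z vpn auth-fail user=admin src=198.51.100.7
2025-02-10T08:00:03Z vpn auth-fail user=admin src=198.51.100.7
2025-02-10T08:00:04Z vpn auth-fail user=admin src=198.51.100.7
2025-02-10T08:00:05Z vpn auth-fail user=admin src=198.51.100.7
2025-02-10T08:00:06Z vpn auth-fail user=admin src=198.51.100.7
2025-02-10T08:01:00Z vpn auth-fail user=jdoe src=203.0.113.10
2025-02-10T08:01:10Z vpn auth-fail user=jdoe src=203.0.113.11
2025-02-10T08:01:20Z vpn auth-fail user=jdoe src=203.0.113.12
2025-02-10T08:01:30Z vpn auth-fail user=jdoe src=203.0.113.13
2025-02-10T08:01:40Z vpn auth-fail user=jdoe src=203.0.113.14
2025-02-10T08:01:50Z vpn auth-fail user=jdoe src=203.0.113.15
2025-02-10T08:02:00Z vpn session-start user=bob
2025-02-10T08:04:00Z vpn auth-fail user=alice src=192.0.2.5
2025-02-10T08:04:30Z vpn auth-fail user=alice src=192.0.2.5
2025-02-10T08:05:00Z vpn auth-ok user=alice src=192.0.2.5
"""

# Matches only authentication outcome lines; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth-(?P<result>fail|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for non-auth lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def analyze(log_text, window=timedelta(minutes=5),
            per_ip_threshold=5, distinct_ip_threshold=5):
    """Flag source addresses with many failures in `window`, and accounts
    that receive failures from many distinct addresses in `window`.

    Returns {"noisy_ips": {src: peak_failures},
             "distributed_accounts": {user: peak_distinct_sources}}.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])

    ip_fail = defaultdict(deque)     # src  -> timestamps of recent failures
    acct_fail = defaultdict(deque)   # user -> (timestamp, src) of recent failures
    noisy_ips = {}
    distributed_accounts = {}

    for ts, result, user, src in events:
        if result != "fail":
            continue

        # Check 1: one address failing repeatedly (what a per-IP lockout sees).
        q = ip_fail[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_threshold:
            noisy_ips[src] = max(noisy_ips.get(src, 0), len(q))

        # Check 2: one account failing from many addresses (what a per-IP
        # lockout misses when the load is spread over a botnet).
        aq = acct_fail[user]
        aq.append((ts, src))
        while aq and ts - aq[0][0] > window:
            aq.popleft()
        distinct = {s for _, s in aq}
        if len(distinct) >= distinct_ip_threshold:
            distributed_accounts[user] = max(
                distributed_accounts.get(user, 0), len(distinct))

    return {"noisy_ips": noisy_ips, "distributed_accounts": distributed_accounts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["noisy_ips"].items():
        print(f"noisy source {src}: {n} failures in window")
    for user, n in report["distributed_accounts"].items():
        print(f"account {user} targeted from {n} distinct sources in window")
```

The second check is the one that catches the swarm: `jdoe` is flagged even though each of the six addresses appears only once, while `admin` is caught by the per-address counter and `alice` trips neither. In a SIEM the same two aggregations map to "count of failures by source" and "distinct-count of sources by account", both over a sliding window; the thresholds here are illustrative and should be tuned to the environment's normal failure rate.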

Finally, keeping security appliances up to date is critical. Regularly patching VPNs, firewalls, and networking devices helps close security gaps. “These devices are designed to be internet-facing; however, they are often poorly configured, running outdated firmware, and use weak forms of authentication,” says Jason Soroko, Senior Fellow at Sectigo. Addressing these issues can prevent attackers from using known vulnerabilities to breach networks.

The Bigger Picture: What This Attack Says About Cybersecurity Today

This attack is a stark reminder of the ongoing challenge of securing edge devices. VPNs, firewalls, and other security appliances are supposed to protect networks, yet they remain some of the most targeted entry points for attackers. The problem isn’t just weak passwords—it’s the broader issue of network devices being exposed to the internet with poor configurations, outdated firmware, and inadequate monitoring.

IoT devices are making this problem worse. The rise of compromised routers and connected devices fueling this attack highlights how IoT has become a key tool for cybercriminals. Many IoT products lack strong security controls, and once they’re hijacked, they become part of massive botnets capable of launching brute force campaigns at an unprecedented scale.

Good network hygiene is just as important as advanced security tools. Changing default settings, limiting unnecessary exposure, and treating all connected devices as potential security risks should be standard practice. Attackers are always looking for weak links, and as this attack shows, they have millions of opportunities to find them.

Author
  • Contributing Writer, Security Buzz
    Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.