Massive Brute Force Attack Uses 2.8 Million IPs to Target VPNs and Firewalls

Overview of the Attack
An enormous brute force campaign is currently targeting VPNs, firewalls, and network security gateways, attempting to guess login credentials and gain unauthorized access. The campaign has been running since at least January 2025 and has ramped up recently.
What makes the current onslaught more disturbing, however, is its scale and sophistication: the attackers are employing 2.8 million unique IP addresses every day, making it one of the most significant brute force attacks ever recorded.
The attack focuses on critical edge security equipment that is often exposed to the internet, such as Palo Alto Networks GlobalProtect, SonicWall NetExtender, Ivanti firewalls, and Fortinet devices.
It was first discovered by The Shadowserver Foundation, a cybersecurity research organization, in early 2025. Since then, the scale of the ongoing attack has continued to grow.
The attackers are launching their brute force attempts from huge networks of compromised devices, residential proxy networks, and botnets, which makes the traffic hard to detect and block.
How Does a Brute Force Attack Work?
A brute force attack is one in which the attacker repeatedly guesses passwords, or username and password pairs, until a valid combination is found and access is granted.
Common variants include:
- Dictionary attacks: These try likely passwords taken from hacked databases.
- Credential stuffing: These reuse login credentials stolen in some other breach.
- Bots: These test thousands of combinations very quickly.
Once attackers gain access, the compromised system can be used for almost anything:
- They can hijack the device for remote-controlled access.
- They can use it as a foothold to reach other parts of the corporate network.
- They can steal sensitive data such as credentials, emails, and intellectual property.
- They can also turn the device itself into a bot used to launch further attacks.
Scale and Geographic Distribution of Attacks
According to Shadowserver, the brute-force attacks involve:
- 2.8 million unique IPs per day participating in brute-force attempts.
- 1.1 million attacking IPs from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico.
Attacks are globally distributed by nature, spanning many networks and autonomous systems.
Devices & Vendors Under Attack
The main targets of the attack campaign are edge security devices, which serve as the first line of defense for corporate networks. These devices include:
VPN Gateways
- Palo Alto Networks GlobalProtect
- SonicWall NetExtender
Firewalls
- Ivanti
- Fortinet
Routers & IoT Devices
- MikroTik, Huawei, Cisco, Boa, ZTE routers
- IoT (Internet of Things) security appliances and network gateways
Many of these devices are directly connected to the internet and are therefore at high risk. Once compromised, they can be used as proxy nodes for routing malicious traffic, disguising cybercriminal activity as legitimate enterprise traffic.
Use of Malware Botnets & Residential Proxy Networks
The attack is being executed by a gigantic botnet that makes use of:
Compromised Routers and IoT Devices
- Most attacking IPs belong to hijacked MikroTik, Huawei, Cisco, and ZTE routers.
- Infected with malware and enrolled in botnets, these devices let attackers coordinate brute-force attempts at scale.
Residential Proxy Networks
- Shadowserver found that many of the attacking IPs belong to residential proxy networks.
- These proxies mask the attackers’ true origin while making the attack traffic appear to come from legitimate home users.
- Consequently, residential proxies are popular in cybercrime because they are difficult to block without also harming legitimate users.
Proxy Exit Nodes for Malicious Traffic
The compromised devices serve as proxy exit nodes, which allows attackers to:
- Route malicious traffic through corporate and enterprise networks.
- Bypass traditional security measures and reputation-based blocking.
- Hide attack origins, which leads to difficulty in detection.
Previous & Related Attacks
This campaign is part of a growing effort by cybercriminals to attack and compromise edge security devices.
April 2024: Cisco warned of a large-scale credential brute-forcing campaign directed at:
- Check Point
- Fortinet
- SonicWall
- Ubiquiti VPN devices
December 2024: Citrix reported password spray attacks targeting Citrix NetScaler devices.
Ongoing: Attackers are increasingly using botnets, residential proxy servers, and credential stuffing to breach enterprise networks.
Brute force attacks continue to rise, and more vendors and regions are likely to be targeted.
Risk and Impact
Unauthorized Network Access
Attackers who brute-force their way past VPNs and firewalls can gain control of the corporate network and disable its defenses.
Data Theft and Corporate Espionage
Attackers can steal sensitive information, including trade, financial, and customer data.
Botnet Expansion and Abuse of Corporate Networks
Compromised devices can be recruited into botnets, amplifying further cyber threats.
Regulatory and Compliance Violations
Companies that fail to secure their infrastructure may incur fines and other serious legal consequences.
How to Protect Against Brute Force Attacks?
Organizations need to harden the security of their edge devices to protect them from brute force attacks on this scale.
Enforce Multi-Factor Authentication (MFA)
- Enable MFA for every VPN, firewall, and administrative login.
- MFA greatly limits the damage done by stolen credentials.
Strong & Unique Passwords
- Change the default admin password on all network devices.
- Use complex, randomly generated passwords to reduce the odds that brute force attacks succeed.
Restrict Access with IP Allowlisting
- Restrict the addresses from which VPNs and firewalls can be reached.
- Use threat intelligence feeds to detect and block known malicious addresses.
Regularly Patch & Update Firmware
- Apply security updates to close all known vulnerabilities in an appliance. Publicly known vulnerabilities that should be patched include CVE-2024-8190 (Ivanti) and CVE-2025-23006 (SonicWall).
- Devices running old firmware remain vulnerable to attack.
Disable Unnecessary Web Admin Interfaces
- Turn off public admin interfaces if remote access is not needed.
- Instead, reach the management console only through a VPN.
Implement Rate Limiting & Account Lockout Policies
- Account lockout policies are a simple defense: log failed login attempts and temporarily lock the account after a limited number of incorrect tries.
- Adding a progressive delay after repeated failures further reduces the attackers’ chances of success.
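The lockout and progressive-delay policy described in the two bullets above, implemented as a small Python module. This is an added example written for this article, not code from SiteLock or from any of the vendors named on this page; the policy numbers (five failures before a 15-minute lockout, delays doubling from one second, twenty attempts per source per minute) are assumptions chosen for illustration, and the fake clock exists only so the behaviour can be exercised without waiting. A per-source rate limit is included as well, but on its own it does little against a campaign spread over 2.8 million addresses, which is why the per-account controls are the ones that matter here.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class ThrottlePolicy:
    """Assumed policy values, chosen for illustration only."""
    max_failures: int = 5           # consecutive failures before lockout
    lockout_seconds: float = 900.0  # 15-minute account lockout
    base_delay: float = 1.0         # first progressive delay; doubles per failure
    max_delay: float = 60.0         # cap on the progressive delay
    ip_window_seconds: float = 60.0
    ip_max_attempts: int = 20       # attempts per source inside the window


class LoginThrottle:
    """Per-account lockout + progressive delay, plus a per-source rate limit.
    `clock` is injectable so the behaviour can be tested without waiting."""

    def __init__(self, policy=None, clock=time.monotonic):
        self.policy = policy or ThrottlePolicy()
        self.clock = clock
        self._failures = defaultdict(int)       # account -> consecutive failures
        self._locked_until = {}                 # account -> monotonic time
        self._next_allowed = {}                 # account -> monotonic time
        self._ip_attempts = defaultdict(deque)  # source -> attempt timestamps

    def check(self, account, src_ip):
        """Call BEFORE verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        q = self._ip_attempts[src_ip]
        while q and now - q[0] > self.policy.ip_window_seconds:
            q.popleft()                         # drop attempts outside the window
        if len(q) >= self.policy.ip_max_attempts:
            return False, "source rate limit"
        q.append(now)                           # every non-rate-limited attempt counts
        if self._locked_until.get(account, 0.0) > now:
            return False, "account locked"
        if self._next_allowed.get(account, 0.0) > now:
            return False, "progressive delay"
        return True, "ok"

    def record(self, account, success):
        """Call AFTER the password check. Returns the wait imposed, in seconds."""
        now = self.clock()
        if success:
            self._failures.pop(account, None)
            self._next_allowed.pop(account, None)
            return 0.0
        self._failures[account] += 1
        n = self._failures[account]
        if n >= self.policy.max_failures:
            self._locked_until[account] = now + self.policy.lockout_seconds
            self._failures[account] = 0         # count afresh after the lockout
            return self.policy.lockout_seconds
        delay = min(self.policy.base_delay * 2 ** (n - 1), self.policy.max_delay)
        self._next_allowed[account] = now + delay
        return delay


class FakeClock:
    """Controllable stand-in for time.monotonic, used only by the demos."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo_progressive_lockout():
    """Five failures against one account: returns the waits imposed, the reason an
    immediate retry is refused each time, and whether the account is usable again
    once the final wait has elapsed."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    waits, refusals = [], []
    for _ in range(throttle.policy.max_failures):
        allowed, _ = throttle.check("admin", "203.0.113.5")
        if not allowed:
            raise RuntimeError("attempt unexpectedly refused")
        waits.append(throttle.record("admin", success=False))
        refusals.append(throttle.check("admin", "203.0.113.5")[1])
        clock.advance(waits[-1])                # wait exactly as long as imposed
    allowed_after, _ = throttle.check("admin", "203.0.113.5")
    return waits, refusals, allowed_after


def demo_source_rate_limit():
    """One source spraying 21 accounts within a minute hits the per-source limit."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    first20 = all(throttle.check(f"user{i}", "198.51.100.7")[0] for i in range(20))
    _, reason21 = throttle.check("user20", "198.51.100.7")
    clock.advance(61)                           # window expires
    allowed_later, _ = throttle.check("user21", "198.51.100.7")
    return first20, reason21, allowed_later


if __name__ == "__main__":
    print(demo_progressive_lockout())
    print(demo_source_rate_limit())
```

The gateway calls check() before touching the password store and record() afterwards; refused attempts never reach credential verification, which keeps the cost of every guess on the attacker's side and leaves a clean trail of lockout and delay events for the monitoring described in the next sections.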
Deploy AI-Based Intrusion Detection Systems (IDS/IPS)
- AI-based intrusion detection systems can readily identify bots attempting brute-force attacks.
- They can detect suspicious login attempts in real time through continuous log monitoring.
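Why a per-source rule misses this campaign, and what a per-account rule catches instead: the residential proxy section above explains that each attacking address looks like an ordinary home user and contributes only a handful of attempts, so a classic "block any IP with more than N failures" rule never fires. The following Python, an added example rather than code from Shadowserver, SiteLock or any vendor, runs both kinds of rule over a constructed, syslog-like VPN log (the line format, account names and RFC 5737 documentation addresses are all assumptions for illustration) and shows the distributed pattern, many distinct sources spraying a few accounts within a short window, being flagged while the per-IP threshold stays silent.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed, constructed log format (not any vendor's real syntax):
#   <ISO timestamp> vpn-gw auth: FAILED|SUCCESS user=<account> src=<ipv4>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)


def _line(ts, result, user, src):
    return f"{ts} vpn-gw auth: {result} user={user} src={src}"


# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    # 40 distinct sources, one failure each, spraying "admin" within 40 seconds
    [_line(f"2025-02-10T09:00:{i:02d}", "FAILED", "admin", f"203.0.113.{i + 1}")
     for i in range(40)]
    # 12 distinct sources, one failure each, against "vpnuser"
    + [_line(f"2025-02-10T09:00:{10 + i:02d}", "FAILED", "vpnuser", f"198.51.100.{i + 1}")
       for i in range(12)]
    # a real user mistyping a password three times from a single address
    + [_line(f"2025-02-10T09:01:{s:02d}", "FAILED", "bob", "192.0.2.20") for s in (0, 5, 10)]
    # another real user: two failures, then success
    + [_line("2025-02-10T09:02:00", "FAILED", "alice", "192.0.2.10"),
       _line("2025-02-10T09:02:07", "FAILED", "alice", "192.0.2.10"),
       _line("2025-02-10T09:02:15", "SUCCESS", "alice", "192.0.2.10")]
)


def parse_log(lines):
    """Turn matching lines into event dicts with a datetime 'ts'; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def per_ip_alerts(events, threshold=5):
    """Classic per-source rule: sources with more than `threshold` failures."""
    fails = Counter(e["src"] for e in events if e["result"] == "FAILED")
    return {src for src, n in fails.items() if n > threshold}


def distributed_alerts(events, window=timedelta(minutes=1),
                       min_failures=10, min_distinct_sources=10):
    """Per-account rule for distributed sprays: flag an account that collects at
    least `min_failures` failures from at least `min_distinct_sources` distinct
    sources inside one sliding `window`. Returns {account: (failures, sources)}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAILED":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, fails in by_user.items():
        j = 0
        for i in range(len(fails)):
            # advance j to the first failure outside the window that starts at i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            span = fails[i:j]
            sources = {e["src"] for e in span}
            if len(span) >= min_failures and len(sources) >= min_distinct_sources:
                alerts[user] = (len(span), len(sources))
                break  # one alert per account is enough
    return alerts


def campaign_summary(events):
    """Campaign-wide view: total failures and distinct failing sources."""
    failed = [e for e in events if e["result"] == "FAILED"]
    return len(failed), len({e["src"] for e in failed})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP rule fired on:", per_ip_alerts(evts) or "nothing")
    print("per-account rule fired on:", distributed_alerts(evts))
    print("total failures / distinct sources:", campaign_summary(evts))
```

Swap LOG_RE for your gateway's actual log format; the detection logic does not depend on it. The thresholds are starting points to tune against the environment's baseline failure rate, and the campaign-wide summary (many distinct failing sources with almost no repeats) is the figure to alarm on when a per-account rule is too coarse.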
Block Malicious Traffic
- Use threat intelligence feeds to block IP addresses associated with brute-force attacks.
- Use geoblocking to restrict access from high-risk regions.
Preventing Cyber Theft with Automated Monitoring from SiteLock
As the cyber landscape changes rapidly and continually, these massive brute force attacks increasingly threaten businesses, individuals, and government agencies. Many of these attacks use botnets, residential proxies, and compromised routers to circumvent traditional security protections and push deeper into corporate networks.
Defenses against these threats should combine strong authentication practices, timely security patches, restricted access, and AI-powered monitoring solutions.
Prevention of cyber theft and brute force attacks is, to a large extent, possible with a powerful automated monitoring solution like SiteLock.
Why Choose SiteLock?
24/7 Automated Threat Monitoring – Identify and prevent brute force attacks before they reach success.
Real-Time Security Patching – Safeguard against attacks aiming at firewalls, VPNs, and other networking devices.
Strong Intrusion Detection – Immediately recognize and stop suspicious login attempts.
WAF – Instantly block attackers before they reach critical systems.
Complete Cybersecurity Solution – Protect your website, network, and digital assets.
Don’t delay; rely on SiteLock’s monitored digital security and stay ahead of cybercriminals. Protect your entire network with SiteLock!