The Shadowserver Foundation, a threat monitoring organization, reported that approximately 2.8 million unique IP addresses are actively attempting to breach VPN services and security appliances from vendors such as Palo Alto Networks, Ivanti, and SonicWall. In addition to VPNs, attackers are also targeting internet gateways, security appliances, and other edge devices exposed to the public internet.
The attackers are leveraging routers and networking hardware from MikroTik, Huawei, Cisco, Boa, and ZTE—many of which are believed to be infected with malware or compromised due to weak passwords. Security experts have noted a recent surge in attack intensity.
A significant portion of the malicious activity originates from Brazil, where 1.1 million of the identified IP addresses are located. Other affected regions include Turkey, Russia, Argentina, Morocco, and Mexico. The attackers are using a brute-force technique, repeatedly guessing login credentials to gain unauthorized access. These attacks are particularly effective against systems protected by weak passwords that lack complexity, such as those that do not combine uppercase and lowercase letters, numbers, and special characters.
To automate the attack, threat actors are leveraging botnets and residential proxy services. These services disguise cybercriminal activity by routing malicious traffic through real users’ IP addresses assigned by internet service providers (ISPs), making it appear as though the attacks originate from legitimate sources rather than known malicious servers.
The scale and persistence of this campaign highlight the urgent need for organizations to enforce strong password policies, implement multi-factor authentication (MFA), and continuously monitor network activity for unauthorized access attempts.
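Because the guesses arrive through botnets and residential proxies, each source address may fail only once or twice, so a per-IP failure threshold alone misses the activity. The following is an added example, not taken from the Shadowserver report or the original article, of monitoring that counts distinct failing sources per targeted account; the log format, field names, thresholds, and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any vendor's real format).
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth result=(?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(lines):
    """Yield (timestamp, result, user, src) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]

def detect(lines, window=timedelta(minutes=10), min_sources=4, per_ip_limit=5):
    """Return (accounts, noisy_ips): accounts maps each user whose failures
    inside `window` came from >= min_sources distinct IPs to those IPs;
    noisy_ips lists sources with >= per_ip_limit failures inside `window`."""
    by_user, by_ip = defaultdict(list), defaultdict(list)
    accounts, noisy_ips = {}, set()
    for ts, result, user, src in sorted(parse(lines)):
        if result != "FAIL":
            continue
        for bucket, item in ((by_user[user], src), (by_ip[src], user)):
            bucket.append((ts, item))
            while bucket[0][0] < ts - window:  # slide the window forward
                bucket.pop(0)
        sources = {s for _, s in by_user[user]}
        if len(sources) >= min_sources:
            accounts.setdefault(user, set()).update(sources)
        if len(by_ip[src]) >= per_ip_limit:
            noisy_ips.add(src)
    return {u: sorted(s) for u, s in accounts.items()}, sorted(noisy_ips)

# Constructed sample: "admin" is guessed once each from five addresses,
# "bob" mistypes once, and one address hammers "svc" six times.
SAMPLE_LOG = [
    "2025-02-08T10:00:05Z vpn-gw auth result=FAIL user=admin src=192.0.2.10",
    "2025-02-08T10:02:11Z vpn-gw auth result=FAIL user=admin src=198.51.100.20",
    "2025-02-08T10:03:40Z vpn-gw auth result=FAIL user=bob src=192.0.2.99",
    "2025-02-08T10:03:52Z vpn-gw auth result=OK user=bob src=192.0.2.99",
    "2025-02-08T10:04:47Z vpn-gw auth result=FAIL user=admin src=203.0.113.30",
    "2025-02-08T10:06:02Z vpn-gw auth result=FAIL user=admin src=203.0.113.31",
    "2025-02-08T10:07:30Z vpn-gw auth result=FAIL user=admin src=203.0.113.32",
] + [f"2025-02-08T10:20:{s:02d}Z vpn-gw auth result=FAIL user=svc src=198.51.100.77"
     for s in range(0, 60, 10)]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the sample, the per-IP rule flags only the single address hitting "svc", while the per-account rule surfaces "admin", whose five failures each came from a different address.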
Source: TechRadar
The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities.