Source: securityboulevard.com – Author: Jeffrey Burt
Threat actors are pounding edge security devices from the likes of Palo Alto Networks, Ivanti, and SonicWall in a massive brute force login attack from as many as 2.8 million IP addresses a day, according to The Shadowserver Foundation.
According to numbers collected by the threat monitoring firm, the campaign to brute force passwords began in early January, gathering steam as the month wore on. The numbers peaked in the last week of January and have been running steadily in the first days of February.
The researchers said in a posting on X (formerly Twitter) that they detected a significant increase in the campaign in recent weeks, capturing login attempts in their honeypots.
Brute force techniques automate the guessing: attackers run huge numbers of username and password combinations against a login, at scale and at speed, in hopes of hitting the one that grants access.
“Cybercriminals are leveraging compromised routers and IoT devices – many forming part of large malware botnets – to conduct large-scale brute force attempts,” Patrick Tiquet, vice president of security and architecture at Keeper Security, told Security Boulevard. “The widespread nature of this attack highlights several ongoing risks, including weak or reused passwords, misconfigured security settings and unpatched firmware.”
According to Kris Bondi, co-founder and CEO of Mimoto, the attack uncovered by The Shadowserver Foundation highlights the vulnerability of credentials, even at security and infrastructure organizations.
“Brute force attacks are automated, so they’re implemented at scale,” Bondi told Security Boulevard. “It’s not a question of if they can get in with this approach. The question is how many times will the organization be penetrated this way and will the security team know when it happens. Because of the swarm effect these attacks cause, they are both more likely to chip away at the protective perimeter and cause a distraction when more sophisticated malicious activities may occur.”
Brute Forcing on the Rise
An increase in such attacks in recent years is illustrative of the greater focus cybercriminals are putting on stolen credentials and identities as access points for compromising systems and individuals. According to a report last year by AI search company Elastic, credential access accounted for about 23% of all cloud infiltrations by bad actors in 2024, and there was a corresponding 12% jump in the number of brute force techniques used. This was particularly true in Microsoft Azure, where 35% of all techniques observed in that cloud environment were brute force methods.
“Organizations must be aware of the increase in Brute Force attacks, an item seen multiple times in different environments throughout our report,” the authors wrote in The 2024 Elastic Global Threat Report. “The emphasis on Credential Access goes a step further for the endpoints in our telemetry.”
Targeting the Edge and IoT
Edge and Internet of Things (IoT) devices are vulnerable to such brute force attacks because, by the nature of what they do, they are most often exposed directly to the internet. Security devices such as firewalls, VPN concentrators, and gateways also frequently ship with default or weak passwords, lack the account lockout and monitoring capabilities of general-purpose systems, and are difficult to patch.
Brute force “targets IoT devices that often have default or weak passwords, leveraging automated software to generate many consecutive guesses. IoT devices are more susceptible to such attacks because of the frequent absence of account lockout policies, allowing unlimited password attempts,” connectivity platform provider Telnyx wrote. “Given the pervasive nature of IoT devices in personal and professional settings, the risks associated with IoT hacking are significant.”
Once in, the attackers can use the devices for a range of operations, from stealing data and accessing systems to distributed denial-of-service (DDoS) attacks.
A Lot of Devices From a Lot of Countries
According to The Shadowserver Foundation, the bulk of the brute force attempts being tracked are coming from South America, followed by Asia and Europe. An overwhelming number originate in Brazil, with 1.1 million source IP addresses counted on January 27, the peak day of the campaign. It was followed by Turkey, Russia, Argentina, and Morocco, with other attempts stemming from dozens of other countries.
The bad actors are running the attack through more than 400 devices, primarily from networking device maker MikroTik, followed by Huawei, Cisco, Boa (an embedded web server common on IoT devices), and ZTE. Others on the list include Fortinet, Broadcom, TP-Link, Ubiquiti, and the nginx web server.
More MFA, Better Passwords Needed
Security pros said that as first steps, organizations using such devices will want to change the device passwords, replacing any defaults, and implement multifactor authentication (MFA) using biometrics, security keys, or time-based one-time passwords. Such “adaptive MFA further strengthens defenses by detecting suspicious login behavior and requiring extra verification,” Keeper Security’s Tiquet said.
Beyond that, there are other steps to take, including adopting zero-trust and zero-knowledge technologies, continuously monitoring login attempts, updating software and firmware, and disabling remote access functions that aren’t needed, he said. Mimoto’s Bondi added that security solutions should be evaluated to ensure they’re dynamic, contextual, and operate in real time.
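The monitoring step deserves more precision than "watch login attempts," and it ties back to the lockout point made in the edge and IoT section: a per-IP lockout or per-IP alert never fires when a campaign is spread across millions of source addresses that each make only a few guesses. Detection has to aggregate failures per target account across distinct sources, and separately flag the success that eventually lands. The following is an added example, not code from the article, from The Shadowserver Foundation, or from any vendor quoted; the syslog-style line format, the thresholds, and the sample log are all constructed for the example and do not correspond to any real product's log schema.

```python
"""Detect single-source and distributed (botnet 'swarm') brute force against a
login service from syslog-style auth lines, aggregating per target account
rather than only per source IP.  Example code; log format is hypothetical."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical auth-failure line, e.g.
#   2025-01-27T10:00:00Z fw1 auth: login failed user=admin src=198.51.100.7
# The format is an assumption for this example, not a vendor schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>[0-9.]+)$"
)


def parse_log(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _peak_in_window(items, window):
    """items: (timestamp, key) pairs.  Returns (max_events, max_distinct_keys)
    seen in any sliding window of length `window` (two-pointer sweep)."""
    items = sorted(items, key=lambda x: x[0])
    counts, left = Counter(), 0
    max_events = max_distinct = 0
    for right, (ts, key) in enumerate(items):
        counts[key] += 1
        while items[left][0] < ts - window:      # expire events older than window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        max_events = max(max_events, right - left + 1)
        max_distinct = max(max_distinct, len(counts))
    return max_events, max_distinct


def detect_brute_force(events, window=timedelta(minutes=10),
                       per_ip_threshold=20, distinct_ip_threshold=5):
    """Three findings:
    single_source: one IP with >= per_ip_threshold failures in a window
                   (what a classic per-IP lockout catches);
    distributed:   one username failed from >= distinct_ip_threshold different
                   IPs in a window, regardless of how few tries each IP made
                   (the swarm case a per-IP lockout misses);
    success_after_failures: a successful login from an IP that had earlier
                   failed for that same user, i.e. the guess that landed."""
    events = sorted(events, key=lambda e: e["ts"])
    failed = [e for e in events if e["result"] == "failed"]
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in failed:
        by_src[e["src"]].append((e["ts"], e["user"]))
        by_user[e["user"]].append((e["ts"], e["src"]))

    findings = {"single_source": {}, "distributed": {}, "success_after_failures": []}
    for src, items in by_src.items():
        n_events, _ = _peak_in_window(items, window)
        if n_events >= per_ip_threshold:
            findings["single_source"][src] = n_events
    for user, items in by_user.items():
        _, n_distinct = _peak_in_window(items, window)
        if n_distinct >= distinct_ip_threshold:
            findings["distributed"][user] = n_distinct
    seen_failures = set()
    for e in events:
        pair = (e["user"], e["src"])
        if e["result"] == "failed":
            seen_failures.add(pair)
        elif pair in seen_failures:
            findings["success_after_failures"].append(pair)
    return findings


def constructed_sample_log():
    """Constructed sample (not real traffic): 198.51.100.7 hammers 'admin'
    25 times in two minutes; six IPs each try 'vpnuser' twice over six
    minutes; 203.0.113.9 then logs in as 'vpnuser'; one unrelated line."""
    base, lines = datetime(2025, 1, 27, 10, 0, 0), []

    def line(offset_s, result, user, src):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} fw1 auth: login {result} user={user} src={src}")

    for i in range(25):
        line(i * 5, "failed", "admin", "198.51.100.7")
    for n in range(6):
        line(60 * n, "failed", "vpnuser", f"203.0.113.{n + 4}")
        line(60 * n + 30, "failed", "vpnuser", f"203.0.113.{n + 4}")
    line(600, "ok", "vpnuser", "203.0.113.9")
    lines.append("2025-01-27T10:12:00Z fw1 kernel: unrelated line the parser skips")
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_brute_force(parse_log(constructed_sample_log())))
```

In the sample, the six `203.0.113.x` sources each make only two attempts, far below any sensible per-IP lockout, yet the per-account view shows one username under attack from six sources inside ten minutes, which is the signature of the campaign described above. The third finding is the one worth paging on: a success from a source that had been failing for that account means a credential has been guessed and the device is now in the attacker's hands.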
Jason Soroko, Senior Fellow at Sectigo, added that responsibility also falls on the cybersecurity vendors.
“Stronger credential form factors exist for many of these devices, but are simply not configured to be used,” Soroko told Security Boulevard. “The network equipment industry should consider ways to make it easier for their customers to implement modern forms of authentication.”
Original Post URL: https://securityboulevard.com/2025/02/attackers-use-2-8-million-devices-in-major-brute-force-attack/
Category & Tags: Cloud Security,Cybersecurity,Data Privacy,Data Security,Endpoint,Featured,Identity & Access,Mobile Security,Network Security,News,Security Awareness,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Spotlight,Threat Intelligence,edge security,IoT devices,password brute force