The Shadowserver Foundation uncovered a large brute force attack, with approximately 2.8 million IPs launching attacks on edge devices like firewalls, routers, and VPNs. Continue to read this Cybersecurity Threat Advisory to learn how you can mitigate the risks of a brute force attack.
What is the threat?
Brute force attacks involve repeatedly attempting all possible usernames and passwords until the attacker finds the correct one. Their effectiveness depends on the attack method, available computational resources, and password complexity. There are two main types of brute force attacks: Simple and Dictionary.
Simple attacks are less effective and resemble manual attempts, often lacking context about the targeted accounts. Password spraying is an example of this type. Dictionary attacks, on the other hand, target more complex passwords. Attackers use software to test common words, phrases, and intelligent substitutions for numbers and special characters based on password trends. Credential stuffing, a highly effective dictionary attack, uses passwords obtained from previous data breaches.
Why is it noteworthy?
The attack uses residential proxies running on compromised routers and devices, which makes identifying malicious IPs with traditional reputation-based methods difficult. Because most of these connections originate from legitimate Internet service provider address space, few of them are ever reported as malicious. The high volume of IPs suggests the activity is botnet-driven, indicating abundant resources. While the attack’s motive remains unclear, employees should remain vigilant, as it may pave the way for future phishing and spam campaigns.
What is the exposure or risk?
The attack targets VPN accounts and the login pages of firewalls and routers. For VPN authentication against LDAP/LDAPS, it is best to use a dedicated VPN organizational unit (OU) and ensure that only active users are members of it.
Ensure that devices running vulnerable firmware, such as the SonicWall SMA client (CVE-2024-53705), SonicOS up to versions 7.1.1-7058, 7.1.2-7019 and 8.0.0-8035, Ivanti CSA version 5.0.5 or below, and PAN-OS 11.2, 11.1, 11.0, 10.2, 10.2 (CVE-2025-0109, CVE-2025-0110), are updated to the recommended versions to prevent exploitation.
What are the recommendations?
Barracuda recommends the following actions to limit the impact of a brute force attack:
- Use long, complex, and unique passwords, and store them within a trusted password manager.
- Disable any unused accounts in Active Directory. This greatly limits the attack surface and reduces the alert volume to only the accounts actually in use, giving investigators a clearer picture.
- Maintain a consistent update schedule for firewalls, routers, and VPN software.
- Regularly monitor edge devices. Raise concerns if something does not seem right. If you are consistently locked out of your account, this may indicate an attack is taking place.
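The advisory makes two points that a monitoring rule has to reconcile: the attack types described above differ in shape (a simple or spray attack touches many accounts lightly, a dictionary or credential-stuffing attack hammers specific accounts), and the residential-proxy botnet keeps each source IP below any per-IP lockout threshold, so a classic "block after N failures from one address" rule never fires. The script below is an added example, not Barracuda's or Shadowserver's code, of aggregating edge-device authentication failures both per source and per account so that the distributed, low-and-slow pattern surfaces alongside the loud ones. The log line layout (`<timestamp> vpn auth-fail user=<name> src=<ip>`), the sample entries, and the thresholds are all constructed assumptions for the example; adapt the regex and limits to your device's real syslog format and lockout policy.

```python
"""Classify VPN/firewall authentication-failure patterns per source and per account.

Added example (not Barracuda's or Shadowserver's code). The log excerpt below is
constructed; the field layout is an assumption for this example only.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog excerpt (not real device output). Layout assumed:
# "<timestamp> vpn auth-fail user=<name> src=<ip>". Three patterns are embedded:
#   - vpnadmin hit 6 times from one address          (targeted brute force)
#   - one address trying 5 different accounts once   (password spray)
#   - svc-backup hit once each from 8 addresses      (distributed low-and-slow)
# plus one ordinary typo by alice, followed by a successful login.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z vpn auth-fail user=vpnadmin src=198.51.100.5
2025-02-10T08:00:03Z vpn auth-fail user=vpnadmin src=198.51.100.5
2025-02-10T08:00:05Z vpn auth-fail user=vpnadmin src=198.51.100.5
2025-02-10T08:00:07Z vpn auth-fail user=vpnadmin src=198.51.100.5
2025-02-10T08:00:09Z vpn auth-fail user=vpnadmin src=198.51.100.5
2025-02-10T08:00:11Z vpn auth-fail user=vpnadmin src=198.51.100.5
2025-02-10T08:01:00Z vpn auth-fail user=alice src=203.0.113.10
2025-02-10T08:01:02Z vpn auth-fail user=bob src=203.0.113.10
2025-02-10T08:01:04Z vpn auth-fail user=carol src=203.0.113.10
2025-02-10T08:01:06Z vpn auth-fail user=dave src=203.0.113.10
2025-02-10T08:01:08Z vpn auth-fail user=erin src=203.0.113.10
2025-02-10T08:02:00Z vpn auth-fail user=svc-backup src=192.0.2.1
2025-02-10T08:07:00Z vpn auth-fail user=svc-backup src=192.0.2.2
2025-02-10T08:12:00Z vpn auth-fail user=svc-backup src=192.0.2.3
2025-02-10T08:17:00Z vpn auth-fail user=svc-backup src=192.0.2.4
2025-02-10T08:22:00Z vpn auth-fail user=svc-backup src=192.0.2.5
2025-02-10T08:27:00Z vpn auth-fail user=svc-backup src=192.0.2.6
2025-02-10T08:32:00Z vpn auth-fail user=svc-backup src=192.0.2.7
2025-02-10T08:37:00Z vpn auth-fail user=svc-backup src=192.0.2.8
2025-02-10T08:40:00Z vpn auth-fail user=alice src=198.51.100.77
2025-02-10T08:40:30Z vpn auth-ok user=alice src=198.51.100.77
"""

# Only failures matter here; successful logins are deliberately not matched.
LINE_RE = re.compile(r"^\S+ vpn auth-fail user=(?P<user>\S+) src=(?P<ip>\S+)$")

# Illustrative thresholds (assumptions); tune to the device's lockout policy and traffic.
PER_IP_LOCKOUT = 5          # what a naive per-source block rule would use
LOW_PER_PAIR = 2            # "low and slow": at most this many tries per (account, source)
SPRAY_MIN_USERS = 4         # one source touching this many accounts is a spray
DISTRIBUTED_MIN_IPS = 6     # one account hit from this many sources is distributed
TARGETED_MIN_ATTEMPTS = 5   # one account hit this often from few sources is targeted


def parse(log: str) -> list[tuple[str, str]]:
    """Return one (user, ip) tuple per authentication failure in the log text."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["user"], m["ip"]))
    return events


def per_ip_blocklist(events, threshold: int = PER_IP_LOCKOUT) -> list[str]:
    """Sources a classic per-IP rule would block. Proxy botnets stay under this."""
    counts = Counter(ip for _, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def detect(events) -> dict[str, list[str]]:
    """Aggregate failures per source AND per account and label the pattern each shows."""
    pair = Counter(events)                  # (user, ip) -> attempts
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for user, ip in events:
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)

    findings = {"password_spray": [], "distributed_low_and_slow": [], "targeted_brute_force": []}

    # Per source: many accounts, few tries each -> spray (per-account lockout never fires).
    for ip, users in users_by_ip.items():
        quiet = all(pair[(u, ip)] <= LOW_PER_PAIR for u in users)
        if len(users) >= SPRAY_MIN_USERS and quiet:
            findings["password_spray"].append(ip)

    # Per account: many sources, few tries each -> distributed (per-IP lockout never fires);
    # otherwise a plain volume threshold catches the targeted case.
    for user, ips in ips_by_user.items():
        total = sum(pair[(user, ip)] for ip in ips)
        quiet = all(pair[(user, ip)] <= LOW_PER_PAIR for ip in ips)
        if len(ips) >= DISTRIBUTED_MIN_IPS and quiet:
            findings["distributed_low_and_slow"].append(user)
        elif total >= TARGETED_MIN_ATTEMPTS:
            findings["targeted_brute_force"].append(user)

    return {kind: sorted(subjects) for kind, subjects in findings.items()}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("per-IP rule would block:", per_ip_blocklist(evts))
    for kind, subjects in detect(evts).items():
        print(f"{kind}: {subjects}")
```

Run against the sample, the naive per-IP rule blocks only the two loud addresses and none of the eight `192.0.2.x` sources, while the per-account view flags `svc-backup` even though no single source exceeded two attempts. In practice the per-account and per-device aggregates are what to alert on for this campaign, and a repeatedly locked-out account (the symptom mentioned in the last recommendation) is the human-visible version of the same signal.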
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-exploitable-sslvpn-bug-immediately
- https://thehackernews.com/2025/02/ivanti-patches-critical-flaws-in.html
- https://www.tomsguide.com/computing/vpns/2-8-million-ip-addresses-being-used-in-brute-force-attack-on-vpns
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.