Over 2 million IPs bombard edge network devices in ongoing brute force login attack


The Shadowserver Foundation is warning of an alarming surge in brute force login attacks targeting the web login panels of multiple network devices, especially those from Palo Alto Networks, Ivanti, and SonicWall.

Honeypots are being bombarded with login attempts, meaning that all vulnerable network devices are also in danger.

Over the last few weeks, web login panels were targeted from up to 2.8 million IP addresses per day. As of January 9th, 2025, the number of participating IPs was over 1.7 million.


For comparison, before January 18th, 2025, the figure was fluctuating below 100,000.

Shadowserver Foundation’s report identifies hosts that have been observed performing HTTP-based scanning activity, including exploitation attempts. HTTP scanning may sometimes be benign, for example when a search engine is indexing the web or researchers are looking for open or vulnerable services.

Large increase in web login brute forcing attacks against edge devices seen last few weeks in our honeypots, with up to 2.8M IPs per day seen with attempts (especially Palo Alto Networks, Ivanti, SonicWall etc). Over 1M from Brazil. Source IPs shared in shadowserver.org/what-we-do/n...


The Shadowserver Foundation (@shadowserver.bsky.social) February 7, 2025 at 11:08 AM

However, the large surge indicates that this activity may be part of a larger attack or exploit attempt coming from a botnet that’s actively hunting for new sites or devices to infect.

Recently, a few major vendors of VPNs and other network appliances disclosed critical security vulnerabilities.

SonicWall, a network security solutions provider, alerted users about a critical flaw affecting its SMA 1000 series secure access gateways. Fortinet devices have been under active exploitation due to an authentication bypass vulnerability. Ivanti’s appliances have been attacked by suspected Chinese hackers exploiting two zero-days. Similarly, hundreds of Palo Alto Networks firewalls remain vulnerable.

The current brute force login campaign mostly originates from Brazilian IP addresses. Shadowserver counted over 1.1 million Brazilian IPs during the peak, followed by 135,000 IPs from Turkey, 133,000 from Russia, 99,000 from Argentina, and hundreds of thousands from other countries.


Most of the identified compromised devices are produced by MikroTik, Huawei, and Cisco. However, in many cases, Shadowserver couldn’t map the source IP address to a device, or the actual involved device could be behind the identified one.

The researchers continue to monitor the situation and are encouraging network administrators to investigate malicious activity on their networks.
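One practical angle for administrators reviewing their own login logs: a campaign spread across millions of source addresses can make only one or two attempts per address, so a per-IP lockout threshold alone may never fire. The following is an added illustration, not code from the article or from Shadowserver, that runs over constructed access-log lines (hypothetical sample data, with 401 responses on a `/login` path standing in for failed authentication) and checks the distinct-source count alongside the per-IP count.

```python
import re
from collections import Counter

# Constructed sample lines in a common access-log style (hypothetical; not from
# the article). 401 responses on /login stand in for failed authentication.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Feb/2025:11:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.11 - - [07/Feb/2025:11:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.12 - - [07/Feb/2025:11:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.13 - - [07/Feb/2025:11:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.14 - - [07/Feb/2025:11:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.15 - - [07/Feb/2025:11:00:06 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [07/Feb/2025:11:00:07 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [07/Feb/2025:11:00:08 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [07/Feb/2025:11:00:09 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [07/Feb/2025:11:00:10 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [07/Feb/2025:11:00:11 +0000] "POST /login HTTP/1.1" 200 1024
192.0.2.5 - - [07/Feb/2025:11:00:12 +0000] "GET /status HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+$'
)

def failed_logins(log_text, login_path="/login"):
    """Return a Counter of failed login attempts (401/403 on POST) per source IP."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        if m["status"] in ("401", "403"):
            per_ip[m["ip"]] += 1
    return per_ip

def classify(per_ip, per_ip_threshold=3, distinct_ip_threshold=5):
    """Flag a single noisy source and, separately, a distributed campaign.

    The per-IP threshold is what a lockout rule would see; the distinct-source
    count catches the case where many addresses each fail only once or twice."""
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    low_rate = [ip for ip, n in per_ip.items() if n < per_ip_threshold]
    return {
        "noisy_sources": noisy,
        "distributed": len(low_rate) >= distinct_ip_threshold,
        "distinct_failing_ips": len(per_ip),
    }

if __name__ == "__main__":
    print(classify(failed_logins(SAMPLE_LOG)))
```

On the sample, only 198.51.100.7 crosses the per-IP threshold, while the six single-attempt addresses trip the distributed check that a per-IP rule alone would miss.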

“If you receive an alert from us about an IP in your constituency seen attacking, please investigate and reach out to us with your findings,” Shadowserver said.