A weeks-long brute force attack campaign by malicious actors has reached mammoth proportions, according to a non-profit security organization.
The Shadowserver Foundation reports that the campaign, which has been ongoing since January, involves as many as 2.8 million IP addresses daily, targeting VPN devices, firewalls, and gateways from vendors like Palo Alto Networks, Ivanti, and SonicWall.
“The recent wave of brute force attacks targeting edge security devices, as reported by Shadowserver, is a serious concern for cybersecurity teams,” said Brent Maynard, senior director for security technology and strategy at Akamai Technologies, a content delivery network service provider, in Cambridge, Mass.
“What makes this attack stand out is both its scale — millions of unique IPs attempting access daily — and the fact that it’s hitting critical security infrastructure like firewalls, VPNs, and secure gateways,” Maynard told TechNewsWorld.
“These aren’t just any devices. They’re the frontline defenses that protect organizations from external threats. If an attacker gains control over them, they can bypass security controls entirely, leading to data breaches, espionage, or even destructive attacks.”
In a brute force attack, waves of passwords and usernames inundate a login target in an attempt to discover valid login credentials. Compromised devices may be used for data theft, botnet integration, or illegal network access.
Massive Botnet Threat Escalates
“This type of botnet activity is not new. However, the scale is worrisome,” observed Thomas Richards, a network and red team practice director at Black Duck Software, an applications security company in Burlington, Mass.
“Depending on the type of device compromised, the attackers could leverage their access to disable internet access to the organization, disrupt networks communicating or facilitate their own access inside the network,” Richards told TechNewsWorld. “The attack, even if unsuccessful in gaining access to the devices, can cause harm by attempting too many login attempts and having valid accounts locked out.”
Patrick Tiquet, vice president for security and architecture at Keeper Security, a Chicago-based password management and online storage company, explained that brute force attacks are significant because they exploit weak or reused passwords, one of the most persistent vulnerabilities in cybersecurity.
“Beyond immediate data loss, these breaches can disrupt operations, damage an organization’s reputation, and erode customer trust — leading to long-term financial and security consequences,” he told TechNewsWorld.
Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla., added that the source of these attacks is millions of smaller devices spread around the globe, making them extremely difficult to defend against.
“Many consumers have old and outdated devices in their homes connecting to the internet,” Kron told TechNewsWorld. “These vulnerable devices are being exploited and used to drive cyberattacks like this.”
“Traditional approaches such as geoblocking and disallowing large blocks of IP addresses could actually block legitimate web traffic, costing some organizations sales and appearing as if the website is down to potential customers,” he said.
Credential-Based Attacks Overwhelm Defenses
Kris Bondi, CEO and co-founder of Mimoto, a threat detection and response company in San Francisco, asserted that the campaign exposed by Shadowserver highlights the vulnerability of credentials, even at security and infrastructure organizations.
“Brute force attacks are automated, so they’re implemented at scale,” Bondi told TechNewsWorld. “It’s not a question of if they can get in with this approach. The question is how many times the organization will be penetrated this way, and will the security team know when it happens.”
Akamai’s Maynard explained: “Attackers no longer need to sit at a keyboard guessing passwords. They deploy massive botnets that can test thousands of credentials in minutes.”
“Using an attack called password spraying, attackers can use a known username or email address and pair it with tens of thousands of the most common passwords with software that will then try to log into various exposed devices,” added KnowBe4’s Kron. “With several million devices available to be attempting these logins, the success rate is liable to be high.”
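To make the difference concrete, here is an added example (not from the article or any of the quoted vendors) that runs simple detection logic over a constructed auth log. It shows why a per-source-IP rate limit misses a spray that is spread across many addresses, how counting distinct sources per target account catches it, and how a naive per-account lockout policy lets the attacker lock out valid accounts without ever logging in, the point Richards makes above. Log format, field names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log (not real data): one line per login attempt.
# Four distinct sources each try "admin" once or twice (a low-and-slow spray),
# one source hammers "bob" (classic single-source brute force),
# and "alice" logs in normally.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z src=198.51.100.7  user=admin result=fail
2025-02-10T08:00:03Z src=203.0.113.12  user=admin result=fail
2025-02-10T08:00:04Z src=192.0.2.44    user=alice result=success
2025-02-10T08:00:05Z src=203.0.113.90  user=admin result=fail
2025-02-10T08:00:09Z src=198.51.100.7  user=admin result=fail
2025-02-10T08:00:11Z src=203.0.113.91  user=admin result=fail
2025-02-10T08:00:12Z src=192.0.2.200   user=bob   result=fail
2025-02-10T08:00:13Z src=192.0.2.200   user=bob   result=fail
2025-02-10T08:00:14Z src=192.0.2.200   user=bob   result=fail
2025-02-10T08:00:15Z src=192.0.2.200   user=bob   result=fail
2025-02-10T08:00:16Z src=192.0.2.200   user=bob   result=fail
2025-02-10T08:00:17Z src=192.0.2.200   user=bob   result=fail
"""

LINE_RE = re.compile(r"src=(\S+)\s+user=(\S+)\s+result=(\w+)")

def parse_events(log_text):
    """Return (src, user, result) tuples; lines that do not match are skipped."""
    return [m.groups() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def analyze(events, per_ip_limit=5, spray_sources=3, lockout_fails=5):
    """Compare three views of the same failures (thresholds are assumed values)."""
    fails_by_ip = Counter()
    fails_by_user = Counter()
    sources_by_user = defaultdict(set)
    for src, user, result in events:
        if result != "fail":
            continue
        fails_by_ip[src] += 1
        fails_by_user[user] += 1
        sources_by_user[user].add(src)
    return {
        # per-source rate limit: only the single noisy IP crosses the line
        "blocked_ips": {ip for ip, n in fails_by_ip.items() if n >= per_ip_limit},
        # per-target view: accounts hit from many different sources
        "sprayed_users": {u for u, s in sources_by_user.items() if len(s) >= spray_sources},
        # accounts a naive lockout policy would lock, whether or not any guess succeeded
        "locked_out": {u for u, n in fails_by_user.items() if n >= lockout_fails},
    }
```

On this log the per-IP limit blocks only 192.0.2.200, the spray on admin is visible only through the distinct-source count, and the lockout policy would lock both admin and bob even though no attempt succeeded.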
Bondi noted that the number and size of brute force attacks are rising. “Automation and generative AI have made it easier to implement this type of attack,” she said.
“They are hitting the large vulnerability that credentials represent,” she continued. “The attackers know that if they send enough attacks, some percentage will get through. In the meantime, security teams are overwhelmed and aren’t able to address all the attacks in real time, particularly without additional context.”
The explosion of internet-connected devices and the continued use of weak credentials also contribute to increased brute force attacks.
“With remote work, smart devices, and cloud adoption, more organizations rely on edge security devices that must be accessible from the internet,” Maynard said. “This makes them natural targets.”
“Despite years of warnings,” he added, “many companies still use default or weak passwords, especially on infrastructure devices.”
AI’s Role in Cyberattack Defense and Prevention
While artificial intelligence contributes to the rise in brute force attacks, it may also foil them. “AI has the potential to be a game-changer in defending against brute force and credential stuffing attacks,” Maynard said.
He noted that security teams are using AI-driven solutions to detect anomalies, analyze behavior, and automate responses to attacks.
“AI is very good at spotting anomalies and patterns. Therefore, AI can be very useful at looking at attempted logins, finding a pattern, and hopefully suggesting ways to filter the traffic,” Kron explained.
Jason Soroko, senior vice president of product at Sectigo, a global digital certificate provider, acknowledged that AI could help defenses by detecting anomalous login patterns and throttling suspicious activity in real time, but advised that strong authentication be prioritized first.
“While strong authentication needs identity management to scale and digital certificates and other strong asymmetric form factors need provisioning and lifecycle management, they can yield very strong security benefits,” Soroko told TechNewsWorld.
However, Bondi predicted that AI will eventually eliminate the need for credentials. “AI enables combining anomaly detection with advanced pattern matching to recognize specific people, not credentials, with significantly lower rates of false positives,” she said.
AI can also help deliver context with alerts, which will enable security teams to prioritize and respond faster to true alerts while reducing false positives, she added.
“The expectation is that in the near future, AI will also be able to help predict intent based on specific actions and techniques of an attack,” Bondi observed. “While LLMs aren’t capable of this yet, they could be within a few quarters.”