Dive Brief:
Security researchers warned about a surge in web login brute force attacks against edge devices from a suspected botnet since mid-to-late January, according to a post on X from the Shadowserver Foundation.
The threat activity targeted devices from several major vendors, including Palo Alto Networks, SonicWall and Ivanti, with more than 2.8 million source IPs per day, according to Shadowserver. The observed threat activity goes well beyond scanning and involves actual login attempts, researchers said.
“We do not know who is being targeted in particular, we can only observe attacks against our own honeypots,” Piotr Kijewski, CEO of Shadowserver, said via email.
Dive Insight:
The threat activity is a reminder of ongoing concerns about the security of edge devices, which have been increasingly targeted by state-backed threat groups for espionage and other malicious activity.
In order to conduct their main function, edge devices are left exposed to the internet, according to analysts.
“They also often run services (such as VPN) that must be exposed, and these are not immune to bugs and remote exploits,” Charlie Winckless, VP analyst at Gartner, told Cybersecurity Dive via email.
Even if the devices are patched, there is a risk of credential stuffing attacks against VPNs that lack multifactor authentication as well as context-based controls.
U.S. officials are monitoring the situation.
“CISA is engaged with Shadowserver and other relevant partners on edge device attack paths,” a CISA spokesperson said via email. “If necessary, we will notify any at risk entities and provide guidance in coordination with our partners.”
More than 1.1 million of the IPs behind the brute force attacks are located in Brazil, but they noted a large concentration of U.S. and Canadian instances.
In late January, attackers targeted a critical vulnerability in SonicWall SMA 1000 series appliances. The vulnerability, listed as CVE-2025-23006, allowed attackers with access to the internal interface to take over the device.
