Unidentified software presumed to be a botnet employs brute force methods to infiltrate edge devices.
The Shadowserver Foundation has reported an increase in web login brute force attacks against edge devices since mid-to-late January 2025. The attacks involve more than 2.8 million source IPs per day and target the login portals of popular firewalls and other network edge devices, according to various reports.
The specific identities of the threat actors behind these attacks remain undisclosed. However, the activity aligns with a broader trend of cybercriminals exploiting vulnerabilities in network edge devices, such as Fortinet FortiGate firewalls and others. For instance, the exploitation of Fortinet zero-day vulnerabilities in January 2025 shows how exposed edge devices currently are.
The targeted devices in these attacks include those from major vendors such as Palo Alto Networks, SonicWall, and Ivanti. Notably, in late January, attackers targeted a critical vulnerability (CVE-2025-23006) in SonicWall SMA 1000 series appliances, which allows an attacker with access to the internal interface to take over the device.
Edge devices, often left exposed to the internet to perform their main function, are a common target because of their role in managing network traffic and securing remote access. According to analysts, these devices often run services such as VPNs, which are not immune to bugs and remote exploits. Even if edge devices are patched, there is a risk of credential stuffing attacks against VPNs that lack multifactor authentication and context-based controls.
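As an added illustration (not from Shadowserver or the original report), the Python example below shows why a per-source lockout threshold misses a login brute force spread across many source IPs, and how counting failures portal-wide per time window catches it. The log format, the thresholds and the sample lines are assumptions constructed for the example, as is the premise that each source sends only a few attempts.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a hypothetical portal log format (not a vendor format).
# Ten documentation-range sources (RFC 5737), two failures each, within five minutes.
SAMPLE_LOG = [
    f"2025-02-01T10:0{i % 5}:{10 + i:02d}Z src=203.0.113.{1 + i % 10} user=admin result=FAIL"
    for i in range(20)
] + [
    "2025-02-01T10:02:00Z src=198.51.100.7 user=alice result=OK",
    "2025-02-01T11:30:00Z src=198.51.100.9 user=bob result=FAIL",
]

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(lines):
    """Yield (epoch_seconds, src_ip, user, result); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield int(ts.timestamp()), m.group(2), m.group(3), m.group(4)

def per_ip_offenders(lines, threshold=5):
    """Per-source lockout view: IPs with at least `threshold` failed logins."""
    fails = Counter(src for _, src, _, res in parse(lines) if res == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def distributed_windows(lines, window_s=300, min_failures=10, min_ips=5):
    """Portal-wide view: fixed windows with many failures from many distinct sources."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, _, res in parse(lines):
        if res == "FAIL":
            b = buckets[ts - ts % window_s]   # align to window start
            b[0] += 1
            b[1].add(src)
    return [(start, n, len(ips)) for start, (n, ips) in sorted(buckets.items())
            if n >= min_failures and len(ips) >= min_ips]

if __name__ == "__main__":
    print("per-IP offenders:", per_ip_offenders(SAMPLE_LOG))
    print("distributed windows (start, failures, distinct IPs):", distributed_windows(SAMPLE_LOG))
```

On the sample data no single source crosses the per-IP threshold, while the portal-wide window is flagged; in practice the thresholds would be tuned against the portal's normal failure rate.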
U.S. officials are monitoring the situation closely, with the Cybersecurity and Infrastructure Security Agency (CISA) working in coordination with Shadowserver and other relevant partners to address the edge device attack issue. If necessary, CISA will notify any at-risk entities and provide guidance to mitigate these threats.
Interestingly, more than 1.1 million of the IPs behind the brute force attacks are located in Brazil, with a large concentration of U.S. and Canadian instances also observed. This global reach underscores the need for a coordinated and comprehensive response to these cyber threats.
As we navigate this digital age, it is crucial to remain vigilant and proactive in securing our network edge devices. By strengthening our defences and staying informed about the latest threats, we can better protect ourselves against these cyberattacks.
The surge in web login brute force attacks on edge devices reported by the Shadowserver Foundation, together with the exploitation of vulnerabilities in devices from vendors like Fortinet and SonicWall, highlights how exposed network edge technology currently is.