‘Next level’ brute-force attack uses 2.8 million IPs to target VPNs

A large brute-force attack that’s using nearly 2.8 million IP source addresses daily has been under way since last month, aiming to steal the credentials of multiple networking devices, including from Palo Alto Networks, Ivanti, and SonicWall.

The Shadowserver Foundation, which reported the case, said most of the IP addresses emanate from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico.

In a brute-force attack, threat actors repeatedly attempt to log into an account using many usernames and passwords until they find the correct combination. Once the attackers find a valid credential, they can access the device.

“This is a massive escalation,” said Chloe Messdaghi, founder of SustainCyber. “A brute-force attack with 2.8 million IPs is next-level. If attackers crack VPN credentials, they get direct access to corporate networks — it’s not something to take lightly. This attack shows how adversaries are using massive botnets to steamroll traditional security measures, making immediate action non-negotiable.”

Messdaghi said teams should act fast to enable MFA, enforce stronger passwords, update VPN software, monitor for unusual logins, block shady IPs, and rethink perimeter security with a zero-trust approach.

“Every request should be verified, logged, and monitored — even inside the network,” said Messdaghi. “Limit VPN access wherever possible. Stay ahead by tracking emerging threats, sharing intel with industry peers, and keeping an up-to-date incident response plan ready. Cybersecurity isn’t just about defense — it’s about proactive resilience against evolving threats.”
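The monitoring advice above runs into a practical problem with an attack of this shape: when 2.8 million sources each make only a handful of attempts, a per-IP failure threshold never trips. The following added example (not from the article or any vendor) shows the account-centric aggregation a defender would add alongside the per-IP rule; the log format and sample lines are constructed for illustration.

```python
"""Detect a distributed brute-force against a VPN gateway from auth logs.

Added example, not from the article. Sample lines are constructed in a
hypothetical syslog-style format, not any vendor's real log format.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

PER_IP_THRESHOLD = 5          # classic per-source rule; a botnet stays under it
DISTINCT_SRC_THRESHOLD = 20   # one account failing from many distinct sources
TOTAL_FAIL_THRESHOLD = 50     # aggregate failures in the analysed window


def parse(lines):
    """Yield (result, user, src) for every line matching the constructed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def analyse(lines):
    """Compare what a per-IP rule sees with account-centric aggregate signals."""
    per_ip = Counter()
    per_user_srcs = defaultdict(set)
    total_fail = 0
    for result, user, src in parse(lines):
        if result != "FAIL":
            continue
        total_fail += 1
        per_ip[src] += 1
        per_user_srcs[user].add(src)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= PER_IP_THRESHOLD)
    sprayed_users = sorted(
        u for u, srcs in per_user_srcs.items() if len(srcs) >= DISTINCT_SRC_THRESHOLD
    )
    return {
        "noisy_ips": noisy_ips,            # the only thing a per-IP rule would flag
        "sprayed_users": sprayed_users,    # accounts hammered from many sources
        "distributed_bruteforce": total_fail >= TOTAL_FAIL_THRESHOLD and not noisy_ips,
    }


def build_sample():
    """Constructed: 60 failures against 'admin', one each from 60 different IPs."""
    lines = [f"2025-02-0{1 + i % 9}T00:{i:02d}:00Z vpn auth FAIL user=admin src=203.0.113.{i}"
             for i in range(60)]
    lines.append("2025-02-01T01:00:00Z vpn auth OK user=alice src=198.51.100.7")
    return lines
```

On the constructed sample, the per-IP rule flags nothing while the account-centric checks identify both the targeted account and the distributed pattern.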

Kris Bondi, co-founder and CEO of Mimoto, said the attack highlights the vulnerability of credentials, even at security and infrastructure organizations. Bondi said brute-force attacks are automated, so they are carried out at scale: it is not a question of whether attackers can get in with this approach; the question is how many times the organization will be penetrated this way and whether the security team will know when it happens.

“Because of the swarm effect these attacks cause, they are both more likely to chip away at the protective perimeter and cause a distraction when more sophisticated malicious activities may occur,” said Bondi. “Without context, alerts alone, if they are even happening, will overwhelm the SOC. Changing passwords is a small first step. Organizations must look at human-based security methods that can balance recognition with user privacy.”

Jason Soroko, senior fellow at Sectigo, said these devices are designed to be internet-facing. However, they are often poorly configured, running outdated firmware, and use weak forms of authentication. Botnet-driven attacks exploit these weaknesses, increasing the risk of network compromise, said Soroko.

“At a minimum, security teams must change default passwords to strong, unique passwords,” said Soroko. “While stronger credential form factors exist for many of these devices, they are simply not configured to be used. The network equipment industry should consider ways to make it easier for their customers to implement modern forms of authentication. More advanced organizations should consider limiting remote access through IP restrictions, maintaining a strict patching schedule and implementing network segmentation.” 
