A massive cyber attack campaign targeting major VPN and security devices is currently underway, using approximately 2.8 million compromised IP addresses daily, according to the Shadowserver Foundation, a nonprofit cybersecurity organization.
The ongoing attack specifically targets edge security devices from leading manufacturers including Palo Alto Networks, Ivanti, and SonicWall through automated brute force attempts to breach accounts.
The attacking IP addresses span multiple networks globally, with 1.1 million originating from the United States. Other major source countries include Turkey, Russia, Argentina, Morocco, and Mexico. Security researchers believe the attack is being conducted through a botnet composed of hijacked consumer devices, including Huawei, Cisco, Boa, and ZTE routers.
"This appears to be one of the largest coordinated attacks we've seen targeting enterprise VPN infrastructure," noted cybersecurity experts monitoring the situation. The compromised devices are being used to route malicious traffic through organizational networks.
The US Cybersecurity and Infrastructure Security Agency (CISA) is actively tracking the threat and working with partners to assess its scope. The agency stands ready to alert vulnerable organizations and provide mitigation guidance.
Security professionals recommend organizations take immediate protective steps, including:
- Changing default administrative passwords
- Implementing multi-factor authentication
- Creating allowlists of trusted IP addresses
- Disabling unnecessary web admin interfaces
- Applying all security updates promptly
This attack follows a similar large-scale campaign in recent months that targeted devices from major security vendors including Cisco, Check Point, Fortinet, and others.
Organizations are urged to remain vigilant and monitor their systems for suspicious login attempts or unusual network traffic patterns that could indicate compromise.
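
When failed logins come from a botnet of this size, each source address may try only once or twice, so a per-IP failure threshold stays quiet. The following is an added example, not code from Shadowserver, CISA, or any vendor: it counts distinct failing source IPs per account within a time window. The log line format, host name `vpn-gw`, user names, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any vendor's real syntax).
LINE_RE = re.compile(r"^(\S+) \S+ auth result=(\w+) user=(\S+) src=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def failed_logins(lines):
    """Yield (timestamp, user, source IP) for each failed login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "fail":
            yield datetime.strptime(m.group(1), TS_FMT), m.group(3), m.group(4)

def detect_distributed_bruteforce(lines, window_s=600, min_sources=5):
    """Return {user: peak count of distinct failing source IPs seen inside
    any window_s-second window} for accounts reaching min_sources."""
    per_user = defaultdict(list)
    for ts, user, src in failed_logins(lines):
        per_user[user].append((ts, src))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it covers at most window_s.
            while (ts - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({s for _, s in events[start:end + 1]}))
        if peak >= min_sources:
            flagged[user] = peak
    return flagged

def build_sample():
    """Constructed input: six IPs fail once each on 'admin' (botnet-style);
    one legitimate user mistypes three times from a single IP."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    lines = []
    for i in range(6):
        ts = (base + timedelta(seconds=40 * i)).strftime(TS_FMT)
        lines.append(f"{ts} vpn-gw auth result=fail user=admin src=198.51.100.{10 + i}")
    for i in range(3):
        ts = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f"{ts} vpn-gw auth result=fail user=jdoe src=192.0.2.44")
    return lines

if __name__ == "__main__":
    print(detect_distributed_bruteforce(build_sample()))
```

In the sample, `admin` is flagged because six different addresses fail against it within ten minutes, while `jdoe`, with more failures from a single address, is not.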