- Millions of devices, probably infected with malware, are being used in a hacking campaign
- The researchers saw brute force attacks against VPNs and other internet-connected devices
- Most of the IP addresses are located in Brazil
A wide range of virtual private network (VPN) and other network devices are currently under attack by threat actors trying to break into wider networks, experts warned.
Threat monitoring platform The Shadowserver Foundation warned about the ongoing attack on X, noting that someone is using approximately 2.8 million different IP addresses to try to guess the passwords of VPNs and similar devices built by Palo Alto Networks, Ivanti, SonicWall and others.
In addition to VPNs, the threat actors are targeting gateways, appliances and other edge devices connected to the public internet.
Brute force
To perform the attack, the threat actors are using MikroTik, Huawei, Cisco, Boa, ZTE and other internet-connected devices, which were probably compromised with malware or broken into directly thanks to weak passwords.
Talking to BleepingComputer, The Shadowserver Foundation said the attack has recently increased in intensity.
Of those 2.8 million, the majority (1.1 million) are found in Brazil, with the rest divided between Türkiye, Russia, Argentina, Morocco and Mexico.
This is a typical brute force attack, in which threat actors try to log in to a device by sending a huge number of username/password combinations until one succeeds. Brute force attacks are usually successful against devices protected by weak passwords (those that lack a strong combination of letters, numbers and special characters). The whole process is automated, which makes it possible at a larger scale.
The automation is made possible by malware. In general, the devices used in the attack are part of a botnet or a residential proxy service. Residential proxies are IP addresses assigned to real devices by internet service providers (ISPs). They make it look as if the user is browsing from a legitimate residential location rather than a data center, which makes them an attractive asset for cybercriminals.
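A campaign spread over millions of source addresses is exactly the case a per-IP lockout misses: each IP may send only one or two guesses. The detector below, an added example that is not part of the article or of Shadowserver's tooling, aggregates failed logins across all sources from constructed sample VPN authentication log lines (the log format, hostnames and addresses are assumed for illustration) and flags the distributed pattern that a per-IP threshold would not trip.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "key=value" VPN auth log format.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z vpn-gw1 auth-fail user=admin src=203.0.113.10
2025-02-10T08:00:02Z vpn-gw1 auth-fail user=admin src=203.0.113.11
2025-02-10T08:00:03Z vpn-gw1 auth-fail user=vpnuser src=198.51.100.7
2025-02-10T08:00:04Z vpn-gw1 auth-fail user=admin src=203.0.113.12
2025-02-10T08:00:05Z vpn-gw1 auth-ok   user=alice src=192.0.2.44
2025-02-10T08:00:06Z vpn-gw1 auth-fail user=admin src=203.0.113.13
2025-02-10T08:00:07Z vpn-gw1 auth-fail user=root  src=203.0.113.14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>auth-\w+)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_distributed_bruteforce(log_text, fail_threshold=5,
                                  min_distinct_sources=4, per_ip_lockout=3):
    """Aggregate failed logins across all source IPs.

    A per-IP lockout only fires once one address reaches per_ip_lockout
    failures; a distributed campaign stays below that per address, so the
    signal is the total failure count and the number of distinct sources."""
    failures_by_src = defaultdict(int)
    failures_by_user = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth-fail":
            continue  # skip unparseable lines and successful logins
        failures_by_src[rec["src"]] += 1
        failures_by_user[rec["user"]] += 1
    total = sum(failures_by_src.values())
    max_per_src = max(failures_by_src.values(), default=0)
    return {
        "total_failures": total,
        "distinct_sources": len(failures_by_src),
        "max_failures_per_source": max_per_src,
        "per_ip_lockout_would_trigger": max_per_src >= per_ip_lockout,
        "distributed_bruteforce": (total >= fail_threshold
                                   and len(failures_by_src) >= min_distinct_sources),
        "most_targeted_user": (max(failures_by_user, key=failures_by_user.get)
                               if failures_by_user else None),
    }
```

On the sample, no single address reaches the lockout threshold, yet six failures from six sources against mostly one account are flagged, which is the aggregate view a VPN gateway needs alongside strong passwords and MFA.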