Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Huge cyber attack under way - 2.8 million IPs being used to target VPN devices

Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol.

  • Millions of devices, likely infected with malware, are being used in a hacking campaign
  • Researchers spotted brute-force attacks against VPN and other internet-connected devices
  • The majority of the IP addresses are located in Brazil

A wide range of Virtual Private Network (VPN) and other networking devices are currently under attack by threat actors trying to break in to wider networks, experts have warned.

Threat monitoring platform The Shadowserver Foundation warned about the ongoing attack on X, noting someone is currently using roughly 2.8 million different IP addresses to try and guess the passwords for VPNs and similar devices built by Palo Alto Networks, Ivanti, SonicWall, and others.

Besides VPNs, the threat actors are going for gateways, security appliances, and other edge devices connected to the public internet.

Brute force

To conduct the attack, the threat actors are using MikroTik, Huawei, Cisco, Boa, and ZTE routers and other internet-connected devices, likely compromised with malware, or broken into themselves, thanks to weak passwords.

Speaking to BleepingComputer, The Shadowserver Foundation said that the attack recently increased in intensity.

From those 2.8 million, the majority (1.1 million) are located in Brazil, with the rest split between Turkey, Russia, Argentina, Morocco, and Mexico.

This is a typical brute-force attack, in which threat actors try to log into a device by submitting an enormous amount of username/password combinations, until one succeeds. Brute-force attacks are usually successful against devices protected with poor passwords (those that don’t have a strong combination of uppercase and lowercase letters, numbers, and special symbols). The whole process is automated, making it possible on a grander scale.

The automation part is made possible through malware. Usually, the devices used in the attack are part of a botnet, or a residential proxy service. Residential proxies are IP addresses assigned to real devices by internet service providers (ISPs). They make it appear as though the user is browsing from a legitimate residential location rather than a data center, which makes them a major target for cybercriminals.

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.