A newly discovered, massive brute force attack employing about 2.8 million IP addresses is attempting to guess the credentials of a wide range of networking devices.
In a brute force attack, a threat actor repeatedly tries to log into an account or device with many username and password combinations until one succeeds. Once valid credentials are obtained, the attacker can use them to hijack the device or gain access to the network behind it.
Researchers report that the attack has been ongoing since last month, with around 2.8 million source IP addresses observed daily. Most of these addresses are located in Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico, although many other countries of origin are involved as well.
The targets are edge security devices such as firewalls, VPNs, gateways, and other security appliances, which are commonly exposed to the internet to provide remote access. The devices generating the attack traffic are primarily MikroTik, Huawei, Cisco, Boa, and ZTE routers and IoT devices, device types that are frequently compromised by large malware botnets.
The new brute force attack is possibly part of a botnet operation.
According to the investigation, the source IP addresses of the brute force attempts are dispersed across many networks and Autonomous Systems. This suggests the activity is most likely driven by a botnet or by an operation tied to residential proxy networks. The dispersion also matters defensively: when each address makes only a handful of attempts, per-IP rate limiting and blocking see nothing unusual, and only aggregation by targeted device and account reveals the campaign.
Residential proxies route traffic through IP addresses that ISPs assign to their consumer customers, which makes them popular with threat actors who want to carry out activities such as scraping, geo-restriction bypasses, ad verification, and sneaker/ticket scalping.
These proxies relay internet traffic through residential networks, so the traffic appears to come from an ordinary home user rather than from a bot, data scraper, or attacker.
Gateway devices targeted by this activity may, once compromised, be used as proxy exit nodes in residential proxying operations, passing malicious traffic through an organisation's enterprise network. Such nodes are considered high-quality because the organisations' IP ranges have a good reputation, which makes the resulting attacks harder to identify and block.
To defend edge devices against brute-force attacks, organisations should change the default admin password to a unique, strong one, enforce multi-factor authentication (MFA), restrict administrative access to an allowlist of trusted IP addresses, and disable web admin interfaces where they aren't required.
Firms should also apply the latest firmware and security updates to these devices to close vulnerabilities that threat actors could otherwise exploit for initial access.
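Two of the points above can be shown over a handful of log lines: that per-source blocking fails when attempts are spread over many addresses in many Autonomous Systems, and that an address allowlist on the management service rejects such traffic before a password is ever checked. The following Python is an added example, not code from the original report or from any vendor named above; the log format, the prefix-to-ASN table, the trusted management prefix and every log line are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical prefix -> ASN table, constructed for this example. A real
# deployment would use an ASN database or a whois/ASN lookup service instead.
PREFIX_TO_ASN = {
    "177.12.0.0/16": "AS28573 (BR)",
    "88.230.0.0/16": "AS9121 (TR)",
    "95.24.0.0/16": "AS8402 (RU)",
    "181.47.0.0/16": "AS7303 (AR)",
    "10.20.0.0/16": "internal",
}
_NETS = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]

def lookup_asn(ip):
    """Map a source address to its (hypothetical) origin ASN."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _NETS:
        if addr in net:
            return asn
    return "unknown"

# Constructed syslog-style auth events from an edge firewall: two failures per
# source, five sources in four ASNs, all against the same admin account.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z fw1 auth: login failed user=admin src=177.12.1.10 svc=https
2025-02-10T08:00:03Z fw1 auth: login failed user=admin src=177.12.1.10 svc=https
2025-02-10T08:00:05Z fw1 auth: login failed user=admin src=88.230.4.7 svc=https
2025-02-10T08:00:09Z fw1 auth: login failed user=admin src=88.230.4.7 svc=https
2025-02-10T08:00:12Z fw1 auth: login failed user=admin src=95.24.77.3 svc=https
2025-02-10T08:00:15Z fw1 auth: login failed user=admin src=95.24.77.3 svc=https
2025-02-10T08:00:20Z fw1 auth: login failed user=admin src=181.47.9.9 svc=https
2025-02-10T08:00:24Z fw1 auth: login failed user=admin src=181.47.9.9 svc=https
2025-02-10T08:00:30Z fw1 auth: login failed user=admin src=177.12.200.2 svc=https
2025-02-10T08:00:33Z fw1 auth: login failed user=admin src=177.12.200.2 svc=https
2025-02-10T08:01:00Z fw1 auth: login failed user=jsmith src=10.20.3.4 svc=ssh
2025-02-10T08:01:05Z fw1 auth: login ok user=jsmith src=10.20.3.4 svc=ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)

def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def per_ip_offenders(events, threshold=5):
    """fail2ban-style view: sources with at least `threshold` failures."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "failed":
            fails[e["src"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def per_target_findings(events, min_failures=10, min_sources=5, min_asns=3):
    """Aggregate failures per (host, user) and flag accounts hit from many
    distinct sources spread over several origin networks."""
    agg = defaultdict(lambda: {"failures": 0, "sources": set(), "asns": set()})
    for e in events:
        if e["result"] != "failed":
            continue
        t = agg[(e["host"], e["user"])]
        t["failures"] += 1
        t["sources"].add(e["src"])
        t["asns"].add(lookup_asn(e["src"]))
    findings = {}
    for (host, user), t in agg.items():
        if (t["failures"] >= min_failures and len(t["sources"]) >= min_sources
                and len(t["asns"]) >= min_asns):
            findings[f"{user}@{host}"] = {
                "failures": t["failures"],
                "distinct_sources": len(t["sources"]),
                "origin_asns": sorted(t["asns"]),
            }
    return findings

# Hypothetical allowlist of trusted management sources (constructed).
TRUSTED_MGMT_PREFIXES = ["10.20.0.0/16"]

def allowlist_verdicts(events, trusted=TRUSTED_MGMT_PREFIXES):
    """Return (dropped, allowed): how many failed logins an address allowlist on
    the management service would have rejected before any password check."""
    nets = [ipaddress.ip_network(p) for p in trusted]
    dropped = allowed = 0
    for e in events:
        if e["result"] != "failed":
            continue
        addr = ipaddress.ip_address(e["src"])
        if any(addr in n for n in nets):
            allowed += 1
        else:
            dropped += 1
    return dropped, allowed

if __name__ == "__main__":
    evts = list(parse_log(SAMPLE_LOG))
    print("per-IP offenders:", per_ip_offenders(evts))
    print("per-target findings:", per_target_findings(evts))
    print("allowlist would drop/allow:", allowlist_verdicts(evts))
```

On the sample data the per-IP view returns nothing, because no address fails more than twice, while the per-target view flags admin@fw1 with ten failures from five sources in four ASNs, and the allowlist would have rejected all ten external attempts before authentication. In a SIEM the same aggregation runs as a scheduled query keyed on device and account, and the thresholds need tuning to the environment's normal failure rate.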
