Dive Brief:
- Security researchers warned about a surge in web login brute force attacks against edge devices from a suspected botnet since mid-to-late January, according to a post on X from the Shadowserver Foundation.
- The threat activity targeted devices from several major vendors, including Palo Alto Networks, SonicWall and Ivanti, with more than 2.8 million source IPs per day, according to Shadowserver. The observed threat activity goes well beyond scanning and involves actual login attempts, researchers said.
- “We do not know who is being targeted in particular, we can only observe attacks against our own honeypots,” Piotr Kijewski, CEO of Shadowserver, said via email.
Dive Insight:
The threat activity is a reminder of ongoing concerns about the security of edge devices, which have been increasingly targeted by state-backed threat groups for espionage and other malicious activity.
To perform their main function, edge devices are left exposed to the internet, according to analysts.
“They also often run services (such as VPN) that must be exposed, and these are not immune to bugs and remote exploits,” Charlie Winckless, VP analyst at Gartner, told Cybersecurity Dive via email.
Even if the devices are patched, there is a risk of credential stuffing attacks against VPNs that lack multifactor authentication as well as context-based controls.
U.S. officials are monitoring the situation.
“CISA is engaged with Shadowserver and other relevant partners on edge device attack paths,” a CISA spokesperson said via email. “If necessary, we will notify any at-risk entities and provide guidance in coordination with our partners.”
More than 1.1 million of the IPs behind the brute force attacks are located in Brazil, but researchers also noted a large concentration of U.S. and Canadian instances.
In late January, attackers targeted a critical vulnerability in SonicWall SMA 1000 series appliances. The vulnerability, listed as CVE-2025-23006, allowed attackers with access to the internal interface to take over the device.