Feb. 10, 2025

Massive Brute Force Attack: How MSPs Can Protect Their Clients


A massive, ongoing brute force attack is targeting networking devices worldwide, and MSPs need to be aware of the risks and take immediate action to protect their clients. The campaign, which has been escalating since last month, is driven from nearly 2.8 million source IP addresses and tries to guess the login credentials of edge devices from major vendors such as Palo Alto Networks, Ivanti, and SonicWall.

Scope of the Attack

The Shadowserver Foundation, a non-profit threat monitoring organization, reports that the attack uses nearly 2.8 million unique source IP addresses per day, originating primarily from Brazil, Turkey, Russia, Argentina, Morocco, and Mexico. A source pool that large points to a sizeable botnet, a residential proxy network, or both. Residential proxies route the attacker's traffic through the ISP-assigned addresses of real home connections, so each login attempt looks like it comes from an ordinary consumer, each address contributes only a few attempts, and blocking by IP address or by country does little to slow the campaign.

Devices at Risk

The primary targets are edge security devices: firewalls, VPN concentrators, and secure gateways. These are critical infrastructure components that are deliberately exposed to the internet to enable remote access, which also makes their login pages reachable by anyone. The devices sending the login attempts are a separate population of already-compromised equipment: routers from MikroTik, Huawei, Cisco, and ZTE, devices running the lightweight Boa embedded web server, and assorted other IoT hardware. An unmanaged router or camera in one client's network can therefore be both a victim of an earlier compromise and a participant in attacks on another client's firewall.

Why This Matters to MSPs

As an MSP, you are on the front lines of cybersecurity for your clients. A successful brute force attack can lead to:

  • Data breaches: Attackers can gain access to sensitive data.
  • Network downtime: Compromised devices can disrupt network operations.
  • Reputational damage: A security breach can erode trust with your clients.
  • Financial losses: Remediation costs and potential legal liabilities can be significant.

Mitigation Strategies for MSPs

Here's what you need to do *now* to protect your clients:

  • Change Default Passwords: Ensure every networking device has a strong, unique administrative password, and retire shared or reused passwords while you are at it. Brute force and password spraying succeed against weak and reused credentials, not only factory defaults. This is the most basic, yet most critical step.
  • Enable Multi-Factor Authentication (MFA): Implement MFA on all accounts, especially those with administrative privileges and VPN access, so that a guessed password alone is not enough to log in.
  • Implement IP Allowlisting: Restrict remote administration to a short list of trusted management addresses, and prefer exposing the management interface only on an internal or VPN-reachable interface rather than on the WAN.
  • Disable Web Admin Interfaces: If the web admin interface isn't needed on an internet-facing interface, disable it there. The same applies to SSH and any other management service that does not have to be reachable from the internet.
  • Apply Latest Patches: Keep firmware and security patches up to date. Credential guessing is frequently combined with exploitation of known vulnerabilities in the same devices.
  • Monitor for Unauthorized Access: Collect authentication logs from edge devices and alert on failed logins. Because this campaign spreads attempts across millions of source addresses, per-IP lockout thresholds rarely trigger; alert on the number of distinct source IPs failing against the same account, and treat any successful login to an account that was just sprayed as a potential compromise to investigate.
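As an added example (not code from the article, and not from any of the vendors it names), the following Python script shows the kind of monitoring the last bullet calls for. It scans a constructed, hypothetical syslog-style authentication log and flags accounts that receive failures from many distinct source addresses within a short window while each address stays under a typical per-IP lockout count, which is exactly the pattern a residential-proxy spray produces; it then lists any successful login to a sprayed account. The log format, field names, hostnames, addresses (RFC 5737 documentation ranges), and thresholds are all assumptions to be adapted to the real device's log export.

```python
"""Detect a distributed credential spray against an edge device's login service.

Added example, not from the original article. The log format below is a
constructed, hypothetical syslog-style line; Palo Alto, Fortinet, SonicWall
and Ivanti devices each emit their own format, so adapt LINE_RE accordingly.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). The "admin" account receives
# one or two failures from each of six different addresses within five
# minutes and is then logged into successfully; "jsmith" mistypes once and
# then succeeds from the same address, which is normal user behaviour.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z fw01 auth: login failed user=admin src=198.51.100.12 svc=sslvpn
2025-02-10T08:00:09Z fw01 auth: login failed user=admin src=198.51.100.12 svc=sslvpn
2025-02-10T08:01:30Z fw01 auth: login failed user=admin src=203.0.113.45 svc=sslvpn
2025-02-10T08:02:02Z fw01 auth: login failed user=jsmith src=192.0.2.10 svc=sslvpn
2025-02-10T08:02:14Z fw01 auth: login ok user=jsmith src=192.0.2.10 svc=sslvpn
2025-02-10T08:02:41Z fw01 auth: login failed user=admin src=198.51.100.200 svc=sslvpn
2025-02-10T08:03:15Z fw01 auth: login failed user=admin src=203.0.113.9 svc=sslvpn
2025-02-10T08:03:58Z fw01 auth: login failed user=admin src=198.51.100.77 svc=sslvpn
2025-02-10T08:04:20Z fw01 auth: login failed user=admin src=203.0.113.130 svc=sslvpn
2025-02-10T08:04:21Z fw01 auth: login failed user=admin src=203.0.113.130 svc=sslvpn
2025-02-10T08:06:05Z fw01 auth: login ok user=admin src=203.0.113.130 svc=sslvpn
"""

# Hypothetical line format: "<ts> <host> auth: login <failed|ok> user=<u> src=<ip> svc=<svc>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_distributed_spray(events, window=timedelta(minutes=10), min_distinct_ips=5):
    """Return {user: summary} for accounts that fail from >= min_distinct_ips
    source addresses inside any `window`. max_per_ip is reported so the analyst
    can see why a per-IP lockout (typically 3-5 attempts) never fired."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failed":
            failures[ev["user"]].append(ev)

    alerts = {}
    for user, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide a window starting at each failure
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_ip = Counter(e["src"] for e in in_window)
            if len(per_ip) >= min_distinct_ips:
                prev = alerts.get(user)
                if prev is None or len(per_ip) > prev["distinct_ips"]:
                    alerts[user] = {
                        "distinct_ips": len(per_ip),
                        "max_per_ip": max(per_ip.values()),
                        "window_start": start["ts"],
                    }
    return alerts


def successes_after_spray(events, alerts):
    """Successful logins to a sprayed account at or after the spray began.
    These are leads to investigate, not proof of compromise."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alert = alerts.get(ev["user"])
        if alert and ev["result"] == "ok" and ev["ts"] >= alert["window_start"]:
            hits.append((ev["user"], ev["src"], ev["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprayed = detect_distributed_spray(evs)
    for user, info in sprayed.items():
        print(f"SPRAY user={user} distinct_ips={info['distinct_ips']} "
              f"max_per_ip={info['max_per_ip']} since={info['window_start']:%H:%M:%S}")
    for user, src, ts in successes_after_spray(evs, sprayed):
        print(f"INVESTIGATE success for sprayed user={user} from {src} at {ts:%H:%M:%S}")
```

In the sample data no single address makes more than two attempts, so a per-IP lockout of three or five would stay silent, while the per-account view shows six distinct sources in under five minutes followed by a successful login from one of them. In production the thresholds should be tuned against a baseline of normal failure rates for each client, and the successful-login check should be followed by reviewing the session's source address against the client's allowlist and the device's own audit trail.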

A Growing Threat

This latest brute force campaign is part of a broader trend of credential-based attacks against networking infrastructure. As a reminder, similar campaigns have previously been reported against devices from Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti.

It's clear that brute force attacks are becoming more frequent and sophisticated. MSPs must take proactive steps to strengthen authentication mechanisms, regularly update software, and monitor for unauthorized access to mitigate this growing threat.

Source Links

ChannelE2E Staff: https://tinyurl.com/ycxbkymb

TrollEye Security: https://tinyurl.com/23jatu2e

Steve Zurier, SC Media: https://tinyurl.com/387aarez

Bill Toulas, Bleeping Computer: https://tinyurl.com/4epa8rav

Photo: https://pixabay.com/photos/hacker-cyber-illegal-technology-6586113/