![](https://hackmag.com/wp-content/uploads/2025/02/Bruteforce.png)
The brute-force attacks began last month, but recently they reached an impressive scale: almost 2.8 million IP addresses per day. Most of them (1.1 million) are located in Brazil, followed by Turkey, Russia, Argentina, Morocco, Mexico, and other countries.
![](https://xakep.ru/wp-content/uploads/2025/02/503160/GjLHxtaXoAEz8iS-scaled.jpg)
The researchers note that the attacking IP addresses are distributed across multiple networks and autonomous systems (ASes) and are likely part of a botnet or associated with residential proxies.
The attacking devices are mainly MikroTik, Huawei, Cisco, Boa, and ZTE routers, as well as various IoT devices that often become prey to botnets.
The targets are security devices, including firewalls, VPNs, and gateways that are often accessible via the Internet and can be used for remote access. According to the researchers, such devices could be of interest to attackers as exit nodes for residential proxies: using them, cybercriminals can forward malicious traffic through corporate networks. Such nodes are usually considered ‘high-class’ because organizations owning them have a good reputation, and attacks become more difficult to detect and repel.
Last year, Cisco experts warned of a similar large-scale brute-forcing campaign targeting Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti devices worldwide.
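When attempts are spread across as many addresses as described above, each source may send only a few guesses, so a per-source failure threshold can stay silent. The following is an added example (not code from the researchers or the original article) that counts distinct sources per targeted account instead; the log format, thresholds, function names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> auth-fail user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth-fail user=(\S+) src=(\S+)$")

def parse(lines):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def per_source_alerts(events, max_fails=5):
    """Per-IP rule: flag any single source with more than max_fails failures."""
    counts = defaultdict(int)
    for _, _, src in events:
        counts[src] += 1
    return {src for src, n in counts.items() if n > max_fails}

def distributed_alerts(events, window=timedelta(minutes=10), min_sources=20):
    """Flag accounts failing from >= min_sources distinct IPs inside a sliding window."""
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start, in_window = 0, defaultdict(int)
        for ts, src in hits:
            in_window[src] += 1
            while ts - hits[start][0] > window:  # drop events older than the window
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged

def sample_log():
    """Constructed data: 40 sources try 'admin' twice each; one user mistypes 3 times."""
    base = datetime(2025, 2, 1, 3, 0, 0)
    lines = [f"{(base + timedelta(seconds=i * 10 + k)).isoformat()} auth-fail user=admin src=198.51.100.{i + 1}" for i in range(40) for k in range(2)]
    lines += [f"{(base + timedelta(seconds=k * 30)).isoformat()} auth-fail user=alice src=203.0.113.7" for k in range(3)]
    return lines
```

On the constructed sample, the per-source rule flags nothing, while the per-account rule flags `admin` with 40 distinct sources and leaves the mistyping user alone.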