< ciso brief />

All news with #brute force tag

20 articles

Surge in Brute-Force Attacks Targeting VPN Devices

🔒 Security researchers have observed a sharp rise in brute-force attempts aimed at edge devices, notably SonicWall and Fortinet appliances, with 88% of observed traffic traced to the Middle East. Barracuda reports most attempts failed, often blocked or directed at invalid usernames. The activity peaked between February and March and accounted for 56% of confirmed incidents targeting perimeter devices. Analysts warn these probes increase the risk posed by weak credentials or misconfigurations and urge stronger controls.

Brute-Force Login Reveals Ransomware Infrastructure Network

🔎 The Huntress Tactical Response Team describes how a seemingly routine RDP brute-force alert exposed a larger ransomware-as-a-service ecosystem. Investigators found one successful login used from multiple geographically distributed IPs, domain enumeration activity, and unusual manual searches for credential files rather than typical credential dumping tools. Further pivots on TLS certificates and domains tied the activity to a privacy-focused VPN service and related infrastructure, and the report provides specific IOCs for defenders.

OpenClaw 'ClawJacked' Flaw Lets Webpages Take Control

🔒 OpenClaw addressed a high-severity vulnerability codenamed ClawJacked that allowed attacker-controlled webpages to connect to a local OpenClaw gateway, brute-force its password (no rate limiting), and register as a trusted device with admin privileges because localhost registrations were silently approved. The vendor released 2026.2.25 on Feb 26, 2026, and urges immediate updates, access audits, and stronger governance for agent identities.

Locking Down Endpoint Vulnerabilities Across Laptops and IoT

🔒 Attackers frequently exploit common endpoint weaknesses—exposed Remote Desktop Protocol (RDP), sophisticated phishing, abused Remote Monitoring and Management (RMM) tools, and unpatched software—to gain access and persist. The article shows how brute-force RDP, AI-enhanced phishing, and misconfigured RMMs enable lateral movement and stealthy persistence. Implement MFA, regular patching, EDR, RMM audits, and user training to reduce risk.

Amazon: AI-assisted actor breached 600 FortiGate firewalls

🔍 Amazon says a Russian-speaking threat actor used commercial AI services to help breach over 600 FortiGate firewalls across 55 countries during a five-week campaign in early 2026. The attacker did not rely on zero-day exploits but instead scanned internet-facing management ports and used brute-force attempts against weak credentials lacking MFA. After gaining access, the actor extracted device configurations (including SSL-VPN and administrative credentials) and deployed AI-assisted Python and Go tools to parse settings, map networks, and automate reconnaissance. Amazon urges administrators to remove exposed management interfaces, enable MFA, ensure VPN passwords differ from Active Directory credentials, and harden backup systems.

SSHStalker botnet brute-forces thousands of Linux hosts

🔐 Researchers at Flare Systems uncovered a botnet, dubbed SSHStalker, that brute-forces weak SSH passwords and had compromised an estimated 7,000 Linux servers by the end of January, with roughly half located in the United States. The toolkit combines fileless malware, rootkits, log cleaners and a library of kernel exploits — some dating to 2009 — and can harvest AWS credentials. Flare characterizes it as a "scale-first" operation focused on persistence; observed capabilities include DDoS and cryptomining, though monetization has not yet been seen. Immediate mitigations include disabling SSH password authentication, switching to key-based or short-lived credentials, and restricting and rate-limiting SSH access.

GoBruteforcer Botnet Targets Crypto Databases via Weak Keys

🔒 A new wave of GoBruteforcer attacks is targeting cryptocurrency and blockchain project databases by exploiting weak, reused credentials and exposed services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux hosts. Check Point Research reports the Golang-based botnet deploys obfuscated IRC bots and web shells, leverages XAMPP FTP as an initial vector, and uses brute-force modules to expand, host payloads, and act as backup C2.

GoBruteforcer Botnet Bruteforces Exposed Linux Services

🔒 Check Point Research (CPR) reports that the GoBruteforcer botnet is actively targeting internet-facing Linux servers, using large-scale brute-force attacks against services such as FTP, MySQL, PostgreSQL and phpMyAdmin. The latest Go-based variant, observed since mid-2025, introduces heavier obfuscation, stronger persistence and techniques to hide malicious processes. Compromised hosts become scanning and attack nodes, enabling data theft, backdoors, resale of access and further propagation. Analysts also recovered tools used to sweep TRON and Binance Smart Chain assets, underscoring a financial motive behind some campaigns.

GoBruteforcer Botnet Targets Crypto Project Servers

🔐 A new wave of GoBruteforcer botnet attacks is targeting exposed FTP, MySQL, PostgreSQL and phpMyAdmin services used by cryptocurrency and blockchain projects. Check Point reports the Golang-based botnet brute-forces weak or default credentials—often from servers deployed with AI-generated configuration snippets—and then deploys web shells and downloader stages. The malware scans random public IPv4s, spawning up to 95 threads while skipping private, AWS, and U.S. government ranges. Administrators are advised to remove defaults, audit exposed services, and replace outdated stacks like XAMPP.

New Wave of VPN Login Attempts Targets GlobalProtect

🔐 Beginning December 2, a campaign using more than 7,000 IPs from German host 3xK GmbH (AS200373) carried out brute-force login attempts against Palo Alto GlobalProtect portals and soon pivoted to scanning SonicWall SonicOS API endpoints. GreyNoise links the activity to three recurring client fingerprints seen in prior scans and to earlier campaigns that generated millions of HTTP sessions. Organizations should monitor authentication velocity and failures, block implicated IPs and fingerprints, and enforce MFA to reduce credential abuse.

Retailers Brace for Holiday Fraud, Not Major Breach Spike

🔒 Huntsman Security's analysis of ICO reports from Q3 2024 to Q2 2025 indicates the retail and manufacturing sector experienced only minor seasonal peaks, with 1,381 incidents overall and quarterly counts clustered in the mid-300s. The firm reported 618 breaches caused by brute force, misconfigurations, malware, phishing and ransomware, and urged a shift to continuous assurance so defenses do not drift into vulnerable states. Other vendors cautioned that more than half of recent ransomware incidents occurred on weekends or holidays, while researchers warned of AI-enabled fake e-commerce sites, typosquatted domains and package-tracking scams targeting shoppers.

Massive Multi-Country Botnet Targets US RDP Services

🔍 Researchers at GreyNoise have identified a large-scale, multi-country botnet that began targeting Remote Desktop Protocol (RDP) services in the United States on October 8. The campaign uses over 100,000 IP addresses and employs two RDP-specific techniques: RD Web Access timing attacks to infer valid usernames and RDP Web Client login enumeration to observe differing server behaviors. Nearly all sources share a common TCP fingerprint, indicating coordinated clusters. Administrators should block attacking IPs, review RDP logs, and avoid exposing remote desktop services to the public internet—use VPNs and enable multi-factor authentication.

Botnet Uses 100,000 IPs in Massive RDP Attack Wave

🛡️ GreyNoise researchers uncovered a massive RDP attack wave using more than 100,000 IP addresses across over 100 countries, which analysts link to a single large botnet targeting U.S. Remote Desktop infrastructure. The attackers used two enumeration techniques — an RD Web Access timing attack to infer valid usernames and an RDP Web Client login enumeration to guess credentials — enabling efficient compromise while reducing obvious alerts. GreyNoise published a dynamic blocklist template, microsoft-rdp-botnet-oct-25, and recommends that organizations review logs for unusual RDP access patterns and automatically block associated IPs at the network edge.

SonicWall Cloud Backups Accessed in Firewall Breach

🔒 SonicWall has confirmed that an unauthorized actor accessed firewall configuration backup files stored in its cloud backup service for customers. The files include encrypted credentials and device configuration data; while encryption remains in place, SonicWall warned that possession of these backups could increase the risk of targeted attacks. The vendor says access was achieved via brute-force attacks and that suspicious activity was first detected in early September 2025. Working with Mandiant, SonicWall has issued remediation tools, published impacted device lists in the MySonicWall portal, and is notifying affected partners and customers.

SonicWall Advisory After MySonicWall Cloud Backup Incident

🔐 SonicWall released an advisory after identifying unauthorized access to a subset of customer cloud backup preference files stored via the MySonicWall portal. SonicWall’s investigation indicates a threat actor used brute force methods against MySonicWall.com to retrieve preference files that, while containing encrypted credentials, included other device-specific data that could enable access to SonicWall firewall devices. CISA urges customers to log into their accounts to verify exposures and to follow the advisory’s containment and remediation steps immediately.

SonicWall Urges Password Resets After Backup Files Exposure

🔒 SonicWall is urging customers to reset credentials after detecting suspicious activity that exposed firewall configuration backup files stored in MySonicWall cloud for under 5% of users. Although stored credentials were encrypted, the preference files contained information that could help attackers exploit related firewalls; the company says this was a series of brute-force accesses, not a ransomware event. Customers should verify backups, disable remote management and VPN access, reset passwords and TOTPs, review logs, and import the provided randomized preferences file that resets local passwords, TOTP bindings, and IPSec keys.

SonicWall: Cloud Backup Compromise Impacts 5% of Base

🔒 SonicWall has disclosed a security incident affecting its cloud backup service for firewalls, reporting that threat actors accessed stored preference files for roughly 5% of its install base. While credentials inside those files are encrypted, exposed metadata such as serial numbers could enable future targeting. SonicWall said this was not a ransomware event but a series of brute-force attempts. Impacted customers are asked to check MySonicWall, restrict WAN access, follow the vendor's remediation checklist, and import a supplied preferences file that randomizes local passwords and IPSec keys.

Brute-force Attacks Target SonicWall Cloud Backups

🔒 SonicWall warned that brute-force attacks against its firewall API used for cloud backups may have exposed preference files stored in customers' MySonicWall.com portals. The vendor has disabled the cloud backup capability and is urging admins to restrict or disable SSLVPN and Web/SSH management over the WAN, then reset passwords, keys, and secrets. Less than 5% of the install base had backups in the cloud, but that could still affect thousands of organizations. SonicWall has provided remediation guidance and will notify customers if their accounts show impacted serial numbers.

Surge in Network Scans Targets Cisco ASA Devices Worldwide

🔎 Security researchers observed a large surge in network scans probing Cisco ASA login portals and Cisco IOS Telnet/SSH endpoints, with GreyNoise recording two major spikes in late August 2025. The second wave on August 26, 2025, was largely (about 80%) driven by a Brazilian botnet using roughly 17,000 IPs and overlapping Chrome-like user agents that suggest a common origin. Administrators are urged to apply the latest patches, enforce MFA for remote ASA logins, avoid exposing management pages and services directly, and use VPN concentrators, reverse proxies, geo-blocking, and rate limiting to reduce risk.

Ukrainian AS FDN3 Linked to Massive Brute-Force Attacks

🔒 Intrinsec reports that Ukraine-based autonomous system FDN3 (AS211736) conducted widespread brute-force and password-spraying campaigns targeting SSL VPN and RDP endpoints between June and July 2025, with activity peaking July 6–8. The firm links FDN3 to two other Ukrainian ASes (AS61432, AS210950) and a Seychelles operator (AS210848) that frequently exchange IPv4 prefixes to evade blocklisting. Intrinsec highlights ties to bulletproof hosting providers and a Russian-associated Alex Host LLC, stressing that offshore peering arrangements complicate attribution and takedown efforts.