Security researchers have detected a “sharp rise” in brute-force attempts to hijack SonicWall and Fortinet devices, with the vast majority (88%) appearing to come from the Middle East.
Barracuda said most of these attempts were unsuccessful as they were either blocked outright by security tools or directed at invalid usernames.
Although these attacks may simply have been routed through servers and networks in the region, the timing would seem to coincide with US and Israeli hostilities against Iran.
There have been various reports of attacks from Iranian-affiliated hackers over recent weeks, including raids against US critical infrastructure providers and medtech firms.
The line between state-backed efforts and financially motivated cybercrime is increasingly blurred, as evidenced by the re-emergence of the Pay2Key ransomware group.
Read more on Middle East threats: Hybrid Middle East Conflict Triggers Surge in Global Cyber Activity.
Edge devices such as the VPNs and firewall appliances manufactured by vendors like SonicWall and Fortinet are a popular target for attack given that they are internet-facing but also provide a foothold inside corporate networks.
Barracuda said over half (56%) of all confirmed incidents from February to March related to this type of brute-force attack.
“Attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials,” warned Barracuda senior cybersecurity analyst, Laila Mubashar. “Even when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise.”
She urged organizations to:
- Enforce strong, unique passwords on all network and security devices
- Enable multi-factor authentication (MFA) on all VPNs, firewalls and remote access services
- Monitor and investigate repeated failed login attempts
- Restrict management interfaces to trusted IP ranges where possible
Rise in ClickFix Attacks
Barracuda also sounded the alarm over a surge in a category of social engineering attacks known as “ClickFix,” in which users are tricked into copying and executing a malicious script in a bid to fix a non-existent technical issue.
Mubashar explained that such attacks exploit user trust and anxiety.
“The attackers use familiar elements and language such as pop-ups, prompts and running a fix,” she added. “Because ClickFix attacks rely on duping users into adding malicious commands themselves, such attacks are harder for automated security systems to spot.”
Organizations should improve end-user education, restrict who can run PowerShell, scripts or command-line tools, and deploy tools to monitor for unusual behavior, Barracuda advised.
