A sharp jump in brute-force attacks against SonicWall and Fortinet devices has put security teams on alert, after Barracuda said such activity made up more than half of the confirmed incidents its SOC tracked during February and March, with about 88% of the attacking IP addresses geolocated to the Middle East. The company said most attempts failed because they were blocked or aimed at invalid usernames, but the scale of the campaign points to sustained probing of internet-facing network defences.
The pattern matters because these products often sit at the network edge, protecting remote access, VPN connections and firewall management. That makes them attractive initial targets: a successful login can hand an intruder a foothold inside a corporate environment. Barracuda’s April threat radar said SonicWall and FortiGate devices were the main focus of the activity, and that repeated password-guessing attempts had become one of the clearest trends seen by its managed detection teams in the first quarter of 2026.
Barracuda has stopped short of claiming that the campaign was launched by actors physically based in the region. Its researchers noted that the assessment rests on geolocation of source IP addresses, which can be misleading because attackers frequently route traffic through rented infrastructure, compromised servers or proxy networks. That caveat is significant at a time when cyber activity linked to geopolitical tension is drawing intense scrutiny. The firm’s wording suggests a concentration of infrastructure rather than definitive proof of attribution.
Even so, the timing has intensified concern. Barracuda’s findings emerged days after U.S. agencies warned that Iranian-affiliated cyber actors had escalated operations against internet-exposed industrial and critical infrastructure systems, including programmable logic controllers used in water, energy and government services. A joint advisory dated April 7 said some victims had already suffered operational disruption and financial loss. Reuters reported that U.S. officials tied the increase in such activity to the hostilities involving Iran, the United States and Israel, while stopping short of saying every attack wave observed in parallel was part of the same campaign.
That distinction is central to understanding the present threat. Brute-force attacks are often noisy, broad and opportunistic, relying on weak passwords, reused credentials or poorly protected administration portals rather than sophisticated zero-day exploits. They can be run by criminal crews, contractors, botnet operators or state-aligned groups. Anthony Fusco of Barracuda told Cybersecurity Dive that IP addresses alone are not a reliable indicator, though he said it was reasonable to suspect a mix of professional and opportunistic actors.
Security specialists say the focus on perimeter appliances is no surprise. Over the past year, network edge devices have become prized targets because they combine high privileges with direct internet exposure. Amazon Web Services said in February that a threat actor had gained access to FortiGate devices at scale through credential-based abuse of exposed management interfaces, underscoring how valuable such systems are to attackers seeking administrative credentials, VPN data and network maps. SonicWall, for its part, warned customers in August 2025 that brute-force password and MFA attacks against SSL VPN services were more feasible on systems lacking newer protections.
The broader backdrop suggests this is part of a sustained industry problem rather than an isolated burst. In February 2025, defenders tracked a massive password-spraying campaign using roughly 2.8 million IP addresses against VPNs and security devices from several vendors, including SonicWall. That episode showed how cheaply and widely brute-force infrastructure can be assembled, and why edge devices remain under constant pressure even outside moments of geopolitical strain.
For enterprises, the practical lesson is less about geography than exposure. Barracuda’s guidance is blunt: enable multifactor authentication on firewalls, VPNs and remote access systems; enforce strong unique passwords; restrict management portals to trusted IP ranges; and monitor repeated failed logins. Those steps are basic, but the pattern of attacks suggests many organisations still leave administrative interfaces too open or depend on credentials that can be guessed, reused or stolen.
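One way to act on the "monitor repeated failed logins" advice above, as an added example that is neither Barracuda's nor the article's own: a sliding-window detector that flags a source address once it exceeds a failure threshold, and reports how many distinct usernames and invalid usernames it tried, the signature of spraying rather than a user mistyping a password. The log lines are constructed and the line format and field names are assumptions; SonicWall and FortiGate emit their own log schemas, so the regex would need adapting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like shape (not a vendor format).
SAMPLE_LOG = """\
2026-03-02T10:00:01Z vpn auth failed user=admin src=203.0.113.7 reason=bad_password
2026-03-02T10:00:03Z vpn auth failed user=admin src=203.0.113.7 reason=bad_password
2026-03-02T10:00:04Z vpn auth failed user=backup src=203.0.113.7 reason=unknown_user
2026-03-02T10:00:06Z vpn auth failed user=root src=203.0.113.7 reason=unknown_user
2026-03-02T10:00:09Z vpn auth failed user=jsmith src=203.0.113.7 reason=bad_password
2026-03-02T10:00:30Z vpn auth failed user=jsmith src=198.51.100.4 reason=bad_password
2026-03-02T10:05:00Z vpn auth success user=jsmith src=198.51.100.4
2026-03-02T10:20:00Z vpn auth failed user=jsmith src=198.51.100.4 reason=bad_password
"""

# Assumed line layout: "<ts> vpn auth <failed|success> user=<u> src=<ip> [reason=<r>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>failed|success) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)

def parse(line):
    """Return a dict for one auth event, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_bruteforce(log_text, window=timedelta(minutes=5), threshold=4):
    """Map each source IP that reached `threshold` failures inside `window` to a summary."""
    recent = defaultdict(deque)  # src -> failures still inside the window
    findings = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            findings[ev["src"]] = {
                "failures": len(q),
                "distinct_users": len({e["user"] for e in q}),
                "invalid_user": sum(e["reason"] == "unknown_user" for e in q),
                "first": q[0]["ts"].isoformat(),
                "last": ev["ts"].isoformat(),
            }
    return findings

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

A single legitimate user retrying a few times stays below the threshold; the flagged source is the one cycling through several accounts, two of which do not exist.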