Barracuda Warns of Surge in Brute-Force Attacks on SonicWall and Fortinet Devices from Middle East
Researchers at Barracuda report a sharp rise in brute-force attacks targeting SonicWall and Fortinet edge devices, with 88% of attempts originating from Middle Eastern IPs amid heightened US-Israeli hostilities with Iran.

Security researchers at Barracuda have detected a sharp rise in brute-force attempts to hijack SonicWall and Fortinet edge devices, with the vast majority of attacks appearing to originate from the Middle East. According to a report published today, 88% of the observed brute-force attempts came from IP addresses in the region, and over half (56%) of all confirmed incidents from February to March 2026 involved this type of attack. While most attempts were blocked by security tools or targeted invalid usernames, the persistent probing raises the risk that a single weak password or misconfiguration could lead to a full compromise.
The timing of the campaign coincides with heightened US and Israeli hostilities against Iran, and researchers note that the line between state-backed efforts and financially motivated cybercrime is increasingly blurred. Recent weeks have seen multiple reports of attacks from Iranian-affiliated hackers, including raids against US critical infrastructure providers and medtech firms, as well as the re-emergence of the Pay2Key ransomware group. Barracuda senior cybersecurity analyst Laila Mubashar warned that attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials.
Edge devices such as VPNs and firewall appliances from vendors like SonicWall and Fortinet are a popular target because they are internet-facing and provide a foothold inside corporate networks. The Barracuda report notes that even when brute-force attempts fail, the persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise. The company urged organizations to enforce strong, unique passwords on all network and security devices, enable multi-factor authentication (MFA) on all VPNs, firewalls, and remote access services, monitor and investigate repeated failed login attempts, and restrict management interfaces to trusted IP ranges where possible.
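
To illustrate the recommendation to monitor and investigate repeated failed login attempts, the following Python example (added here, not code from Barracuda or the original report) counts failures per source IP in a sliding window and raises a separate alert when a login succeeds right after such a burst. The log layout, field names, threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a generic key=value layout; not a SonicWall or Fortinet log format.
SAMPLE_LOG = """\
2026-03-01T10:00:00 src=203.0.113.7 user=admin result=fail reason=invalid_user
2026-03-01T10:00:20 src=203.0.113.7 user=root result=fail reason=invalid_user
2026-03-01T10:00:40 src=203.0.113.7 user=vpnuser result=fail reason=bad_password
2026-03-01T10:01:00 src=203.0.113.7 user=vpnuser result=fail reason=bad_password
2026-03-01T10:01:20 src=203.0.113.7 user=vpnuser result=fail reason=bad_password
2026-03-01T10:01:40 src=203.0.113.7 user=vpnuser result=ok
2026-03-01T10:02:00 src=198.51.100.4 user=alice result=fail reason=bad_password
2026-03-01T10:02:30 src=198.51.100.4 user=alice result=ok
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\w+)(?: reason=(\w+))?$")

def parse(text):
    """Turn log text into (time, src, user, result, reason) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the assumed layout are skipped
            ts, src, user, result, reason = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result, reason))
    return sorted(events, key=lambda e: e[0])

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on a burst of failures per source, and on a success that follows one."""
    fails = defaultdict(deque)  # src -> (time, user, reason) of failures still in window
    flagged, alerts = set(), []
    for ts, src, user, result, reason in events:
        q = fails[src]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures older than the window
        if not q:
            flagged.discard(src)  # burst is over; a later burst alerts again
        if result == "fail":
            q.append((ts, user, reason))
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                invalid = sum(1 for _, _, r in q if r == "invalid_user")
                alerts.append({"type": "brute_force", "src": src, "time": ts,
                               "users_tried": sorted({u for _, u, _ in q}),
                               "invalid_user_failures": invalid})
        elif result == "ok" and len(q) >= threshold:
            # A success right after a burst is the case to investigate first.
            alerts.append({"type": "success_after_failures", "src": src,
                           "time": ts, "user": user})
            q.clear()
    return alerts
```

On the constructed sample, the single mistyped password from 198.51.100.4 raises nothing, while 203.0.113.7 produces both a burst alert and a success-after-failures alert for `vpnuser`.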
In addition to the brute-force campaign, Barracuda also sounded the alarm over a surge in a category of social engineering attacks known as "ClickFix." In these attacks, users are tricked into copying and executing a malicious script to fix a non-existent technical issue. Mubashar explained that such attacks exploit user trust and anxiety, using familiar elements such as pop-ups, prompts, and instructions to run a fix. Because ClickFix attacks rely on duping users into running the malicious commands themselves, they are harder for automated security systems to detect.
Barracuda advised organizations to improve end-user education, restrict who can run PowerShell, scripts, or command-line tools, and deploy tools to monitor for unusual behavior. The dual warnings highlight the evolving threat landscape where both technical brute-force attacks and social engineering tactics are being used to target perimeter devices and end users alike.
The findings come as geopolitical tensions in the Middle East continue to drive cyber activity. The convergence of state-sponsored and financially motivated threats, combined with the persistent targeting of edge devices, underscores the need for organizations to strengthen their perimeter defenses and user awareness training. Barracuda's recommendations provide a practical roadmap for mitigating these risks.