Brute-Force Attacks from Middle East Surge Massively in Q1 2026 — SonicWall and FortiGate Devices Hit Hardest
Summary
A new report from Barracuda reveals a massive surge in brute-force authentication attacks during Q1 2026, with nearly 90% of the threat activity originating from Middle East IP addresses. The attacks primarily targeted SonicWall and Fortinet FortiGate network devices, accounting for more than half of all threat activity tracked between February and March.
Barracuda’s Anthony Fusco noted that while IP geolocation alone isn’t definitive, it’s “safe to assume” a mix of state-linked, professional, and opportunistic groups were involved. The surge coincided with increased Iranian-nexus threat activity following the U.S. and Israeli bombing campaign launched in late February. The FBI and CISA issued a warning last week that Iran-linked hackers have been targeting water, energy, and other critical infrastructure in the U.S.
Security teams are urged to enforce multifactor authentication on firewalls and VPNs, use complex passwords, and monitor for repeated failed login attempts.
Source
Cybersecurity Dive — Brute-force cyberattacks originating in Middle East surge in Q1
Commentary
The correlation with geopolitical events is hard to ignore. When kinetic conflict escalates, cyber operations follow — and perimeter devices like SonicWall and FortiGate are the low-hanging fruit. These devices sit at the network edge, often with exposed management interfaces and credentials that haven’t been rotated since deployment.
The fact that brute-force attacks — one of the oldest and crudest techniques in the book — still account for over half of tracked threat activity tells you everything about the state of basic security hygiene. If your edge devices don’t have MFA enforced and you’re not monitoring failed auth attempts, you’re essentially leaving the front door unlocked during a crime wave.
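The failed-login monitoring recommended above, as an added example that is not from the Barracuda report or the source article: a sliding-window check that flags a source IP for repeated failed logins and, going slightly beyond the text, for failures spread across several usernames. The key=value log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (simplified key=value lines; field names are assumptions,
# not a vendor log schema). Addresses come from documentation ranges.
SAMPLE_LOG = """\
time=2026-03-02T10:00:01 srcip=203.0.113.7 user=admin action=login status=failed
time=2026-03-02T10:00:03 srcip=203.0.113.7 user=admin action=login status=failed
time=2026-03-02T10:00:05 srcip=198.51.100.23 user=admin action=login status=failed
time=2026-03-02T10:00:06 srcip=203.0.113.7 user=admin action=login status=failed
time=2026-03-02T10:00:09 srcip=198.51.100.23 user=vpnuser action=login status=failed
time=2026-03-02T10:00:10 srcip=203.0.113.7 user=admin action=login status=failed
time=2026-03-02T10:00:12 srcip=192.0.2.50 user=jsmith action=login status=failed
time=2026-03-02T10:00:14 srcip=198.51.100.23 user=support action=login status=failed
time=2026-03-02T10:00:15 srcip=203.0.113.7 user=admin action=login status=failed
time=2026-03-02T10:00:20 srcip=192.0.2.50 user=jsmith action=login status=success
time=2026-03-02T10:20:00 srcip=192.0.2.50 user=jsmith action=login status=failed
this line is malformed and must be skipped
"""

KV = re.compile(r"(\w+)=(\S+)")

def detect(lines, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return {srcip: reason} for sources that cross a threshold inside the window."""
    recent = defaultdict(deque)  # srcip -> (timestamp, user) of recent failed logins
    alerts = {}
    for line in lines:
        ev = dict(KV.findall(line))
        if ev.get("action") != "login" or ev.get("status") != "failed":
            continue  # successes, other events and unparseable lines are ignored
        try:
            ts, src = datetime.fromisoformat(ev["time"]), ev["srcip"]
        except (KeyError, ValueError):
            continue  # failed-login record without a usable time or source
        q = recent[src]
        q.append((ts, ev.get("user", "")))
        while ts - q[0][0] > window:  # evict failures older than the window
            q.popleft()
        if len({user for _, user in q}) >= max_users:
            alerts[src] = "password-spray"  # many accounts tried from one source
        elif len(q) >= max_failures:
            alerts.setdefault(src, "brute-force")  # many tries, few accounts
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

A short window like this misses attempts spaced further apart than the window, so it is worth running a second pass with a longer window and a higher threshold.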


