
88% of Firewall Brute-Force Attacks Now Originate from the Middle East — Saudi Financial Perimeter Security Under Siege

Barracuda's SOC data reveals that 88% of surging brute-force attacks against SonicWall and FortiGate perimeter devices in Q1 2026 originate from the Middle East — a direct and escalating threat for Saudi financial institutions.

FyntraLink Team

Between January and March 2026, Barracuda Managed XDR's SOC recorded a dramatic spike in confirmed brute-force authentication attempts against SonicWall and FortiGate perimeter devices — with 88% of the attack traffic originating from within the Middle East itself. For Saudi financial institutions relying on these platforms as their first line of defense, this is not a theoretical risk. It is an active campaign on your doorstep.

What the Data Reveals: A Coordinated Regional Assault

According to Barracuda's April 2026 SOC Threat Radar report, brute-force authentication alerts against SonicWall and FortiGate appliances accounted for more than 56% of all confirmed incidents handled by the SOC during February and March 2026, a concentration the report's analysts describe as unprecedented. The attacks predominantly targeted VPN endpoints and management interfaces exposed to the internet, probing for weak or default credentials. Most attempts were blocked or aimed at usernames that did not exist, but the report's conclusion stands: a single misconfiguration or weak password is all it takes for one of these attempts to succeed. The report links the surge to a prior wave of state-sponsored attacks on SonicWall's MySonicWall cloud backup service in late 2025, which suggests this is not opportunistic noise but deliberate, persistent, and regionally coordinated activity.

Why Edge Devices Are the Attacker's Preferred Entry Point

Firewalls and VPN concentrators from SonicWall and Fortinet occupy a uniquely dangerous position in the network architecture: they are internet-facing yet provide a trusted gateway deep into the corporate environment. A successful authentication bypass or credential compromise on a FortiGate or SonicWall device lands the attacker on network segments that internal controls typically assume are already trusted, with lateral movement as the next step. This is compounded by the reality that many organizations patch perimeter devices less rigorously than endpoint or server infrastructure, leaving known vulnerabilities open for exploitation. FortiGate appliances in particular have a history of high-severity, pre-authentication CVEs that threat actors continue to weaponize after patches are available: CVE-2024-21762 (an out-of-bounds write in the SSL VPN daemon, FG-IR-24-015) and CVE-2024-55591 (an authentication bypass via the Node.js websocket module, FG-IR-24-535). Neither requires a valid credential, so on an unpatched device the brute-force traffic described above is only one of two ways in, and patch adoption in production environments remains slow.

Impact on Saudi Financial Institutions Under SAMA CSCC and NCA ECC

The Saudi Central Bank's (SAMA, formerly the Saudi Arabian Monetary Authority) Cyber Security Framework (SAMA CSCC) mandates robust controls around network perimeter management, access control, and continuous monitoring, requirements that map directly to this threat. Under SAMA CSCC Domain 4 (Cybersecurity Operations), SAMA-regulated entities are expected to detect and respond to anomalous authentication activity against critical network infrastructure in near real time. The NCA Essential Cybersecurity Controls (ECC-1:2018) similarly require that organizations implement multi-factor authentication (MFA) on all remote access interfaces and maintain audit logs of authentication events. An organization running exposed SonicWall or FortiGate management interfaces without MFA, account lockout policies, or geo-based access restrictions is likely non-compliant today, and exposed to the exact attack pattern Barracuda documented in Q1 2026.

Tactical Response: What to Do This Week

  1. Audit your perimeter attack surface immediately. Use Shodan, FOFA, or your ASM tool to confirm which SonicWall and FortiGate management interfaces and VPN portals are reachable from the internet (commonly 443 and 8443 for the admin GUI, 4433 for the SonicWall SSL VPN and often 10443 for the FortiGate SSL VPN). Any management interface exposed without IP allowlisting is an open invitation; the management plane should not be internet-reachable at all, only the VPN portal should be, and then only behind MFA.
  2. Enforce MFA on all VPN and management access. Both FortiGate (FortiToken, FortiAuthenticator, or RADIUS with TOTP) and SonicWall (TOTP, Duo, Microsoft Entra ID, formerly Azure AD) support MFA natively. If MFA is not enforced today, treat it as a P1 remediation item.
  3. Implement account lockout and geo-blocking policies. Configure authentication lockout after 5 failed attempts and a lockout duration long enough to make spraying expensive; on FortiOS this is the `admin-lockout-threshold` / `admin-lockout-duration` pair under `config system global` for administrators, with `trusthost` entries on each admin account for IP allowlisting. Restrict management access to Saudi Arabia and your office IP ranges where operationally feasible, but note that Barracuda's own data shows most of this traffic already exits from inside the region, so a country allowlist narrows the aperture and does not replace MFA and lockout.
  4. Validate patch status against FortiOS and SonicOS advisories. Record the installed version of every device (`get system status` on FortiOS) and cross-reference it against Fortinet's PSIRT advisories and SonicWall's security bulletins. Specifically verify that CVE-2024-21762 and CVE-2024-55591 remediations are in place on all FortiGate devices, and that the SonicWall fleet is on a build covered by the current bulletins.
  5. Feed failed authentication alerts into your SIEM with geo-enrichment. Alert on two patterns per source IP: many failures in a short window (brute force) and failures spread across many distinct usernames (password spray), and raise priority when failures spike from regional IP blocks. Integrate with threat intelligence feeds (e.g., Pulsedive, GreyNoise) to correlate with known VPN-spray infrastructure.
  6. Review your SAMA CSCC Domain 4 posture. Conduct a gap assessment against the continuous monitoring and incident response requirements — particularly around detection time-to-alert for perimeter authentication events.
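The detection logic behind steps 3 and 5, as an added example rather than code from Barracuda, Fortinet, or the original post. It parses FortiGate-style key=value syslog (SSL VPN login failures, `action="ssl-login-fail"`, and failed admin logins, `action="login" status="failed"`), counts failures per source in a sliding window, flags a source as brute force or password spray, and enriches each alert with a country code. The log lines are constructed for illustration, and the prefix-to-country table is a stand-in for a real GeoIP database (the ranges are RFC 5737 documentation addresses, not real allocations). Thresholds (5 failures in 5 minutes, 3 distinct users for spray) are assumptions to tune against your own baseline.

```python
"""Brute-force / password-spray detection over FortiGate-style key=value logs.

Added example; not Barracuda's, Fortinet's, or the page author's code.
Sample log lines are constructed. GEO_PREFIXES stands in for a GeoIP database.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# key=value pairs; values may be double-quoted and contain spaces or '='.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse one FortiGate-style key=value syslog line into a dict."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


# Constructed stand-in for a GeoIP lookup (prefix -> ISO country code).
# Production code would query MaxMind/ipinfo; these are documentation ranges.
GEO_PREFIXES = {"203.0.113.": "AE", "198.51.100.": "SA", "192.0.2.": "DE"}


def country_of(ip):
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def is_auth_failure(ev):
    """SSL-VPN login failures plus failed admin GUI/CLI logins."""
    return ev.get("action") == "ssl-login-fail" or (
        ev.get("action") == "login" and ev.get("status") == "failed")


def source_ip(ev):
    # SSL-VPN events carry remip; admin-login events carry srcip.
    return ev.get("remip") or ev.get("srcip")


def event_time(ev):
    return datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")


def detect(lines, window=timedelta(minutes=5), max_failures=5, spray_users=3):
    """Sliding-window detector: one alert per source IP the first time it
    reaches max_failures failed logins inside `window`; tagged 'password-spray'
    when those failures span at least `spray_users` distinct usernames."""
    events = [parse_kv(l) for l in lines if l.strip()]
    events = sorted((e for e in events if is_auth_failure(e)), key=event_time)
    recent = defaultdict(deque)          # src -> deque of (timestamp, user)
    alerts, fired = [], set()
    for ev in events:
        src, ts = source_ip(ev), event_time(ev)
        q = recent[src]
        q.append((ts, ev.get("user", "")))
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures and src not in fired:
            fired.add(src)
            users = sorted({u for _, u in q})
            alerts.append({
                "src": src, "country": country_of(src), "failures": len(q),
                "users": users,
                "kind": "password-spray" if len(users) >= spray_users else "brute-force",
                "first": q[0][0].isoformat(), "last": ts.isoformat(),
            })
    return alerts


def failures_by_country(lines):
    """Geo-enriched failure counts: the per-region spike a SIEM rule keys on."""
    counts = Counter()
    for line in lines:
        ev = parse_kv(line)
        if ev and is_auth_failure(ev):
            counts[country_of(source_ip(ev))] += 1
    return counts


def _ssl_fail(t, ip, user):
    # Constructed line in the shape of a FortiGate SSL-VPN login-failure event.
    return (f'date=2026-02-14 time={t} devname="FG-EDGE-01" logid="0101039426" '
            f'type="event" subtype="vpn" level="alert" vd="root" '
            f'logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" '
            f'remip={ip} user="{user}" reason="sslvpn_login_unknown_user" '
            f'msg="SSL user failed to logged in"')


SAMPLE_LOGS = [  # constructed, not captured from a real device
    _ssl_fail("03:10:01", "203.0.113.10", "admin"),
    _ssl_fail("03:10:04", "203.0.113.10", "test"),
    _ssl_fail("03:10:09", "203.0.113.10", "vpn"),
    _ssl_fail("03:10:15", "203.0.113.10", "root"),
    _ssl_fail("03:10:22", "203.0.113.10", "guest"),
    _ssl_fail("03:10:30", "203.0.113.10", "admin"),
    _ssl_fail("03:12:00", "192.0.2.5", "admin"),
    'date=2026-02-14 time=03:12:40 devname="FG-EDGE-01" logid="0100032002" type="event" '
    'subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" '
    'ui="https(192.0.2.5)" method="https" srcip=192.0.2.5 action="login" status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed from https(192.0.2.5) '
    'because of invalid password"',
    'date=2026-02-14 time=03:13:00 devname="FG-EDGE-01" logid="0100032001" type="event" '
    'subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="netops" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 '
    'action="login" status="success" msg="Administrator netops logged in successfully"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
    print(dict(failures_by_country(SAMPLE_LOGS)))
```

On the sample input the detector fires once, for 203.0.113.10, and tags it as a password spray because the five failures inside the window hit five different usernames; the two failures from 192.0.2.5 stay below the threshold and produce no alert. In a SIEM the same two signals map onto a per-source count rule and a per-source distinct-user rule, with the country field used to raise priority rather than to suppress.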

The Bigger Picture: Regional Threat Actors Are Getting Bolder

The 88% Middle East figure is significant beyond the raw numbers. It describes where the attack traffic exits, which can include compromised hosts and proxies inside the region as well as attackers based there, so it is a source-geography measure rather than proof of who is behind the keyboard. Either way, it indicates that whoever is conducting these campaigns knows which Saudi and GCC institutions run SonicWall and FortiGate infrastructure, knowledge gathered through prior reconnaissance, leaked procurement data, or regional ISP exposure, and that country-level blocking of foreign ranges will not keep them out. The historical precedent of state-sponsored actors targeting SonicWall infrastructure in 2025 reinforces that this is not random scanning. Financial institutions in Saudi Arabia should operate under the assumption that their perimeter devices are being actively and methodically probed by adversaries who understand the regional architecture.

Conclusion

The Q1 2026 brute-force surge against SonicWall and FortiGate is a clear signal that Saudi financial institutions cannot treat perimeter device hardening as a checkbox exercise. The threat is concentrated, regional, and persistent. SAMA CSCC and NCA ECC provide the compliance mandate — but what is needed now is operational urgency: audit your attack surface, enforce MFA, and activate SOC monitoring for perimeter authentication events before the next wave arrives.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a perimeter security review against SAMA CSCC Domain 4 requirements.