Malicious actors gain authenticated access to devices by searching the web for default credentials. They use default credentials for VPN access to internal networks, and default administrative credentials to gain access to web applications and databases.
Source: US-CERT