Palo Alto Networks Unit 42 (archived Jun 20, 2026)
Threat Brief: Mitigating Large-Scale Credential Attacks
We provide guidance for preparing for and mitigating large-scale credential attacks, focusing on recent campaigns targeting security vendors' devices.
Unit 42 is aware of a large-scale password spraying and credential theft campaign (“FortiBleed”) against Fortinet devices. We observed attempts targeting MSSQL devices as well, and have seen reports of Sophos devices also being targeted. While this activity is not targeting Palo Alto Networks devices, Unit 42 has observed suspicious login attempts in customer telemetry, and we are providing this report out of an abundance of caution to ensure our customers have the latest intelligence and product recommendations to protect against, detect and respond to attacks on their networks.
The threat actors are using a curated password list to attempt password spraying against services exposed to the internet. Unit 42 assesses that the initial password list for this activity was likely developed through a mix of previous breaches, including the successful exploitation of vulnerabilities. Once they obtain credentials, they add them to their password list for future attempts against additional targets, as well as for logging into accounts they successfully compromised.
The threat actors are leveraging a multi-stage process to gain persistent, high-privilege access:
Password spraying for initial access: Massive internet-wide scanning and password spraying attempts against Fortinet, Sophos and MSSQL services
Configuration extraction: Depending on the permissions of their initial access, the actor may exploit a privilege escalation vulnerability prior to pulling device configuration files, including stored credentials
Offline cracking: Offline password cracking of the stolen credentials adds to the password list used in step one to target new devices, as well as to log into compromised devices to establish persistence as an administrator
Unit 42 observed an initial access broker (IAB) on the Russian-language cybercrime forum Exploit[.]in claiming responsibility for this campaign, referencing a CVE (no further information), and offering the harvested credentials for sale on June 16, 2026. Unit 42 has not validated their claims at this time.
Figure 1. Darkweb post of IAB selling credentials.
Unit 42 recommends auditing remote access logs for suspicious activity with a focus on successful logins shortly after large volume password failure events. We also recommend reviewing and implementing the hardening guidance below for edge devices.
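The audit described above, as an added example that is not Unit 42 code: it scans remote-access authentication events and flags a successful login that follows a burst of failures from the same source spread across several accounts, the shape password spraying leaves in logs. The log format, field names and thresholds are assumptions; the sample lines are constructed.

```python
"""Flag successful logins that follow a burst of failures (password-spray pattern).

Added example for this brief, not Unit 42 code. It assumes a simplified,
constructed log format: "<ISO timestamp> <src_ip> <user> <SUCCESS|FAIL>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one source sprays many accounts, then succeeds;
# a second source fails once on its own account and then succeeds (not a spray).
SAMPLE_LOG = """\
2026-06-17T01:00:01 203.0.113.5 alice FAIL
2026-06-17T01:00:02 203.0.113.5 bob FAIL
2026-06-17T01:00:03 203.0.113.5 carol FAIL
2026-06-17T01:00:04 203.0.113.5 dave FAIL
2026-06-17T01:00:05 203.0.113.5 erin FAIL
2026-06-17T01:00:09 203.0.113.5 frank SUCCESS
2026-06-17T01:05:00 198.51.100.7 alice FAIL
2026-06-17T01:05:30 198.51.100.7 alice SUCCESS
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_spray_logins(log_text, window=timedelta(minutes=10),
                      min_failures=5, min_users=3):
    """Return (timestamp, ip, user, failures, distinct_users) for each SUCCESS
    preceded, within `window`, by at least `min_failures` FAILs from the same
    source that touched at least `min_users` distinct accounts."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, user) failures in window
    alerts = []
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        q = recent[ip]
        while q and ts - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            continue
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            alerts.append((ts, ip, user, len(q), len(users)))
    return alerts

if __name__ == "__main__":
    for alert in find_spray_logins(SAMPLE_LOG):
        print("possible spray success:", alert)
```

Tune `window`, `min_failures` and `min_users` to your own baseline; a single account retrying its own password should not trip the distinct-user threshold, while a spray across many accounts will.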
SOCRadar provided the initial reporting on the targeting of FortiGate devices.
Palo Alto Networks customers receive assistance protecting against and mitigating credential attacks in the following ways:
PAN-OS uses a Master Key to encrypt cryptographic keys using either the AES-256-CBC or AES-256-GCM encryption algorithm
PAN-OS stores only salted SHA-256 password hashes
Customers can integrate several MFA platforms to enhance their security posture
Customers can customize Password Profiles and complexity
Customers can follow our Administrative Access Best Practices
Palo Alto Networks also recommends the following hardening guidelines:
Require MFA: Require multi-factor authentication for all remote services. NGFW customers can integrate several MFA platforms and customize their Password Profiles and complexity to enhance their security posture.
Adopt Zero Trust Architecture: Leverage “jump boxes” and Zero Trust Network Access (ZTNA) policies to ensure management interfaces are never exposed directly to the public internet, further narrowing the attack surface for configuration extraction.
Change Default Credentials: Change the credentials for default accounts, ensuring long, complex passwords are used to mitigate the risk of password guessing attempts.
Disable Unused Accounts: Disable unused accounts to limit the attack surface.
Update and Patch: Ensure you have the latest software versions and patches installed to mitigate known vulnerabilities, including local privilege escalation vulnerabilities.
The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Conclusion
Unit 42 will continue to monitor the situation for updated information. We encourage customers to implement the hunting and hardening recommendations to identify, mitigate, and prevent credential attacks against their networks.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members, including Fortinet. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks Product Protections and Consulting Services
Palo Alto Networks customers can leverage a variety of product protections and consulting services to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774
Deep and Darkweb Monitoring
Unit 42's Deep and Dark Web (DDW) monitoring is a service that assists clients in identifying sensitive information and leaked credentials that surface on the dark web, providing critical insights to reduce risk exposure and reduce the time between detection and response.
References
Analysis of Reported Credential Compromise of Fortigate Devices — Fortinet
FortiBleed Breach: How 80,000+ Corporate Firewalls Were Quietly Compromised — SOCRadar
What is Zero Trust Network Access (ZTNA)? — Palo Alto Networks
Next-Generation Firewall: Multi-Factor Authentication — Palo Alto Networks, Tech Docs
Administrative Access Best Practices — Palo Alto Networks, Tech Docs
Panorama Administrator's Guide: Configure Panorama Password Profiles — Palo Alto Networks, Tech Docs