
Credential Attacks Target Fortinet, Sophos, MSSQL Devices in Large-Scale Campaign


“FortiBleed” — Unit 42 is aware of a large‑scale password spraying and credential theft campaign against Fortinet devices.

The FortiBleed campaign and observed scope

Unit 42 reports a coordinated campaign of massive internet‑wide scanning and password spraying targeting Fortinet devices; it has also seen attempts against MSSQL services and notes reports of Sophos devices being targeted. The advisory makes clear the activity is not targeting Palo Alto Networks devices specifically, though Unit 42 has observed suspicious login attempts in customer telemetry and issued guidance out of an abundance of caution.

Unit 42 observed an initial access broker (IAB) on the Russian‑language cybercrime forum Exploit[.]in claiming responsibility for the campaign, referencing a CVE and offering harvested credentials for sale on June 16, 2026. Unit 42 has not validated those forum claims.

How the adversary operates: three stages

Unit 42 describes a multistage approach the threat actors use to obtain and expand access:

  • Password spraying for initial access: attackers use a curated password list to try common or reused passwords against internet‑exposed services (Fortinet, Sophos, MSSQL).
  • Configuration extraction and privilege escalation: where initial access permits, the actor may exploit a local privilege escalation vulnerability prior to pulling device configuration files, including stored credentials.
  • Offline cracking and reuse: stolen credentials are cracked offline, added to the actor’s password list, and reused to pivot into more devices and to establish persistent, administrative access.

Detection and immediate hunting recommendations

Unit 42 emphasizes active hunting of remote access logs. Teams should audit for suspicious patterns, with particular attention to successful logins that occur shortly after large volumes of failed password attempts. The advisory also recommends implementing the hardening guidance it provides for edge devices to reduce the chance that password spraying leads to configuration theft or escalation.
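The hunt described above, successful logins that follow a burst of failures from the same source, can be scripted against exported remote access logs. The example below is added here and is not from the Unit 42 advisory; it assumes a simplified, constructed syslog-like line format (timestamp, src, user, result) rather than any vendor's real log schema, so the regex would need adapting to actual FortiGate, Sophos or MSSQL audit logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not a real Fortinet/Sophos/MSSQL format); the
# first source sprays five different accounts, then logs in as admin.
SAMPLE_LOG = """\
2026-06-16T07:30:00 src=203.0.113.7 user=admin result=failed
2026-06-16T09:00:01 src=203.0.113.7 user=admin result=failed
2026-06-16T09:00:02 src=203.0.113.7 user=vpnuser result=failed
2026-06-16T09:00:03 src=203.0.113.7 user=backup result=failed
2026-06-16T09:00:04 src=203.0.113.7 user=svc_sql result=failed
2026-06-16T09:00:05 src=203.0.113.7 user=jsmith result=failed
2026-06-16T09:00:06 src=203.0.113.7 user=admin result=success
2026-06-16T09:05:00 src=198.51.100.9 user=jdoe result=failed
2026-06-16T09:05:01 src=198.51.100.9 user=jdoe result=success
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(success|failed)$")


def find_spray_then_success(log_text, min_failures=5, window=timedelta(minutes=10)):
    """Return one tuple (timestamp, src, user, failures, distinct_users) per
    successful login preceded by at least min_failures failed attempts from
    the same source address inside the sliding window."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        raw_ts, src, user, result = m.groups()
        ts = datetime.fromisoformat(raw_ts)
        q = recent[src]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if result == "failed":
            q.append((ts, user))
        elif len(q) >= min_failures:
            hits.append((raw_ts, src, user, len(q), len({u for _, u in q})))
            q.clear()  # report each burst once
    return hits


if __name__ == "__main__":
    for hit in find_spray_then_success(SAMPLE_LOG):
        print("success after spray: ts=%s src=%s user=%s failures=%d users=%d" % hit)
```

The 07:30 failure is outside the ten-minute window and is not counted, so only the 203.0.113.7 login is flagged; the second source's single failure stays below the threshold.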

SOCRadar is cited as the initial reporter on FortiGate targeting; Palo Alto Networks shared its findings with Cyber Threat Alliance members, including Fortinet, so that partners can deploy protections and coordinate disruption.

Palo Alto Networks mitigations and hardening guidance

Palo Alto Networks sets out both platform protections and specific hardening steps:

  • Platform controls: PAN‑OS uses a Master Key to encrypt cryptographic keys (with either AES‑256‑CBC or AES‑256‑GCM) and stores passwords only as salted SHA‑256 hashes. Customers can integrate multiple MFA platforms, customize Password Profiles, and follow Administrative Access Best Practices.
  • Hardening recommendations: require multi‑factor authentication for all remote services; adopt Zero Trust architecture (use jump boxes and ZTNA so management interfaces are not exposed directly to the internet); change default credentials to long, complex passwords; disable unused accounts; and ensure software is up to date to mitigate known vulnerabilities, including local privilege escalation vulnerabilities.

What this means for technologists, procurement leaders, and incident responders

  • Technologists and security teams: prioritize log hunts for rapid‑succession failed attempts followed by a success, enforce MFA on remote access, and apply password profile and account‑management hardening to reduce credential exposure.
  • Procurement and IT leaders: verify that perimeter and edge devices are configured to meet the guidance above, require vendors to support MFA and ZTNA patterns, and ensure patching processes cover local privilege escalation fixes.
  • Incident responders and vendors: Unit 42 can be engaged for reactive incident response or proactive assessments; the advisory lists regional Unit 42 contact numbers and notes Deep and Dark Web monitoring as a service to detect leaked credentials.

Next steps and where to get help

Unit 42 will continue to monitor and update its findings. Organizations that suspect compromise are advised to contact the Unit 42 Incident Response team using the regional numbers provided in the advisory. The advisory also highlights collaborative sharing through the Cyber Threat Alliance as a mechanism used to rapidly deploy protections to customers and to systematically disrupt malicious actors.

For the record and further detail, read the original Unit 42 advisory: https://unit42.paloaltonetworks.com/large-scale-credential-attacks/