
Threat Brief: Mitigating Large

Unit 42 is aware of a large-scale password spraying and credential theft campaign (“FortiBleed”) against Fortinet devices. We have also observed attempts targeting internet-exposed MSSQL services and have seen reports of Sophos devices being targeted. While this activity is not targeting Palo Alto Networks devices, Unit 42 has observed suspicious login attempts in customer telemetry, and we are providing this report out of an abundance of caution so that our customers have the latest intelligence and product recommendations to protect against, detect and respond to attacks on their networks. The threat actors are using a curated password list to attempt password spraying against services exposed to the internet. Unit 42 assesses that the initial password list for this activity was likely built from a mix of previous breaches, including the successful exploitation of vulnerabilities. Once the actors obtain credentials, they add them to their password list for future attempts against additional targets and use them to log into the accounts they have successfully compromised. 
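The feedback loop described above (spray, extract configuration, crack offline, spray again with the recovered passwords) is what turns one weak password into a fleet-wide problem. The following is an added example written for this page, not code from Unit 42 or from the threat actor: it models the loop against a constructed in-memory fleet of devices whose credentials are stored as salted SHA-256 hashes. The device names, account names, password lists and the hashing scheme are all assumptions for illustration, and nothing here touches a network.

```python
"""Added example (not from the Unit 42 brief): a model of the credential feedback
loop described above. A constructed fleet of devices stores salted SHA-256
hashes; nothing here touches a network. It shows why one weak, reused password
in one device's exported configuration ends up in the spray list used against
the rest of the fleet."""
import hashlib
import hmac
import os

ROUNDS_LIMIT = 10  # safety cap so the loop always terminates

def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 standing in for whatever a real device stores (model only)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def build_fleet() -> dict:
    """Constructed fleet: each device has an 'admin' login plus other credentials
    that live in its exported configuration (LDAP bind, VPN service account)."""
    return {
        "fw-branch-01": {
            "admin": make_account("Summer2025!"),          # weak, on the seed spray list
            "ldap-bind": make_account("Corp#Bind2024"),    # crackable from the config
            "vpn-svc": make_account("q9!Lx2#vTw8$Zr4m"),   # random, in no wordlist
        },
        "fw-branch-02": {
            "admin": make_account("Corp#Bind2024"),        # the LDAP bind password, reused
            "ldap-bind": make_account("Corp#Bind2024"),
        },
        "fw-dc-01": {
            "admin": make_account("gW7#kq2Lp!9zVt4Xm3Rb8Ns"),  # long and unique
        },
    }

# Constructed lists. Spraying uses a short list (a few passwords per account,
# to stay under lockout thresholds); offline cracking can afford a much larger
# wordlist, so the two are kept separate.
SEED_SPRAY_LIST = ["Password1", "Summer2025!"]
CRACK_WORDLIST = ["Password1", "Welcome1", "Summer2025!", "Fortinet123",
                  "Corp#Bind2024", "Admin2024!"]

def try_login(fleet: dict, device: str, username: str, password: str) -> bool:
    acct = fleet[device].get(username)
    if acct is None:
        return False
    return hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"])

def spray(fleet: dict, spray_list: list, owned: set) -> set:
    """Stage 1: try each password on the admin account of every device not yet owned."""
    newly_owned = set()
    for device in fleet:
        if device in owned:
            continue
        if any(try_login(fleet, device, "admin", pw) for pw in spray_list):
            newly_owned.add(device)
    return newly_owned

def extract_config(fleet: dict, device: str) -> dict:
    """Stage 2: with admin access, every stored credential hash leaves the device."""
    return dict(fleet[device])

def crack_offline(acct: dict, wordlist: list):
    """Stage 3: dictionary attack on one salted hash; returns the password or None."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
            return candidate
    return None

def run_campaign(fleet: dict, seed_spray_list: list, crack_wordlist: list):
    """Run the three stages until a spray round yields nothing new.
    Returns (compromised devices, final spray list, rounds run)."""
    spray_list = list(seed_spray_list)
    owned: set = set()
    rounds = 0
    while rounds < ROUNDS_LIMIT:
        rounds += 1
        new = spray(fleet, spray_list, owned)
        if not new:
            break
        owned |= new
        for device in sorted(new):
            for _user, acct in extract_config(fleet, device).items():
                password = crack_offline(acct, crack_wordlist)
                if password is not None and password not in spray_list:
                    spray_list.append(password)  # feeds the next spray round
    return owned, spray_list, rounds

if __name__ == "__main__":
    owned, final_list, rounds = run_campaign(build_fleet(), SEED_SPRAY_LIST, CRACK_WORDLIST)
    print(f"rounds={rounds} compromised={sorted(owned)}")
    print(f"spray list grew from {len(SEED_SPRAY_LIST)} to {len(final_list)} entries")
```

In this model fw-branch-02 never has its own password guessed from the seed list; it falls because its administrator password is the same string stored as an LDAP bind credential in fw-branch-01's configuration. fw-dc-01, with a long password that appears nowhere else, survives every round, which is the property the hardening guidance below is trying to buy.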
The threat actors are leveraging a multi-stage process to gain persistent, high-privilege access:
- Password spraying for initial access: Massive internet-wide scanning and password spraying attempts against Fortinet, Sophos and MSSQL services
- Configuration extraction: Depending on the permissions of their initial access, the actor may exploit a privilege escalation vulnerability before pulling device configuration files, including the credentials stored in them
- Offline cracking: Offline cracking of the stolen credentials adds to the password list used in step one to target new devices, and the recovered passwords are also used to log into compromised devices and establish persistence as an administrator
Unit 42 observed an initial access broker (IAB) on the Russian-language cybercrime forum Exploit[.]in claiming responsibility for this campaign, referencing a CVE (no further information) and offering the harvested credentials for sale on June 16, 2026. Unit 42 has not validated these claims at this time. Unit 42 recommends auditing remote access logs for suspicious activity, focusing on successful logins that occur shortly after large-volume password failure events (for example, from the same source address). We also recommend reviewing and implementing the hardening guidance below for edge devices. SOCRadar provided the initial reporting on the targeting of FortiGate devices. 
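The log audit recommended above, as an added example written for this page (not Unit 42's code and not a detection shipped by any product mentioned here): it runs over constructed log lines in a generic `auth success|failure user=… src=…` format, which is an assumption standing in for whatever your remote access service actually emits, and flags two patterns: a source cycling through many usernames, and a successful login from a source that has just produced a burst of failures. The thresholds and window are illustrative and should be tuned to the normal failure rate of the service being watched.

```python
"""Added example (not from the Unit 42 brief): the log audit recommended above,
run over constructed log lines in a generic 'auth success|failure' format rather
than any vendor's syslog. It flags (a) a source cycling through many usernames
and (b) a successful login from a source that has just produced a burst of
failures, which is the pattern a spray that found a working password leaves."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(lines):
    """Yield parsed events; lines that do not match the constructed format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                   "user": m["user"], "src": m["src"]}

def detect(lines, fail_threshold=10, distinct_users=5, window=timedelta(minutes=10)):
    """Sliding-window analysis per source address. Thresholds are illustrative;
    tune them to the normal failure rate of the service being watched."""
    recent_failures = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    spray_flagged = set()
    findings = []
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that aged out of the window
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            users = {u for _, u in q}
            if (len(q) >= fail_threshold and len(users) >= distinct_users
                    and ev["src"] not in spray_flagged):
                spray_flagged.add(ev["src"])  # report each spraying source once
                findings.append({"type": "spray", "src": ev["src"], "at": ev["ts"],
                                 "failures": len(q), "distinct_users": len(users)})
        elif len(q) >= fail_threshold:
            # a success right after a burst of failures from the same source
            findings.append({"type": "success_after_failures", "src": ev["src"],
                             "user": ev["user"], "at": ev["ts"],
                             "failures_in_window": len(q)})
    return findings

def make_sample_log():
    """Constructed sample: one spraying source cycles through usernames and then
    logs in as 'admin'; a legitimate user mistypes twice and then succeeds."""
    base = datetime(2026, 6, 16, 9, 0, 0)
    names = ["admin", "administrator", "root", "fortinet", "vpn", "backup", "sysadmin", "test"]
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} auth failure "
             f"user={names[i % len(names)]} src=203.0.113.7" for i in range(12)]
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} auth success user=admin src=203.0.113.7")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} auth failure user=jsmith src=198.51.100.4")
    lines.append(f"{(base + timedelta(minutes=1, seconds=20)).isoformat()} auth failure user=jsmith src=198.51.100.4")
    lines.append(f"{(base + timedelta(minutes=1, seconds=40)).isoformat()} auth success user=jsmith src=198.51.100.4")
    return lines

if __name__ == "__main__":
    for finding in detect(make_sample_log()):
        print(finding)
```

The second finding type is the one worth an immediate response: a spray that produces only failures is noise, but a success from a source that has just failed a dozen times across different usernames means the list worked, and that account's password now sits in the actor's list for use against other devices.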
Palo Alto Networks customers receive assistance protecting against and mitigating credential attacks in the following ways:
- PAN-OS uses a Master Key to encrypt stored cryptographic keys with either AES-256-CBC or AES-256-GCM
- PAN-OS stores only salted SHA-256 hashes of passwords, not the passwords themselves
- Customers can integrate several MFA platforms to enhance their security posture
- Customers can customize Password Profiles and complexity requirements
- Customers can follow our Administrative Access Best Practices
Palo Alto Networks also recommends the following hardening guidelines:
- Require MFA: Require strong, phishing-resistant multi-factor authentication for all remote services. NGFW customers can integrate several MFA platforms (including Palo Alto Networks Idira MFA) and customize their Password Profiles and complexity requirements to enhance their security posture.
- Adopt Zero Trust Architecture: Use “jump boxes” and Zero Trust Network Access (ZTNA) policies to ensure management interfaces are never exposed directly to the public internet, further narrowing the attack surface for configuration extraction.
- Change default credentials: Change the credentials for default accounts and use long, complex passwords to mitigate the risk of password guessing. Use a unique password per device and per stored service account, since credentials recovered from one device's configuration are reused against others. Ideally, onboard these accounts to a Privileged Access Management (PAM) system and rotate their passwords automatically, both on a schedule and after each use.
- Implement ITDR: Detect malicious access attempts promptly and accelerate response with automated identity-centric actions.
- Disable unused accounts: Run continuous discovery of privileged accounts. Onboard the accounts in use and disable unused accounts to limit the attack surface.
- Update and patch: Ensure you have the latest software versions and patches installed to mitigate known vulnerabilities, including the local privilege escalation vulnerabilities the actor may use to reach configuration files.
The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk. 
Conclusion

Unit 42 will continue to monitor the situation for updated information. We encourage customers to implement the hunting and hardening recommendations to identify, mitigate and prevent credential attacks against their networks. Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members, including Fortinet. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance. Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections and Consulting Services

Palo Alto Networks customers can leverage a variety of product protections and consulting services to identify and defend against this threat. If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 000 800 050 45107
- South Korea: +82.080.467.8774

Deep and Dark Web Monitoring

Unit 42's Deep and Dark Web (DDW) monitoring is a service that assists clients in identifying sensitive information and leaked credentials that surface on the dark web, providing critical insights to reduce risk exposure and shorten the time between detection and response.

Cortex Cloud

Cortex Cloud Identity Security encompasses Cloud Infrastructure Entitlement Management (CIEM), Identity Security Posture Management (ISPM), Data Access Governance (DAG) and Identity Threat Detection and Response (ITDR), and provides clients with the capabilities needed to meet their identity-related security requirements. 
By providing visibility into cloud-based identities and their permissions, Cortex Cloud can detect misconfigurations and unwanted access to sensitive data, and provides real-time analysis of usage and access patterns. Additionally, Cortex Cloud provides protections against compromised, lost or exposed credentials being used against cloud resources, such as those discussed in this article.

Idira Identity Threat Protection

Idira Identity Threat Protection (ITP) enables security teams to counter identity-based attacks targeting the Idira Next Generation Identity (NGI) Platform and the identities it secures. Using near real-time detection, powered by CORA AI, and leveraging Idira's visibility across multiple contexts (such as PAM, authentication, SSO, cloud, endpoints and browsers), Idira ITP can apply automated, tailored, non-disruptive in-session responses to contain and minimize identity-based threats.

Idira MFA

Idira MFA helps protect organizations against password spraying, credential theft and other identity-based attacks by verifying that the person signing in is the legitimate user, not just someone who holds a valid password. Using phishing-resistant MFA, including passkeys, biometrics and FIDO2 security keys, along with adaptive, risk-based authentication, Idira evaluates signals such as device trust, location and login behavior. When risk is detected, it requires additional verification before granting access, helping prevent account compromise while keeping access simple for trusted users.

Idira Privileged Access Management

Idira Privileged Access Management is a SaaS-delivered Privileged Access Management (PAM) solution that mitigates credential compromise and password spraying by prioritizing automated discovery, onboarding and rotation. The platform continuously scans hybrid environments and infrastructure to detect unmanaged local, domain and service accounts and cloud roles. 
Discovered credentials are automatically onboarded into a hardened digital vault for centralized management. Privilege Cloud then enforces programmatic, transactional credential rotation using complex, randomized strings. This eliminates the static, predictable passwords exploited during spraying attacks, removes standing privileges and blocks lateral movement across network infrastructure and devices.

References
- Analysis of Reported Credential Compromise of Fortigate Devices — Fortinet
- FortiBleed Breach: How 80,000+ Corporate Firewalls Were Quietly Compromised — SOCRadar
- What is Zero Trust Network Access (ZTNA)? — Palo Alto Networks
- Next-Generation Firewall: Multi-Factor Authentication — Palo Alto Networks, Tech Docs
- Administrative Access Best Practices — Palo Alto Networks, Tech Docs
- Panorama Administrator's Guide: Configure Panorama Password Profiles — Palo Alto Networks, Tech Docs

Updated June 26, 2026 at 1:00 p.m. PT to add product protection for Idira Security and Cortex Cloud, and more information to the hardening guidelines section.
