Threat Brief: Mitigating Large-Scale Credential Attacks

Unit 42 is aware of a large-scale password spraying and credential theft campaign (“FortiBleed”) against Fortinet devices. We observed attempts targeting MSSQL devices as well, and have seen reports of Sophos devices also being targeted. While this activity is not targeting Palo Alto Networks devices, Unit 42 has observed suspicious login attempts in customer telemetry and we are providing this report out of an abundance of caution to ensure our customers have the latest intelligence and product recommendations to protect, detect and respond to attacks to their network.

The threat actors are using a curated password list to attempt password spraying against services exposed to the internet. Unit 42 assesses that the initial password list for this activity was likely developed through a mix of previous breaches, including the successful exploitation of vulnerabilities. Once they obtain credentials, they add them to their password list for future attempts against additional targets, as well as for logging into accounts they successfully compromised.

The threat actors are leveraging a multi-stage process to gain persistent, high-privilege access:

• Password spraying for initial access: Massive internet-wide scanning and password spraying attempts against Fortinet, Sophos and MSSQL services
• Configuration Extraction: Depending on the permissions of their initial access, the actor may exploit a privilege escalation vulnerability prior to pulling device configuration files, including stored credentials
• Offline Cracking: Offline password cracking of the stolen credentials adds to the password list used in step one to target new devices, as well as to log into compromised devices to establish persistence as an administrator

Unit 42 observed an initial access broker (IAB) on the Russian-language cybercrime forum Exploit[.]in claiming responsibility for this campaign, referencing a CVE (no further information), and offering the harvested credentials for sale on June 16, 2026. Unit 42 has not validated their claims at this time.

SOCRadar provided the initial reporting on the targeting of FortiGate devices. We observed attempts targeting MSSQL devices as well, and have seen reports of Sophos devices also being targeted.

Palo Alto Networks customers receive assistance protecting against and mitigating credential attacks in the following ways:

• PAN-OS uses a Master Key to encrypt cryptographic keys in either ES-256-CBC or AES-256-GCM encryption algorithm
• PAN-OS only stores SHA-256 encrypted and salted hashes
• Customers can integrate several MFA platforms to enhance their security posture
• Customers can customize Password Profiles and complexity
• Customers can follow our Administrative Access Best Practices

Palo Alto Networks also recommends the following hardening guidelines:

• Require MFA: Require multi-factor authentication for all remote services. NGFW customers can integrate several MFA platforms and customize their Password Profiles and complexity to enhance their security posture.
• Adopt Zero Trust Architecture: Leverage “jump boxes” and Zero Trust Network Access (ZTNA) policies to ensure management interfaces are never exposed directly to the public internet, further narrowing the attack surface for configuration extraction.
• Change Default Credentials: Change the credentials for default accounts, ensuring long, complex passwords are used to mitigate the risk of password guessing attempts.
• Disable Unused Accounts: Disable unused accounts to limit the attack surface.
• Update and Patch: Ensure you have the latest software versions and patches installed to mitigate known vulnerabilities, including local privilege escalation vulnerabilities.

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Conclusion

Unit 42 will continue to monitor the situation for updated information. We encourage customers to implement the hunting and hardening recommendations to identify, mitigate, and prevent credential attacks against their networks.

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members, including Fortinet. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections and Consulting Services

Palo Alto Networks customers can leverage a variety of product protections and consulting services to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 000 800 050 45107
• South Korea: +82.080.467.8774

Deep and Darkweb Monitoring  

Unit 42's Deep and Dark Web (DDW) monitoring is a service that assists clients in identifying sensitive information and leaked credentials that surface on the dark web, providing critical insights to reduce risk exposure and reduce the time between detection and response.

References

• Analysis of Reported Credential Compromise of Fortigate Devices — Fortinet
• FortiBleed Breach: How 80,000+ Corporate Firewalls Were Quietly Compromised — SOCRadar
• What is Zero Trust Network Access (ZTNA)? — Palo Alto Networks
• Next-Generation Firewall: Multi-Factor Authentication— Palo Alto Networks, Tech Docs
• Administrative Access Best Practices - Palo Alto Networks, Tech Docs
• Panorama Administrator's Guide: Configure Panorama Password Profiles — Palo Alto Networks, Tech Docs