Unit 42 has observed a large-scale credential attack campaign involving password spraying and credential theft, notably against Fortinet (FortiBleed), Sophos, and MSSQL devices. The attackers use curated password lists derived from previous breaches and successful exploitations to attempt internet-wide password spraying. After initial access, they may exploit privilege escalation vulnerabilities to extract device configurations and stored credentials. Offline cracking of stolen credentials feeds back into the password list for further attacks and persistence. An initial access broker has claimed responsibility on a Russian-language cybercrime forum, though Unit 42 has not validated these claims. Palo Alto Networks customers are advised to implement multi-factor authentication, zero trust network access, password complexity policies, and administrative best practices to protect against these attacks. The vendor also highlights that PAN-OS encrypts keys securely and stores salted SHA-256 password hashes. Unit 42 continues to monitor the threat and collaborates with Cyber Threat Alliance members to share intelligence and protections.

The campaign enables threat actors to gain persistent, high-privilege access to targeted devices by leveraging password spraying, privilege escalation, and credential theft. This can lead to unauthorized access to network edge devices and potentially compromise network security. Although Palo Alto Networks devices are not directly targeted, the presence of suspicious login attempts indicates potential reconnaissance or opportunistic targeting. The compromise of credentials and device configurations can facilitate further lateral movement and persistent control within affected networks.

A fix status is not explicitly stated; patch status is not yet confirmed—check vendor advisories for updates. Unit 42 recommends auditing remote access logs for suspicious successful logins following password failure events. Enforce multi-factor authentication for all remote services. Adopt zero trust architecture principles, such as using jump boxes and Zero Trust Network Access (ZTNA) to prevent direct exposure of management interfaces. Change default credentials to strong, complex passwords and disable unused accounts to reduce attack surface. Ensure all devices are updated with the latest software versions and patches to mitigate known vulnerabilities, including privilege escalation issues. Palo Alto Networks customers can leverage built-in protections such as encrypted key storage, salted SHA-256 password hashes, customizable password profiles, and administrative access best practices. Engage Unit 42 Incident Response for compromise assistance or proactive assessments.