Threat Brief: Mitigating Large-Scale Credential Attacks
Palo Alto Networks, Friday, June 26th, 2026
Unit 42 details a large-scale credential-theft campaign hitting internet-exposed Fortinet, Sophos, and MSSQL devices.
Unit 42 reported a large-scale credential theft campaign targeting Fortinet, Sophos, and MSSQL devices exposed to the internet.
Attackers used password spraying with curated lists from prior breaches, then extracted configuration files containing additional credentials for offline cracking and future attacks.
The group established persistent administrative access through a multi-stage process, and an initial access broker claimed responsibility on Russian cybercrime forums on June 16, 2026.
Palo Alto Networks recommends MFA, zero trust architecture, and privileged access management to defend against the activity.