Threat Brief: Mitigating Large-Scale Credential Attacks
ID: 2a85aa63-dbd9-52b4-b80c-92c795a3d8c2
STIX ID: report--2a85aa63-dbd9-52b4-b80c-92c795a3d8c2
Feed Name: Palo Alto Networks Unit 42
Unit 42 reports a large-scale credential-spraying and credential-theft campaign targeting internet-exposed Fortinet, MSSQL, and Sophos services. The actors use curated password lists for mass password spraying, exploit privilege escalation when possible to extract device configurations and stored credentials, and crack credentials offline to expand their lists and establish persistent admin access. An initial access broker claimed to be selling harvested credentials on Exploit.in. Unit 42 provides recommended hunting and hardening steps (MFA, zero trust, changing defaults, disabling unused accounts, patching) and offers incident response assistance.
