Attackers Love Your VPN To-Do List
ID: 511a8765-2125-5ad1-ac2a-873544ff076b
STIX ID: report--511a8765-2125-5ad1-ac2a-873544ff076b
Feed Name: Huntress Blog
This Huntress blog outlines real SOC-observed incidents in which compromised VPN credentials (FortiGate and SonicWall) let attackers deploy publicly available exploitation tools (BlueHammer, RedSun and UnDefend, attributed to Nightmare-Eclipse), perform environment discovery and establish persistence (including BYOVD tactics), and attempt to deploy Play ransomware. The post identifies missing logs, absent MFA and a lack of network segmentation as the primary enablers, and recommends enforcing MFA, auditing privileged accounts, centralizing logs and monitoring for anomalous logins.
