HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Large-Scale Password Spraying Campaign (FortiBleed) Targets Fortinet, Sophos, and MSSQL Devices

Unit 42 reports a coordinated password‑spraying operation (FortiBleed) that scans the Internet for exposed Fortinet, Sophos and MSSQL services. The campaign harvests credentials, cracks them offline, and reuses them for persistent admin access – a direct test of SOC 2 access‑control requirements.

LiveThreat™ Intelligence · 📅 June 20, 2026· 📰 unit42.paloaltonetworks.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
unit42.paloaltonetworks.com

Large-Scale Password Spraying Campaign (FortiBleed) Targets Fortinet, Sophos, and MSSQL Devices

What Happened — Unit 42 observed a coordinated password‑spraying operation, dubbed “FortiBleed”, that scans the Internet for exposed Fortinet, Sophos and Microsoft SQL services. Using a curated list of leaked passwords, the actors attempt logins, harvest any credentials they obtain, and then reuse those credentials for further attacks and offline cracking.

Why It Matters for Compliance & Audit Readiness

  • The scenario directly tests SOC 2 CC6.1 (Logical Access) and CC6.2 (User Management) controls – organizations must prove they restrict privileged access and detect anomalous login activity.
  • Continuous monitoring of remote‑access logs and evidence of MFA enforcement become audit‑ready artifacts that demonstrate due diligence.
  • Mapping the credential‑spraying lifecycle to your control framework helps you generate defensible evidence for a SOC 2 audit and for third‑party risk assessments.

Who Is Affected — Enterprises that expose network‑edge devices or database services to the Internet, including technology/SaaS providers, financial institutions, healthcare organizations, and managed‑service providers.

Recommended Actions

  • Enable MFA and enforce strong, unique passwords for all privileged accounts on firewalls, VPNs, and database servers.
  • Implement automated log‑analysis to flag successful logins that follow large volumes of failed attempts (e.g., SIEM alerts on “login after password‑spray”).
  • Conduct a privileged‑access review, remove unnecessary admin accounts, and apply the principle of least privilege.
  • Capture and retain remote‑access logs as SOC 2 evidence of logical‑access monitoring.
  • Apply vendor hardening guides (e.g., Fortinet/​Sophos best‑practice configurations) and patch any privilege‑escalation vulnerabilities.

Source: Palo Alto Unit 42 – Large‑Scale Credential Attacks

Technical Notes — Attack vector: Internet‑wide password spraying → credential harvesting → offline cracking → reuse. The campaign references an undisclosed CVE used for privilege escalation on compromised devices. No malware payloads were observed; the primary risk is credential exposure and persistent admin access.

📰 Original Source
https://unit42.paloaltonetworks.com/large-scale-credential-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →