Large-Scale Password Spraying Campaign (FortiBleed) Targets Fortinet, Sophos, and MSSQL Devices
What Happened — Unit 42 observed a coordinated password‑spraying operation, dubbed “FortiBleed”, that scans the Internet for exposed Fortinet, Sophos and Microsoft SQL services. Using a curated list of leaked passwords, the actors attempt logins, harvest any credentials they obtain, and then reuse those credentials for further attacks and offline cracking.
Why It Matters for Compliance & Audit Readiness
- The scenario directly tests SOC 2 CC6.1 (Logical Access) and CC6.2 (User Management) controls – organizations must prove they restrict privileged access and detect anomalous login activity.
- Continuous monitoring of remote‑access logs and evidence of MFA enforcement become audit‑ready artifacts that demonstrate due diligence.
- Mapping the credential‑spraying lifecycle to your control framework helps you generate defensible evidence for a SOC 2 audit and for third‑party risk assessments.
Who Is Affected — Enterprises that expose network‑edge devices or database services to the Internet, including technology/SaaS providers, financial institutions, healthcare organizations, and managed‑service providers.
Recommended Actions
- Enable MFA and enforce strong, unique passwords for all privileged accounts on firewalls, VPNs, and database servers.
- Implement automated log‑analysis to flag successful logins that follow large volumes of failed attempts (e.g., SIEM alerts on “login after password‑spray”).
- Conduct a privileged‑access review, remove unnecessary admin accounts, and apply the principle of least privilege.
- Capture and retain remote‑access logs as SOC 2 evidence of logical‑access monitoring.
- Apply vendor hardening guides (e.g., Fortinet/Sophos best‑practice configurations) and patch any privilege‑escalation vulnerabilities.
Source: Palo Alto Unit 42 – Large‑Scale Credential Attacks
Technical Notes — Attack vector: Internet‑wide password spraying → credential harvesting → offline cracking → reuse. The campaign references an undisclosed CVE used for privilege escalation on compromised devices. No malware payloads were observed; the primary risk is credential exposure and persistent admin access.