Unit 42 observed a credential theft campaign targeting Fortinet, Sophos, and MSSQL devices through password spraying and credential harvesting. Threat actors use a curated password list derived from previous breaches and exploit vulnerabilities to escalate privileges. Compromised credentials are sold on dark web forums. Mitigation includes multi-factor authentication, Zero Trust Architecture, and patching.
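As an added illustration of the defensive side (not code from the Unit 42 report), the sketch below flags password-spraying sources in authentication logs: one source failing against many accounts with few attempts each, and any account that then logs in successfully from that source. The log format, thresholds and function names are assumptions; the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): ISO time, source IP, account, result.
SAMPLE_LOG = """\
2024-05-01T10:00:05 203.0.113.7 alice FAIL
2024-05-01T10:00:40 203.0.113.7 bob FAIL
2024-05-01T10:01:15 203.0.113.7 carol FAIL
2024-05-01T10:01:50 203.0.113.7 dave OK
2024-05-01T10:02:25 203.0.113.7 erin FAIL
2024-05-01T10:03:00 203.0.113.7 frank FAIL
2024-05-01T10:00:10 198.51.100.9 admin FAIL
2024-05-01T10:00:12 198.51.100.9 admin FAIL
2024-05-01T10:00:14 198.51.100.9 admin FAIL
2024-05-01T10:04:00 192.0.2.10 heidi FAIL
2024-05-01T10:04:20 192.0.2.10 heidi OK
"""

def parse(log):
    """Turn log text into time-sorted (timestamp, source, account, result) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, src, user, result = parts
            events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failures in a sliding window hit many accounts, few tries each."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures older than the window
            counts = Counter(user for _, user in fails[start:end + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(counts)
                break
    return flagged

def compromised_after_spray(events, flagged):
    # A success from a flagged source means that account's password matched: reset it first.
    return sorted({(s, u) for _, s, u, r in events if r == "OK" and s in flagged})
```

The repeated failures against a single account (`198.51.100.9`) and the mistyped-password login (`192.0.2.10`) are deliberately not flagged; per-account lockout counters catch the former but miss spraying, which is why the per-source account count matters.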