Credential-Stuffing Attacks Target Corporate SSO Systems via Infostealer-Mined Logins
A surge in credential-stuffing attacks is targeting corporate Single Sign-On (SSO) systems, with recent campaigns focusing on F5 BIG-IP devices. Security firm Defused Cyber analyzed 70 unique email-password pairs used in the attacks and found that 77% (54 credentials) matched data from infostealer infections: malware such as RedLine, Raccoon, and Vidar that harvests browser-saved logins from compromised employee devices.
The attacks, first detected by Defused Cyber’s honeypots, consisted of malicious authentication attempts from a Japanese IP address (219.75.254.166, AS17511, OPTAGE Inc.). The threat actors replayed the stolen credentials against corporate login portals such as ADFS, OWA, and STS endpoints, succeeding where MFA was weakly enforced or where employees had reused the same password for work and personal accounts.
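The 54-of-70 figure above comes from cross-referencing the credentials used in the attack against stolen browser-credential logs. The script below is an added example, not code from the original article or from Defused Cyber, showing how a defender can run the same check against their own user base without keeping plaintext passwords in the comparison set: emails are normalized, each pair is hashed, and only the matched email addresses come back for a reset workflow. The attempted pairs and the "leaked" corpus are constructed sample data, sized to reproduce the 54/70 result; the corpus deliberately varies email case and whitespace, which is exactly what defeats naive string comparison.

```python
"""Cross-reference attempted credentials against an infostealer-log corpus.

Added example (not from the original article or from Defused Cyber).
ATTEMPTED and LEAKED_LOGS are constructed sample data.
"""
import hashlib
from typing import Iterable


def normalize_email(email: str) -> str:
    # Infostealer logs and login forms disagree on case and whitespace;
    # comparing raw strings would undercount matches.
    return email.strip().lower()


def fingerprint(email: str, password: str) -> str:
    # Hash the normalized pair so the leaked corpus can be stored and
    # compared without plaintext passwords. The password is NOT normalized:
    # case matters to the authentication system.
    material = f"{normalize_email(email)}\x00{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def build_corpus(pairs: Iterable[tuple[str, str]]) -> set[str]:
    return {fingerprint(e, p) for e, p in pairs}


def match_against_corpus(attempted, corpus):
    """Return (matched_emails, match_rate).

    Only the email of each matched pair is returned, so the result can be
    handed to a forced-reset / session-revocation workflow without passwords.
    """
    seen = {}
    for email, password in attempted:
        seen[fingerprint(email, password)] = normalize_email(email)  # dedupe repeats
    matched = sorted(v for k, v in seen.items() if k in corpus)
    rate = len(matched) / len(seen) if seen else 0.0
    return matched, rate


# Constructed data: 70 distinct attempted pairs, 54 of which also appear in
# the (constructed) infostealer-log corpus, plus unrelated noise entries.
ATTEMPTED = [(f"user{i:02d}@example.com", f"Winter2024!{i}") for i in range(70)]
LEAKED_LOGS = [(f"User{i:02d}@Example.com ", f"Winter2024!{i}") for i in range(54)]
LEAKED_LOGS += [(f"other{i}@example.net", f"pw{i}") for i in range(40)]

if __name__ == "__main__":
    matched, rate = match_against_corpus(ATTEMPTED, build_corpus(LEAKED_LOGS))
    print(f"{len(matched)} of {len(ATTEMPTED)} attempted credentials appear in stolen logs ({rate:.0%})")
    for email in matched[:5]:
        print("  force reset + revoke sessions:", email)
```

A match here means the attacker already holds a working password for that account, so the response is a forced reset plus revocation of existing SSO sessions and refresh tokens, not just a block on the source IP.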
The campaign highlights an industrialized "log-to-lead" pipeline:
- Infection: Employees’ devices are compromised by Infostealers, which exfiltrate stored credentials.
- Marketplace: Stolen logs are sold on underground forums to Initial Access Brokers (IABs).
- Front-Door Bypass: Attackers replay the valid credentials against internet-facing authentication gateways such as F5 BIG-IP, which front the SSO login flow, so a correct password is indistinguishable from a legitimate sign-in.
- Network Compromise: A successful login grants direct access as that user, bypassing perimeter controls that only look for exploit traffic.
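The honeypot detection in the article rests on the traffic shape of this pipeline: one source, many distinct usernames, about one attempt each, mostly failures, and the occasional success that is the "front-door bypass" step. The detector below is an added example, not code from the original article or from Defused Cyber. The log format is an assumption (one space-separated line per attempt: timestamp, source IP, portal, username, result); the parser must be adapted to the fields your BIG-IP APM, ADFS or OWA logs actually emit. The log lines are constructed sample data; 219.75.254.166 is the source IP named in the article, the other addresses are TEST-NET documentation ranges.

```python
"""Flag credential stuffing in authentication logs and escalate the successes.

Added example (not from the original article or from Defused Cyber).
Log format is assumed; SAMPLE_LOG is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successful_users: set = field(default_factory=set)


def parse_line(line: str):
    # Assumed format: "<timestamp> <src_ip> <portal> <username> <OK|FAIL>"
    _ts, ip, portal, user, result = line.split()
    return ip, portal, user.lower(), result


def profile_sources(lines):
    stats = defaultdict(SourceStats)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ip, _portal, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successful_users.add(user)
    return stats


def classify(s: SourceStats, min_users=5, max_attempts_per_user=2.0, min_fail_rate=0.8):
    """Stuffing: many distinct users, ~1 attempt each (the stolen pair is
    either right or wrong), mostly failures. Brute force: few users, many
    attempts each. Thresholds are illustrative and need tuning per portal."""
    if s.attempts == 0:
        return "quiet"
    per_user = s.attempts / len(s.users)
    fail_rate = s.failures / s.attempts
    if len(s.users) >= min_users and per_user <= max_attempts_per_user and fail_rate >= min_fail_rate:
        return "credential-stuffing"
    if len(s.users) < min_users and per_user > max_attempts_per_user and fail_rate >= min_fail_rate:
        return "brute-force"
    return "normal"


def detect(lines):
    """Return {ip: (verdict, compromised_users)}.

    A success from a stuffing source means that account's password is known
    to the attacker; it needs a reset and session revocation, not just an
    IP block, because the next attempt can come from a different address.
    """
    findings = {}
    for ip, s in profile_sources(lines).items():
        verdict = classify(s)
        compromised = sorted(s.successful_users) if verdict == "credential-stuffing" else []
        findings[ip] = (verdict, compromised)
    return findings


# Constructed sample log: one stuffing source, one brute-force source, one
# legitimate user.
SAMPLE_LOG = """
2026-02-20T03:10:01Z 219.75.254.166 adfs alice@example.com FAIL
2026-02-20T03:10:02Z 219.75.254.166 adfs bob@example.com FAIL
2026-02-20T03:10:02Z 219.75.254.166 owa carol@example.com FAIL
2026-02-20T03:10:03Z 219.75.254.166 adfs dave@example.com OK
2026-02-20T03:10:04Z 219.75.254.166 sts erin@example.com FAIL
2026-02-20T03:10:05Z 219.75.254.166 adfs frank@example.com FAIL
2026-02-20T03:10:05Z 219.75.254.166 owa grace@example.com FAIL
2026-02-20T03:10:06Z 219.75.254.166 adfs heidi@example.com FAIL
2026-02-20T03:11:00Z 198.51.100.7 adfs alice@example.com FAIL
2026-02-20T03:11:10Z 198.51.100.7 adfs alice@example.com FAIL
2026-02-20T03:11:20Z 198.51.100.7 adfs alice@example.com FAIL
2026-02-20T03:11:30Z 198.51.100.7 adfs alice@example.com FAIL
2026-02-20T03:11:40Z 198.51.100.7 adfs alice@example.com FAIL
2026-02-20T03:12:00Z 203.0.113.5 owa bob@example.com OK
2026-02-20T03:12:30Z 203.0.113.5 owa bob@example.com OK
""".strip().splitlines()

if __name__ == "__main__":
    for ip, (verdict, users) in detect(SAMPLE_LOG).items():
        print(ip, verdict, "-> reset/revoke:" if users else "", *users)
```

Per-IP thresholds catch the single-source pattern seen by the honeypots; a campaign spread across residential proxies needs the same statistics aggregated by ASN, user agent or TLS fingerprint instead of by address.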
Compromised credentials linked to high-profile organizations were identified, including Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Belgian and Queensland Police, Majid Al Futtaim, Cellebrite, Doka, and Turkey’s Ministry of Trade. The attacks cast a wide net, relying on volume rather than precision: enough accounts without MFA, or enough users who approve a prompt they did not initiate, and some attempts will succeed.
Further investigation traced the attacks to a compromised Fortinet FortiGate-60E firewall hosted by OPTAGE Inc., with ports 541/tcp and 10443/tcp exposed to the internet behind a self-signed TLS certificate. The attackers are hijacking network edge devices to launch their attempts, turning one organization’s infrastructure into an attack proxy for another. For defenders this also means the source IP identifies a second victim rather than the operator, so blocking or reporting it addresses the relay, not the campaign.
The campaign underscores a shift in cybercriminal tactics from exploiting software vulnerabilities to abusing legitimate authentication, emphasizing the growing threat of identity-based attacks.
Source: https://gbhackers.com/massive-brute-force-attacks/
Ericsson cybersecurity rating report: https://www.rankiteo.com/company/ericsson
Defused cybersecurity rating report: https://www.rankiteo.com/company/defused
Johnson & Johnson cybersecurity rating report: https://www.rankiteo.com/company/johnson-&-johnson
Rolls-Royce cybersecurity rating report: https://www.rankiteo.com/company/rolls-royce
"id": "ERIDEFJOHROLVID1772180734",
"linkid": "ericsson, defused, johnson-&-johnson, rolls-royce, vidaraturkey",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Aerospace/Defense',
'name': 'Rolls-Royce',
'type': 'Corporation'},
{'industry': 'Healthcare/Pharmaceutical',
'name': 'Johnson & Johnson',
'type': 'Corporation'},
{'industry': 'Telecommunications',
'name': 'Ericsson',
'type': 'Corporation'},
{'industry': 'Professional Services/Consulting',
'name': 'Deloitte',
'type': 'Corporation'},
{'industry': 'Law Enforcement',
'location': 'Belgium',
'name': 'Belgian Police',
'type': 'Government'},
{'industry': 'Law Enforcement',
'location': 'Australia',
'name': 'Queensland Police',
'type': 'Government'},
{'industry': 'Retail/Conglomerate',
'location': 'UAE',
'name': 'Majid Al Futtaim',
'type': 'Corporation'},
{'industry': 'Digital Intelligence',
'name': 'Cellebrite',
'type': 'Corporation'},
{'industry': 'Construction/Engineering',
'name': 'Doka',
'type': 'Corporation'},
{'industry': 'Government/Trade',
'location': 'Turkey',
'name': 'Turkey’s Ministry of Trade',
'type': 'Government'}],
'attack_vector': 'Stolen credentials from Infostealer malware (RedLine, '
'Raccoon, Vidar)',
'data_breach': {'number_of_records_exposed': '70 unique email-password pairs '
'(54 matched Infostealer logs)',
'personally_identifiable_information': 'Potential '
'(browser-saved '
'credentials may '
'include PII)',
'sensitivity_of_data': 'High (corporate authentication '
'credentials, potential PII)',
'type_of_data_compromised': ['Browser-saved logins',
'Corporate SSO credentials']},
'description': 'A surge in credential-stuffing attacks is targeting corporate '
'Single Sign-On (SSO) systems, with recent campaigns focusing '
'on F5 BIG-IP devices. Threat actors repurposed stolen '
'credentials to bypass defenses, targeting corporate portals '
'such as ADFS, OWA, and STS, often exploiting weak '
'multi-factor authentication (MFA) enforcement or password '
'reuse. The campaign highlights an industrialized '
"'log-to-lead' pipeline involving Infostealer infections, "
'underground marketplace sales, and direct access to corporate '
'systems.',
'impact': {'brand_reputation_impact': 'Potential reputational damage for '
'affected organizations',
'data_compromised': 'Browser-saved logins, corporate SSO '
'credentials',
'identity_theft_risk': 'High (stolen credentials, PII exposure)',
'operational_impact': 'Bypassed authentication, potential '
'unauthorized access to corporate networks',
'systems_affected': ['F5 BIG-IP devices',
'ADFS',
'OWA',
'STS portals',
'Fortinet FortiGate-60E firewalls']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (stolen logs sold on '
'underground forums)',
'entry_point': 'Stolen credentials from Infostealer '
'logs',
'high_value_targets': ['Corporate SSO systems (F5 '
'BIG-IP, ADFS, OWA, STS)']},
'investigation_status': 'Ongoing (as per Defused Cyber’s analysis)',
'lessons_learned': 'The campaign underscores the shift from exploiting '
'vulnerabilities to abusing legitimate authentication, '
'highlighting the growing threat of identity-based '
'attacks. Organizations must enforce strong MFA, monitor '
'for credential leaks, and secure network edge devices to '
'prevent such attacks.',
'motivation': 'Unauthorized access to corporate systems, data exfiltration, '
'potential financial gain',
'post_incident_analysis': {'corrective_actions': ['Strengthen MFA policies',
'Deploy endpoint detection '
'for Infostealer malware',
'Secure and monitor network '
'edge devices',
'Implement credential leak '
'monitoring'],
'root_causes': ['Infostealer malware infections on '
'employee devices',
'Weak MFA enforcement or password '
'reuse',
'Exposed network edge devices '
'(e.g., Fortinet FortiGate-60E '
'with open ports)',
'Lack of monitoring for credential '
'leaks']},
'recommendations': ['Enforce strong multi-factor authentication (MFA) across '
'all corporate systems',
'Monitor for credential leaks and Infostealer infections '
'on employee devices',
'Secure network edge devices (e.g., firewalls, VPNs) and '
'close unnecessary open ports',
'Educate employees on password hygiene and the risks of '
'password reuse',
'Implement adaptive behavioral WAFs and enhanced '
'monitoring for authentication anomalies',
'Segment networks to limit lateral movement in case of a '
'breach'],
'references': [{'source': 'Defused Cyber'}],
'response': {'third_party_assistance': 'Defused Cyber (security firm)'},
'threat_actor': 'Initial Access Brokers (IABs), cybercriminals leveraging '
'Infostealer logs',
'title': 'Credential-Stuffing Attacks Target Corporate SSO Systems via '
'Infostealer-Mined Logins',
'type': 'Credential Stuffing',
'vulnerability_exploited': 'Weak multi-factor authentication (MFA) '
'enforcement, password reuse, exposed network edge '
'devices (e.g., Fortinet FortiGate-60E with open '
'ports)'}