Ericsson, Rolls-Royce and Johnson & Johnson: Infostealers Fuel Large‑Scale Brute‑Forcing of Corporate SSO Gateways Using Stolen Credentials

Credential Stuffing Campaign Exploits Stolen Employee Logins to Breach Corporate Networks

A sophisticated credential stuffing campaign targeting corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces, has exposed a growing threat: attackers gaining network access not through software vulnerabilities, but by using stolen employee credentials.

First detected on February 23, 2026, by threat intelligence group Defused Cyber, the attack leveraged credentials harvested from infostealer malware infections on employee devices. A single source IP (219.75.254.166, registered to OPTAGE Inc. in Japan) was observed sending large volumes of corporate email address and password combinations in automated login attempts.

Analysis by Hudson Rock revealed that 77% of the 70 unique credentials used in the attack matched known infostealer infection logs, confirming they were stolen from compromised endpoints rather than a traditional data breach. The credentials were then repurposed against ADFS, Security Token Services (STS), and OWA portals, demonstrating a shift from mere data theft to coordinated network intrusion.

Affected organizations included high-profile entities such as Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Cellebrite, the Belgian Police, Queensland Police, Turkish government ministries, and major retail conglomerates. Attackers targeted these entities knowing that even a small number of valid logins, especially in organizations lacking multi-factor authentication (MFA), could provide initial access.

The attack infrastructure further raised concerns, as the source IP was traced to a compromised Fortinet FortiGate-60E firewall with open ports and a self-signed SSL certificate. This indicated attackers were routing traffic through hijacked network devices to target other edge systems, blending stolen credentials with compromised infrastructure.

Researchers described the attack as part of a "Log-to-Lead" pipeline, an industrialized process where infostealer malware logs are aggregated, filtered by corporate domain, and sold to Initial Access Brokers on dark web marketplaces. Attackers then purchase these credential packages and use them in large-scale stuffing attacks until they gain access.

The campaign underscores a critical shift in cyber threats: identity as the new perimeter. Since devices like F5 BIG-IP often accept the same credentials used for internal systems, a single stolen ADFS password could unlock VPNs, SSO portals, or remote access gateways, effectively allowing attackers to bypass traditional security measures.
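As an added illustration (not from the article or from any of the researchers it cites), the following Python sketch shows how a defender could flag the pattern described above in SSO gateway authentication logs: one source address cycling through many distinct accounts with a high failure rate, enriched with whether the attempted accounts are already known from infostealer exposure data. The log format, addresses, accounts and the exposure set are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of SSO gateway auth events ("timestamp src_ip user result"), using
# RFC 5737 documentation addresses and fictitious accounts.
SAMPLE_LOG = """\
2026-02-23T08:00:01Z 203.0.113.7 alice@example.com FAIL
2026-02-23T08:00:02Z 203.0.113.7 bob@example.com FAIL
2026-02-23T08:00:02Z 203.0.113.7 carol@example.com FAIL
2026-02-23T08:00:03Z 203.0.113.7 dave@example.com SUCCESS
2026-02-23T08:00:04Z 203.0.113.7 erin@example.com FAIL
2026-02-23T08:00:05Z 203.0.113.7 frank@example.com FAIL
2026-02-23T08:05:00Z 198.51.100.9 alice@example.com FAIL
2026-02-23T08:05:30Z 198.51.100.9 alice@example.com SUCCESS
"""
# Constructed set of accounts known to appear in infostealer logs (e.g. a breach-intel feed).
EXPOSED_ACCOUNTS = {"alice@example.com", "bob@example.com", "dave@example.com", "erin@example.com"}

def parse(log):
    """Parse the constructed format into (datetime, src_ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user.lower(), result))
    return events

def detect_stuffing(events, exposed=EXPOSED_ACCOUNTS, min_users=5, window_s=300, min_fail_ratio=0.5):
    """Flag source IPs that try many *distinct* accounts in one window and mostly fail.

    That is the stuffing signature (one IP cycling through a leaked list), unlike brute
    force, which hammers one account. Alerts also report which attempted accounts are
    known from infostealer logs and which succeeded, to prioritise resets and MFA gaps.
    """
    buckets = defaultdict(list)  # (src_ip, fixed time bucket) -> [(user, result)]
    for ts, ip, user, result in events:
        buckets[(ip, int(ts.timestamp()) // window_s)].append((user, result))
    alerts = []
    for (ip, _), tries in buckets.items():
        users = {u for u, _ in tries}
        fails = sum(1 for _, r in tries if r != "SUCCESS")
        if len(users) < min_users or fails / len(tries) < min_fail_ratio:
            continue  # single-account or mostly-successful traffic is not stuffing
        alerts.append({
            "src_ip": ip,
            "distinct_users": len(users),
            "fail_ratio": fails / len(tries),
            "exposed_share": len(users & exposed) / len(users),
            "successes": sorted(u for u, r in tries if r == "SUCCESS"),
        })
    return alerts
```

On the sample, only 203.0.113.7 is flagged (six accounts in five seconds, five failures, four of the six accounts in the exposure set, one successful login to reset first); the single-account retry from 198.51.100.9 is not.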

Source: https://cybersecuritynews.com/infostealers-fuel-large-scale-brute-forcing/

Johnson & Johnson cybersecurity rating report: https://www.rankiteo.com/company/johnson-&-johnson

Rolls-Royce cybersecurity rating report: https://www.rankiteo.com/company/rolls-royce

Ericsson cybersecurity rating report: https://www.rankiteo.com/company/ericsson

{
  "id": "JOHROLERI1772202424",
  "linkid": "johnson-&-johnson, rolls-royce, ericsson",
  "type": "Breach",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {"industry": "Aerospace/Defense", "name": "Rolls-Royce", "type": "Corporation"},
    {"industry": "Healthcare/Pharmaceutical", "name": "Johnson & Johnson", "type": "Corporation"},
    {"industry": "Telecommunications", "name": "Ericsson", "type": "Corporation"},
    {"industry": "Professional Services/Consulting", "name": "Deloitte", "type": "Corporation"},
    {"industry": "Digital Intelligence/Forensics", "name": "Cellebrite", "type": "Corporation"},
    {"industry": "Law Enforcement", "location": "Belgium", "name": "Belgian Police", "type": "Government"},
    {"industry": "Law Enforcement", "location": "Australia", "name": "Queensland Police", "type": "Government"},
    {"industry": "Public Sector", "location": "Turkey", "name": "Turkish government ministries", "type": "Government"},
    {"industry": "Retail", "name": "Major retail conglomerates", "type": "Corporation"}
  ],
  "attack_vector": "Stolen employee credentials via infostealer malware",
  "data_breach": {
    "number_of_records_exposed": "70 unique credentials",
    "personally_identifiable_information": "Employee login credentials",
    "sensitivity_of_data": "High (corporate network access)",
    "type_of_data_compromised": "Employee credentials"
  },
  "date_detected": "2026-02-23",
  "description": "A sophisticated credential stuffing campaign targeting corporate Single Sign-On (SSO) gateways, particularly F5 BIG-IP interfaces, leveraged stolen employee credentials harvested from infostealer malware infections to gain network access. The attack was first detected on February 23, 2026, and involved automated login attempts using credentials repurposed against ADFS, STS, and OWA portals. The campaign highlights a shift from data theft to coordinated network intrusion, exploiting identity as the new perimeter.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to unauthorized access",
    "data_compromised": "Employee credentials, potential access to internal systems",
    "identity_theft_risk": "High (stolen employee credentials)",
    "operational_impact": "Potential unauthorized access to corporate networks",
    "systems_affected": [
      "ADFS",
      "Security Token Services (STS)",
      "OWA portals",
      "F5 BIG-IP interfaces",
      "VPNs",
      "SSO portals",
      "Remote access gateways"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Credentials filtered by corporate domain",
    "entry_point": "Stolen employee credentials via infostealer malware",
    "high_value_targets": "Corporate SSO gateways, ADFS, STS, OWA portals"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The incident underscores the critical importance of multi-factor authentication (MFA) and the risks posed by infostealer malware in enabling credential stuffing attacks. Identity is now the new perimeter, and stolen credentials can bypass traditional security measures.",
  "motivation": "Network intrusion, data exfiltration, potential ransomware deployment",
  "post_incident_analysis": {
    "corrective_actions": [
      "Implement MFA across all systems",
      "Enhance endpoint security to detect and prevent infostealer malware",
      "Monitor and restrict access to critical systems"
    ],
    "root_causes": [
      "Lack of multi-factor authentication (MFA)",
      "Infostealer malware infections on employee devices",
      "Use of stolen credentials to bypass security measures"
    ]
  },
  "recommendations": [
    "Implement multi-factor authentication (MFA) for all corporate systems, especially SSO and remote access gateways.",
    "Monitor for infostealer malware infections on employee devices.",
    "Enforce strict password policies and regular credential rotation.",
    "Segment network access to limit lateral movement in case of a breach.",
    "Enhance monitoring of login attempts and anomalous access patterns.",
    "Educate employees on the risks of malware and credential theft."
  ],
  "references": [{"source": "Defused Cyber"}, {"source": "Hudson Rock"}],
  "response": {"third_party_assistance": ["Defused Cyber", "Hudson Rock"]},
  "threat_actor": "Initial Access Brokers",
  "title": "Credential Stuffing Campaign Exploits Stolen Employee Logins to Breach Corporate Networks",
  "type": "Credential Stuffing",
  "vulnerability_exploited": "Lack of multi-factor authentication (MFA)"
}