Cybersecurity Pulse
Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials

Cybersecurity • February 27, 2026
Source: GBHackers On Security

Why It Matters

The abuse of real user credentials turns identity data into a direct attack vector, forcing enterprises to rethink perimeter security and enforce robust, universal MFA.

Key Takeaways

  • 77% of used credentials linked to Infostealer infections
  • Attackers leverage stolen SSO logins for credential stuffing
  • Compromised firewalls act as proxy launch points
  • MFA gaps enable successful brute‑force attempts
  • Continuous identity monitoring essential for defense

Pulse Analysis

The recent campaign uncovered by Defused Cyber illustrates a maturing threat model where attackers bypass traditional perimeter defenses by buying real user credentials harvested by Infostealers such as RedLine, Raccoon, and Vidar. Instead of exploiting software bugs, threat actors aggregate browser‑saved SSO and ADFS logins from infected employee devices, sell them on underground markets, and then launch high‑volume credential‑stuffing attacks against corporate edge appliances like F5 BIG‑IP. This “identity as the new perimeter” approach turns stolen passwords into direct entry points, dramatically reducing the need for sophisticated exploit development.

The breach affected credentials from high‑profile organizations across the aerospace, pharmaceutical, telecom and law‑enforcement sectors, demonstrating that even well‑resourced enterprises are vulnerable when password reuse or weak multi‑factor authentication (MFA) persists. Defenders observed that a single compromised Fortinet firewall in Japan served as a proxy for the login attempts, so the hijacked network‑edge device both hid the attackers' origin and widened the attack surface. These findings compel security teams to move beyond patch management toward continuous identity monitoring, dark‑web exposure checks, and enforcing MFA on every SSO gateway, regardless of perceived internal trust.

Mitigation strategies now focus on reducing credential exposure at the source. Organizations should deploy endpoint detection and response solutions capable of identifying Infostealer activity, enforce strict browser credential storage policies, and regularly rotate privileged passwords. At the network level, zero‑trust architectures that require re‑authentication for each service, coupled with adaptive MFA that challenges anomalous login patterns, can thwart large‑scale stuffing attempts. Finally, threat‑intelligence sharing about compromised infrastructure, such as the hijacked FortiGate observed in this campaign, enables faster blocklisting and limits the use of compromised devices as attack proxies.
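As an added illustration of the detection side of the campaign described above (this is example code written for this page, not code from the original article, GBHackers, or Defused Cyber), the following Python script scans an SSO gateway's authentication log for the credential‑stuffing signature the analysis describes: one source trying many distinct accounts, with most attempts failing because the leaked passwords are stale. For each flagged source it also lists accounts that were reached successfully without a second factor, which is the MFA gap the takeaways point to. The log format, the thresholds, the account names and the IP addresses are constructed assumptions.

```python
"""Flag credential-stuffing sources in an SSO gateway authentication log.

Added example; not code from GBHackers, Defused Cyber or any gateway vendor.
The log format, thresholds, users and IPs below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (assumed format: time src_ip user result mfa).
# The mfa column is "mfa" when a second factor was verified, "-" otherwise.
# 203.0.113.10 plays the role of a hijacked edge device spraying accounts;
# 198.51.100.7 is a normal user who mistyped a password once.
SAMPLE_LOG = """\
2026-02-27T08:00:01Z 203.0.113.10 alice@corp.example FAIL -
2026-02-27T08:00:02Z 203.0.113.10 bob@corp.example FAIL -
2026-02-27T08:00:02Z 203.0.113.10 carol@corp.example FAIL -
2026-02-27T08:00:03Z 203.0.113.10 dave@corp.example SUCCESS -
2026-02-27T08:00:03Z 203.0.113.10 erin@corp.example FAIL -
2026-02-27T08:00:04Z 203.0.113.10 frank@corp.example FAIL -
2026-02-27T08:00:05Z 203.0.113.10 grace@corp.example SUCCESS mfa
2026-02-27T08:00:06Z 203.0.113.10 heidi@corp.example FAIL -
2026-02-27T08:01:00Z 198.51.100.7 alice@corp.example FAIL -
2026-02-27T08:01:05Z 198.51.100.7 alice@corp.example SUCCESS mfa
2026-02-27T08:02:00Z 192.0.2.44 bob@corp.example SUCCESS mfa
"""


@dataclass
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    success: bool
    mfa: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed whitespace-separated format; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, result, mfa = parts
        events.append(AuthEvent(ts, ip, user.lower(), result == "SUCCESS", mfa == "mfa"))
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    success_no_mfa: list = field(default_factory=list)  # accounts reached without MFA

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def summarize_by_source(events: list[AuthEvent]) -> dict[str, SourceStats]:
    """Aggregate attempts, failures, distinct accounts and MFA-less successes per IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e.src_ip]
        s.attempts += 1
        s.users.add(e.user)
        if e.success:
            if not e.mfa:
                s.success_no_mfa.append(e.user)
        else:
            s.failures += 1
    return dict(stats)


def find_stuffing_sources(events, min_attempts=5, min_users=5, min_fail_ratio=0.5):
    """Flag sources that spray many distinct accounts with mostly failures.

    A user who mistypes a password hits one account from one IP. A stuffing
    run from a hijacked edge device hits many accounts, usually once each,
    and fails on most of them because leaked passwords are stale or rotated.
    Thresholds are illustrative and should be tuned to the gateway's baseline.
    """
    flagged = []
    for ip, s in summarize_by_source(events).items():
        if (s.attempts >= min_attempts and len(s.users) >= min_users
                and s.fail_ratio >= min_fail_ratio):
            flagged.append({
                "src_ip": ip,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(s.fail_ratio, 2),
                "mfa_gap_accounts": sorted(s.success_no_mfa),
            })
    return sorted(flagged, key=lambda f: f["attempts"], reverse=True)


if __name__ == "__main__":
    for finding in find_stuffing_sources(parse_log(SAMPLE_LOG)):
        print(f"stuffing source {finding['src_ip']}: {finding['attempts']} attempts, "
              f"{finding['distinct_users']} accounts, fail ratio {finding['fail_ratio']}")
        for account in finding["mfa_gap_accounts"]:
            print(f"  MFA gap: {account} logged in from this source without a second factor")
```

On the constructed log only 203.0.113.10 is flagged (eight accounts, 75% failure) and dave@corp.example surfaces as the account that let a stolen password through without MFA; the legitimate retry from 198.51.100.7 stays below both the account-count and attempt thresholds. In production the same aggregation should run over sliding time windows so that low-and-slow spraying is not diluted by days of normal traffic, and the flagged source list is where the shared threat intelligence on hijacked edge devices, mentioned in the paragraph above, can be joined in for blocklisting.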
