
Infostealers Fuel Significant Brute-Force Attacks on Corporate SSO Gateways Using Stolen Credentials


The cybersecurity landscape is currently facing a significant surge in credential-stuffing attacks specifically targeting corporate Single Sign-On (SSO) systems, with recent campaigns zeroing in on F5 BIG-IP devices. This alarming trend underscores the increasingly sophisticated methods employed by cybercriminals, necessitating urgent attention from cybersecurity professionals and organizations alike.

In an effort to unravel the origins of these stolen credentials, the investigative firm Defused Cyber undertook an analysis of a dataset consisting of 70 unique email-password pairs utilized in these attacks. Remarkably, when these pairs were cross-referenced with Hudson Rock’s cybercrime database, a staggering 54 of the credentials—equating to 77%—were confirmed as matches. This correlation points to a clear link between data harvested from Infostealer infections and brute-force attempts aimed at corporate SSO infrastructure.

It is crucial to note that the credentials used in these nefarious activities were not directly pilfered from F5 systems. Instead, they were extracted from compromised employee devices that had fallen victim to malware such as RedLine, Raccoon, or Vidar. These malicious programs are notorious for collecting browser-stored credentials, thereby creating a treasure trove of login information for attackers.

The activity was first detected by Defused Cyber, whose honeypots captured malicious POST requests attempting to authenticate using what appeared to be legitimate enterprise credentials. One notable instance of these attacks originated from IP address 219.75.254.166, associated with OPTAGE Inc. in Japan.

Following the path of these threats, it becomes evident that threat actors are adeptly repurposing credentials for large-scale credential stuffing targeting various corporate portals, including Active Directory Federation Services (ADFS), Outlook Web Access (OWA), and Security Token Services (STS). It is clear that these attackers are counting on a combination of password reuse and inadequate multi-factor authentication (MFA) enforcement to achieve their objectives.

Defused Cyber elaborated on this campaign, labeling it a reflection of a larger industrialized process where identity theft serves as the principal entry point for attackers. The “Log-to-Lead” pipeline consists of several stages:

  1. Infection: An employee’s system becomes infected with an Infostealer, which silently exfiltrates browser-stored credentials, including SSO and ADFS logins.
  2. Marketplace: The stolen logs are aggregated and subsequently sold on underground markets to Initial Access Brokers (IABs).
  3. Front-Door Bypass: Armed with these credentials, attackers target corporate edge systems like F5 BIG-IP, exploiting their role in authentication.
  4. Network Compromise: With valid credentials, attackers are able to gain direct access through logging in rather than hacking in.

This model of “identity as the new perimeter” illustrates the alarming ease with which attackers can penetrate what were once considered secure defenses. Visual confirmations of compromised credentials have emerged from various organizations, including Doka, the Belgian Police, Ericsson, and Majid Al Futtaim.

Analysis of these attempted logins revealed that employee credentials from a range of prominent enterprises and government entities were included in the payloads. Affected domains spanned various sectors, showcasing the widespread nature of this threat:

  • Rolls-Royce (Aerospace & Defense)
  • Johnson & Johnson (Pharmaceuticals)
  • Ericsson (Telecommunications)
  • Deloitte (Professional Services)
  • Belgian Police (Law Enforcement)

The attackers appear to be relying on sheer volume and statistical odds, casting a wide net across many high-value targets and counting on at least one credential pair belonging to an account where MFA is not enforced, or on triggering MFA fatigue in the account owner.

Unfortunately, cybersecurity defenders can no longer rely solely on traditional measures like patch management or device hardening. To fend off these sophisticated attacks, continuous identity monitoring is essential. Organizations must also engage in dark-web exposure tracking and enforce strict MFA policies across all points of perimeter access.
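One way a defender can surface this pattern in gateway authentication logs, as an added example that is not part of the original article or of Defused Cyber's tooling (the log format, IP addresses, accounts and thresholds are constructed assumptions):

```python
# Added example (not from the original article, Defused Cyber or F5): flag
# credential-stuffing sources in SSO gateway auth logs. Assumed log format:
# "<ts> <src_ip> <email> <OK|FAIL>"; thresholds below are assumptions too.
from collections import defaultdict

# Constructed sample: 198.51.100.7 tries one stolen pair per account across
# several email domains; 203.0.113.5 is a real user who mistyped once.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 198.51.100.7 alice@example.com FAIL
2024-05-01T10:00:02Z 198.51.100.7 bob@example.org FAIL
2024-05-01T10:00:03Z 198.51.100.7 carol@example.net FAIL
2024-05-01T10:00:04Z 198.51.100.7 dave@example.com FAIL
2024-05-01T10:00:06Z 198.51.100.7 frank@example.com OK
2024-05-01T10:01:00Z 203.0.113.5 grace@example.com FAIL
2024-05-01T10:01:45Z 203.0.113.5 grace@example.com OK
"""

def collect(log_text):
    """Aggregate per-source attempt counts, failures, users and successes."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "successes": set()})
    for line in filter(None, log_text.splitlines()):
        _ts, src, user, result = line.split()
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user.lower())
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(user.lower())
    return stats

def stuffing_sources(log_text, min_users=5, min_fail_ratio=0.7):
    """Return {src_ip: findings} for sources that try many distinct accounts
    and mostly fail: stolen-log stuffing, not one user mistyping a password."""
    flagged = {}
    for src, s in collect(log_text).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) < min_users or fail_ratio < min_fail_ratio:
            continue
        flagged[src] = {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            # many email domains hitting one gateway is a stuffing signature
            "distinct_domains": len({u.split("@")[-1] for u in s["users"]}),
            "fail_ratio": round(fail_ratio, 2),
            # credentials that worked from a stuffing source: force a reset
            "compromised": sorted(s["successes"]),
        }
    return flagged
```

The `compromised` list is the actionable output: a valid login from a source that is otherwise spraying failures is the "one credential pair" the article describes the attackers banking on, and it should trigger a password reset and MFA review rather than be treated as a normal sign-in.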

Additionally, deeper analysis of the source IP uncovered a compromised Fortinet FortiGate-60E firewall hosted by OPTAGE Inc. in Japan. The device was exposing services on open ports and presenting a self-signed SSL certificate. This indicates that attackers may be launching their attempts from hijacked network edge devices, effectively turning one organization’s firewall into another’s attack proxy—a concerning development that illustrates the evolving nature of cybercriminal operations.

In summary, this ongoing campaign highlights a significant paradigm shift in how cybercriminals conduct their operations. Instead of breaching networks via vulnerabilities, they now exploit Infostealer logs containing real corporate credentials, utilizing them in extensive brute-force campaigns. As attackers increasingly focus on authentication abuse, the necessity for robust cybersecurity measures becomes all the more critical.
