Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials


The cybersecurity community is witnessing a rise in credential‑stuffing attacks targeting corporate Single Sign‑On (SSO) systems, with recent campaigns focusing on F5 BIG‑IP devices.

To understand the source of the stolen logins, Defused Cyber analyzed a dataset of 70 unique email‑password pairs used in the attack.

When cross‑referenced with Hudson Rock’s cybercrime database of Infostealer infections, 54 of the credentials (77%) were confirmed matches, a clear link between Infostealer‑harvested data and brute‑force attempts on corporate SSO infrastructure.

The credentials weren’t stolen from F5 systems directly. Instead, they were extracted from compromised employee devices infected with malware such as RedLine, Raccoon, or Vidar, which collect browser‑saved credentials.

The activity was first identified by Defused Cyber, whose honeypots captured malicious POST requests attempting to authenticate using seemingly legitimate enterprise credentials. One notable attack originated from IP 219.75.254.166 (AS17511, OPTAGE Inc., Japan).

Threat actors then repurpose these for large‑scale credential stuffing against corporate portals like ADFS, OWA, and STS, counting on password reuse or weak MFA enforcement.

The “Log‑to‑Lead” Pipeline

This campaign reflects a larger industrialized process where identity theft becomes the main point of entry:

  1. Infection: An employee’s system is infected by an Infostealer. Browser‑stored credentials, including SSO and ADFS logins, are silently exfiltrated.
  2. Marketplace: Logs are aggregated and sold on underground markets to Initial Access Brokers (IABs).
  3. Front‑Door Bypass: Attackers repurpose those credentials against corporate edge systems like F5 BIG‑IP, exploiting their role in authentication.
  4. Network Compromise: Valid credentials allow direct access: logging in, not hacking in.

This “identity as the new perimeter” model illustrates how attackers bypass technical defenses by exploiting password equivalence across multiple systems. The report includes visual confirmations of the compromised credentials for Doka, the Belgian Police, Ericsson, and Majid Al Futtaim:

Evidence of Infostealer infection linked to Belgian Police credentials (Source : Infostealers).

Analysis revealed that employee credentials from major enterprises and government entities were part of the attempted login payload. Affected domains included:

| Organization | Sector | Compromised Domain |
| --- | --- | --- |
| Rolls‑Royce | Aerospace & Defense | @ps.rolls-royce.com |
| Johnson & Johnson | Pharmaceuticals | @its.jnj.com |
| Ericsson | Telecommunications | @ericsson.com |
| Deloitte | Professional Services | @deloitte.com |
| Belgian Police | Law Enforcement | @police.belgium.eu |
| Queensland Police | Law Enforcement | @police.qld.gov.au |
| Majid Al Futtaim | Retail / Conglomerate | @maf.ae |
| Cellebrite | Digital Intelligence | @cellebrite.com |
| Doka | Engineering | @doka.com |
| Turkish Ministry of Trade | Government | @ticaret.gov.tr |

These findings suggest attackers are relying on sheer volume and statistical success, casting a wide net across multiple high‑value targets and expecting at least one credential pair to bypass MFA or trigger user fatigue.

Defenders can no longer rely solely on patch management or device hardening. Protection now demands continuous identity monitoring, dark‑web exposure tracking, and strict MFA enforcement across all perimeter access points.
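One way to turn the two observations above (one source IP cycling through many organisations' accounts, and a large share of those accounts already sitting in stealer logs) into detection logic, as an added example that is not code from Defused Cyber, Hudson Rock or F5: the audit-log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed format (not from the article or any vendor):
#   "<ISO-8601 UTC timestamp> src=<ip> user=<email> result=<fail|ok>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=a.smith@example.com result=fail
2024-05-01T10:00:02Z src=203.0.113.7 user=b.jones@example.org result=fail
2024-05-01T10:00:04Z src=203.0.113.7 user=c.wu@example.net result=fail
2024-05-01T10:00:05Z src=203.0.113.7 user=d.lee@example.com result=fail
2024-05-01T10:00:07Z src=203.0.113.7 user=e.kim@example.edu result=ok
2024-05-01T10:02:00Z src=198.51.100.9 user=f.ray@example.com result=fail
2024-05-01T10:02:30Z src=198.51.100.9 user=f.ray@example.com result=ok
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse audit lines into dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5), min_users=4, min_domains=2):
    """Flag source IPs trying >= min_users distinct accounts across >= min_domains e-mail
    domains inside one sliding window: a mistyped password hits one account in one domain."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"].lower() for e in in_win}
            domains = {u.rsplit("@", 1)[-1] for u in users}
            if len(users) >= min_users and len(domains) >= min_domains:
                flagged[src] = {"users": len(users), "domains": len(domains),
                                "successes": sum(e["result"] == "ok" for e in in_win)}
                break  # one verdict per source is enough; stop at the first hit
    return flagged

def exposure_overlap(events, known_exposed):
    """Share of distinct attempted accounts already in a set known to appear in stealer logs."""
    attempted = {e["user"].lower() for e in events}
    return len(attempted & known_exposed) / len(attempted) if attempted else 0.0
```

A flagged source with at least one success is the case to escalate first: that is a valid stolen credential being used, not a guess.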

Hijacked Infrastructure as Attack Proxies

Further analysis of the source IP revealed a compromised Fortinet FortiGate‑60E firewall hosted by OPTAGE Inc., Japan.

The device exposed open ports 541/tcp and 10443/tcp and used a self‑signed SSL certificate. This suggests attackers may be launching attacks from hijacked network edge devices, effectively turning one organization’s firewall into another’s attack proxy.

This campaign demonstrates how cybercriminal operations have evolved from exploitation to authentication abuse.

Instead of breaching networks via vulnerabilities, attackers purchase Infostealer logs containing real corporate credentials and deploy them in large‑scale brute‑force campaigns.
