Credential-Stuffing Attacks Target Corporate SSO Systems via Infostealer-Mined Logins A surge in credential-stuffing attacks is targeting corporate Single Sign-On (SSO) systems, with recent campaigns focusing on F5 BIG-IP devices. Security firm Defused Cyber analyzed 70 unique email-password pairs used in the attacks, finding that 77% (54 credentials) matched data from Infostealer infections malware like RedLine, Raccoon, and Vidar that harvests browser-saved logins from compromised employee devices. The attacks, first detected by Defused Cyber’s honeypots, involved malicious authentication attempts from a Japanese IP (219.75.254.166, AS17511, OPTAGE Inc.). Threat actors repurposed stolen credentials to bypass defenses, targeting corporate portals such as ADFS, OWA, and STS, often exploiting weak multi-factor authentication (MFA) enforcement or password reuse. The campaign highlights an industrialized "log-to-lead" pipeline: 1. Infection: Employees’ devices are compromised by Infostealers, which exfiltrate stored credentials. 2. Marketplace: Stolen logs are sold on underground forums to Initial Access Brokers (IABs). 3. Front-Door Bypass: Attackers use valid credentials to access corporate systems like F5 BIG-IP, leveraging their role in authentication. 4. Network Compromise: Legitimate logins grant direct access, bypassing traditional security measures. Compromised credentials linked to high-profile organizations were identified, including Rolls-Royce, Johnson & Johnson, Ericsson, Deloitte, Belgian and Queensland Police, Majid Al Futtaim, Cellebrite, Doka, and Turkey’s Ministry of Trade. The attacks cast a wide net, relying on volume to exploit gaps in MFA or user fatigue. Further investigation revealed the attacks originated from a compromised Fortinet FortiGate-60E firewall hosted by OPTAGE Inc., exposing open ports (541/tcp, 10443/tcp) with a self-signed SSL certificate. This indicates attackers are hijacking network edge devices to launch assaults, turning one organization’s infrastructure into an attack proxy for another. The campaign underscores a shift in cybercriminal tactics from exploiting vulnerabilities to abusing legitimate authentication emphasizing the growing threat of identity-based attacks.