Credential Attack Campaigns Against Security Vendors Expose Risk in Trusted Infrastructure
Large-scale credential attacks are targeting security vendors' devices and infrastructure, putting downstream customers at risk. Unit 42 has published mitigation guidance while these campaigns remain active.
Affected
Unit 42 has identified a coordinated campaign targeting credential systems within security vendor environments. Rather than attacking end-customer networks directly, threat actors are focusing on vendors' own infrastructure and device management platforms, a strategy that amplifies impact across entire customer bases. This reflects a shift in attacker targeting logic: compromise the trusted intermediary to gain privileged access to protected networks.
The technical approach likely combines password spraying, credential stuffing, and exploitation of weak authentication controls on vendor appliances and cloud management consoles. Security vendors present attractive targets because their devices sit at network perimeters and management boundaries, giving attackers access to traffic inspection, logging systems, and cross-customer visibility. Many organisations maintain less rigorous security hygiene around vendor infrastructure than their own production systems, assuming that purchased security solutions come hardened.
This campaign affects a broad customer base indirectly. Any organisation using affected vendors' products may have been exposed to reconnaissance, data exfiltration, or lateral movement depending on attacker persistence and objectives. The risk extends to managed security service providers and large enterprise customers who depend on vendor infrastructure for threat intelligence and incident response coordination.
Defenders should prioritise multi-factor authentication enforcement on all vendor console access, implement strict network segmentation between vendor management interfaces and production systems, and audit authentication logs for anomalous access patterns. Organisations should also verify that vendors themselves maintain adequate credential hygiene and rotate administrative credentials following any suspected compromise.
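The two patterns named above, password spraying and credential stuffing against a vendor console (the technique paragraph) and auditing authentication logs for anomalous access (the mitigation paragraph), can be checked with a small detector like the one below. This is an added example written for this page; it is not Unit 42's tooling nor any vendor's product code. The log line format, the sample entries, the source addresses and the thresholds (10-minute window, 5 distinct accounts, 3 prior failures) are all constructed assumptions; adapt the regex and thresholds to the console export you actually have.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a vendor console authentication log (assumed format,
# not any real product's schema). 203.0.113.10 sprays six accounts and then
# logs in as "frank"; 198.51.100.7 is a user who mistypes once; 192.0.2.5 is clean.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth result=FAIL user=alice src=203.0.113.10
2024-05-01T10:00:02Z auth result=FAIL user=bob src=203.0.113.10
2024-05-01T10:00:03Z auth result=FAIL user=carol src=203.0.113.10
2024-05-01T10:00:04Z auth result=FAIL user=dave src=203.0.113.10
2024-05-01T10:00:05Z auth result=FAIL user=erin src=203.0.113.10
2024-05-01T10:00:06Z auth result=FAIL user=frank src=203.0.113.10
2024-05-01T10:00:30Z auth result=OK user=frank src=203.0.113.10
2024-05-01T10:01:00Z auth result=FAIL user=grace src=198.51.100.7
2024-05-01T10:01:05Z auth result=OK user=grace src=198.51.100.7
2024-05-01T10:02:00Z auth result=OK user=heidi src=192.0.2.5
"""

# Assumed line layout: "<ISO timestamp> auth result=<OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into time-ordered event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Password-spray indicator: one source failing against many distinct accounts
    inside a sliding time window. Returns {src: max distinct accounts seen}."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def detect_success_after_burst(events, window=timedelta(minutes=10), min_fails=3):
    """Likely-compromise indicator: a successful login from a source that produced
    at least min_fails failures within the preceding window. Returns
    [(src, user, failures_before_success), ...]."""
    recent = defaultdict(list)  # src -> timestamps of recent failures
    hits = []
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if e["result"] == "FAIL":
            q.append(e["ts"])
        elif len(q) >= min_fails:
            hits.append((e["src"], e["user"], len(q)))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("success after burst:", detect_success_after_burst(evs))
```

On the constructed sample the spray check flags only 203.0.113.10 (six distinct accounts inside the window), and the burst check flags its later success as "frank" while leaving the single-typo user alone. The second detector is the one worth alerting on: a spray that ends in a success is exactly the console-takeover event the mitigation paragraph is trying to catch, and it is the point at which administrative credentials on that console should be rotated.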
This campaign underscores a structural vulnerability in modern security architecture: defenders rely on vendors they cannot fully audit, creating an asymmetric trust relationship that attackers actively exploit. The shift toward supply-chain compromise will likely continue as security around end-customer networks improves, making trusted intermediaries increasingly valuable targets.
Sources