
Credential stuffing attack with Sophos Firewall and Sophos Endpoint
Organization: Financial services industry, Commercial, USA
Solution: Sophos MDR, Sophos Firewall
Adversary behavior
The attack begins with the adversary logging in to the organization's Sophos Firewall VPN with credentials stolen from a different system; because the credentials are valid, the VPN cannot tell this login from the legitimate user's. The adversary then waits two weeks before continuing. From the VPN session, the attacker pivots to an endpoint protected by Sophos MDR. Once on the endpoint, the attacker executes a script that runs discovery commands and changes multiple passwords, positioning themselves to expand access and potentially deploy ransomware across the environment.
Threat detection
Sophos MDR generates a detection when WMIC (the Windows Management Instrumentation command-line tool) is used to remotely launch an executable from a suspicious directory, a pattern associated with ransomware staging. A case is automatically created and assigned to a Sophos MDR analyst for investigation.
Investigation
Following the investigation, the Sophos MDR analyst confirms the malicious activity and communicates their findings to the customer. By correlating VPN authentication logs with endpoint telemetry, the analyst uncovers the full attack chain: stolen credentials used for initial VPN access, a two-week dormancy period, lateral movement to a protected endpoint, and preparation for ransomware deployment. An active incident is initiated, and the Sophos MDR analyst executes response actions on the customer’s behalf to neutralize the threat.
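The two analytic steps described above, the WMIC detection from the Threat detection section and the VPN-to-endpoint correlation from the Investigation section, as an added Python example. This is not Sophos code and not the MDR team's actual logic; the log formats, hostnames, usernames, IP addresses and the list of "staging" directories are all constructed assumptions for illustration, and the rule would need tuning to a real environment.

```python
"""Added example (not Sophos code): flag remote WMIC process creation from a
staging directory in endpoint process telemetry, then walk the activity back
through logon events to the VPN session that delivered it.  Every event,
hostname and IP below is constructed for illustration."""
import re
from datetime import datetime, timedelta

# Assumption: directories users have no business launching tooling from.
SUSPICIOUS_DIRS = ("c:\\perflogs\\", "c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# wmic ... /node:<host> ... process call create "<exe>"  (quoted or bare path)
WMIC_REMOTE = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\s+(?:"([^"]+)"|(\S+))', re.I)
# Assumed SSL VPN log line layout (constructed; not a real Sophos Firewall format).
VPN_LINE = re.compile(r'^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) '
                      r'assigned=(?P<assigned>\S+) action=login$')

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_staging_path(path):
    return path.lower().startswith(SUSPICIOUS_DIRS)

def detect_wmic_staging(proc_events):
    """Two views of the same technique: the source host running wmic /node ...
    process call create against a staging path, and the target host where
    WmiPrvSE.exe spawns a child from such a path."""
    hits = []
    for ev in proc_events:
        m = WMIC_REMOTE.search(ev["cmdline"])
        if m and is_staging_path(m.group(1) or m.group(2)):
            hits.append({**ev, "target": m.group(1) or m.group(2),
                         "reason": "wmic remote process call create from staging dir"})
        elif ev["parent"].lower().endswith("wmiprvse.exe") and is_staging_path(ev["image"]):
            hits.append({**ev, "target": ev["image"],
                         "reason": "WmiPrvSE.exe child from staging dir"})
    return sorted(hits, key=lambda h: h["ts"])

def parse_vpn_logins(lines):
    rows = []
    for line in lines:
        m = VPN_LINE.match(line)
        if m:
            row = m.groupdict(); row["ts"] = parse_ts(row["ts"]); rows.append(row)
    return rows

def build_chain(hit, logons, vpn_logins, window=timedelta(hours=1)):
    """Endpoint hit -> remote logon on that host shortly before it -> VPN session
    that was assigned the logon's source address -> first login of that session's
    user from the same external IP.  Returns None if any link is missing."""
    t = parse_ts(hit["ts"])
    remote = [l for l in logons if l["host"] == hit["host"] and l["type"] in (3, 10)
              and t - window <= parse_ts(l["ts"]) <= t]
    if not remote:
        return None
    logon = max(remote, key=lambda l: l["ts"])
    sessions = [v for v in vpn_logins
                if v["assigned"] == logon["src_ip"] and v["ts"] <= parse_ts(logon["ts"])]
    if not sessions:
        return None
    sess = max(sessions, key=lambda v: v["ts"])
    first = min(v["ts"] for v in vpn_logins
                if v["user"] == sess["user"] and v["src"] == sess["src"])
    return {"vpn_user": sess["user"], "external_ip": sess["src"], "vpn_ip": sess["assigned"],
            "first_vpn_login": first, "lateral_movement": t,
            "dormancy_days": (t - first).days,
            "target_host": hit["host"], "staged_binary": hit["target"]}

# Constructed VPN log lines: one stolen account, a two-week gap, then a return.
VPN_LOG = [
    "2024-05-01T01:30:00Z vpn-gw sslvpn: user=jdoe src=203.0.113.45 assigned=10.20.5.44 action=login",
    "2024-05-02T09:00:01Z vpn-gw sslvpn: user=asmith src=198.51.100.7 assigned=10.20.5.45 action=login",
    "2024-05-15T01:58:40Z vpn-gw sslvpn: user=jdoe src=203.0.113.45 assigned=10.20.5.44 action=login",
]
# Constructed endpoint logon events (Security 4624 style; type 10 = RDP, 3 = network).
LOGONS = [
    {"ts": "2024-05-15T02:05:00Z", "host": "FS-WS-117", "user": "CORP\\asmith", "type": 2, "src_ip": "-"},
    {"ts": "2024-05-15T02:10:30Z", "host": "FS-WS-117", "user": "CORP\\jdoe", "type": 10, "src_ip": "10.20.5.44"},
    {"ts": "2024-05-15T02:11:05Z", "host": "FS-SRV-02", "user": "CORP\\jdoe", "type": 3, "src_ip": "10.20.5.117"},
]
# Constructed process-creation events (Sysmon Event ID 1 style).
PROC_EVENTS = [
    {"ts": "2024-05-15T01:00:00Z", "host": "FS-WS-117", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption"},
    {"ts": "2024-05-15T02:11:03Z", "host": "FS-WS-117", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:FS-SRV-02 /user:CORP\jdoe process call create "C:\PerfLogs\stage.exe"'},
    {"ts": "2024-05-15T02:11:06Z", "host": "FS-SRV-02", "user": "CORP\\jdoe",
     "image": r"C:\PerfLogs\stage.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\PerfLogs\stage.exe"},
]

def investigate(proc_events=PROC_EVENTS, logons=LOGONS, vpn_lines=VPN_LOG):
    vpn = parse_vpn_logins(vpn_lines)
    hits = detect_wmic_staging(proc_events)
    return [(h, build_chain(h, logons, vpn)) for h in hits]

if __name__ == "__main__":
    for hit, chain in investigate():
        print(hit["ts"], hit["host"], hit["reason"], "->", chain)
```

With the constructed data the benign local `wmic os get caption` is ignored, the workstation-side `wmic /node:` call and the server-side `WmiPrvSE.exe` child both fire, and only the workstation hit correlates straight back to a VPN session (the server hit's logon came from the workstation, not the VPN address, so its chain is `None` and has to be joined through the first hit). The chain surfaces the external source address, which is the input an analyst would feed to a firewall block, and the dormancy in days between first login and lateral movement.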
Response
The MDR analyst uses the Sophos Active Threat Response feature, creating 'threat indicators' on the Sophos Firewall to block the malicious IP addresses. The analyst also removes the malicious binaries from the endpoint and recommends resetting user credentials (including the stolen account and the accounts whose passwords the attacker changed) and upgrading the VPN gateway. The case is closed less than four hours after initial detection, preventing ransomware deployment and eliminating the attacker's foothold at both the network and endpoint layers.