Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others
Summary
A cybercriminal group tracked as Storm-2561 is impersonating legitimate enterprise VPN clients from vendors such as Cisco, Fortinet, and Check Point. The attackers trick victims into downloading these fake clients, which are designed to steal their credentials. After obtaining the credentials, the attackers reportedly redirect victims to the legitimate vendor download pages to further conceal the malicious activity.
IFF Assessment
This is bad news for defenders: it is a sophisticated social engineering tactic that abuses trust in widely used enterprise security tools to steal credentials.
Defender Context
Defenders need to be aware of this credential-stealing technique, which leverages trust in established VPN vendors. Organizations should educate users about the risks of downloading software from unofficial sources and implement multi-factor authentication to limit the impact of a credential compromise.