By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: ColorTokensPublished October 9, 2025

TL;DR: Cisco firewall flaws, SonicWall VPN abuse, SVG phishing, and exposed healthcare databases show a common pattern: attackers exploit entry points, then move laterally, disable protections, and steal data, according to ColorTokens. The decisive control is limiting blast radius, because perimeter failure becomes survivable only when internal movement is contained.


At a glance

What this is: This is a ransomware protection advisory arguing that modern intrusions succeed by combining initial access with lateral movement, credential abuse, and internal visibility gaps.

Why it matters: It matters because IAM, PAM, and NHI teams must treat stolen credentials, VPN access, and exposed internal trust paths as part of the same containment problem.

By the numbers:

  • The U.S. government even issued an emergency directive, urging agencies to patch or disconnect vulnerable devices within 24 hours.

👉 Read ColorTokens' ransomware protection advisory on Cisco flaws and SonicWall breaches


Context

Ransomware operations rarely end at the point of entry. The operational problem is that exposed VPNs, stolen credentials, and flat internal networks let attackers convert a single foothold into broad access, data theft, and defensive blind spots. For identity and access teams, that means the real control failure is often downstream from authentication, not at the login screen.

In this advisory, ColorTokens ties multiple incidents to the same governance gap: organisations still rely on perimeter controls and assume internal trust will slow attackers. Where that trust includes service accounts, VPN credentials, or other non-human identity pathways, the blast radius can expand faster than patching or alerting can respond.


Key questions

Q: What breaks when a compromised VPN or firewall account still has broad internal access?

A: A single exposed credential or device can become a full breach when it can reach backup servers, directory services, and endpoint management tools without friction. The failure is not only initial access. It is the absence of internal containment, which lets attackers harvest more credentials, disable controls, and expand into systems that should have been isolated.

Q: Why do stolen credentials and OTP seeds still defeat MFA in real incidents?

A: MFA fails when the attacker already controls the secret material that the second factor depends on. In that situation, the system is verifying a compromised identity rather than a legitimate one. The right response is to rotate the underlying secrets, invalidate recovery paths, and reduce how long any authenticator remains usable.

Q: What do security teams get wrong about lateral movement prevention?

A: They often treat lateral movement as a detection problem when it is also a design problem. If internal protocols stay open, control planes stay reachable, and privileged identities stay broad, the attacker still has room to move even when alerts fire. Prevention alone is incomplete unless the network itself limits travel.

Q: How should organisations contain ransomware when exposed devices and stolen credentials are both in play?

A: They should combine rapid edge remediation with internal compartmentalisation. Patch or disconnect exposed devices, then isolate backup, identity, and management systems so compromised access cannot cascade. That approach reduces the chance that one breach path becomes a multi-system incident.


Technical breakdown

VPN entry points and unauthenticated exposure

The advisory highlights a common pattern in perimeter compromise: internet-facing VPN and firewall services become the first stable foothold when authentication is bypassed or credentials are already exposed elsewhere. Once a device is reachable from the internet, the attacker does not need to be sophisticated at the outset. They need a path that is still live, still trusted, and still connected to internal resources. That is why exposed edge infrastructure is a governance issue as much as a vulnerability issue. The business problem is not just code execution. It is whether that entry path leads directly into trusted internal zones and identity-bearing services.

Practical implication: prioritize exposure reduction and rapid patching for externally reachable access devices before treating the issue as a routine vulnerability backlog.

Why stolen credentials and OTP seeds still defeat MFA

The SonicWall example shows that MFA can fail when attackers already possess the underlying identity material, such as stolen credentials or OTP seeds from earlier breaches. In those cases, the control is not bypassed in a technical sense. It is operating on compromised inputs. That matters for NHI and IAM programmes because the same failure mode appears in service accounts, API keys, and delegated access chains. If the secret or seed is exposed, the trust decision made at authentication time is already corrupted. Security teams therefore need to think in terms of authenticator lifecycle and reuse, not just MFA presence.

Practical implication: treat OTP seed recovery, credential reuse, and authenticating secret exposure as lifecycle risks that require rotation and revocation, not just MFA deployment.

Microsegmentation as a containment control for post-compromise movement

Microsegmentation works by breaking the assumption that any authenticated session can move freely once inside the network. That assumption is exactly what lateral movement attackers exploit when they use tools such as directory queries, remote administration, and credential harvesting to expand access. For identity teams, the deeper issue is that standing privilege and broad internal reach often let a compromised account behave like a trusted operator. Microsegmentation constrains the network layer, but it is most effective when paired with identity scoping, service account segmentation, and privilege reduction. Containment is the control objective when prevention fails.

Practical implication: align segmentation boundaries with identity and privilege boundaries so that a compromised credential cannot open broad internal reach.


Threat narrative

Attacker objective: The objective is to turn a single external foothold into persistent internal access that supports ransomware, theft, mining, and defensive evasion.

  1. Entry occurs through exposed firewall and VPN interfaces, or through phishing files that launch malware on the endpoint.
  2. Credential access follows when attackers use stolen credentials, OTP seeds, or browser and directory tools to harvest additional access.
  3. Escalation and lateral movement happen as attackers query directory services, target backup servers, and disable endpoint protection to widen control.
  4. Impact is achieved through persistent malware, data exfiltration, crypto mining, and broad compromise across internal systems.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Perimeter compromise is now an identity problem, not just a network problem. When VPNs and firewalls remain exposed, they become trusted authentication paths into the enterprise, and that trust is exactly what attackers convert into lateral movement. The control question is no longer whether the edge can be attacked, but whether identity-bound access inside the environment is narrowly enough scoped to fail safely. Practitioners should treat exposed remote access as a cross-domain IAM and resilience issue, not a siloed infrastructure ticket.

Stolen MFA inputs collapse the assumption that authentication proves legitimacy. The SonicWall example shows that possession of a valid seed or reused credential can make MFA irrelevant because the verification step is already compromised. This is a strong argument for tighter authenticator lifecycle management, especially where service accounts, tokens, and recovery factors persist longer than intended. Practitioners should assume that authentication strength is only as good as secret hygiene and revocation discipline.

Microsegmentation is increasingly a blast-radius control for identity failures. Once attackers obtain a working account, the deciding factor becomes how far that account can move before it is contained. That is why segmentation, privilege minimisation, and internal authentication boundaries should be designed together. Practitioners should measure not only initial access resistance, but the distance a compromised identity can travel after first use.

Continuous detection is not enough when post-compromise tooling is commodity-grade. The advisory names BloodHound, Impacket, dsquery, and remote management techniques that are built for fast discovery and expansion. Those tools are effective because many environments still preserve broad internal trust for administrators and service accounts. Practitioners should focus on removing standing reach and mapping the internal paths an attacker would actually use.

Ransomware resilience now depends on governance of non-human identity pathways. Where attackers pivot through backup servers, directories, APIs, and machine-access channels, the enterprise is really facing NHI sprawl under pressure. Blast-radius containment: the specific failure mode this advisory exposes, where one exposed access path turns into enterprise-wide movement because internal identity boundaries are too loose. Practitioners should use that concept to prioritise which access paths need the fastest redesign.

From our research:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The Secret Sprawl Challenge.
  • 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
  • That pattern makes The 52 NHI breaches Report the natural next reference for teams mapping where exposed credentials turn into real-world compromise.

What this signals

Credential exposure and lateral movement are converging into one governance problem. The operational boundary is no longer between perimeter security and identity security, because exposed access devices and stolen authenticator material now serve the same attack chain. Teams that still separate network containment from access governance will miss where the breach actually becomes operationally expensive.

Identity boundary design needs to reach beyond users and into machine-access paths. Backup systems, directory services, and management planes are often protected by long-lived service identities that behave like hidden privileged users. That is why the most durable control is to reduce the internal reach of those identities before an attacker can reuse them across systems.

Hardcoded secret exposure is still accelerating across the wider ecosystem. Our research on secrets sprawl shows 28.65 million new hardcoded secrets in public GitHub commits in 2025 alone, a pace that reinforces why containment must assume credentials will leak. The programme implication is clear: discovery, revocation, and segmentation need to operate as one workflow, not three separate projects.


For practitioners

  • Reduce exposed edge access immediately Inventory internet-facing VPN, firewall, and remote administration services, then prioritize patching, isolation, or removal for anything still reachable from the public internet. Treat exposed access devices as entry amplifiers, not routine assets, and validate whether each one still needs to be externally reachable.
  • Reset and rotate credentials tied to VPN and MFA recovery Force credential resets where OTP seeds, reused passwords, or recovery factors could have been harvested in prior incidents. Include administrative accounts, remote access identities, and any shared credentials that bridge remote connectivity into internal systems.
  • Segment backup, directory, and endpoint-management paths Place backup servers, directory services, and endpoint control planes into tighter network and identity boundaries so a compromised session cannot reach them by default. Use separate trust zones and review whether service accounts have more reach than their task requires.
  • Monitor for post-compromise tooling and discovery activity Look for BloodHound, Impacket, dsquery, unusual SMB and RDP activity, and abnormal authentication to backup or management systems. These signals often indicate that the attacker has moved beyond entry and is mapping internal trust relationships.
  • Treat healthcare and high-data environments as containment priorities For environments holding regulated records, test whether internal access paths can be confined quickly after one account is compromised. Validate that sensitive data stores and administrative systems are not reachable through flat network paths or overbroad service identities.

Key takeaways

  • This advisory shows that ransomware succeeds when external exposure is paired with weak internal containment, not when perimeter controls fail in isolation.
  • Stolen credentials, OTP seeds, and overbroad internal access turn MFA and patching into incomplete defences if the underlying identity paths remain reusable.
  • Practitioners should prioritise segmentation, secret rotation, and access-path reduction around the systems attackers actually target after first entry.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Internal access scoping and segmentation are central to stopping lateral movement.
NIST SP 800-53 Rev 5AC-6Least privilege is the core control for limiting how far compromised identities can move.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , ImpactThe advisory follows credential abuse into internal spread and operational disruption.
CIS Controls v8CIS-6 , Access Control ManagementAccess control management directly addresses the overbroad trust paths used here.

Use ATT&CK to map exposed edge devices, stolen secrets, and internal propagation to concrete detection and containment gaps.


Key terms

  • Lateral Movement: Lateral movement is the phase of an attack where an intruder expands from the first compromised system into other internal assets. It usually relies on valid credentials, weak segmentation, or overbroad trust, which is why containment matters as much as initial detection.
  • Microsegmentation: Microsegmentation is the practice of dividing networks and workloads into small, tightly controlled trust zones. It limits how far a compromised identity or device can travel, reducing the blast radius of a breach even when the attacker has already gained a foothold.
  • Authenticator Lifecycle Management: Authenticator lifecycle management is the governance of a credential from issuance to renewal, replacement, and retirement. For human identity programmes, it ensures that keys, smart cards, and certificates stay tied to the right user and are removed when the user, role, or device is no longer trusted.
  • Blast Radius: Blast radius is the amount of damage a compromise can cause before it is contained. In identity-heavy environments, it is shaped by privilege scope, internal trust, segmentation, and the reach of service accounts as much as by endpoint or perimeter controls.

What's in the full article

ColorTokens' full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on containing lateral movement with microsegmentation across hybrid environments.
  • Specific remediation actions for Cisco ASA/FTD and SonicWall VPN exposure, including prioritisation logic.
  • Practical indicators for spotting post-compromise activity such as RDP, SMB, BloodHound, Impacket, and dsquery usage.
  • Examples of how the advisory connects internal visibility gaps to ransomware spread and data theft.

👉 ColorTokens' full advisory covers the attack paths, containment actions, and post-compromise signals in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to operational containment and lifecycle discipline.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org