AI-Assisted Campaign Compromises 600+ FortiGate Devices Globally
These articles are AI-generated summaries. Please check the original sources for full details.
AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries
Amazon Threat Intelligence identified a Russian-speaking threat actor using commercial generative AI to scale attacks against FortiGate appliances. The campaign successfully breached over 600 devices in 55 countries by exploiting fundamental security gaps rather than zero-day vulnerabilities.
Why This Matters
This incident highlights the emergence of an AI-powered assembly line for cybercrime, in which low-skill actors reach the operational scale previously associated with state-sponsored groups. While defensive thinking tends to focus on sophisticated adversaries, this campaign showed that AI lets even novice attackers systematically exploit basic hygiene failures, such as exposed management ports (443, 8443) and single-factor authentication, across 55 countries.
Key Insights
- Amazon Threat Intelligence tracked the AI-augmented campaign between January 11 and February 18, 2026.
- The threat actor utilized commercial generative AI for tool development, attack planning, and command generation to bridge technical skill gaps.
- Reconnaissance involved automated mass scanning of FortiGate ports 443, 8443, 10443, and 4443 from IP address 212.11.64[.]250.
- Post-exploitation activities included DCSync attacks for domain compromise and lateral movement via pass-the-hash and NTLM relay.
- Targeting of Veeam Backup & Replication servers was observed, including exploitation of known vulnerabilities such as CVE-2023-27532 and CVE-2024-40711.
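The reconnaissance pattern described above (one source sweeping the FortiGate management and SSL-VPN ports across many devices) is straightforward to surface from firewall traffic logs. The following detector is an added example, not code from the report or from Amazon Threat Intelligence; the log lines are constructed in FortiOS key=value style, the thresholds are assumptions to tune per environment, and nothing here depends on the real attacker infrastructure.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiGate management / SSL-VPN ports named in the report.
MGMT_PORTS = {443, 8443, 10443, 4443}

# Constructed sample lines in FortiOS traffic-log style (not real telemetry).
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:05 srcip=203.0.113.10 dstip=198.51.100.5 dstport=443 action=deny
date=2026-01-12 time=03:14:06 srcip=203.0.113.10 dstip=198.51.100.5 dstport=8443 action=deny
date=2026-01-12 time=03:14:06 srcip=203.0.113.10 dstip=198.51.100.6 dstport=10443 action=deny
date=2026-01-12 time=03:14:07 srcip=203.0.113.10 dstip=198.51.100.7 dstport=4443 action=deny
date=2026-01-12 time=03:14:08 srcip=203.0.113.10 dstip=198.51.100.8 dstport=443 action=accept
date=2026-01-12 time=03:20:00 srcip=192.0.2.44 dstip=198.51.100.5 dstport=443 action=accept
date=2026-01-12 time=09:00:00 srcip=192.0.2.44 dstip=198.51.100.5 dstport=443 action=accept
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Parse one key=value log line into (timestamp, srcip, dstip, dstport)."""
    f = dict(KV.findall(line))
    ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
    return ts, f["srcip"], f["dstip"], int(f["dstport"])

def find_mgmt_scanners(log_text, window=timedelta(minutes=10), min_ports=3, min_hosts=5):
    """Return {srcip: (ports, hosts)} for sources that, within one sliding window,
    touched at least `min_ports` distinct management ports or at least `min_hosts`
    distinct destinations on those ports. Thresholds are assumed starting values."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        if port in MGMT_PORTS:
            events[src].append((ts, dst, port))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            inwin = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {p for _, _, p in inwin}
            hosts = {d for _, d, _ in inwin}
            if len(ports) >= min_ports or len(hosts) >= min_hosts:
                hits[src] = (ports, hosts)
                break
    return hits

if __name__ == "__main__":
    for src, (ports, hosts) in find_mgmt_scanners(SAMPLE_LOGS).items():
        print(f"{src}: {len(ports)} mgmt ports across {len(hosts)} hosts")
```

The single admin source (192.0.2.44) that reaches one device on 443 twice, hours apart, is not flagged; the sweeping source is.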
Practical Applications
- Infrastructure Hardening: Disable internet-facing FortiGate management interfaces and enforce multi-factor authentication for all VPN access. Pitfall: Relying on single-factor authentication allows AI-driven credential stuffing to succeed rapidly.
- Backup Protection: Isolate backup infrastructure from the general network and monitor for unauthorized access to Veeam servers. Pitfall: Unpatched backup servers provide a direct path for threat actors to neutralize recovery options before ransomware deployment.