AI Enhanced Campaign Breaches 600+ FortiGate Firewalls Without Zero-Day

VTA-004562 – AI Enhanced Campaign Breaches 600+ FortiGate Firewalls Without Zero-Day

Amazon Threat Intelligence has uncovered a Russian-speaking, financially motivated threat actor that leveraged commercial generative AI services to compromise more than 600 FortiGate firewalls across 55+ countries between January 11 and February 18, 2026. Rather than exploiting zero-day vulnerabilities, the campaign focused on exposed management interfaces (ports 443, 8443, 10443, and 4443) and relied on large-scale brute-force credential stuffing. Once access was obtained, attackers extracted configuration files containing administrative credentials, SSL-VPN details, and internal network mappings.

What sets this campaign apart is AI’s role as a true “force multiplier.” The actor used multiple commercial large language models to generate custom Python and Go reconnaissance tools, structured attack plans, and even victim-specific pivot strategies. This AI-assisted workflow enabled an assembly-line approach to intrusion operations, allowing a relatively low-skill operator to scale globally at a pace typically associated with more advanced threat groups.

After initial access, the attacker reused harvested credentials to move laterally within victim networks, targeting domain controllers and conducting credential theft operations such as DCSync attacks using tools like Mimikatz. Backup infrastructure, including platforms like Veeam, was frequently identified as a follow-on target, behavior consistent with ransomware staging. Notably, the group prioritized opportunistic access over persistence in hardened environments, favoring techniques such as pass-the-hash and NTLM relay to maximize reach rather than stealth.

Unlike elite advanced persistent threat (APT) actors, this group demonstrated operational shortcuts and visible AI-generated code artifacts, including redundant comments and structural inconsistencies. Investigators also observed operational security failures, such as storing unencrypted victim data on publicly accessible infrastructure.

Severity:
Medium

Attack Surface:
Infrastructure, Remote Access Service, System Management Service, Web Application

Tactics:
Collection, Credential Access, Discovery, Exfiltration, Impact, Initial Access, Lateral Movement

Techniques:
T1595 – Active Scanning
T1133 – External Remote Services
T1078 – Valid Accounts
T1046 – Network Service Discovery
T1550.002 – Pass the Hash
T1550.003 – Pass the Ticket
T1552.001 – Credentials in Files
T1003.006 – OS Credential Dumping: DCSync
T1602.002 – Network Device Configuration Dump
T1021.002 – Remote Services: SMB/Windows Admin Shares
T1490 – Inhibit System Recovery

Indicator of Compromise:
https://otx.alienvault.com/pulse/699b3e50219103b789432b57

References:
1. https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/

SuperPRO’s Threat Countermeasures Procedures:
1. Immediately verify that no FortiGate management interface is exposed to the internet on ports 443, 8443, 10443, or 4443.
2. If remote administration is required, restrict access to known IP ranges and use a bastion host or out-of-band management network.
3. Change all default, weak, and commonly reused FortiGate administrative and VPN credentials.
4. Rotate all SSL-VPN user credentials, especially for any FortiGate that is or may have been internet-accessible.
5. Enable MFA for all FortiGate administrative access and all VPN access.
6. Review FortiGate configurations for unauthorized administrator accounts and suspicious policy changes.
7. Audit VPN logs for logins from unexpected countries or unusual locations.
8. Check for password reuse between FortiGate/VPN accounts and Active Directory accounts, and rotate any reused passwords immediately.
9. Monitor for post-compromise activity such as DCSync (Event ID 4662), suspicious scheduled tasks, and unusual remote access from VPN address pools.
10. Harden backup infrastructure by isolating backup servers, patching backup software, and enabling immutable backups.
11. Use behavioral monitoring and investigation context instead of relying only on IOC matches because the actor used common legitimate tools.
12. Block and monitor the reported infrastructure IPs (212.11.64.250 and 185.196.11.225) as supporting indicators, not as the only detection method.
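The following script is an added illustration of the detection side of steps 7, 9, 11 and 12; it is not part of the advisory or of any vendor tooling. It parses constructed FortiGate key=value event-log lines (the `logdesc` strings and the `srccountry` field are assumed names, so map them to your own log schema), flags a burst of failed administrator logins followed by a success, flags SSL-VPN logins from outside a country allowlist, records a match against the two IPs named above purely as a supporting signal, and applies the standard Event ID 4662 check for DCSync: a replication control-access right requested by a principal that is not a domain controller machine account.

```python
import re
from collections import Counter

# Constructed FortiGate event-log excerpt (key=value syslog style), not real telemetry.
# One source hammers the admin UI and eventually succeeds; a second source is a benign
# admin; one VPN login arrives from a country outside the allowlist.
FORTIGATE_LOG = """\
date=2026-01-15 time=03:12:40 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=212.11.64.250 status="failed" reason="passwd_invalid"
date=2026-01-15 time=03:12:41 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=212.11.64.250 status="failed" reason="passwd_invalid"
date=2026-01-15 time=03:12:42 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" method="https" srcip=212.11.64.250 status="failed" reason="passwd_invalid"
date=2026-01-15 time=03:12:43 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=212.11.64.250 status="failed" reason="passwd_invalid"
date=2026-01-15 time=03:12:44 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=212.11.64.250 status="failed" reason="passwd_invalid"
date=2026-01-15 time=03:12:45 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=212.11.64.250 status="success"
date=2026-01-15 time=08:01:10 type="event" subtype="system" logdesc="Admin login successful" user="netops" method="https" srcip=10.20.0.5 status="success"
date=2026-01-15 time=09:30:02 type="event" subtype="vpn" logdesc="SSL VPN login succeeded" user="jdoe" srcip=198.51.100.7 srccountry="Netherlands" status="success"
date=2026-01-15 time=23:45:17 type="event" subtype="vpn" logdesc="SSL VPN login succeeded" user="jdoe" srcip=203.0.113.77 srccountry="Brazil" status="success"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Infrastructure IPs named in the advisory: supporting indicators only (step 12).
REPORTED_IPS = {"212.11.64.250", "185.196.11.225"}


def parse_fortigate_line(line):
    """Split one FortiGate key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def triage_fortigate(log_text, fail_threshold=5, allowed_countries=frozenset({"Netherlands"})):
    """Return a dict of findings: brute_force, success_after_failures,
    unexpected_country and ioc_hits (see the comments on each branch)."""
    failures = Counter()
    findings = {"brute_force": set(), "success_after_failures": set(),
                "unexpected_country": set(), "ioc_hits": set()}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_fortigate_line(raw)
        src = rec.get("srcip", "")
        if src in REPORTED_IPS:                      # step 12: context, not a verdict
            findings["ioc_hits"].add(src)
        desc = rec.get("logdesc", "")
        if desc == "Admin login failed":             # credential-stuffing burst
            failures[src] += 1
            if failures[src] >= fail_threshold:
                findings["brute_force"].add(src)
        elif desc == "Admin login successful" and failures[src] >= fail_threshold:
            findings["success_after_failures"].add((src, rec.get("user", "")))
        elif rec.get("subtype") == "vpn" and rec.get("status") == "success":
            country = rec.get("srccountry", "unknown")   # step 7: geography allowlist
            if country not in allowed_countries:
                findings["unexpected_country"].add((src, rec.get("user", ""), country))
    return findings


# Control-access rights that grant directory replication. A 4662 carrying one of these
# for a non-machine principal is the classic DCSync signature (step 9).
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def is_dcsync_candidate(event, allowed_subjects=frozenset()):
    """True for a 4662 requesting replication rights from an account that should not need them.
    Domain controllers replicate as machine accounts (ending in '$'); known directory-sync
    service accounts belong in allowed_subjects so they do not page the on-call analyst."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in DS_REPLICATION_GUIDS):
        return False
    subject = event.get("SubjectUserName", "")
    return not subject.endswith("$") and subject not in allowed_subjects


def dcsync_candidates(events, allowed_subjects=frozenset()):
    """Names of principals whose 4662 events look like DCSync."""
    return [e["SubjectUserName"] for e in events if is_dcsync_candidate(e, allowed_subjects)]


# Constructed 4662 records (field names follow the Windows Security log): a DC replicating
# with its machine account (benign), a user account requesting the same right (suspicious),
# and an unrelated property write with a placeholder GUID that is not a replication right.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": "domainDNS",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": "Write Property {00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for kind, items in triage_fortigate(FORTIGATE_LOG).items():
        print(f"{kind}: {sorted(items)}")
    print("dcsync candidates:", dcsync_candidates(SAMPLE_4662))
```

The IOC match and the brute-force burst are deliberately separate findings: a source that trips the failure threshold and then logs in successfully is actionable on its own, whether or not its address appears in the published indicator list, which is the point of step 11. For the 4662 check, populate `allowed_subjects` with whatever legitimately replicates in your domain (directory-sync connectors, backup agents with replication rights) before turning the rule into an alert.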

Contributed by: Aiman