Fortinet Infrastructure Targeted in Campaign Using Open-Source AI Offensive Framework

VTA-004563 – Fortinet Infrastructure Targeted in Campaign Using Open-Source AI Offensive Framework

CyberStrikeAI is an open-source, AI-native platform built for offensive security testing that has now been weaponized in real-world attacks. Developed by a China-based coder known as Ed1s0nZ, the Go-based tool integrates over 100 security tools with an orchestration engine, role-based testing, specialized skills and lifecycle management for vulnerability discovery and attack-chain analysis. Unlike traditional scanners that rely on static rules, it drives target selection and follow-up through generative AI services such as Anthropic Claude and DeepSeek, automating work that previously required an operator's judgement and raising the level of sophistication available to threat actors.

What sets CyberStrikeAI apart from typical malware or scanning tools is its dual nature: a legitimate red-team platform that is also a ready-made weapon for adversaries. Although marketed for “research and learning”, it has powered mass scanning and reconnaissance, as seen in attacks on over 600 Fortinet FortiGate appliances across 55 countries by a suspected Russian-speaking actor operating from IP 212.11.64.250. Its dashboard visualizes results intuitively, lowering the skill barrier for complex operations that conventional tools leave to manual expertise, and it deploys quickly on servers in China, Singapore, Hong Kong and beyond: 21 unique source IPs were observed between January 20 and February 26, 2026.

The tool’s profile is sharpened by Ed1s0nZ’s background, which includes ties to Chinese state-affiliated entities such as Knownsec 404 (linked to the Ministry of State Security and the PLA) and a since-removed award from the CNNVD vulnerability database, raising the possibility of state-sponsored proliferation. This combination of open-source accessibility, AI augmentation and obscured government connections distinguishes CyberStrikeAI from generic exploit kits and positions it as an enabler of AI-driven attacks on edge devices.

AI is no longer only helping defenders analyze threats; it is now embedded in the offensive workflow itself.

Severity:
Medium

Attack Surface:
Infrastructure, Server OS

Tactics:
Command and Control, Discovery, Execution, Initial Access, Reconnaissance

Techniques:
T1595 – Active Scanning
T1190 – Exploit Public-Facing Application
T1078 – Valid Accounts
T1059 – Command and Scripting Interpreter
T1046 – Network Service Discovery
T1071 – Application Layer Protocol (C2 over HTTPS)

Indicator of Compromise:
https://otx.alienvault.com/pulse/69a79cc4dd04933f4441be76

References:
1. https://github.com/Ed1s0nZ/CyberStrikeAI
2. https://www.team-cymru.com/post/tracking-cyberstrikeai-usage

SuperPRO’s Threat Countermeasures Procedures:

1. Patch affected FortiOS versions. Immediately audit and upgrade: FortiOS 7.0.x to 7.0.14 or later; FortiOS 7.2.x to 7.2.6 or later; FortiOS 6.4.x to 6.4.15 (the final patched release for that branch). Confirm the target build against Fortinet's current PSIRT advisories before scheduling the upgrade.
2. Disable WAN-exposed management. If not required, disable the HTTPS administrative interface on public-facing interfaces and restrict management access to trusted hosts or a dedicated management network.
3. Enforce MFA on SSL-VPN. Require FortiToken (hardware or mobile) for VPN users and disable password-only VPN login.
4. Block suspicious scanning patterns. Deploy IDS/IPS rules that detect mass scanning, repeated requests to /remote/login and high-frequency calls against the firewall's management API endpoints.
5. Monitor for AI-automated behaviour. Look for rapid sequential activity from one source (reconnaissance, then authentication attempts, then configuration enumeration) and for abnormal bursts of command execution from a single IP; machine-driven tooling compresses into seconds what a human administrator spreads over minutes.
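As an added example for steps 4 and 5 (not part of this advisory, and not code from CyberStrikeAI or Fortinet), the following Python sketch applies those detections to FortiGate-style key=value event logs: it flags probing bursts against management and VPN paths, clusters of failed logins, bursts of configuration access, and the recon → authentication → configuration chain completing inside a short window. The sample log lines, the `action="probe"` convention for requests to management paths, the stage names and the thresholds are constructed assumptions; the attacker address is the one named above and 10.0.0.7 is a hypothetical benign administrator. Map the field names and baselines to your own log pipeline before use.

```python
"""Flag scripted activity against FortiGate management/SSL-VPN endpoints.

Added example, not part of the advisory or of CyberStrikeAI. Log lines,
field conventions and thresholds are constructed for illustration.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style events. action="probe" stands in for web
# requests to management/VPN paths; cfgpath marks configuration access.
SAMPLE_LOGS = """\
date=2026-02-10 time=10:22:00 type="traffic" srcip=212.11.64.250 url="/remote/login" status="404" action="probe"
date=2026-02-10 time=10:22:01 type="traffic" srcip=212.11.64.250 url="/remote/login" status="200" action="probe"
date=2026-02-10 time=10:22:01 type="traffic" srcip=212.11.64.250 url="/api/v2/cmdb/system/status" status="401" action="probe"
date=2026-02-10 time=10:22:02 type="traffic" srcip=212.11.64.250 url="/api/v2/monitor/system/firmware" status="401" action="probe"
date=2026-02-10 time=10:22:03 type="traffic" srcip=212.11.64.250 url="/login" status="200" action="probe"
date=2026-02-10 time=10:22:05 type="event" srcip=212.11.64.250 user="admin" action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=10:22:06 type="event" srcip=212.11.64.250 user="admin" action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=10:22:07 type="event" srcip=212.11.64.250 user="fortinet" action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=10:22:09 type="event" srcip=212.11.64.250 user="admin" action="login" status="success"
date=2026-02-10 time=10:22:10 type="event" srcip=212.11.64.250 user="admin" action="Show" cfgpath="system.interface"
date=2026-02-10 time=10:22:10 type="event" srcip=212.11.64.250 user="admin" action="Show" cfgpath="system.admin"
date=2026-02-10 time=10:22:11 type="event" srcip=212.11.64.250 user="admin" action="Show" cfgpath="vpn.ssl.settings"
date=2026-02-10 time=10:22:11 type="event" srcip=212.11.64.250 user="admin" action="Show" cfgpath="firewall.policy"
date=2026-02-10 time=10:22:12 type="event" srcip=212.11.64.250 user="admin" action="Show" cfgpath="router.static"
date=2026-02-10 time=10:22:12 type="event" srcip=212.11.64.250 user="admin" action="Show" cfgpath="system.global"
date=2026-02-10 time=09:05:00 type="event" srcip=10.0.0.7 user="netops" action="login" status="success"
date=2026-02-10 time=09:07:40 type="event" srcip=10.0.0.7 user="netops" action="Show" cfgpath="firewall.policy"
date=2026-02-10 time=09:12:03 type="event" srcip=10.0.0.7 user="netops" action="Edit" cfgpath="firewall.policy"
"""

# Hypothetical tuning; baseline against the appliance's normal admin cadence.
WINDOW = timedelta(seconds=60)         # span for probe and login-failure bursts
SCAN_THRESHOLD = 5                     # probes of mgmt/VPN paths within WINDOW
AUTH_FAIL_THRESHOLD = 3                # failed logins within WINDOW
CONFIG_WINDOW = timedelta(seconds=10)
CONFIG_BURST = 5                       # config reads/writes within CONFIG_WINDOW
CHAIN_WINDOW = timedelta(seconds=120)  # recon -> auth -> config completed inside this


def parse_line(line):
    """Turn one key=value log line into a dict (quoted values unquoted) with a 'ts' datetime."""
    fields = dict(tok.partition("=")[::2] for tok in shlex.split(line))
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def classify(ev):
    """Map a parsed event to a stage: recon, auth_fail, auth_ok, config, or None."""
    if ev.get("action") == "probe":
        return "recon"
    if ev.get("action") == "login":
        return "auth_ok" if ev.get("status") == "success" else "auth_fail"
    if "cfgpath" in ev:
        return "config"
    return None


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def chained(events):
    """True if recon, then any auth attempt, then config access occur in order within CHAIN_WINDOW."""
    first_recon = next((ts for ts, s in events if s == "recon"), None)
    if first_recon is None:
        return False
    auth = next((ts for ts, s in events if s.startswith("auth") and ts >= first_recon), None)
    if auth is None:
        return False
    config = next((ts for ts, s in events if s == "config" and ts >= auth), None)
    return config is not None and config - first_recon <= CHAIN_WINDOW


def analyze(logs):
    """Return {srcip: [finding, ...]} for every source that trips at least one detection."""
    by_src = defaultdict(list)                 # srcip -> [(ts, stage), ...]
    for line in logs.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            by_src[ev["srcip"]].append((ev["ts"], stage))
    findings = {}
    for src, events in by_src.items():
        events.sort()                          # logs may arrive out of order
        stages = defaultdict(list)
        for ts, stage in events:
            stages[stage].append(ts)
        hits = []
        if max_in_window(stages["recon"], WINDOW) >= SCAN_THRESHOLD:
            hits.append("scan-burst")
        if max_in_window(stages["auth_fail"], WINDOW) >= AUTH_FAIL_THRESHOLD:
            hits.append("auth-burst")
        if max_in_window(stages["config"], CONFIG_WINDOW) >= CONFIG_BURST:
            hits.append("config-burst")
        if chained(events):
            hits.append("recon-auth-config-chain")
        if hits:
            findings[src] = hits
    return findings


if __name__ == "__main__":
    for src, hits in analyze(SAMPLE_LOGS).items():
        print(src, ", ".join(hits))
```

On the constructed sample the attacker address trips all four detections within thirteen seconds, while the benign administrator, who logs in once and touches one policy object twice over seven minutes, trips none. The sliding-window counter is what separates the two: the same number of configuration reads spread across a working day would not fire, so tune the windows against observed admin behaviour rather than against the attacker sample.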

Contributed by: Thivya