A financially motivated threat actor leveraged commercial generative AI tools to breach over 600 FortiGate appliances by exploiting exposed management ports and weak credentials, bypassing the need for technical sophistication.
A Russian-speaking cybercriminal group has compromised more than 600 Fortinet FortiGate appliances across 55 countries using commercially available generative AI tools, according to new research from Amazon Threat Intelligence. The campaign, observed between January and February 2026, represents a concerning evolution in how AI lowers barriers to entry for cybercrime.
The AI-Powered Attack Chain
CJ Moses, Chief Information Security Officer at Amazon Integrated Security, stated: "No exploitation of FortiGate vulnerabilities was observed—instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale."
The threat actor—assessed as financially motivated rather than state-sponsored—used multiple generative AI services to automate attack phases that would typically require advanced skills:
- Infrastructure Scanning: Systematic scanning of FortiGate management interfaces exposed on ports 443, 8443, 10443, and 4443 using IP address 212.11.64[.]250
- Credential Compromise: Brute-force attacks against default and reused credentials
- Configuration Extraction: Harvesting full device configurations to map network topology and steal credentials
- Tool Development: AI-generated source code for custom reconnaissance tools (written in Go/Python) showing hallmarks of automation, including redundant comments and simplistic architecture
Post-Exploitation Tactics
After breaching FortiGate VPN gateways, the actor executed an "AI-powered assembly line" for cybercrime:
- Deployed Nuclei for vulnerability scanning
- Compromised Active Directory via DCSync attacks
- Executed lateral movement using pass-the-hash and NTLM relay techniques
- Targeted Veeam Backup & Replication servers (CVE-2023-27532/CVE-2024-40711) to disable recovery options
Ransomware preparation was a key objective, though the actor abandoned targets with robust defenses.
Critical Defensive Measures
Organizations using FortiGate appliances should implement these fundamental protections:
- Network Hygiene
- Immediately remove internet exposure of management interfaces
- Implement strict network segmentation for administrative interfaces
- Authentication Controls
- Enforce multi-factor authentication for all VPN and administrative access
- Rotate all default credentials and enforce strong password policies
- System Hardening
- Apply all security patches to FortiGate devices and backup systems
- Audit for unauthorized administrative accounts weekly
- Monitoring
- Detect scan patterns from 212.11.64[.]250
- Monitor for abnormal nslookup/dig commands (potential C2 signaling)
Moses emphasized: "Strong defensive fundamentals remain the most effective countermeasure against AI-augmented threats: patch management for perimeter devices, credential hygiene, network segmentation, and robust detection for post-exploitation indicators." The incident demonstrates how generative AI enables novice threat actors to achieve enterprise-scale compromise previously requiring advanced skills—a trend expected to intensify throughout 2026.
Comments
Please log in or register to join the discussion