At a glance: More than 600 FortiGate devices were compromised worldwide after a low-skill, financially motivated actor used commercial AI tools to automate reconnaissance, credential harvesting, and intrusion activity against exposed management interfaces with weak authentication. The campaign highlights how AI can amplify opportunistic attacks. Organizations should restrict internet-facing management access, enforce MFA, rotate credentials, and monitor for anomalous activity to reduce risk.
Threat summary
On February 20, Amazon Threat Intelligence published a report detailing a campaign that compromised more than 600 FortiGate firewall and virtual private network (VPN) appliances across over 55 countries between January 11 and February 18, 2026.
The activity was opportunistic, with affected devices identified in South and Southeast Asia, Latin America, the Caribbean, West Africa, and Northern Europe. Compromised appliances sharing contiguous IP ranges and exposing non-standard management ports suggested that the campaign may have impacted some managed service provider environments.
The report attributed the activity to a financially motivated Russian‑speaking actor assessed to have limited technical capability enhanced by using multiple commercial generative artificial intelligence (GenAI) services.
The actor mainly targeted devices with externally exposed management interfaces and weak single‑factor credentials. After extracting full FortiGate configurations, the actor was able to obtain credentials and internal network topology. This enabled follow-on attempts to access internal networks, including efforts to compromise Active Directory, harvest additional credentials, and access backup infrastructure.
Operational notes recovered from the actor’s infrastructure documented repeated failures to exploit vulnerabilities such as CVE-2019-7192, CVE-2023-27532, and CVE-2024-40711, as well as failures when encountering hardened environments. This pattern demonstrated that the actor relied heavily on automation and AI rather than technical expertise.
Analysis of the infrastructure showed use of at least two commercial large language model (LLM) services to generate tooling, automate reconnaissance, and produce step‑by‑step attack plans. The tooling included Python and Go‑based reconnaissance utilities, configuration parsers, credential extraction scripts, and automated scanning workflows.
Although the volume of tooling would typically imply a larger team, other evidence indicated a single operator or small group augmented by AI.
Analysis
FortiGate appliances remain attractive targets due to their widespread deployment for perimeter security, remote access, and network segmentation.
The report's findings highlight that exposed management interfaces, weak credentials, and lack of multi-factor authentication continue to drive compromise at scale. The report also illustrates how low-skill actors increasingly use commercial artificial intelligence services to expand their operational reach when opportunity presents itself in the form of exposed interfaces and weak authentication.
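The two configuration conditions the report ties to compromise, management services reachable on an internet-facing interface and administrator accounts that log in with a single factor, can be checked directly in a FortiOS configuration export. The following script is an added example for this page, not code from Field Effect or from the Amazon report; the configuration excerpt is constructed, and which interface names count as "external" is an assumption supplied by the caller.

```python
"""Check a FortiOS configuration excerpt for exposed management services and
single-factor admin accounts (added example; constructed config, not a real device)."""

# Constructed configuration excerpt in the standard FortiOS CLI layout.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
end
"""

# Services in 'set allowaccess' that expose a management surface.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "fgfm"}


def parse_sections(text):
    """Return {section: {entry: {setting: value}}} for each
    'config ... / edit ... / set ... / next / end' block."""
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections[section] = {}
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def exposed_management_interfaces(sections, external_interfaces):
    """External interfaces whose allowaccess list includes a management service."""
    findings = {}
    for name, settings in sections.get("system interface", {}).items():
        if name not in external_interfaces:
            continue
        exposed = set(settings.get("allowaccess", "").split()) & MGMT_SERVICES
        if exposed:
            findings[name] = sorted(exposed)
    return findings


def admins_without_two_factor(sections):
    """Admin accounts whose two-factor setting is absent or disabled.
    FortiOS omits settings left at their default, so absence means disabled."""
    return sorted(
        name for name, settings in sections.get("system admin", {}).items()
        if settings.get("two-factor", "disable") == "disable"
    )


def admins_without_trusthost(sections):
    """Admin accounts with no trusthost restriction (reachable from any source)."""
    return sorted(
        name for name, settings in sections.get("system admin", {}).items()
        if not any(key.startswith("trusthost") for key in settings)
    )


def audit_config(text, external_interfaces):
    """Run all three checks over a configuration export."""
    sections = parse_sections(text)
    return {
        "exposed_management": exposed_management_interfaces(sections, external_interfaces),
        "no_two_factor": admins_without_two_factor(sections),
        "no_trusthost": admins_without_trusthost(sections),
    }


if __name__ == "__main__":
    for check, result in audit_config(SAMPLE_CONFIG, {"wan1"}).items():
        print(f"{check}: {result}")
```

Run it against a `show full-configuration` export with the set of WAN-facing interface names; any interface listed under `exposed_management` is a candidate for removing `https`/`ssh` from `allowaccess`, and every account under `no_two_factor` is a single-factor login of the kind the report describes.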
Mitigation steps
- Restrict FortiGate management interfaces from internet exposure to reduce the attack surface and place administrative access behind a bastion host or out‑of‑band management network.
- Enforce multi-factor authentication for all administrative and SSL-VPN access to limit credential-based compromise.
- Rotate SSL-VPN and administrative credentials, particularly where password reuse may exist, to reduce the value of previously stolen data.
- Review FortiGate configurations for unauthorized accounts or policy changes and audit SSL-VPN logs for anomalous geographic access to increase detection coverage.
- Evaluate credential hygiene across the environment, including reuse between network appliances and Active Directory, to reduce lateral movement opportunities.
- Monitor for post-exploitation indicators such as unexpected domain replication activity, anomalous remote management connections, and unauthorized access to backup infrastructure to strengthen early detection.
- Strengthen backup server isolation and rotate backup credentials to reduce the risk of pre-ransomware staging.
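The log-review items above (anomalous geographic access, credential-based compromise, early detection of post-exploitation activity) can be turned into a small audit over SSL-VPN event logs. The script below is an added example and not code from Field Effect or the Amazon report. Its sample log lines are constructed; they follow the key=value layout of FortiOS VPN event logs, but the field names used (`action`, `user`, `remip`, `srccountry`, `tunneltype`) are assumptions to be checked against the FortiOS version in use.

```python
"""Audit FortiGate-style SSL-VPN event logs for unexpected-country logins,
failed-login bursts, and one user appearing from several countries
(added example; constructed log lines, not from a real appliance)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; field names are assumptions (see lead-in).
SAMPLE_LOGS = """\
date=2026-02-12 time=08:01:10 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip="203.0.113.10" srccountry="Canada"
date=2026-02-12 time=08:03:42 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip="198.51.100.77" srccountry="Brazil"
date=2026-02-12 time=08:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="192.0.2.50" srccountry="Netherlands"
date=2026-02-12 time=08:05:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="192.0.2.50" srccountry="Netherlands"
date=2026-02-12 time=08:05:02 type="event" subtype="vpn" action="ssl-login-fail" user="root" remip="192.0.2.50" srccountry="Netherlands"
date=2026-02-12 time=08:05:03 type="event" subtype="vpn" action="ssl-login-fail" user="support" remip="192.0.2.50" srccountry="Netherlands"
date=2026-02-12 time=08:05:04 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="192.0.2.50" srccountry="Netherlands"
date=2026-02-12 time=08:05:05 type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip="192.0.2.50" srccountry="Netherlands"
date=2026-02-12 time=09:15:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="mlee" remip="203.0.113.44" srccountry="Canada"
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a parsed timestamp."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unexpected_country_logins(events, allowed_countries):
    """Successful logins whose source country is outside the allow-list."""
    return [
        (e["user"], e["remip"], e["srccountry"])
        for e in events
        if e.get("action") == "tunnel-up" and e.get("srccountry") not in allowed_countries
    ]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failures inside one sliding window.
    Returns {remip: largest failure count seen in a window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("action") == "ssl-login-fail":
            by_ip[e["remip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def multi_country_users(events, window=timedelta(hours=1)):
    """Users with successful logins from different countries within `window`
    (a cheap impossible-travel check). Returns {user: set of countries}."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("action") == "tunnel-up":
            by_user[e["user"]].append((e["ts"], e["srccountry"]))
    hits = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t1, c1) in enumerate(logins):
            for t2, c2 in logins[i + 1:]:
                if t2 - t1 > window:
                    break
                if c1 != c2:
                    hits.setdefault(user, set()).update({c1, c2})
    return hits


def audit(text, allowed_countries):
    """Run all three checks and return their findings by name."""
    events = parse_logs(text)
    return {
        "unexpected_country": unexpected_country_logins(events, allowed_countries),
        "failed_login_bursts": failed_login_bursts(events),
        "multi_country_users": multi_country_users(events),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_LOGS, {"Canada"}).items():
        print(f"{check}: {result}")
```

The allow-list should reflect where staff actually connect from, and the burst threshold and windows are starting points to tune against baseline traffic; a single source cycling through several usernames, as in the sample, is the pattern that warrants credential rotation for any account it touched.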
Field Effect MDR reduces the likelihood and impact of this type of intrusion by continuously monitoring for exposed management interfaces, weak authentication patterns, and anomalous access attempts against perimeter devices such as FortiGate appliances.