AI‑Powered Cybercrime: 600+ FortiGate Devices Compromised Across 55 Countries

Amazon Threat Intelligence has revealed a Russian‑speaking, financially motivated threat actor who leveraged commercial generative AI services to compromise over 600 FortiGate devices in 55 countries between January 11 and February 18, 2026.

How the Attack Worked

  • No zero‑days exploited: Instead of advanced vulnerabilities, attackers abused exposed management ports and weak credentials with single‑factor authentication.
  • AI augmentation: Generative AI tools were used for:
    • Tool development
    • Attack planning
    • Command generation
    • Pivoting within compromised networks
  • Assembly line approach: AI generated attack plans, victim configurations, and custom tooling, enabling a low‑skilled actor to scale operations like a larger team.

Post‑Exploitation Activities

Once FortiGate appliances were breached, attackers extracted device configurations, credentials, and network topology data. They then:

  • Conducted reconnaissance with Nuclei scanning.
  • Compromised Active Directory environments via DCSync attacks.
  • Moved laterally using pass‑the‑hash, NTLM relay, and remote execution.
  • Targeted Veeam Backup & Replication servers, exploiting known vulnerabilities (CVE-2023-27532, CVE-2024-40711).
  • Prepared for ransomware deployment by harvesting credentials and accessing backup infrastructure.
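The DCSync step above has a well-known detection signature: a principal that is not a domain controller requests the directory-replication extended rights, which Windows records in Security event 4662. The following detection logic is an added example written for this article, not code from Amazon Threat Intelligence or the campaign's tooling. It assumes 4662 events already parsed into a small record type; the two replication-right GUIDs are the standard Active Directory values, while the allow-listed sync account name and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Extended-right GUIDs that authorise AD replication (standard AD values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals expected to replicate: DC machine accounts end in "$"; a
# directory-sync service account is allow-listed (hypothetical name).
EXPECTED_REPLICATORS = {"aadc_sync_svc"}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


@dataclass(frozen=True)
class Event4662:
    """Subset of a Windows Security event 4662 (operation on an AD object)."""
    record_id: int
    subject_user: str      # SubjectUserName
    subject_domain: str    # SubjectDomainName
    object_type: str       # ObjectType (class name or schema GUID)
    properties: str        # Properties field: access names plus GUID list


def replication_rights_requested(event):
    """Return the replication-right GUIDs present in the Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.properties)}
    return guids & REPLICATION_RIGHTS


def is_expected_replicator(user):
    """Domain controllers and allow-listed sync accounts replicate legitimately."""
    return user.endswith("$") or user in EXPECTED_REPLICATORS


def find_dcsync(events):
    """Return (record_id, DOMAIN\\user, rights) for every event in which an
    unexpected principal asked for replication rights: the DCSync pattern."""
    hits = []
    for ev in events:
        rights = replication_rights_requested(ev)
        if rights and not is_expected_replicator(ev.subject_user):
            hits.append((ev.record_id,
                         f"{ev.subject_domain}\\{ev.subject_user}",
                         sorted(rights)))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: machine account, expected.
    Event4662(1, "DC02$", "CORP", "domainDNS",
              "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Allow-listed sync service: expected.
    Event4662(2, "aadc_sync_svc", "CORP", "domainDNS",
              "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Ordinary user account requesting both replication rights: alert.
    Event4662(3, "jdoe", "CORP", "domainDNS",
              "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # Same user reading an unrelated attribute: no replication right, no alert.
    Event4662(4, "jdoe", "CORP", "user",
              "Read Property {bf967a7f-0de6-11d0-a285-00aa003049e2}"),
]

if __name__ == "__main__":
    for record_id, who, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspect: record {record_id} {who} rights={rights}")
```

In production the allow-list should be populated from the domain's actual replication topology (domain controllers plus any sync appliances), and the alert should carry the source workstation so that an analyst can pivot to the FortiGate or VPN session the session originated from.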

Why It Matters

  • Lower barrier to entry: AI tools allowed a low‑to‑average skilled actor to achieve global scale.
  • Sector‑agnostic targeting: Victims spanned finance, healthcare, education, retail, and technology.
  • Global impact: Compromised clusters detected across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia.
  • AI fingerprints: Source code analysis revealed AI‑assisted development—redundant comments, simplistic architecture, and naive JSON parsing.

Defensive Recommendations

Organizations should strengthen fundamentals:

  • Close exposed management interfaces on FortiGate appliances.
  • Change default and reused credentials; rotate SSL‑VPN accounts.
  • Implement MFA for administrative and VPN access.
  • Audit backup servers and isolate them from general network access.
  • Maintain patch hygiene for perimeter devices and backup solutions.
  • Monitor for post‑exploitation indicators like unusual credential dumps or lateral movement attempts.
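The first three recommendations can be checked mechanically against an exported FortiGate configuration. The script below is an added example for this article, not a Fortinet tool or anything from the report: it parses the `config / edit / set / next / end` structure of a FortiOS CLI export, flags WAN-role interfaces whose `allowaccess` list includes a management protocol, and flags administrator accounts with no `trusthost` restriction or with `two-factor` left disabled. The setting names are the FortiOS keys as the editor recalls them and should be confirmed against the firmware version in use; the configuration text is constructed.

```python
import shlex

# Protocols that expose the management plane when enabled on an interface.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Constructed FortiOS-style configuration excerpt (not a real export).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh fgfm
    next
    edit "wan2"
        set role wan
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "ops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""


def parse_fortios(text):
    """Parse top-level config sections into {section: {entry: {key: values}}}.
    Sub-config blocks nested inside an entry are skipped, not parsed."""
    sections = {}
    section = entry = None
    depth = 0  # nesting level of sub-config blocks inside an entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if depth:  # inside a nested block: only track its end
            if kw == "config":
                depth += 1
            elif kw == "end":
                depth -= 1
            continue
        if kw == "config":
            if section is None:
                section = " ".join(tokens[1:])
                sections.setdefault(section, {})
            else:
                depth = 1
        elif kw == "edit" and section is not None:
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif kw == "set" and entry is not None:
            sections[section][entry][tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = entry = None
    return sections


def audit(sections):
    """Return (kind, name, issue) tuples for exposed management access,
    unrestricted admin source hosts, and admins without two-factor."""
    findings = []
    for name, iface in sections.get("system interface", {}).items():
        if iface.get("role", [""])[0] == "wan":
            exposed = sorted(set(iface.get("allowaccess", [])) & MGMT_PROTOCOLS)
            if exposed:
                findings.append(("interface", name,
                                 "management access on WAN interface: " + ", ".join(exposed)))
    for name, admin in sections.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(("admin", name, "no trusthost restriction"))
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("admin", name, "two-factor authentication not enabled"))
    return findings


if __name__ == "__main__":
    for kind, name, issue in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{kind}] {name}: {issue}")
```

The check relies on the interface `role` attribute to decide what counts as an internet-facing interface; on devices where roles are not set, pair it with the routing table or the known public addresses instead. It deliberately does not try to judge password strength, which a config export cannot reveal: reused and default credentials have to be addressed through rotation and MFA rather than by inspection.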

Final Thought

This campaign illustrates how AI is reshaping cybercrime economics. What once required a skilled team can now be executed by a single operator with AI assistance. For defenders, the lesson is clear: strong fundamentals—patching, credential hygiene, segmentation—remain the most effective countermeasure against AI‑augmented threats.
