AI Powered Attacks Target Hundreds of Fortinet Firewalls in Weeks
Cybercrime sophistication is no longer determined primarily by technical mastery but by the ability to industrialize opportunity. Over roughly five weeks, an anonymous, Russian-speaking threat actor quietly ran a campaign that compromised more than 600 FortiGate devices in 55 countries, without a single zero-day discovery or complex exploit chain.
The actor relied instead on commercially available generative AI services, repurposed to automate reconnaissance, credential testing and large-scale targeting with disturbing efficiency.
According to Amazon Threat Intelligence's findings, published in January 2026, the activity unfolded with a consistency that points to process rather than improvisation.
A notable finding of the investigation is that no new FortiGate vulnerability was exploited. The breaches came from identifying management ports exposed to the internet and abusing weak credentials protected only by single-factor authentication: fundamental security weaknesses that, once amplified by AI-assisted automation, let even an unsophisticated actor operate at global scale.
As CJ Moses, Chief Information Security Officer of Amazon Integrated Security, pointed out in the report, the campaign succeeded not through technical innovation but through the systematic exploitation of neglected basics.
Technical analysis likewise shows that the campaign depended far less on software flaws than on operational exposure.

The actor appears to have identified FortiGate management interfaces reachable from the public internet by scanning for administrative services on ports 443, 8443, 10443 and 4443. The breadth of that scanning points to opportunistic targeting of any reachable administrative interface rather than a focus on particular sectors.

The intrusions were carried out through sustained brute-force authentication attempts using commonly reused or weak passwords, not through the zero-day exploits usually associated with attacks on perimeter appliances. Once administrative access to a firewall had been established, the actor quickly extracted its complete configuration file.
These files contained highly sensitive operational data: SSL-VPN user credentials, administrative account details, firewall policies, internal network segmentation rules, IPsec VPN configurations, routing tables and other information describing the broader network topology.
Beyond immediate control of the appliance, such a dataset is an in-depth blueprint of the environment behind it, enabling lateral movement and follow-on activity.
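The brute-force pattern described above leaves a clear trail in the appliance's own administrative login events. The following Python is an added example, not code from the Amazon report or from Fortinet: the log lines are constructed samples modelled on FortiGate's key=value event-log format (documentation IP ranges, fake log IDs), and the policy of five failures within ten minutes from one source, plus a later success from that source, is this example's own choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on FortiGate's key=value admin-login
# event-log format. Addresses are documentation ranges; nothing here is
# captured traffic. The first line carries a quoted msg with spaces to show
# that the parser must not split on whitespace alone.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.7) because of invalid password"
date=2026-01-12 time=03:14:09 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:18 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:27 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:36 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:45 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:15:02 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 action="login" status="success" reason="none"
date=2026-01-12 time=03:20:00 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="jdoe" ui="https(192.0.2.44)" srcip=192.0.2.44 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:21:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="jdoe" ui="https(10.0.0.5)" srcip=10.0.0.5 dstip=203.0.113.10 action="login" status="success" reason="none"
"""

# key=value where the value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value event line into a dict and attach a datetime."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window detector over administrative login events.

    Emits ('burst', srcip, failures, users_tried) the first time a source
    reaches `threshold` failed admin logins inside `window`, and
    ('success_after_burst', srcip, user) when a login from that source then
    succeeds while the burst is still inside the window: the signature of a
    guessed password. Threshold and window are this example's policy.
    """
    records = [parse_line(l) for l in lines if l.strip()]
    failures = defaultdict(list)      # srcip -> [(ts, user), ...] within window
    flagged = set()
    alerts = []
    for rec in sorted((r for r in records if "ts" in r), key=lambda r: r["ts"]):
        if rec.get("subtype") != "system" or rec.get("action") != "login":
            continue                   # not an administrative login event
        ip, ts = rec.get("srcip"), rec["ts"]
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if rec.get("status") == "failed":
            recent.append((ts, rec.get("user")))
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, len(recent), sorted({u for _, u in recent})))
        elif rec.get("status") == "success" and len(recent) >= threshold:
            alerts.append(("success_after_burst", ip, rec.get("user")))
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample, the source 198.51.100.7 trips the burst alert at its fifth failure (having tried both `admin` and `fortinet`) and then trips the success-after-burst alert when `admin` finally logs in; the single typo from 192.0.2.44 and the clean login from 10.0.0.5 produce nothing. The second alert is the one worth paging on: a burst alone is noise on any internet-facing interface, but a success from the same source inside the window means the password was guessed.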

The investigation identified a server hosting tooling associated with the campaign, which drew the attention of Amazon's security teams.

The exfiltrated configuration files were then decoded and parsed with what appeared to be AI-assisted Python and Go utilities, expediting the extraction of credentials and architectural insight.
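The following Python is an added example, not the actor's tooling and not code from the Amazon report. It parses a constructed FortiOS-style configuration excerpt the way such a utility would, lists the credential-bearing settings (admin passwords, local SSL-VPN user passwords, IPsec pre-shared keys) and the topology an attacker harvests first, then turns the same parser around to audit the exposure the earlier paragraphs describe: management services reachable on a WAN-role interface and administrator accounts without trusted-host restrictions or a second factor. The configuration text and every "ENC" value are this example's own fabrications, and the check logic is its own policy.

```python
import shlex
from collections import defaultdict

# Constructed FortiOS-style configuration excerpt, not a real device export;
# "ENC ..." values are fake placeholders, not real password or PSK ciphertext.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https
        set role lan
    next
end
config system admin
    edit "admin"
        set password ENC FAKEHASH1
    next
    edit "ops-admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC FAKEHASH2
    next
end
config user local
    edit "vpn-jdoe"
        set passwd ENC FAKEHASH3
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set remote-gw 198.51.100.20
        set psksecret ENC FAKEPSK
    next
end
"""

SECRET_KEYS = {"password", "passwd", "psksecret", "private-key"}
TOPOLOGY_KEYS = {"ip", "remote-gw", "allowaccess"}
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}


def parse_config(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: [values]}}}.
    Settings made directly under a section (no 'edit') sit under entry ''."""
    cfg = defaultdict(lambda: defaultdict(dict))
    stack = []                               # [section_path, current_entry]
    for raw in text.splitlines():
        parts = shlex.split(raw)             # honours quoted names like "wan1"
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb == "config":                 # nested blocks are keyed by their own path
            stack.append([" ".join(args), ""])
        elif verb == "edit":
            stack[-1][1] = args[0]
        elif verb == "set":
            cfg[stack[-1][0]][stack[-1][1]][args[0]] = args[1:]
        elif verb == "next":
            stack[-1][1] = ""
        elif verb == "end":
            stack.pop()
    return cfg


def harvest(cfg):
    """The attacker's view: credential-bearing settings and the network map."""
    creds, topo = [], []
    for path, entries in cfg.items():
        for entry, settings in entries.items():
            for key, values in settings.items():
                if key in SECRET_KEYS:
                    creds.append((path, entry, key))
                elif key in TOPOLOGY_KEYS:
                    topo.append((path, entry, key, " ".join(values)))
    return sorted(creds), sorted(topo)


def audit_exposure(cfg):
    """The defender's view: the conditions this campaign relied on."""
    findings = []
    for name, s in cfg["system interface"].items():
        exposed = MGMT_SERVICES & set(s.get("allowaccess", []))
        if "wan" in s.get("role", []) and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} reachable from WAN")
    for name, s in cfg["system admin"].items():
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name}: no trusthost restriction")
        if s.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: single-factor authentication")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(harvest(cfg), audit_exposure(cfg), sep="\n")
```

Run against the sample, `harvest` returns four credential locations (two administrator passwords, one local VPN user password, one IPsec pre-shared key) and the interface addresses and VPN peer that sketch the network, which is exactly the data the article says was mined from exfiltrated configurations. `audit_exposure` flags `wan1` for exposing HTTPS and SSH and the built-in `admin` account for having neither trusted hosts nor a second factor, while `ops-admin`, which has both, and the LAN-side `port2` pass; stripping the management services from the WAN interface, or restricting every administrator to trusted hosts with two-factor enabled, would have taken this device out of the campaign's reach.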
With the help of automation, the acto

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
