AI Tools Help Hacker Breach 600+ FortiGate Devices

A financially motivated threat actor used commercial generative AI tools to compromise more than 600 FortiGate devices across 55 countries. According to Amazon Threat Intelligence, the activity took place between January 11 and February 18, 2026.

Importantly, the attacker did not exploit any new FortiGate vulnerability. Instead, they targeted devices with exposed management ports and weak single-factor credentials. Basic security gaps — combined with AI assistance — allowed a relatively low-skilled actor to operate at large scale.

Amazon assessed that the attacker relied heavily on AI for planning attacks, generating commands, writing custom tools, and organizing operations. When one AI tool failed, another was used as backup. Researchers described the setup as an “AI-powered assembly line” for cybercrime.

How the Attacks Worked

The campaign focused on internet-exposed FortiGate management interfaces on common ports such as 443 and 8443. The attacker scanned for accessible devices and attempted logins using commonly reused credentials. Once inside, full device configurations were extracted, exposing credentials, network details, and VPN access.

After gaining VPN entry, the attacker moved deeper into networks. In several cases, Active Directory environments were compromised and credential databases were stolen. Backup systems were also targeted, suggesting possible ransomware preparation.

Key Post-Compromise Activities

  • Extracted FortiGate configuration files and credentials
  • Performed DCSync attacks to gain domain-level access
  • Used pass-the-hash and NTLM relay for lateral movement
  • Scanned networks with tools like Nuclei
  • Targeted Veeam backup servers and known vulnerabilities
  • Deployed AI-assisted custom reconnaissance tools

Interestingly, when facing hardened environments with proper security controls, the attacker often abandoned the target and shifted to easier victims. This reinforces that the campaign relied on automation and scale rather than advanced exploitation skills.

The compromised organizations were spread across South Asia, Latin America, Northern Europe, West Africa, Southeast Asia, and the Caribbean.

The Bigger Picture

This case highlights a growing trend: AI is lowering the barrier to entry for cybercrime. Operations that once required experienced teams can now be assembled and run by smaller groups with AI support.

The lesson is clear. Organizations must close exposed management ports, enforce multi-factor authentication, rotate credentials, secure backup infrastructure, and maintain strong patch management.

As AI-assisted attacks increase, strong security fundamentals remain the best defense.

About the Author:

FirstHackersNews - Identifies Security