AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries

A Russian-speaking, financially motivated actor used commercial generative AI to automate scanning and brute-force attacks against exposed FortiGate management interfaces, compromising over 600 devices in 55 countries. Amazon Threat Intelligence found the campaign leveraged multiple AI tools to scale credential harvesting, Active Directory compromise, and targeting of backup infrastructure consistent with ransomware preparation.

Key points

  • Over 600 FortiGate devices across 55 countries were compromised by exploiting exposed management ports and weak single-factor credentials.
  • The financially motivated actor relied on multiple commercial generative AI tools to automate tool development, attack planning, and command generation.
  • Post-compromise activity included Active Directory breaches, full credential database exfiltration, and attempts to access Veeam backup infrastructure.
  • Scanning targeted FortiGate management ports (443, 8443, 10443, 4443) followed by common-credential authentication and Nuclei-based vulnerability scanning.
  • Recommended defenses are removing internet-facing management interfaces, enforcing MFA, rotating credentials, patching devices, network segmentation, and isolating backups.
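To check a device against the first two recommended defenses, the sketch below audits a FortiOS configuration backup for management access on a WAN-role interface and for admin accounts without a second factor. It is an added example, not code from the article, Amazon, or Fortinet; the function names and the sample configuration are constructed, and it assumes flat `config`/`edit`/`set` blocks and the FortiOS defaults of HTTPS admin port 443 and `two-factor disable`.

```python
SCANNED_PORTS = {443, 8443, 10443, 4443}  # management ports named in the summary above
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}
# Constructed sample in FortiOS CLI backup syntax; not from a real device.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 8443
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set allowaccess ping https
    next
end
config system admin
    edit "admin"
    next
    edit "ops"
        set two-factor fortitoken
    next
end
"""

def parse(text):  # flat config/edit/set blocks -> {(section, entry): {key: [values]}}
    out, section, entry = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            section, entry = rest, ""
        elif word == "edit":
            entry = rest.strip('"')
        block = out.setdefault((section, entry), {})  # entries with no "set" lines still count
        if word == "set":
            key, *vals = rest.split()
            block[key] = [v.strip('"') for v in vals]
    return out

def audit(text):
    cfg, findings = parse(text), []
    # Assumption: an unset admin-sport means the default HTTPS admin port, 443.
    port = int(cfg.get(("system global", ""), {}).get("admin-sport", ["443"])[0])
    for (section, name), block in cfg.items():
        exposed = sorted(MGMT_PROTOCOLS & set(block.get("allowaccess", [])))
        if section == "system interface" and block.get("role") == ["wan"] and exposed:
            hit = ", a scanned port" if port in SCANNED_PORTS else ""
            findings.append(f"{name}: {'/'.join(exposed)} admin access on WAN (HTTPS port {port}{hit})")
        if section == "system admin" and name and block.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"{name}: single-factor admin login")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags `wan1` and the `admin` account; an empty list means neither condition was found in the backup.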

Read More: https://thehackernews.com/2026/02/ai-assisted-threat-actor-compromises.html