Hundreds of FortiGate firewalls were hacked in an AI-powered campaign, with over 600 Fortinet FortiGate firewall instances compromised, according to AWS. The attacks, observed between 11 January and 18 February, relied on exposed ports and weak credentials rather than known vulnerabilities, targeting management interfaces on ports 443, 8443, 10443, and 4443.
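A defender can check for the exposure described above by auditing a FortiOS configuration backup for management protocols enabled on internet-facing interfaces. The following is an added example, not code from AWS or Fortinet; the sample configuration is constructed, the function name `audit` is hypothetical, and it assumes the interface `role` setting marks which interfaces face the internet.

```python
CAMPAIGN_PORTS = {443, 8443, 10443, 4443}        # ports named in the report
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """
config system global
    set admin-sport 10443
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
"""

def audit(config_text):
    """Report the admin HTTPS port and management protocols on WAN-role interfaces."""
    path, entry, port, ifaces = [], None, 443, {}   # 443 is the FortiOS default
    for raw in config_text.splitlines():
        tok = [t.strip('"') for t in raw.split()]
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))          # track nested config blocks
        elif tok[0] == "end" and path:
            path.pop()
        elif tok[0] == "edit" and path == ["system interface"]:
            entry = ifaces.setdefault(tok[1], {"role": None, "access": set()})
        elif tok[0] == "set" and path == ["system global"] and tok[1] == "admin-sport":
            port = int(tok[2])
        elif tok[0] == "set" and path == ["system interface"] and entry is not None:
            if tok[1] == "allowaccess":
                entry["access"] = set(tok[2:])
            elif tok[1] == "role":
                entry["role"] = tok[2]
    exposed = {name: sorted(i["access"] & MGMT_PROTOCOLS) for name, i in ifaces.items()
               if i["role"] == "wan" and i["access"] & MGMT_PROTOCOLS}
    return {"admin_port": port, "port_named_in_report": port in CAMPAIGN_PORTS, "exposed": exposed}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Any interface listed under `exposed` is a candidate for removing management access or restricting it to trusted administrative networks.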
The campaign’s participants used open-source tools to extract NTLM password hashes, obtain complete domain credential databases, and move laterally via pass-the-hash and pass-the-ticket techniques. AWS notes that the attackers used at least two commercial large language models to plan the attacks and generate tools, with some clusters tied to managed service providers or large organisational networks across 55 countries.
The threat actor is described as financially motivated and Russian-speaking, with low-to-medium technical capability, and the operation appears opportunistic rather than sector-specific. According to AWS, the attackers also targeted Veeam Backup & Replication servers to steal credentials and potentially destroy backups in preparation for ransomware. 23 February 2026.