www.darkreading.com 2/23/2026, 11:06:18 PM · via preferred

GenAI helps threat actor breach 600+ Fortinet FortiGate firewalls

CyberSIXT Evidence Panel
Threat Actor: Russian-speaking, financially motivated actor (unnamed)

A Russian-speaking, financially motivated threat actor used generative AI to breach hundreds of FortiGate firewalls, targeting credentials and backups for potential follow-on ransomware. The campaign compromised more than 600 Fortinet FortiGate instances, according to Amazon Web Services, with devices traced to more than 55 countries and clusters across South Asia, Latin America, the Caribbean, West Africa, Northern Europe and beyond.

Notably, researchers saw no FortiGate vulnerabilities being exploited; the attacker succeeded by exploiting exposed management ports and weak credentials with single-factor authentication. The actor reportedly developed AI-assisted Python tooling to parse, decrypt and organise stolen configurations and to facilitate post-exploitation activities such as domain compromise and lateral movement.

AWS’s blog post details how the threat actor used GenAI services throughout every phase of operations, underscoring the ease with which AI can scale attacks for less sophisticated actors. Fortinet did not immediately respond to requests for comment.


Article by CyberSIXT