Amazon Report: AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks, Exposing Security Weaknesses
A Sophisticated Hacking Campaign Compromises Over 600 FortiGate Firewalls
A sophisticated hacking campaign, leveraging generative AI services, has compromised over 600 FortiGate firewalls across 55 countries in just five weeks.
Campaign Details
The campaign, which took place between January 11 and February 18, 2026, exploited weak credentials and exposed management interfaces to gain access to the targeted firewalls.
According to a report by Amazon’s Integrated Security team, the threat actor behind the campaign used AI-powered tools to automate the process of breaching the firewalls and extracting sensitive configuration settings.
These settings included SSL-VPN user credentials, administrative credentials, firewall policies, and network topology information.
Attack Methods
The attackers used brute-force attacks with common passwords to gain access to the firewalls, rather than exploiting zero-day vulnerabilities.
Once inside, they deployed custom reconnaissance tools, written in Python and Go, to analyze the compromised networks.
These tools were used to identify SMB hosts and domain controllers, run port scans, and look for HTTP services.
Tools and Techniques
The researchers noted that while the tools were functional, they lacked robustness and failed in more hardened environments.
The threat actor also used AI-powered services to generate step-by-step attack methodologies, develop custom scripts, and create reconnaissance frameworks.
Additional Targets
The campaign also targeted Veeam Backup & Replication servers, using custom PowerShell scripts and compiled credential-extraction tools in attempts to exploit known vulnerabilities.
The attackers also attempted to exploit several known vulnerabilities, including CVE-2019-7192, CVE-2023-27532, and CVE-2024-40711, but repeatedly failed against patched or locked-down systems.
Recommendations and Implications
Amazon believes that the threat actor has a low-to-medium skill set whose effectiveness was greatly amplified by the use of AI.
The company recommends that FortiGate administrators take steps to secure their devices, including not exposing management interfaces to the internet, enabling multi-factor authentication, and hardening backup infrastructure.
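As an added illustration (not code from the Amazon report or from this page), the following Python flags the password-guessing against exposed management interfaces described under Attack Methods: it parses FortiOS-style key=value admin-login events, counts failures per source inside a sliding window, and notes a successful login that follows a burst of failures. The log layout and every sample event are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS-style key=value event lines. The layout is an assumption about the
# log format; the events themselves are constructed, not taken from the report.
_TEMPLATE = ('date={d} time={t} type="event" subtype="system" level="alert" '
             'logdesc="Admin login {status}" user="{user}" ui="https({ip})" '
             'srcip={ip} action="login" status="{status}"')

def _event(d, t, ip, status, user="admin"):
    return _TEMPLATE.format(d=d, t=t, ip=ip, status=status, user=user)
SAMPLE_LOGS = [
    # one source guessing passwords against the admin account every 2 s, then a hit
    *[_event("2026-01-12", f"03:14:{s:02d}", "203.0.113.5", "failed") for s in range(0, 12, 2)],
    _event("2026-01-12", "03:14:13", "203.0.113.5", "success"),
    # a second source with two mistyped logins an hour apart: not brute force
    _event("2026-01-12", "08:00:00", "198.51.100.7", "failed", user="netops"),
    _event("2026-01-12", "09:00:00", "198.51.100.7", "failed", user="netops"),
]
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value line into a dict; values may be quoted or bare."""
    return {k: q or bare for k, q, bare in _KV_RE.findall(line)}

def find_admin_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Map srcip -> (peak failures inside `window`, success seen after the burst)
    for every source with at least `threshold` failed admin logins."""
    failed, last_success = defaultdict(list), {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "login" or ev.get("subtype") != "system":
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        if ev.get("status") == "failed":
            failed[ev["srcip"]].append(ts)
        elif ev.get("status") == "success":
            last_success[ev["srcip"]] = ts
    hits = {}
    for ip, stamps in failed.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = (peak, ip in last_success and last_success[ip] >= stamps[-1])
    return hits
```

A success flagged after a burst from the same source is the case to treat as a probable compromise rather than noise; the two spaced-out failures from the second source stay below the threshold.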
The campaign highlights the growing concern that commercial AI services let threat actors carry out attacks that would otherwise be beyond their skill set.
As AI technology continues to advance, it is likely that we will see more sophisticated attacks leveraging these services.
