FortiGate Devices Compromised: Large-Scale Cyberattack Exposes 600+ Devices Across 55 Countries
Financially Motivated Threat Actor Compromises Over 600 FortiGate Devices Across 55 Countries
A financially motivated threat actor, leveraging commercial artificial intelligence (AI) services, has successfully compromised over 600 FortiGate devices across 55 countries. According to Amazon Threat Intelligence, the campaign, which occurred between January 11 and February 18, 2026, exploited exposed management ports and weak credentials, rather than vulnerabilities in the FortiGate devices themselves.
Attack Methods and Tools
The threat actor, described as having limited technical capabilities, used multiple commercial AI tools across several phases of the attack cycle, including tool development, attack planning, and command generation. One AI tool served as the primary backbone of the operation, while a second was used as a fallback to assist with pivoting inside compromised networks.
Attack Cycle
The attacks involved systematic scanning of internet-exposed FortiGate management interfaces, followed by attempts to authenticate with commonly reused credentials. The scans originated from the IP address 212.11.64[.]250. Data stolen from the compromised devices was then used to move deeper into the targeted networks and carry out post-exploitation activities.
Post-Exploitation Activities
The threat actor’s post-exploitation activities included domain compromise via DCSync attacks, lateral movement across the network via pass-the-hash/pass-the-ticket attacks, NTLM relay attacks, and remote command execution on Windows hosts. They also targeted Veeam Backup & Replication servers to deploy credential harvesting tools and programs aimed at exploiting known Veeam vulnerabilities.
Mitigation and Recommendations
To mitigate these types of attacks, organizations should ensure that management interfaces are not exposed to the internet, change default and common credentials, rotate SSL-VPN user credentials, implement multi-factor authentication for administrative and VPN access, and audit for unauthorized administrative accounts or connections. Additionally, isolating backup servers from general network access, keeping software up to date, and monitoring for unintended network exposure are essential.
Conclusion
As AI-augmented threat activity is expected to continue growing in volume, organizations should anticipate that both skilled and unskilled adversaries will leverage AI to facilitate their attacks. Strong defensive fundamentals, including patch management, credential hygiene, network segmentation, and robust detection for post-exploitation indicators, remain the most effective countermeasures.
