FortiGate Firewalls Exposed: AI-Powered Hacking Campaign on AWS


Cyberattacks Compromise Hundreds of FortiGate Firewall Instances Worldwide

A recent campaign of cyberattacks has compromised hundreds of FortiGate firewall instances worldwide, gaining initial access by combining internet-exposed management interfaces with weak credentials.

Attack Methodology

The attacks, which took place between January 11 and February 18, were carried out by a relatively unsophisticated threat actor who relied heavily on commercial artificial intelligence (AI) services to implement known attack techniques.

According to an analysis of the campaign, the attackers scanned for FortiGate administrative interfaces exposed on TCP ports 443, 8443, 10443, and 4443, then attempted logins with common credentials to gain initial access to the devices.
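The observable side of that initial-access method is a burst of failed administrator logins from one source followed by a success. The following detector is an added example written for this article, not tooling from the campaign or from Fortinet: it parses FortiGate-style key=value event log lines, counts failed admin logins per source address inside a sliding window, and reports any source that crosses a threshold and then logs in successfully from outside an assumed trusted management network. The log lines, the trusted network, and the threshold are constructed for the example.

```python
"""Detect password guessing against a FortiGate admin interface.

Added example: parses FortiGate-style key=value event log lines, counts
failed admin logins per source address inside a sliding window, and reports
sources that exceed a threshold and then log in successfully. The sample
lines and the trusted network below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of FortiGate event/system login records:
# one source guesses "admin" five times and then succeeds; an operator
# logs in once from an internal address.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:03 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:05 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:08 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:10 type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:14:12 type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=198.51.100.7 action="login" status="success"
date=2026-01-12 time=08:00:00 type="event" subtype="system" logdesc="Admin login successful" user="netops" method="https" srcip=10.10.1.20 action="login" status="success"
"""

# Assumed trusted management networks (the role FortiGate's trusthost plays).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logins(text):
    """Return login events as (timestamp, srcip, user, status), in time order."""
    events = []
    for raw in text.splitlines():
        f = parse_line(raw)
        if f.get("action") != "login" or "srcip" not in f:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f["srcip"], f.get("user", ""), f.get("status", "")))
    return sorted(events)


def is_trusted(src):
    """True if the source address falls inside an assumed trusted admin network."""
    return any(ip_address(src) in net for net in TRUSTED_ADMIN_NETS)


def find_guessing_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failures inside `window` that then succeed."""
    failures = defaultdict(list)   # srcip -> timestamps of recent failures
    alerts = []
    for ts, src, user, status in events:
        recent = [t for t in failures[src] if ts - t <= window]
        if status == "failed":
            recent.append(ts)
        elif status == "success" and len(recent) >= threshold:
            alerts.append({
                "src": src,
                "user": user,
                "failures": len(recent),
                "success_at": ts,
                "trusted_source": is_trusted(src),
            })
            recent = []            # one burst yields one alert
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for a in find_guessing_then_success(parse_logins(SAMPLE_LOGS)):
        print(f"{a['src']} -> {a['user']}: {a['failures']} failures then success at "
              f"{a['success_at']:%H:%M:%S} (trusted source: {a['trusted_source']})")
```

On the sample input the detector reports a single alert for 198.51.100.7 (five failures, then a successful `admin` login from an untrusted address) and stays quiet for the single internal login. The threshold and window are deliberately low for a management interface, where legitimate operators rarely fail more than a few times; a success from an untrusted source after any burst of failures is the case worth paging on.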

The campaign’s targeting appeared to be opportunistic, with the attackers scanning a wide range of IP addresses in search of vulnerable appliances.

Scope of the Attacks

In many cases, multiple FortiGate devices belonging to the same organization were compromised, with some IP clusters pointing to managed service provider deployments or large organizational networks.

Compromised devices were identified in 55 countries across Africa, Asia, Latin and North America, and Europe.

Post-Compromise Activity

Following successful compromise, the attackers used open-source offensive tools to extract NTLM password hashes, obtain complete domain credential databases, and move laterally through pass-the-hash/pass-the-ticket attacks.

The attackers also targeted Veeam Backup & Replication servers, likely in an effort to extract additional credentials and destroy backups in preparation for ransomware attacks.

Use of Artificial Intelligence

Notably, the attackers used at least two commercial large language models (LLMs) to plan the attacks, generate tools, and assist with the operation.

The LLMs were used to produce technically accurate command sequences, although the attackers struggled to adapt when conditions differed from the plan.

Infrastructure and Attribution

An analysis of the threat actor’s infrastructure revealed multiple scripts likely generated using AI, which were used to parse configurations, extract credentials, automate VPN connections, perform mass scanning, and aggregate results.

The volume and variety of custom tooling suggested a well-resourced development team, but it is believed that a single actor or very small group generated the entire toolkit through AI-assisted development.

The attacks are attributed to a financially motivated, Russian-speaking threat actor assessed as having low-to-medium technical capability; that assessment rests on the extensive reliance on AI across all operational phases.
