Hackers Use AI Services to Hack 600+ FortiGate Devices
A Russian-speaking threat actor used commercial AI services to hack over 600 FortiGate firewalls across 55+ countries from January 11 to February 18, 2026. This group targeted exposed management interfaces with weak passwords. No zero-day exploits were needed. Basic credential stuffing worked on ports 443, 8443, 10443, and 4443.
The stolen configs revealed high-value data. Attackers grabbed SSL-VPN credentials, admin logins, network maps, IPsec VPN setups, and firewall rules. AI-powered Python scripts parsed and decrypted this info at scale. One compromised network map went straight into an AI tool for lateral movement plans.
Amazon Threat Intelligence calls this an “AI-powered assembly line for cybercrime.” The actor had medium skills but scaled attacks with two LLMs. One built tools and planned. The other guided pivots inside networks. Hits concentrated in South Asia, Latin America, West Africa, Northern Europe, and Southeast Asia. Multiple devices per org got owned, including MSP clusters.
Post-breach moves were textbook ransomware prep. Meterpreter with Mimikatz ran DCSync on domain controllers for NTLM hashes. Pass-the-hash and NTLM relay spread laterally. Veeam Backup servers faced PowerShell attacks to kill recovery options.
Attack Techniques
The group scanned with custom Go/Python recon tools. Code showed newbie errors like redundant comments and sloppy JSON. They used open-source helpers: Impacket, gogo, Nuclei.
Amazon found attacker infrastructure at 212.11.64.250 leaking files: device configs, AD maps, credentials, vulnerability scan output, and AI-generated attack plans. ARXON fed its recon results to DeepSeek and Claude to get structured attack steps back.
| CVE ID | Product | CVSS | Description |
|---|---|---|---|
| CVE-2019-7192 | FortiOS | 9.8 | Path traversal exposing credentials |
| CVE-2023-27532 | Veeam Backup | 7.5 | Unauthenticated API credential disclosure |
| CVE-2024-40711 | Veeam Backup | 9.8 | RCE via deserialization |
Key Indicators
- 212.11.64.250 (IPv4): Scanning/exploits, Jan 11-Feb 18
- 185.196.11.225 (IPv4): Ops hub, same dates
Watch for anomalous VPN logins, unexpected AD replication requests (Event ID 4662, which DCSync generates on the domain controller), and PowerShell activity on backup servers.
Amazon shared IOCs with partners for disruptions.
Fortinet urges: Hide management from internet, enforce MFA, rotate creds, audit AD.
Protection Steps
- Remove mgmt interfaces from public access.
- Mandate MFA on all admin/VPN logins.
- Review configs for weak/reused passwords.
- Monitor for DCSync and backup access anomalies.
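The DCSync detection recommended above, as an added example that is not part of the original article: it scans Windows Security Event ID 4662 records for the two directory replication control-access rights that DCSync must request (their GUIDs are fixed AD schema values) and flags requests from non-machine accounts. The JSON-per-line event format, field names and the `svc_aadc` allowlist entry are assumptions; the log lines are constructed for the demo.

```python
"""Flag Event ID 4662 records that look like DCSync.

DCSync asks a domain controller to replicate directory data, logged as 4662
with replication rights in Properties. Legitimate replication comes from DC
machine accounts; a user account requesting it is the anomaly to alert on."""
import json

# Control-access right GUIDs DCSync needs (fixed AD schema values).
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_GUIDS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}

def is_dcsync_like(event, allowlist=frozenset()):
    """True when a 4662 event requests replication rights from a non-machine
    account that is not allowlisted (e.g. a directory-sync service account)."""
    if event.get("EventID") != 4662:
        return False
    # Properties holds brace-wrapped GUIDs; normalise to a set of bare GUIDs.
    props = event.get("Properties", "").lower().replace("{", " ").replace("}", " ")
    if not DCSYNC_GUIDS & set(props.split()):
        return False
    user = event.get("SubjectUserName", "")
    if user.endswith("$"):  # computer account: normal DC-to-DC replication
        return False
    return user.lower() not in {u.lower() for u in allowlist}

def find_dcsync(lines, allowlist=frozenset()):
    """Parse JSON-per-line events (assumed export format) and return hits."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            if is_dcsync_like(event, allowlist):
                hits.append(event)
    return hits

# Constructed sample events (not real log data); field names follow the
# Windows 4662 schema, values are invented for this demo.
SAMPLE_LOG = """
{"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "svc_aadc", "SubjectDomainName": "CORP", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "Properties": ""}
"""

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_LOG.splitlines(), allowlist={"svc_aadc"}):
        print("ALERT possible DCSync:", hit["SubjectDomainName"] + "\\" + hit["SubjectUserName"])
```

Tune the allowlist to the accounts that legitimately replicate in your domain; anything else requesting these rights from a user account deserves an immediate look.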
FAQ
How did the attackers get in? Weak credentials on exposed management ports. No vulnerabilities exploited.
Which AI services were used? Commercial LLMs like DeepSeek/Claude for planning and scripts. Names partially redacted.
What data was stolen? VPN credentials, admin logins, network topology, firewall rules.
How severe is it? High. Targeted backups for wipe prep.
How do you protect against it? MFA, no public management access, AD audits, anomaly detection.