Security researchers have identified a campaign in which a financially motivated threat actor leveraged generative AI (GenAI) services to access more than 600 Fortinet FortiGate firewall instances. This activity, detected between January and February, highlights how automation tools are reducing the technical barriers for threat actors, allowing them to scale operations that previously required larger teams or deeper expertise.
The campaign affected devices in over 55 countries, with significant activity observed in South Asia, Latin America, the Caribbean, West Africa, and Northern Europe. While the scale of the activity is notable, the methods used rely on known security gaps rather than novel vulnerabilities.
Operational Methodology
According to analysis from Amazon Web Services (AWS), the threat actor did not utilize specific software vulnerabilities or Common Vulnerabilities and Exposures (CVEs) to gain access. Instead, the campaign succeeded by identifying and leveraging fundamental configuration weaknesses:
Exposed Management Ports: Management interfaces were accessible via the public internet.
Weak Credentials: The actor utilized commonly reused passwords.
Single-Factor Authentication: Lack of multifactor authentication (MFA) allowed credential reuse to succeed.
CJ Moses, Chief Information Security Officer at Amazon Integrated Security, noted that these are "fundamental security gaps." The findings suggest that while the actor may lack deep technical sophistication, they effectively used GenAI services to bridge capability gaps across multiple phases of the operation.
The Role of AI in Scaling Operations
The threat actor reportedly used GenAI to support network reconnaissance, generate step-by-step technical instructions, and write code for post-access activities. Specific use cases included:
Script Generation: Creating Python scripts to parse, decrypt, and organize configuration files taken from compromised devices.
Task Prioritization: Developing prioritized task trees to guide the sequence of actions.
Tool Creation: Coding custom tools for reconnaissance and lateral movement.
This approach aligns with broader trends in the security field. Reports from ReliaQuest indicate that automated tooling is increasingly common among ransomware-as-a-service groups, helping them shorten the time between initial access and wider network compromise. Similarly, other research has shown AI being used to refine social engineering and phishing templates.
Despite the use of AI, the actor's success depended heavily on softer targets. When they encountered better-defended environments, such as patched systems or management interfaces restricted to trusted addresses, they typically moved on rather than persisting. This reinforces that standard security controls remain effective against AI-augmented threats.
Identifying High-Value Targets
Upon gaining access to a network, the threat actor prioritized Veeam Backup & Replication servers. Compromising backup infrastructure is a critical step for actors intending to deploy ransomware, as it prevents organizations from recovering data without paying a ransom.
The actor also sought to access configuration files containing administrative credentials, firewall policies, and network topology maps. To enable lateral movement and domain compromise, they utilized established open-source security tools.
Protective Measures and Recommendations
The success of this campaign emphasizes the importance of security fundamentals. Because no vulnerability was exploited, patching alone would not have stopped it; organizations using FortiGate appliances can shield themselves from similar activity by enforcing strict configuration management on the appliance itself.
Recommended Actions:
Restrict Management Interfaces: Ensure management ports (such as 443, 8443, 10443, and 4443) are not exposed to the public internet. If remote access is necessary, restrict it to known, trusted IP address ranges.
Enforce Multifactor Authentication (MFA): Require MFA for all administrative access and VPN connections.
Credential Hygiene: Rotate all default and common credentials across appliances. Implement regular rotation for SSL-VPN user credentials.
Monitor Logs: Audit VPN connection logs for activity originating from unexpected geographic locations.
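The first three recommendations can be checked mechanically against a configuration backup. The following Python script is an added example, not code from the article, from AWS, or from Fortinet: it parses a FortiOS-style configuration (the config/edit/set/next/end layout of `show full-configuration` output) and flags WAN-facing interfaces that allow management protocols, admin accounts with no trusted-host restriction, and admin accounts without two-factor authentication. The SAMPLE_CONFIG embedded below is a constructed, abbreviated excerpt; the interface names and admin accounts in it are hypothetical.

```python
"""Audit a FortiOS configuration backup for the three weaknesses the campaign
relied on: management protocols on WAN-facing interfaces, admin accounts with
no trusted-host restriction, and admin accounts without two-factor.

Example code added for illustration; not from the article, AWS or Fortinet.
SAMPLE_CONFIG is a constructed, abbreviated excerpt in the layout of
`show full-configuration` output.
"""
import shlex

# Constructed sample: a WAN interface with admin protocols enabled, one
# hardened admin account (netops) and two unrestricted ones.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
        set two-factor disable
        set password ENC REDACTED
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 203.0.113.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set password ENC REDACTED
    next
    edit "backup-ops"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC REDACTED
    next
end
"""

# allowaccess protocols that expose a login prompt or shell.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}
ANY_HOST = ["0.0.0.0", "0.0.0.0"]  # a trusthost of 0.0.0.0/0.0.0.0 allows any source


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    A section ("system admin") maps entry names to entry dicts; each entry
    maps a set keyword to its list of values. Nested config blocks inside an
    entry become nested dicts under the block's name.
    """
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            stack.append(cur)
            cur = cur.setdefault(" ".join(tokens[1:]), {})
        elif kw == "edit":
            stack.append(cur)
            cur = cur.setdefault(tokens[1], {})
        elif kw == "set":
            cur[tokens[1]] = tokens[2:]
        elif kw == "unset":
            cur.pop(tokens[1], None)
        elif kw in ("next", "end"):
            cur = stack.pop()
    return root


def trusthost_restricted(admin):
    """True only if at least one trusthostN actually narrows the source address."""
    hosts = [v for k, v in admin.items() if k.startswith("trusthost") and isinstance(v, list)]
    return any(h[:2] != ANY_HOST for h in hosts)


def audit(config, external_ifaces=None):
    """Return (object_type, name, problem) tuples for every weakness found.

    external_ifaces: optional set of interface names known to face the
    internet; when omitted, interfaces with `set role wan` are used.
    """
    findings = []
    for name, iface in config.get("system interface", {}).items():
        external = name in external_ifaces if external_ifaces else iface.get("role", [""])[0] == "wan"
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if external and exposed:
            findings.append(("interface", name,
                             "management protocols on external interface: " + " ".join(sorted(exposed))))
    for name, admin in config.get("system admin", {}).items():
        if not trusthost_restricted(admin):
            findings.append(("admin", name, "no trusted-host restriction (login allowed from any address)"))
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("admin", name, "two-factor authentication disabled"))
    return findings


if __name__ == "__main__":
    for obj, name, problem in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{obj:9} {name:12} {problem}")
```

Run it over a real backup by replacing SAMPLE_CONFIG with the file contents, and pass the names of the internet-facing interfaces explicitly if `role` was never set on them, since the role-based default will miss an external interface left at the default role. The trusted-host check treats a missing trusthost and an explicit 0.0.0.0/0.0.0.0 the same way, because both mean "from anywhere".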
Indicators of Compromise (IoCs):
Security teams should monitor their environments for specific signs of unauthorized activity associated with this campaign:
Unexpected DCSync operations.
New scheduled tasks designed to mimic legitimate Windows services.
Unauthorized access attempts targeting backup credential stores.
Creation of new accounts with naming conventions that attempt to blend in with legitimate users.
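Three of these indicators map directly onto Windows Security events. The following Python script is an added example, not code from the article or from AWS: it checks a batch of events for DCSync-style replication requests (event 4662 carrying replication extended rights from a principal that is not a domain controller), scheduled-task creations (event 4698) whose name borrows a Windows component name but whose action runs from a user-writable path, and account creations (event 4720) whose name is near but not equal to an existing user. The EVENTS list is a constructed sample reduced to the fields the checks need, and DC_ACCOUNTS, EXISTING_USERS and COMPONENT_NAMES are hypothetical environment data that a real deployment would load from Active Directory.

```python
"""Detection logic for three host-side indicators: DCSync-style replication
(event 4662), masquerading scheduled tasks (event 4698) and lookalike
account creation (event 4720).

Example code added for illustration; not from the article or AWS. EVENTS is
a constructed sample using the Security log's XML field names; the 4698
"Command" field is assumed to be pre-extracted from the event's TaskContent
XML (<Exec><Command>). The environment lists below are hypothetical.
"""
import difflib
import re

# Extended-rights GUIDs that directory replication (and therefore DCSync) requests.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Hypothetical environment data.
DC_ACCOUNTS = {"DC01$", "DC02$"}  # principals expected to replicate
EXISTING_USERS = {"administrator", "svc_backup", "jsmith", "veeam_svc"}
COMPONENT_NAMES = {"WindowsUpdate", "Defender", "BITS", "Telemetry"}
TRUSTED_EXE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "user",
     "Properties": "Read Property\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # not a replication right
    {"EventID": 4698, "SubjectUserName": "jsmith",
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "Command": "C:\\Windows\\System32\\sc.exe"},
    {"EventID": 4698, "SubjectUserName": "jsmith",
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check",
     "Command": "C:\\Users\\Public\\wuauclt.exe"},
    {"EventID": 4698, "SubjectUserName": "jsmith",
     "TaskName": "\\Backup\\nightly", "Command": "C:\\Users\\Public\\run.bat"},
    {"EventID": 4720, "SubjectUserName": "jsmith", "TargetUserName": "svc_backups"},
    {"EventID": 4720, "SubjectUserName": "jsmith", "TargetUserName": "mjones"},
    {"EventID": 4720, "SubjectUserName": "jsmith", "TargetUserName": "Admin1strator"},
]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Subjects of 4662 events that request replication rights without being a DC."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = set(GUID_RE.findall(ev.get("Properties", "").lower()))
        if rights & REPLICATION_RIGHTS and ev["SubjectUserName"] not in dc_accounts:
            hits.append(ev["SubjectUserName"])
    return hits


def detect_masquerading_tasks(events):
    """4698 task names that borrow a component name but run outside trusted paths."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        name, cmd = ev["TaskName"], ev["Command"].lower()
        borrows_name = any(c.lower() in name.lower() for c in COMPONENT_NAMES)
        if borrows_name and not cmd.startswith(TRUSTED_EXE_PREFIXES):
            hits.append(name)
    return hits


def detect_lookalike_accounts(events, existing=EXISTING_USERS, threshold=0.8):
    """(new_name, existing_name) pairs where a 4720 creates a near-duplicate name."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        new = ev["TargetUserName"].lower()
        for known in sorted(existing):  # sorted for deterministic output
            if new != known and difflib.SequenceMatcher(None, new, known).ratio() >= threshold:
                hits.append((ev["TargetUserName"], known))
                break
    return hits


if __name__ == "__main__":
    print("DCSync from non-DC:", detect_dcsync(EVENTS))
    print("Masquerading tasks:", detect_masquerading_tasks(EVENTS))
    print("Lookalike accounts:", detect_lookalike_accounts(EVENTS))
```

Two caveats apply when running this against real logs. Event 4662 only exists if auditing of directory service access is enabled on the domain controllers, and legitimate replication comes from more than the DC computer accounts (for example a directory synchronisation service account), so the allow-list must be built from the environment rather than guessed. The lookalike threshold is a tuning knob: 0.8 catches an appended letter or a single swapped character, as in the sample, but short usernames will need a higher value to avoid false positives.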
By addressing these configuration areas, organizations can significantly reduce their risk profile against both automated scanning and AI-augmented threat actors.