MOSCOW: A hacker using artificial intelligence tools has breached more than 600 FortiGate firewalls in at least 55 countries over a five-week campaign, security researchers reported, exposing weak credentials and misconfigured systems rather than exploiting technical vulnerabilities.
According to a threat intelligence report released Friday by Amazon Integrated Security, the intrusions occurred between Jan. 11 and Feb. 18. The Russian-speaking actor used commercially available generative AI services to help automate attacks and scale operations, in some cases compensating for limited technical skill.
“No exploitation of FortiGate vulnerabilities was observed — instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication,” said CJ Moses, chief information security officer at Amazon Integrated Security.
Investigators found that the attacker scanned for publicly accessible FortiGate management interfaces on common ports, then used brute-force log-in attempts against weak or reused passwords. Once inside, the hacker extracted full device configurations, including administrative credentials, network topology and SSL-VPN details.
Those configuration files, parsed with AI-assisted scripts, helped the actor map internal networks, harvest additional credentials and probe deeper into compromised environments. In several cases, the activity extended into Windows Active Directory systems and backup servers, which security analysts say are often prerequisites for ransomware campaigns.
Amazon’s report emphasized that the actor did not appear to employ novel zero-day exploits, but leveraged basic security gaps. The company urged organizations to avoid exposing firewall management interfaces to the internet, enforce multi-factor authentication and strengthen credential hygiene to reduce the risk of similar attacks.
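The campaign described above leaves a very ordinary trace: a burst of failed administrator logins from one source, followed by a success. As an added example (not code from the article, from Amazon, or from Fortinet), the script below runs that detection over a handful of constructed log lines. The lines mimic the space-separated key=value layout of FortiOS admin-login event logs, but the exact field names and values are an assumption made for illustration; the `threshold` and `window` parameters are likewise my own choices and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating FortiOS admin-login event logs
# (key=value pairs, quoted when the value contains spaces). Field names,
# addresses and users are assumptions for this example, not data from the
# article or from the threat intelligence report it describes.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.45) because of invalid password"
date=2026-01-12 time=03:14:03 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.45) because of invalid password"
date=2026-01-12 time=03:14:05 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.45) because of invalid password"
date=2026-01-12 time=03:14:08 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.45) because of invalid password"
date=2026-01-12 time=03:14:11 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.45) because of invalid password"
date=2026-01-12 time=03:14:15 type="event" subtype="system" level="information" user="admin" srcip=203.0.113.45 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.45)"
date=2026-01-12 time=09:02:40 type="event" subtype="system" level="alert" user="netops" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid" msg="Administrator netops login failed from ssh(198.51.100.7) because of invalid password"
date=2026-01-12 time=09:02:58 type="event" subtype="system" level="information" user="netops" srcip=198.51.100.7 action="login" status="success" msg="Administrator netops logged in successfully from ssh(198.51.100.7)"
date=2026-01-12 time=10:30:00 type="event" subtype="system" level="information" user="admin" srcip=192.0.2.10 action="login" status="success" msg="Administrator admin logged in successfully from https(192.0.2.10)"
"""

# key=value, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed admin logins inside one window,
    and successful logins that follow such a burst. Lines are assumed to be
    in chronological order, as they would be when read from a log file."""
    failures = defaultdict(list)  # srcip -> failure timestamps in the window
    brute_force = {}              # srcip -> peak failure count seen in a window
    guessed_logins = []           # (srcip, user, time) successes after a burst
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "login":
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        src = f.get("srcip", "?")
        recent = [t for t in failures[src] if ts - t <= window]
        if f.get("status") == "failed":
            recent.append(ts)
            if len(recent) >= threshold:
                brute_force[src] = max(brute_force.get(src, 0), len(recent))
        elif f.get("status") == "success" and len(recent) >= threshold:
            # success right after a burst of failures: treat as a guessed password
            guessed_logins.append((src, f.get("user"), f["time"]))
        failures[src] = recent
    return {"brute_force": brute_force, "guessed_logins": guessed_logins}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for src, count in result["brute_force"].items():
        print(f"brute-force burst: {count} failed admin logins from {src}")
    for src, user, when in result["guessed_logins"]:
        print(f"possible credential guess: {user} from {src} at {when}")
```

On the sample data only 203.0.113.45 trips both rules; the single `netops` typo followed by a success stays below the threshold and is not reported. A detector like this is a compensating control, not a substitute for the report's recommendations: if the management interface is not reachable from the internet and the account requires a second factor, the burst never reaches the device.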
The findings illustrate how AI tools are lowering the bar for cybercrime, enabling relatively unsophisticated actors to conduct large-scale intrusions by automating routine phases of an attack.
