Over 600 Fortinet FortiGate firewall instances have been compromised in an AI-assisted campaign that abuses internet-exposed management interfaces and weak credentials, AWS reports.
The attacks, observed between January 11 and February 18, did not exploit any known vulnerability. Instead, they took advantage of insecure device configurations, chiefly management interfaces reachable from the internet and guessable passwords, on appliances spread across the globe.
According to AWS, the campaign was carried out by an unsophisticated threat actor that relied on multiple commercial gen-AI services to implement known attack techniques.
The attackers mass-scanned for FortiGate management interfaces exposed on TCP ports 443, 8443, 10443, and 4443, and obtained initial access by trying common credentials against them.
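A defender's first question is whether that pattern is visible in their own appliance logs. The following is an added example, not code from AWS's report or from Fortinet: a small Python detector that runs over constructed FortiGate-style admin-login events and flags sources spraying credentials at the listed management ports, plus the "success after a run of failures" pattern that marks a probable compromise. The field names are modelled on FortiOS system-event logs and the dstport attribute is an assumption; feed it a real log export and adjust the field names to what your FortiOS version emits.

```python
import re
from collections import defaultdict

# Management ports named in the AWS report.
MGMT_PORTS = {443, 8443, 10443, 4443}

# Constructed sample events in FortiGate key=value style (NOT real telemetry).
# Field names follow common FortiOS "Admin login" events; dstport is assumed.
SAMPLE_LOG = """\
date=2026-02-01 time=03:14:02 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 dstip=192.0.2.10 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:05 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 dstip=192.0.2.10 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:09 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 dstip=192.0.2.10 dstport=10443 action="login" status="failed" reason="name_invalid"
date=2026-02-01 time=03:14:12 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 dstip=192.0.2.10 dstport=10443 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:15 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 dstip=192.0.2.10 dstport=8000 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:18 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 dstip=192.0.2.10 dstport=10443 action="login" status="failed" reason="name_invalid"
date=2026-02-01 time=03:14:25 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" method="https" srcip=203.0.113.5 dstip=192.0.2.10 dstport=10443 action="login" status="success" reason="none"
date=2026-02-01 time=03:20:00 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 dstip=192.0.2.10 dstport=443 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:21:00 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" method="ssh" srcip=198.51.100.7 dstip=192.0.2.10 action="login" status="failed" reason="passwd_invalid"
"""

# key=value pairs; values are either double-quoted or a bare non-space token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one FortiGate-style log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(log_text, fail_threshold=5):
    """Flag sources spraying admin logins at management ports.

    Returns:
      sprayers: srcip -> number of failed management-port logins (>= threshold)
      usernames: srcip -> sorted usernames tried by each flagged source
      success_after_failures: (srcip, user, dstip) for logins that succeeded
        after the source had already crossed the failure threshold
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    # Process in time order so "failures then success" is meaningful.
    events.sort(key=lambda e: (e.get("date", ""), e.get("time", "")))

    fails = defaultdict(int)
    users = defaultdict(set)
    success_after_failures = []

    for e in events:
        if e.get("action") != "login":
            continue
        try:
            port = int(e.get("dstport", "0"))
        except ValueError:
            continue
        if port not in MGMT_PORTS:
            continue  # not one of the exposed-management-port cases
        src = e.get("srcip", "?")
        if e.get("status") == "failed":
            fails[src] += 1
            users[src].add(e.get("user", "?"))
        elif e.get("status") == "success" and fails[src] >= fail_threshold:
            success_after_failures.append((src, e.get("user", "?"), e.get("dstip", "?")))

    sprayers = {ip: n for ip, n in fails.items() if n >= fail_threshold}
    return {
        "sprayers": sprayers,
        "usernames": {ip: sorted(users[ip]) for ip in sprayers},
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["sprayers"].items():
        print(f"spray from {ip}: {n} failed mgmt logins, users tried {result['usernames'][ip]}")
    for src, user, dst in result["success_after_failures"]:
        print(f"LIKELY COMPROMISE: {src} logged in as {user} on {dst} after spraying")
```

The threshold of five is deliberately low because these appliances rarely see legitimate admin logins from unknown internet sources; on a box whose admin interface is internet-reachable at all, a handful of failures followed by a success is worth an incident ticket, not a dashboard tile. The SSH event in the sample is skipped only because it carries no dstport, which is the kind of field gap you should confirm against your own FortiOS version before trusting the output.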
“The campaign’s targeting appears opportunistic rather than sector-specific, consistent with automated mass scanning for vulnerable appliances,” AWS notes.
In some cases, multiple FortiGate devices belonging to the same organization were compromised. AWS says that some IP clusters point either to managed service provider deployments or to large organizational networks.
Compromised devices were identified in 55 countries across Africa, Asia, Europe, and North and Latin America.
Following successful compromise, the hackers were seen leveraging open source offensive tools to extract NTLM password hashes, obtain complete domain credential databases, and move laterally through pass-the-hash/pass-the-ticket attacks.
The attackers were also seen targeting Veeam Backup & Replication servers, likely to extract additional credentials and destroy backups in preparation for ransomware attacks.
According to AWS, the hackers used at least two commercial LLMs to plan the attacks, generate tools, and assist with the operation, including duration and success rate assessments.
“These plans reference academic research on offensive AI agents, suggesting the actor follows emerging literature on AI-assisted penetration testing. The AI produces technically accurate command sequences, but the actor struggles to adapt when conditions differ from the plan,” AWS notes.
On the threat actor’s infrastructure, AWS identified multiple scripts likely generated using AI, used to parse configurations, extract credentials, automate VPN connections, perform mass scanning, and aggregate results.
“The volume and variety of custom tooling would typically indicate a well-resourced development team. Instead, a single actor or very small group generated this entire toolkit through AI-assisted development,” AWS says.
The attacks, it notes, were likely mounted by a financially motivated, Russian-speaking threat actor with low-to-medium technical capability, based on the extensive reliance on AI across all operational phases.