A recent investigation posted Feb. 20 by Amazon Threat Intelligence observed a Russian-speaking financially motivated threat actor leveraging multiple commercial generative AI (GenAI) services to compromise more than 600 Fortinet FortiGate firewalls across more than 55 countries.C.J. Moses, chief information security officer at Amazon Integrated Security, said the attacks took place over five weeks from Jan. 11 to Feb. 18, 2026.Amazon did not observe any exploitation of FortiGate vulnerabilities, noted Moses. Instead, the campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale.“This activity is distinguished by the threat actor’s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of the operations, despite their limited technical capabilities,” wrote Moses.Damon Small, a board member at Xcape, Inc., said that the Amazon report signaled a significant turning point: we've entered the age of the "automated assembly-line" cyberattack. Unlike previous exploits that depended on specific SSO authentication bypass flaws, Small said this new Russian-speaking threat actor bypassed the need for zero-day vulnerabilities or intricate exploits.Small said instead, the group leveraged commercial large language models (LLMs) as a virtual "workforce," automating the brute-force process for exposed management ports and generating sophisticated Python and Go scripts to decrypt configuration files at a scale unachievable by human operators.“This enabled a potentially lone, low-skilled attacker to manage simultaneous global intrusions by swiftly shifting to ‘softer’ targets when encountering robust defenses,” said Small. “For security teams, the focus should shift from the interconnectedness of these attacks to why firewall management ports are still accessible from the internet and without robust authentication.”Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, pointed out that the campaign was not the same activity as the January wave that targeted the patched FortiGate authentication bypass vulnerability.Krell said the reporting in January described exploitation of a specific software flaw, while the Amazon investigation described large-scale access through exposed management interfaces and weak administrative credentials without MFA: different intrusion paths, different tradecraft, running in the same time window.“When multiple unrelated threat actors independently choose the same target class in the same window, that’s not coincidence,” said Krell. “That’s a signal about the state of perimeter security."“We used to worry about nation-states deploying this level of offensive capability. Now we worry about individuals with a laptop and a credit card," Krell continued. "Commercial AI has done for cyber offense what the internet did for fraud. It made something that required years of expertise and a skilled team available to anyone willing to subscribe.”
Application security, AI/ML, Generative AI, Identity, SSO/MFA, Threat Management, Threat Intelligence

Threat group leverages LLMs to compromise 600 FortiGate firewalls

(Adobe Stock)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



