Surge in Brute-Force Attacks on Fortinet SSL VPNs Precedes Focus on FortiManager

August 12, 2025
Threat Intelligence / Enterprise Security

Security researchers are reporting a significant increase in brute-force traffic directed at Fortinet SSL VPN devices. Threat intelligence firm GreyNoise detected the coordinated activity on August 3, 2025, with more than 780 unique IP addresses taking part. In the 24 hours before publication alone, 56 unique IP addresses classified as malicious were identified, originating from countries including the United States, Canada, Russia, and the Netherlands.

Targets of the brute-force activity span the United States, Hong Kong, Brazil, Spain, and Japan. GreyNoise stressed that the traffic matched its FortiOS SSL VPN profile specifically, not a generic scanner signature, which points to a deliberate targeting choice rather than opportunistic probing. “This was not a random act; it was a deliberate operation,” the firm noted. GreyNoise also observed two distinct waves, before and after August 5, at least one of them a prolonged brute-force attack.

The two waves GreyNoise observed, split around August 5, differ in character, with the first a sustained, long-running brute-force effort. It is worth being precise about what this means: credential brute-forcing needs no software vulnerability in FortiOS. It succeeds against weak, reused or previously leaked passwords on accounts that have no second factor, so a fully patched gateway alone does not stop it. The tight match to the FortiOS profile and the coordinated use of hundreds of source addresses point to operators who know the platform and are spreading attempts across many IPs, which is also how attackers keep each individual source below per-IP lockout thresholds, rather than to opportunistic scanning.

In MITRE ATT&CK terms the activity maps to Brute Force (T1110, under the Credential Access tactic), most likely the Password Guessing (T1110.001) or Password Spraying (T1110.003) sub-techniques, with External Remote Services (T1133) and Valid Accounts (T1078) as the Initial Access techniques once a VPN credential is guessed correctly. Credential dumping (OS Credential Dumping, T1003) is a different thing: a post-compromise technique for harvesting secrets from a host the attacker already controls, not a way of getting past an internet-facing login page. The goal is the same in either case, a foothold on the internal network from which to move laterally and exfiltrate data.

The threat is compounded by the attackers' apparent shift towards FortiManager, the centralized management plane for Fortinet devices. A single administrative account on FortiManager can push policy and configuration changes to every FortiGate it manages, so a guessed FortiManager password is worth far more to an attacker than a guessed VPN user password on one gateway: it is administrative reach across the whole estate. That makes an internet-reachable FortiManager login page a high-value brute-force target in its own right.

Organizations running Fortinet products should harden against exactly this pattern. Enforce multifactor authentication on every SSL VPN and administrative account, including local accounts that are easy to forget; audit for weak, reused or stale credentials and disable accounts that no longer need VPN access; turn on FortiOS's own SSL VPN lockout controls (`login-attempt-limit` and `login-block-time` under `config vpn ssl settings`) and, where feasible, restrict the VPN portal's accepted source addresses; keep FortiManager and FortiGate administrative interfaces off the public internet and limited to trusted hosts; and monitor the `ssl-login-fail` event stream for bursts from one source, one source trying many usernames, and many sources trying one account, since per-IP lockouts alone miss a campaign distributed across hundreds of addresses.
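As an added example, not code from the article, GreyNoise or Fortinet, the following Python script shows what monitoring for these login failures looks like in practice. It parses FortiOS-style key=value event log lines, keeps only `action="ssl-login-fail"` events, and flags three patterns: one source bursting against one account, one source spraying many usernames, and many sources sharing attempts against one account, which is the shape of a campaign spread across hundreds of IPs. The log lines are constructed for the example; the field names follow the FortiOS event log format, but the logids, hostnames, accounts, addresses and thresholds are assumptions to be tuned against real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on FortiOS "event/vpn" log lines. The field
# names (action, user, remip, reason) follow the FortiOS key=value log format;
# the logids, hostnames, users and addresses are illustrative assumptions.
LINE_TEMPLATE = (
    'date=2025-08-03 time={t} devname="fgt-edge" logid="0101039426" type="event" '
    'subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" '
    'tunneltype="ssl-web" user="{user}" remip={ip} reason="{reason}" '
    'msg="SSL user failed to logged in"'
)
DENIED, UNKNOWN = "sslvpn_login_permission_denied", "sslvpn_login_unknown_user"
SAMPLE_EVENTS = (
    # one source hammering one account: 6 failures in under a minute
    [("09:00:%02d" % s, "admin", "203.0.113.10", DENIED) for s in (1, 9, 17, 26, 35, 44)]
    # one source walking a username list slowly: password spraying
    + [("09:%02d:00" % m, u, "198.51.100.7", UNKNOWN)
       for m, u in ((5, "alice"), (10, "bob"), (15, "carol"), (20, "dave"))]
    # many sources, one account, one attempt each: distributed brute force
    + [("09:3%d:00" % i, "vpnuser", "192.0.2.%d" % (i + 1), DENIED) for i in range(4)]
)
SAMPLE_LOGS = "\n".join(LINE_TEMPLATE.format(t=t, user=u, ip=ip, reason=r)
                        for t, u, ip, r in SAMPLE_EVENTS) + "\n" + (
    # an unrelated admin GUI login that the detectors must ignore
    'date=2025-08-03 time=09:40:00 devname="fgt-edge" logid="0100032001" type="event" '
    'subtype="system" level="information" logdesc="Admin login successful" action="login" '
    'status="success" user="admin" srcip=10.0.0.5 msg="Administrator admin logged in"\n'
)

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one FortiOS log line into a dict, adding a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"],
                                         "%Y-%m-%d %H:%M:%S")
    return fields


def ssl_login_failures(text):
    """Keep only SSL VPN login-failure events that carry a user and a source IP."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") == "ssl-login-fail" and "remip" in f and "user" in f:
            events.append(f)
    return events


def burst_ips(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any sliding `window`."""
    times_by_ip = defaultdict(list)
    for e in events:
        times_by_ip[e["remip"]].append(e["ts"])
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def spray_ips(events, min_users=3):
    """Sources that tried at least `min_users` distinct usernames (spraying)."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["remip"]].add(e["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}


def distributed_users(events, min_ips=3):
    """Accounts attacked from at least `min_ips` distinct sources (distributed)."""
    ips_by_user = defaultdict(set)
    for e in events:
        ips_by_user[e["user"]].add(e["remip"])
    return {u for u, ips in ips_by_user.items() if len(ips) >= min_ips}


def analyze(text):
    """Run all three detectors over a block of log text and summarise the findings."""
    events = ssl_login_failures(text)
    return {
        "failures": len(events),
        "burst_ips": sorted(burst_ips(events)),
        "spray_ips": sorted(spray_ips(events)),
        "distributed_users": sorted(distributed_users(events)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Feed it real data by replacing `SAMPLE_LOGS` with a syslog export from the FortiGate. The per-source burst check is what the gateway's own `login-attempt-limit` already enforces; the spraying and distributed checks are the ones worth adding, because a campaign that rotates through hundreds of addresses keeps every individual source well below any per-IP lockout and only becomes visible when failures are grouped by target account.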

As the situation develops, it is evident that vigilance is paramount. With the evolving tactics of cyber adversaries, staying informed and prepared is critical to mitigating the impacts of such attacks.
