AI-Powered Hacking Campaign Compromises Over 600 Fortinet Devices

Cybersecurity Update: AI-Powered Attack on Fortinet Firewalls and Other Breaches

In a recent development in the cybersecurity landscape, a financially motivated threat actor, reportedly Russian-speaking, has leveraged commercial AI toolkits to compromise over 600 Fortinet firewalls. The operation was first identified by the AWS security team, which reports that the activity commenced around January 11. Importantly, the attacker did not exploit any zero-day vulnerabilities but instead focused on FortiGate devices that had weak passwords, lacked multi-factor authentication (MFA), and had their management ports exposed to the internet.

Once inside, the attacker used a series of scripts reportedly generated by AI tools such as Claude and DeepSeek. These scripts facilitated reconnaissance and the extraction of configurations from the compromised devices. Notably, AWS characterized the attacker's sophistication as limited: their approach prioritized the scale of the campaign over the complexity of its techniques, and there were indications that they would abandon harder targets in favor of softer ones.

From the Fortinet devices the attacker moved laterally into victims' Active Directory environments, which enabled them to extract database credentials and attempt access to backup infrastructure. The profile of this threat actor suggests they function as an initial access broker (IAB), gaining footholds in corporate networks and selling that access on underground platforms. Insights from cybersecurity researchers Cyber and Ramen reveal that this campaign may have roots as early as December, with activity indicative of experimentation prior to execution.

Cybersecurity experts have noted that the significance of this operation is not limited to any single technique but stems from the integration and application of large language models (LLMs) across the attack stages. This emergent complexity, coupled with a likely single operator managing multiple intrusions across various countries, exemplifies a concerning trend in cyber threats.

In parallel news, Ivanti disclosed a 2021 data breach that involved Chinese hackers exploiting vulnerabilities in its Secure Connect VPN product, allowing access to its internal network and a California data center. The company claims, however, that the hackers did not penetrate its core internal network, indicating potential limitations in the impact of the incident.

Furthermore, Chinese state-sponsored hackers have breached Italy’s special investigations police division (DIGOS), obtaining a list containing the names of over 5,000 police officers. Although officials asserted that sensitive data related to active investigations remained untouched, the motivations behind the attack appear centered on monitoring Chinese dissidents in Italy.

Other incidents include a data leak at PayPal identified in its loan application program, which exposed sensitive customer information for nearly six months, and a ransomware attack on Japanese semiconductor manufacturer Advantest. Additionally, a significant security breach revealed that malware was found on a global supermarket chain’s website, showcasing the pervasive nature of web skimming threats.

Accompanying these breaches, reports of targeted Russian cyber activities have emerged, with an ongoing investigation into potential breaches involving Russian cryptocurrency exchanges aiding the evasion of international sanctions.

With cybersecurity threats evolving rapidly, understanding the applicable MITRE ATT&CK tactics—such as initial access, credential dumping, and lateral movement—provides a crucial framework for business owners. By recognizing these tactics and their potential application in recent incidents, organizations can better prepare their defenses against such persistent and sophisticated threats.

This overview reflects an ongoing trend wherein lower-tier threat actors utilize advanced day-to-day resources, raising essential questions for businesses about their own security protocols and resilience in an increasingly interconnected digital environment.
