Over 600 Fortinet FortiGate firewall instances have been hacked in an AI-powered campaign that exploits exposed ports and weak credentials, AWS reports.

The attacks, observed between January 11 and February 18, did not target known vulnerabilities. Instead, they focused on the exploitation of exposed device configurations across globally dispersed appliances.

According to AWS, the campaign was carried out by an unsophisticated threat actor that relied on multiple commercial gen-AI services to implement known attack techniques.

The hackers were seen scanning for management interfaces accessible via ports 443, 8443, 10443, and 4443, and using common credentials for initial access.

“The campaign’s targeting appears opportunistic rather than sector-specific, consistent with automated mass scanning for vulnerable appliances,” AWS notes.

In some cases, multiple FortiGate devices belonging to the same organization were compromised. AWS says that some IP clusters point either to managed service provider deployments or to large organizational networks.

Compromised devices were identified across 55 countries in Africa, Asia, Latin and North America, and Europe.

Following successful compromise, the hackers were seen leveraging open source offensive tools to extract NTLM password hashes, obtain complete domain credential databases, and move laterally through pass-the-hash/pass-the-ticket attacks.

The attackers were also seen targeting Veeam Backup & Replication servers, likely to extract additional credentials and destroy backups in preparation for ransomware attacks.

According to AWS, the hackers used at least two commercial LLMs to plan the attacks, generate tools, and assist with the operation, including duration and success rate assessments.

“These plans reference academic research on offensive AI agents, suggesting the actor follows emerging literature on AI-assisted penetration testing. The AI produces technically accurate command sequences,
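The initial-access pattern described above (password guessing against an exposed management interface, followed by a successful login) is something a defender can spot in admin login logs. The following detection pass is an added example written for this article, not code from AWS or from the report; it runs over constructed key=value events loosely modelled on firewall syslog, and the field names (action, status, user, srcip, dstport) are assumptions rather than the real FortiGate schema.

```python
import re
from collections import defaultdict

# Management ports the campaign scanned for, per the article.
MGMT_PORTS = {443, 8443, 10443, 4443}
# Failed admin logins from one source before we call it a guessing burst.
FAIL_THRESHOLD = 3

# Constructed sample events in a key=value layout loosely modelled on
# firewall syslog; the field names are assumptions, not the real schema.
SAMPLE_LOGS = """\
ts=1 action=login status=failed user=admin srcip=198.51.100.7 dstport=10443
ts=2 action=login status=failed user=admin srcip=198.51.100.7 dstport=10443
ts=3 action=login status=failed user=admin srcip=198.51.100.7 dstport=10443
ts=4 action=login status=success user=admin srcip=198.51.100.7 dstport=10443
ts=5 action=login status=failed user=admin srcip=203.0.113.9 dstport=8443
ts=6 action=login status=success user=jdoe srcip=192.0.2.5 dstport=443
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def detect(logs):
    """Return (bruteforce_sources, suspicious_successes).

    bruteforce_sources: srcip -> number of failed logins on a management port
    suspicious_successes: (srcip, user) pairs where a success followed at
    least FAIL_THRESHOLD failures from the same source, i.e. the
    weak-credential compromise pattern the article describes.
    """
    fails = defaultdict(int)
    suspicious = []
    for line in logs.splitlines():
        ev = parse(line)
        if ev.get("action") != "login" or int(ev.get("dstport", 0)) not in MGMT_PORTS:
            continue  # not an admin login on a management port
        src = ev["srcip"]
        if ev["status"] == "failed":
            fails[src] += 1
        elif ev["status"] == "success" and fails[src] >= FAIL_THRESHOLD:
            suspicious.append((src, ev["user"]))
    brute = {s: n for s, n in fails.items() if n >= FAIL_THRESHOLD}
    return brute, suspicious

if __name__ == "__main__":
    brute, suspicious = detect(SAMPLE_LOGS)
    print("guessing bursts by source:", brute)
    print("success after a burst of failures:", suspicious)
```

On real appliances the same logic applies to the device's own admin login events, with the threshold tuned to the environment; a success following a burst of failures from one source is the alert worth paging on.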

Article Summaries:

  • AWS reports that more than 600 Fortinet FortiGate firewall instances were compromised in an AI‑powered campaign that ran from January 11 to February 18. The attackers did not exploit known vulnerabilities; instead they scanned for exposed management interfaces on ports 443, 8443, 10443 and 4443 and used common credentials to gain initial access. Once inside, they extracted NTLM hashes, harvested domain credential databases, and performed lateral movement via pass‑the‑hash and pass‑the‑ticket techniques. The campaign also targeted Veeam Backup & Replication servers to destroy backups in preparation for ransomware. AWS says the operation was carried out by a financially motivated, Russian‑speaking threat actor who relied on commercial generative‑AI services for planning, tool creation and execution.
