Hundreds of FortiGate instances were breached at scale by a financially motivated threat actor with limited technical expertise using generative artificial intelligence (GenAI). This demonstrates how AI can scale a threat actor's operations, but it also shows how GenAI is lowering the technical barrier to entry for attackers.

According to Amazon Web Services, a financially motivated, Russian-speaking cyber threat actor compromised over 600 instances of Fortinet's FortiGate firewall by using otherwise legitimate GenAI services. Researchers discovered the compromises between January and February and found that the affected devices were located in over 55 countries, with concentrations in South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and other regions.

Most significantly, a blog post describing the activity claims that "no exploitation of FortiGate vulnerabilities was observed — instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication, fundamental security gaps that AI helped an unsophisticated actor exploit at scale." The threat actor's use of GenAI tools to carry out such an extensive campaign is noteworthy, but given how many organizations were compromised, it should also serve as a warning to enterprise defenders.

According to Moses, "this campaign succeeded through a combination of exposed management interfaces, weak credentials, and single-factor authentication — all fundamental security gaps that AI helped an unsophisticated actor exploit at scale," and "this demonstrates that robust security principles are effective barriers against threats enhanced by artificial intelligence." AWS advises businesses using FortiGate to make sure management interfaces are not exposed to the internet and, if they must be, to limit access to known IP address ranges.

Additionally, organizations should rotate SSL-VPN user credentials, audit VPN connection logs for connections from unexpected geographic locations, change all default and common credentials across appliances, and use multifactor authentication (MFA) for all admin and VPN access.
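One way to implement the VPN-log audit described above, as an added Python example that is not part of the article or of AWS's guidance. The key=value log layout, field names, action values, IP-to-country table and sample lines are constructed for illustration; it flags successful tunnels from outside an expected set of countries and repeated login failures against one account from one source.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in a FortiGate-style key=value syslog layout (field names
# and action values are assumed for illustration, not copied from a real appliance).
SAMPLE_LOGS = [
    'date=2025-02-03 time=08:12:41 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.10',
    'date=2025-02-03 time=08:12:43 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.10',
    'date=2025-02-03 time=08:12:45 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.10',
    'date=2025-02-03 time=09:01:02 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=192.0.2.5',
    'date=2025-02-03 time=09:30:17 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=198.51.100.7',
    'date=2025-02-03 time=09:31:00 type="event" subtype="system" action="login" user="admin" remip=192.0.2.9',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Constructed prefix-to-country table standing in for a GeoIP lookup (documentation ranges).
GEO_TABLE = {"192.0.2.0/24": "US", "198.51.100.0/24": "NG", "203.0.113.0/24": "BR"}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"  # unknown ranges are reported, not silently accepted

def audit_vpn_logs(lines, expected_countries, fail_threshold=3):
    """Flag successful tunnels from outside expected_countries and repeated
    login failures per (user, source IP) at or above fail_threshold."""
    findings, fails = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("subtype") != "vpn":
            continue  # only SSL-VPN events are in scope here
        if rec["action"] == "ssl-login-fail":
            fails[(rec["user"], rec["remip"])] += 1
        elif rec["action"] == "tunnel-up":
            cc = country_of(rec["remip"])
            if cc not in expected_countries:
                findings.append(("unexpected-geo", rec["user"], rec["remip"], cc))
    for (user, ip), n in fails.items():
        if n >= fail_threshold:
            findings.append(("password-guessing", user, ip, n))
    return findings
```

Calling `audit_vpn_logs(SAMPLE_LOGS, {"US"})` on the constructed input reports bob's tunnel from an unexpected country and the three failed admin logins from one source.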

Potentially impacted organizations should also watch for unexpected DCSync operations, new scheduled tasks named to resemble genuine Windows services, unauthorized access to backup credential stores, and newly created accounts whose names mimic legitimate ones.