AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks

Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in 5 weeks.

A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign took place between January 11 and February 18, 2026, and did not rely on any exploits to breach the Fortinet firewalls.

Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.


Moses says the compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.

An AI-powered hacking campaign

Amazon says it learned about the campaign after discovering a server hosting malicious tools used to target Fortinet FortiGate firewalls.

As part of the campaign, the threat actor targeted FortiGate management interfaces exposed to the internet by scanning for services running on ports 443, 8443, 10443, and 4443. The targeting was reportedly opportunistic rather than aimed at any specific industries.

Rather than exploiting zero-days, as is commonly seen in attacks on FortiGate devices, the actor used brute-force attacks with common passwords to gain access to the devices.

Once breached, the threat actor extracted the device's configuration settings, which include:

  • SSL-VPN user credentials with recoverable passwords
  • Administrative credentials
  • Firewall policies and internal network architecture
  • IPsec VPN configurations
  • Network topology and routing information

These configuration files were then parsed and decrypted using what appear to be AI-assisted Python and Go tools.

“Following VPN access to victim networks, the threat actor deploys a custom reconnaissance tool, with different versions written in both Go and Python,” explained Amazon.

“Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-ins with empty documentation stubs.”

“While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge cases—characteristics typical of AI-generated code used without significant refinement.”

These tools were used to automate reconnaissance on the breached networks by analyzing routing tables, classifying networks by size, running port scans with the open-source gogo scanner, identifying SMB hosts and domain controllers, and using Nuclei to look for HTTP services.

The researchers say that while the tools were functional, they sometimes failed in more hardened environments.

Operational documentation written in Russian detailed how to use Meterpreter and mimikatz to conduct DCSync attacks against Windows domain controllers and extract NTLM password hashes from the Active Directory database.

The campaign also specifically targeted Veeam Backup & Replication servers using custom PowerShell scripts and compiled credential-extraction tools, and attempted to exploit Veeam vulnerabilities.

On one of the servers found by Amazon (212[.]11.64.250), the threat actor hosted a PowerShell script named “DecryptVeeamPasswords.ps1” that was used to target the backup application.

As Amazon explains, threat actors commonly target backup infrastructure before deploying ransomware to prevent the restoration of encrypted files from backups.

The threat actors’ “operational notes” also contained several references to attempting to exploit various vulnerabilities, including CVE-2019-7192 (QNAP RCE), CVE-2023-27532 (Veeam information disclosure), and CVE-2024-40711 (Veeam RCE).

The report says that the attacker repeatedly failed when attempting to breach patched or locked-down systems, but instead of continuing to try to gain access, they moved on to easier targets.

While Amazon believes the threat actor has a low-to-medium skill set, that skill set was greatly amplified through the use of AI.

The researchers say the threat actor used at least two large language model providers throughout the campaign to:

  • Generate step-by-step attack methodologies
  • Develop custom scripts in multiple programming languages
  • Create reconnaissance frameworks
  • Plan lateral movement strategies
  • Draft operational documentation

In one instance, the actor reportedly submitted a full internal victim network topology, including IP addresses, hostnames, credentials, and identified services, to an AI service and asked for help spreading further into the network.

Amazon says the campaign demonstrates how commercial AI services are lowering the barrier to entry for threat actors, enabling them to carry out attacks that would normally be outside their skill set.

The company recommends that FortiGate admins not expose management interfaces to the internet, ensure MFA is enabled, ensure VPN passwords are not the same as those for Active Directory accounts, and harden backup infrastructure.
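Two of those recommendations, keeping management interfaces off the internet and requiring MFA for administrators, can be checked mechanically against a FortiGate configuration backup. The script below is an added example for this article, not Amazon's or Fortinet's code: it parses a constructed configuration snippet written in FortiOS CLI syntax (`config` / `edit` / `set` / `next` / `end`; the `allowaccess`, `role`, `trusthost1` and `two-factor` keys are real FortiOS settings, but the sample values are invented) and reports WAN-facing interfaces that allow management protocols, administrator accounts without two-factor authentication, and administrators with no trusted-host restriction.

```python
"""Audit a FortiOS-style configuration for exposed admin access and missing MFA.

Added example; not code from the Amazon report or from Fortinet.
SAMPLE_CONFIG is constructed for this demo in FortiOS CLI syntax.
"""
import shlex

# Constructed sample: wan1 wrongly allows HTTPS/SSH management from the
# internet; "admin" has neither MFA nor a trusthost, "netops" has both.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios_config(text: str) -> dict:
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: values}}}.

    Sections are keyed by a tuple of nested 'config' names so that blocks
    nested inside an 'edit' do not collide with top-level ones.
    """
    tree = {}
    sections = []   # stack of open 'config' block names
    entries = []    # stack of open 'edit' names
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            sections.append(" ".join(parts[1:]))
            tree.setdefault(tuple(sections), {})
        elif kw == "edit":
            entries.append(parts[1])
            tree[tuple(sections)].setdefault(parts[1], {})
        elif kw == "set":
            entry = entries[-1] if entries else ""
            tree[tuple(sections)].setdefault(entry, {})[parts[1]] = parts[2:]
        elif kw == "next" and entries:
            entries.pop()
        elif kw == "end" and sections:
            sections.pop()
    return tree


def audit(tree: dict) -> list:
    """Return (severity, message) findings for the hardening checks."""
    findings = []
    for name, cfg in tree.get(("system interface",), {}).items():
        if cfg.get("role") == ["wan"]:
            exposed = MGMT_PROTOCOLS & set(cfg.get("allowaccess", []))
            if exposed:
                findings.append(("HIGH", f"interface {name}: management "
                                 f"protocols {sorted(exposed)} allowed on a "
                                 "WAN-facing interface"))
    for name, cfg in tree.get(("system admin",), {}).items():
        if cfg.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("HIGH", f"admin {name}: two-factor "
                             "authentication not enabled"))
        if not any(k.startswith("trusthost") for k in cfg):
            findings.append(("MEDIUM", f"admin {name}: no trusthost "
                             "restriction on login source"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against a real backup, the interface check is the one that maps directly to the initial-access path in the report: an `allowaccess` list containing `https` or `ssh` on an interface with `role wan` is exactly the exposed management service the actor scanned for. The password-reuse recommendation cannot be judged from the configuration alone and needs to be checked against the identity provider.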

Google recently reported that threat actors are abusing Gemini AI across all stages of cyberattacks, mirroring what Amazon observed in this campaign.
