
AI-Augmented Credential Abuse Campaign Targets Internet-Exposed Fortinet FortiGate Management Interfaces [UPDATED INFORMATION]

March 19th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring an active, AI-augmented intrusion campaign targeting internet-exposed Fortinet FortiGate management interfaces. Amazon Threat Intelligence has identified a Russian-speaking, financially motivated threat actor using commercial generative AI services to compromise over 600 FortiGate devices in more than 55 countries between January 11 and February 18, 2026. No FortiGate software vulnerabilities were exploited; the campaign relied instead on abusing exposed management interfaces and weak single-factor credentials. AI allowed the threat actor to operate at a scale and speed that would previously have required a larger, more skilled team. After gaining access, the actor extracted full FortiGate configurations, used stolen credentials for internal network access, compromised Active Directory environments, and targeted backup infrastructure, consistent with pre-ransomware activity. Separately, Team Cymru later identified one of the campaign IPs as exposing a banner for CyberStrikeAI, an open-source AI-native offensive security platform built in Go that integrates over 100 security tools, suggesting overlap between the campaign's infrastructure and broader CyberStrikeAI deployments. Organizations with internet-exposed FortiGate management interfaces should consider this an active threat and implement the recommended defensive actions immediately.

Technical Details

Threat Type: AI-Augmented Credential Abuse / Internet-Exposed Edge Device Intrusion Campaign

Severity: Critical

Affected Systems: Internet-exposed Fortinet FortiGate management interfaces

Threat Actor: Russian-speaking, financially motivated actor; low-to-medium baseline technical capability significantly augmented by AI (Amazon Threat Intelligence)

AI Services Used: Multiple commercial LLM providers, including Anthropic Claude and DeepSeek

Scale of Compromise: 600+ FortiGate devices across 55+ countries

Amazon Campaign Window: January 11 to February 18, 2026

Threat Actor Assessment:

  • Amazon Threat Intelligence assesses this actor as financially motivated, likely a single individual or small group, and Russian-speaking, based on extensive Russian-language operational documentation.

  • The actor operates with low-to-medium technical skill, significantly enhanced by commercial AI, which they use throughout all operational phases, including tool development, attack planning, command generation, and reporting.

  • When facing hardened environments or non-standard defenses, the actor consistently shifts to softer targets instead of persisting.

  • Their primary advantage is AI-driven efficiency and scale, rather than advanced technical expertise.

CyberStrikeAI Related Infrastructure:

  • Team Cymru identified the Amazon-shared IP 212.11.64[.]250 as exposing a CyberStrikeAI banner, showing infrastructure overlap between this campaign and known CyberStrikeAI deployments.

  • Between January 20 and February 26, 2026, Team Cymru observed 21 unique IPs running CyberStrikeAI.

    • Most were hosted in China, Singapore, and Hong Kong, with additional servers in the United States, Japan, and Switzerland.

Observed Attack Chain:

  • Initial Access, Mass Credential Abuse:

    • The actor conducted a systematic scan of internet-exposed FortiGate management interfaces on ports 443, 8443, 10443, and 4443, followed by authentication attempts using commonly reused credentials against weak single-factor accounts.

      • No exploitation of FortiGate software vulnerabilities was observed during initial access.

  • Collection, Configuration Theft:

    • Following successful authentication, the actor extracted full FortiGate configuration files.

      • These files are high-value targets containing SSL-VPN user credentials with recoverable passwords, administrative credentials, complete network topology and routing information, firewall policies revealing internal architecture, and IPsec VPN peer configurations.

  • Credential Processing, AI-Assisted Parsing:

    • The actor used AI-assisted Python scripts to parse, decrypt, and organize the stolen configuration data at scale.

    • Custom tooling bore clear hallmarks of AI-generated development, including redundant comments, simplistic architecture, and naive JSON parsing; it was functional for the specific use case but lacked robustness.

  • Internal Reconnaissance, AI-Generated Framework:

    • Following VPN access to victim networks, the actor deployed a custom reconnaissance tool written in Go and Python.

    • The tool ingested target networks from VPN routing tables, classified networks by size, ran service discovery using the open-source port scanner gogo, automatically identified SMB hosts and domain controllers, and integrated vulnerability scanning via Nuclei against discovered HTTP services to produce prioritized target lists.

  • Post-Exploitation:

    • The actor used Meterpreter with the Mimikatz module to perform DCSync attacks against domain controllers, extracting NTLM password hashes from Active Directory.

    • In confirmed compromises, the actor obtained complete domain credential databases.

    • Lateral movement followed via pass-the-hash and pass-the-ticket attacks, NTLM relay attacks, and remote command execution against Windows hosts.

    • The actor specifically targeted Veeam Backup and Replication servers, using PowerShell scripts and compiled decryption tools to extract credentials, and attempted exploitation of known Veeam vulnerabilities.

      • This is consistent with a pre-ransomware posture aimed at destroying recovery capabilities before potential ransomware deployment.

  • AI as Force Multiplier:

    • The actor used at least two commercial LLM providers in complementary roles throughout operations.

      • One served as the primary tool developer, attack planner, and operational assistant.

      • A second was used as a supplementary planner when pivoting within specific victim networks.

    • In one documented instance, the actor submitted a complete internal network topology, including IP addresses, hostnames, confirmed credentials, and identified services, to a commercial AI service and requested a step-by-step plan to further compromise the network.


Impact

  • Credential Compromise: Full extraction of FortiGate configuration files yields SSL-VPN credentials, administrative passwords, and complete network topology, providing attackers with a comprehensive map of the internal environment before VPN access is even attempted.

  • Active Directory Compromise: Confirmed compromises included full extraction of domain credential databases via DCSync attacks, providing the actor with persistent, broad access to internal environments.

  • Pre-Ransomware Positioning: Targeting Veeam backup infrastructure to extract credentials and destroy recovery capabilities is a well-established precursor to ransomware deployment.

  • Broad Attack Surface: Targeting was opportunistic and geographically broad, spanning South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.

  • Regulatory and Business Exposure: Compromise of domain credentials and internal network access may trigger regulatory obligations, incident response costs, and reputational harm where sensitive or regulated data is affected.

Detection Method

  • Management Interface Exposure and Authentication:

    • Monitor for repeated or failed authentication attempts against FortiGate management interfaces, particularly from external IP addresses.

    • Audit VPN connection logs for connections from unexpected geographic locations or IP ranges.

    • Alert on any new administrative account creation on FortiGate appliances.

  • Post-VPN Internal Activity:

    • Monitor for unexpected DCSync operations (Windows Event ID 4662 with replication-related GUIDs), which indicate an attempt to extract the full Active Directory credential database.

    • Alert on new scheduled tasks named to mimic legitimate Windows services.

    • Detect unusual remote management connections originating from VPN address pools.

    • Monitor for LLMNR/NBT-NS poisoning artifacts in network traffic, indicating NTLM relay attack attempts.

  • Backup Infrastructure:

    • Monitor for unauthorized access to Veeam Backup and Replication servers.

    • Alert on unusual PowerShell module loading on backup servers.

    • Monitor for unauthorized access to backup credential stores.

  • Outbound and Configuration Activity:

    • Monitor for unexpected outbound connections from FortiGate devices to external IPs, particularly those in the IOC table below.

    • Alert on unexpected configuration export or download activity from FortiGate management interfaces.
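To operationalize the DCSync check in the Post-VPN Internal Activity bullet, the following is an added Python example (not code from this advisory, Amazon, or Team Cymru) that scans Event ID 4662 records for the directory replication extended-right GUIDs and reports requests from accounts that are neither domain controller machine accounts nor an allowlisted sync account. The events are constructed samples, and the allowlisted account name is a placeholder for a hypothetical domain.

```python
# Added example (not Amazon's, Team Cymru's or Fortinet's code): flag DCSync-style
# replication requests in Windows Security Event ID 4662 records. Events are
# constructed samples in a flat dict shape; field names follow the 4662 event XML.

# Extended rights a replication partner requests. A non-DC account asking for
# Get-Changes plus Get-Changes-All is the classic DCSync signature.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Non-DC identities expected to replicate (e.g. a directory sync service
# account). Placeholder name for a hypothetical domain; fill from your own.
ALLOWED_REPLICATORS = {"svc-dirsync"}

def replication_rights(event: dict) -> list[str]:
    """Names of replication rights present in Properties, which in 4662 is a
    newline-separated list of {GUID} entries (case-insensitive match)."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]

def find_dcsync(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (record id, subject, rights) for 4662 events where a non-DC,
    non-allowlisted account requested replication rights. DC machine accounts
    end in '$' and replicate with each other as a matter of course."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev)
        subject = ev.get("SubjectUserName", "")
        if not rights or subject.endswith("$") or subject in ALLOWED_REPLICATORS:
            continue
        findings.append((ev["EventRecordID"], subject, rights))
    return findings

GET_CHANGES_ALL = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
# Constructed samples: DC-to-DC replication, the allowlisted sync account, a user
# touching an object with an unrelated (non-replication) GUID, and a user pulling all changes.
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "EventID": 4662, "SubjectUserName": "DC02$", "Properties": GET_CHANGES_ALL},
    {"EventRecordID": 2, "EventID": 4662, "SubjectUserName": "svc-dirsync", "Properties": GET_CHANGES_ALL},
    {"EventRecordID": 3, "EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventRecordID": 4, "EventID": 4662, "SubjectUserName": "jsmith", "Properties": GET_CHANGES_ALL},
]
```

Feed `find_dcsync` the 4662 records your SIEM already collects from domain controllers; only record 4 above (a plain user account requesting both replication rights) is reported.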

Indicators of Compromise

Type         Indicator           Description
IP Address   212.11.64[.]250     Amazon-shared campaign IP; later observed by Team Cymru exposing a CyberStrikeAI banner
IP Address   185.196.11[.]225    Threat actor infrastructure used for scanning and exploitation operations (Amazon Threat Intelligence)


Recommendations

  • Audit and Restrict Management Interface Exposure Immediately:

    • Ensure FortiGate management interfaces are not exposed to the internet.

    • If remote administration is required, restrict access to known IP ranges and route through a bastion host or out-of-band management network.

  • Rotate All Credentials:

    • Change all default and commonly reused credentials on FortiGate appliances, including administrative and SSL-VPN user accounts.

      • Audit for password reuse between FortiGate VPN credentials and Active Directory domain accounts.

  • Enforce MFA Across All Remote Access: Implement multi-factor authentication for all administrative and VPN access.

  • Audit FortiGate Configurations for Unauthorized Changes: Review all FortiGate appliances for unauthorized administrative accounts, unexpected policy changes, and anomalous configuration exports.

  • Harden and Monitor Backup Infrastructure:

    • Isolate Veeam Backup and Replication servers and other backup infrastructure from general network access.

    • Patch backup software against known credential extraction vulnerabilities.

    • Implement immutable backup copies and monitor backup servers for unauthorized PowerShell activity.

  • Strengthen Post-Exploitation Detection: Deploy behavioral detection for DCSync operations, NTLM relay activity, new scheduled tasks mimicking legitimate services, and unusual lateral movement from VPN address pools.

  • Block Known Campaign Infrastructure:

    • Implement firewall and proxy rules to block the AWS-attributed campaign IPs immediately.

      • Note that because the actor uses legitimate open-source tools, IP blocking should complement behavioral detection rather than replace it.

Conclusion

This campaign represents a major shift in the threat landscape. Commercial AI services now allow individuals with limited technical skills to conduct large-scale intrusion operations that previously required larger, more skilled teams. By exploiting exposed management interfaces and weak single-factor credentials, a single financially motivated actor compromised over 600 FortiGate devices in 55 countries, extracted complete domain credential databases from multiple organizations, and prepared for potential ransomware attacks. Team Cymru’s separate identification of CyberStrikeAI infrastructure in connection with this campaign highlights the rapid adoption of AI-native offensive tools by financially motivated actors. Defending against this threat does not require new controls. Restricting management interface exposure, enforcing multi-factor authentication, maintaining strong credential practices, and deploying behavioral detection for post-exploitation activity are recommended to mitigate associated risks. Organizations that have not implemented these measures should act immediately.
