A hacker was able to compromise 600 FortiGate firewalls thanks to AI.
A Russian attacker compromised more than 600 FortiGate firewalls in 55 countries over a five-week period without using zero-day exploits. He only needed weak passwords and generative AI.
No zero-days, just brute force and AI
According to a report by Amazon CISO CJ Moses, the campaign ran from January 11 to February 18, 2026. The attacker targeted publicly accessible management interfaces on ports 443, 8443, 10443, and 4443.
Instead of exploiting vulnerabilities, he brute-forced accounts that had no MFA enabled. Once he had access, he exfiltrated configuration files containing VPN credentials, admin passwords, and network topology.
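Because the intrusion relied on password guessing against exposed admin interfaces rather than an exploit, the most useful defensive signal is a burst of failed admin logins from one source on a management port, especially when a success follows. The script below is an added example, not code from the article, from Amazon, or from Fortinet: it runs a sliding-window failed-login counter over constructed log lines whose key=value field names (`logdesc`, `srcip`, `dstport`, `status`, `user`) are assumptions loosely modelled on firewall event logs, and it flags sources that exceed a threshold on any of the four ports named in the report.

```python
"""Detect password-guessing against firewall admin interfaces in key=value event logs.

Added example (not from the article, Amazon, or Fortinet). The log lines are
constructed, and the field names are assumptions loosely modelled on
firewall-style key=value event logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Management ports named in the report.
MGMT_PORTS = {443, 8443, 10443, 4443}

# Constructed sample lines (assumed format, not real logs).
SAMPLE_LOGS = """\
date=2026-01-12 time=03:14:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=443 status=failed
date=2026-01-12 time=03:14:05 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=443 status=failed
date=2026-01-12 time=03:14:09 logdesc="Admin login failed" user="fortiadmin" srcip=203.0.113.7 dstport=10443 status=failed
date=2026-01-12 time=03:15:00 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=8443 status=failed
date=2026-01-12 time=03:15:30 logdesc="Admin login failed" user="fortiadmin" srcip=203.0.113.7 dstport=4443 status=failed
date=2026-01-12 time=03:16:02 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=443 status=failed
date=2026-01-12 time=03:16:40 logdesc="Admin login successful" user="admin" srcip=203.0.113.7 dstport=443 status=success
date=2026-01-12 time=04:50:00 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 dstport=443 status=failed
date=2026-01-12 time=09:00:10 logdesc="Admin login failed" user="jsmith" srcip=198.51.100.20 dstport=443 status=failed
date=2026-01-12 time=09:00:25 logdesc="Admin login successful" user="jsmith" srcip=198.51.100.20 dstport=443 status=success
date=2026-01-12 time=09:30:00 logdesc="Admin login failed" user="root" srcip=192.0.2.5 dstport=22 status=failed
"""

# key=value pairs; values may be quoted (and contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {srcip: summary} for sources with >= threshold failed admin logins
    on a management port inside any `window`-long span. The summary also notes
    whether a successful login from the same source followed the failure burst,
    which is the case that most warrants an immediate credential reset."""
    failures = defaultdict(list)   # srcip -> [(timestamp, user)]
    successes = defaultdict(list)  # srcip -> [timestamp]
    for line in lines:
        f = parse_line(line)
        if "login" not in f.get("logdesc", "").lower():
            continue
        try:
            port = int(f.get("dstport", "0"))
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than crash the detector
        if port not in MGMT_PORTS:
            continue
        if f.get("status") == "failed":
            failures[f["srcip"]].append((ts, f.get("user", "?")))
        elif f.get("status") == "success":
            successes[f["srcip"]].append(ts)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort()
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count < threshold:
            continue
        last_fail = evs[e][0]
        alerts[ip] = {
            "failures": count,
            "users": sorted({u for _, u in evs[s:e + 1]}),
            "first": evs[s][0],
            "last": last_fail,
            "followed_by_success": any(t > last_fail for t in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(ip, info)
```

On the constructed input only 203.0.113.7 is flagged: six failures across two admin accounts and three of the four management ports within about two minutes, followed by a successful login. The single failure from 198.51.100.20 stays below the threshold, and the SSH failure on port 22 is ignored because only the report's four ports are watched. The `followed_by_success` flag is the detail to act on first, since it is exactly the pattern that precedes configuration theft in the campaign described above.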
Amazon states that AI services were used to:
- develop attack scenarios;
- generate scripts in Python and Go;
- plan lateral movement;
- draft operational documentation.
Backup servers and Active Directory
Active Directory environments were attacked using tools such as Meterpreter and mimikatz. Veeam Backup & Replication servers were also targeted, likely to complicate recovery after ransomware.
A misconfigured server in Switzerland contained more than 1,400 files with stolen configurations, credential dumps, and AI-generated attack scripts. Researchers also found a proprietary Model Context Protocol (MCP) server, according to Bleeping Computer, which sent data directly to commercial LLMs for analysis and planning.
