Amazon published a detailed analysis of a previously unreported campaign in which a Russian-speaking actor compromised more than 600 FortiGate firewalls in 55 countries in just five weeks, between January 11 and February 18, 2026. No unpublished vulnerability or zero-day was involved: the attackers took advantage of Internet-exposed management interfaces and weak credentials that were not protected by multifactor authentication to open the doors to the affected networks. You can read Amazon's technical report on its official technical blog.
The mode of operation was, on the surface, quite simple, and dangerous precisely because it was effective: mass scanning of ports associated with management panels (including 443, 8443, 10443 and 4443), brute-force attempts with common passwords, and access to management consoles wherever defenses were minimal. Once inside, the attackers exfiltrated the complete device configurations: recoverable SSL-VPN credentials, administrative credentials, firewall policies, IPsec configurations, and the internal network map and routing. This data set gave them the visibility to move laterally within the victim networks.

What sets this incident apart from traditional attacks is the mix of conventional tools with capabilities generated by AI models. Amazon documents that the stolen configuration files were processed and decrypted by tools written in Python and Go that show clear signs of having been produced with the assistance of language models: redundant comments that repeat what the functions do, bloated architecture focused more on presentation than on resilience, naive JSON parsing by string matching, and shims with empty docstrings. These fingerprints point to code produced by AI and used without deep review: functional in simple scenarios but fragile against tighter defenses.
With credentials and topology in hand, the attackers automated reconnaissance tasks: they analyzed routing tables, classified subnets by size, ran port scans with public tools such as the gogo scanner, located SMB hosts and domain controllers, and used Nuclei to detect exposed web services. Operational notes found on the attacker-controlled servers describe the use of Meterpreter and Mimikatz to perform DCSync attacks against Active Directory domain controllers and extract NTLM hashes, which facilitates lateral movement and privilege escalation.
The researchers also found marked attention to the backup infrastructure: the attackers developed and hosted scripts specifically targeting Veeam Backup & Replication, including a PowerShell script named DecryptVeeamPasswords.ps1. Attacking the backups is a classic tactic before deploying ransomware encryptors: if the attacker manages to render the backups unusable or steal them, the victim has fewer options to recover. Amazon also documented attempts to exploit known vulnerabilities, such as CVE-2019-7192 in QNAP and several Veeam-related advisories (CVE-2023-27532 and CVE-2024-40711), although many of these attempts failed against patched and hardened systems.
A particularly disturbing aspect is the way AI was used to scale human capabilities. Amazon describes that the actor used at least two language model providers to generate step-by-step attack methodologies, create scripts in different languages, design reconnaissance frameworks, plan lateral movement and even write internal operational documentation. On one documented occasion, the attacker fed an internal map of the victim network, with IP addresses, host names, credentials and identified services, into an AI service and requested instructions for spreading further. That illustrates how commercial AI services can drastically lower the technical barrier for actors with basic skills.
Amazon itself rates the attacker's technical capability as low to medium, but stresses that the combination of basic knowledge with AI-assisted tooling increased its effectiveness. Automated tools were sufficient against unprotected networks, although in more hardened environments they usually failed. When a target was patched or configured according to good practice, the actor simply moved on to the next most vulnerable target rather than trying to exploit it thoroughly.
From a defensive perspective, the recommendations are the usual ones, but with renewed urgency: do not expose management interfaces to the Internet unless it is essential, and then only behind strong access controls; apply multifactor authentication to administrative access and VPN; avoid reusing the same passwords between VPN services and Active Directory accounts; and protect and segment backup infrastructure so that it is not at the mercy of the same set of stolen credentials. These basic measures stop the tactics observed in the campaign.
Beyond the specific fixes, the episode carries a clear message for security officers and administrators: the proliferation of code assistants and generative AI is transforming the threat profile. Tools that make it easy to write scripts, generate playbooks and automate reconnaissance allow attackers with limited knowledge to mount campaigns at scale. The technology not only offers new tools to defenders, but also democratizes offensive capabilities.
To mitigate this new context, it is appropriate to combine digital hygiene with technical and process defenses: network segmentation that limits how far stolen credentials can be reused, monitoring of administrative access with anomaly detection, telemetry records that allow lateral movement to be reconstructed, regular restoration tests of backups in isolated environments, and regular audits that identify exposed interfaces and weak credentials. Defense in depth is once again the best response to campaigns that look for the easiest way in.
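As an added example of the "monitoring of administrative access with anomaly detection" recommended above (not code from the AWS report or from Fortinet), the following Python detector runs over constructed log lines and flags a successful admin login on a management interface that was preceded by a burst of failures from the same source, the pattern the brute-force phase of this campaign would leave behind. The lines are written in a key=value style loosely modelled on FortiGate event logs; the field names, the threshold and the window are assumptions.

```python
"""Flag admin logins that succeed right after a burst of failures from one source.

Added example, not from the AWS report. Log lines are constructed and only
loosely modelled on FortiGate 'event' logs; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: five failed admin logins from one external source over the
# HTTPS management interface, then a success from that same source, and finally
# an unrelated, legitimate-looking success from an internal address.
SAMPLE_LOGS = """\
date=2026-02-01 time=03:10:01 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.9 ui=https(203.0.113.9)
date=2026-02-01 time=03:10:03 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.9 ui=https(203.0.113.9)
date=2026-02-01 time=03:10:05 type=event subtype=system action=login status=failed user=fortinet srcip=203.0.113.9 ui=https(203.0.113.9)
date=2026-02-01 time=03:10:07 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.9 ui=https(203.0.113.9)
date=2026-02-01 time=03:10:09 type=event subtype=system action=login status=failed user=admin srcip=203.0.113.9 ui=https(203.0.113.9)
date=2026-02-01 time=03:10:12 type=event subtype=system action=login status=success user=admin srcip=203.0.113.9 ui=https(203.0.113.9)
date=2026-02-01 time=08:00:00 type=event subtype=system action=login status=success user=admin srcip=10.0.0.5 ui=https(10.0.0.5)
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Turn one key=value log line into a dict with a parsed 'ts' timestamp."""
    d = {k: v.strip('"') for k, v in KV.findall(line)}
    d["ts"] = datetime.strptime(f"{d['date']} {d['time']}", "%Y-%m-%d %H:%M:%S")
    return d

def find_bruteforce_then_success(text, threshold=5, window=timedelta(minutes=10)):
    """Return (srcip, user, ts) for every successful login that was preceded by
    at least `threshold` failed logins from the same source inside `window`."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    failures = defaultdict(list)  # srcip -> timestamps of failed logins
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("action") != "login":
            continue
        if e["status"] == "failed":
            failures[e["srcip"]].append(e["ts"])
        elif e["status"] == "success":
            recent = [t for t in failures[e["srcip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((e["srcip"], e["user"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for srcip, user, ts in find_bruteforce_then_success(SAMPLE_LOGS):
        print(f"ALERT {ts}: '{user}' logged in from {srcip} after a burst of failures")
```

In production the same logic would be fed from the firewall's syslog stream and tuned so that a success after repeated failures from an address outside the administrative allow-list raises a ticket rather than just a log line.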

The Amazon report is publicly available and documents in detail the technical artifacts found on the attacker-controlled servers, which may be useful for incident response teams and threat hunters. You can consult it in the official AWS publication and verify the references to tools and CVEs in the sources listed above. It is also advisable to review vendor security bulletins and confirm that the versions deployed in each organization are patched and configured according to the official guides.
In strategic terms, this incident is a reminder that the AI revolution will be double-edged: it accelerates useful capabilities for good, but it also amplifies cybersecurity risk. The response must be a mix of better defensive technology, continuous training of teams, and policies that reduce the exposed surface. If one thing is clear, it is that the battle to protect critical infrastructure is no longer only against those who master the most sophisticated exploitation techniques, but also against those who know how to combine accessible tools with enough creativity to exploit basic configuration errors.
If you manage FortiGate devices or any remote access platform, review the management settings, enable MFA on all privileged accounts, check logs and configuration snapshots for unusual activity, and strengthen your backups. Small technical steps today can prevent tomorrow's automation from making you one more statistic.