AI-Driven Cyber Attacks Target Over 600 FortiGate Devices Globally

A financially motivated threat actor has compromised more than 600 FortiGate devices across 55 countries, leveraging AI tools to exploit weak security measures.

A recent investigation by Amazon Threat Intelligence has revealed that a financially motivated threat actor has successfully compromised over 600 FortiGate devices in 55 countries. This activity occurred between January 11 and February 18, 2026, and highlights the increasing use of artificial intelligence (AI) in cybercrime.

Methodology of the Attack

According to CJ Moses, Chief Information Security Officer at Amazon Integrated Security, the attackers did not exploit any FortiGate vulnerabilities. Instead, they took advantage of management ports exposed to the internet and weak credentials protected only by single-factor authentication. These are fundamental security gaps, and the actor exploited them at scale with the help of commercial generative AI tools.

Profile of the Threat Actor

The threat actor is described as having limited technical skills, which they compensated for by using multiple AI tools across various phases of the attack, including tool development and command generation. The specific AI tools have not been named. The campaign appears to be financially motivated, with no links to state-sponsored advanced persistent threats (APTs).

Impact and Scope of Compromise

Amazon’s findings indicate that the attackers compromised multiple organizations’ Active Directory environments, extracted credential databases, and targeted backup infrastructures, likely in preparation for ransomware deployment. The attacks were characterized by systematic scanning of FortiGate management interfaces exposed to the internet, specifically targeting ports 443, 8443, 10443, and 4443.

Recommendations for Organizations

To mitigate the risks associated with such attacks, organizations are advised to ensure that management interfaces are not exposed to the internet, change default credentials, implement multi-factor authentication for administrative access, and isolate backup servers from general network access. Regular audits for unauthorized accounts and connections are also recommended.
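The checks above can be scripted against a device inventory. The following is an added example, not code from the article, Amazon, or Fortinet: it audits a constructed inventory of management listeners and admin accounts for the weaknesses this campaign relied on (internet-facing management ports from the scanned set, default or single-factor admin credentials, and admin accounts absent from an approved list). All field names, sample hosts and sample accounts are assumptions.

```python
from dataclasses import dataclass
# Management ports the article reports being scanned on internet-facing FortiGate devices.
SCANNED_MGMT_PORTS = {443, 8443, 10443, 4443}

@dataclass
class MgmtListener:
    interface: str
    port: int
    wan_facing: bool        # True if the interface carries a public address
    allowed_sources: tuple  # source CIDRs permitted to reach it; () means unrestricted

@dataclass
class AdminAccount:
    name: str
    mfa_enabled: bool
    password_is_default: bool  # still at the vendor default, never rotated

def audit(listeners, accounts, approved_admins):
    """Return (severity, message) findings for exposed management access and weak admin accounts."""
    findings = []
    for lst in listeners:
        if lst.wan_facing and lst.port in SCANNED_MGMT_PORTS and not lst.allowed_sources:
            findings.append(("HIGH", f"management interface {lst.interface}:{lst.port} reachable from any internet source"))
        elif lst.wan_facing and lst.port in SCANNED_MGMT_PORTS:
            findings.append(("MEDIUM", f"management interface {lst.interface}:{lst.port} internet-facing, restricted to {', '.join(lst.allowed_sources)}"))
    for acct in accounts:
        if acct.password_is_default:
            findings.append(("HIGH", f"admin '{acct.name}' still uses a default credential"))
        if not acct.mfa_enabled:
            findings.append(("HIGH", f"admin '{acct.name}' has no second factor on administrative access"))
        if acct.name not in approved_admins:
            findings.append(("HIGH", f"admin '{acct.name}' is not on the approved admin list (possible unauthorized account)"))
    return findings

# Constructed sample inventory (hypothetical interfaces, documentation-range CIDR, invented account names).
SAMPLE_LISTENERS = [
    MgmtListener("wan1", 10443, True, ()),
    MgmtListener("wan1", 8443, True, ("203.0.113.0/24",)),
    MgmtListener("internal", 443, False, ()),
]
SAMPLE_ACCOUNTS = [
    AdminAccount("admin", mfa_enabled=False, password_is_default=True),
    AdminAccount("netops", mfa_enabled=True, password_is_default=False),
    AdminAccount("svc-backup2", mfa_enabled=False, password_is_default=False),
]
APPROVED_ADMINS = {"admin", "netops"}

def sample_findings():
    return audit(SAMPLE_LISTENERS, SAMPLE_ACCOUNTS, APPROVED_ADMINS)
```

Running `sample_findings()` on the constructed inventory flags the unrestricted WAN listener on 10443, the default single-factor `admin` account, and the unapproved `svc-backup2` account, while the restricted 8443 listener is reported at lower severity.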

The investigation underscores the need for strong defensive measures, including patch management for perimeter devices and maintaining credential hygiene. As AI-augmented threat activities are expected to grow, organizations must remain vigilant and proactive in their cybersecurity strategies.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
