Security News

Cybersecurity news aggregator

CRITICAL Attacks SecurityWeek

Hundreds of FortiGate Firewalls Hacked in AI-Powered Attacks: AWS

This campaign involves an AI-augmented threat actor exploiting exposed FortiGate management interfaces (ports 443, 8443, 10443, 4443) and weak credentials with single-factor authentication to gain initial access, rather than exploiting a software vulnerability [aws.amazon.com](https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/). Once inside, the actor uses AI-generated tools to extract configuration files and credentials, move laterally via techniques like DCSync and pass-the-hash, and target backup infrastructure [bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/). The primary defense is to apply fundamental security hygiene: ensure management interfaces are not exposed to the internet, enforce strong credentials with multi-factor authentication, and implement network segmentation [abit.ee](https://abit.ee/en/cybersecurity/hackers-and-attacks/fortigate-compromise-ai-hacker-amazon-threat-intelligence-cybersecurity-2026-ransomware-fortigate-dc-en).

Network Security

Threat actors relying on AI have been exploiting exposed ports and weak credentials to take over FortiGate devices.

By Ionut Arghire | February 23, 2026 (6:34 AM ET)

Over 600 Fortinet FortiGate firewall instances have been hacked in an AI-powered campaign that exploits exposed ports and weak credentials, AWS reports.

The attacks, observed between January 11 and February 18, did not target known vulnerabilities. Instead, they focused on the exploitation of exposed device configurations across globally dispersed appliances.

According to AWS, the campaign was carried out by an unsophisticated threat actor that relied on multiple commercial gen-AI services to implement known attack techniques. The hackers were seen scanning for management interfaces accessible via ports 443, 8443, 10443, and 4443, and using common credentials for initial access.

“The campaign’s targeting appears opportunistic rather than sector-specific, consistent with automated mass scanning for vulnerable appliances,” AWS notes.

In some cases, multiple FortiGate devices belonging to the same organization were compromised. AWS says that some IP clusters point either to managed service provider deployments or to large organizational networks.

Compromised devices were identified across 55 countries in Africa, Asia, Latin and North America, and Europe.

Following successful compromise, the hackers were seen leveraging open source offensive tools to extract NTLM password hashes, obtain complete domain credential databases, and move laterally through pass-the-hash/pass-the-ticket attacks.

The attackers were also seen targeting Veeam Backup & Replication servers, likely to extract additional credentials and destroy backups in preparation for ransomware attacks.
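The initial-access path described above is a configuration problem rather than a software flaw, so it can be audited from the device's own CLI dump. The script below is an added example for this page, not code from SecurityWeek, AWS or Fortinet: it parses FortiOS-style CLI text (`config` / `edit` / `set` / `next` / `end`) and flags the two weaknesses the campaign abused, management services (`allowaccess`) enabled on a WAN-role interface and administrator accounts with `two-factor` disabled or no `trusthost` restriction. `SAMPLE_CONFIG` is constructed for illustration; every interface name, address and account in it is made up.

```python
"""Audit a FortiGate CLI configuration dump for the two weaknesses the AWS
report describes: management services reachable on a WAN-facing interface,
and administrator accounts without two-factor or trusted-host restrictions.

Added example for this page; it is not code from SecurityWeek, AWS or
Fortinet. SAMPLE_CONFIG is constructed: it uses FortiOS CLI syntax
(config / edit / set / next / end) but every name and address is made up.
"""
import shlex

SAMPLE_CONFIG = """\
config system global
    set admin-sport 8443
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.5 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC redacted
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC redacted
    next
end
"""

# allowaccess values that hand an attacker a login prompt or a management API.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "fgfm"}
CLEARTEXT_SERVICES = {"http", "telnet"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    Shape: {"system interface": {"wan1": {"allowaccess": ["ping", ...]}}}.
    Tables without 'edit' rows (e.g. "system global") map straight to their
    settings; every 'set' value is kept as a list of tokens.
    """
    root = {}
    stack = [root]                       # container for the current nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)       # honours the quotes around names
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1]
        if keyword == "config":
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set":
            current[args[0]] = args[1:]
        elif keyword == "unset":
            current.pop(args[0], None)
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit(config):
    """Return findings as dicts with keys severity, object, issue."""
    findings = []
    # Port the admin GUI listens on; 443 is the default when admin-sport is absent.
    https_port = config.get("system global", {}).get("admin-sport", ["443"])[0]

    for name, iface in config.get("system interface", {}).items():
        allow = set(iface.get("allowaccess", []))
        exposed = allow & MGMT_SERVICES
        role = iface.get("role", ["undefined"])[0]
        if exposed and role == "wan":
            findings.append({"severity": "HIGH", "object": f"interface {name}",
                             "issue": f"role wan allows {sorted(exposed)}; "
                                      f"admin GUI answers on tcp/{https_port}"})
        if allow & CLEARTEXT_SERVICES:
            findings.append({"severity": "MEDIUM", "object": f"interface {name}",
                             "issue": f"cleartext management enabled: "
                                      f"{sorted(allow & CLEARTEXT_SERVICES)}"})

    for name, admin in config.get("system admin", {}).items():
        # A config dump omits defaults, so a missing two-factor line means disabled.
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append({"severity": "HIGH", "object": f"admin {name}",
                             "issue": "two-factor disabled; password alone grants login"})
        if not any(key.startswith("trusthost") for key in admin):
            findings.append({"severity": "MEDIUM", "object": f"admin {name}",
                             "issue": "no trusthost entries; login accepted from any source"})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{finding['severity']}] {finding['object']}: {finding['issue']}")
```

Run against the sample it reports `wan1` (HTTPS and SSH on a WAN-role interface, GUI on tcp/8443) and the `admin` account (no second factor, no trusted hosts) as HIGH, and `internal` for cleartext HTTP as MEDIUM; `netops` passes because it has both a FortiToken and a trusthost. The parser only sees the device's own view: a LAN-role interface behind a port forward, or a management VDOM reachable through upstream NAT, is still exposed, so confirm from outside with a scan of the ports named in the article (443, 8443, 10443, 4443) in addition to reading the config.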
According to AWS, the hackers used at least two commercial LLMs to plan the attacks, generate tools, and assist with the operation, including duration and success rate assessments.

“These plans reference academic research on offensive AI agents, suggesting the actor follows emerging literature on AI-assisted penetration testing. The AI produces technically accurate command sequences, but the actor struggles to adapt when conditions differ from the plan,” AWS notes.

On the threat actor’s infrastructure, AWS identified multiple scripts likely generated using AI, used to parse configurations, extract credentials, automate VPN connections, perform mass scanning, and aggregate results.

“The volume and variety of custom tooling would typically indicate a well-resourced development team. Instead, a single actor or very small group generated this entire toolkit through AI-assisted development,” AWS says.

The attacks, it notes, were likely mounted by a financially motivated, Russian-speaking threat actor with low-to-medium technical capability, based on the extensive reliance on AI across all operational phases.

Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
