AI-Powered Assembly Line Breaches 600+ FortiGate Devices Across 55 Countries

An attacker used commercial AI and weak creds to breach 600+ FortiGate devices across 55+ countries. The fix is boring but urgent: cut exposure, enforce MFA, and speed up detection.

Categorized in: AI News Operations
Published on: Feb 22, 2026

600+ FortiGate Devices Compromised: AI Scales Attacks Faster Than Teams Can Respond

A financially motivated actor used commercial AI services to compromise more than 600 FortiGate devices across 55+ countries between January 11 and February 18, 2026. No zero-days. No flashy exploits. Just exposed management interfaces, weak or reused credentials, and an assembly-line workflow powered by large language models.

The signal for operations teams is clear: AI is lowering the barrier to running large campaigns. Defenders don't just need better tools; they need tighter basics and faster detection loops.

What Happened

The attacker ran wide internet scans against FortiGate management interfaces and SSL-VPN portals, focusing on common ports (443, 8443, 10443, 4443). Initial access was purely credential-based, using weak or reused passwords without multi-factor authentication.

Once in, FortiGate configuration files were the jackpot. They held SSL-VPN user credentials (in recoverable form), admin accounts, network maps, IPsec peers, and firewall policies. The actor used AI-assisted Python scripts to parse and organize data, turning scattered configs into a credential and targeting library at scale.

Targeting looked opportunistic, but the patterns showed multiple devices from the same organizations, including MSP-managed clusters, being hit. Hotspots appeared in South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia.

AI as the Operational Backbone

Analysts confirmed the actor relied on at least two commercial LLM providers across all phases. One served as the "toolsmith and planner," the other as a "pivot assistant" for movement inside networks. In at least one case, the actor pasted a full victim network map (IPs, hostnames, credentials, services) into an AI service and asked for step-by-step lateral movement guidance.

The result looked like an AI-powered assembly line: fast research, quick scripting, repeatable actions. Volume over depth.

Post-Exploitation Playbook Observed

The actor deployed common offensive frameworks and attempted DCSync, abusing directory replication rights to pull the domain's password hashes (the contents of NTDS.dit) from domain controllers. At least one environment fell because a Domain Admin used a weak or reused password that was recovered from a FortiGate config. Lateral movement used pass-the-hash, pass-the-ticket, and NTLM relay.

Backup infrastructure was a priority. Veeam Backup & Replication servers were targeted with scripts and tools to position the actor to remove recovery paths ahead of potential ransomware.

Despite the breadth, the operator's ceiling showed. They consistently failed against hardened environments and moved on. Their AI-generated tooling (Go/Python) showed basic engineering pitfalls: redundant comments, naive JSON handling, empty docs.

CVEs Seen in This Campaign

  • CVE-2019-7192 - FortiOS - CVSS 9.8 - Path traversal enabling unauthenticated credential access
  • CVE-2023-27532 - Veeam Backup & Replication - CVSS 7.5 - Unauthenticated API access for credential extraction
  • CVE-2024-40711 - Veeam Backup & Replication - CVSS 9.8 - Remote Code Execution via deserialization

Indicators of Compromise

  • 212[.]11[.]64[.]250 - IPv4 - First Seen: Jan 11, 2026 - Last Seen: Feb 18, 2026 - Used for scanning and exploitation
  • 185[.]196[.]11[.]225 - IPv4 - First Seen: Jan 11, 2026 - Last Seen: Feb 18, 2026 - Used for threat operations

What Operations Teams Should Do Now

  • Shut internet exposure for FortiGate management. Limit admin access to a dedicated management network or a bastion with MFA and IP restrictions.
  • Enforce MFA on all VPN and administrative access. Block default, weak, and reused passwords with a policy and continuous checks.
  • Rotate credentials at scale: SSL-VPN users, FortiGate admin accounts, and any creds stored in device configs or backups. Treat them as compromised.
  • Audit Active Directory for DCSync activity (Event ID 4662 carrying the DS-Replication-Get-Changes rights) and unexpected replication. Investigate any account that holds replication permissions on the domain object and is not a domain controller or a known directory-sync service account.
  • Harden and patch Veeam. Restrict who can access backup servers, watch for unauthorized PowerShell module loads, and validate you're covered for the listed CVEs.
  • Monitor behaviors, not just IOCs: unusual VPN sign-ins, lateral movement patterns (e.g., pass-the-hash/ticket), DC replication from non-DC hosts, and sudden backup job changes.
  • Segment critical services. Domain Controllers and backup servers should be reachable only from tightly controlled admin segments with logging and alerts.
  • Centralize and retain logs from FortiGate, VPN, AD, and backup platforms. Build detections for failed vs. successful admin logins, config downloads, and policy changes.
  • Patch and confirm FortiOS/FortiGate and Veeam against the cited CVEs. Validate with config reviews and exposure scans.
  • If compromise is suspected: isolate affected appliances, revoke tokens/sessions, rotate secrets, review AD replication logs, and rebuild trust for impacted accounts.
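The attacker parsed stolen FortiGate config backups with AI-written Python to build a credential and targeting library. The same parsing works for the defender: audit your own config backups for the exposures listed above (management services on WAN interfaces, admins without trusted hosts, SSL-VPN local users with device-stored passwords and no two-factor, no password policy) before an attacker does. The following is an added example, not code from the article or from Fortinet; it assumes the standard FortiOS CLI backup syntax (config / edit / set / next / end) and runs against a constructed sample config whose ENC values are placeholders. It does not decode stored passwords.

```python
import shlex
from collections import Counter

# Constructed sample of a FortiOS CLI backup (not from any real device); the
# ENC values are placeholders, not real encrypted material.
SAMPLE_CONFIG = """\
config system password-policy
    set status disable
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set password ENC PLACEHOLDER0
    next
    edit "ops"
        set trusthost1 10.0.50.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKPLACEHOLDER1"
        set password ENC PLACEHOLDER2
    next
end
config user local
    edit "jdoe"
        set passwd ENC PLACEHOLDER3
    next
    edit "asmith"
        set two-factor fortitoken
        set fortitoken "FTKPLACEHOLDER4"
        set passwd ENC PLACEHOLDER5
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI syntax into nested dicts: 'config a b' opens a table,
    'edit "x"' an entry in it, 'set k v...' stores a value list, 'next'/'end'
    close the current level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif kw == "unset":
            stack[-1].pop(tokens[1], None)
        elif kw in ("next", "end"):
            stack.pop()
    return root


MGMT_SERVICES = {"http", "https", "ssh", "telnet"}


def audit_fortios_config(cfg):
    """Return (severity, message) findings for the exposures seen in this campaign."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append(("HIGH", f"interface {name} (role wan) allows {sorted(exposed)}"))
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(("HIGH", f"admin {name} has no trusthost restriction"))
        if adm.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("MEDIUM", f"admin {name} has no two-factor"))
    for name, user in cfg.get("user local", {}).items():
        # 'passwd ENC' is stored on the device in recoverable form; without
        # two-factor, a stolen backup yields a usable SSL-VPN credential.
        if "passwd" in user and user.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("MEDIUM", f"local user {name} has a device-stored password and no two-factor"))
    policy = cfg.get("system password-policy", {})
    if policy.get("status", ["disable"])[0] != "enable":
        findings.append(("MEDIUM", "system password-policy is not enabled"))
    return findings


def severity_counts(findings):
    return Counter(sev for sev, _ in findings)


if __name__ == "__main__":
    for sev, msg in audit_fortios_config(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run it against the backups you already take (the same files the attacker was after) and treat every HIGH as an internet-reachable admin surface to close, not a ticket to schedule.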

Detection Focus Areas

  • FortiGate exposure: validate no management interface is reachable from the internet. Review port usage (443, 8443, 10443, 4443) and geofencing.
  • AD replication misuse: alert on Event ID 4662 on DCs where the Properties field carries the DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcf2) or DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcf2) GUIDs and the subject is not a DC computer account or a known directory-sync service account.
  • Identity abuse: spikes in failed logins followed by success, admin logins from new locations, and sudden role changes on service accounts.
  • Backup tampering: unexpected PowerShell activity on backup servers, service restarts, encryption setting changes, and job deletions/pauses.
  • Known-tool telemetry: activity patterns associated with credential dumping and lateral movement, even if the tools are renamed.
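The DCSync detection described in the action list and in the replication-misuse bullet above, carried through on sample events. This is an added example, not code from the article; it assumes 4662 records have already been parsed into field/value pairs the way a SIEM presents them, and that you know your DC computer accounts and any service account that replicates by design (the MSOL_ account and hostnames below are invented). The GUIDs are the real control-access right identifiers. 4662 is only written when the Directory Service Access audit subcategory is on and the domain object's SACL audits control access, so confirm that before relying on this.

```python
import re
from collections import defaultdict

# Well-known control-access right GUIDs that appear in the Properties field of
# event 4662 when an account replicates directory changes (DCSync).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample: fields from 4662/4624 records as a SIEM would present
# them; the hostnames and accounts are invented.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "MSOL_3f2a9c1d",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    # Control access on the user class, not a replication right: must not fire.
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "AccessMask": "", "Properties": ""},
]


def replication_rights_used(event):
    """Names of the replication rights referenced in a 4662 event's Properties."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return sorted({REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS})


def detect_dcsync(events, dc_accounts, allowed_accounts=()):
    """Map DOMAIN\\account -> replication rights used, for every 4662 whose
    subject is neither a DC computer account nor an allowlisted sync account.

    dc_accounts: computer accounts of legitimate DCs, e.g. {"DC01$", "DC02$"}.
    allowed_accounts: accounts that replicate by design (directory sync, etc.).
    """
    dc_accounts = {a.upper() for a in dc_accounts}
    allowed = {a.upper() for a in allowed_accounts}
    hits = defaultdict(list)
    for ev in events:
        # 0x100 is the Control Access bit; replication rights are control-access rights.
        if ev.get("EventID") != 4662 or ev.get("AccessMask", "").lower() != "0x100":
            continue
        rights = replication_rights_used(ev)
        if not rights:
            continue
        subject = ev["SubjectUserName"].upper()
        if subject in dc_accounts or subject in allowed:
            continue
        hits[f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"].extend(rights)
    return {account: sorted(set(r)) for account, r in hits.items()}


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}, {"MSOL_3f2a9c1d"}).items():
        print(f"DCSync candidate: {account} used {rights}")
```

Keep the allowlist short and reviewed: every account on it is, by definition, one that can take the whole domain's hashes, which is exactly the kind of account this actor was hunting for in FortiGate configs.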

Why This Matters for Ops

AI didn't make the attacker smarter. It made them faster. At scale, average skill plus automation beats scattered defenses. The fix is boring and effective: reduce exposure, enforce MFA, watch identity flows, and protect backups like they're production.

You don't need a bigger team; you need tighter defaults and automated detection where it counts.
