Amazon Threat Intelligence observed that a Russian-speaking hacker used generative AI services to compromise over 600 FortiGate devices in 55 countries between January 11 and February 18, 2026. The attack did not exploit FortiGate vulnerabilities but targeted exposed management ports and weak, single-factor authentication, enabling a less-skilled attacker to exploit these security weaknesses widely.
The threat actor is using various commercial GenAI services to execute and expand familiar attack techniques, even with limited technical skills. Amazon Threat Intelligence shares these insights to help the security community to combat these threats.
CJ Moses, CISO of Amazon Integrated Security, said the compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions.
An AI-powered hacking campaign
The threat actor scanned for FortiGate management interfaces exposed online on ports 443, 8443, 10443, and 4443. They targeted these services opportunistically, not focusing on specific industries.
Once breached, the threat actor extracted the device’s configuration settings, which include:
SSL-VPN user credentials with recoverable passwords
Administrative credentials
Firewall policies and internal network architecture
IPsec VPN configurations
Network topology and routing information
These configuration files were then processed and decrypted using automated tools.
“Following VPN access to victim networks, the threat actor deploys a custom reconnaissance tool, with different versions written in both Go and Python,” explained Amazon.
“Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-ins with empty documentation stubs.”
“While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge cases—characteristics typical of AI-generated code used without significant refinement.”
The reconnaissance tool works by gathering information on the reachable networks, sorting them by size, checking for open ports with the gogo scanner, finding SMB hosts and domain controllers, and using Nuclei to scan for HTTP services.
The campaign also targeted Veeam Backup & Replication servers, using custom PowerShell scripts and credential-extraction tools and attempting to exploit known vulnerabilities in the product.
On one of the servers found by Amazon (212[.]11.64.250), the threat actor hosted a PowerShell script named “DecryptVeeamPasswords.ps1” that was used to target the backup application.
As Amazon explains, threat actors often target backup infrastructure before deploying ransomware to prevent the restoration of encrypted files from backups. The threat actors’ “operational notes” also contained multiple references to trying to exploit various vulnerabilities, including CVE-2019-7192 (QNAP RCE), CVE-2023-27532 (Veeam information disclosure), and CVE-2024-40711 (Veeam RCE).
The company advises FortiGate admins to avoid exposing management interfaces online, enable MFA, use different VPN passwords from Active Directory accounts, and strengthen backup systems. Recently, Google noted that cybercriminals are misusing Gemini AI in various stages of their attacks, similar to Amazon’s findings.
Indicators of compromise (IOCs)
| IOC Value | IOC Type | First Seen | Last Seen | Annotation |
|---|---|---|---|---|
| 212[.]11.64.250 | IPv4 | 1/11/2026 | 2/18/2026 | Threat actor infrastructure used for scanning and exploitation operations |
| 185[.]196.11.225 | IPv4 | 1/11/2026 | 2/18/2026 | Threat actor infrastructure used for threat operations |
InfoSecBulletin Cybersecurity for mankind
