Threat group leverages LLMs to compromise 600 FortiGate firewalls – Cyber Tech

A recent investigation posted Feb. 20 by Amazon Threat Intelligence observed a Russian-speaking, financially motivated threat actor leveraging several commercial generative AI (GenAI) services to compromise more than 600 Fortinet FortiGate firewalls across more than 55 countries.

C.J. Moses, chief information security officer at Amazon Integrated Security, said the attacks took place over five weeks, from Jan. 11 to Feb. 18, 2026.

Amazon did not observe any exploitation of FortiGate vulnerabilities, Moses noted. Instead, the campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication: basic security gaps that AI helped an unsophisticated actor exploit at scale.

“This activity is distinguished by the threat actor’s use of multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of the operations, despite their limited technical capabilities,” wrote Moses.

Damon Small, a board member at Xcape, Inc., said the Amazon report signaled a significant turning point: we have entered the age of the “automated assembly-line” cyberattack. Unlike earlier exploits that relied on specific SSO authentication bypass flaws, Small said this new Russian-speaking threat actor bypassed the need for zero-day vulnerabilities or intricate exploits.

Instead, Small said, the group leveraged commercial large language models (LLMs) as a digital “workforce,” automating the brute-force process against exposed management ports and generating sophisticated Python and Go scripts to decrypt configuration files at a scale unachievable by human operators.

“This enabled a potentially lone, low-skilled attacker to manage simultaneous global intrusions by swiftly shifting to ‘softer’ targets when encountering strong defenses,” said Small.

“For security teams, the focus should shift from the interconnectedness of these attacks to why firewall management ports are still accessible from the internet and without strong authentication.”

Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, pointed out that the campaign was not the same activity as the January wave that targeted the patched FortiGate authentication bypass vulnerability.

Krell said the reporting in January described exploitation of a specific software flaw, while the Amazon investigation described large-scale access through exposed management interfaces and weak administrative credentials without MFA: different intrusion paths, different tradecraft, operating in the same time window.

“When multiple unrelated threat actors independently choose the same target class in the same window, that’s not coincidence,” said Krell. “That’s a signal about the state of perimeter security.”

“We used to worry about nation-states deploying this level of offensive capability. Now we worry about individuals with a laptop and a credit card,” Krell continued. “Commercial AI has done for cyber offense what the internet did for fraud. It made something that required years of expertise and a skilled team available to anyone willing to subscribe.”
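As an added, defender-side example that is not from the article or from Amazon's report: a small detector run over constructed FortiGate-style admin-login event lines (the key="value" layout and the field names are assumptions, as are the sample addresses) that flags a source failing admin authentication repeatedly inside a short window and escalates the finding when that same source then logs in, which is the trace a brute-force-then-access campaign against an exposed management interface would leave in the device's event log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed FortiGate-style key="value" log layout (not log data
# from the article). One external source fails the admin password five times, then logs in;
# one internal host fails once and should not be flagged.
SAMPLE_LOGS = """\
date=2026-02-01 time=03:14:01 logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:03 logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:05 logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:06 logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:08 logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:14:10 logdesc="Admin login successful" user="admin" method="https" srcip=198.51.100.7 action="login" status="success"
date=2026-02-01 time=09:00:00 logdesc="Admin login failed" user="admin" method="https" srcip=10.0.0.5 action="login" status="failed" reason="passwd_invalid"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value / key="quoted value" log line into a dict of strings."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}

def detect_admin_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {srcip: finding} for sources with >= threshold failed admin logins inside
    a sliding window; a finding is escalated to 'compromise_suspected' when the same
    source then authenticates successfully while its failures are still in the window."""
    failures = defaultdict(list)   # srcip -> timestamps of recent failed logins
    findings = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        src = ev["srcip"]
        failures[src] = [t for t in failures[src] if ts - t <= window]  # prune old failures
        if ev.get("status") == "failed":
            failures[src].append(ts)
            if len(failures[src]) >= threshold:
                findings[src] = {"user": ev.get("user"), "failures": len(failures[src]),
                                 "severity": "bruteforce", "last_seen": ts}
        elif ev.get("status") == "success" and src in findings and failures[src]:
            findings[src]["severity"] = "compromise_suspected"  # guessed password paid off
            findings[src]["last_seen"] = ts
    return findings

if __name__ == "__main__":
    for src, finding in detect_admin_bruteforce(SAMPLE_LOGS).items():
        print(src, finding)
```

The same logic applies to any login-event stream that carries a timestamp, source address and success/failure status; only `parse_event` and the field names need changing.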
