- A Russian hacker brute-forced FortiGate firewalls using weak, commonly used credentials
- AI-generated scripts handled config analysis, reconnaissance, and lateral movement
- The campaign also targeted Veeam servers; the attacker abandoned hardened systems for easier targets
A Russian hacker was recently seen brute-forcing his way into hundreds of firewalls, but what makes this campaign really stand out is the fact that the seemingly unskilled threat actor was able to carry out the attacks with the help of Generative Artificial Intelligence (GenAI).
In a new analysis, Amazon Integrated Security CISO CJ Moses explained how researchers observed a threat actor “systematically” scanning FortiGate management interfaces exposed on ports 443, 8443, 10443, and 4443.
After finding a potential target, they brute-forced their way through, trying countless combinations of weak and commonly used credentials, until one worked.
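A defender's counterpart to the scanning and password guessing described above, as an added example that is not part of the original article or of Amazon's analysis: a small Python detector that reads FortiOS-style administrative login events, groups failed logins by source address, flags any source that exceeds a threshold of failures inside a sliding window, and then flags the subsequent successful login from that same source, which is the "until one worked" moment. The log lines are constructed for this example; they imitate the FortiOS key=value event-log layout (logdesc, user, srcip, dstport, status) but the exact field names and log IDs are assumptions that should be checked against your own FortiGate's output before deploying anything like this.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS-style key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def make_line(time, logdesc, user, srcip, dstport, status):
    """Build one constructed log line in FortiOS event-log style.
    Synthetic data: the field names and log IDs are assumptions, not captured output."""
    logid = "0100032001" if status == "success" else "0100032002"
    return (f'date=2026-01-12 time={time} logid="{logid}" type="event" subtype="system" '
            f'logdesc="{logdesc}" user="{user}" ui="https({srcip})" srcip={srcip} '
            f'dstport={dstport} action="login" status="{status}"')


SAMPLE_LOGS = [
    # Constructed: one source hammering a management port with weak credentials, then succeeding.
    make_line("03:14:01", "Admin login failed", "admin", "203.0.113.7", 10443, "failed"),
    make_line("03:14:03", "Admin login failed", "admin", "203.0.113.7", 10443, "failed"),
    make_line("03:14:05", "Admin login failed", "fortinet", "203.0.113.7", 10443, "failed"),
    make_line("03:14:08", "Admin login failed", "administrator", "203.0.113.7", 10443, "failed"),
    make_line("03:14:10", "Admin login failed", "admin", "203.0.113.7", 10443, "failed"),
    make_line("03:14:12", "Admin login failed", "admin", "203.0.113.7", 10443, "failed"),
    make_line("03:14:15", "Admin login successful", "admin", "203.0.113.7", 10443, "success"),
    # Constructed: a legitimate administrator mistyping once from a corporate address.
    make_line("08:02:44", "Admin login failed", "jdoe", "198.51.100.5", 443, "failed"),
    make_line("08:02:59", "Admin login successful", "jdoe", "198.51.100.5", 443, "success"),
]


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings.

    A 'bruteforce' finding is emitted once per source address whose failed
    admin logins reach `threshold` inside the sliding `window`; a
    'success_after_bruteforce' finding is emitted if that source later logs in."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event.get("action") != "login":
            continue
        ts = datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")
        by_src[event["srcip"]].append((ts, event))

    findings = []
    for srcip, events in by_src.items():
        events.sort(key=lambda item: item[0])
        recent = []           # timestamps of failures still inside the window
        users_tried = set()   # distinct usernames guessed from this source
        flagged = False
        for ts, event in events:
            if event["status"] == "failed":
                recent.append(ts)
                users_tried.add(event["user"])
                while ts - recent[0] > window:   # expire old failures
                    recent.pop(0)
                if not flagged and len(recent) >= threshold:
                    flagged = True
                    findings.append({
                        "type": "bruteforce", "srcip": srcip, "dstport": event["dstport"],
                        "failures": len(recent), "distinct_users": len(users_tried),
                        "first_seen": recent[0], "last_seen": ts,
                    })
            elif event["status"] == "success" and flagged:
                findings.append({
                    "type": "success_after_bruteforce", "srcip": srcip,
                    "user": event["user"], "time": ts,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOGS):
        print(finding)
```

The second finding is the one worth paging someone for: a burst of failures followed by a success from the same address on a management port is exactly the sequence this campaign relied on, and it is far more specific than a raw failure count, which a misconfigured monitoring probe can also produce.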
A little rough around the edges
Once inside, the hacker extracted entire device configuration files (SSL-VPN user credentials with recoverable passwords, administrative credentials, firewall policies and internal network architecture, and more) and analyzed, decrypted, and organized them using AI-generated Python scripts.
They then used the recovered VPN credentials to connect to internal networks, deployed custom AI-generated reconnaissance tools (written in Go and Python), and moved laterally toward Active Directory.
“Source code analysis reveals clear indicators of AI-assisted development: redundant comments that simply restate function names, simplistic architecture with a disproportionate investment in formatting over functionality, naive JSON parsing using string matching instead of proper deserialization, and support adjustments for embedded languages with empty documentation stubs,” Moses said.
“While functional for the threat actor’s specific use case, the tool lacks robustness and fails in edge cases, typical characteristics of AI-generated code used without significant refinement.”
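To make the "string matching instead of proper deserialization" point concrete, here is an added illustration (not code from the attacker's tooling or from Amazon's report) that sets a naive substring-based field extractor beside one built on json.loads and runs both over constructed inputs: a whitespace variation, an escaped quote inside the value, and a nested object that carries the same key. The happy-path input works for both; every other case diverges.

```python
import json


def naive_get(blob, key):
    """String-matching 'parser' of the kind the quote describes: find "key":"
    and read up to the next double quote. Works only on the exact layout it was
    written against; whitespace, escapes and nesting all break it."""
    marker = f'"{key}":"'
    start = blob.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = blob.find('"', start)
    return blob[start:] if end == -1 else blob[start:end]


def proper_get(blob, key):
    """Proper deserialization: parse the document, then read the top-level key."""
    return json.loads(blob).get(key)


def compare(blob, key="token"):
    """Return (naive result, proper result) for one input."""
    return naive_get(blob, key), proper_get(blob, key)


# Constructed inputs, one per edge case.
CASES = [
    '{"token":"abc123"}',                               # happy path: both agree
    '{"token": "abc123"}',                              # a space after the colon: naive finds nothing
    '{"token":"ab\\"c"}',                               # escaped quote: naive truncates at the backslash
    '{"data":{"token":"inner"},"token":"outer"}',       # nested key: naive returns the wrong one
]

if __name__ == "__main__":
    for case in CASES:
        print(case, "->", compare(case))
```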
The attacker also specifically targeted Veeam Backup & Replication servers, deploying credential extraction tools and attempting to exploit known Veeam vulnerabilities.
All of this took place within a span of a few weeks, between January 11 and February 18, 2026. Researchers assess the attacker as relatively unskilled: throughout the campaign they attempted to exploit several known CVEs but largely failed wherever targets were patched or hardened, and they repeatedly abandoned well-protected environments in favor of easier targets.
Via BleepingComputer