// TEMPLARSEC //
[ 2026-02-21 ] -- /posts/ai-assisted-hacker-fortigate

AI-Assisted Hacker Breaches 600+ FortiGate Firewalls

A Russian-speaking hacker leveraged multiple generative AI services in a campaign that compromised over 600 FortiGate firewalls across 55 countries between January 11 and February 18, 2026.

The Threat

The attacker targeted exposed management interfaces and weak credentials lacking multi-factor authentication (MFA). Instead of exploiting zero-day vulnerabilities, the hacker employed brute-force attacks with common passwords. After gaining access, the attacker used AI to automate access to other devices within the breached network. This incident demonstrates the increasing accessibility and impact of AI-augmented cyber threats.

Impact

Compromised FortiGate devices were observed across various regions, including South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia. Once a firewall was breached, the attacker extracted configuration settings, including:

  • SSL-VPN user credentials with recoverable passwords
  • Administrative credentials
  • Firewall policies and internal network architecture
  • IPsec VPN configurations
  • Network topology and routing information

The extracted configuration files were then parsed and decrypted using AI-assisted Python and Go tools. Following VPN access, a custom reconnaissance tool was deployed to gather further information. This access could lead to significant data exposure, unauthorized network access, lateral movement, and potential ransomware attacks.

Remediation

To mitigate the risk of similar attacks, TemplarSec recommends the following actions:

  • Enforce Multi-Factor Authentication (MFA): Implement MFA for all user accounts, especially those with administrative privileges.
  • Strengthen Passwords: Enforce strong password policies and regularly audit user accounts for weak or default credentials.
  • Limit Exposure of Management Interfaces: Ensure FortiGate management interfaces are not directly exposed to the internet. If remote access is necessary, use a VPN with MFA.
  • Keep Systems Updated: Regularly patch FortiGate devices with the latest security updates to address known vulnerabilities.
  • Monitor for Suspicious Activity: Implement network monitoring and intrusion detection systems to identify and respond to suspicious activity.
  • Review Firewall Configurations: Regularly review firewall configurations to ensure they adhere to security best practices and restrict unnecessary access.
  • Disable FortiCloud SSO Login: Consider temporarily disabling the FortiCloud Single Sign-On (SSO) login feature on FortiGate devices as a precaution.
  • Change Default Passwords: Change any default passwords immediately.
  • Assume Hashed Credentials are Compromised: If malicious logins are detected, assume hashed firewall credentials have been compromised and reset them immediately.

Source: BleepingComputer

[ BACK TO BLOG ]