

Ethical Hacking News

AI-Assisted Hacker Breaches 600 Fortinet Firewalls in Five Weeks: A Glimpse into the Dark Side of Commercial AI Services



A sophisticated cyberattack was carried out by an AI-assisted hacker who breached over 600 Fortinet firewalls across 55 countries in just five weeks. The attack highlights the growing threat posed by commercial AI services being used by threat actors to carry out complex attacks.

  • Over 600 Fortinet firewalls across 55 countries were breached by an AI-assisted hacker.
  • The attack used multiple generative AI services to automate access to other devices on the breached network.
  • The threat actor targeted exposed management interfaces and weak credentials without relying on exploits.
  • The breach occurred between January 11 and February 18, 2026, across various regions.
  • The attackers used AI-powered tools to parse and decrypt configuration files and extract sensitive information.
  • The attack was opportunistic, using brute-force attacks with common passwords to gain access.
  • The attack highlights the growing threat posed by commercial AI services being used by threat actors.
  • Amazon recommends several precautions to prevent similar breaches, including securing management interfaces and VPN passwords.


    Amazon has issued a warning about a sophisticated cyberattack that was carried out by an AI-assisted hacker, who successfully breached over 600 Fortinet firewalls across 55 countries in just five weeks. The attack, which was discovered by Amazon's integrated security team, involved the use of multiple generative AI services to automate access to other devices on the breached network.

    According to a recent report by CJ Moses, CISO of Amazon Integrated Security, the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls. Instead, the threat actor targeted exposed management interfaces and weak credentials that lacked MFA protection, then used AI to help automate access to other devices on the breached network.

    The report reveals that the compromised firewalls were observed across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, and Southeast Asia, among other regions. The attacker used multiple language model providers throughout the campaign to generate step-by-step attack methodologies, develop custom scripts in multiple programming languages, create reconnaissance frameworks, plan lateral movement strategies, draft operational documentation, and more.

    The attackers reportedly submitted a full internal victim network topology, including IP addresses, hostnames, credentials, and known services, to an AI service and asked for help spreading further into the network. They also used AI-assisted Python and Go tools to parse and decrypt configuration files, which included SSL-VPN user credentials with recoverable passwords, administrative credentials, firewall policies and internal network architecture, IPsec VPN configurations, network topology and routing information.

    The attack was opportunistic: the attacker used brute-force attacks with common passwords to gain access to devices. Once a device was breached, the threat actor extracted its configuration, which included SSL-VPN user credentials, administrative credentials, firewall policies, and internal network architecture.

    However, the attack was not without its limitations. The attackers' tools were found to be functional but lacking robustness and failed under edge cases, characteristic of AI-generated code used without significant refinement. Additionally, the attackers repeatedly failed when attempting to breach patched or locked-down systems, and instead moved on to easier targets.

    The report highlights the growing threat posed by commercial AI services being used by threat actors to carry out sophisticated attacks that would normally be outside their skill set. The use of these services can amplify an attacker's capabilities and make it more difficult for defenders to detect and respond to attacks.

    Amazon recommends that FortiGate admins take several precautions to prevent similar breaches, including not exposing management interfaces to the internet, ensuring MFA is enabled, ensuring VPN passwords are not the same as those for Active Directory accounts, and hardening backup infrastructure. The company also emphasizes the need for organizations to stay vigilant in monitoring their networks for suspicious activity.

    The recent attack serves as a reminder of the importance of staying ahead of emerging threats in the rapidly evolving landscape of cyberattacks. As threat actors continue to exploit vulnerabilities in commercial AI services, it is essential for defenders to develop and implement robust security measures to prevent similar breaches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ai-Assisted-Hacker-Breach-600-Fortinet-Firewalls-in-Five-Weeks-A-Glimpse-into-the-Dark-Side-of-Commercial-AI-Services-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/

  • https://deep-mindset.hashnode.dev/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks

  • https://www.techinasia.com/news/amazon-flags-rise-of-ai-driven-cyber-attacks-after-600-breaches


  • Published: Sat Feb 21 11:00:16 2026 by llama3.2 3B Q4_K_M












