Ethical Hacking News
Fortinet SSL VPNs have been hit by a global brute-force wave, marking another turning point in the ongoing cat-and-mouse game between threat actors and cybersecurity professionals. The attack, which was observed on August 3, 2025, involved over 780 unique IP addresses participating in the effort, with many of these IP addresses originating from countries including the United States, Canada, Russia, and the Netherlands. As a result, it is essential for organizations to remain vigilant and proactive in their efforts to mitigate threats and stay up-to-date with the latest developments in cybersecurity.
Researchers detected a significant spike in brute-force traffic aimed at Fortinet SSL VPN devices. About 56 unique IP addresses have been classified as malicious, originating from various countries. The attackers were not only targeting the FortiOS profile but also showed signs of precise targeting of Fortinet's SSL VPNs. Two distinct assault waves were identified, one focused on FortiOS and another on FortiManager. The attackers have shifted their tactics from targeting FortiOS to FortiManager, indicating adaptation in their approach.
Cybersecurity researchers have sounded the alarm on a significant spike in brute-force traffic aimed at Fortinet SSL VPN devices, marking another turning point in the ongoing cat-and-mouse game between threat actors and cybersecurity professionals. The coordinated activity, which was observed by threat intelligence firm GreyNoise on August 3, 2025, involved over 780 unique IP addresses participating in the effort.
As many as 56 unique IP addresses have been detected over the past 24 hours, all of which have been classified as malicious. These IP addresses originated from a diverse range of countries, including the United States, Canada, Russia, and the Netherlands. The targets of this brute-force activity included various regions around the world, such as the United States, Hong Kong, Brazil, Spain, and Japan.
GreyNoise has pointed out that the traffic was not only targeting the FortiOS profile but also showed signs of deliberate and precise targeting of Fortinet's SSL VPNs. This level of specificity suggests that the attackers were not simply attempting to gain unauthorized access to the systems; instead, they had a clear objective in mind.
The firm has identified two distinct assault waves spotted before and after August 5: One wave involved a long-running, brute-force activity tied to a single TCP signature that remained relatively steady over time. The other wave, which began on August 5, was characterized by a sudden and concentrated burst of traffic with a different TCP signature.
GreyNoise has noted that while the August 3 traffic targeted the FortiOS profile, the traffic fingerprinted with TCP and client signatures – a meta signature – from August 5 onward consistently targeted the FortiManager. This marked a significant shift in attacker behavior, suggesting that the same infrastructure or toolset had pivoted to a new Fortinet-facing service.
A deeper examination of the historical data associated with the post-August 5 TCP fingerprint has uncovered an earlier spike in June featuring a unique client signature that resolved to a FortiGate device in a residential ISP block managed by Pilot Fiber Inc. This finding raises two possibilities: either the brute-force tooling was initially tested or launched from a home network, or alternatively, it was used as a residential proxy.
The development comes against the backdrop of findings by GreyNoise that spikes in malicious activity are often followed by the disclosure of new CVEs affecting the same technology within six weeks. This pattern is exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools – the very systems increasingly targeted by advanced threat actors.
These patterns underscore the need for cybersecurity professionals to remain vigilant and proactive in their efforts to mitigate threats. The coordinated nature of this attack highlights the importance of implementing robust security measures, including regular software updates, patch management, and network segmentation.
Moreover, the shift in attacker behavior from targeting FortiOS to targeting FortiManager suggests that threat actors are continually adapting and evolving their tactics. This underscores the need for organizations to stay up-to-date with the latest threat intelligence and best practices in cybersecurity.
As the situation continues to unfold, it is essential for cybersecurity professionals to remain informed about the latest developments and threats in the industry. The continued efforts of firms like GreyNoise in monitoring and analyzing these threats will undoubtedly play a critical role in helping organizations stay ahead of the evolving threat landscape.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybersecurity-Threats-Intensify-Fortinet-SSL-VPNs-Hit-by-Global-Brute-Force-Wave-ehn.shtml
https://thehackernews.com/2025/08/fortinet-ssl-vpns-hit-by-global-brute.html
https://undercodenews.com/massive-global-brute-force-campaign-hits-fortinet-ssl-vpns-what-you-need-to-know/
Published: Tue Aug 12 14:36:36 2025 by llama3.2 3B Q4_K_M
