Russian group uses AI to exploit weakly-protected Fortinet firewalls, says Amazon

https://www.csoonline.com/article/4136198/russian-group-uses-ai-to-exploit-weakly-protected-fortinet-firewalls-says-amazon.html

Publish Date: 2026-02-23 22:50:00

Source Domain: www.csoonline.com

After stealing admin credentials, firewall policies, network topology, and routing information, as well as IPsec VPN peer configurations, the threat actor used AI-assisted Python scripts to parse, decrypt, and organize these stolen configurations.

After gaining VPN access to victim networks, Amazon says the threat actor deploys a custom network reconnaissance tool, with different versions written in both Go and Python. Analysis of the source code reveals clear indicators of AI-assisted development, such as redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-ins with empty documentation stubs. While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge cases, characteristics that Amazon says are typical of AI-generated code used without significant refinement.
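The "naive JSON parsing via string matching" tell is easiest to recognise in code review when you see it next to a proper deserializer. The following is an added illustration, not code from the report or from the actor's tooling: a string-matching field extractor of the kind described, alongside `json.loads`, run over constructed inputs that expose the edge cases where the naive version silently returns the wrong value (escaped quotes inside a value, non-string values, and whitespace around the colon).

```python
import json

# Constructed sample payloads (not taken from any real tool or capture).
ESCAPED_QUOTE = '{"host": "10.0.0.1", "note": "say \\"hi\\""}'   # value contains \"
NUMERIC_FIRST = '{"port": 443, "host": "10.0.0.1"}'              # non-string value
SPACED_COLON  = '{"host" : "10.0.0.1"}'                          # legal JSON whitespace


def naive_get(raw: str, key: str):
    """String-matching 'parser': look for '"key":' and slice to the next quote.
    This is the pattern the analysis calls out; it has no notion of JSON grammar."""
    marker = f'"{key}":'
    i = raw.find(marker)
    if i == -1:
        return None
    start = raw.find('"', i + len(marker)) + 1   # first quote after the marker
    end = raw.find('"', start)                   # next quote, escaped or not
    return raw[start:end]


def proper_get(raw: str, key: str):
    """Real deserialization: the grammar handles escapes, types and whitespace."""
    return json.loads(raw).get(key)


def compare(raw: str, key: str):
    """Return (naive_result, proper_result) so the two can be checked side by side."""
    return naive_get(raw, key), proper_get(raw, key)


if __name__ == "__main__":
    for label, raw, key in (
        ("escaped quote", ESCAPED_QUOTE, "note"),
        ("numeric field", NUMERIC_FIRST, "port"),
        ("spaced colon", SPACED_COLON, "host"),
    ):
        naive, proper = compare(raw, key)
        print(f"{label:14} naive={naive!r:14} proper={proper!r}")
```

The numeric case is the instructive one for a reviewer: the string matcher does not fail loudly, it returns the name of a neighbouring key as if it were the value, which is exactly the kind of silent edge-case failure the analysis describes.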

Recommendations

The Amazon report makes a number of recommendations to network admins with FortiGate devices. They include ensuring device management interfaces aren’t exposed to the internet or, if they have to be, restricting access to known IP ranges and using a bastion host or out-of-band management network. As basic cybersecurity demands, all default and common credentials for FortiGate appliances should be changed. Admins should ensure multifactor authentication is implemented for all admin and VPN access, and make sure there is no password reuse between FortiGate VPN credentials and Active Directory domain accounts.
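The first three recommendations above can be checked against an exported FortiGate configuration rather than by clicking through the GUI. The script below is an added example, not part of the Amazon report or any Fortinet tooling. It parses the `config` / `edit` / `set` / `next` / `end` layout of a FortiOS CLI export and flags three conditions: management protocols enabled via `allowaccess` on an interface whose `role` is `wan`, admin accounts with no `trusthost` restriction, and admin accounts without `two-factor` configured. Those keywords are the FortiOS CLI names as I know them (an assumption to verify against your firmware's reference); the configuration text is constructed for the example, and a real export will contain many more sections and nested blocks, which the parser skips.

```python
from collections import defaultdict

# Constructed FortiOS-style export (not from any real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set two-factor fortitoken
    next
    edit "backupadmin"
        set accprofile "super_admin"
    next
end
"""

# allowaccess values that expose a management or control-plane service
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}


def parse_fortios(text):
    """Parse the export into {section: {entry_name: {key: [values]}}}.
    Only top-level sections are recorded; config blocks nested inside an
    'edit' (depth > 1) are skipped. Quoted values with spaces are split."""
    tree = defaultdict(dict)
    stack = []        # open 'config' section names
    current = None    # (section, entry) of the 'edit' being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and len(stack) == 1:
            name = line[len("edit "):].strip('"')
            current = (stack[0], name)
            tree[stack[0]][name] = {}
        elif line == "next" and len(stack) == 1:
            current = None
        elif line.startswith("set ") and current and len(stack) == 1:
            key, _, rest = line[len("set "):].partition(" ")
            tree[current[0]][current[1]][key] = [v.strip('"') for v in rest.split()]
    return tree


def audit(tree):
    """Return a list of human-readable findings for the three checks."""
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: management access "
                            f"({', '.join(sorted(exposed))}) enabled on a WAN-role interface")
    for name, admin in tree.get("system admin", {}).items():
        hosts = [v for k, v in admin.items() if k.startswith("trusthost")]
        # no trusthost lines, or only the 0.0.0.0/0.0.0.0 default, means any source IP
        if not hosts or all(h[:2] == ["0.0.0.0", "0.0.0.0"] for h in hosts):
            findings.append(f"admin {name}: no trusted-host restriction "
                            "(logins accepted from any source IP)")
        if admin.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor authentication not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

On the sample this reports `port1` (HTTPS and SSH on a WAN-role interface) and two findings for `backupadmin`, while `admin` on the LAN-scoped trusted host with a FortiToken passes. Credential reuse with Active Directory, the fourth recommendation, is not visible in a firewall export and has to be checked on the identity side.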
