惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
P
Privacy International News Feed
博客园_首页
Hugging Face - Blog
Hugging Face - Blog
A
About on SuperTechFans
量子位
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
雷峰网
雷峰网
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
V2EX
Recent Announcements
Recent Announcements
博客园 - 叶小钗
B
Blog RSS Feed
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
C
Check Point Blog
N
Netflix TechBlog - Medium
Y
Y Combinator Blog
P
Proofpoint News Feed
T
The Blog of Author Tim Ferriss
D
DataBreaches.Net
月光博客
月光博客
Engineering at Meta
Engineering at Meta
博客园 - 【当耐特】
Martin Fowler
Martin Fowler
小众软件
小众软件
博客园 - 司徒正美
大猫的无限游戏
大猫的无限游戏
爱范儿
爱范儿
M
MIT News - Artificial intelligence
G
Google Developers Blog
MyScale Blog
MyScale Blog
Google DeepMind News
Google DeepMind News
D
Docker
有赞技术团队
有赞技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
V
Visual Studio Blog
Recorded Future
Recorded Future
I
InfoQ
T
Tailwind CSS Blog
MongoDB | Blog
MongoDB | Blog
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
美团技术团队
Vercel News
Vercel News
GbyAI
GbyAI
aimingoo的专栏
aimingoo的专栏
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
WordPress大学
WordPress大学

www.infosecurity-magazine.com

Just Three Ransomware Gangs Accounted for 40% of Attacks Last Month Google Chrome Rolls Out Protection Against Infostealers Targeting Session Cookies STX RAT Targets Finance Sector With Advanced Stealth Tactics Bitcoin Depot Reports $3.6m Crypto Theft After System Breach Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group Governance Gaps Emerge as AI Agents Drive 76% Increase in NHIs Google Warns of New Threat Group Targeting BPOs and Helpdesks Google API Keys Quietly Gain Access to Gemini on Android Devices Critical Vulnerability in Ninja Forms Exposes WordPress Sites Anthropic Launches Project Glasswing to Use AI to Find and Fix Critical Software Vulnerabilities US Thwarts DNS Hijacking Network Controlled by Russian APT28 Hackers Claude Discovers Apache ActiveMQ Bug Hidden for 13 Years Iran‑Backed Threat Actors Hit US CNI Providers via Internet‑Facing OT Assets Russian APT28 Hackers Hijack Routers to Steal Credentials, UK Security Agency Warns GPU Rowhammer Attack Enables Privilege Escalation and Full System Compromise GrafanaGhost Exploit Bypasses AI Guardrails for Silent Data Exfiltration Over $17bn Lost to Cyber Fraud in the Last Year, Warns FBI Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited New Phishing Platform Used in Credential Theft Campaigns Against C-Suite Execs New 'Storm' Infostealer Remotely Decrypts Stolen Credentials NCSC Issues Security Alert Over Hackers Targeting WhatsApp and Signal Accounts Apple Expands iOS 18 Security Updates Amid DarkSword Threat Researchers Observe Sub-One-Hour Ransomware Attacks GitHub Used as Covert Channel in Multi-Stage Malware Campaign Most CNI Firms Face Up to £5m in Downtime from OT Attacks Google Introduces Android Dev Verification Amid Openness Debate New Venom Stealer MaaS Platform Automates Continuous Data Theft Chinese Hackers Target European Governments in Espionage Campaigns Eight in 10 UK Manufacturers Hit by Cyber Incident in a Year Hackers Hijack Axios npm Package to Spread RATs Maryland Man Charged Over $53m Uranium Finance Crypto Hack Phantom Project Bundles Infostealer, Crypter and RAT For Sale ChatGPT Security Issue Enabled Data Theft via Single Prompt TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets Employee Data Breaches Surge to Seven-Year High NCSC Urges Immediate Patching of F5 BIG-IP Bug Cybercriminals Exploit Tax Season With New Phishing Tactics Lloyds IT Glitch Exposed Data of Nearly 500,000 Banking Customers DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection Critical Citrix NetScaler Vulnerability Exploited in the Wild ICO Fines UK Nuisance Call Scammers £100,000 European Commission Confirms Cloud Data Breach New Wave of AiTM Phishing Targets TikTok for Business TeamPCP Targets Telnyx Package in Latest PyPI Software Supply Chain Attack Quantum Computing Threat to Encryption Is Closer Than Expected, Warns Google UK Cracks Down on Chinese Crypto Marketplace for Funding Southeast Asia Scam Hubs Security Researchers Sound the Alarm on Vulnerabilities in AI-Generated Code Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds EtherRAT Techniques Bypass Security Via Ethereum Smart Contracts AI Becomes the Top Cybersecurity Priority for Defenders as Criminals Exploit It, PwC Warns OpenAI Expands Bug Bounty to Cover AI Abuse and 'Safety' Concerns Iran-Linked Pay2Key Ransomware Group Re-Emerges Invoice Fraud Costs UK Construction Sector Millions, NCA Warns Cloud Phones Linked to Rising Financial Fraud Threat Hackers Exploit Compromised Enterprise Identities at Industrial Scale, Warns SentinelOne US: FCC Bans Foreign-Made Routers Over National Security Concerns TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise Experts Sound Alarm Over “Prompt Poaching” Browser Extensions Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown RSA Conference: UK NCSC Head Urges Industry to Develop Vibe Coding Safeguards Silver Fox Cyber Campaigns Show Shift Toward Dual Espionage Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware Former Ukrainian Foreign Minister Dmytro Kuleba to Address the New Cyber Frontline at Infosecurity Europe Enterprise Cybersecurity Software Fails 20% of the Time, Warns Absolute Security Russian Initial Access Broker Handed 81-Month Sentence Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals Most Cybersecurity Staff Don’t Know How Fast They Could Stop a Cyber-Attack on AI Systems Tycoon2FA Phishing Service Resumes Activity Post-Takedown High-Tech Sector Overtakes Finance as Top Target for Cyber-Attacks, Mandiant Reports Trivy Supply Chain Attack Expands With New Compromised Docker Images CISA Orders US Government to Patch Maximum Severity Cisco Flaw Operation Alice Takes Down 370,000+ Dark Web Sites Hackers Exploit Critical Langflow Bug in Just 20 Hours NCA Boss Warns That Teens Are Being “Radicalized” Into Cybercrime Online Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation Financial Brands Targeted in Global Mobile Banking Malware Surge FCA Updates Cyber Incident and Third-Party Reporting Rules AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs New Ubuntu Flaw Enables Local Attackers to Gain Root Access Crypto Scam "ShieldGuard" Dismantled After Malware Discovery AI-Enabled Adversaries Compress Time-to-Exploit Following Vulnerability Disclosure Vidar Stealer 2.0 Exploits GitHub, Reddit to Deliver Malware via Fake Game Cheats AI Issues Will Drive Half of Incident Response Efforts by 2028, Says Gartner Android OS-Level Attack Bypasses Mobile Payment Security 'CursorJack’ Attack Path Exposes Code Execution Risk in AI Development Environment Surge in Nation State Attacks on UK Firms Amid Cyber Warfare Fears Aeternum Botnet Shifts Command Control to Polygon Blockchain Leading Semiconductor Supplier Advantest Hit by Ransomware Attack Remcos RAT Expands Real-Time Surveillance Capabilities SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks, NCSC Boss Warns Google Warns of In the Wild Exploit as It Patches New Chrome Zero Day Phorpiex Phishing Delivers Low-Noise Global Group Ransomware BridgePay Confirms Ransomware Attack, No Card Data Compromised New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability Labyrinth Chollima Evolves into Three North Korean Hacking Groups Google Disrupts Extensive Residential Proxy Networks
Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls
2026-02-23 · via www.infosecurity-magazine.com

A low-skilled cyber threat actor has been observed leveraging several generative AI (GenAI) tools to deploy a malicious campaign aimed at compromising Fortinet’s FortiGate firewall appliances.

In an Amazon Web Services (AWS) Security blog published on February 20, CJ Moses, CISO of Amazon Integrated Security, shared findings about the campaign.

Amazon Threat Intelligence assessed that the attacker was a Russian-speaking, financially motivated threat actor with limited technical capabilities.

The threat actor used multiple commercial GenAI services to implement and scale well-known attack techniques throughout every phase of their operation.

AWS assessed the campaign ran from January 11 to February 18, 2026, and compromised over 600 FortiGate devices across more than 55 countries.

Amazon Threat Intelligence noted that AWS infrastructure was not involved in this campaign and that no exploitation of FortiGate vulnerabilities was observed.

FortiGate Compromise: Attack Workflow Explained

This campaign was deemed opportunistic rather than targeted.

The threat actor scanned FortiGate management interfaces exposed to the internet and tried gaining access to them using commonly reused credentials.

They developed AI-assisted Python scripts to parse, decrypt and organize these stolen configurations.

Once VPN access to victim networks was gained, the threat actor deployed a custom reconnaissance tool, also likely developed with the use of AI services, with different versions written in both Go and Python.

Indicators of AI involvement in this tool included redundant comments that merely restate function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization and compatibility shims for language built-ins with empty documentation stubs.

“While functional for the threat actor’s specific use case, the tooling lacks robustness and fails under edge cases – characteristics typical of AI-generated code used without significant refinement,” Moses noted.

The post-VPN reconnaissance access tool workflow performed tasks such as ingesting target networks from VPN routing tables, classifying networks by size, running service discovery using gogo, an open-source port scanner, automatically identifying SMB hosts and domain controllers and integrating vulnerability scanning using Nuclei, an open-source vulnerability scanner, against discovered HTTP services to produce prioritized target lists.

Once inside victim networks, the threat actor followed a standard approach leveraging well-known open-source offensive tools, including:

  1. Domain compromise using Meterpreter, an open-source post-exploitation toolkit, with the Mimikatz module to perform DCSync attacks against domain controllers, allowing the actor to extract NTLM password hashes from Active Directory
  2. Lateral movement by attempting to expand access through pass-the-hash/pass-the-ticket attacks against additional infrastructure, NTLM relay attacks using standard poisoning tools and remote command execution on Windows hosts
  3. Backup infrastructure targeting by deploying multiple tools for extracting credentials, including PowerShell scripts, compiled decryption tools and exploitation attempts leveraging known vulnerabilities in Veeam Backup & Replication servers
  4. Limited exploitation success (e.g. CVE-2019-7192, CVE-2023-27532, CVE-2024-40711)

“However, a critical finding from this analysis is that the threat actor largely failed when attempting to exploit anything beyond the most straightforward, automated attack paths. Their own documentation records repeated failures: targeted services were patched, required ports were closed, vulnerabilities didn’t apply to the target OS versions,” Moses wrote.

Threat Actor’s Multifaceted Use of GenAI

The Amazon Threat Intelligence analysis revealed that the actor used at least two distinct commercial large language model (LLM) providers throughout their operations.

It used AI for multiple tasks, including:

  • Attack planning: generate comprehensive attack methodologies complete with step-by-step exploitation instructions, expected success rates, time estimates and prioritized task trees
  • Multi-model operational workflow: for instance, one model served as the primary tool developer, attack planner, and operational assistant, while a second is used as a supplementary attack planner when the actor needs help pivoting within a specific compromised network
  • Compromise planning tool: in one observed instance, the actor submitted the complete internal topology of an active victim (IP addresses, hostnames, confirmed credentials, and identified services) and requested a step-by-step plan to compromise additional systems they could not access with their existing tools
  • Infrastructure building: beyond the reconnaissance framework, the actor’s infrastructure contains numerous scripts in multiple programming languages bearing hallmarks of AI generation, including configuration parsers, credential extraction tools, VPN connection automation, mass scanning orchestration and result aggregation dashboards

Amazon Threat Intelligence said it expects cybercriminals with low-to-medium skill levels to continue leveraging commercial AI tools for malicious purposes in 2026.

“Strong defensive fundamentals remain the most effective countermeasure: patch management for perimeter devices, credential hygiene, network segmentation and robust detection for post-exploitation indicators,” outlined Moses.

The AWS Security blog also provided defenders with a long list of mitigation recommendations built around four pillars: FortiGate appliance audit, credential hygiene, post-exploitation detection and backup infrastructure hardening.

Read now: Low-Skilled Cybercriminals Use AI to Perform "Vibe Extortion" Attacks