- Russian hacker brute-forces FortiGate firewalls using weak credentials
- AI-generated scripts enabled data parsing, reconnaissance and lateral movement
- The campaign also targeted Veeam servers; the attacker moved on from hardened systems to easier targets
A Russian hacker was recently seen brute-forcing their way into hundreds of firewalls – but what makes this campaign really stand out is the fact that the apparently low-skilled threat actor was able to pull off the attacks using Generative Artificial Intelligence (GenAI).
In a new analysis, Amazon Integrated Security CISO CJ Moses explained how researchers observed a threat actor “systematically” scanning for exposed FortiGate management interfaces across ports 443, 8443, 10443 and 4443.
After finding a potential target, they forced their way in, trying countless combinations of commonly used and weak credentials until one worked.
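As an added defender-side example (not code from the report or this article), the following Python flags the pattern just described: bursts of failed logins against FortiGate management ports from one source address, and whether a later login from the same source succeeded. The log lines and field names are constructed and only approximate FortiGate's key=value event-log style; the exact field names are an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MGMT_PORTS = {443, 8443, 10443, 4443}  # management ports named in the report
# Constructed sample lines, not real device output. Field names approximate
# FortiGate's key=value event-log style; the exact names are an assumption.
SAMPLE_LOGS = """\
date=2026-01-12 time=03:10:01 action="login" status="failed" user="admin" srcip=203.0.113.10 dstport=8443
date=2026-01-12 time=03:10:03 action="login" status="failed" user="admin" srcip=203.0.113.10 dstport=8443
date=2026-01-12 time=03:10:06 action="login" status="failed" user="fortinet" srcip=203.0.113.10 dstport=8443
date=2026-01-12 time=03:10:09 action="login" status="failed" user="root" srcip=203.0.113.10 dstport=8443
date=2026-01-12 time=03:10:12 action="login" status="failed" user="admin" srcip=203.0.113.10 dstport=8443
date=2026-01-12 time=03:10:20 action="login" status="success" user="admin" srcip=203.0.113.10 dstport=8443
date=2026-01-12 time=03:11:00 action="login" status="failed" user="jsmith" srcip=198.51.100.7 dstport=443
date=2026-01-12 time=01:00:00 action="login" status="failed" user="admin" srcip=192.0.2.5 dstport=10443
date=2026-01-12 time=01:30:00 action="login" status="failed" user="admin" srcip=192.0.2.5 dstport=10443
date=2026-01-12 time=02:00:00 action="login" status="failed" user="admin" srcip=192.0.2.5 dstport=10443
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict with a real timestamp and an int port."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    f["ts"] = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
    f["dstport"] = int(f["dstport"])
    return f

def detect_bruteforce(text, threshold=3, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed logins to a management port inside
    any `window`, noting whether a later login from that source succeeded."""
    events = sorted((parse_line(ln) for ln in text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e.get("action") == "login" and e["dstport"] in MGMT_PORTS:
            by_src[e["srcip"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["status"] == "failed"]
        # Sliding window: do any `threshold` consecutive failures fit inside `window`?
        burst = any(fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window
                    for i in range(len(fails) - threshold + 1))
        if burst:
            alerts[src] = {"failures": len(fails),
                           "users": sorted({e["user"] for e in fails}),
                           # A success after the first failure means a guess likely worked.
                           "success_after": any(e["status"] == "success" and e["ts"] > fails[0]["ts"] for e in evs)}
    return alerts
```

The slow, spread-out failures from 192.0.2.5 fall outside the window and are not flagged, while the burst from 203.0.113.10 followed by a success is the case that warrants an immediate credential reset and session review.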
A little rough around the edges
Once inside, the hacker extracted full device configuration files (SSL-VPN user credentials with recoverable passwords, administrative credentials, firewall policies and internal network architecture, and more) and analyzed, decrypted, and organized them using AI-generated Python scripts.
They then used the recovered VPN credentials to connect to internal networks, deploy custom AI-generated reconnaissance tools (written in Go and Python), and migrate to Active Directory.
“Analysis of the source code reveals clear indicators of AI-assisted development: redundant comments that merely repeat function names, simplistic architecture with disproportionate investment in formatting over functionality, naive JSON parsing via string matching rather than proper deserialization, and compatibility shims for language built-in documents,” Moses said.
“While functional for the threat actor’s specific use case, the tool lacks robustness and fails under edge-cases—characteristics typical of AI-generated code used without significant sophistication.”
The attacker also specifically targeted Veeam Backup & Replication servers, implementing credential extraction tools and attempting to exploit known Veeam vulnerabilities.
All of this was done over the course of just a few weeks, between January 11 and February 18, 2026, leading the researchers to believe that the attacker was rather unskilled: throughout the operation they attempted to exploit various CVEs but largely failed because the targets were patched or hardened. They often left well-protected environments and moved on to easier targets.
Via Bleeping Computer