- Russian hackers use weak credentials to brute-force FortiGate firewalls
- AI-generated scripts now enable data parsing, reconnaissance, and lateral movement
- The campaign also targeted Veeam servers; the attackers abandoned hardened systems for easier targets
Russian hackers were recently observed brute-forcing hundreds of firewalls. What makes this campaign stand out is that seemingly unskilled attackers were able to pull it off with the help of generative artificial intelligence (GenAI).
In a new analysis, Amazon Integrated Security CISO CJ Moses described how researchers observed the attackers “systematically” scanning for exposed FortiGate management interfaces on ports 443, 8443, 10443, and 4443.
After finding a potential target, they brute-forced their way in, trying large numbers of commonly used and weak credentials until one worked.
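A detection example for the behaviour described above, added here and not taken from Amazon's report or from the attackers' tooling: it reads FortiGate-style key=value event logs, keeps failed admin logins aimed at the four management ports the article names, and flags any source address that exceeds a failure threshold inside a sliding time window. The sample log lines are constructed, the field names (srcip, user, dstport, action, status) follow FortiGate's key=value syslog style but are assumed here, and the threshold and window are illustrative values, not figures from the report.

```python
"""Flag brute-force attempts against FortiGate admin interfaces.

Added example (not from the Amazon analysis). Log lines below are constructed;
field names follow FortiGate's key=value event-log style and are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says were scanned for exposed FortiGate management interfaces.
MGMT_PORTS = {443, 8443, 10443, 4443}

# Detection thresholds: assumptions for the example, not values from the report.
FAIL_THRESHOLD = 5            # failed logins from one source inside the window
WINDOW = timedelta(minutes=10)

# key=value pairs; values are either "quoted strings" or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    out = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def failed_admin_logins(lines):
    """Yield (timestamp, srcip, user, dstport) for failed logins on management ports.

    If a line carries no dstport (assumed field), the failure is still kept: a
    failed admin login is interesting regardless of which port it arrived on.
    """
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "login" or ev.get("status") != "failed":
            continue
        port = None
        if "dstport" in ev:
            try:
                port = int(ev["dstport"])
            except ValueError:
                continue
            if port not in MGMT_PORTS:
                continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        yield ts, ev.get("srcip", "?"), ev.get("user", "?"), port


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {srcip: {"failures", "users", "ports"}} for every source that
    produced >= threshold failed logins within any sliding window.

    Several distinct usernames from one source is the credential-guessing
    pattern the article describes (common/weak passwords tried until one works).
    """
    per_src = defaultdict(list)
    for ts, src, user, port in sorted(failed_admin_logins(lines)):
        per_src[src].append((ts, user, port))
    alerts = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {
                    "failures": len(evs),
                    "users": sorted({u for _, u, _ in evs}),
                    "ports": sorted({p for _, _, p in evs if p is not None}),
                }
                break
    return alerts


# Constructed sample: 203.0.113.5 guesses several admin accounts across two
# management ports; 198.51.100.7 is a single typo; one success and one non-login
# event must be ignored.
SAMPLE_LOG = [
    'date=2026-01-12 time=03:14:01 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 dstip=192.0.2.1 dstport=443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:14:09 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 dstip=192.0.2.1 dstport=443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:14:22 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="administrator" ui="https(203.0.113.5)" srcip=203.0.113.5 dstip=192.0.2.1 dstport=443 action="login" status="failed" reason="name_invalid"',
    'date=2026-01-12 time=03:14:40 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.5)" srcip=203.0.113.5 dstip=192.0.2.1 dstport=10443 action="login" status="failed" reason="name_invalid"',
    'date=2026-01-12 time=03:15:03 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="guest" ui="https(203.0.113.5)" srcip=203.0.113.5 dstip=192.0.2.1 dstport=10443 action="login" status="failed" reason="name_invalid"',
    'date=2026-01-12 time=03:15:30 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 dstip=192.0.2.1 dstport=10443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:16:00 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="jdoe" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=192.0.2.1 dstport=443 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-12 time=03:16:45 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(192.0.2.50)" srcip=192.0.2.50 dstip=192.0.2.1 dstport=443 action="login" status="success"',
    'date=2026-01-12 time=03:17:10 type="event" subtype="system" level="information" logdesc="Configuration backed up" user="admin" ui="https(192.0.2.50)" srcip=192.0.2.50 action="backup" status="success"',
]

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed admin logins, "
              f"users tried={info['users']}, ports={info['ports']}")
```

Run against real exports, the same logic also surfaces the scanning phase indirectly: a source that fails against two or more of the management ports within minutes has already enumerated the interface rather than mistyped a password.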
A little rough around the edges
Once inside, the hackers extracted the complete device configuration files, including SSL-VPN user credentials with recoverable passwords, administrative credentials, firewall policies, and internal network architecture, and used AI-generated Python scripts to parse, decrypt, and organize them.
They then used the recovered VPN credentials to connect to the victims' internal networks, deployed a custom AI-generated reconnaissance tool (written in Go and Python), and moved laterally toward Active Directory.
“Analysis of the source code revealed clear signs of AI-assisted development, including redundant comments that simply restate function names, a simple architecture with a disproportionate investment in formatting rather than functionality, simple JSON parsing with string matching rather than proper deserialization, and built-in language compatibility shims with empty documentation stubs,” said Moses.
“While this tool works for the attacker’s specific use case, it lacks robustness and fails in edge cases, which is typical of AI-generated code used without significant refinement.”
The attackers also specifically targeted Veeam Backup & Replication servers, deploying credential-extraction tools and attempting to exploit known Veeam vulnerabilities.
The whole campaign ran over just a few weeks, from January 11, 2026, to February 18, 2026. Researchers believe the attackers were fairly unskilled: they attempted to exploit various CVEs throughout the campaign but were largely unsuccessful because the targets were patched and hardened, and they frequently abandoned well-protected environments to move on to easier targets.
Via BleepingComputer