AWS FortiGate Firewall Attacks Show How AI Is Scaling Basic Cyber Intrusions

April 18, 2026 Newsletter

AWS says more than 600 internet-exposed FortiGate firewalls were compromised across 55 countries using weak credentials and exposed management interfaces. Learn what this means for cyber risk, identity security, and ransomware prevention.

A new threat intelligence report highlighted by The Register should be a wake-up call for every organization that still treats perimeter appliances as “set and forget” infrastructure. AWS reported that a financially motivated, Russian-speaking threat actor used commercial generative AI tools to compromise more than 600 internet-exposed FortiGate firewalls across 55 countries between January 11 and February 18, 2026. The campaign did not rely on a novel FortiGate zero-day. It succeeded by abusing exposed management interfaces, weak credentials, and single-factor authentication at scale.

That distinction matters. The real story is not just that AI is now helping attackers move faster. The real story is that basic security gaps are still giving them a way in.

AI Is Lowering the Barrier to Entry for Real-World Attacks

According to AWS, this was not a highly advanced threat actor with elite tradecraft. The actor was assessed as low-to-medium skill but heavily augmented by commercial AI tools, which were used to generate attack plans, scripts, parsing tools, and operational workflows. AWS’ analysis found the tooling was functional but unsophisticated, yet still effective enough to automate mass scanning, credential abuse, and post-compromise reconnaissance.

This is one of the clearest examples yet of what security leaders need to internalize in 2026: AI does not need to create breakthrough exploits to increase cyber risk. It only needs to make known tactics cheaper, faster, and easier to scale.

In practical terms, this means organizations can no longer assume that an attacker needs deep expertise to chain together credential abuse, lateral movement, and backup targeting. AI is compressing the skill gap. Controls that were once “good enough” against less capable adversaries are becoming inadequate when those same adversaries can use AI as a force multiplier.

The Initial Access Was Not Sophisticated. That Is the Problem.

AWS said the attacker systematically scanned for FortiGate management interfaces exposed to the internet on ports including 443, 8443, 10443, and 4443, then attempted to log in with commonly reused credentials. Once inside, the actor extracted firewall configurations containing administrative credentials, VPN details, network topology information, and policy data.

This is exactly why internet-facing security appliances are such high-value targets. A compromised firewall is not just a single compromised device. It can become a blueprint for the rest of the environment.

From an InfoSight perspective, this is the bigger operational lesson: perimeter devices often sit at the intersection of identity, remote access, segmentation, and visibility. When they are exposed, misconfigured, or poorly governed, they can give attackers a direct path to broader business disruption.

Firewall Compromise Quickly Became Identity and Ransomware Risk

AWS reported that the threat actor used stolen FortiGate data and credentials to move deeper into victim environments, including attempts to compromise Active Directory, harvest credentials, and access backup infrastructure such as Veeam servers. AWS explicitly characterized this behavior as consistent with pre-ransomware operations.

That progression is critical.

Too many organizations still treat firewall hardening, identity security, and backup resilience as separate workstreams. They are not separate. They are linked. Once a perimeter device exposes credentials or network intelligence, the next stage often targets domain privilege, lateral movement, and recovery systems.

This is where many incident response timelines collapse:

Initial access begins at the edge

Identity compromise follows

Backup infrastructure is targeted

Recovery options shrink

Business disruption expands

The FortiGate campaign reinforces a core reality: if attackers can reach your management plane, your directory services, and your backups, the blast radius can escalate quickly.

What This Means for Security Leaders

The AWS findings reinforce that organizations should stop focusing only on “latest vulnerability” headlines and refocus on attack path reduction. In this campaign, the attacker largely failed when encountering patched systems, closed ports, or hardened environments, and often moved on when simple automated paths did not work.

That means defensive fundamentals are still highly effective. It also means many organizations are still leaving easy wins on the table.

For CISOs, IT leaders, and risk owners, the strategic takeaway is simple: AI is accelerating attacker throughput, but poor exposure management is what makes that acceleration dangerous.

The InfoSight Perspective: Exposure, Identity, and Resilience Must Be Managed Together

This incident is not just a firewall story. It is a cyber risk management story.

At InfoSight, the right response to campaigns like this is not panic over AI hype. It is disciplined control over the conditions that enable scale:

1. Remove unnecessary internet exposure

If administrative interfaces are reachable from the public internet, the attack surface is already too large. External management access should be restricted, segmented, and tightly controlled.

2. Treat credential hygiene as a frontline control

Weak or reused passwords remain one of the fastest ways to turn an exposed appliance into a domain-level incident. Unique passwords, regular rotation, and MFA are baseline practices, not optional extras.

3. Assume perimeter compromise can become identity compromise

If a network appliance stores or exposes credential paths into VPN, AD, or privileged access, then its compromise should trigger identity-focused investigation and response immediately.

4. Harden backup infrastructure before an incident

AWS observed explicit targeting of backup systems. That aligns with what mature defenders already know: attackers go after recovery to increase leverage. Backup systems must be isolated, monitored, patched, and protected with immutability where possible.

5. Prioritize behavioral detection, not just IOC matching

AWS noted that traditional IOC-based detection is limited here because the actor relied heavily on legitimate open-source tools. Detection needs to focus on abnormal authentication patterns, suspicious AD replication activity, unusual remote management behavior, and lateral movement indicators.

Immediate Actions Organizations Should Take

AWS recommended that organizations running FortiGate appliances ensure management interfaces are not exposed to the internet, change default or common credentials, rotate SSL-VPN credentials, implement MFA for administrative and VPN access, review for unauthorized admin accounts or policy changes, and audit VPN logs for unexpected geographies. AWS also advised reviewing password reuse between FortiGate and Active Directory accounts, rotating service account credentials, monitoring for post-exploitation indicators such as unexpected DCSync activity, and hardening backup environments.
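As an added illustration of the behavioral checks the article and the AWS recommendations call for (this is example code written for this page, not code from AWS, Fortinet, or InfoSight), the following Python parses FortiGate-style key=value event logs and flags two patterns: a run of failed administrator logins followed by a success from the same source, and a successful admin login from outside an assumed trusted management range. The log lines and the management range are constructed samples, and the field names are assumed from FortiGate's event-log conventions; check them against your own appliance's output before relying on them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of FortiGate-style event logs (key=value pairs). Addresses,
# users and timestamps are made up; field names are assumed, check your own logs.
SAMPLE_LOGS = """\
date=2026-02-01 time=03:10:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:10:02 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:10:03 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-02-01 time=03:10:04 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="success" reason="none"
date=2026-02-01 time=08:00:00 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success" reason="none"
"""

# Assumed internal management ranges; admin logins from anywhere else are suspect.
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(log_text, fail_threshold=3):
    """Return (finding, srcip, user, prior_failures) tuples for suspicious admin logins."""
    failures = defaultdict(int)  # srcip -> failed admin logins since last success
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        src, user = ev["srcip"], ev.get("user", "?")
        if ev.get("status") == "failed":
            failures[src] += 1
            continue
        if ev.get("status") != "success":
            continue
        # Password guessing that eventually worked: several failures, then a success.
        if failures[src] >= fail_threshold:
            findings.append(("failures_then_success", src, user, failures[src]))
        failures[src] = 0
        # Management plane reached from outside the expected ranges.
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED_MGMT):
            findings.append(("admin_login_untrusted_source", src, user, 0))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

In the sample, the netops login from 10.20.0.5 produces no finding, while the 203.0.113.9 session is flagged twice: once for the failures that preceded it and once for coming from outside the trusted range.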

For most organizations, that translates into a near-term checklist:

Audit all internet-facing firewall and VPN management interfaces

Eliminate public exposure where possible

Enforce MFA on all administrative and remote access paths

Rotate credentials tied to firewalls, VPNs, and privileged accounts

Review AD for unusual replication, new accounts, and lateral movement behavior

Validate backup isolation and recovery integrity

Reassess whether your monitoring is catching attack-path behavior, not just malware signatures

Final Takeaway

The AWS FortiGate campaign proves that AI is making common attack methods more scalable, more accessible, and more dangerous. But it also proves something else: organizations with strong fundamentals still force these attackers to fail.

The lesson is not that AI has made defense impossible.

The lesson is that exposed management interfaces, weak passwords, poor segmentation, and weak monitoring are now even more costly than they were before.

For security leaders, the mandate is clear: reduce exposed attack paths, strengthen identity controls, harden backups, and improve visibility into post-compromise activity. Because in the AI era, attackers do not need to be brilliant to be effective. They just need you to leave the door open.

Concerned about internet-exposed security appliances, credential reuse, or ransomware attack paths? InfoSight helps organizations assess firewall exposure, strengthen identity controls, validate backup resilience, and improve detection across the environments attackers target first.