More than 600 FortiGate devices compromised in a global cyberattack


More than 600 FortiGate devices were compromised in over 55 countries between January 11 and February 18, 2026, according to a recent report from Amazon Threat Intelligence. The attack, which focused on exploiting weak credentials exposed on the internet, highlights a growing threat: economically motivated actors are using artificial intelligence tools to run attack campaigns at a scale that previously required a larger and more specialized team.

Going for the weakest target

The attacker focused on exploiting FortiGate management interfaces, systematically scanning different ports to identify devices with unique or reused credentials. Once they gained access to the configuration files, which included SSL-VPN user credentials and internal network data, they used AI-driven scripts to organize and decrypt the information. The opportunistic approach was evident in the way the actor attacked multiple devices belonging to the same entity, which suggests methodical planning, although without targeting specific industrial sectors.

Despite the magnitude of the attack, it was observed that the perpetrator showed limitations in their skills, abandoning targets with effective defenses. This indicates that, although artificial intelligence techniques have transformed the landscape of cybercrime, technical complexity remains a challenge. Amazon warns that organizations with FortiGate devices must act urgently, eliminating exposed management interfaces and applying multifactor authentication to mitigate potential risks.
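The two mitigations named above can be checked against an exported device configuration. The following Python sketch is an added example, not code from the Amazon report or from Fortinet; it assumes a configuration without VDOM wrappers in which internet-facing interfaces carry `set role wan`, and the sample configuration is constructed.

```python
MGMT = {"http", "https", "ssh", "telnet"}  # administrative protocols

SAMPLE_CONFIG = '''config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "ops"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end'''  # constructed sample in FortiOS CLI syntax, not from a real device

def parse_sections(text):
    """Return {section: {entry: {key: [values]}}} for top-level config blocks."""
    sections, path, entry = {}, [], None
    for line in map(str.strip, text.splitlines()):
        top = len(path) == 1  # ignore lines inside nested config blocks
        if line.startswith("config "):
            path.append(line[7:])
            sections.setdefault(path[0], {})
        elif line == "end" and path:
            path.pop()
        elif top and line.startswith("edit "):
            entry = sections[path[0]].setdefault(line[5:].strip('"'), {})
        elif top and line.startswith("set ") and entry is not None:
            key, *vals = line[4:].split()
            entry[key] = [v.strip('"') for v in vals]
        elif top and line == "next":
            entry = None
    return sections

def audit(text):
    """Flag WAN-side management access and admins lacking trusthost or 2FA."""
    cfg, out = parse_sections(text), []
    for name, s in cfg.get("system interface", {}).items():
        hit = MGMT & set(s.get("allowaccess", []))
        if s.get("role") == ["wan"] and hit:
            out.append(f"interface {name}: {', '.join(sorted(hit))} open on WAN role")
    for name, s in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") and v != ["0.0.0.0", "0.0.0.0"] for k, v in s.items()):
            out.append(f"admin {name}: no trusthost restriction")
        if s.get("two-factor", ["disable"]) == ["disable"]:
            out.append(f"admin {name}: two-factor not enabled")
    return out
```

Calling `audit(SAMPLE_CONFIG)` returns one finding for `wan1` and two for the `admin` account, while `ops` passes both checks. Interfaces with no role set are not evaluated, so they need a manual review.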

It is recommended to audit Active Directory activity and watch for unusual authentication patterns that may indicate attempts at lateral movement in compromised networks. In this regard, the threat actor's use of open-source tools jeopardizes critical infrastructure, and companies must intensify their security measures to protect their systems.