AI-Powered Cyberattacks Target FortiGate Devices; 2,500 Compromised in Global Campaign

Cybercriminals Exploit AI to Launch Automated Attacks on FortiGate Devices

In February 2026, security researchers uncovered a cyberattack campaign that builds large language models (LLMs) into its tooling. The operators were found using DeepSeek and Claude to automate and scale their intrusions, specifically against FortiGate SSL VPN appliances worldwide.

Discovery of AI-Driven Attack Infrastructure

The campaign came to light when a misconfigured server exposed a detailed software pipeline used by the attackers. This pipeline revealed the integration of DeepSeek and Claude into the attack workflow, marking a significant evolution in cybercrime tactics. Unlike traditional methods that rely heavily on manual intervention, this AI-driven approach automates complex offensive tasks, enabling large-scale, efficient attacks.

Targeting FortiGate SSL VPN Appliances

The attackers focused on FortiGate SSL VPN appliances, using stolen configuration data, and the credentials it contained, to gain unauthorized access to networks. With those credentials they mapped internal infrastructure and identified critical assets within the targeted organizations. This targeting underscores the importance of securing VPN appliances, which serve as gateways to sensitive network resources: a leaked appliance configuration hands an attacker both a foothold and a map.

Automated Exploitation Workflow

Central to this operation are two custom-built components named ARXON and CHECKER2. CHECKER2 functions as a Docker-based orchestrator that manages parallel VPN scanning, while ARXON acts as a Model Context Protocol (MCP) server, the interface through which an LLM is given tools it can call. This setup allows the attackers to feed reconnaissance data on a specific target into the LLMs, which then generate actionable exploitation steps and invoke the tools needed to carry them out. For instance, the system can autonomously run offensive tools like Impacket and Metasploit, removing the operator from most of the loop.

Scale and Efficiency of the Attack

Evidence indicates that over 2,500 devices across 106 countries were processed in parallel batches. The dual-model approach employed by the attackers uses DeepSeek to generate strategic attack plans based on reconnaissance data, while Claude’s coding capabilities execute vulnerability assessments. This level of automation enables even low-skilled operators to manage a massive volume of intrusions efficiently, highlighting the potential for AI to lower the barrier to entry for cybercriminal activities.

Implications for Cybersecurity

The integration of AI into cyberattack workflows represents a paradigm shift in the threat landscape. Traditional security measures may be insufficient against such automated and adaptive threats. Organizations must recognize the evolving nature of cyber threats and adapt their defense strategies accordingly.

Recommendations for Mitigation

To defend against AI-driven cyberattacks, organizations should implement the following measures:

1. Immediate Patching of Edge Devices: Regularly update and patch VPN appliances and other edge devices to close known vulnerabilities that could be exploited by attackers. Patching does not revoke credentials that have already leaked, so where a configuration dump may have been stolen, rotate the passwords, pre-shared keys and certificates it contained as well.

2. Audit VPN User Accounts: Conduct frequent audits of VPN user accounts, and of the appliance's own administrator accounts, to detect and remove any that were not created through your provisioning process, ensuring that only legitimate users have access.

3. Monitor for Unusual SSH Sessions: Implement monitoring to detect unexpected SSH sessions, both administrative logins to the appliances themselves and sessions between internal hosts, which could indicate unauthorized access or lateral movement within the network. Restricting management access to trusted source addresses makes such logins both harder and easier to spot.

4. Verify Network Configurations: Regularly compare running configurations against a known-good baseline taken from a trusted export, to identify and remediate subtle modifications (new accounts, weakened authentication, widened management access) that may have been introduced by attackers.

5. Enhance User Training: Educate employees about the risks associated with phishing and social engineering tactics, as human error remains a significant factor in successful cyberattacks.

6. Deploy Advanced Threat Detection Systems: Utilize AI-driven security solutions capable of detecting and responding to sophisticated threats in real-time, providing an additional layer of defense.
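Recommendations 2, 3 and 4 above are the ones an operator can script. The following is an added example written for this article, not tooling from the campaign or from Fortinet: it flattens a FortiOS-style `config`/`edit`/`set`/`next`/`end` dump, diffs it against a baseline to surface new accounts and changed settings, and scans key=value login events for SSH sessions from outside a management network. The configuration syntax is modelled loosely on FortiOS and the event field names (`method`, `status`, `srcip`) are assumptions; all sample data is constructed.

```python
# Added example (not tooling from the campaign write-up): audit a FortiGate-style
# config dump against a baseline and flag admin SSH logins from outside the
# management network. Syntax is FortiOS-like; all sample data is constructed.
import ipaddress
import re
from typing import Dict, List, Tuple

Config = Dict[Tuple[str, ...], Dict[str, str]]  # {("user local", "alice"): {...}}

# Constructed baseline: admin reachable only from the management subnet,
# one SSL VPN user with a FortiToken second factor.
BASELINE = """\
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
config user local
    edit "alice"
        set two-factor fortitoken
    next
end
"""

# Constructed current dump: trusted host widened to any source, a second
# super_admin created, MFA removed from alice, a new VPN user added.
CURRENT = """\
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "support_tmp"
        set accprofile "super_admin"
    next
end
config user local
    edit "alice"
        set two-factor disable
    next
    edit "svc_backup"
    next
end
"""

def parse_fortios(text: str) -> Config:
    """Flatten config/edit/set/next/end nesting into {path: {key: value}}."""
    stack: List[str] = []
    out: Config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, _, rest = line.partition(" ")
        if kw == "config":
            stack.append(rest)
        elif kw == "edit":
            stack.append(rest.strip('"'))
            out.setdefault(tuple(stack), {})  # keep objects that set nothing
        elif kw in ("next", "end") and stack:
            stack.pop()
        elif kw in ("set", "unset"):
            key, _, val = rest.partition(" ")
            out.setdefault(tuple(stack), {})[key] = val if kw == "set" else "<unset>"
    return out

def diff_configs(baseline: Config, current: Config) -> dict:
    """Objects only in current, plus per-setting changes as (baseline, current)."""
    added = sorted(p for p in current if p not in baseline)
    changed: Dict[Tuple[str, ...], Dict[str, Tuple[str, str]]] = {}
    for p in current.keys() & baseline.keys():
        for k in current[p].keys() | baseline[p].keys():
            b, c = baseline[p].get(k, "<absent>"), current[p].get(k, "<absent>")
            if b != c:
                changed.setdefault(p, {})[k] = (b, c)
    return {"added": added, "changed": changed}

def new_accounts(diff: dict) -> List[Tuple[str, ...]]:
    """Accounts created since the baseline: new admin or local (VPN) users."""
    return [p for p in diff["added"] if len(p) == 2 and p[0] in ("system admin", "user local")]

# Constructed FortiOS-like login events; the field names are assumptions.
EVENTS = [
    'date=2026-02-10 time=02:11:05 action="login" status="success" user="admin" method="ssh" srcip=10.0.0.25',
    'date=2026-02-10 time=03:14:07 action="login" status="success" user="support_tmp" method="ssh" srcip=203.0.113.7',
    'date=2026-02-10 time=03:20:41 action="login" status="success" user="admin" method="https" srcip=10.0.0.25',
]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_kv(line: str) -> Dict[str, str]:
    return {m[1]: m[2] if m[2] is not None else m[3] for m in KV_RE.finditer(line)}

def unexpected_ssh_logins(lines: List[str], mgmt_net: str = "10.0.0.0/24") -> List[str]:
    """Successful SSH admin logins whose source lies outside the management net."""
    net = ipaddress.ip_network(mgmt_net)
    return [f'{ev["user"]}@{ev["srcip"]}' for ev in map(parse_kv, lines)
            if ev.get("method") == "ssh" and ev.get("status") == "success"
            and ipaddress.ip_address(ev["srcip"]) not in net]

if __name__ == "__main__":
    diff = diff_configs(parse_fortios(BASELINE), parse_fortios(CURRENT))
    print(new_accounts(diff), diff["changed"], unexpected_ssh_logins(EVENTS), sep="\n")
```

Run against the constructed samples, the audit reports two new accounts (a second super_admin and an extra VPN user), the trusted-host restriction loosened to any source, alice's second factor disabled, and one SSH login by the new admin account from an address outside the management network. In practice the baseline comes from a configuration export you took and stored before any suspected compromise, and the event lines from the appliance's own log stream.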

Conclusion

The discovery of AI-integrated cyberattack campaigns targeting FortiGate devices underscores the need for a proactive and adaptive approach to cybersecurity. As threat actors continue to evolve their tactics by incorporating advanced technologies, organizations must stay ahead by implementing robust security measures, continuous monitoring, and fostering a culture of cybersecurity awareness.