AI-Powered Attack Breaches 600 Firewalls

An Amazon Threat Intelligence report revealed a single Russian-speaking operator breached over 600 FortiGate firewalls in 55 countries. The attacker used generative AI models like DeepSeek for planning and Claude for autonomous exploitation. The operation was orchestrated using a custom multi-agent command-and-control platform called ARXON, demonstrating a significant escalation in AI-driven cybercrime.

- The attack campaign ran from January 11 to February 18, 2024, and was assessed to be opportunistic, targeting FortiGate management interfaces exposed online with common or reused credentials.
- The financially motivated Russian-speaking threat actor is believed to have limited technical skills, using commercial generative AI services to scale and implement well-known attack techniques across all phases of the operation.
- This incident exploited several known Fortinet vulnerabilities, including CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475, to gain initial access.
- The primary vulnerability, CVE-2023-27997, is a critical heap-based buffer overflow in the SSL-VPN web portal with a CVSS score of 9.8, allowing for remote code execution without authentication.
- The ARXON command-and-control (C2) platform provides a centralized interface for managing compromised devices, offering real-time situational awareness, operational planning tools, and the ability to integrate and fuse data from multiple sources.
- Generative AI is increasingly being used by threat actors to enhance social engineering, making phishing lures more convincing and harder to detect, as well as to accelerate malware development and reconnaissance.
- Following the initial breach, the attacker used AI-assisted Python scripts to parse, decrypt, and organize stolen firewall configurations.
- Fortinet has released patches for the exploited vulnerabilities and urges customers to upgrade to the latest FortiOS versions to remove the malicious files and prevent re-compromise.
