AI-Assisted Actor Breaches 600+ FortiGate Devices in 55 Nations

A single Russian-speaking actor compromised more than 600 FortiGate firewalls in under six weeks, affecting networks in 55 countries. Rather than exploiting unknown flaws, the actor leaned on common configuration errors and basic oversights left wide open. Amazon's threat intelligence team took the campaign apart and found heavy reliance on public AI tools to speed up every stage of the attacks.

Campaign Background

FortiGate appliances, built by Fortinet, sit at the network edge as firewalls, inspecting the traffic that passes through them. Beyond blocking outsiders, they terminate the secure tunnels known as VPNs.

Routing is handled within the same system, and threat prevention is baked into daily operations. Many organizations rely on them, especially managed service providers that run networks on behalf of others.

A single actor, short on expertise, turned to generative AI to plan operations, write code, and then carry out attacks. That path led straight into Active Directory weaknesses and poorly protected backups, groundwork that mirrors the early moves of a ransomware intrusion.

The actor's own sloppy operational security exposed AI-made tools that let one person act like a crew. Large-scale attacks once meant working as a team; now a single individual with access can pull them off.

Automated playbooks were left lying around online; no teamwork was needed anymore. Not a single Amazon server was caught up in the campaign, showing that basic safeguards still matter more than sophisticated exploits.

Initial Access Method

The actor began probing FortiGate administrative interfaces exposed to the internet, targeting ports such as 443 and 8443, and hammered these entry points with credential-guessing attacks.

Weak logins stood no chance, especially factory defaults or passwords pulled from past breaches. Rather than anything sophisticated, the intruder relied on simple trial and error, also against ports 10443 and 4443.

With no strong authentication layer in front of the admin interfaces, access came fast. Default combinations opened doors that others assumed were shut.

What worked came down to neglected fundamentals rather than vulnerabilities. Misconfigured devices gave up VPN credentials, access keys, network layouts, firewall rules, and IPsec settings.

Custom Python code, written with help from AI tools, parsed and interpreted that data, streamlining movement inside the environment.

Secrets in FortiGate configurations pay off because they contain decrypted SSL VPN logins and network layouts, which are rarely checked during reviews.

The actor also ran a custom scanner named CHECKER2, written in Go, that launched waves of probes at VPN gateways in more than a hundred countries, tagging each open door for a later visit.
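As an added example (mine, not code from the article or from Amazon's report), here is a small Python detector for the credential-guessing pattern described above, run over constructed FortiGate-style admin-login log lines. The field names follow the FortiOS key=value event format; the sample lines, the IP addresses and the logid values are assumptions, not captures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style admin login events (key=value format), not real captures.
# logid values are modelled on FortiOS admin-login events; detection keys on status, not logid.
SAMPLE_LOGS = [
    'date=2026-01-11 time=03:14:01 logid="0100032002" type="event" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-11 time=03:14:02 logid="0100032002" type="event" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-11 time=03:14:04 logid="0100032002" type="event" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-11 time=03:14:05 logid="0100032002" type="event" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-11 time=03:14:07 logid="0100032002" type="event" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-01-11 time=03:14:09 logid="0100032001" type="event" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 action="login" status="success"',
    'date=2026-01-11 time=09:00:00 logid="0100032001" type="event" user="netops" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    'date=2026-01-11 time=09:05:00 logid="0100032002" type="event" user="netops" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="failed" reason="passwd_invalid"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted

def parse_line(line):
    """Parse one FortiOS key=value event line into a dict, stripping quotes and adding a timestamp."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on a burst of failed admin logins from one source IP inside the window, and on a
    success from that same IP while the burst is still live (the default-credential hit)."""
    failures = defaultdict(list)  # srcip -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        if ev.get("action") != "login":
            continue
        ip, ts = ev["srcip"], ev["ts"]
        failures[ip] = [t for t in failures[ip] if ts - t <= window]  # slide the window
        if ev.get("status") == "failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("burst", ip, ev["user"], ts))
        elif ev.get("status") == "success" and len(failures[ip]) >= threshold:
            alerts.append(("success_after_burst", ip, ev["user"], ts))
    return alerts
```

The same logic applies to SSL VPN login events once the status field name is adjusted to the event type being fed in.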

Geographic Impact

Compromised devices first piled up in South Asia, then Latin America felt it next. The Caribbean was hit hard, too, with West Africa not far behind.

Northern Europe saw compromises, as did Southeast Asia. Shared IP ranges look to have played a part, and common exposed ports may have helped the campaign spread. MSPs may have been involved, or larger companies with many devices; the patterns point that way.

One mis-scoped connection between devices can let a compromise spread through a company's systems.

The absence of industry targeting points to a hunt for quick wins rather than long-term goals.

AI-Generated Tooling

After access was gained, tooling written in Go and Python pulled route details and measured subnet sizes from them. Port scans powered by Gogo came next.

SMB sweeps turned up domain controllers, and HTTP services were scanned for flaws with Nuclei soon afterward. Discovery unfolded step by step across internal segments.

Telltale signs in the code pointed straight to AI generation: cluttered comments that repeated themselves, clumsy checks on JSON text, layouts too clean to be human, and errors piling up at the tricky spots.

Running in the background, ARXON served as a tailored hub linking reconnaissance findings to large language models such as Claude and DeepSeek, shaping strategy step by step.

Nearby directories held more than two hundred results: Claude's guesses, hacks, and dead ends, all stored without fanfare.

The set includes parsers, scanners, and dashboards across several languages, which a beginner is unlikely to have produced without AI assistance.

Over time, tools such as HexStrike evolved into ARXON, which ran Impacket, Metasploit, and hashcat on its own under model direction rather than relying on human checks.

Post-Exploitation Steps

Through those network paths, Meterpreter ran mimikatz with DCSync to grab the AD NTLM hashes, and complete credential sets spilled out; one Domain Admin's password matched a clear-text FortiGate login. Full access followed.

Lateral movement relied on stolen hashes or tickets, NTLM relay attacks, and remote command execution through abuse of Windows internals.

Attention then turned to Veeam backup systems: scripts such as DecryptVeeamPasswords.ps1 appeared, along with compiled executables that probed weak spots to grab high-privilege credentials and bypass restore options, the step taken just before ransomware would strike.

Some attempts hit dead ends where patches blocked access, ports stayed closed, or software versions did not match the tooling. Systems judged too tough were left behind without a second look; easier targets drew attention instead.

CVE ID           CVSS Score       Description
CVE-2019-7192    7.5 (High)       QNAP NAS improper access controls allow remote unauthorized access.
CVE-2023-27532   7.5 (High)       Veeam Backup & Replication exposes encrypted credentials via an unauthenticated WCF API on port 9401.
CVE-2024-40711   9.8 (Critical)   Veeam insecure deserialization enables unauthenticated RCE.

AI Force Multiplier

A notable shift came when AI took charge of planning: laying out and assigning phases, odds, and deadlines, drawing on research into aggressive automated agents.

The main language model generated tools and blueprints, while a second one adjusted paths based on the network topology, working through the IP ranges, passwords, and service logs fed to it.

When actions strayed beyond the preset lines, performance dipped: code building, error fixing, and rerouting all ran into trouble. Yet sheer output grew thanks to machine-made bulk.

Actor Profile

Starting without deep resources, a Russian-speaking actor used AI at every stage to get things done: operations wide in reach yet thin in depth.

Money mattered most, so effort went into volume rather than precision. Later, poor operational security exposed unprotected files and passwords lying around.

After hitting tougher defenses, the actor shifted toward easier opportunities nearby. No ties to known advanced threat groups were found; this was probably one person or a small circle boosted by AI tools.

Amazon Action

Amazon then passed threat details to partners, and by working together to disrupt the attacker's flows, the campaign's effectiveness dipped worldwide.

From that point, joint efforts slowed the malicious campaign, cutting its strength through shared action. Networks began resisting more effectively once coordination across borders took hold.

FortiGate Hardening

Start by locking down internet-facing admin interfaces, allowing access only through approved jump servers or known IP ranges.

A fresh set of credentials should replace any default logins used for VPN. Multi-factor authentication must be in place for both admin roles and remote connections.

Look closely at login records, hunting for unusual locations or repeated passwords that match domain entries. Keep management systems split off from regular traffic.

Credential Practices

Check for password reuse between FortiGate and AD, enable MFA for VPN, use strong, unique Domain Admin passwords, and rotate backup service credentials.

Detection Signals

Rogue scheduled tasks may appear where they should not. Event ID 4662 entries that reference the replication GUIDs need close, ongoing monitoring. Remote sessions arriving via VPN can hide odd behavior inside normal traffic. LLMNR and NBT-NS poisoning shows up as name resolution being twisted on purpose.

Probes against backup storage happen at quiet hours and are often overlooked. New user accounts appear mixed into regular activity, blending in too well.
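As an added example (mine, not from the article or Amazon's report), here is Python detection logic for the Event ID 4662 replication-GUID signal above, joining each 4662 record to its 4624 logon by logon ID so that a request sourced from the VPN client pool is rated higher. The sample events, the DC account name and the VPN pool range are constructed assumptions; the three replication GUIDs are the documented Active Directory extended rights.

```python
import re
import ipaddress

# Documented AD extended-right GUIDs that DCSync relies on; normally only DCs exercise them.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
REPL = "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed Security-log records (4624 logons and 4662 object accesses), not real data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x1a2b", "IpAddress": "10.0.0.10"},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3e7a", "IpAddress": "10.212.134.15"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x1a2b", "AccessMask": "0x100", "Properties": REPL},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a", "AccessMask": "0x100", "Properties": REPL},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967a86-0de6-11d0-a285-00aa003049e2}"},  # ordinary attribute read
]

def replication_rights(properties):
    """Names of the replication rights referenced in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPLICATION_GUIDS[g] for g in found if g in REPLICATION_GUIDS)

def detect_dcsync(events, dc_accounts, vpn_pool):
    """Flag control-access (0x100) replication requests from accounts that are not DCs.
    The 4662 SubjectLogonId is joined to the matching 4624 to recover the source IP;
    sources inside the VPN client pool are rated critical, matching this campaign's path."""
    dc_accounts = {a.upper() for a in dc_accounts}
    pool = ipaddress.ip_network(vpn_pool)
    logon_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e.get("EventID") == 4624}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"].upper() in dc_accounts:
            continue  # no replication right requested, or legitimate DC-to-DC replication
        src = logon_ip.get(ev["SubjectLogonId"], "unknown")
        in_pool = src != "unknown" and ipaddress.ip_address(src) in pool
        alerts.append({"user": ev["SubjectUserName"], "src": src, "rights": rights,
                       "severity": "critical" if in_pool else "high"})
    return alerts
```

Accounts that legitimately replicate besides DCs (for example a directory sync service) belong in the allow-list passed as dc_accounts.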

Backup Protections

Restrict network access to Veeam servers now. Patch the flaws that let attackers steal stored passwords before they are exploited.

Watch PowerShell tooling closely; some of it turns dangerous without warning. Make backups immutable so nothing can alter them.

AWS Defenses

GuardDuty flags anomalous API or credential behavior as potential misuse. Rather than waiting for an incident, Inspector checks systems for open weaknesses or exposed assets. Security Hub tracks the overall security posture across accounts.

Patch Manager keeps EC2 instances up to date on fixes automatically. After someone slips past the outer defenses, IAM replay helps identify the actions taken with stolen access.

IOC Value         IOC Type   First Seen   Last Seen    Annotation
212.11.64.250     IPv4       1/11/2026    2/18/2026    Scanning/exploitation infrastructure.
185.196.11.225    IPv4       1/11/2026    2/18/2026    Threat operations infrastructure.

Implications Forward

By 2026, attacks may rise sharply as AI opens doors even for less skilled hackers. Still, solid basics such as patching, multi-factor logins, and network segmentation block many threats.

Creativity stays beyond machines, though they handle repetition well. Clusters of devices make managed providers juicy targets. Right now is a good moment to check where the risks hide.

FAQ

Inside ARXON, Claude worked alongside DeepSeek to shape strategy and pick tools; Amazon stayed quiet on the exact details.

Not really; just poor passwords sitting out in the open, along with doors left wide open on the network.

A public server holding software, blueprints, and files on targets.

No ransomware seen yet, though clues point close. Backups got hit anyway.

Site: thecybrdef.com


John
