AWS describes the campaign as an ‘AI-powered assembly line for cybercrime’.
Commercial AI services are lowering the technical barrier needed to commit cybercrimes, and Amazon warns that this trend will continue.
Amazon Web Services (AWS) says it has observed what it describes as a Russian-speaking financially motivated threat actor that leveraged multiple commercial generative AI (GenAI) services to compromise more than 600 FortiGate devices across more than 55 countries over the past month.
FortiGate is a next-generation firewall line that offers more advanced network protection than traditional firewalls.
AWS describes the hacker as an “unsophisticated” individual or small group armed with AI tools that help them achieve operational scale to commit crime, something that would previously have required a significantly larger and more skilled team.
The campaign stood out to AWS because of the group’s use of multiple commercial GenAI services. AWS describes it as an “AI-powered assembly line for cybercrime, helping less skilled workers produce at scale,” according to a blog post authored by CJ Moses, who leads security engineering and operations at Amazon.
The threat actor compromised globally dispersed FortiGate appliances, accessing credentials and device configuration information. They then used the stolen credentials to connect to victims’ internal networks, harvest further credentials and attempt to access backup infrastructure.
According to AWS’s observations, the hacker did not exploit FortiGate vulnerabilities. Instead, the campaign exploited exposed management ports and weak credentials protected only by single-factor authentication.
Moreover, when the group encountered better-secured environments, it moved on to softer targets rather than persisting, which means its power lies in AI-augmented efficiency and scale, not in deeper technical skill.
The group’s targeting appeared opportunistic rather than sector-specific, finding vulnerable appliances through mass scanning with AI tools, AWS adds.
The threat actor in this campaign is not known to be associated with any advanced persistent threat group with state-sponsored resources, the blog explains. Amazon says it was not compromised in this incident.
AWS recommends that organisations running FortiGate appliances ensure management interfaces are not exposed to the internet. It advises that organisations change all default and common credentials on FortiGate appliances, including administrative and VPN user accounts. In addition, AWS recommends that organisations enforce unique, complex passwords for all accounts.
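As an added example (not from AWS’s blog or from Fortinet), the Python script below audits a FortiOS configuration backup for the first of those recommendations, management protocols reachable on WAN-role interfaces, and for administrator accounts with no trusted-host restriction; it assumes the backup uses the `config` / `edit` / `set` / `next` / `end` syntax with the `allowaccess`, `role` and `trusthost1` keywords, and the sample configuration is constructed. Default or weak passwords cannot be checked this way, since a backup holds only password hashes.

```python
# Audit a FortiOS config backup for exposures AWS's guidance targets (added example).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""  # constructed sample in FortiOS backup syntax, not taken from any real device
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

def parse_config(text):
    """{section: {entry: {key: value}}}; nested 'config ... end' blocks are skipped."""
    sections, depth, section, entry = {}, 0, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # a new top-level block; nested ones only bump depth
                section, entry = sections.setdefault(line[7:], {}), None
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value
    return sections

def find_weaknesses(text):
    cfg, findings = parse_config(text), []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", "").split())
        if iface.get("role") == "wan" and exposed:  # LAN-side access is not flagged
            findings.append(f"{name}: {'/'.join(sorted(exposed))} open on a WAN interface")
    for name, admin in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusthost restriction")
    return findings

print(*find_weaknesses(SAMPLE_CONFIG), sep="\n")
```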