How an AI-Assisted Hacker Compromised 600 Firewalls in 5 Weeks
The big picture: An "unsophisticated" hacker recently used generative AI to compromise over 600 FortiGate firewalls in five weeks. This campaign shows how AI can lower the technical bar, allowing less-skilled attackers to carry out large-scale cyberattacks.
Why it matters: You don’t need to be a master hacker to cause major damage anymore. By using AI to automate scanning, planning, and tool development, a small group or even a single person achieved a level of operational scale that once required a large, expert team.
The details: The attackers didn't use complex "zero-day" exploits. Instead, they relied on basic security gaps:
Exposed management ports: They scanned for interfaces left open to the internet.
Weak credentials: They used common, reused passwords.
Lack of MFA: Victims were using single-factor authentication, making it easy to gain access.
Once inside, the hackers moved laterally through networks to steal Active Directory credentials and target backup systems, likely preparing for ransomware attacks. When they hit a secure environment, they simply moved on to an easier target.
What you should do: Good security basics remain your best defense against AI-assisted threats:
Close the doors: Ensure management interfaces are not exposed to the internet. If they must be accessible, restrict them to known, trusted IP addresses.
Use strong credentials: Enforce unique, complex passwords for all administrative and VPN accounts.
Enable MFA: Require multi-factor authentication for every account to stop unauthorized access even if a password is stolen.
The AI Arms Race: Attackers Are Faster Than Ever
The big picture: Cyber adversaries are using artificial intelligence to dramatically speed up their attacks. Security teams must now defend at machine speed to keep up.
Why it matters: In 2025, the "breakout time" (the speed at which an attacker moves from an initial entry point to other parts of your network) fell to an average of 29 minutes. The fastest recorded breakout took just 27 seconds. If your response plan relies on manual human intervention, you are likely too slow.
Key findings:
AI is a dual threat: Attacks by AI-enabled adversaries surged by 89% year-over-year. Beyond using AI to accelerate their work, attackers are targeting internal enterprise AI tools to steal credentials and data.
Malware is fading: 82% of attacks were "malware-free." Instead of using traditional viruses, attackers are "living off the land": using your own legitimate tools, valid credentials, and system settings to blend in and remain undetected.
New attack surfaces: Adversaries are increasingly targeting cloud environments and internet-facing "edge" devices (like firewalls and VPNs) that often lack deep security monitoring.
The bottom line: Traditional, signature-based security is no longer enough. To succeed, you need visibility that spans your entire environment, including identity, cloud, and SaaS combined with automated, real-time response capabilities. Spoiler: this requires deploying an endpoint detection and response (EDR).
Stop Using Display Names for Identity Automation
Why it matters: Many IT teams rely on display names or email addresses to manage user lifecycle workflows. This is a structural mistake that creates silent, persistent automation failures.
The big picture: These attributes are designed for presentation and communication, not for system identification. Names change, email domains migrate, and people share names. When your automation depends on "presentation data" rather than "identity data," you introduce significant risks:
Operational failure: Incorrect onboarding, broken provisioning, and missed offboarding.
Security gaps: Hardcoding administrative roles into display names makes sensitive accounts easier to target.
Scaling issues: These methods might work in small, static environments, but they fail quickly as your organization grows or changes.
The bottom line: Move your account naming and automation logic to immutable system identifiers, like Object ID or authoritative HR attributes. My personal favorite is using the employee ID in the User Principal Name: immutable and unique for the organization.
Quishing: The New Mobile Phishing Threat
Why it matters: Attackers are increasingly using QR codes (a technique called "quishing") to bypass traditional email and network security. By shifting the attack from your corporate network to a user’s personal mobile device, hackers can steal credentials and install malicious apps without leaving a trace on your perimeter defenses.
The big picture: Because QR codes are images, standard security filters often cannot scan the embedded URL. Once a user scans a code, they are often directed to a malicious site outside of your organization’s control.
How it works: Threat actors are using three primary methods to remain evasive:
URL shorteners: These disguise the true, malicious destination, often hiding it behind a reputable service to avoid detection.
In-app deep links: Attackers use these to push content directly into mobile apps, which can be used to steal account credentials or take control of specific app functions.
Direct file downloads: By bypassing official app stores, attackers trick users into installing malicious software directly onto their mobile devices.
Bonus: Additional clicks and CAPTCHA tests: I’ve personally seen cases where the QR landing page is clean, but uses social engineering to get you to click another link to take you to the real payload page. The payload page is behind a CAPTCHA service (typically Cloudflare Turnstile) to prevent security tools from detecting the malicious nature in advance.
What to do:
Update training: Teach end users to treat QR codes with the same skepticism as unsolicited email links.
Deploy mobile defenses: Use mobile threat defense tools that can analyze web traffic on personal devices and block malicious redirects in real time.
Inspect at the gateway: If possible, implement security solutions that can extract and inspect the destination of URLs embedded within QR codes before they reach the user. Microsoft says they are doing it with Defender for Office 365.
Go deeper: https://rhisac.org/threat-intelligence/phishing-on-the-edge-of-the-web-and-mobile-using-qr-codes/
AirSnitch: New Wi-Fi security threat - what you need to know
The big news: A new class of vulnerabilities called "AirSnitch" allows attackers to bypass Wi-Fi client isolation, potentially exposing devices on home, office, and enterprise networks to interception.
Why it matters: Client isolation is a key defense designed to stop devices on the same Wi-Fi network from communicating with each other. By breaking this, an attacker on a guest network could potentially inject traffic into a private network or perform "man-in-the-middle" (MitM) attacks to intercept sensitive data.
How it works:
GTK Abuse: Researchers found that the Group Temporal Key (GTK)—used to protect broadcast/multicast traffic—is often shared among all clients. Attackers can abuse this to inject packets and bypass security controls.
Layer-3 bypass: Many network devices only enforce isolation at the hardware (Layer-2) level. Attackers can get around this by sending traffic addressed to the network gateway, which the access point then forwards to the target.
What you should do:
Use VLANs: Segment your network traffic. Keeping guest and corporate traffic on completely separate virtual networks is the most effective way to block this attack. If you have Cisco Meraki, you should be using NAT Mode with Meraki DHCP.
Enforce strong passwords: Don't rely on simple or publicly known passphrases for any Wi-Fi network pre-shared key.
Keep hardware updated: Monitor your network equipment vendors for firmware patches related to these findings.
Secure your connections: Since attackers can try to decrypt HTTPS traffic once they are in a MitM position, ensure your applications and services use modern, up-to-date TLS implementations.
Really go down the rabbit hole and read the research paper: https://papers.mathyvanhoef.com/ndss2026-airsnitch.pdf
If you have any comments or feedback, just respond to this email!
Thanks for reading and stay secure,
Aaron