Threat Intel

In the ‘world of Mythos’ and other such overhyped AI buzz words…. the fundamentals of digital security still apply. Don’t get me wrong, I think LLMs are great; as a digital defender, I’ve been using LLMs for a relatively long time now (from offence to defence to general CTI/Research), so I’m not a hater. They are like an Iron Man suit! But we still need our Tony Stark and Pepper Potts!

It’s very easy in a world full of complexity to oversimplify, and it’s very easy to focus on one class of threat and ignore another. Zero days sound cool, and when mass exploitation occurs it’s a real problem, but for the day to day in an org, authentication attacks (the identity plane) are the number one thing you will likely be seeing (if you look at your logs… you have logs, right???)

What occurred?

A threat actor operating from AS211486 has been running a campaign attacking authentication services across a range of technologies including Fortinet/Fortiweb/Fortigate, MSSQL and probably other services.

Thanks to IPInfo

Also, if you are running an edge device, check the vendor guidance, e.g. https://www.fortiguard.com/psirt

There have been some configuration file exposure vulnerabilities in the past (and a recent CVE about info disclosure). The TA might have been using a combo of software vulnerability exploits + creds (I’ve only seen evidence of creds from the honeypot data I’ve seen so far).

Am I affected?

You can check out the resources from SOCRADAR or HUDSON ROCK, but also:

The best source of truth is your own devices and logs!

Remember, they didn’t seem to just ‘attack’ Fortiweb devices. The source IP is: https://ipinfo.io/85.11.187.8
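Since your own logs are the best source of truth, here is an added example (my illustration, not code from the post, Defused or any vendor) of the kind of check to run over them: it parses a constructed, generic auth-log format (assumed; map it to your device’s real fields), aggregates failures per source IP, flags sources spraying many usernames, and calls out the case where a login then succeeded after a burst of failures, i.e. lockout did not stop it.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed generic key=value auth format
# (not a real vendor format). 85.11.187.8 is the source IP named in the post;
# 198.51.100.7 is a documentation-range address standing in for a normal user.
SAMPLE_LOG = """\
2026-03-02T10:00:01Z src=85.11.187.8 user=admin result=fail
2026-03-02T10:00:02Z src=85.11.187.8 user=administrator result=fail
2026-03-02T10:00:03Z src=85.11.187.8 user=root result=fail
2026-03-02T10:00:04Z src=85.11.187.8 user=sa result=fail
2026-03-02T10:00:05Z src=85.11.187.8 user=fortinet result=fail
2026-03-02T10:00:06Z src=85.11.187.8 user=admin result=success
2026-03-02T10:01:00Z src=198.51.100.7 user=jsmith result=fail
2026-03-02T10:01:30Z src=198.51.100.7 user=jsmith result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarise(events, fail_threshold=5):
    """Per source IP: failure count, distinct usernames tried, and whether a
    success arrived after the source had already failed fail_threshold times."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "success_after_burst": False})
    for ev in events:
        s = stats[ev["src"]]
        if ev["result"] == "fail":
            s["fails"] += 1
            s["users"].add(ev["user"])
        elif ev["result"] == "success" and s["fails"] >= fail_threshold:
            s["success_after_burst"] = True   # lockout should have fired by now
    return stats

def flag_sources(log_text, fail_threshold=5, min_users=3):
    """Return sources that look like credential attacks: many failures spread
    across several usernames. success_after_burst=True means it likely worked."""
    findings = {}
    for src, s in summarise(parse(log_text), fail_threshold).items():
        if s["fails"] >= fail_threshold and len(s["users"]) >= min_users:
            findings[src] = {"fails": s["fails"], "users": len(s["users"]),
                             "success_after_burst": s["success_after_burst"]}
    return findings
```

A source that shows up with success_after_burst set is the one to chase first: it means both that the creds were guessable and that lockout or rate limiting did not do its job.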

Confirmation of some TTPs via Defused

So I worked with Simo from Defused to see if we could identify activity from the TA, and guess what? We can! There are logs in the platform from the TA sending a lot of credential attempts…..

This shows the value of honeypots not only for detection but also for confirming TA activity and TTPs.

We can see here as well evidence of the types (and makeup) of credentials used by the TA.

Tag Teaming Honeypots

See, one thing in this game is that there’s often value in looking across multiple spaces, so I headed over to GreyNoise (love Ghosty!):

We can see here traffic affecting a range of services being attacked.

We can also see the date first seen, March 2026!

Some interesting observations on the TA

What can we learn about the TA and their TTPs?

  • There are Russian language comments in the scripts
  • They used Hashtopolis (a web-based distributed cracking platform)
  • They were also using an ‘AI pentesting platform’ (don’t lose your minds; if they weren’t using LLMs in 2026 you would have to question why)
  • They aren’t doing anything super smart
  • They aren’t very neat (no really…. and that says something)
  • They left their Python server with no auth, exposing an Open Directory (so they mess up just like everyone else)
  • It’s not, to my mind, sophisticated or advanced; they have used some scale but really they just tried. The delta between doing and not doing is what improves the odds of success!

This campaign is clearly not very clever, but it is BIG! There have been billions of auth attempts…. and lots of them seem to have worked! Remember, no one cares how smart something is; it doesn’t change the ‘did it work?’ question.

When are we going to learn?

If you search for this ASN you will find cybercrime reports about it going back years. Not only that, but we also have to think about what we as a society could do to prevent these kinds of events being so impactful/successful.

  • The credentials used to compromise devices are, frankly, shocking, not only in their makeup but also in the level of re-use between orgs.
  • The level of monitoring must be frankly tragic given how many compromises occurred, and this was only really detected after someone found the Open Directory (possibly via honeypot logs etc.)
  • We are clearly paying peanuts and getting monkeys when it comes to deploying really sensitive edge devices: admin interfaces exposed, account lockouts not working, lack of hardening and monitoring. The foundations that have been known for decades are still not being done.

In the ‘age of mythos’ where marketing hype and buzz words dominate, the cyber reality is often far simpler. Restrict, Harden, Test, Monitor…. go a really long way still.

As always, we have some good guidance from NCSC UK:

https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring

https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/network-architectures

https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces

As always the devil is in the details, the cyber security challenge is one that you don’t want to rush….. because that’s how we get mistakes.