Fortinet SSL VPN and FortiManager Targeted In A Coordinated Brute Force Campaign


On August 3, 2025, GreyNoise detected a record spike in brute-force attacks targeting Fortinet SSL VPNs, with over 780 unique IPs flagged in a single day. Historical data shows such spikes often precede disclosure of Fortinet vulnerabilities – 80% within six weeks.

Severity Level: High

Incident Summary

  • Initial Spike (August 3, 2025): Attack traffic focused on FortiOS profiles, characterized by one dominant TCP signature.
  • Evolution (August 5, 2025 onwards): Sudden shift to a different TCP signature, paired with distinct client signatures, indicating a new operational phase. Targeting pivoted from FortiOS to FortiManager (FGFM) services.
  • Geographic Hotspots: Hong Kong and Brazil emerged as top targeted countries over the past 90 days.

Attack Waves Identified

  1. Wave One – Long-Term Campaign:
    • Steady brute-force attempts with a consistent TCP signature.
    • Likely operated by an established threat infrastructure.
  2. Wave Two – Coordinated Burst:
    • Began August 5, featuring a completely different TCP signature.
    • Associated with both VPN and FortiManager targeting, possibly using the same underlying tools.

Infrastructure Notes

  • One FortiGate device linked to a residential ISP (Pilot Fiber Inc.) appeared in testing or early deployment, suggesting possible residential proxy use or pre-campaign staging.
  • IP overlap between the August 3 spike and historical activity hints at toolset reuse or shared operator infrastructure.

Risk Correlation

  • GreyNoise research shows 80% of similar brute-force traffic spikes against Fortinet precede vulnerability disclosures for the same products within six weeks.
  • This increases the urgency for proactive defense before potential exploitation of a zero-day or newly disclosed flaw.

Recommendations

  1. Restrict VPN access from high-risk or non-business regions.
  2. Implement authentication rate limits for VPN services to slow down brute-force attempts.
  3. Enforce MFA for all VPN and FortiManager accounts, especially administrative users.
  4. Ensure Fortinet SSL VPN and FortiManager are running the latest security patches.
  5. Track Fortinet security bulletins closely over the next six weeks for potential related CVE disclosures.
  6. Monitor for unusual login activity, such as high-frequency login failures or access from atypical geolocations.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/5f282a08f09835dba790cf4b6b4cab76c9486aa11514405501e491397a734c0a/iocs
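Recommendation 6 can be turned into a simple detection: count SSL VPN login failures per source IP inside a sliding time window and flag sources that reach a threshold, also noting how many distinct usernames they tried (password spraying shows up as many users from one IP). The script below is an added example, not code from Ampcus Cyber or GreyNoise; it assumes FortiGate-style key=value event logs carrying `subtype="vpn"`, `action="ssl-login-fail"`, `remip` and `user` fields, and the log lines themselves are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in FortiGate key=value style (not real captured data).
SAMPLE_LOGS = """\
date=2025-08-03 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin"
date=2025-08-03 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="root"
date=2025-08-03 time=10:00:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="test"
date=2025-08-03 time=10:00:15 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpnuser"
date=2025-08-03 time=10:00:22 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="guest"
date=2025-08-03 time=10:01:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin"
date=2025-08-03 time=10:05:40 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jsmith"
date=2025-08-03 time=10:12:11 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jsmith"
date=2025-08-03 time=10:13:00 type="event" subtype="system" action="login" remip=198.51.100.7 user="jsmith"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a key=value log line into a dict; quoted values lose their quotes."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev

def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {remip: (max_failures_in_window, distinct_users)} for sources whose
    SSL VPN login failures reach `threshold` inside any sliding `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login-fail":
            by_ip[ev["remip"]].append((ev["ts"], ev.get("user", "")))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (count, len({u for _, u in events[start:end + 1]}))
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in find_bruteforce_sources(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {n} failures in 5 min across {users} usernames")
```

Tune `threshold` and `window` to the normal failure rate of your own user base; a low-and-slow source such as 198.51.100.7 above only surfaces when the window is widened.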

Source:

  • https://www.greynoise.io/blog/vulnerability-fortinet-vpn-bruteforce-spike
  • https://viz.greynoise.io/tags/fortinet-ssl-vpn-bruteforcer
