Coordinated Brute Force Campaign Targets Fortinet SSL VPN
A significant spike in brute-force traffic targeting Fortinet SSL VPNs was observed on August 3, with over 780 unique IPs triggering the Fortinet SSL VPN Bruteforcer tag. The activity was deliberate and precise, focusing on FortiOS. Two distinct waves of attacks were identified: a long-running set of brute-force activity and a sudden burst beginning August 5. The second wave shifted from targeting FortiOS to FortiManager - FGFM profile. Historical data revealed a potential residential origin or proxy use. The analysis suggests evolving attack patterns and potential reuse of tooling. Research indicates that such spikes often precede new vulnerability disclosures within six weeks. Defenders are advised to use GreyNoise to search for and block malicious IPs associated with this campaign.
AI Analysis
Technical Summary
This threat describes a coordinated brute-force campaign targeting Fortinet SSL VPN devices, focusing initially on FortiOS and later shifting to FortiManager's FGFM profile. Starting August 3, 2025, security researchers observed a significant spike in brute-force login attempts originating from over 780 unique IP addresses. The campaign consists of two distinct waves: a long-running, persistent brute-force effort against FortiOS VPNs, followed by a sudden surge beginning August 5 that pivoted to targeting FortiManager components. The attackers appear to use a distributed network of IPs, potentially residential or proxy-based, to evade detection and complicate blocking; this distribution indicates a deliberate and precise attacker methodology with evolving tactics and possible reuse or adaptation of existing attack tooling. Historical analysis suggests that such brute-force spikes often precede the public disclosure of new vulnerabilities within approximately six weeks, implying that attackers may be probing for weaknesses ahead of exploitation opportunities. Although no known exploits are currently active in the wild, the campaign's scale and sophistication warrant heightened vigilance. The attack techniques align with MITRE ATT&CK tactics including brute-force (T1110), exploitation of vulnerabilities (T1190), and credential access (T1078), underscoring the multifaceted nature of the threat. Indicators of compromise include multiple IP addresses from diverse geographies, which makes straightforward per-IP blocking unreliable on its own. Defenders are advised to leverage threat intelligence platforms such as GreyNoise to identify and block malicious IPs associated with this campaign and to monitor for evolving attack patterns.
Potential Impact
For European organizations, the impact of this campaign could be significant given the widespread use of Fortinet SSL VPNs for secure remote access, especially in sectors such as finance, government, healthcare, and critical infrastructure. Successful brute-force attacks could lead to unauthorized access, allowing attackers to exfiltrate sensitive data, disrupt operations, or establish persistent footholds within networks. The shift from FortiOS to FortiManager targeting suggests attackers aim to compromise management infrastructure, potentially enabling broader network control and lateral movement within enterprise environments. Given the campaign's distributed nature and use of proxy or residential IPs, detection and mitigation may be challenging, increasing the risk of successful intrusions. Moreover, the campaign's timing ahead of potential vulnerability disclosures means organizations may face zero-day exploitation risks if patches are not promptly applied once available. This threat could also strain incident response resources due to the volume and persistence of attack traffic. Overall, European entities relying on Fortinet VPN solutions should consider this campaign a credible and evolving risk to their network security posture, with potential impacts on confidentiality, integrity, and availability of critical systems.
Mitigation Recommendations
1. Implement strict rate limiting and account lockout policies on Fortinet SSL VPN and FortiManager login interfaces to mitigate brute-force attempts effectively.
2. Enforce multi-factor authentication (MFA) for all VPN and management access to reduce the risk of credential compromise significantly.
3. Regularly monitor VPN and FortiManager logs for unusual login patterns, including repeated failed attempts from multiple IPs, and establish alerting mechanisms.
4. Use threat intelligence feeds such as GreyNoise to identify and block IP addresses associated with this campaign at the firewall or intrusion prevention system level, updating blocklists dynamically.
5. Restrict VPN and management interface access to known, trusted IP ranges where feasible, minimizing exposure to the internet and reducing the attack surface.
6. Keep Fortinet devices updated with the latest firmware and security patches, and prepare to deploy patches promptly upon new vulnerability disclosures, maintaining a proactive patch management process.
7. Conduct regular credential audits and enforce strong password policies to reduce the effectiveness of brute-force attacks and credential stuffing.
8. Deploy network segmentation to limit the impact of potential compromises of VPN or management systems, isolating critical assets.
9. Educate security teams on the evolving tactics observed in this campaign to enhance detection and response capabilities, including recognizing proxy-based attack patterns.
10. Consider deploying anomaly detection tools capable of identifying distributed brute-force patterns and proxy-based attack sources, integrating them with existing security monitoring infrastructure.
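One way to implement the log monitoring called for in steps 3 and 10 (an added example written for this page, not code from the original advisory, GreyNoise or Fortinet): it parses constructed FortiGate-style failed-login lines (the field names `action`, `user` and `remip` are assumptions) and flags accounts hit from many distinct source IPs inside a short window, the distributed pattern that per-IP lockouts alone do not catch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-like key=value layout. The field
# names and values are assumptions for this example, not real device output.
SAMPLE_LOGS = """\
date=2025-08-03 time=10:15:01 action="ssl-login-fail" user="jsmith" remip=198.51.100.10
date=2025-08-03 time=10:15:07 action="ssl-login-fail" user="jsmith" remip=203.0.113.22
date=2025-08-03 time=10:15:13 action="ssl-login-fail" user="jsmith" remip=192.0.2.45
date=2025-08-03 time=10:15:20 action="ssl-login-fail" user="jsmith" remip=198.51.100.77
date=2025-08-03 time=10:15:26 action="ssl-login-fail" user="jsmith" remip=203.0.113.90
date=2025-08-03 time=10:16:02 action="ssl-login-fail" user="mlee" remip=192.0.2.45
date=2025-08-03 time=10:16:40 action="ssl-login-ok" user="mlee" remip=192.0.2.45
date=2025-08-03 time=11:40:00 action="ssl-login-fail" user="admin" remip=192.0.2.200
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields

def detect_distributed_bruteforce(log_text, window=timedelta(minutes=10), min_ips=3):
    """Return {user: [source IPs]} for accounts whose failed SSL VPN logins came
    from at least `min_ips` distinct sources within a sliding `window`.
    Each source contributes only a few attempts, so a per-IP threshold stays
    quiet; grouping by target account is what exposes the campaign."""
    failures = defaultdict(list)  # user -> [(timestamp, remip), ...]
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") == "ssl-login-fail":
            failures[f["user"]].append((f["ts"], f["remip"]))
    alerts = {}
    for user, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= min_ips and len(ips) > len(alerts.get(user, ())):
                alerts[user] = sorted(ips)  # keep the widest source set seen
    return alerts
```

Tune `window` and `min_ips` to the normal login profile of each account population; service and admin accounts usually warrant a lower threshold than staff accounts.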
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- ip: 45.227.254.113
- ip: 180.254.155.227
- ip: 185.77.225.174
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.greynoise.io/blog/vulnerability-fortinet-vpn-bruteforce-spike
- Adversary: null
- Pulse Id: 689cc45a7e90faee364f64cf
- Threat Score: null
Indicators of Compromise
IP
Value | Description |
---|---|
45.227.254.113 | CC=LT ASN=AS267784 flyservers s.a. |
180.254.155.227 | CC=ID ASN=AS7713 pt telekomunikasi indonesia |
185.77.225.174 | CC=US ASN=AS35916 multacom corporation |
Threat ID: 689cc8bdad5a09ad004f5c76
Added to database: 8/13/2025, 5:17:49 PM
Last enriched: 9/12/2025, 11:15:00 PM
Last updated: 9/25/2025, 6:50:47 PM