Coordinated Brute Force Campaign Targets Fortinet SSL VPN
A significant spike in brute-force traffic targeting Fortinet SSL VPNs was observed on August 3, with over 780 unique IPs triggering the Fortinet SSL VPN Bruteforcer tag. The activity was deliberate and precise, focusing on FortiOS. Two distinct waves of attacks were identified: a long-running set of brute-force activity and a sudden burst beginning August 5. The second wave shifted from targeting FortiOS to the FortiManager FGFM profile. Historical data on the source IPs points to a potential residential origin or proxy use. The analysis suggests evolving attack patterns and potential reuse of tooling. Research indicates that such spikes often precede new vulnerability disclosures within six weeks. Defenders are advised to use GreyNoise to search for and block malicious IPs associated with this campaign.
AI Analysis
Technical Summary
This threat describes a coordinated brute-force campaign targeting Fortinet SSL VPN devices, specifically focusing on FortiOS and later shifting to FortiManager's FGFM profile. Beginning August 3, 2025, security researchers observed a significant spike in brute-force login attempts originating from over 780 unique IP addresses. The campaign consists of two distinct waves: an ongoing long-term brute-force effort against FortiOS VPNs, followed by a sudden surge starting August 5 that pivoted to targeting FortiManager components. The attackers appear to use a distributed network of IPs, potentially residential or proxy-based, to evade detection and complicate blocking efforts. The campaign is deliberate and precise, indicating an evolving attacker methodology and possible reuse or adaptation of existing attack tooling. Historical analysis suggests that such brute-force spikes often precede the public disclosure of new vulnerabilities within approximately six weeks, implying that attackers may be probing for weaknesses ahead of exploitation opportunities. Although no active exploitation of a specific vulnerability has been reported, the campaign's scale and coordination warrant heightened vigilance. Defenders are advised to leverage threat intelligence platforms such as GreyNoise to identify and block malicious IPs associated with this campaign. The attack techniques align with MITRE ATT&CK techniques including brute-force (T1110), exploitation of vulnerabilities (T1190), and credential access (T1078), underscoring the multifaceted nature of the threat.
Potential Impact
For European organizations, the impact of this campaign could be significant given the widespread use of Fortinet SSL VPNs for secure remote access, especially in sectors such as finance, government, healthcare, and critical infrastructure. Successful brute-force attacks could lead to unauthorized access, allowing attackers to exfiltrate sensitive data, disrupt operations, or establish persistent footholds within networks. The shift from FortiOS to FortiManager targeting suggests attackers aim to compromise management infrastructure, potentially enabling broader network control and lateral movement. Given the campaign's distributed nature and use of proxy or residential IPs, detection and mitigation may be challenging, increasing the risk of successful intrusions. Moreover, the campaign's timing ahead of potential vulnerability disclosures means organizations may face zero-day exploitation risks if patches are not promptly applied once available. This threat could also strain incident response resources due to the volume and persistence of attack traffic. Overall, European entities relying on Fortinet VPN solutions should consider this campaign a credible and evolving risk to their network security posture.
Mitigation Recommendations
1. Implement strict rate limiting and account lockout policies on Fortinet SSL VPN and FortiManager login interfaces to mitigate brute-force attempts.
2. Enforce multi-factor authentication (MFA) for all VPN and management access to reduce the risk of credential compromise.
3. Regularly monitor VPN and FortiManager logs for unusual login patterns, including repeated failed attempts from multiple IPs.
4. Use threat intelligence feeds such as GreyNoise to identify and block IP addresses associated with this campaign at the firewall or intrusion prevention system level.
5. Restrict VPN and management interface access to known, trusted IP ranges where feasible, minimizing exposure to the internet.
6. Keep Fortinet devices updated with the latest firmware and security patches, and prepare to deploy patches promptly upon new vulnerability disclosures.
7. Conduct regular credential audits and enforce strong password policies to reduce the effectiveness of brute-force attacks.
8. Deploy network segmentation to limit the impact of potential compromises of VPN or management systems.
9. Educate security teams on the evolving tactics observed in this campaign to enhance detection and response capabilities.
10. Consider deploying anomaly detection tools capable of identifying distributed brute-force patterns and proxy-based attack sources.
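The detection logic behind recommendations 3 and 10, as an added example that is not from the original advisory nor from GreyNoise or Fortinet: a Python script that parses FortiOS-style SSL VPN event lines and flags accounts hit from many distinct sources, the distributed pattern that per-IP lockout alone misses. The log lines and addresses are constructed, and the field names (subtype, action, remip, user) are assumed from the FortiOS key=value event-log layout.

```python
"""Detect distributed SSL VPN brute force in FortiOS-style event logs (sample is constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # FortiOS key=value layout; names assumed, verify on your firmware

# Constructed sample: "admin" fails once from each of five sources (each below a per-IP
# lockout threshold), "bob" fails twice from one source, "alice" logs in successfully.
SAMPLE_LOG = """\
date=2025-08-05 time=10:15:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2025-08-05 time=10:15:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.11 user="admin" reason="sslvpn_login_permission_denied"
date=2025-08-05 time=10:15:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.12 user="admin" reason="sslvpn_login_permission_denied"
date=2025-08-05 time=10:15:15 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.13 user="admin" reason="sslvpn_login_permission_denied"
date=2025-08-05 time=10:15:22 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.14 user="admin" reason="sslvpn_login_permission_denied"
date=2025-08-05 time=10:16:00 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="alice" reason="N/A"
date=2025-08-05 time=10:16:05 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.5 user="bob" reason="sslvpn_login_permission_denied"
date=2025-08-05 time=10:16:06 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.5 user="bob" reason="sslvpn_login_permission_denied"
"""

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def failed_logins(text):
    """Yield (timestamp, source_ip, user) for each SSL VPN login failure."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login-fail":
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, rec["remip"], rec["user"]

def detect_distributed_bruteforce(text, window=timedelta(minutes=5), min_sources=4):
    """Flag accounts failing from >= min_sources distinct IPs inside one sliding window.
    Per-IP lockout misses this: every source stays under its threshold, so pivot on the account."""
    per_user = defaultdict(list)
    for ts, ip, user in failed_logins(text):
        per_user[user].append((ts, ip))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            counts = defaultdict(int)
            for ts, ip in events[i:]:
                if ts - start > window:
                    break
                counts[ip] += 1
            if len(counts) >= min_sources:
                alerts[user] = dict(counts)  # source IP -> attempts inside the window
                break
    return alerts
```

Feeding the sample through `detect_distributed_bruteforce(SAMPLE_LOG)` reports only `admin`, with five sources at one attempt each; `bob`'s single-source burst is left to the device's own lockout policy.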
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.greynoise.io/blog/vulnerability-fortinet-vpn-bruteforce-spike
- Adversary: not specified
- Pulse ID: 689cc45a7e90faee364f64cf
- Threat Score: not specified
Indicators of Compromise
IP addresses
Value | Description
---|---
45.227.254.113 | CC=LT ASN=AS267784 flyservers s.a.
180.254.155.227 | CC=ID ASN=AS7713 pt telekomunikasi indonesia
185.77.225.174 | CC=US ASN=AS35916 multacom corporation
Threat ID: 689cc8bdad5a09ad004f5c76
Added to database: 8/13/2025, 5:17:49 PM
Last enriched: 8/13/2025, 5:36:06 PM
Last updated: 8/16/2025, 9:52:21 AM