Fortinet SSL VPNs Targeted in Significant Brute-Force Attack Spike
Threat intelligence firm GreyNoise is reporting a notable surge in brute-force traffic aimed specifically at Fortinet SSL VPN devices. The activity began on August 3, 2025 and involved more than 780 unique IP addresses. It fits a broader pattern of attackers concentrating on enterprise edge security infrastructure, where a single successful login can translate directly into corporate network access.
The campaign was sustained rather than a one-off burst: as many as 56 distinct IPs were observed participating within a single 24-hour period. The source addresses geolocated to the United States, Canada, Russia and the Netherlands, while the targets spanned the United States, Hong Kong, Brazil, Spain and Japan. That spread points to distributed attack infrastructure, though geolocation alone says nothing about who operates it or whether the sources are proxies, rented hosts or compromised machines.
Shifting Tactics and Evolving Signatures
GreyNoise emphasized that the traffic was not indiscriminate internet-wide scanning: it matched the FortiOS profile specifically, which the firm characterized as a deliberate effort rather than opportunistic probing. GreyNoise identified two distinct phases, split around August 5, 2025. The first was a long-running brute-force campaign at a relatively steady tempo, carrying a single TCP signature.
From August 5 onwards the picture changed. The second phase was a sudden, concentrated burst of traffic with a different TCP signature. Notably, traffic carrying this later TCP and client signature pair no longer matched the FortiOS profile; it consistently hit FortiManager instead. That is consistent with the same infrastructure or toolset being repointed at a different Fortinet-facing service rather than with a new, unrelated actor appearing.
Historical Patterns and Potential Implications
Looking back through historical data for the post-August 5 TCP fingerprint, GreyNoise found an earlier spike in June. That activity carried a unique client signature that was traced to a FortiGate device in a residential ISP block managed by Pilot Fiber Inc. This supports two non-exclusive hypotheses: that the brute-force tooling was first tested or launched from a home network, or that residential proxies were used to mask the operators' true origin.
The timing matters because of a pattern GreyNoise documented in its "Early Warning Signals" report, published late last month: spikes in malicious traffic against a specific technology are frequently followed, within roughly six weeks, by the disclosure of new CVEs affecting that same technology. The report found the pattern especially pronounced for enterprise edge technologies such as VPNs, firewalls and remote access tools, precisely the class of systems that sophisticated actors favour for the broad network access a foothold there provides.
For organizations running Fortinet devices, the practical takeaways are concrete: confirm that SSL VPN portals and, above all, FortiManager management interfaces are reachable only from where they must be; watch authentication logs for bursts of failed VPN logins from many distinct source addresses, not just repeated failures from one; and keep firmware patching current so that any follow-on CVE can be applied quickly. Any further CVE disclosures or shifts in the attackers' fingerprints over the coming weeks will be the clearest signal of where this campaign is heading.
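The two numbers GreyNoise reports (distinct source IPs per 24-hour window, and the jump relative to the preceding quiet period) are exactly what a defender can compute from a firewall's own authentication logs. The following is an added example, not GreyNoise or Fortinet code. It parses key=value log lines in a constructed approximation of FortiGate's event/vpn failed-login records (the field names `remip`, `user`, `action="ssl-login-fail"` are assumptions; adjust them to your log export), buckets failed logins into calendar-day windows, and flags a window as a brute-force spike when the distinct-source count crosses an absolute floor and is several times the previous window's count. The sample lines, including the documentation-range IP addresses, are constructed for the example.

```python
"""Distinct-source spike detection over SSL VPN login failures (added example).

Log format is a constructed approximation of FortiGate key=value event logs;
field names below are assumptions, not a verified schema.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# key=value tokens; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a failed SSL VPN login event, or None for any other record."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("subtype") != "vpn" or fields.get("action") != "ssl-login-fail":
        return None
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "src": fields["remip"], "user": fields.get("user", "?")}


def detect_spikes(lines, window=timedelta(hours=24), min_ips=20, ratio=3.0):
    """Bucket failed logins into fixed windows aligned to midnight of the first
    event's day. A window is a spike when its distinct-source count is at least
    min_ips and at least `ratio` times the previous populated window (a window
    with no baseline before it only needs to clear min_ips)."""
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    start = min(e["ts"] for e in events).replace(hour=0, minute=0, second=0, microsecond=0)
    srcs_by_win = defaultdict(set)       # window index -> distinct source IPs
    users_by_win = defaultdict(Counter)  # window index -> failures per username
    for e in events:
        idx = int((e["ts"] - start) / window)
        srcs_by_win[idx].add(e["src"])
        users_by_win[idx][e["user"]] += 1

    alerts, prev = [], None
    for idx in sorted(srcs_by_win):
        n = len(srcs_by_win[idx])
        if n >= min_ips and (not prev or n >= ratio * prev):
            alerts.append({
                "window_start": start + idx * window,
                "distinct_ips": n,
                "baseline_ips": prev or 0,
                "top_users": users_by_win[idx].most_common(3),
            })
        prev = n
    return alerts


# --- Constructed sample data (documentation IP ranges, not real sources) ---
def _line(date, time, ip, user):
    return (f'date={date} time={time} devname="fgt-edge-1" logid="0101039426" '
            f'type="event" subtype="vpn" level="alert" action="ssl-login-fail" '
            f'tunneltype="ssl-web" remip={ip} user="{user}" reason="sslvpn_login_unknown_user"')


SAMPLE_LOGS = [
    # A quiet day: two sources, a handful of typo-style failures.
    _line("2025-08-02", "09:00:01", "203.0.113.5", "alice"),
    _line("2025-08-02", "09:00:07", "203.0.113.5", "alice"),
    _line("2025-08-02", "14:30:00", "203.0.113.9", "bob"),
    # An unrelated record the parser must ignore (different subtype, no remip).
    'date=2025-08-02 time=15:00:00 type="event" subtype="system" action="login" user="admin"',
]
# The next day: 56 distinct sources spraying three generic account names.
SAMPLE_LOGS += [
    _line("2025-08-03", f"{i % 24:02d}:{i % 60:02d}:00", f"198.51.100.{i}",
          ["admin", "test", "vpn"][i % 3])
    for i in range(1, 57)
]


def run_sample():
    return detect_spikes(SAMPLE_LOGS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['window_start']:%Y-%m-%d}: {a['distinct_ips']} distinct sources "
              f"(baseline {a['baseline_ips']}), most-targeted accounts {a['top_users']}")
```

The absolute floor keeps a single user fat-fingering a password from tripping the ratio test, and the ratio keeps a busy VPN with a naturally high failure count from alerting every day; tune both against your own baseline. Breaking out the most-targeted usernames distinguishes credential spraying against generic accounts from a focused attack on one person.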