
Cybersecurity researchers have warned of "critical spikes" in brute-force traffic targeting Fortinet SSL VPN devices.
According to threat intelligence company GreyNoise, the coordinated activity was observed on August 3, 2025, with over 780 unique IP addresses taking part.
As many as 56 unique IP addresses were seen in the preceding 24 hours. All of them are classified as malicious, and they originate from the US, Canada, Russia and the Netherlands. Targets of the brute-force activity include the United States, Hong Kong, Brazil, Spain and Japan.
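A defender reading this report will want to check their own FortiGate event logs for the same pattern: a sudden jump in the number of distinct sources failing SSL VPN logins, with a handful of attempts from each. The script below is an added example, not GreyNoise's or Fortinet's code. It parses constructed sample lines written in the FortiOS key=value syslog style (the field names `subtype="vpn"`, `action="ssl-login-fail"`, `remip` and `user`, and the window and threshold values, are assumptions to verify against your firmware's log reference), buckets failures into hourly windows, and flags any window whose distinct-source count rises well above every earlier window.

```python
"""Flag a coordinated SSL VPN brute-force spike in FortiGate-style event logs.

Added example with constructed sample data; the key=value field names follow
the FortiOS syslog style but are assumptions to verify against your firmware.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# key=value or key="quoted value" tokens, as emitted by FortiOS syslog
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def failed_logins(lines):
    """Yield (timestamp, source_ip, user) for SSL VPN login failures only."""
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "vpn" or f.get("action") != "ssl-login-fail":
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, f["remip"], f.get("user", "")


def bucket(events, width):
    """Group events into fixed windows of `width` seconds: [(start, Counter{ip: fails})]."""
    buckets = defaultdict(Counter)
    for ts, ip, _user in events:
        secs = int((ts - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=secs - secs % width)
        buckets[start][ip] += 1
    return sorted(buckets.items())


def spike_windows(events, width=3600, min_ips=10, ratio=3.0, per_ip=5):
    """Return windows where the distinct failing sources jump above the prior baseline.

    A window alerts when it has at least `min_ips` distinct sources and that
    count is `ratio` times the busiest earlier window. `heavy_hitters` lists
    the sources with `per_ip` or more failures, the candidates for blocking.
    """
    alerts, seen = [], []
    for start, per_source in bucket(events, width):
        distinct = len(per_source)
        if seen and distinct >= min_ips and distinct >= ratio * max(seen):
            alerts.append({
                "window": start,
                "distinct_ips": distinct,
                "heavy_hitters": sorted(ip for ip, n in per_source.items() if n >= per_ip),
            })
        seen.append(distinct)
    return alerts


def sample_log():
    """Constructed sample, not real telemetry: three quiet hours, then a burst."""
    base = datetime(2025, 8, 3, 0, 0, 0)

    def fail(ts, ip, user):
        return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} devname="fg-edge-1" '
                f'type="event" subtype="vpn" logdesc="SSL VPN login fail" '
                f'action="ssl-login-fail" tunneltype="ssl-web" remip={ip} '
                f'user="{user}" reason="sslvpn_login_unknown_user"')

    lines = []
    for hour in range(3):  # background: one mistyped password and one success per hour
        ts = base + timedelta(hours=hour, minutes=17)
        lines.append(fail(ts, "203.0.113.10", "jsmith"))
        lines.append(f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} devname="fg-edge-1" '
                     f'type="event" subtype="vpn" action="ssl-login" '
                     f'remip=203.0.113.10 user="jsmith"')
    for i in range(30):  # burst: 30 sources, 6 attempts each, inside the fourth hour
        for attempt in range(6):
            ts = base + timedelta(hours=3, minutes=i, seconds=attempt * 7)
            lines.append(fail(ts, f"198.51.100.{i + 1}", f"user{attempt}"))
    return lines


if __name__ == "__main__":
    for alert in spike_windows(failed_logins(sample_log())):
        print(f"{alert['window']:%Y-%m-%d %H:%M} distinct sources={alert['distinct_ips']} "
              f"heavy hitters={len(alert['heavy_hitters'])}")
```

The check keys on distinct sources rather than per-source volume because a distributed campaign of this kind keeps each address below a naive lockout threshold. Note that firewall event logs do not carry the TCP and client fingerprints GreyNoise used to tell the two waves apart; that needs packet-level metadata from a network sensor, so a log-based check like this shows the volume pattern, not which toolset produced it.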

"Critically, the observed traffic targets our FortiOS profile, suggesting intentional and accurate targeting of Fortinet's SSL VPN," GreyNoise said. "This was not opportunistic. It was a focused activity."
The company also said it identified two distinct attack waves around August 5: long-running brute-force activity tied to one TCP signature that stayed relatively stable over time, and a sudden burst of intensive traffic carrying a different TCP signature.
"The traffic on August 3 targets the FortiOS profile, but the TCP and client signatures (meta-signatures) fingerprinted from August 5 did not hit FortiOS," the company said. "Instead, it was consistently targeting our FortiManager."

"This indicated a change in the attacker's behavior. It points to a pivot to a new Fortinet service, on new infrastructure or with a new toolset."
In addition, a deeper look at historical data tied to the August 5 TCP fingerprint reveals an early-June spike in which a unique client signature resolved to a FortiGate device in a residential ISP block managed by Pilot Fiber Inc.

This raises the likelihood that the brute-force tool was first tested from a home or lab network. Another hypothesis is the use of residential proxies.
The development comes against the backdrop of earlier findings that a surge in malicious activity against a given technology is often followed, within six weeks, by the disclosure of new CVEs affecting that same technology.
“These patterns were exclusive to enterprise edge technologies such as VPNs, firewalls, and remote access tools. This is the same type of system that is increasingly targeted by sophisticated threat actors.”
The Hacker News has contacted Fortinet for further comment and will update this story if there is a reply.