An enormous spike in brute-force assaults focused Fortinet SSL VPNs earlier this month, adopted by a change to FortiManager, marked a deliberate shift in focusing on that has traditionally preceded new vulnerability disclosures.
The marketing campaign, detected by risk monitoring platform GreyNoise, manifested in two waves, on August 3 and August 5, with the second wave pivoting to FortiManager focusing on with a unique TCP signature.
As GreyNoise beforehand reported, such spikes in deliberate scanning and brute-forcing precede the disclosure of latest safety vulnerabilities 80% of the time.
Typically, such scans purpose at enumerating uncovered endpoints, evaluating their significance, and estimating their exploitation potential, with precise assault waves following shortly after.
“New analysis reveals spikes like this typically precede the disclosure of latest vulnerabilities affecting the identical vendor — most inside six weeks,” warned GreyNoise.
“Actually, GreyNoise discovered that spikes in exercise triggering this actual tag are considerably correlated with future disclosed vulnerabilities in Fortinet merchandise.”
On account of this, defenders should not dismiss these spikes in exercise as failed makes an attempt to take advantage of previous, patched flaws, however relatively deal with them as potential precursors to zero-day disclosure and strengthen safety measures to dam them.
The Fortinet brute-force assaults
On August 3, 2025, GreyNoise recorded a spike in brute-forcing makes an attempt focusing on Fortinet SSL VPN as a part of a gentle exercise it has been monitoring since earlier.
JA4+ fingerprint evaluation, a community fingerprinting technique for figuring out and classifying encrypted visitors, linked the spike to June exercise originating from a FortiGate system on a residential IP tackle related to Pilot Fiber Inc.
“This overlap would not affirm attribution, but it surely suggests attainable reuse of tooling or community environments,” commented GreyNoise in its bulletin.
Supply: GreyNoise
Two days later, on August 5, a brand new brute-force marketing campaign from the identical attacker emerged, which switched focusing on from FortiOS SSL VPN endpoints to FortiManager’s FGFM service.
“Whereas the August 3 visitors has focused the FortiOS profile, visitors fingerprinted with TCP and consumer signatures — a meta signature — from August 5 onward was not hitting FortiOS,” defined GreyNoise.
“As an alternative, it was constantly focusing on our FortiManager – FGFM profile albeit nonetheless triggering our Fortinet SSL VPN Bruteforcer tag.”
This shift instructed that both the identical attackers or the identical toolset/infrastructure moved from making an attempt to brute-force VPN logins to making an attempt to brute-force FortiManager entry.
The IP addresses related to this exercise, and which ought to be positioned on blocklists, are:
- 31.206.51.194
- 23.120.100.230
- 96.67.212.83
- 104.129.137.162
- 118.97.151.34
- 180.254.147.16
- 20.207.197.237
- 180.254.155.227
- 185.77.225.174
- 45.227.254.113
GreyNoise notes that the tracked malicious exercise is evolving with time and is related to a particular origin cluster that almost definitely performs adaptive testing.
Normally, this exercise is unlikely to be researcher scans, that are sometimes broader in scope and restricted in charge, and would not contain credential brute-forcing, which is seen as an obvious intrusion try.
Therefore, defenders ought to block the listed IPs, enhance login safety on Fortinet units, and harden exterior entry the place attainable, proscribing entry solely to trusted IP ranges and VPNs.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration traits.