A misconfigured server exposed a detailed software pipeline where threat actors integrated DeepSeek and Claude into their attack workflows.
This discovery highlights a dangerous evolution in modern cybercrime, where AI tools are not just generating text but are embedded into the kill chain to automate complex offensive tasks against global targets.
The attack infrastructure specifically targeted FortiGate SSL VPN appliances, utilizing stolen configuration data to breach networks effectively.
By leveraging these compromised credentials, the operators successfully mapped internal infrastructures and identified critical assets.
The operation utilized custom-built tools to orchestrate these attacks, allowing for the simultaneous processing of thousands of targets without requiring manual intervention for every step of the intrusion process.
Evidence indicates that over 2,500 devices across 106 countries were processed in parallel batches.
Cyber and Ramen analysts identified that the threat actors utilized a dual-model approach, using DeepSeek to generate strategic attack plans based on reconnaissance data while employing Claude’s coding capabilities to execute vulnerability assessments.
This level of automation enabled even low-skilled operators to manage a massive volume of intrusions efficiently.
Automated Exploitation Workflow
The core of this operation relies on two custom components named ARXON and CHECKER2. CHECKER2 functions as a Docker-based orchestrator that handles parallel VPN scanning, while ARXON acts as a Model Context Protocol (MCP) server.
This bridge allows the attackers to feed specific network data into the LLMs, which then output actionable exploitation steps. For instance, the intrusion chain diagram illustrates how the system moves from initial access to active exploitation.
Once inside a network, the system uses Claude to run offensive tools like Impacket and Metasploit autonomously.
The redacted snippet of the vulnerability assessment report found on the server shows how the model documents its findings and suggests prioritized next steps, such as escalating privileges.
The exposed logs confirm that this automated system is actively targeting diverse sectors, including telecommunications.
To mitigate these AI-driven threats, organizations must prioritize patching edge devices immediately, as the speed of automated attacks leaves little room for delay.
Security teams should regularly audit VPN user accounts for unauthorized creations and monitor for unexpected SSH sessions. Additionally, verifying network configurations against known baselines can help detect the subtle modifications typical of this campaign.
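The three checks recommended above (flagging newly created local accounts, flagging SSH administrative sessions from hosts that are not on a management allowlist, and diffing the running configuration against an approved baseline) can be scripted. The following is an added example written for this article; it is not code from the article, from the researchers it cites, or from any vendor. The log lines, account names, IP addresses and configuration snippets are constructed, and the key=value field names (`type`, `action`, `cfgpath`, `cfgobj`, `ui`, `status`) are assumed to mirror the appliance's event-log format rather than taken from the page.

```python
import difflib
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the key=value style the appliance's event logs use.
# Field names are assumed to mirror the real format; every value is invented.
SAMPLE_LOGS = [
    'date=2025-01-10 time=02:14:07 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.45)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(203.0.113.45)"',
    'date=2025-01-10 time=02:14:31 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.45)" action="Add" cfgpath="user.local" cfgobj="svc_backup" '
    'msg="Add user.local svc_backup"',
    'date=2025-01-10 time=09:02:11 type="event" subtype="system" user="admin" '
    'ui="https(192.168.10.5)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(192.168.10.5)"',
    'date=2025-01-10 time=09:05:40 type="event" subtype="system" user="admin" '
    'ui="https(192.168.10.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" '
    'msg="Edit firewall.policy 12"',
]

# Hosts from which interactive administration is expected (assumed for the example).
ADMIN_SOURCE_ALLOWLIST = {"192.168.10.5"}

# Approved baseline versus the configuration pulled from the device (both constructed).
BASELINE_CONFIG = [
    'config user local',
    '    edit "vpn_alice"', '        set type password', '    next',
    'end',
]
CURRENT_CONFIG = [
    'config user local',
    '    edit "vpn_alice"', '        set type password', '    next',
    '    edit "svc_backup"', '        set type password', '    next',
    'end',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_RE = re.compile(r'^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def source_of(record: Dict[str, str]) -> Tuple[str, str]:
    """Return (protocol, ip) from a ui="ssh(1.2.3.4)" style field, or ("", "")."""
    m = UI_RE.match(record.get("ui", ""))
    return (m.group(1), m.group(2)) if m else ("", "")


def find_user_creations(records: Iterable[Dict[str, str]]) -> List[str]:
    """Names of local accounts added on the appliance (candidate rogue VPN users)."""
    return [r.get("cfgobj", "?") for r in records
            if r.get("action") == "Add" and r.get("cfgpath") == "user.local"]


def find_unexpected_ssh_logins(records: Iterable[Dict[str, str]], allowlist) -> List[str]:
    """Source IPs of successful SSH admin logins that are not on the allowlist."""
    hits = []
    for r in records:
        if r.get("action") != "login" or r.get("status") != "success":
            continue
        proto, ip = source_of(r)
        if proto == "ssh" and ip not in allowlist:
            hits.append(ip)
    return hits


def config_drift(baseline: List[str], current: List[str]) -> Dict[str, List[str]]:
    """Lines added to or removed from the running config relative to the baseline."""
    added, removed = [], []
    for line in difflib.unified_diff(baseline, current, lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue  # skip diff headers, keep only changed lines
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}


def review(log_lines, allowlist, baseline, current) -> Dict[str, object]:
    """Run all three checks and return the findings in one dict."""
    records = [parse_line(line) for line in log_lines]
    return {
        "new_local_users": find_user_creations(records),
        "unexpected_ssh_sources": find_unexpected_ssh_logins(records, allowlist),
        "config_drift": config_drift(baseline, current),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOGS, ADMIN_SOURCE_ALLOWLIST, BASELINE_CONFIG, CURRENT_CONFIG)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On the constructed input the script reports one new local account (`svc_backup`), one SSH login from an address outside the management allowlist, and three configuration lines present on the device but absent from the baseline; in practice the same three signals would be fed from the appliance's syslog export and a configuration backup taken at a known-good point in time.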
The post Hackers Leverage DeepSeek and Claude to Attack FortiGate Devices Worldwide appeared first on Cyber Security News.
