Fortinet SSL VPN Targeted by Hackers From 780 Unique IP Addresses

Cybersecurity researchers have identified a significant coordinated brute force campaign targeting Fortinet SSL VPN infrastructure, with over 780 unique IP addresses participating in attacks on August 3, 2025.

The campaign represents the highest single-day volume of malicious activity observed against Fortinet systems in recent months, raising concerns about potential undisclosed vulnerabilities in the platform.

Two-Wave Attack Pattern Emerges

Security analysts at GreyNoise discovered two distinct waves of brute force activity targeting Fortinet systems.

The first wave consisted of long-running attacks tied to a single TCP signature that maintained steady activity levels over time.

However, the second wave marked a dramatic escalation, beginning August 5 with a completely different TCP signature and characterized by sudden, concentrated bursts of traffic.

The attack pattern revealed sophisticated targeting, with traffic initially focused on FortiOS profiles before shifting to FortiManager FGFM profiles.

This behavioral change suggests attackers are systematically probing different Fortinet services, potentially indicating knowledge of specific vulnerabilities or attack vectors.

The precision of this targeting rules out opportunistic scanning and points to deliberate, coordinated malicious activity.

Infrastructure Analysis Reveals Residential Origins

Technical analysis of the attack infrastructure uncovered several key IP addresses associated with the campaign, including 31.206.51.194, 23.120.100.230, 96.67.212.83, and 104.129.137.162.

Particularly notable was the discovery of traffic originating from a FortiGate device located within a residential ISP block operated by Pilot Fiber Inc., suggesting attackers may be leveraging compromised home networks or residential proxy services.

The use of JA4+ fingerprinting techniques revealed connections between recent attack waves and historical traffic patterns dating back to June 2025.

This clustering analysis indicates potential reuse of attack tooling or network environments, providing investigators with valuable attribution leads.

The geographic distribution of targets primarily focused on Hong Kong and Brazil, suggesting regional targeting strategies.

Security researchers warn that such coordinated campaigns often precede the disclosure of new vulnerabilities, with 80 percent of similar activity patterns followed by CVE publications within six weeks.

Organizations using Fortinet SSL VPN infrastructure are advised to implement enhanced monitoring and consider blocking the identified malicious IP ranges while awaiting potential security updates from the vendor.
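The monitoring advice above is easiest to act on with a concrete check against the VPN's own logs. The following Python script is an added example, not code from the article or from GreyNoise or Fortinet: it parses FortiOS-style key=value event lines, flags sources that exceed a failed-login threshold inside a sliding time window, matches sources against the four IP addresses named in this report, and emits a FortiOS address-object block for review. The log lines are constructed samples (the field names `action`, `remip`, `date` and `time` and the `ssl-login-fail` value are assumed to match the deployment's log format, so verify them against real output before relying on the parser), and the threshold and window are illustrative tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The only indicators the report itself names; treat as a watchlist, not a complete block list.
REPORTED_IPS = {"31.206.51.194", "23.120.100.230", "96.67.212.83", "104.129.137.162"}

# Constructed sample log in FortiOS-style key=value syntax (not real captures).
# 31.206.51.194: six failures in under a minute  -> brute force.
# 96.67.212.83:  a single failure, but it is on the reported watchlist.
# 10.0.0.5:      two failures then a success      -> ordinary user typo.
# 203.0.113.7:   five failures six minutes apart  -> below threshold in any 5-minute window.
SAMPLE_LOG = """\
date=2025-08-03 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="admin"
date=2025-08-03 time=09:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="test"
date=2025-08-03 time=09:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="vpn"
date=2025-08-03 time=09:00:07 type="event" subtype="vpn" action="ssl-login-fail" remip=10.0.0.5 user="alice"
date=2025-08-03 time=09:00:10 type="event" subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="guest"
date=2025-08-03 time=09:00:12 type="event" subtype="vpn" action="ssl-login-fail" remip=10.0.0.5 user="alice"
date=2025-08-03 time=09:00:15 type="event" subtype="vpn" action="tunnel-up" remip=10.0.0.5 user="alice"
date=2025-08-03 time=09:00:20 type="event" subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="support"
date=2025-08-03 time=09:00:30 type="event" subtype="vpn" action="ssl-login-fail" remip=96.67.212.83 user="admin"
date=2025-08-03 time=09:00:40 type="event" subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="root"
date=2025-08-03 time=09:10:00 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2025-08-03 time=09:16:00 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2025-08-03 time=09:22:00 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2025-08-03 time=09:28:00 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2025-08-03 time=09:34:00 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# key=value pairs; values may be quoted (with spaces inside) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one FortiOS-style line into (timestamp, {field: value})."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, fields


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak failures seen inside `window`} for sources reaching `threshold`.

    A per-source deque holds failure timestamps; entries older than the window are
    dropped before counting, so slow, spread-out failures never accumulate.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts, f = parse_line(line)
        if f.get("action") != "ssl-login-fail":
            continue  # successes and other VPN events do not count toward the threshold
        ip = f["remip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def known_indicator_hits(lines, watchlist=REPORTED_IPS):
    """Count every VPN event (any action) whose source is on the watchlist."""
    hits = defaultdict(int)
    for line in lines:
        _, f = parse_line(line)
        if f.get("remip") in watchlist:
            hits[f["remip"]] += 1
    return dict(hits)


def fortios_address_objects(ips, prefix="blk-"):
    """Render FortiOS CLI address objects (host entries) for a reviewed block list."""
    out = ["config firewall address"]
    for ip in sorted(ips):
        out += [f'    edit "{prefix}{ip}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    bf = detect_bruteforce(SAMPLE_LINES)
    wl = known_indicator_hits(SAMPLE_LINES)
    print("brute-force sources:", bf)
    print("watchlist hits:", wl)
    print(fortios_address_objects(set(bf) | set(wl)))
```

The two detectors deliberately answer different questions: the sliding window catches any noisy source, including ones no report has named yet, while the watchlist catches a single quiet probe from an address already tied to the campaign. Review the generated address objects before applying them; an address inside a residential block, as the report describes for the Pilot Fiber source, may be shared or reassigned.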


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
