FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
Campaign
Summary
A new FortiGate abuse campaign is using FortiGate NGFW appliances as entry points to breach victim networks, creating immediate risk for healthcare, government, and managed service provider environments. Attackers are exploiting recently disclosed vulnerabilities or weak credentials to steal configuration files, service-account credentials, and network topology data. The activity includes repeated access, credential extraction, and follow-on intrusion steps that can deepen compromise beyond the perimeter device.
Related Happenings
Major South Korean electronics manufacturer hit by data theft breach
Incident
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Target Trend
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
2025 Rise in legitimate-access intrusions across enterprise sectors
Target Trend
First: 01.04.2026 17:05
Last: 01.04.2026 17:05
Sources 1
About this happening:
**Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...
AI-assisted hacktivist campaign targeting Mexican government agencies
Campaign
First: 06.03.2026 15:37
Last: 06.03.2026 15:37
Sources 1
About this happening:
A **small group of hacktivists** ran an **AI-assisted intrusion campaign** against **at least nine Mexican government agencies**, compromising systems over **multiple months**. Th...
Silver Dragon intrusion and phishing campaign targeting Europe, Southeast Asia, and Uzbekistan
Campaign
First: 04.03.2026 10:14
Last: 04.03.2026 10:14
Sources 1
About this happening:
The **Silver Dragon** campaign is actively using **public-facing internet servers** and **phishing emails with malicious attachments** to gain initial access, expanding risk acros...
Timeline
- 10.03.2026 18:21 · 2 articles · 2mo ago
FortiGate abuse campaign described in March 2026
Initial Disclosure: SentinelOne described a new FortiGate abuse campaign affecting healthcare, government, and managed service provider environments, noting that threat actors used known vulnerabilities or weak credentials on FortiGate Next-Generation Firewall appliances to steal configuration files, extract service account credentials, and gain deeper access. The reporting also tied the campaign to a November 2025 breach that created a local administrator account named "support", a late January 2026 case that deployed Pulseway and MeshAgent, and a February 2026 phase that extracted encrypted LDAP credentials and enabled further access attempts.
Sources:
- FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials — thehackernews.com — 10.03.2026 18:21