Contents

01. News Bites
  • FortiGate VPNs targeted in highly automated AI-driven cyber attacks

  • AI-enabled cyber attacks surge as threat actors scale campaigns

  • Cisco SD-WAN zero-day exploited to add rogue network peers

  • Freight and logistics sector across the USA and Europe targeted by organised phishing campaign

  • AI chatbot abuse linked to breach of Mexican government networks


02. Conclusion

Quick News Bites

FortiGate VPNs targeted in highly automated AI-driven cyber attacks

A significant cyber threat emerged in early February 2026 after researchers uncovered an intrusion campaign that deeply integrated large language models into the attack lifecycle. A misconfigured server exposed an automated pipeline where threat actors embedded DeepSeek and Claude directly into their workflows, moving beyond basic AI-assisted phishing into full kill chain automation.

The infrastructure focused on targeting FortiGate SSL VPN appliances, using stolen configuration data and credentials to gain access, map internal networks and identify high-value assets. Custom tooling allowed the operators to process thousands of targets simultaneously, with evidence suggesting more than 2,500 devices across 106 countries were analysed in parallel.

Analysts observed a dual-model approach, with DeepSeek used for strategic planning and Claude driving code execution and vulnerability assessments. Once access was achieved, the system autonomously ran tools such as Impacket and Metasploit.

The findings underline the urgency of patching edge devices, auditing VPN access and closely monitoring network activity as AI-driven attacks continue to scale rapidly.

AI-enabled cyber attacks surge as threat actors scale campaigns

The number of AI-enabled cyber attacks has nearly doubled over the past year, according to CrowdStrike’s Global Threat Report 2026. The report warns of an 89 percent increase in activity from so-called “AI-enabled adversaries” in 2025, as threat actors increasingly adopted machine learning and large language models to optimise existing attack techniques.

Rather than creating entirely new attack vectors, attackers are using AI to make familiar methods more effective and scalable. This includes generating more convincing phishing emails in multiple languages, accelerating reconnaissance, and supporting disinformation campaigns. CrowdStrike highlighted campaigns linked to Chinese intelligence services and Russian cyber criminal groups that used AI to increase the credibility and reach of social engineering operations.

The report also notes early experimentation with AI-assisted malware development, including the embedding of LLM prompting into espionage tools. While still limited in impact, CrowdStrike expects this trend to grow, warning organisations to strengthen identity controls, security awareness training and threat intelligence capabilities as the AI arms race intensifies.

Cisco SD-WAN zero-day exploited to add rogue network peers

Cisco has issued an urgent warning after confirming active exploitation of a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN. Tracked as CVE-2026-20127 and rated at the maximum severity of 10.0, the flaw allows remote attackers to compromise SD-WAN controllers and add malicious rogue peers to affected networks.

The vulnerability impacts Cisco Catalyst SD-WAN Controller and Manager deployments, both on-premises and in cloud environments. Exploitation enables attackers to authenticate as a high-privileged internal user, manipulate network configurations and potentially move deeper into enterprise environments through encrypted connections. Cisco Talos has linked the activity to a highly sophisticated threat actor, with evidence suggesting exploitation may date back several years.

In response, US and UK authorities have issued coordinated advisories, with CISA mandating immediate investigation and patching across federal networks. Organisations are strongly advised to audit logs, hunt for unauthorised peering activity and apply Cisco’s updates without delay, as no effective workarounds exist for this vulnerability.

Freight and logistics sector across the USA and Europe targeted by organised phishing campaign

Freight and logistics organisations across the US and Europe have been hit by a large-scale credential phishing operation linked to a financially motivated threat group known as Diesel Vortex. Active since September 2025, the campaign has resulted in the theft of at least 1,649 unique credentials, using more than 50 malicious domains to impersonate platforms relied on daily by the logistics industry.

Researchers uncovered the activity after discovering an exposed phishing repository containing databases, infrastructure details and Telegram communications. Analysis points to a highly organised operation with defined roles, operational tiers and monetisation models, deliberately targeting a sector that often sits outside the focus of traditional enterprise security controls.

The attackers combined email phishing, voice phishing and Telegram-based social engineering with pixel-perfect replicas of legitimate freight and logistics platforms. Stolen credentials and authentication data were then used to facilitate follow-on fraud, including freight impersonation and cargo diversion.

Although the infrastructure has since been disrupted, the campaign highlights the growing cyber risk facing global supply chains and the need for stronger identity protection and user awareness across the sector.

AI chatbot abuse linked to breach of Mexican government networks

A cybercriminal has reportedly used Anthropic’s AI chatbot Claude to compromise multiple Mexican government agencies, stealing large volumes of sensitive tax and voter data. According to Bloomberg, researchers at Israeli security firm Gambit Security uncovered evidence that the attacker, working through Spanish-language prompts, used Claude to identify network vulnerabilities, generate exploit scripts and automate data exfiltration.

The activity is believed to have run for around a month from December, affecting the Mexican Federal Tax Administration, the National Electoral Institute and regional government bodies. An estimated 150GB of data was stolen, including tax records, voter information, government credentials and population registry files. Gambit does not believe the activity is linked to a foreign state.

Anthropic has confirmed it is investigating and has blocked the associated accounts, while OpenAI said ChatGPT resisted similar misuse attempts. The incident highlights a growing trend of attackers abusing advanced AI coding tools, raising urgent questions around AI safeguards, monitoring and misuse detection as these technologies become more capable.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.