Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks

Cybersecurity researchers are tracking a sharp spike in automated intrusion attempts against Fortinet's FortiGate SSL VPN appliances. Unlike traditional botnet scanning, these attacks are orchestrated by "CyberStrikeAI," an open-source offensive AI framework originally built for corporate red-teaming.

Released on GitHub late last year, CyberStrikeAI uses a locally hosted, fine-tuned large language model (LLM) to assess target networks, generate evasive payloads on the fly, and move laterally once inside. The original developers built in guardrails intended to stop the tool from running live exploits without authorization, but threat actors quickly forked the repository, stripped those constraints, and weaponized the underlying model. Guardrails enforced only in client-side code offer no real protection once an attacker controls both the code and the model weights.

The current campaign targets a chain of recently disclosed heap-based buffer overflows in legacy FortiOS versions; devices running current, patched releases are not affected. Using the AI framework, the attackers automate the reconnaissance and exploitation phases, rewriting obfuscated Python exploit scripts to evade standard web application firewalls (WAFs) based on how the specific target responds.

"We are witnessing a fundamental paradigm shift in offensive operations," warned a senior threat intelligence analyst from Mandiant in a morning briefing. "We are no longer fighting static, pre-compiled scripts written by human operators. We are fighting an adaptive algorithm that actively learns from failed connection attempts, rewrites its own exploit logic in real time, and tries again until it breaches the perimeter."

Once it has initial access to the FortiGate device, CyberStrikeAI autonomously applies living-off-the-land (LotL) techniques to harvest credentials and establish persistence, then hands the session to human ransomware operators or initial access brokers on the dark web. On an appliance, that footprint is observable: new or altered administrator accounts, unexpected configuration changes, and outbound connections the device has no reason to make.

The incident has reignited the debate over the ethics of open-source offensive AI. The original GitHub repository for CyberStrikeAI was taken down after numerous DMCA and abuse reports, but locally hosted, uncensored versions of the model continue to circulate on decentralized file-sharing networks.

Fortinet has issued a critical advisory urging administrators to patch all perimeter devices to the latest FortiOS releases immediately and to require multi-factor authentication on every VPN interface. Security teams are also being warned that signature-based detection is proving largely ineffective against dynamically generated AI payloads, and that monitoring needs to shift toward behavior: the payload may differ on every attempt, but the login failures it generates, the account it creates, and the configuration it changes still appear in the appliance's own event logs.
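As an illustration of the behavioral approach, here is an added example (not code from the article, from Fortinet, or from the CyberStrikeAI project) that runs a few correlation rules over constructed FortiOS-style key=value event lines. The log lines and the field names (remip, user, action, subtype, cfgpath) are assumptions modelled on the FortiOS log format and are not captured data. It flags a burst of SSL VPN login failures from one remote address, a successful login from an address that recently failed repeatedly, and an administrator-account change by a user whose login was already flagged, regardless of what payload reached the device.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in FortiOS-style key=value syslog form.
# Field names are assumptions for illustration, not captured appliance logs.
SAMPLE_LOGS = [
    'date=2024-05-01 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice"',
    'date=2024-05-01 time=09:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"',
    'date=2024-05-01 time=09:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol"',
    'date=2024-05-01 time=09:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="dave"',
    'date=2024-05-01 time=09:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin"',
    'date=2024-05-01 time=09:00:10 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.9 user="erin"',
    'date=2024-05-01 time=09:00:20 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.7 user="admin"',
    'date=2024-05-01 time=09:01:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.44 user="frank"',
    'date=2024-05-01 time=09:02:00 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="svc_backup" user="admin"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict; quotes are stripped and 'ts' is a datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    return ev


def detect(lines, burst_threshold=5, burst_window=timedelta(seconds=60),
           followup_window=timedelta(minutes=10)):
    """Return (rule, subject, timestamp) alerts produced by three behavioral rules.

    login_burst: burst_threshold SSL VPN failures from one remote IP within burst_window.
    success_after_failures: a successful login from an IP that failed within followup_window.
    admin_change_after_suspicious_login: a system.admin config change by a user whose
        success was flagged, within followup_window of that success.
    """
    fails = defaultdict(deque)  # remote IP -> timestamps of recent login failures
    flagged_users = {}          # user -> time of a success that followed failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        ts = ev["ts"]
        if ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login-fail":
            window = fails[ev["remip"]]
            window.append(ts)
            while ts - window[0] > burst_window:   # slide the window forward
                window.popleft()
            if len(window) == burst_threshold:     # fire once when the threshold is reached
                alerts.append(("login_burst", ev["remip"], ts))
        elif ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login":
            recent = [t for t in fails.get(ev["remip"], ()) if ts - t <= followup_window]
            if recent:
                alerts.append(("success_after_failures", ev["remip"], ts))
                flagged_users[ev.get("user")] = ts
        elif ev.get("subtype") == "system" and ev.get("cfgpath", "").startswith("system.admin"):
            t0 = flagged_users.get(ev.get("user"))
            if t0 is not None and ts - t0 <= followup_window:
                alerts.append(("admin_change_after_suspicious_login", ev["user"], ts))
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOGS):
        print(f"{ts:%H:%M:%S} {rule:<36} {subject}")
```

None of these rules inspects request bodies, so a payload rewritten on every attempt does not change the outcome; the thresholds and windows are starting points to tune against the appliance's normal login volume.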