TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

GreyNoise

A Coordinated Brute Force Campaign Targets Fortinet SSL VPN

2025-08-12 · Read original ↗

ATT&CK techniques detected

5 predictions
T1110Brute Force
91%
“brazil. a tale of two brute force waves against fortinet when we reviewed a two week window of traffic matching the fortinet ssl vpn bruteforcer tag, two distinct waves emerged : - wave one : a long - running set of brute - force activity tied to a single tcp signature that remai…”
T1110Brute Force
87%
“a coordinated brute force campaign targets fortinet ssl vpn on august 3, greynoise observed a significant spike in brute - force traffic targeting fortinet ssl vpns. over 780 unique ips triggered our fortinet ssl vpn bruteforcer tag in a single day — the highest single - day volu…”
T1190Exploit Public-Facing Application
58%
“percent of observed cases followed by a cve disclosure within six weeks. defender recommendations use greynoise to : - search for this traffic using our fortinet ssl vpn bruteforcer tag. - block malicious ips using our dynamic ip blocklist for this tag. please contact your greyno…”
T1090.003Multi-hop Proxy
46%
“- not detected as a residential proxy or host of vpn services by spur. us. - recent detections by abusedb. - not seen on virustotal. notably, traffic tied to that same client signature in june was later seen paired with the same tcp signature associated with the longer - running …”
T1584.008Network Devices
35%
“triggering our fortinet ssl vpn bruteforcer tag. this indicated a shift in attacker behavior — potentially the same infrastructure or toolset pivoting to a new fortinet - facing service. ips associated with the meta signature : 31. 206. 51. 194 23. 120. 100. 230 96. 67. 212. 83 1…”

Summary

On August 3rd, 2025 GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs. Over 780 unique IPs triggered our Fortinet SSL VPN Bruteforcer tag in a single day — the highest single-day volume seen on this tag in recent months.