Surge in Fortinet SSL VPN Attacks Traced to Global Bruteforce Campaign


By Tina Reynolds


According to recent research from the threat intelligence company GreyNoise, the activity is part of a coordinated wave of brute-force attacks focused squarely on Fortinet SSL VPNs. GreyNoise recorded a median of 56 unique IPs per day in the last 24 hours that matched its malicious classification. These sources were spread across multiple nations, including the US, Canada, Russia, and the Netherlands. This activity puts the security of Fortinet’s VPN technology at risk.

Shortly afterwards, attackers appear to have shifted much of this malicious activity onto residential networks, which suggests they are either testing or running their tooling from home connections. The brute-force attacks against Fortinet SSL VPNs unfolded in two distinct waves: one before and one after August 5.

Distinct Waves of Attack

The initial wave carried a single TCP signature (tagged TCPSIG) and consisted of a sustained, automated barrage of login attempts aimed at weaknesses in Fortinet’s defences. Soon after, a second wave arrived at full force, this time carrying a different TCP signature, which shows that the adversary had changed its approach.

Targets in these waves included the United States, Hong Kong, Brazil, Spain and Japan. On August 3, 2025, over 780 unique IP addresses took part in this coordinated effort against Fortinet SSL VPNs.
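The signal GreyNoise describes above, a sharp rise in the number of distinct source addresses failing SSL VPN logins on a single day, is something a defender can watch for in their own FortiGate event logs. The following is an added example written for this article; it is not code from GreyNoise or Fortinet. It assumes log lines in a key=value layout that approximates the FortiOS SSL VPN login-failure event (`date=`, `action="ssl-login-fail"`, `remip=`); the sample lines are constructed, not captured telemetry. It counts unique failing sources per day, flags days that exceed a multiple of the median of the other days, and reports the mean attempts per source, which separates a distributed campaign (many sources, few attempts each) from a single noisy host.

```python
import re
from collections import defaultdict
from statistics import mean, median

# Regex over a key=value event line; only the three fields we need are captured.
LOG_RE = re.compile(
    r'date=(?P<date>\d{4}-\d{2}-\d{2}).*?action="(?P<action>[^"]+)".*?remip=(?P<ip>[\d.]+)'
)


def parse_failed_logins(lines):
    """Return {date: {source_ip: failed_attempts}} for SSL VPN login failures only."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("action") != "ssl-login-fail":
            continue  # malformed line or a successful login: not part of the signal
        per_day[m.group("date")][m.group("ip")] += 1
    return per_day


def unique_failing_ips_per_day(per_day):
    """Number of distinct sources with at least one failed login, per day."""
    return {day: len(ips) for day, ips in per_day.items()}


def flag_surges(per_day, factor=3.0, min_ips=5):
    """Flag days whose unique-source count exceeds `factor` x the median of the other days.

    `min_ips` suppresses alerts on tiny absolute numbers. Returns {day: (count, baseline)}.
    """
    counts = unique_failing_ips_per_day(per_day)
    flagged = {}
    for day, n in sorted(counts.items()):
        others = [c for d, c in counts.items() if d != day]
        baseline = median(others) if others else 0
        if n >= min_ips and n > factor * baseline:
            flagged[day] = (n, baseline)
    return flagged


def attempts_per_source(per_day, day):
    """Mean failed attempts per source on `day`; ~1.0 indicates a distributed campaign."""
    attempts = list(per_day[day].values())
    return mean(attempts) if attempts else 0.0


def _line(date, ip, user):
    # Constructed line approximating the FortiOS SSL VPN login-failure event format.
    return (f'date={date} time=10:00:00 type="event" subtype="vpn" '
            f'action="ssl-login-fail" remip={ip} user="{user}" '
            f'reason="sslvpn_login_unknown_user"')


# Constructed sample: four quiet days with two failing sources each, then a
# surge day with twelve distinct sources making one attempt apiece.
SAMPLE_LOGS = []
for i, day in enumerate(["2025-07-30", "2025-07-31", "2025-08-01", "2025-08-02"]):
    for j in range(2):
        SAMPLE_LOGS.append(_line(day, f"198.51.100.{i * 2 + j + 1}", "admin"))
for k in range(12):
    SAMPLE_LOGS.append(_line("2025-08-03", f"203.0.113.{k + 1}", f"user{k}"))
# A successful login on the surge day; it must not be counted.
SAMPLE_LOGS.append('date=2025-08-03 time=10:05:00 type="event" subtype="vpn" '
                   'action="ssl-login" remip=192.0.2.10 user="alice"')


if __name__ == "__main__":
    per_day = parse_failed_logins(SAMPLE_LOGS)
    for day, (n, baseline) in flag_surges(per_day).items():
        print(f"{day}: {n} unique failing sources (baseline median {baseline}), "
              f"mean attempts/source {attempts_per_source(per_day, day):.1f}")
```

On the constructed input only 2025-08-03 is flagged (12 sources against a baseline of 2), with a mean of one attempt per source, the distributed shape the article describes. In production the same counting can be fed from a SIEM query; the threshold and window are the knobs to tune against your own baseline.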

“Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” – GreyNoise

Historical Context and Patterns

A closer look at historical data for the post-August 5 TCP fingerprint revealed an earlier rise in malicious activity going back as far as June. That earlier surge was marked by a highly unusual client signature, and it routed all of its HTTPS traffic to a FortiGate device located in a residential ISP block owned by Pilot Fiber Inc. This correlation raises the question of how infrastructure on residential networks is being used in the campaign and where it could be vulnerable.

Pilot Fiber Inc. has seen pronounced spikes in malicious activity immediately preceding the public disclosure of new Common Vulnerabilities and Exposures (CVEs), usually within the same six-week period for the same technology. The pattern is a reminder that continued vigilance is needed as new threats develop.

“This was not opportunistic — it was focused activity,” – GreyNoise

Evolving Threat Landscape

The cybersecurity threat landscape continues to evolve, with attacks growing in sophistication and shifting in purpose. The recent activity targeting Fortinet SSL VPNs illustrates this trend: from one TCP-signature wave to the next, attackers changed tactics while the overall traffic volume stayed much the same.

“While the August 3 traffic has targeted the FortiOS profile, traffic fingerprinted with TCP and client signatures – a meta signature – from August 5 onward was not hitting FortiOS,” – GreyNoise