Summary (Bottom Line Up Front)
A US-based actor conducted focused vulnerability scanning and FortiGate SSL VPN exploitation attempts against internet-facing infrastructure over a 2-hour window on 2026-02-28. The activity generated 125 events targeting a single destination port, indicating automated tooling focused on specific attack vectors. The observed behavior suggests an opportunistic threat actor conducting reconnaissance and exploitation attempts against enterprise VPN infrastructure.
Activity Timeline
UPDATE 2026-03-14T17:23:38Z
Source: Analyst Manual Entry
New findings
The actor used multiple protocols, including HTTP, TCP, TCP/SYN, and TLS/1.0, in the attack sequence. Primary attack vectors included vulnerability path scanning (MITRE ATT&CK T1595.002 - Active Scanning: Vulnerability Scanning), with 6 observed attempts targeting common web application paths. FortiGate SSL VPN login exploitation attempts (2 instances) align with T1190 - Exploit Public-Facing Application, specifically targeting SSL VPN authentication mechanisms. The concentration on a single destination port indicates targeted reconnaissance rather than broad port scanning. Traffic analysis revealed use of the legacy TLS/1.0 protocol, suggesting either older tooling or deliberate protocol downgrade attempts to exploit weaker cryptographic implementations.
INITIAL REPORT 2026-03-14T16:29:56Z
Source: Analyst Manual Entry
Internet-facing sensors observed 125 malicious events from IP 216.180.246.68 over a 2-hour window on 2026-02-28, targeting FortiGate SSL VPN infrastructure and conducting vulnerability scanning. The threat actor demonstrated focused reconnaissance behavior with medium-severity exploitation attempts against enterprise VPN gateways. Activity patterns indicate automated tooling with specific targeting of Fortinet infrastructure vulnerabilities.
Technical details
The threat actor used the HTTP, TCP, TCP/SYN, and TLS/1.0 protocols during the observed attack sequence. Primary attack vectors included vulnerability path scanning (6 instances), mapped to MITRE ATT&CK T1595.002 (Active Scanning: Vulnerability Scanning), and FortiGate SSL VPN login attempts (2 instances), corresponding to T1078 (Valid Accounts) and T1133 (External Remote Services). The actor concentrated activity on a single destination port, indicating targeted reconnaissance rather than broad port scanning. The SSL VPN exploitation attempts suggest targeting of CVE-related vulnerabilities in Fortinet SSL VPN implementations, though specific CVE identifiers were not definitively observed in the traffic patterns. Traffic analysis revealed structured HTTP requests consistent with automated vulnerability assessment tools probing for known FortiGate SSL VPN weaknesses.
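Detection logic a defender could run over sensor events to surface the pattern described above (one source, one destination port, legacy TLS/1.0, scanner paths plus FortiGate SSL VPN login probes), as an added example that is not part of this report or of any sensor product. The event schema, the sample events and the path indicators are constructed assumptions; the report does not name the probed paths.

```python
"""Profile sensor events per source and flag single-port probing bursts.

Added example. Event schema (src_ip, dst_port, protocol, path) and all sample
events are constructed; path sets are assumed indicators, not from the report.
"""
from collections import Counter, defaultdict

# Assumed indicators: common web paths probed by scanners, and the FortiGate
# SSL VPN login endpoint (assumption standing in for the report's unnamed paths).
SCAN_PATHS = {"/.env", "/wp-login.php", "/admin", "/phpinfo.php",
              "/.git/config", "/xmlrpc.php"}
VPN_LOGIN_PATHS = {"/remote/login"}

# Constructed events mimicking the report's mix: 125 events from the reported
# source to one port, plus one unrelated event as background noise.
SRC = "216.180.246.68"
SAMPLE_EVENTS = (
    [{"src_ip": SRC, "dst_port": 443, "protocol": "TCP/SYN"} for _ in range(100)]
    + [{"src_ip": SRC, "dst_port": 443, "protocol": "TLS/1.0"} for _ in range(17)]
    + [{"src_ip": SRC, "dst_port": 443, "protocol": "HTTP", "path": p}
       for p in sorted(SCAN_PATHS)]
    + [{"src_ip": SRC, "dst_port": 443, "protocol": "HTTP", "path": "/remote/login"}] * 2
    + [{"src_ip": "198.51.100.7", "dst_port": 22, "protocol": "TCP/SYN"}]
)


def profile_sources(events, min_events=50):
    """Group events by source IP and summarise the indicators the report calls out.

    A source is flagged when it generated at least min_events, hit exactly one
    destination port, and issued at least one scanner-path or VPN-login probe.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    profiles = {}
    for src, evs in by_src.items():
        ports = Counter(e["dst_port"] for e in evs)
        paths = [e.get("path", "") for e in evs]
        pr = {
            "events": len(evs),
            "distinct_ports": len(ports),
            "tls10": sum(e["protocol"] == "TLS/1.0" for e in evs),
            "vuln_path_scans": sum(p in SCAN_PATHS for p in paths),
            "vpn_login_attempts": sum(p in VPN_LOGIN_PATHS for p in paths),
        }
        pr["suspicious"] = (pr["events"] >= min_events and pr["distinct_ports"] == 1
                            and (pr["vuln_path_scans"] + pr["vpn_login_attempts"]) > 0)
        profiles[src] = pr
    return profiles
```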
IOCs
IP: 216.180.246.68
COUNTRY: US