AI Agents Hijacked as 600+ Fortinet Firewalls Breached
Topics: Agentic AI · AI Regulation · AI Safety
AI agents are under active attack and simultaneously shipping unreviewed code at production scale — Cisco confirms adversaries are already hijacking, impersonating, and manipulating autonomous agents, while a small Russian-speaking group used commercial AI tools to breach 600+ Fortinet firewalls across 55 countries in weeks. If your security architecture doesn't treat AI agents as first-class identities and your AppSec program still assumes humans read the code they ship, you have two critical gaps widening simultaneously.
◆ INTELLIGENCE MAP
01 Agentic AI as a Live Attack Surface
act now · Autonomous AI agents are being targeted by adversaries, deployed with minimal security controls, and granted persistent OAuth access to critical business systems via MCP — creating a new class of unmanaged, high-privilege attack surface that most security architectures were never designed to address.
02 AI-Augmented Attacks Cross the Scalability Threshold
act now · Commercial AI tools enabled a small threat actor group to compromise 600+ Fortinet firewalls across 55 countries in weeks using basic credential attacks at machine speed — a paradigm shift that invalidates assumptions about attacker throughput and detection timelines.
03 AI-Generated Code Breaks AppSec Assumptions
monitor · Major companies are shipping 1,000+ agent-generated PRs per week with minimal human review, while 87% of top AI agents lack formal safety evaluations — creating a structural AppSec gap where code volume overwhelms review capacity and agent configuration files become high-value attack targets.
04 Shadow AI and Data Governance Sprawl
monitor · Third-party AI tools requiring only a URL or prompt input are proliferating faster than acceptable use policies can track, while native LLM-to-SaaS connectors create new OAuth trust boundaries that most DLP and CASB solutions don't monitor.
05 Geopolitical and Vendor Ecosystem Risk Signals
background · A partial DHS shutdown raises CISA continuity concerns, cybersecurity stocks dropped 20-30% YTD amid SaaS selloff fears, and AI infrastructure talent scarcity creates correlated data center delivery risk across cloud providers — all second-order risks to vendor resilience and federal threat intelligence availability.
◆ DEEP DIVES
01 Agentic AI Is Under Active Attack — And Your Security Architecture Isn't Ready
<h3>The Threat Is Live, Not Theoretical</h3>
<p>Multiple intelligence streams converge on the same conclusion: <strong>autonomous AI agents are a production attack surface being actively probed by adversaries</strong>. Cisco's SVP of AI, DJ Sampath, confirmed at the Cisco AI Summit that agents are being hijacked, impersonated, and manipulated to exfiltrate data at machine speed. Simultaneously, Anthropic's Claude Code now connects to Gmail, Slack, Notion, and calendars via <strong>Model Context Protocol (MCP)</strong> integrations running autonomously on cron schedules — granting persistent OAuth tokens with broad read/write scopes across an organization's most sensitive communication platforms.</p>
<blockquote>AI agents are the new unmanaged endpoints — if you're not treating them as first-class identities in your zero-trust architecture, you have an attack surface growing at machine speed with no visibility.</blockquote>
<h3>The Protocol Gap</h3>
<p>MCP and agent-to-agent communication protocols have scaled far ahead of their security controls. Sampath's critical observation: <em>these protocols scaled faster than the security around them</em>. This mirrors the API security crisis of 2019-2022, but with higher stakes because agents take autonomous actions. At Stripe, agents access <strong>over 400 internal tools via MCP servers</strong> through their centralized "Toolshed" integration, operating autonomously between task assignment and PR submission with no human interaction.</p>
<table>
<thead><tr><th>Attack Surface</th><th>Traditional IT Equivalent</th><th>Current Security Maturity</th><th>Risk Level</th></tr></thead>
<tbody>
<tr><td>Agent Identity</td><td>Service accounts / API keys</td><td>Low — most agents lack managed identities</td><td>Critical</td></tr>
<tr><td>MCP / Agent Protocols</td><td>API gateways / service mesh</td><td>Very Low — adopted without security hardening</td><td>Critical</td></tr>
<tr><td>Agent-to-Agent Communication</td><td>East-west network traffic</td><td>Very Low — largely unmonitored</td><td>High</td></tr>
<tr><td>Agent Behavioral Baselines</td><td>UEBA for human users</td><td>Minimal — most SOCs lack agent telemetry</td><td>High</td></tr>
</tbody>
</table>
<h3>The Safety Evaluation Gap</h3>
<p>A Cambridge study quantifies the problem: <strong>only 4 of 30 top AI agents (13%) have published formal safety evaluations</strong>. Browser agents — the most autonomous and highest-risk category — are missing <strong>64% of safety disclosures</strong>. You cannot perform adequate third-party risk assessment on tools that haven't assessed themselves.</p>
<h3>Dual Threat Model</h3>
<p>Cisco frames the problem with a useful dual lens that every security team should adopt: enterprises must <strong>protect themselves from their own agents</strong> (compromised or misconfigured agents acting against the organization) and <strong>protect their agents from external threats</strong> (adversaries targeting agents as entry points). The specific vectors — agent hijacking, impersonation, prompt injection, and protocol exploitation — map to gaps most enterprise security architectures were never designed to address. Your firewall rules, EDR agents, and SIEM correlation rules don't see agent-to-agent communication. Your IAM policies probably don't treat AI agents as first-class identities.</p>
<hr>
<h3>Compliance Implications</h3>
<p>Autonomous agents acting on regulated data create accountability challenges. For <strong>SOC 2</strong>: agent actions need audit log fidelity equal to human actions. For <strong>GDPR</strong>: agents processing personal data must be documented in records of processing activities. For <strong>HIPAA</strong>: agents accessing ePHI must be treated as workforce members. <em>Most compliance frameworks haven't caught up — the burden is on you to interpret and apply existing controls.</em></p>
Action items
- Audit all agentic AI deployments for agent identity, authentication, and authorization controls — treat agents as first-class identities in IAM/zero-trust architecture by March 15
- Inventory all MCP connections, OAuth grants, and API keys issued to AI tools across the organization by March 7
- Implement mandatory human-in-the-loop approval gates for all agent actions affecting privileges, production environments, or sensitive data access by end of Q1
- Require formal safety evaluation documentation before approving any new AI agent tool for production use, especially browser-based agents
- Deploy continuous behavioral monitoring for AI agent activity — tool calls, data access patterns, agent-to-agent communication — and establish baselines for anomaly detection this quarter
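The last action item calls for behavioral baselines and anomaly detection over agent activity, the "UEBA for agents" row in the table above. The script below is an added example, not code from the original briefing or from Cisco, Anthropic or Stripe. It builds a per-agent baseline from constructed tool-call telemetry and flags calls that use a tool outside the baseline, run outside the agent's scheduled window, return far more records than previously seen, or come from an agent with no baseline at all. The JSON field names, the `SCHEDULE` registry and every sample event are assumptions for illustration, not a real MCP or vendor schema.

```python
import json
from datetime import datetime

# Constructed baseline telemetry: one JSON object per agent tool call, as an
# MCP gateway or agent runtime might emit it. Field names are an assumption.
BASELINE_LOG = """\
{"ts":"2026-02-17T02:00:03Z","agent":"inbox-triage","tool":"gmail.search","records":20}
{"ts":"2026-02-17T02:00:09Z","agent":"inbox-triage","tool":"gmail.read","records":5}
{"ts":"2026-02-17T02:01:12Z","agent":"inbox-triage","tool":"slack.post","records":1}
{"ts":"2026-02-18T02:00:04Z","agent":"inbox-triage","tool":"gmail.search","records":18}
{"ts":"2026-02-18T02:00:11Z","agent":"inbox-triage","tool":"gmail.read","records":6}
{"ts":"2026-02-18T02:01:30Z","agent":"inbox-triage","tool":"slack.post","records":1}
"""

# Constructed events to evaluate against that baseline.
RECENT_LOG = """\
{"ts":"2026-02-19T02:00:05Z","agent":"inbox-triage","tool":"gmail.search","records":22}
{"ts":"2026-02-19T02:00:10Z","agent":"inbox-triage","tool":"gmail.read","records":4}
{"ts":"2026-02-19T14:22:41Z","agent":"inbox-triage","tool":"gmail.search","records":900}
{"ts":"2026-02-19T14:22:58Z","agent":"inbox-triage","tool":"notion.export","records":340}
{"ts":"2026-02-19T02:05:00Z","agent":"release-notes","tool":"github.read","records":3}
"""

# Hypothetical schedule registry: agent -> allowed UTC hour window [start, end).
# An agent that runs from a 02:00 cron job has no reason to call tools at 14:22.
SCHEDULE = {"inbox-triage": (2, 3)}

SPIKE_FACTOR = 3  # records per call above 3x the baseline maximum counts as a spike


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per agent: the set of tools it has used and the largest records-per-call seen."""
    baseline = {}
    for ev in events:
        profile = baseline.setdefault(ev["agent"], {"tools": set(), "max_records": 0})
        profile["tools"].add(ev["tool"])
        profile["max_records"] = max(profile["max_records"], ev["records"])
    return baseline


def _hour_utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def detect(events, baseline, schedule):
    """Return the events that deviate from the baseline, each tagged with its reasons."""
    findings = []
    for ev in events:
        reasons = []
        profile = baseline.get(ev["agent"])
        if profile is None:
            reasons.append("no_baseline")          # agent never seen before: inventory gap
        else:
            if ev["tool"] not in profile["tools"]:
                reasons.append("unknown_tool")     # new capability, e.g. a bulk export tool
            window = schedule.get(ev["agent"])
            if window and not (window[0] <= _hour_utc(ev["ts"]) < window[1]):
                reasons.append("off_schedule")     # activity outside the cron window
            if ev["records"] > SPIKE_FACTOR * profile["max_records"]:
                reasons.append("volume_spike")     # far more data touched than usual
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def run():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect(parse_events(RECENT_LOG), baseline, SCHEDULE)


if __name__ == "__main__":
    for f in run():
        print(f["ts"], f["agent"], f["tool"], ",".join(f["reasons"]))
```

Against the constructed data the two in-window calls on 2026-02-19 pass silently, the 14:22 `gmail.search` is flagged for schedule and volume, the `notion.export` call is flagged on all three baseline checks, and the `release-notes` agent is flagged only because it has no baseline, which is the inventory gap the second action item is about. In production the baseline would come from the same telemetry pipeline over a trailing window rather than a string constant, and the reasons would feed SIEM correlation alongside the OAuth scope of the tool involved.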
Sources: 🧠 Intelligence should be owned, not rented · 😺 She forgot 3 emails. Then built this. · The Emerging "Harness Engineering" Playbook · Your 2026 AI Playbook (PDF)
02 600+ Fortinet Firewalls Breached in Weeks — AI-Augmented Attacks Have Changed the Math
<h3>The Campaign</h3>
<p>Amazon reported that a <strong>small group of Russian-speaking hackers used commercial AI tools to breach 600+ Fortinet firewalls across 55 countries in weeks</strong>. Amazon explicitly stated this scale would have been <strong>impossible without AI</strong>. The attack vector was mundane — weak passwords and exposed management ports — but the speed and breadth of exploitation represents a paradigm shift in attacker capability.</p>
<table>
<thead><tr><th>Dimension</th><th>Traditional Attack</th><th>AI-Augmented Attack (This Campaign)</th></tr></thead>
<tbody>
<tr><td>Threat Actor Size</td><td>Large team or state-sponsored</td><td>Small group with commercial AI tools</td></tr>
<tr><td>Time to Compromise 600+ Devices</td><td>Months to years</td><td>Weeks</td></tr>
<tr><td>Geographic Scope</td><td>Typically regional</td><td>55 countries simultaneously</td></tr>
<tr><td>Tooling Cost</td><td>Custom infrastructure</td><td>Commercial AI subscriptions</td></tr>
</tbody>
</table>
<h3>What Changed</h3>
<p>The MITRE ATT&CK mapping is straightforward: <strong>T1110 (Brute Force)</strong>, <strong>T1133 (External Remote Services)</strong>, and likely <strong>T1078 (Valid Accounts)</strong> post-compromise. The techniques aren't new — the throughput is. AI handles the enumeration, credential testing, and lateral movement planning that previously required human analysts. The old assumption that credential stuffing campaigns are slow and noisy <strong>no longer holds</strong>.</p>
<blockquote>A small team with commercial AI tools just breached 600+ firewalls in 55 countries in weeks — if your perimeter security still relies on password strength and port hygiene alone, you're already behind the threat curve.</blockquote>
<h3>Implications for Threat Modeling</h3>
<p>This campaign should recalibrate how you model attacker capability. A small group achieved nation-state-scale impact using commercially available tools — not custom malware, not zero-days, not nation-state resources. Your red team exercises and tabletop scenarios should now assume attackers can scan, enumerate, and exploit at <strong>10-100x human speed</strong>. Adjust detection thresholds and response timelines accordingly.</p>
<p>This also intersects with the agentic AI threat: as organizations deploy more autonomous agents with network access and tool integrations, the same AI-augmented attack methodology can be turned against agent infrastructure, MCP endpoints, and agent credential stores.</p>
Action items
- Scan your entire Fortinet estate for default/weak credentials and internet-exposed management interfaces immediately — enforce MFA on all admin access
- Review Fortinet firewall logs for anomalous authentication patterns over the past 60 days and escalate any indicators of compromise to IR
- Update threat models and red team scenarios to assume AI-augmented attacker throughput (10-100x human speed) by end of Q1
- Cross-reference your perimeter device inventory against recent Fortinet advisory history and patch any outstanding vulnerabilities within 72 hours
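The second action item asks for a review of firewall authentication logs for anomalous patterns, and the "What Changed" section argues that the throughput, not the technique, is what moved. The script below is an added example, not code from the original briefing or from Amazon or Fortinet, that turns that argument into a detection: instead of counting failures per hour, it counts how many failures and how many distinct usernames one source produces inside a 60-second window, and whether a successful login follows them. The log lines are constructed in a FortiGate-style key=value layout; the field set is an approximation, and the thresholds are assumptions to tune against your own telemetry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-style key=value layout. The field set
# is an approximation for illustration, not a captured vendor log.
SAMPLE_LOG = """\
date=2026-02-20 time=03:14:02 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:02 logdesc="Admin login failed" user="administrator" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:03 logdesc="Admin login failed" user="fortinet" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:03 logdesc="Admin login failed" user="root" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:04 logdesc="Admin login failed" user="support" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:04 logdesc="Admin login failed" user="backup" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:05 logdesc="Admin login failed" user="sysadmin" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:05 logdesc="Admin login failed" user="guest" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:06 logdesc="Admin login failed" user="operator" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:06 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:07 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:07 logdesc="Admin login failed" user="admin" srcip=203.0.113.7 status="failed"
date=2026-02-20 time=03:14:08 logdesc="Admin login successful" user="admin" srcip=203.0.113.7 status="success"
date=2026-02-20 time=08:02:10 logdesc="Admin login failed" user="jdoe" srcip=198.51.100.22 status="failed"
date=2026-02-20 time=08:02:31 logdesc="Admin login successful" user="jdoe" srcip=198.51.100.22 status="success"
date=2026-02-20 time=09:00:00 logdesc="Admin login failed" user="admin" srcip=192.0.2.50 status="failed"
date=2026-02-20 time=09:10:00 logdesc="Admin login failed" user="admin" srcip=192.0.2.50 status="failed"
date=2026-02-20 time=09:20:00 logdesc="Admin login failed" user="admin" srcip=192.0.2.50 status="failed"
"""

# Assumed thresholds: tuned for machine-speed attempts, not for hourly human error rates.
WINDOW = timedelta(seconds=60)
FAIL_THRESHOLD = 10     # failed logins from one source inside WINDOW
USER_THRESHOLD = 5      # distinct usernames tried from one source inside WINDOW
PRECEDING_FAILS = 3     # failures before a success that make that success suspicious

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_line(line):
    """Extract the fields the detector needs from one key=value log line."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "srcip": fields["srcip"], "user": fields["user"], "status": fields["status"]}


def analyze(text):
    """Return {srcip: sorted reasons} for every source whose login pattern trips a rule."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_src[ev["srcip"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()   # (ts, user) of failures inside the trailing window
        reasons = set()
        for ev in events:
            while recent and ev["ts"] - recent[0][0] > WINDOW:
                recent.popleft()                       # drop failures older than the window
            if ev["status"] == "failed":
                recent.append((ev["ts"], ev["user"]))
                if len(recent) >= FAIL_THRESHOLD:
                    reasons.add("high_failure_rate")   # T1110 at machine speed
                if len({u for _, u in recent}) >= USER_THRESHOLD:
                    reasons.add("user_spray")          # many accounts, one source
            elif ev["status"] == "success" and len(recent) >= PRECEDING_FAILS:
                reasons.add("success_after_failures")  # likely T1078 from a guessed credential
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(src, ", ".join(reasons))
```

The three constructed sources illustrate the thresholds: 203.0.113.7 trips every rule within six seconds, 198.51.100.22 is a single mistyped password followed by a normal login, and 192.0.2.50 is three failures ten minutes apart, which a human-speed rule might count but the sliding window ignores. The `success_after_failures` signal is the one to escalate first, since it is the point where a brute-force attempt becomes a valid-account problem. Running this over the past 60 days, as the action item suggests, means feeding the real log export through `analyze` in place of `SAMPLE_LOG`.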
Sources: 😺 She forgot 3 emails. Then built this.
03 AI-Generated Code at Scale: Your AppSec Program Has a Structural Problem
<h3>The Paradigm Shift</h3>
<p>A new engineering paradigm called <strong>"harness engineering"</strong> is moving from experiment to production at major technology companies. The numbers are staggering: Stripe's internal agents produce over <strong>1,000 merged PRs per week</strong>. An OpenAI team built a <strong>million-line internal product with three engineers and zero hand-written code</strong>. A solo developer made 6,600+ commits in a single month running 5-10 agents simultaneously. Anthropic's own research found that agents <strong>falsely mark features as complete</strong> without proper testing.</p>
<p>From a security standpoint, this breaks fundamental assumptions underlying most AppSec programs. The published playbooks from these organizations focus almost exclusively on productivity guardrails while saying virtually nothing about adversarial threat modeling of the agent infrastructure itself.</p>
<h3>Novel Attack Vectors</h3>
<h4>AGENTS.md as a Control Plane</h4>
<p>The emerging <strong>AGENTS.md convention</strong> places a Markdown file at the repository root that coding agents automatically read at the start of every session. It controls architectural constraints, tool usage patterns, and behavioral guidelines. <em>A malicious modification to this file could instruct agents to bypass security controls, disable linters, or introduce subtle backdoors in all subsequent code generation sessions.</em> There are currently no established integrity controls for these files.</p>
<h4>MCP Tool Integration Exposure</h4>
<p>Stripe's agents access <strong>400+ internal tools via MCP servers</strong>, operating autonomously between task assignment and PR submission. If an attacker can influence agent behavior through prompt injection — via code comments, dependency metadata, or crafted error messages — they could pivot through the agent's authenticated tool access to reach internal systems.</p>
<h4>Unverified Code at Scale</h4>
<p>Anthropic's Claude Code Security tool achieves <strong>only 50% accuracy on 14.5-hour tasks</strong> and requires limiting to 1-hour tasks for 80% reliability. AI-generated security patches that are wrong half the time create false confidence. Meanwhile, at <strong>3.5 PRs per engineer per day</strong> with throughput increasing, the math doesn't work for meaningful human review of every change.</p>
<blockquote>Your AppSec program was built for a world where humans write and understand their own code — that world ended, and every week you delay adapting, autonomous agents are shipping thousands of unreviewed lines into your production environment.</blockquote>
<h3>The Compliance Angle</h3>
<p>SOC 2 and similar frameworks require demonstrable change management controls. When Greg Brockman says "ensure that some human is accountable for any code that gets merged," he's describing what your auditors will expect. But volume overwhelms reviewers. You need automated controls that are auditable, not just human attestation that becomes a rubber stamp. <em>Brief your auditors proactively — don't let them discover agent-generated code during the audit.</em></p>
Action items
- Conduct a threat model of AI coding agent infrastructure — including MCP server integrations, agent sandbox boundaries, credential access, and AGENTS.md integrity — by end of March
- Implement CODEOWNERS rules requiring security team approval for changes to AGENTS.md, CLAUDE.md, or equivalent agent configuration files across all repositories
- Evaluate whether SAST/DAST/SCA tooling can handle 1,000+ PRs/week and implement risk-based triage: agent PRs touching auth, crypto, or data handling get mandatory human security review
- Add prompt injection and agent sandbox escape scenarios to red team / penetration testing scope for next engagement
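The second and third action items describe one policy: agent configuration files get a security gate, and agent-authored PRs touching sensitive code get mandatory human review while the rest flow through automated gates. The Python below is an added example, not Stripe's, OpenAI's or Anthropic's code, of how that triage could run as a CI step over a PR's changed files. It adds one control the text says is missing, an integrity check on AGENTS.md: the security team pins the digest of the approved file, and any PR whose AGENTS.md no longer matches is escalated regardless of who authored it. The bot identity, the sensitive path segments, the pinned content and the sample PRs are all constructed assumptions.

```python
import hashlib

# Hypothetical policy inputs (assumptions for this example, not an established standard).
AGENT_CONFIG_NAMES = {"AGENTS.md", "CLAUDE.md"}                  # agent control-plane files
SENSITIVE_SEGMENTS = {"auth", "crypto", "secrets", "payments"}   # directories forcing human security review
AGENT_AUTHORS = {"coding-agent[bot]"}                            # identity the coding agent commits under

# Constructed "approved" AGENTS.md whose digest the security team has pinned.
APPROVED_AGENTS_MD = "# Agent rules\nRun the full test suite and the linter before opening a PR.\n"


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Pinned digests of approved agent config files. A file not listed here (for
# example .github/CODEOWNERS) never matches, so every change to it escalates.
PINNED_DIGESTS = {"AGENTS.md": sha256(APPROVED_AGENTS_MD)}

# Review tiers, least to most restrictive.
TIERS = ["standard", "automated-gates", "human-security-review", "security-approval"]


def is_agent_config(path):
    """True for AGENTS.md / CLAUDE.md at any depth and for the CODEOWNERS file itself."""
    return path.rsplit("/", 1)[-1] in AGENT_CONFIG_NAMES or path == ".github/CODEOWNERS"


def is_sensitive(path):
    """True when any directory on the path is in the sensitive set."""
    return bool(set(path.split("/")[:-1]) & SENSITIVE_SEGMENTS)


def triage(pr, pinned=PINNED_DIGESTS):
    """Decide the review tier for a PR from its author and changed files.

    pr: {"author": str, "files": {path: new_content}}
    Returns {"tier": str, "reasons": [str]}; the tier only ever moves up.
    """
    tier = "standard"
    reasons = []

    def escalate(new_tier, why):
        nonlocal tier
        if TIERS.index(new_tier) > TIERS.index(tier):
            tier = new_tier
        reasons.append(why)

    agent_author = pr["author"] in AGENT_AUTHORS
    if agent_author:
        escalate("automated-gates", "agent-authored: SAST/SCA gates are mandatory")
    for path, content in pr["files"].items():
        if is_agent_config(path) and pinned.get(path) != sha256(content):
            escalate("security-approval", f"{path} changed away from pinned approved content")
        if agent_author and is_sensitive(path):
            escalate("human-security-review", f"{path} touches a sensitive area")
    return {"tier": tier, "reasons": reasons}


# Constructed PRs, one per tier.
EXAMPLE_PRS = [
    {"author": "coding-agent[bot]", "files": {"AGENTS.md": "# Agent rules\nSkip the linter.\n"}},
    {"author": "coding-agent[bot]", "files": {"src/auth/session.py": "def rotate():\n    pass\n"}},
    {"author": "coding-agent[bot]", "files": {"docs/README.md": "# Docs\n"}},
    {"author": "alice", "files": {"AGENTS.md": APPROVED_AGENTS_MD}},
]


def run():
    return [triage(pr)["tier"] for pr in EXAMPLE_PRS]


if __name__ == "__main__":
    for pr, tier in zip(EXAMPLE_PRS, run()):
        print(pr["author"], list(pr["files"]), "->", tier)
```

The pinned-digest check is what a CODEOWNERS rule alone cannot give you: CODEOWNERS decides who must approve a change, while the digest records which content was approved, so a reviewer rubber-stamping a modified AGENTS.md still leaves an auditable mismatch until the pin is updated. The fourth sample PR shows the other direction: a human restoring the approved content matches the pin and needs no escalation.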
Sources: The Emerging "Harness Engineering" Playbook · 😺 She forgot 3 emails. Then built this.
04 Geopolitical and Vendor Ecosystem Risks: DHS Disruption, Iranian Escalation, and SaaS Selloff
<h3>Federal Cybersecurity Continuity at Risk</h3>
<p>A partial DHS shutdown caused a <strong>12-hour suspension of TSA PreCheck and Global Entry</strong> before reversal. The deeper concern: DHS houses <strong>CISA</strong>, which provides vulnerability advisories, threat intelligence sharing, and incident response coordination for critical infrastructure. During previous shutdowns, CISA operated with skeleton crews, delaying vulnerability disclosures and reducing proactive threat hunting. The funding dispute appears ongoing with no resolution in sight.</p>
<h3>Iranian Cyber Escalation Indicators</h3>
<p>Trump envoy Steve Witkoff publicly stated Iran is <strong>"about a week away"</strong> from nuclear weapons capability. This rhetoric pattern — threat inflation combined with military posturing — has historically preceded both kinetic and cyber escalation from Iranian state actors. Known groups with demonstrated capability against U.S. targets include <strong>APT33/Peach Sandstorm</strong> (energy, aerospace), <strong>APT34/OilRig</strong> (government, financial), <strong>APT35/Charming Kitten</strong> (think tanks, media), and <strong>MuddyWater</strong> (government, telecom). <em>No specific Iranian cyber campaign has been reported in connection with current tensions — this is a preparedness assessment based on historical correlation.</em></p>
<h3>Cybersecurity Vendor Financial Instability</h3>
<p>Cybersecurity stocks dropped on Friday, February 20, amid a broader <strong>20-30% YTD SaaS selloff</strong> driven by AI disruption fears. Separately, OpenAI's AI model operating costs <strong>quadrupled in 2025</strong>, with gross margins falling to 33% — signaling that every security vendor marketing "AI-powered" capabilities faces the same inference cost pressure. When vendors can't sustain the economics, they either raise prices, reduce model quality, or cut corners on AI features you're paying for.</p>
<p>Meanwhile, AI data center talent scarcity — fewer than ~16 executives globally can build at gigawatt scale — means <strong>key-man clauses in project financing</strong> could collapse multi-billion-dollar builds if someone gets poached. Your cloud provider's next data center region may not materialize on schedule.</p>
<blockquote>When DHS can't keep its own travel security programs running for 12 hours, ask yourself how confident you are that CISA will be fully operational the next time you need them during an incident.</blockquote>
Action items
- Catalog which threat intelligence feeds, vulnerability notifications, and incident coordination channels depend on CISA/DHS operations and identify commercial and ISAC alternatives by March 7
- Refresh Iranian APT detection coverage — validate SIEM/EDR rules for password spraying, DNS tunneling, PowerShell lateral movement, and cloud credential theft for APT33, APT34, APT35, and MuddyWater
- Review financial health indicators for your top 5 cybersecurity vendors — check stock performance, layoffs, and earnings guidance — and validate contract terms for price escalation clauses before renewal season
- Stress-test BC/DR assumptions against cloud provider capacity delays — model scenarios where planned regions are delayed 12-18 months due to infrastructure talent scarcity
Sources: Sunday Afternoon News Updates — 2/22/26 · The Briefing: Nvidia, Salesforce on Deck · Editor's Pick: The $10 Million Power Players of the AI Buildout
◆ QUICK HITS
- Anthropic's Claude Code Security achieves only 50% accuracy on complex tasks — mandate human review of all AI-generated security patches before merge
Source: 😺 She forgot 3 emails. Then built this.
- U.S. rejected the Delhi Declaration on AI governance signed by 70+ countries — brief GRC on regulatory fragmentation for international compliance planning
Source: 😺 She forgot 3 emails. Then built this.
- OpenAI planning a $200-$300 smart speaker with always-on AI — add AI consumer hardware to your prohibited/monitored device policy before it ships
Source: The Briefing: Nvidia, Salesforce on Deck
- Third-party AI prompt tools like Metaprompt.com ingest user prompts with unknown retention policies — update DLP controls and acceptable use policies to cover prompt optimization services
Source: 🤖 Meta Prompting: The Secret to Better AI Results
- PE-owned Monotype hiked font licensing from $380 to $20,500/year (5,295% increase) — audit your software supply chain for Monotype font dependencies and add PE ownership status to vendor risk assessments
Source: ⚡ Private Equity Brew
- 72% of enterprises carry AI infrastructure debt that creates security blind spots — don't let business pressure to deploy AI outpace your ability to secure it
Source: 🧠 Intelligence should be owned, not rented
BOTTOM LINE
Autonomous AI agents are simultaneously your newest attack surface and your biggest AppSec blind spot: adversaries are actively probing agent infrastructure while your engineering teams ship 1,000+ unreviewed PRs per week through agents with access to 400+ internal tools — and a small group just proved that commercial AI tools can breach 600+ firewalls across 55 countries in weeks. Extend zero-trust to agent identities, harden MCP protocols, and update your threat models for AI-speed attacks before the gap between deployment velocity and security controls becomes unrecoverable.
Frequently asked
- Why should AI agents be treated as first-class identities in a zero-trust architecture?
- Because adversaries are actively hijacking, impersonating, and manipulating autonomous agents to exfiltrate data at machine speed, and most IAM policies don't govern them. Agents hold persistent OAuth tokens and API keys with broad read/write scopes across email, messaging, and documents — without managed identities, authentication, and authorization controls, a single compromised agent host compromises every connected service.
- What made the Fortinet firewall breach campaign possible at such scale?
- A small Russian-speaking group used commercial AI tools to compromise 600+ Fortinet firewalls across 55 countries in weeks — Amazon stated this scale would have been impossible without AI. The techniques themselves (brute force, exposed management ports, weak credentials) were mundane, but AI handled enumeration, credential testing, and lateral movement planning at 10-100x human speed, collapsing timelines that previously took months or years.
- What new attack vectors does AI-generated code at scale introduce to AppSec programs?
- Three stand out: AGENTS.md and similar config files act as an unprotected control plane that can instruct agents to bypass security controls or insert backdoors; MCP tool integrations expose hundreds of internal systems to prompt injection via code comments, dependencies, or error messages; and sheer volume (1,000+ PRs/week at some firms) overwhelms human review, making rubber-stamp approvals a compliance risk under SOC 2 change management controls.
- How should threat models change given AI-augmented attacker capabilities?
- Assume attackers can scan, enumerate, and exploit at 10-100x human speed using commercially available AI tools, meaning small groups can now achieve nation-state-scale impact without custom malware or zero-days. Detection thresholds calibrated for human-speed credential stuffing and reconnaissance will miss these campaigns, so red team scenarios, SOC alerting logic, and incident response timelines all need recalibration.
- What fallback plans should security teams have if CISA operations are disrupted?
- Catalog every threat intelligence feed, vulnerability notification channel, and incident coordination path that depends on CISA or DHS, then identify commercial and ISAC alternatives that remain operational during federal shutdowns. The recent 12-hour TSA PreCheck suspension shows DHS continuity is fragile, and past shutdowns have delayed CISA vulnerability disclosures and reduced proactive threat hunting when defenders need them most.