Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
There’s a class of device that sits at the boundary of every network, handles all the traffic, and gets almost none of the attention. Firewalls. Routers. Switches. The edge.
Two stories this week show just how badly that neglect is going.
Threat actors are actively exploiting FortiGate appliances to break into enterprise networks and steal service account credentials. Not user passwords. Service accounts, the ones that run automated processes and connect systems to each other and almost never get rotated. Once an attacker has those, they don’t need to break in again. They already live there.
Meanwhile, a botnet called KadNap has quietly enslaved more than 14,000 devices, mostly ASUS routers, into a proxy network for cybercriminal operations. Your neighbor’s router might be laundering someone else’s ransomware traffic right now.
Different devices. Different attackers. Same structural failure.
FortiGate firewalls are everywhere. And that ubiquity makes them a high-value target. Attackers have been proving it repeatedly.
The latest campaign hits FortiGate devices for initial access, then harvests service account credentials from the compromised appliance. Service accounts typically have broad permissions and rarely trigger alerts. They’re the perfect persistence mechanism. Quiet, privileged, and forgotten.
This fits an uncomfortable pattern. Ivanti. SonicWall. Cisco ASA. Pulse Secure. Now FortiGate, again. The devices organizations buy specifically to protect their networks keep becoming the way attackers get in.
If you’re running FortiGate: verify your FortiOS version, apply patches, and audit the accounts tied to the appliance, both the admin and API accounts that log in to it and the credentials it stores to reach other systems (LDAP and RADIUS bind accounts, for instance), for logins from unexpected sources and for configuration exports. Assume anything the appliance held was taken and rotate it; patching closes the door, it doesn’t expire a credential that already walked out. And ask yourself honestly whether your org treats firewall patching with the same urgency as endpoint patching. For most, the answer is no.
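What that audit looks like in practice, as an added example that is not part of the original post and not Fortinet’s own tooling (it also backs the FortiGate checklist at the end). The log lines are constructed to approximate the FortiOS key=value event-log layout; the account names, the management subnet and the rule thresholds are assumptions you would replace with your own. It flags three things a stolen service credential tends to produce: a service account logging in from somewhere that isn’t your management network, a configuration backup (the config carries the secrets the appliance uses to talk to other systems), and a run of failed logins against one account.

```python
"""Audit FortiGate-style admin event logs for service-account abuse.

Added example (not from the original post, not Fortinet code). The sample
lines below are constructed to resemble FortiOS key=value event logs; the
field names follow that convention, the values are invented.
"""
import shlex
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: which accounts are service accounts, and where management
# sessions are allowed to come from. Adjust to your environment.
SERVICE_ACCOUNTS = {"svc-backup", "svc-monitor"}
ALLOWED_MGMT = [ip_network("10.10.0.0/24")]

# Constructed sample log (not captured from a real device).
SAMPLE_LOGS = """\
date=2024-05-01 time=02:14:07 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="svc-backup" ui="https(10.10.0.5)" method="https" srcip=10.10.0.5 action="login" status="success" msg="Administrator svc-backup logged in successfully"
date=2024-05-01 time=02:15:30 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="svc-backup" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 action="login" status="success" msg="Administrator svc-backup logged in successfully"
date=2024-05-01 time=02:16:02 type="event" subtype="system" level="notice" vd="root" logdesc="Config backup" user="svc-backup" ui="https(203.0.113.77)" srcip=203.0.113.77 action="backup" status="success" msg="Configuration backed up by svc-backup"
date=2024-05-01 time=02:17:11 type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="svc-monitor" ui="ssh(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2024-05-01 time=02:17:19 type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="svc-monitor" ui="ssh(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2024-05-01 time=02:17:26 type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="svc-monitor" ui="ssh(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2024-05-01 time=02:20:00 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="svc-monitor" ui="ssh(10.10.0.20)" srcip=10.10.0.20 action="login" status="success" msg="Administrator svc-monitor logged in successfully"
"""


def parse_line(line):
    """Split one key=value line into a dict; shlex handles the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def src_allowed(ip_str):
    """True if the source address sits inside an allowed management subnet."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False  # missing or malformed srcip is treated as untrusted
    return any(ip in net for net in ALLOWED_MGMT)


def audit(log_text, fail_threshold=3):
    """Return (rule, user, srcip, timestamp) tuples, in log order."""
    findings = []
    failures = defaultdict(int)  # (user, srcip) -> failed login count
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev.get("user", "")
        src = ev.get("srcip", "")
        when = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        action = ev.get("action", "")
        status = ev.get("status", "")

        # Rule 1: a burst of failed logins against one account from one source.
        if action == "login" and status == "failed":
            failures[(user, src)] += 1
            if failures[(user, src)] == fail_threshold:
                findings.append(("repeated_login_failures", user, src, when))

        # Rule 2: a service account authenticating from outside management space.
        if (action == "login" and status == "success"
                and user in SERVICE_ACCOUNTS and not src_allowed(src)):
            findings.append(("service_login_from_untrusted_ip", user, src, when))

        # Rule 3: any configuration backup; the export carries stored secrets.
        if action == "backup" or "backup" in ev.get("logdesc", "").lower():
            findings.append(("config_export", user, src, when))
    return findings


if __name__ == "__main__":
    for rule, user, src, when in audit(SAMPLE_LOGS):
        print(f"{when}  {rule:32} user={user} srcip={src}")
```

Run against the constructed sample, it reports the svc-backup login from 203.0.113.77, the config backup that followed it, and the three failed svc-monitor logins from 198.51.100.9; the two logins from the 10.10.0.0/24 management subnet pass quietly. Feed it your own exported event logs and your own allowlist, and treat every config_export hit as a reason to rotate whatever that config contained.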
On the consumer side, KadNap tells a grimmer version of the same story. Over 14,000 compromised devices, primarily ASUS routers, conscripted into a proxy network that criminals rent for their operations.
Proxy networks like this are the plumbing of modern cybercrime. Credential stuffing, ransomware C2, phishing infrastructure, attribution laundering. Attackers route through thousands of compromised home routers scattered globally. Each one is a tiny, anonymous relay node. The homeowner has no idea.
ASUS routers keep showing up in these stories because they’re popular, they’re often running outdated firmware, and most owners never touch the admin panel after initial setup.
If you own an ASUS router: log into the admin panel, check your firmware version, and update it. If your router no longer gets firmware updates, replace it. A $60 router isn’t worth being an unwitting accomplice to someone else’s criminal operation.
Step back and the picture is bleak. The entire class of network edge devices is systematically failing. They’re always on. They face the internet directly. They run complex software that’s hard to audit. And they get treated as infrastructure furniture: install, configure, forget.
Nation-state groups like Volt Typhoon built entire campaigns around compromised SOHO routers. Ransomware operators target VPN appliances for initial access. Botnet builders harvest consumer routers by the thousands.
The fix isn’t complicated in theory. Patch edge devices like you patch servers. Monitor them for weird behavior. Rotate their credentials. Replace end-of-life hardware.
In practice, most organizations aren’t doing any of that consistently. And the attackers keep showing up.
FortiGate admins: Verify FortiOS patch status now. Audit service accounts for credential compromise or unexpected access patterns.
ASUS router owners: Check firmware and update. If your model is end-of-life, replace it. Disable remote management if you don’t use it.
Everyone running edge devices: Stop treating them as set-and-forget. They need the same patch cadence, monitoring, and lifecycle management as everything else on your network. The perimeter isn’t a wall anymore. It’s a target.