Fortinet has acknowledged the breach of data belonging to a small number of its customers, following the leak of 440GB of information by a hacker using the alias “Fortibitch” on BreachForums this week. The hacker claimed to have acquired the data from an Azure SharePoint site and released it after Fortinet declined to engage in ransom negotiations. This incident sheds light on the importance of securing data stored in third-party cloud repositories, as highlighted by researchers.
While Fortinet has not pinpointed the exact source of the breach, the company stated in a September 12 advisory that an unauthorized individual gained access to a limited number of files on Fortinet’s instance of a third-party, cloud-based shared file drive. The security firm clarified that the breach impacted less than 0.3% of its extensive customer base, which amounts to approximately 2,325 organizations worldwide. Fortinet assured that there were no signs of malicious activity surrounding the compromised data and that the incident did not involve data encryption, ransomware deployment, or access to Fortinet’s corporate network.
A threat intelligence report shared with Dark Reading by CloudSEK revealed that the leaked data included customer information, financial and marketing documents, product details, HR data from India, and some employee data. The hacker, under the alias Fortibitch, reportedly attempted to extort Fortinet but proceeded to release the data after failed negotiations. Fortinet neither confirmed nor denied if the hacker had contacted them regarding the stolen data.
The hacker’s post on BreachForums made vague references to Fortinet’s acquisitions of Lacework and NextDLP, as well as to other threat actors, including a Ukrainian group known as DC8044. CloudSEK stated that while there are no direct connections between Fortibitch and DC8044, the tone of the messages suggests a possible history between the two. Based on the available information, CloudSEK surmised that the threat actor operates from Ukraine.
The breach at Fortinet serves as a reminder of the risks associated with cloud data exposure for enterprise organizations utilizing software-as-a-service (SaaS) and other cloud services without proper safeguards. A recent scan conducted by Metomic on 6.5 million Google Drive files revealed that over 40% contained sensitive information, including employee data and password spreadsheets. The scan further disclosed that a significant number of files were shared externally and publicly, emphasizing the need for improved data protection measures.
Rich Vibert, CEO of Metomic, identified three common mistakes organizations make when safeguarding data in cloud environments, which include the failure to implement multifactor authentication (MFA) for SaaS app access, excessive employee access to sensitive assets, and prolonged retention of sensitive data. Koushik Pal, a threat intelligence reporter at CloudSEK, suggested that attackers may have gained access to Fortinet’s SharePoint environment through valid login credentials obtained via phishing or information stealers.
To enhance cloud security, developers should avoid hardcoding sensitive information and implement multifactor authentication to control access. Continuous monitoring of cloud assets, encryption of sensitive data, and the adoption of zero-trust principles for third-party platforms are essential for protecting data in cloud environments. Akhil Mittal, senior manager of cybersecurity at Synopsys Software Integrity Group, advises organizations to rethink their approach to storing customer data in shared drives and ensure critical information is separated from less sensitive files.
Overall, the breach at Fortinet underscores the critical need for robust cloud security measures and proactive risk management strategies to mitigate the increasing threats faced by organizations in cloud environments. As cyberattacks continue to evolve, businesses must prioritize data protection and implement comprehensive security protocols to safeguard their digital assets effectively.