Fortinet Confirms Customer Data Breach via Third Party

Fortinet has acknowledged the breach of data pertaining to a “small number” of its clients, following the disclosure of 440GB of information by a hacker using the alias “Fortibitch” on BreachForums this week.

The hacker stated that the data was obtained from an Azure SharePoint site and was leaked after the company refused to engage in ransom negotiations. This incident underscores the importance of securing data stored in third-party cloud repositories, according to researchers.

Unauthorized Access to SaaS Environment

Fortinet has not specifically pinpointed the source of the breach. However, in an advisory dated Sept. 12, the company mentioned that an individual gained “unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party, cloud-based shared file drive.”

The security vendor, a major player in the industry, stated that less than 0.3% of its over 775,000 customers worldwide were affected by the incident, translating to approximately 2,325 organizations.

Fortinet assured that there were no signs of malicious activity surrounding the compromised data. The company acted swiftly to protect customers and communicated directly with them, implementing risk mitigation measures. The incident did not involve data encryption, ransomware deployment, or access to Fortinet’s corporate network. Fortinet does not anticipate any significant impact on its operations or finances as a result of the incident.

CloudSEK, in a threat intelligence report shared with Dark Reading, noted that the hacker using the Fortibitch alias leaked not only customer data but also financial and marketing documents, product information, HR data from India, and some employee data.

The actor attempted to extort the company but, after unsuccessful negotiations, released the data. CloudSEK speculated that the hacker would have tried to sell the data first if it held substantial value.

Fortinet neither confirmed nor denied whether the hacker had reached out to the company regarding the stolen data.

The hacker’s post on BreachForums included vague references to Fortinet’s acquisitions of Lacework and NextDLP, as well as mentions of other threat actors, including a Ukrainian group identified as DC8044. While there are no direct connections between Fortibitch and DC8044, CloudSEK suggested a historical relationship between the two. Based on available information, it is believed that the threat actor operates out of Ukraine.

Breach a Reminder of Cloud Data Exposure Risks

The Fortinet breach serves as a reminder of the risks associated with data exposure for enterprise organizations utilizing software-as-a-service (SaaS) and other cloud services without adequate safeguards. A recent scan of 6.5 million Google Drive files by Metomic revealed that over 40% contained sensitive information, such as employee data and password-containing spreadsheets.

Many organizations stored data in Google Drive files with minimal protection, with a significant portion shared externally or made public. Rich Vibert, CEO of Metomic, highlighted three common mistakes made by organizations in cloud data protection: inadequate use of multifactor authentication (MFA) for SaaS app access, excessive employee access to sensitive assets, and prolonged storage of sensitive data.

The method by which the hacker gained access to data from Fortinet’s SharePoint environment remains unclear. However, it is plausible that the attacker acquired valid login credentials, possibly through phishing, and proceeded to exfiltrate data from SharePoint and similar platforms. Information theft is a prevalent attack vector, as noted by Koushik Pal, threat intelligence reporter at CloudSEK.

Rethinking Cloud Security

Developers are advised to use environment variables, vaults, or encrypted storage for sensitive data and avoid hardcoding credentials in source code, according to Pal. Hardcoded access credentials in source code can be easily accessed if inadvertently exposed in public or unsecured repositories.

Organizations should enforce mandatory MFA for accessing critical systems like SharePoint to prevent unauthorized access in case of compromised credentials. Regular monitoring of repositories for exposed credentials, sensitive data, and misconfigurations, along with adherence to security best practices, is essential across all teams.
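The two practices recommended above, keeping credentials out of source code and monitoring repositories for exposed ones, as an added example that is not from the article, Fortinet or CloudSEK: a small Python scanner that walks constructed file contents, flags credential-like string literals, scores them by entropy, and skips values that are read from the environment, which is the pattern the advice asks for. The sample repository contents, file names and variable names are all constructed for illustration.

```python
import math
import os
import re
from collections import Counter

# Constructed sample "repository" (file name -> source text); not real code or secrets.
SAMPLE_REPO = {
    "config.py": 'SHAREPOINT_CLIENT_SECRET = "Q7x9zLm2PqRs8TuVwXyZ0aBcDeFgHiJk"\nTIMEOUT = 30\n',
    "settings.py": 'import os\nAPI_KEY = os.environ["SP_API_KEY"]\n',
    "notes.md": "password = hunter2\n",
}

# A credential-like name assigned a literal value of at least six non-space characters.
CRED_PATTERN = re.compile(
    r'(?P<name>[A-Za-z_]*(?:secret|password|passwd|token|api_?key)[A-Za-z_]*)'
    r'\s*[:=]\s*["\']?(?P<value>[^"\'\s]{6,})',
    re.IGNORECASE,
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score higher than dictionary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_source(name: str, text: str) -> list[dict]:
    """Return one finding per line that assigns a literal to a credential-like name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_PATTERN.search(line)
        if not m:
            continue
        # Reading the value from the environment is the recommended pattern, not a leak.
        if "os.environ" in line or "getenv" in line:
            continue
        findings.append({"file": name, "line": lineno, "name": m.group("name"),
                         "entropy": round(shannon_entropy(m.group("value")), 2)})
    return findings

def scan_repo(repo: dict[str, str]) -> list[dict]:
    """Scan every file in the constructed repository mapping."""
    return [f for name, text in repo.items() for f in scan_source(name, text)]

def load_credential(var: str) -> str:
    """Recommended pattern: take the secret from the environment (or a vault), never from source."""
    value = os.environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; supply it via the environment or a vault")
    return value
```

Pointing `scan_repo` at real file contents turns this into a pre-commit or CI check; the entropy score helps rank a random-looking token above a placeholder word, but a low-entropy hit such as a plain password is still reported.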

Akhil Mittal, senior manager of cybersecurity at Synopsys Software Integrity Group, emphasized the significance of organizations taking ownership of cloud asset security rather than solely relying on cloud service providers. He suggested segregating critical information from less sensitive files in shared drives and encrypting sensitive data in transit and at rest to mitigate potential damage from unauthorized access. Continuous monitoring of cloud assets and implementing zero-trust principles for third-party platforms are also recommended.
