
Fortinet breach exposes 440GB of data; no ransom paid

Thu, 26th Sep 2024

A recent security incident involving cyber security company Fortinet's third-party cloud storage has resulted in unauthorised access to a small number of files.

According to an analysis by Tesserent's Security Operations Centre (SOC), the breach affected less than 0.3% of Fortinet's customers.

Patrick Butler, who runs Tesserent's SOC, has provided a comprehensive summary of the incident. He noted that there is no evidence of malicious activity affecting customers.

The scope of the breach did not include data encryption, ransomware, or access to Fortinet's corporate network. Butler stated, "Fortinet's operations, products, and services remain unaffected."

The incident, which reportedly occurred in August 2024, involved approximately 440GB of data, a figure claimed by the threat actor. The unauthorised access was gained through a third-party cloud storage platform, SharePoint, and primarily impacted customers based in the APAC region. Fortinet contained the issue, terminated the unauthorised access, notified law enforcement, and engaged an external forensics firm to validate its findings. Enhanced security measures have since been implemented.

The threat actor behind the breach, identified as "Fortibitch," attempted to extort a ransom from Fortinet, but no payment was made. The stolen data was subsequently uploaded to an Amazon S3 bucket, and the credentials needed to access it were shared with other threat actors.

Butler emphasised the importance of vigilance, stating, "While there is no direct, immediate impact on individuals, it is crucial to be cautious of unusual communications or requests and report any suspicious activity."

The incident underscores the importance of having a robust Cyber Threat Intelligence (CTI) program, as the leaked data was initially discovered on a hacking forum. "Regular monitoring of such data sources can aid in early detection of potential threats," Butler added.

Furthermore, the incident highlights the significance of third-party risk management. Effective risk management includes evaluating access controls, implementing Multi-Factor Authentication (MFA), and reviewing who has access to third-party platforms.

"This incident reminds us of the need for rigorous assessment of data-sharing practices and access permissions, including those involving contractors and third parties," noted Butler.

Proactive monitoring and detection are also crucial. Data Loss Prevention (DLP) systems can monitor sensitive data and protect it from unauthorised access or leakage, and Managed Detection and Response (MDR) services can detect and respond to threats in real time. "Ensuring that monitoring and detection use cases are well-defined and effectively cover potential attack vectors is vital," Butler stated.
