Fortinet Confirms Customer Data Breach via Third Party

Fortinet has confirmed the compromise of data belonging to a "small number" of its customers, after a hacker using the somewhat colorful moniker "Fortibitch" leaked 440GB of the information via BreachForums this week.

The hacker claimed to have obtained the data from an Azure SharePoint site and alleges they leaked it after the company refused to negotiate with the individual on a ransom demand. The situation once again highlights the responsibility that companies have to secure data held in third-party cloud repositories, researchers say.

Unauthorized Access to SaaS Environment

Fortinet itself has not specifically identified the source of the breach. But in a Sept. 12 advisory, the company said someone had gained "unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party, cloud-based shared file drive."

The security vendor, one of the largest in the world by market cap, identified the issue as impacting less than 0.3% of its more than 775,000 customers worldwide, which would place the number of affected organizations at around 2,325.

Fortinet said it had seen no signs of malicious activity around the compromised data. "Fortinet immediately executed on a plan to protect customers and communicated directly with customers as appropriate and supported their risk mitigation plans," the security vendor noted in the advisory. "The incident did not involve any data encryption, deployment of ransomware, or access to Fortinet’s corporate network." Fortinet said it does not expect the incident to have any material impact on its operations or finances.

In a threat intelligence report shared with Dark Reading, CloudSEK said it had observed a threat actor using the Fortibitch handle leaking what appeared to include not just customer data, but also financial and marketing documents, product information, HR data from India, and some employee data.

"The actor attempted to extort the company but, after unsuccessful negotiations, released the data," CloudSEK said.  The company surmised that the hacker would have attempted to sell the data first, if it had been of any true value.

Fortinet did not confirm or deny if the hacker had attempted to engage with the company on the stolen data.

The hacker's post on BreachForums included somewhat context-free references to Fortinet's acquisitions of Lacework and NextDLP. It also referenced a few other threat actors, the most interesting of whom is a Ukrainian outfit tracked as DC8044. "There are no direct links between Fortibitch and DC8044, but the tone suggests a history between the two," according to CloudSEK. "Based on the available information, we can ascertain with medium confidence that the threat actor is based out of Ukraine."

Breach a Reminder of Cloud Data Exposure Risks

The Fortinet compromise — though apparently not too major — is a reminder of the heightened data exposure risks to enterprise organizations when using software-as-a-service (SaaS) and other cloud services without the appropriate guardrails. A recent scan by Metomic of some 6.5 million Google Drive files showed more than 40% of them containing sensitive data, including employee data and spreadsheets containing passwords.

Often, organizations stored the data on Google Drive files with little protection. More than one-third (34.2%) of the scanned files were shared with external email addresses, and more than 350,000 files had been shared publicly.

Rich Vibert, CEO and founder of Metomic, says there are three fundamental mistakes organizations make when it comes to protecting data in cloud environments: not using multifactor authentication (MFA) to control access to SaaS apps; giving employees too much access to folders and sensitive assets within the app itself; and storing sensitive data for too long.

It's unclear yet how the hacker might have accessed the data from Fortinet's SharePoint environment. But one likely scenario is that the attacker gained access to valid login credentials, via phishing for instance, and then logged in and exfiltrated data from SharePoint and similar environments, says Koushik Pal, threat intelligence reporter at CloudSEK. Information stealers are also a "really common" attack vector, Pal notes.

Rethinking Cloud Security

"Typically, developers should use environment variables, vaults, or encrypted storage for sensitive information, and avoid hardcoding credentials in source code," Pal says. Often developers hardcode access credentials like API keys, username and password into the source code and inadvertently push the code into a public or unsecured private repository from where they can be accessed relatively easily.

"Organizations should make MFA mandatory for accessing SharePoint and other critical systems to prevent unauthorized access even if credentials are compromised," Pal explains. "Monitor repositories on a regular basis for exposed credentials, sensitive data, or misconfigurations, and enforce security best practices across all teams."

Akhil Mittal, senior manager of cybersecurity at Synopsys Software Integrity Group, says incidents like the one Fortinet experienced show why it's a mistake for organizations to leave security around their cloud assets entirely to cloud service providers. "Organizations should rethink how they store customer data in shared drives, ensuring critical information is kept separate from less sensitive files," he says.

It's a good idea too to encrypt sensitive data both in transit and at rest, to mitigate damage even if attackers gain access. Mittal perceives continuous monitoring of cloud assets as fundamental to protecting them. "Applying zero-trust principles to third-party platforms also ensures no external service is trusted automatically, reducing the risk of unauthorized access," he adds.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!