Fortinet reported unauthorized access to a third-party cloud-based file drive affecting a limited APAC customer base. A threat actor claimed to have exfiltrated 440 GB via Azure SharePoint and an S3 bucket, but the authenticity of the claim is unverified and Fortinet says operations remained unaffected. #Fortinet #IntelBroker
Key points
- Incident Acknowledgment: Fortinet reported unauthorized access to a third-party cloud service.
- Impact: Affected a small number of customers, primarily in the Asia-Pacific region.
- Threat Actor Claims: A hacker claimed to have accessed 440 GB of data from Fortinet’s Azure SharePoint.
- Verification Issues: The authenticity of the threat actor’s claims remains unverified, raising skepticism among users.
- Fortinet’s Response: The company communicated with affected customers and implemented security measures to prevent further breaches.
- Additional Claims and Scrutiny: Forum discussions and IntelBroker’s involvement added to questions about claim validity.
MITRE Techniques
- [T1078] Initial Access – Use of compromised credentials to gain unauthorized access.
- [T1041] Data Exfiltration – Threat actor claims to have exfiltrated data to an S3 bucket.
- [T1003] Credential Dumping – Use of valid credentials to access sensitive data.
Indicators of Compromise
- [Cloud Storage] Azure SharePoint – data claimed to have been exfiltrated and files accessed on Fortinet’s third-party instance; 440 GB mentioned
- [Cloud Storage] S3 bucket – data hosted on an S3 bucket; access via S3 client rather than a browser
- [Threat Actor] IntelBroker, CyberNiggers – referenced as Dark Web actors involved in discussions about the breach
- [Forum/Platform] BreachForums – platform referenced in discussions about the breach
Read more: https://socradar.io/fortinet-data-breach-what-we-know-so-far/