Fortinet, a multinational cybersecurity firm and the world’s seventh largest retail IT company, has confirmed that it’s been hacked, according to reports. The news of this major breach at a company whose business model is built on keeping corporate networks safe is an ominous sign of where digital security is headed now. The company’s data on customers was exposed.
The Breach: A Targeted Attack on Fortinet
The threat actor who took credit for the breach went by the name ‘Fortibitch’ and claimed to have stolen some 440 GB of sensitive data from Fortinet’s server on Microsoft Azure SharePoint. The attacker also posted access credentials to what appeared to be an Amazon S3 bucket containing the stolen data on a hacking forum, as if to offer the now-compromised information to the broader criminal underground.
Fortinet acted quickly, confirming that an unauthorized third party had broken into a ‘third-party cloud-based shared file drive’ and that customer data had been compromised. The company has not yet disclosed the details of the breach, but according to preliminary reports, less than 0.3 percent of its customer base was affected. Fortinet says there is ‘no evidence that any activity, malicious or otherwise, has targeted customers.’
Fortinet’s Immediate Response
After the breach was discovered, Fortinet promptly took steps to minimize the fallout. The firm elaborated on its response in its incident report, stating that it was:
- Launching an immediate investigation: A full internal investigation was launched to find out the extent of the data breach and how the attacker had managed to gain access to the systems.
- Terminating unauthorized access: Fortinet was quick to sever the unauthorized access path the intruder used to get inside.
- Reporting the breach to law enforcement: The breach was reported to law enforcement authorities and computer emergency response teams around the world to assist in the response.
- Enlisting external forensic suppliers: Fortinet hired an external forensics supplier to confirm its findings and assess the actual fallout from the attack.
So far, those steps have helped contain the attack; and while Fortinet’s response has reduced the immediate threat, the company is still evaluating the full downstream impact of the breach.
Cybersecurity Companies Under Siege: A Growing Trend
Not only are there more cyberattacks than ever before, but their scale, frequency, and sophistication have grown sharply over the past several years. For instance, the IBM 2023 Cost of a Data Breach Report put the global average cost of a data breach at an unprecedented $4.45 million, highlighting a persistent financial trend with regard to cyber incidents. Consider the following:
- Ransomware accounted for 28 percent of breaches in 2023, and 94 percent of all ransomware attacks last year targeted backup files to make it harder to recover data.
- There has also been a rise of more than 50 percent in supply-chain attacks as attackers look to exploit a trusted software vendor or third-party software provider.
- According to Check Point Software, the global average of weekly cyberattacks per organization increased by 38 percent in 2022, marking a clear jump in threat actor activity across industries.
These statistics support the notion that the risk of cyberattacks is increasing, and even cybersecurity firms have to evolve and improve their defenses regularly.
That Fortinet – a company in the business of keeping others safe from cyberattacks – fell victim to just such an attack was, therefore, doubly alarming and, in its way, representative of a growing trend. In recent years, firms in the business of defending others against cyberattacks have increasingly fallen victim to them. They offer a ripe target for threat actors because they hold sensitive data about their own operations as well as about their customers.
Notable Cybersecurity Breaches in Recent History Targeting Cybersecurity/Technology Companies
- FireEye (2020): Another global cybersecurity company, FireEye, experienced a breach in which the attacker accessed FireEye’s Red Team tools (tooling that simulates attacks on computer systems), which the company’s cyber-simulation teams used to perform penetration tests for clients so that vulnerabilities could be identified beforehand. The incident was eventually attributed to a nation-state and sent a serious signal to the cyber community.
- SolarWinds (2020): SolarWinds isn’t a pure-play, publicly traded security company; it’s a technology company whose supply-chain attack compromised many security vendors and enterprises. Malware was slipped into an Orion software update, giving attackers an undetected way to access many other companies for months after.
- Kaseya (2021): A vulnerability in its remote management platform for managed services providers impacted tens of thousands of organizations and their customers, encrypting files and demanding a ransom payment of $70 million.
- Okta (2023): Okta, a leading identity and access management provider, also revealed that hackers managed to breach its support case management system and possibly customer data by accessing attached files to support cases in 134 customers’ accounts.
- LastPass (2023): The popular password manager LastPass released an announcement detailing the aftermath of a cyberattack that exposed its development environment after the credentials of a developer account were compromised. No customer data was corrupted, but the incident shows that password management is not impenetrable.
- Ivanti (2024): Another high-profile entry in the zero-day misery club came from the security solutions provider Ivanti, which revealed that thousands of its Connect Secure VPN devices were being exploited via zero days.
- Cloudflare (2024): Cloudflare, a content delivery and web security company, reported that a group of unidentified attackers, after obtaining employees’ passwords through an external phishing campaign, pivoted into its internal networks and systems. While Cloudflare reported that no customer information or intellectual property was stolen, the event was one more recent example of the real-world risk to even the most ‘hardened’ cybersecurity organizations.
These breaches highlight the reality that no organization is completely safe from cyber threats, even those specializing in the defense against them.
Lessons Learned: Fortinet’s Breach and the Broader Implications
Fortinet’s breach teaches the world a valuable yet too infrequently discussed lesson: nobody is immune to cyberattacks, not even cybersecurity leaders such as Fortinet. This incident highlights several important lessons for the security community.
1. The Importance of Cloud Security
The breach appears to have taken place through a third-party, customized cloud-based file-sharing application, which shows that cloud services are a vulnerable link in many organizational cybersecurity frameworks. Companies should use a combination of cloud security controls, such as data encryption, identity and access management (IAM) and multi-factor authentication (MFA).
2. The Need for Regular Audits and Penetration Testing
Conducting security audits for clients is the business of security companies such as Fortinet, but internal audits and penetration testing are also warranted to detect vulnerabilities in their own systems. The Fortinet breach shows that regular security checks – especially of third-party applications and shared workspaces – are a must.
3. The Value of Rapid Incident Response
Fortinet’s quick response, including shutting down unauthorized access and notifying relevant authorities, helped mitigate further damage. Rapid incident response is essential in minimizing the impact of a breach, and organizations should ensure they have predefined incident response plans in place.
4. Transparency and Customer Communication
Fortinet’s quick and open communication about the breach and swift notification of potentially affected customers are correct practices during a crisis of this nature. They are part of what might be called ‘epistemic trust,’ the principles of communication about events that are not entirely under your control. Such communication can serve to sustain or even build trust and may ameliorate the possibility of reputational damage.
Moving Forward: Proactive Measures for Cybersecurity Companies
As the digital world grows in both size and complexity, its impact on business, along with digitally enabled crime, is ever-increasing. Cybersecurity organizations have to become more proactive as they strive to protect their own environments and those of their clients. A key element of this proactive stance is threat intelligence. It’s all well and good to build a fortified castle with moats and high walls, but it only becomes really powerful when intelligence about the enemy is added to the mix. Threat intelligence is the process of gathering, analyzing, and acting on information about any element that might constitute a future threat, be it natural, malevolent, or accidental in nature. It helps defenders stay one step ahead of the adversary (threat actor) by learning their tactics, techniques, and procedures (TTPs), identifying vulnerabilities and mitigating risk proactively before they can cause significant damage.
Threat intelligence provides an understanding of the current threat landscape combined with an actionable course of action for organizations. Through ongoing analysis of hacker activity, identification of emerging threats, and the supply of context, companies can prepare for upcoming incidents. Key elements of threat intelligence include:
- Indicators of Compromise (IOC) discovery: looking for IPs, domains, hashes, and file signatures that could be an ‘indication of compromise,’ meaning an attack is imminent or already underway.
- TTPs of Threat Actors: Exploring the shifting tactics that cybercriminals use to attack systems, such as phishing, ransomware, or zero-day exploits.
- Providing Real-Time Alerts: Anticipating threats and issuing security warnings to cybersecurity teams so they can take appropriate measures as early as possible to contain a threat before it worsens.
One of the main takeaways from the Fortinet breach, however, is that threat intelligence can be employed from a prevention standpoint to catch threats early. We can better ride out cyberattacks if we monitor for threats across the attack surface and apply what we’ve learned from past incidents.
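As an added illustration of the IOC discovery step above (example code written for this article, not ThreatMon’s or Fortinet’s), the following normalises a constructed, defanged indicator feed and checks constructed log lines for IP, domain and hash matches; all indicator values and log lines are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed IOC feed (hypothetical values). Feeds are often shipped
# "defanged" (hxxp://, [.]) and in mixed case, so normalise before matching.
RAW_IOCS = {
    "ip": ["203[.]0[.]113[.]45"],
    "domain": ["Malicious-Update[.]example"],
    "sha256": ["0123456789ABCDEF" * 4],
}

def refang(value: str) -> str:
    """Undo common defanging and lower-case so comparisons are exact."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

IOCS = {kind: {refang(v) for v in values} for kind, values in RAW_IOCS.items()}

# Extractors for the three indicator kinds the text names.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)

@dataclass
class Hit:
    line_no: int
    kind: str
    value: str

def scan(lines):
    """Return every IOC hit, checking each log line against all indicator kinds."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, pattern in (("ip", IP_RE), ("domain", DOMAIN_RE), ("sha256", SHA256_RE)):
            for match in pattern.findall(line):
                if match.lower() in IOCS[kind]:
                    hits.append(Hit(n, kind, match.lower()))
    return hits

# Constructed sample logs: a proxy line, a file-share audit line, an EDR line, a benign line.
SAMPLE_LOGS = [
    "2024-09-12T10:01:02Z proxy allow user=alice dst=malicious-update.EXAMPLE:443",
    "2024-09-12T10:03:17Z share download file=q3.xlsx src_ip=203.0.113.45",
    "2024-09-12T10:05:40Z edr file_created sha256=" + "0123456789abcdef" * 4,
    "2024-09-12T10:06:00Z proxy allow user=bob dst=updates.example.org:443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} indicator matched: {hit.value}")
```

Each hit carries the line number and indicator kind so it can be turned into the kind of real-time alert the next bullet describes.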
How ThreatMon Can Help
ThreatMon is a next-generation threat intelligence and monitoring platform that gives companies deep insight into threat actor behavior and malicious activity, helping them stay a step ahead of attackers.
ThreatMon enables organizations to:
- Real-Time Threat Detection: With its sophisticated monitoring capabilities, ThreatMon spots suspicious activity in real time, using statistical algorithms and machine learning to detect anomalies. It can sound the alarm and send reports of abnormal behavior to security teams, alerting them to threats before an attack cripples the company.
- Unified Threat Acknowledgement: ThreatMon aggregates attack and system-compromise data from honeypots, other external threat feeds and internal historical incident data, forming consolidated threat intelligence that supports decision-making about current threats and the TTPs of those behind the attacks. Real-time processing, automatic decision-making, and incident remediation: ThreatMon identifies attacks and system compromises in real time and automatically executes your security policy, allowing teams to respond to and mitigate an incident immediately.
- Incident Response Assistance: Should an attack occur on your system, ThreatMon’s detailed Incident Reports, forensic-level analysis and root cause analysis will guide your security team in tackling the incident immediately and effectively. The platform also offers post-incident insights to help your organization prevent a repeat of the incident.
- Pro-Active Threat Hunting: One of the most advanced use cases for ThreatMon is pro-active hunting, the ability to comb through network traffic, server logs, and endpoint behavior, looking for indicators of compromise, disruption or counterattacks before they escalate into a major issue.
- Preventing Cloud-Based Attacks: Since Fortinet’s breach was first discovered via a third-party cloud platform, ThreatMon’s emphasis on cloud environments becomes even more important. ThreatMon provides the elements necessary for cloud monitoring, with an extensive set of features for monitoring cloud assets for vulnerabilities, unauthorized access, and suspicious activity.
- Data Correlation and Attack Surface: ThreatMon empowers organizations to triage large amounts of security data quickly and accurately, helping them focus on the threats that pose the greatest risk. ThreatMon does this by correlating threat data and identifying the attack surface, so that security teams are alerted quickly to their most urgent problems.
The breach of Fortinet shows cybersecurity has a few hard lessons to learn. Everyone in this industry needs to adopt a heightened level of paranoia – rigorously using the very best threat intelligence tools available – to stay ahead of the threat. The days of simply reacting to threats, no matter who you are or what you’re defending, are over. You must be hunting in order to stay ahead of the bad guys. You must continuously improve your defenses based on real-time threat intelligence data.
ThreatMon – which offers actionable insights, continuous monitoring for emerging threats, and full incident response support for its partners, enabling them to take a proactive stance against future breaches and minimize the impact of incidents as and when they occur – is one such platform available to organizations that are serious about safeguarding their data and reputation. When the stakes are so high, nothing short of best-practice threat intelligence will do.