Fortinet confirms data breach, extortion demand

Fortinet confirmed a threat actor stole data belonging to a small number of customers from a third-party cloud-based shared file drive, but many questions remain.

Fortinet confirmed it suffered a data breach, though it's unclear what types of data the threat actor obtained.

The security vendor published a blog post Thursday evening that disclosed an unknown threat actor gained unauthorized access to a limited number of files stored on a third-party cloud-based shared file drive. Fortinet said the attacker did not breach its corporate network and that the incident did not affect operations or services. 

Fortinet is one of the largest cybersecurity vendors in the industry, offering firewalls, secure access service edge (SASE), extended detection and response (XDR), and VPN products. In recent years, Fortinet VPNs have come under frequent attack by threat actors that have exploited several vulnerabilities in the products to gain access to victim organizations.

Thursday's disclosure confirmed that Fortinet has already notified affected customers, as well as law enforcement.

"An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers," Fortinet wrote in the blog post. "To date, there is no indication that this incident has resulted in malicious activity affecting any customers."

Cyber Daily initially reported the breach on Thursday and said the incident affected Fortinet's Asia-Pacific customers. While Fortinet did not disclose those details, it did provide a statement to Cyber Daily and additional media outlets, including TechTarget Editorial, on other aspects of the breach. 

"An individual gained unauthorized access to a limited number of files stored on Fortinet's instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers, and we have communicated directly with customers as appropriate," the statement read. "To date there is no indication that this incident has resulted in malicious activity affecting any customers. Fortinet's operations, products, and services have not been impacted."

Security researchers first spotted a post on a widely known cybercrime forum in which a threat actor claimed to have 440GB of data leaked from Fortinet's Azure SharePoint instance. The threat actor stated the data was available in their AWS S3 bucket for other forum members to access.

The forum post also claimed that Fortinet cut off negotiations and refused to pay a ransom. The threat actor called out Fortinet co-founder and CEO Ken Xie and questioned why the company had not filed a Form 8-K with the U.S. Securities and Exchange Commission to disclose the breach.

While Fortinet has not confirmed those details, the company did say there was no ransomware or encryption involved in the incident. The blog post also said the company does not believe the incident will have a material impact on its financial condition or operating results.

"After identifying the incident, we immediately began an investigation, contained the incident by terminating the unauthorized individual's access, and notified law enforcement and select cybersecurity agencies globally. A leading external forensics firm was engaged to validate our own forensics team's findings," the blog post said. "Moreover, we have put additional internal processes in place to help prevent a similar incident from reoccurring, including enhanced account monitoring and threat detection measures."

Fortinet did not respond to requests for additional comment at press time.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
