Overview

Let’s first review the breach as published in many online sources. Here is the summary of what happened.

1. An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive SharePoint.
2. The files consist of employee resources, financial reports, HR documents from India, product offerings, US sales reports, professional services, marketing strategies, and customer information.
3. The attackers claimed to have tried to unsuccessfully negotiate with Fortinet and as a result released these data
4. Fortinet did not seem to comment on negotiation with attackers.
5. The attacker is alleged to be Ukraine based

 To our customers

With abundance of caution, we would like to advise our customers to follow these steps. Please note that the breach appears to be a Fortinet corporate data breach through shared file servers and does not impact the products that our customers are using.

1. Keep monitoring your domain and emails on Dark web. Using Seceon’s aiSecurity Score 360 is a terrific way to accomplish this.
2. Change the password for all users who are accessing Fortinet ASAP including VPN users. Do not limit yourself to the administration users and users with configuration change privileges.
3. Address any alerts which are raised in your environment as fast as possible but no more than 1 hour from the report. Please pay special attention to alerts where any of your Fortinet devices are involved.
4. We urge you all to have a good balance of leaning towards security risk and operational inconvenience. Based on this, please set up auto-remediation and playbooks to contain threats in near real-time.
5. Please ensure that any outbound facing public IP of the Fortinet devices are configured as your infrastructure IP. This ensures that these devices are monitored for potential security threats.
6. Please follow Fortinet provided risk mitigation plans as applicable for you.

Normal hygiene that everyone must follow

1. MFA for all the access. Tokens that are used exclusively for a specific purpose should have additional security such as the allow-listing of the IP that the token will come from.
2. Provide your users “Need to know” based access. This is important to ensure that unauthorized access is denied at the outset itself and thus preventing such large unfavorable news stories about your company.
3. Utilize Machine Learning and AI based solutions like Seceon which will learn from the environment about legitimate use and immediately detect with opportunities to instantly prevent unauthorized use.

We urge our customers and all readers to follow basic hygiene and employ a comprehensive security platform like Seceon’s aiXDR with PMaX instead of many disparate point solutions. This will help you stay ahead of the attackers and help improve your abilities to thwart the attacks more effectively.