Another day, another data leak: Fortinet and the security lessons learned

In September this year, network security solutions provider Fortinet suffered a data leak which exposed VPN login names and passwords. The exact number of credentials isn’t known. Fortinet said in a blog post that 87,000 had been impacted, while the publication Bleeping Computer put the number at half a million.

According to Fortinet, the credentials were obtained from systems that remain unpatched against FG-IR-18-384 / CVE-2018-13379 – a bug uncovered in 2018 which is now on the Cybersecurity and Infrastructure Security Agency’s (CISA’s) list of the top 30 most-exploited flaws. Fortinet released a patch in 2019, but even devices that were patched at the time remained vulnerable if the passwords were not changed afterwards, because credentials harvested before the patch stayed valid.

The business of PR

The credentials were published by a threat actor known as ‘Orange’, who is the administrator of the newly launched RAMP hacking forum (believed to be a representative of the new Groove ransomware operation) and a previous operator of the Babuk ransomware operation. In other words, a pretty formidable cybercriminal.

Because the credentials were leaked for free, some saw the move as an attempt by the new group to boost awareness of itself. In other words, criminal gangs are partaking in PR. And Groove didn’t stop there: in another effort to raise its profile and cause alarm, just last month the gang published a Russian-language blog post calling on all other ransomware operations to target the US.

Lucky escape

As well as being a possible publicity stunt, the Fortinet breach was also a genuine cyber-attack that had the potential to cause a lot of damage. The major risk is that leaked credentials could be used to access corporate VPNs and, therefore, internal networks, in order to exfiltrate data, launch ransomware or other malware, and carry out other disruptive activities.

In particular, events from the past year have demonstrated the chaos that can ensue if an organisation falls victim to a ransomware attack. Indeed, 2021 has seen two particularly devastating events – the attacks on Colonial Pipeline and JBS (the global meatpacking company). Ransomware shut down both companies’ operational capacity, leaving lasting implications such as shortages and rising prices. What’s more, a staggering amount of money was handed over – the bosses of each organisation paid $4.4 million and $11 million respectively, proving just how critical robust cybersecurity measures can be.

Together we are stronger

Luckily, the consequences of the Fortinet data breach weren’t quite so disastrous. However, even months on, the breach should be a wake-up call to everyone in the industry. What can we learn from this? It’s important for vendors to share information about threats, breaches, patches and the like, because together we are stronger.

Sharing threat intelligence helps mitigate cyber threats. It reduces duplication of effort and allows one vendor’s detection to become another organisation’s prevention. Indeed, the European Union Agency for Cybersecurity (ENISA) states ‘information sharing between is an important aspect for cyber security.’ With this in mind, Clavister adheres to ENISA’s best practices for knowledge sharing.

Protect your data at all costs

Even with threat intelligence sharing in place, any breach involving a security vendor will always be concerning, given that such a company is entrusted with protecting data. It highlights where vulnerabilities can exist within security setups and shows how important it is to be able to trust your cybersecurity provider.

Vendors have a duty to regularly patch their products and to leverage their knowledge of and insight into cyberattacks and techniques to ensure their offerings aren’t vulnerable. Fortinet was breached just one month prior to the September incident, indicating that despite knowing about the vulnerabilities, they found it difficult to patch all affected devices. There’s no doubt that cybercriminals are stealthy but, at Clavister, we are dedicated to ensuring nothing like this ever happens to our customers.

That said, a cybersecurity strategy requires input from customers too. Good security posture takes more than simply investing in solutions; it requires ongoing management, such as patching and regular password refreshes. As part of this, a cybersecurity strategy ought to consider the three crucial elements outlined in our blog: the challenges of remote working, European security for European businesses and, finally, having the correct training in place for staff.

The news of the Fortinet breach, coupled with the fact that 68% of business leaders feel their cybersecurity risks are increasing, shows the power cybercriminals have and their ability to outsmart even some vendors. Ultimately, companies of all shapes and sizes need to wake up to the very real possibility of an attack and bolster their defences against the ever-evolving capabilities of criminals, together with a cybersecurity partner they fully trust. That’s us.

If you’re interested in hearing about how Clavister can help you stay on top of cyber threats and increase business productivity, get in touch here.