Negotiation fails: Data analysis of 440GB leak from Fortinet Sharepoint

On 12 September 2024, CloudSEK’s XVigil found threat actor "Fortibitch" leaking 440GB of data from Fortinet’s SharePoint after failed extortion. While ransomware use is unclear, the actor mentioned Ukrainian group DC8044, but no direct link is confirmed. It’s believed with medium confidence that the actor is based in Ukraine.

CloudSEK TRIAD (CloudSEK Threat Research and Information Analytics Division)
September 17, 2024
Green Alert
Last update posted on September 24, 2024

Category:  Adversary Intelligence | Industry: IT & Technology | Motivation: Financial | Region: USA/North America | Source: A1

Executive Summary

On 12 September 2024, CloudSEK's XVigil platform discovered a threat actor named “Fortibitch” leaking 440GB of data allegedly exfiltrated from Fortinet's SharePoint repository. The actor attempted to extort the company and, after unsuccessful negotiations, released the data. The actor's post does not mention ransomware, so it is unclear whether any was used in the breach. "Fortibitch" referenced the Ukrainian hacking group DC8044, though no direct connection between the two has been established. Based on the available information, it is assessed with medium confidence that the threat actor is based in Ukraine.

This blog has been updated after analysis of the leaked data for impact; please refer to the Analysis section.

Analysis and Attribution

Information from the Post

  • On 12 September 2024, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor with the moniker “Fortibitch” who leaked 440GB of data allegedly harvested from Fortinet’s SharePoint repository.

Threat actor posting 440GB of data exfiltrated from Fortinet’s SharePoint repository on a hacking forum

  • The actor states in the post that they attempted to negotiate with the leadership of the affected company, without success. As part of their extortion strategy, they have now leaked the data exfiltrated from Fortinet. The threat actor also mentions two Fortinet acquisitions, Next DLP and Lacework, which operate in the data loss prevention and cloud security sectors respectively.
  • It is unclear whether Fortinet servers were infected by ransomware, since the threat actor who posted the data did not mention the use of ransomware.
  • The threat actor mentions a few groups in the thread, the most interesting of them being DC8044, a local hacking group based in Ukraine. The tone of the post suggests that “Fortibitch” has interacted with DC8044 in the past. DC8044 socials:
    • https://x.com/dc8044_cr3w
    • https://t.me/DC8044
  • There are no direct links between “Fortibitch” and DC8044, but the tone suggests a history between the two. Based on the available information, we assess with medium confidence that the threat actor is based in Ukraine.
  • There is a fair chance that the data obtained from Fortinet was not critical in nature. Had it been, the threat actor would likely have tried to sell it to interested buyers; however, we did not observe any sales threads related to it. Our investigation is ongoing.
  • The leaked data includes employee resources, finance documents, HR documents from India, product offering, US sales, professional services and marketing documents, as well as customer information. The sensitivity and contents of the data indicate that it was indeed exfiltrated from a SharePoint server belonging to Fortinet.

Here is a detailed overview of the types of data that can be accessed:

  • EDR Alerts and Dashboard Information: Internal alerts related to various environments, hosted on a locally accessible dashboard tied to enSilo. In the hands of an attacker, this information provides visibility into the organization’s internal threat detection and response, potentially allowing them to understand weaknesses and bypass defenses.
  • Anti-Phishing Council Details: Information about the members and rules of a cybersecurity initiative. This could be exploited to target individuals involved in anti-phishing efforts.
  • Client Signed NDAs and Agreements: Confidential client contracts and agreements. An attacker could use this sensitive legal and business information for extortion, fraud, or reputation damage.
  • Packet Captures: Network packet captures from internal environments. These could allow attackers to analyze traffic, identify vulnerabilities, and launch targeted attacks based on network data.
  • Network Diagrams and Configurations: Detailed network topology diagrams, firewall configurations, logs, and backups. This data offers insight into network architecture and security settings, making it easier for attackers to identify entry points, misconfigurations, and plan lateral movement.
  • RCA (Root Cause Analysis) and Incident Reports: Detailed post-incident reports that outline vulnerabilities and security incidents. Attackers could leverage this information to exploit known weaknesses or re-target specific vulnerabilities that have not been fully mitigated.
  • Internal Email Dumps: Access to internal emails. These could provide attackers with sensitive communications, giving insight into internal operations, potential spear-phishing opportunities, and additional entry points for further compromise.
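Sizing a dump of this kind for impact starts with sorting its files into the artifact classes listed above, since a handful of firewall backups or private keys matter far more than gigabytes of marketing decks. The script below is an added example of that first-pass triage; it is not CloudSEK's tooling, and every file name and file body in it is a constructed sample rather than material from the leak. It classifies on content first (libpcap/pcapng magic bytes, the `#config-version=` header that FortiGate configuration exports begin with, PEM private-key markers, RFC 822 mail headers) and falls back to file extension, and it escalates a firewall config to critical when it carries `set ... ENC` credential lines.

```python
"""Leak-dump triage: sort files from an exfiltrated repository into the artifact
classes discussed above (packet captures, firewall configs, private keys, email
dumps, network diagrams) and surface the ones that need immediate action.

Added example, not CloudSEK's tooling. SAMPLE_DUMP below is constructed data.
"""
import re
from collections import Counter

# libpcap magic (both byte orders, micro- and nanosecond variants) and the
# pcapng section-header block type.
PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d")
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# FortiGate configuration exports start with a '#config-version=' line.
FGT_CONFIG_RE = re.compile(rb"^#config-version=", re.M)
# Credentials stored inside a FortiGate config look like: set psksecret ENC <blob>
FGT_SECRET_RE = re.compile(rb"^\s*set (?:password|passwd|psksecret|private-key) ENC ", re.M)
EMAIL_HDR_RE = re.compile(rb"^(?:From|Received|Message-ID|Subject): ", re.M)


def classify(name: str, data: bytes) -> tuple[str, str]:
    """Return (category, severity) for one file: content first, file name second."""
    head = data[:4096]
    if head.startswith(PCAP_MAGICS) or head.startswith(PCAPNG_MAGIC):
        return "packet_capture", "high"
    if PEM_KEY_RE.search(head):
        return "private_key", "critical"
    if FGT_CONFIG_RE.search(head):
        # Topology alone is high; embedded (even encrypted) credentials are critical.
        sev = "critical" if FGT_SECRET_RE.search(data) else "high"
        return "firewall_config", sev
    lower = name.lower()
    if lower.endswith((".eml", ".msg", ".pst")) or EMAIL_HDR_RE.search(head):
        return "email", "medium"
    if lower.endswith((".vsdx", ".vsd", ".drawio")):
        return "network_diagram", "high"
    return "other", "low"


def triage(files: dict[str, bytes]) -> dict:
    """Summarise a dump: per-category counts plus critical/high items, worst first."""
    counts, urgent = Counter(), []
    for name, data in files.items():
        cat, sev = classify(name, data)
        counts[cat] += 1
        if sev in ("critical", "high"):
            urgent.append((sev, cat, name))
    urgent.sort(key=lambda item: (item[0] != "critical", item[2]))
    return {"counts": dict(counts), "urgent": urgent}


# Constructed sample dump (hypothetical paths and contents, not real leak data).
SAMPLE_DUMP = {
    "captures/branch-office.pcap": b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 16,
    "captures/dc.pcapng": b"\x0a\x0d\x0d\x0a\x1c\x00\x00\x00\x4d\x3c\x2b\x1a",
    "backups/fw-hq.conf": (
        b"#config-version=FGT60F-7.0.12-FW-build0523-230425:opmode=0:vdom=0\n"
        b"config system global\n    set hostname fw-hq\nend\n"
        b"config vpn ipsec phase1-interface\n    edit \"to-branch\"\n"
        b"        set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXX\n    next\nend\n"
    ),
    "backups/fw-lab.conf": (
        b"#config-version=FGT60F-7.0.12-FW-build0523-230425:opmode=0:vdom=0\n"
        b"config system global\n    set hostname fw-lab\nend\n"
    ),
    "keys/api.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEfakebase64\n-----END RSA PRIVATE KEY-----\n",
    "mail/export.eml": b"From: alice@example.test\nSubject: RCA draft\n\nbody\n",
    "diagrams/core.vsdx": b"PK\x03\x04" + b"\x00" * 8,
    "hr/handbook.docx": b"PK\x03\x04" + b"\x00" * 8,
}

if __name__ == "__main__":
    report = triage(SAMPLE_DUMP)
    for cat, n in sorted(report["counts"].items()):
        print(f"{cat:16s} {n}")
    for sev, cat, name in report["urgent"]:
        print(f"[{sev.upper():8s}] {cat:16s} {name}")
```

Content-based checks come before extension checks deliberately: a leaked archive rarely preserves meaningful names, and a `.txt` that opens with `#config-version=` is still a firewall backup. On a real dump the same two functions would be fed by walking the extracted tree and reading the first few kilobytes of each file.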

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: September 2024
Reputation: 0 (joined the forum only to post this leak)
Current status: Active
History: Operates as a black-hat actor focused on extortion following data exfiltration.
Rating: Medium

Appendix

Data exfiltrated from Fortinet’s SharePoint repository
Samples of customer data leaked from Fortinet’s SharePoint
