Negotiation fails: Threat actor leaks 440 GB of data from Fortinet’s Sharepoint

CloudSEK TRIAD
September 17, 2024
Green Alert
Last update posted on September 17, 2024

Category:  Adversary Intelligence | Industry: IT & Technology | Motivation: Financial | Region: USA/North America | Source: A1

Executive Summary

On 12 September 2024, CloudSEK's XVigil platform discovered a threat actor named “Fortibitch” leaking 440GB of data allegedly exfiltrated from Fortinet's SharePoint repository. The actor attempted to extort the company but, after unsuccessful negotiations, released the data. It remains unclear if ransomware was used in the breach, as it was not mentioned by the actor. "Fortibitch" referenced the Ukrainian hacking group DC8044, though no direct connection is established between them. Based on available information, it is believed with medium confidence that the threat actor is based in Ukraine.

Analysis and Attribution

Information from the Post

  • On 12 September 2024, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor with the moniker “Fortibitch” who leaked 440GB of data allegedly harvested from Fortinet’s SharePoint repository.

[Figure: Threat actor posting 440 GB of data exfiltrated from Fortinet’s SharePoint repository on a hacking forum]

  • The actor stated in the post that they had attempted to negotiate with the leadership of the affected company, without success. As part of their extortion strategy, they have now leaked the data exfiltrated from Fortinet. The threat actor also mentions two Fortinet acquisitions, Next DLP and Lacework, which operate in the data loss prevention and cloud security sectors respectively.
  • It is unclear whether Fortinet servers were infected by ransomware, as the threat actor who posted the data did not mention the use of ransomware.
  • The threat actor mentioned a few groups in the thread, the most interesting of them being DC8044, a local hacking group based out of Ukraine. The threat actor “Fortibitch” has collaborated with DC8044 in the past. DC8044 socials:
    • https://x.com/dc8044_cr3w
    • https://t.me/DC8044
  • There are no direct links between “Fortibitch” and DC8044, but the tone suggests a history between the two. Based on the available information, we assess with medium confidence that the threat actor is based out of Ukraine.
  • There is a fair chance that the data obtained from Fortinet was not critical in nature. If it were, the threat actor would likely have tried to sell the data to interested buyers; however, we did not observe any sales threads related to it. Our investigation is ongoing.
  • The leaked data includes employee resources, finance documents, HR documents from India, product offering, US sales, professional services and marketing documents, as well as customer information. The sensitivity and contents of the data indicate that it was indeed exfiltrated from a SharePoint server belonging to Fortinet.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: SEP 2024
Reputation: 0 (joined the forum just to post this leak)
Current status: ACTIVE
History: The user has been operating as a black hat, focused on extortion after data exfiltration.
Rating: Medium

Appendix

[Figure: Data exfiltrated from Fortinet’s SharePoint repository]

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division
