13 September 2024


Fortinet confirms data breach | Cyber Intelligence Briefing: 13 September


Top news stories this week

  1. Fortibreach. Fortinet experiences data breach and declines ransom payment.
  2. TfL takedown. Teenager arrested over London transport authority cyber attack.
  3. WhisperGate. Russian cyber-spies charged and accused of cyber attacks on Ukraine and its allies.
  4. School’s out. US and UK schools disrupted by cyber attacks.
  5. No silver bullet. Ransomware group uses legitimate cyber security tool to kill EDR solutions.
  6. Patching season. Microsoft, Ivanti, and SonicWall release patches.
1. Fortinet confirms data breach impacting a small subset of its customers

US cyber security firm Fortinet confirmed it suffered a data breach involving unauthorised access to a third-party cloud-based shared file drive hosted on Microsoft Azure SharePoint, after a threat actor claimed on a hacking forum to have stolen 400 GB of data. Fortinet has refused to pay the ransom and said the breach affected less than 0.3% of its customer base and had no impact on its corporate network.

So what?

Organisations should conduct regular assessments of data held by third parties and ensure robust security configurations are in place, such as enabling admin-only consent for applications to safeguard sensitive information.

[Researcher: Lawrence Copson]
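The "admin-only consent" recommendation above maps to one setting in a Microsoft Entra ID tenant: the permission-grant policies assigned to the default user role. The script below is an added example (not Fortinet's, Microsoft's or S-RM's code) that evaluates that setting from an authorizationPolicy document. The two sample documents are constructed; in practice the live document comes from GET /policies/authorizationPolicy in Microsoft Graph (Policy.Read.All), and the two policy identifiers are the built-in ones Microsoft uses for "users can consent to any app" and "users can consent to low-risk permissions from verified publishers".

```python
"""Assess Entra ID user-consent settings from an authorizationPolicy document.

Added example; the helper names are hypothetical. The sample documents below
are constructed to mirror the shape of the Microsoft Graph resource.
"""
import json

# Built-in permission-grant policies that can appear in
# defaultUserRolePermissions.permissionGrantPoliciesAssigned.
# An EMPTY list means users cannot consent at all, i.e. admin-only consent.
USER_CONSENT_ALL_APPS = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
USER_CONSENT_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"


def classify_user_consent(policy: dict) -> str:
    """Return a short label for the tenant's user-consent mode."""
    perms = policy.get("defaultUserRolePermissions", {})
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    if not assigned:
        return "admin-only"
    if USER_CONSENT_ALL_APPS in assigned:
        return "users-any-app"
    if USER_CONSENT_LOW_RISK in assigned:
        return "users-low-risk-verified"
    return "custom"  # tenant-defined permissionGrantPolicy objects; review each one


def assess(policy: dict) -> dict:
    """Compare the consent configuration with the admin-only recommendation."""
    mode = classify_user_consent(policy)
    findings = []
    if mode == "users-any-app":
        findings.append("Users may consent to any application requesting any permission; "
                        "restrict to admin-only consent.")
    elif mode == "users-low-risk-verified":
        findings.append("Users may consent to low-risk permissions from verified publishers; "
                        "admin-only consent is the stricter setting.")
    elif mode == "custom":
        findings.append("Custom permission-grant policies are assigned; review their scope.")
    perms = policy.get("defaultUserRolePermissions", {})
    # Tenant default is True, so treat a missing field as permissive.
    if perms.get("allowedToCreateApps", True):
        findings.append("Users may register applications; consider limiting app registration "
                        "to administrators.")
    return {"mode": mode, "compliant": mode == "admin-only", "findings": findings}


# Constructed sample: permissive tenant (users consent to anything, can create apps).
SAMPLE_WEAK = json.loads("""{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "permissionGrantPoliciesAssigned": [
      "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
    ]
  }
}""")

# Constructed sample: hardened tenant (admin-only consent, no user app registration).
SAMPLE_HARDENED = json.loads("""{
  "id": "authorizationPolicy",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": false,
    "permissionGrantPoliciesAssigned": []
  }
}""")

if __name__ == "__main__":
    for label, doc in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = assess(doc)
        print(f"{label}: mode={result['mode']} compliant={result['compliant']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run the script directly to see both samples assessed; point `assess()` at the parsed Graph response to check a real tenant. The empty-list convention is the detail most often misread: an absent or empty `permissionGrantPoliciesAssigned` is the hardened state, not a misconfiguration.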


2. Teenager arrested over London transport authority cyber attack

UK police arrested a 17-year-old boy in connection with the cyber attack against Transport for London (TfL), London’s transport authority. The UK National Crime Agency said the teenager, who has been released on bail, was detained on suspicion of offences under the Computer Misuse Act 1990.

So what?

This incident underscores the vulnerability of public infrastructure to cyber attacks and demonstrates that such threats can originate through various threat actors, including young individuals.

[Researcher: Waithera Junghae]


3. Russian cyber-spies charged and accused of cyber attacks on Ukraine and its allies

The US issued indictments and offered a USD 10 million bounty for five Russian military intelligence officers and one civilian over their alleged involvement with the data-wiping WhisperGate campaign which Russia conducted in January 2022, before its ground invasion of Ukraine. The indicted officers belonged to the Russian military Unit 29155, which has been linked to high-profile espionage and sabotage campaigns against Ukrainian allies around the world.

So what?

As Russia's devastating and prolonged war in Ukraine continues with no signs of abating, cyber attacks on Ukraine and its allies are expected to continue.

[Researcher: Milda Petraityte]


4. Significant cyber attacks force schools in the US and UK to shut down

Highline Public Schools in Washington State closed their doors to students after their systems were compromised in a cyber attack. Many activities, such as sporting events and meetings, have been cancelled, and school facilities are expected to remain inaccessible to students while the forensic investigation continues.

Separately, Charles Darwin Secondary School in London has sent students home after being hit by a ransomware attack. The school has been informed that restoring access to emails, student M365 accounts, and other school systems is expected to take three weeks. The extent of the data accessed by the threat actor is also yet to be confirmed.

So what?

Trends indicate an increase in cyber attacks impacting the education sector, as the sensitive data held by these institutions makes them desirable targets.

[Researcher: Adelaide Parker]


5. RansomHub group uses legitimate cyber security tool to kill EDR solutions

The prolific ransomware group RansomHub is abusing a tool developed by Russian cyber security company Kaspersky, named TDSSKiller, to disable Endpoint Detection and Response (EDR) solutions on victim devices. The tool, designed to detect a type of malware known as rootkits, is being used to kill defences before the deployment of ransomware.

So what?

It is important to ensure that any EDR solution deployed in your environment has anti-tamper settings enabled, so that threat actors cannot disable it.

[Researcher: David Broome]
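Because TDSSKiller is a signed, legitimate tool, prevention alone is not enough; its execution is also worth alerting on, since a rootkit remover has little reason to run on a managed endpoint outside a planned clean-up. The script below is an added example (not S-RM's, Kaspersky's or any vendor's detection content) that triages process-creation events for TDSSKiller executions and raises the severity on context that points to staging rather than administrative use. The event lines are constructed and loosely follow Sysmon Event ID 1 field names; the parent-process and staging-directory lists are assumptions to tune for your environment.

```python
"""Triage process-creation events for executions of TDSSKiller.

Added example with hypothetical helper names. Events are constructed JSON
lines whose field names mirror Sysmon Event ID 1 (Image, CommandLine,
ParentImage, User, Computer); adapt the field mapping for your own telemetry.
"""
import json
from pathlib import PureWindowsPath
from typing import Optional

# Binaries that can stop or unload security services and are rarely run on managed hosts.
WATCHED_BINARIES = {"tdsskiller.exe"}

# Parents that seldom launch a rootkit remover legitimately (assumption for this example).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "psexesvc.exe", "rundll32.exe"}

# Path fragments typical of staging rather than installation (assumption for this example).
STAGING_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\",
                "\\perflogs\\", "\\windows\\temp\\")


def triage_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the event is a watched binary, else None."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    if name not in WATCHED_BINARIES:
        return None
    reasons = [f"execution of {name}, a tool capable of stopping security services"]
    score = 1
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by scripting/remote-execution parent {parent}")
        score += 1
    if any(fragment in image.lower() for fragment in STAGING_DIRS):
        reasons.append("binary staged in a user-writable or temporary directory")
        score += 1
    if event.get("User", "").upper().endswith("\\SYSTEM"):
        reasons.append("running as SYSTEM")
        score += 1
    severity = {1: "medium", 2: "high"}.get(score, "critical")
    return {"host": event.get("Computer"), "severity": severity,
            "reasons": reasons, "command_line": event.get("CommandLine")}


def triage_log(lines) -> list:
    """Parse JSON-lines events and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = triage_event(event)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: one benign process, one staged execution from a
# scripting parent as SYSTEM, and one run of an installed copy by an analyst.
SAMPLE_LOG = r"""
{"Computer": "WS-0117", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe", "CommandLine": "notepad.exe notes.txt"}
{"Computer": "WS-0117", "Image": "C:\\Users\\Public\\tdsskiller.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "tdsskiller.exe <arguments omitted>"}
{"Computer": "SRV-SEC01", "Image": "C:\\Program Files\\Kaspersky\\TDSSKiller.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\analyst", "CommandLine": "TDSSKiller.exe"}
"""

if __name__ == "__main__":
    for alert in triage_log(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity'].upper()}] {alert['host']}: {alert['command_line']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The scoring deliberately alerts on every execution of the binary (medium by default) so that a planned clean-up is still recorded, and escalates only on the combination of a scripting parent, a staging directory and SYSTEM privileges. Pair this with the anti-tamper check itself: on hosts running Microsoft Defender, the `IsTamperProtected` field returned by `Get-MpComputerStatus` reports whether tamper protection is on.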


6. Tech giants release patches for security flaws

Microsoft has released patches for 79 security flaws in September’s Patch Tuesday update. This includes seven vulnerabilities that are rated as critical and three that are actively exploited in the wild. Ivanti has also released a patch for a critical remote code execution vulnerability.

Separately, CISA has warned that ransomware groups are exploiting a SonicWall remote access vulnerability (CVE-2024-40766) and recommended that affected organisations patch immediately.

So what?

Affected organisations should patch immediately and conduct investigations to identify if the vulnerabilities have been exploited on their systems.

[Researcher: Jon Seland]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
