Robin’s Newsletter #226

16 October 2022. Volume 5, Issue 42
Critical authentication bypass in Fortinet devices. NHS vendor Advanced says cyberattack was LockBit 3.0 ransomware. CSAM Scanning rebuttal.

This week

Trivial authentication bypass vulnerability in Fortinet security products

  • If you run FortiOS, FortiProxy, or FortiSwitchManager, you need to get patching, as CISA has added a critical vulnerability to their ‘known exploited’ catalogue.
  • CVE-2022-40684 scores 9.6/10.0 and is an authentication bypass, allowing attackers to gain administrative access to exploited devices. The exploit is trivial: set HTTP headers so data is ‘forwarded for’ (localhost) and a user-agent of “Report Runner” and perform API requests.
  • Those who can’t immediately patch their affected Fortinet devices should set limitations to restrict Internet access to the management interface.
  • Network security devices like this often sit on the perimeter of organisations and are a popular target for cybercriminals and those seeking unauthorised access. Threat intelligence vendor GreyNoise says it has seen unique IPs exploiting the vulnerability increase to over 40 by 14th October. Fortinet has reported that some victims have found a new administrator account created called ‘fortigate-tech-support’.
  • This sort of weakness in the authentication process shouldn’t exist in code, especially that of security control devices, and raises questions over Fortinet’s development, quality assurance and testing regimes.
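The two indicators the item describes (a forwarded-for header claiming a localhost origin, and the “Report Runner” user agent on API requests) are easy to hunt for in access logs. The following Go program is an added example written for this newsletter, not Fortinet’s code or tooling; the `Request` record, the log entries and the `/api/` path convention are constructed for the demo, and the FortiOS log schema is not modelled. It flags requests whose forwarded header asserts loopback while the real source address is not loopback, and requests carrying the Report Runner user agent on API paths.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Request is a minimal model of one HTTP request reconstructed from a
// management-interface or reverse-proxy access log. The field set is an
// assumption for this example; FortiOS's real log schema is not modelled.
type Request struct {
	SrcIP   string
	Method  string
	Path    string
	Headers map[string]string // header names lower-cased
}

// Finding records a flagged request and the reason it was flagged.
type Finding struct {
	Req    Request
	Reason string
}

// claimsLoopback reports whether a Forwarded / X-Forwarded-For value asserts a
// loopback or localhost origin, the "forwarded for localhost" pattern the item
// describes. It tolerates RFC 7239 quoting, brackets and port suffixes.
func claimsLoopback(v string) bool {
	v = strings.ToLower(v)
	if strings.Contains(v, "localhost") {
		return true
	}
	sep := func(r rune) bool { return strings.ContainsRune(",;=\"[] ", r) }
	for _, tok := range strings.FieldsFunc(v, sep) {
		host, _, err := net.SplitHostPort(tok)
		if err != nil {
			host = tok // no port present
		}
		if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
			return true
		}
	}
	return false
}

// Detect flags requests combining the indicators the item describes: a
// forwarded header claiming loopback while the real source is not loopback,
// and/or the "Report Runner" user agent on an API path.
func Detect(reqs []Request) []Finding {
	var out []Finding
	for _, r := range reqs {
		src := net.ParseIP(r.SrcIP)
		fromLoopback := src != nil && src.IsLoopback()
		fwd := r.Headers["forwarded"] + " " + r.Headers["x-forwarded-for"]
		spoofed := !fromLoopback && claimsLoopback(fwd)
		reportRunner := strings.EqualFold(strings.TrimSpace(r.Headers["user-agent"]), "report runner")
		onAPI := strings.HasPrefix(r.Path, "/api/")
		switch {
		case spoofed && reportRunner:
			out = append(out, Finding{r, "loopback spoof in forwarded header plus Report Runner user agent"})
		case spoofed:
			out = append(out, Finding{r, "forwarded header claims loopback from a non-loopback source"})
		case reportRunner && onAPI:
			out = append(out, Finding{r, "Report Runner user agent on API path"})
		}
	}
	return out
}

// SampleRequests returns constructed log entries for the demo: one normal admin
// request, one with both indicators, one with only the spoofed header, one benign.
func SampleRequests() []Request {
	return []Request{
		{"10.0.0.5", "GET", "/api/v2/cmdb/system/admin",
			map[string]string{"user-agent": "Mozilla/5.0"}},
		{"203.0.113.7", "PUT", "/api/v2/cmdb/system/admin/admin",
			map[string]string{"forwarded": "for=127.0.0.1;by=127.0.0.1", "user-agent": "Report Runner"}},
		{"198.51.100.9", "GET", "/api/v2/monitor/system/status",
			map[string]string{"x-forwarded-for": "127.0.0.1", "user-agent": "Mozilla/5.0"}},
		{"10.0.0.5", "GET", "/login",
			map[string]string{"user-agent": "Mozilla/5.0"}},
	}
}

func main() {
	for _, f := range Detect(SampleRequests()) {
		fmt.Printf("%-14s %-4s %-40s %s\n", f.Req.SrcIP, f.Req.Method, f.Req.Path, f.Reason)
	}
}
```

A forwarded header naming loopback is only meaningful when the device itself trusts it; the rule therefore keys on the mismatch between the claimed and actual source rather than on the header alone, which keeps legitimate proxied traffic from local health checks out of the results.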

LockBit 3.0 malware forced shutdown of NHS tech vendor Advanced

  • “[W]e believe the likelihood of harm to individuals is low,” said the company in an update this week, though chief operating officer Simon Short declined to say if patient data is affected or if logs existed to detect if data had been exfiltrated.
  • Mandiant and Microsoft have been working on the incident response, which is now believed to have started on 2nd August. The initial access appears to have been via a staff-rostering scheduling system running on Citrix that didn’t have multi-factor authentication enabled.
  • The attack is attributed to the LockBit 3.0 ransomware gang. However, there are no listings on the cybercrime group’s public breach site.
  • The breach resulted in severe disruption to the handling of non-emergency NHS 111 calls, amongst other services provided to over 30 NHS trusts (vol. 5, iss. 32) and over two months later some systems are still not restored.

CSAM scanning invades privacy, data doesn’t back up the harms

  • “[The] data do not support claims of large-scale growing harm that is initiated online and that is preventable by image scanning,” says Ross Anderson in his most recent paper on child sexual abuse material (CSAM) scanning.
  • Chat Control or Child Protection? is a rebuttal to a paper by Ian Levy and Crispin Robinson (of NCSC and GCHQ, respectively). It makes the point that with a 5% false positive rate, every one of Europe’s 1.6 million police officers would have 625 alarms a day from such systems to handle.
  • Instead, Anderson argues for forcing ‘big tech’ companies to improve their reporting and moderation practices to handle reports from users better.

Interesting stats

£12.2 million spent by Hackney Council in the last year as the long tail of their October 2020 breach (vol. 3, iss. 42), which left the council unable to make benefit payments, continues

60% less likely for small and medium enterprises with Cyber Essentials to make a cyber insurance claim, according to NCSC

Other newsy bits / in brief

Attacks, incidents & breaches

  • Russian missile strikes against Ukraine caused power outages and Internet disruption
  • Singtel-owned Dialog has suffered a data breach “potentially affecting fewer than 20 clients and 1,000 [employees]”. The incident is hot on the heels of fellow Australian and Singtel-owned business Optus’ data loss, which is now subject to two regulatory probes from the Australian Communication and Media Authority (ACMA) and Office of the Australian Information Commissioner (OAIC).
  • India’s Tata Power has confirmed a cyberattack affecting IT systems; operational and power generation systems were unaffected
  • Toyota exposed over 296,000 customers’ data after the auto-maker left database credentials in source code that was published to GitHub for almost five years
  • The BIOS source code for Intel’s Alder Lake CPUs has been leaked by a third party. The leak appears to be from Insyde Software Corp, a UEFI development company working with Lenovo (based on references to their products in the files) and includes private keys. Intel says it does “not rely on obfuscation of information as a security measure”
  • Attackers are apparently landing drones with wifi exploitation payloads on the roofs of victims in isolated cases (h/t Chris), @Laughing_Mantis
  • Quelle surprise: unofficial WhatsApp Android app ‘YoWhatsApp’ is stealing users’ keys
  • You’ve done an awesome job, Kevin: Personal data stolen from the Church of Jesus Christ of Latter-day Saints (Mormon church) by ‘state-sponsored’ attackers “aimed at organizations and governments around the world that are not intended to cause harm to individuals,” concludes seven-month federal investigation

Threat intel and vulnerabilities

  • A Russian-based threat group known as Eternity is behind a ‘Swiss Army knife-like’ malware-as-a-service botnet, with info stealer, ransomware, DDoS, cryptocurrency and other features, says Zscaler
  • ‘Prestige’ ransomware targeting logistics organisations in Ukraine and Poland
  • Election workers in Arizona, Pennsylvania have been subject to a ‘surge’ of malicious emails attempting to steal passwords and infect their computers with malware, ahead of the November mid-term elections, says Trellix
  • Aruba’s EdgeConnect Orchestrator has two critical vulnerabilities, the authentication bypass and arbitrary command execution issues (CVE-2022-37913, CVE-2022-37914, CVE-2022-37915) that have both been patched
  • Critical vulnerability in Siemens S7-1200 and S7-1500 PLCs, used in industrial control systems, allows the theft of “heavily guarded, hardcoded, global” cryptographic keys
  • Home user ransom is back: Magniber uses fake Windows security update prompts and JavaScript to initiate malware and demand $2,500 from victims, says HP
  • Office 365 Message Encryption uses “generally insecure” electronic codebook (ECB) cipher, and email contents may be decrypted if enough messages can be intercepted, says WithSecure. Microsoft paid out under its bug bounty scheme, but it is simultaneously “not considered meeting the bar for security servicing” (h/t Tim)
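Why ECB is “generally insecure” is easy to show: the block cipher is applied to each 16-byte block independently, so two identical plaintext blocks encrypted under the same key produce identical ciphertext blocks, and an observer who collects enough messages can match repeated content without ever recovering the key. The Go program below is an added example written for this newsletter, not WithSecure’s research code and not a reconstruction of how Office 365 Message Encryption is built; the AES-256 key, the IV and the repeated plaintext block are constructed for the demo. It encrypts the same block four times in ECB and in CBC and counts repeated ciphertext blocks in each.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Constructed demo key (AES-256) and IV. Fixed values like these are for the
// demonstration only; real code derives keys and picks IVs randomly.
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes
	demoIV  = []byte("demo-iv-16-bytes")                 // 16 bytes
)

// encryptECB runs the raw block cipher over each block independently. Go's
// standard library ships no ECB mode on purpose, so it has to be hand-built.
func encryptECB(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// encryptCBC chains each block to the previous ciphertext block, so equal
// plaintext blocks no longer give equal ciphertext blocks.
func encryptCBC(block cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// DuplicateBlocks counts ciphertext blocks that repeat an earlier block. A
// non-zero count on an unknown ciphertext is the classic passive ECB tell.
func DuplicateBlocks(ct []byte, bs int) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// Demo encrypts the same 16-byte block four times under each mode and returns
// how many repeated ciphertext blocks each produced.
func Demo() (ecbDups, cbcDups int) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	pt := bytes.Repeat([]byte("CONFIDENTIAL-16B"), 4) // four identical blocks
	ecb := encryptECB(block, pt)
	cbc := encryptCBC(block, demoIV, pt)
	return DuplicateBlocks(ecb, block.BlockSize()), DuplicateBlocks(cbc, block.BlockSize())
}

func main() {
	block, _ := aes.NewCipher(demoKey)
	pt := bytes.Repeat([]byte("CONFIDENTIAL-16B"), 4)
	fmt.Println("ECB:", hex.EncodeToString(encryptECB(block, pt)))
	fmt.Println("CBC:", hex.EncodeToString(encryptCBC(block, demoIV, pt)))
	e, c := Demo()
	fmt.Printf("repeated blocks: ECB=%d CBC=%d\n", e, c)
}
```

The ECB output shows the same 32 hex characters four times over; the CBC output does not. The same `DuplicateBlocks` check is a reasonable first triage step when reviewing an encrypted export format whose mode is undocumented.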

Cyber defence

  • Dutch court says disabling webcam to avoid intrusive video surveillance at work isn’t “insubordination” or “refusal to work” in a case brought against Florida-based software company Chetu
  • Shein fined $1.9 million by the state of New York for failing to notify 39 million users of a 2018 data breach

Public policy

  • Around 50 representatives from consumer product associations will begin discussing cyber security labels at the White House this week, as the National Security Council pushes for a scheme modelled after the Energy Star energy efficiency scheme
  • US communications, water and healthcare sectors to get new cyber security regulations aimed at improving baseline security postures
  • The Federal Communications Commission (FCC) may move to extend restrictions on Huawei and ZTE equipment, banning new devices from receiving FCC approval
  • Extension likely for implementation of India’s cyber regulations that would see an aggressive six-hour reporting objective (vol. 5, iss. 16), hints Rajeev Chandrasekhar, India’s electronics and information technology minister

Law enforcement

  • 70 suspected members of the ‘Black Axe’ group have been arrested as part of Interpol’s ‘Operation Jackal’

Mergers, acquisitions and investments

  • Thoma Bravo snaps up identity and access management firm ForgeRock for $2.3 billion, a 53% premium on the share price. The transaction marks the third acquisition for the private equity firm this year, with ForgeRock joining SailPoint (April; $6.9 billion; vol. 5, iss. 16) and Ping Identity (August; $2.8 billion; vol. 5, iss. 32)
  • Immersive Labs has raised $66 million capital towards further investment in its ‘cyber workforce resilience’ platform. (Congrats, James & the IL team!)
  • KnowBe4 to be acquired by Vista Equity Partners in a $4.6 billion cash deal
  • Vanta has raised $40 million in a Series B extension round to support R&D and go-to-market efforts for the company’s SOC and ISO27001 compliance automation platform
  • Kevin Mandia offers insight into Google’s $5.4 billion purchase (vol. 5, iss. 11) of Mandiant in an interview with reporters, “One of the things we can do best at Mandiant, combined with Google, is be that brain, be the hub for all the spokes.”

And finally

  • You might be able to read a user’s password using thermal cameras to identify their keypresses and their order, say researchers at the University of Glasgow
  • Police tricked the DeadBolt ransomware group out of 155 decryption keys for victims by exploiting logic in the ransomware operation’s payment system, blockchain congestion and low transaction fees
