
On Friday, February 9, Fortinet disclosed a critical out-of-bounds write vulnerability affecting its FortiOS SSL VPN. The flaw can lead to remote code execution and may already have been exploited. Users are urged to upgrade to fixed versions of affected products. If users need to use a workaround until upgrading is possible, Fortinet recommends disabling SSL VPN, as disabling webmode will not be sufficient. Last week, Fortinet disclosed two critical vulnerabilities in FortiSIEM and backtracked on a story about Internet-connected toothbrushes being used to launch a distributed denial-of-service (DDoS) attack.
Where there is smoke, there is fire. Fortinet has been in the news for so many exploits. I’m sure many people started looking at what has been compromised and used it as a roadmap to find bugs. Expect this to happen to other manufacturers in the news, such as SonicWall, Ivanti, F5, and more. Other manufacturers that haven’t been in the news aren’t immune; it’s just about how many eyes look at what.
CVE-2024-21762, an out-of-bounds write, has a CVSS score of 9.8 and is listed in the NIST KEV catalog with a fix or discontinue date of 2/16/24. The workaround, disabling the SSL VPN, isn't going to win you any points; you need to plan your update. Note FortiOS 7.6 is not affected, and if you're on FortiOS 6.0 you need to migrate to a fixed version. While the Internet-connected toothbrushes story was fake, it's a good conversation starter about what you do and don't want Internet connected, and how to approach security in that type of environment.
FortiGuard
The Register
Security Week
SC Magazine
The Record
NVD
The US Federal Communication Commission (FCC) has adopted a new rule requiring telecommunications companies and VoIP providers to notify authorities within seven days of detecting a breach. The organizations that will need to be notified include the FCC, the FBI, and the Secret Service. The new rule also states that covered organizations must notify affected customers “without unreasonable delay … and in no case more than 30 days following reasonable determination of a breach.” If organizations “determine that no harm to customers is reasonably likely to occur,” they do not need to notify customers.
I’m sure there will be much lobbying to delay the requirement or weaken the language (which has plenty of wiggle room) but this one is long overdue.
The rule change expands breach notification rules to cover not just Customer Proprietary Network Information (CPNI) but all forms of PII and goes into effect on March 13th. It also eliminates the requirement for carriers to notify customers of a breach in cases where they can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. Talk to your telecommunication/VoIP providers about modifications/impacts to their reporting process and make sure they have accurate reporting information for you.
We are long past the stage where companies can proclaim after a breach that they "take security seriously" but are then left to self-regulate how they manage security. The time for self-regulation is over and this new disclosure rule is one of many new regulations in the US, the EU, the UK, and indeed in other jurisdictions that will require companies to prove they take "security seriously" and take accountability for their actions.
Telecoms are such core infrastructure; seven days may be appropriate. However, we have seen legislation in the past in countries like India that failed to implement this. I suspect we will see exceptions like usual.
Seven days, 96, 72, 48-hours… the federal government seems to be all over the place in establishing data breach notification rules. Wouldn’t it be more efficient and clearer to private companies if the government were to settle on a single data breach reporting rule across every industry vertical? Sounds like the perfect job for the Office of the National Cyber Director.
A coordinated international law enforcement effort has led to the arrest of two individuals in connection with the Warzone remote access trojan (RAT). The effort also took down the RAT’s associated website and domains used to sell the malware. One of the suspects was arrested in Malta; the other was arrested in Nigeria.
The Warzone RAT, aka Ave Maria RAT, was being licensed for between $16 and $38/month. The two gentlemen have been both marketing and providing support for the RAT from June 2019 to March 2023. They face extradition and, if convicted, up to 10 years in prison and a hefty fine. Somewhat ironic considering one is a Nigerian prince. If you were a victim of the Warzone RAT, head over to the FBI's Warzone RAT Victim Reporting form: https://wzvictims.ic3.gov. RAT mitigations include keeping software, including EDR, updated, having a good firewall, strong passwords (better still MFA), and not opening suspicious attachments or links. If your email provider has attachment security/link filtering, enable it.
These days cyber-crime is international, and the law enforcement response must be as well. What’s interesting is that one of the suspects worked as a trusted insider to obtain needed information to attack. Insider threat is the most difficult to defend against. Revisit your physical and personnel security processes and how they support a well-established cybersecurity program.
Security Week
SC Magazine
Europol
Justice
Mortgage lending company Planet Home has disclosed that its network became infected with ransomware last year. The attack targeted Planet Home’s Citrix systems in mid-November. The company sent notification letters to affected customers in late January. Planet Home experienced a separate MOVEit-related breach earlier in 2023.
The takeaway quote: “While Planet had implemented multiple layers of security tools designed to prevent this type of unauthorized access…” “Security in Depth” is just “Spending in Depth” when you put layers of security without first putting down the foundation “Essentially Security Hygiene” which includes patching critical vulnerabilities in core infrastructure quickly.
Planet Home was the recipient of LockBit ransomware courtesy of the Citrix Bleed flaw. While affected customers are being notified, if you're a Planet Home customer, don't wait for the notice to get credit monitoring/restoration service. Not a bad time to verify that your shop patched Citrix Bleed, in all environments.
A ransomware attack targeted the Hipocrate Information System (HIS), which some Romanian hospitals use to manage patient data and other information. HIS is offline and its data encrypted. The incident has caused system outages at 21 Romanian hospitals; numerous other hospitals removed their connectivity out of caution. The affected hospitals are using paper records during the downtime. Most of the affected hospitals have backups that are no more than three days old.
The attackers used Backmydata ransomware, which is a variant from the Phobos ransomware family. Interestingly, the individual hospitals have backups of their data in the HIS systems; all but one are 3 days old, and the one is 12 days old. Here is an interesting topic to dive deep on: have you got backups from your outsourced providers, and could you use those backups for service restoration? If not, could you change that answer?
A supply chain attack against a widely used software application. What’s unfortunate is that for many of the hospitals, the backups appear to have been stored locally and are themselves affected. Given this attack it seems a prudent reminder for organizations to maintain an instance of recovery data off-line as described by CIS Control 11.4.
Another example of how those behind cyberattacks are criminals motivated purely by greed and who have no remorse for those impacted by their attacks.
Patient data and other information should always be isolated from each other.
ExpressVPN has temporarily removed the split-tunneling feature from the most recent version of their Windows app (v. 12.73.0) to fix “an issue that may have left some users’ DNS requests unprotected.” The problem was introduced in a version of the app that was released in May 2022 (12.23.1).
Split tunneling, or running multiple VPNs at a time, is always dangerous and it often isn't clear how packets, in particular DNS requests, are routed. One should also always test VPNs occasionally by inspecting traffic leaving the system to verify any assumptions about how packets are being routed (do not overlook IPv6!).
Typically, enabling the VPN changes your DNS configuration to use the VPN's so that you can resolve services provided "behind" the VPN. That also means those DNS requests are routed over the encrypted VPN tunnel, and therefore secure. By forcing full tunnel, DNS traffic is forwarded to ExpressVPN's DNS responders rather than your local/ISP responder. The downside is local network resources (printers, NAS, servers) will not be reachable.
Security Week
Bleeping Computer
ExpressVPN
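The editors' advice to inspect the traffic actually leaving the system can be scripted. The following is an added example, not code from the editors or from ExpressVPN: it reads outbound DNS queries from `tcpdump -i any -nn port 53` style output and reports any query that left on an interface other than the assumed tunnel interface `tun0` or went to a resolver outside the assumed VPN resolver set, IPv6 included. The interface name, resolver addresses and capture lines are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed values (hypothetical, not ExpressVPN's): the VPN tunnel interface and its resolvers.
VPN_IFACE = "tun0"
VPN_RESOLVERS = {"10.8.0.1", "fd00:8::1"}

# Matches outbound DNS queries in "tcpdump -i any -nn port 53" output (IPv4 and IPv6), e.g.
# "12:00:01.000001 tun0  Out IP 10.8.0.2.51234 > 10.8.0.1.53: 1001+ A? example.com. (29)"
LINE_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+Out\s+IP6?\s+\S+?\.\d+\s+>\s+(?P<dst>\S+?)\.53:\s+"
    r"\d+\+?\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)"
)

@dataclass
class DnsLeak:
    iface: str      # interface the query actually left on
    resolver: str   # resolver it was sent to
    qtype: str
    qname: str
    reason: str

def find_dns_leaks(capture_lines, vpn_iface=VPN_IFACE, vpn_resolvers=VPN_RESOLVERS):
    """Return one DnsLeak per outbound query that bypassed the tunnel or its resolvers."""
    leaks = []
    for line in capture_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # responses, non-DNS packets and noise are ignored
        reasons = []
        if m["iface"] != vpn_iface:
            reasons.append(f"left via {m['iface']}, not {vpn_iface}")
        if m["dst"] not in vpn_resolvers:
            reasons.append(f"sent to non-VPN resolver {m['dst']}")
        if reasons:
            leaks.append(DnsLeak(m["iface"], m["dst"], m["qtype"], m["qname"], "; ".join(reasons)))
    return leaks

# Constructed capture: one clean query over the tunnel, its response, then three leaks.
SAMPLE_CAPTURE = [
    "12:00:01.000001 tun0  Out IP 10.8.0.2.51234 > 10.8.0.1.53: 1001+ A? example.com. (29)",
    "12:00:01.000002 tun0  In  IP 10.8.0.1.53 > 10.8.0.2.51234: 1001 1/0/0 A 93.184.216.34 (45)",
    "12:00:02.000003 eth0  Out IP 192.168.1.10.40000 > 192.168.1.1.53: 1002+ A? intranet.local. (32)",
    "12:00:03.000004 eth0  Out IP6 2001:db8::10.40001 > 2001:4860:4860::8888.53: 1003+ AAAA? example.com. (32)",
    "12:00:04.000005 tun0  Out IP 10.8.0.2.51235 > 8.8.8.8.53: 1004+ A? example.org. (29)",
]

if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"LEAK {leak.qtype} {leak.qname} via {leak.iface} -> {leak.resolver}: {leak.reason}")
```

In practice, pipe `tcpdump -i any -nn -l port 53` through this while resolving a few names with and without split tunneling enabled; DNS over TLS (853) or DNS over HTTPS (443) needs a separate check.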
The US Cybersecurity and Infrastructure Security Agency (CISA) has teamed up with the Open Source Security Foundation (OpenSSF) to publish a framework for package repository security. The document, titled Principles for Package Repository Security, “defines four levels of security maturity of package repositories across four categories of capabilities: authentication, authorization, general capabilities, and command-line interface (CLI) tooling.”
This has been a long time coming. Read up on WordPress plugins in which maintainers had fatigue, so attack groups offered to “help maintain the package.” Only once the ownership was transferred was it converted into a mechanism to spread backdoors.
OpenSSF
OpenSSF
The Hacker News
CISA
Health insurance-related data of millions of French citizens were exposed via breaches of two payment processors, Viamedis and Almerys, which are used by multiple insurers. The breaches occurred in late January, five days apart. France’s data protection agency, the Commission Nationale de l'Informatique et des Libertés (CNIL), is investigating. The breaches reportedly did not affect banking or medical information.
A very targeted attack with the likely aim of retrieving credit card or banking institution numbers. While they failed in that objective, the cybercriminals did retrieve valuable information to support identity theft. Unfortunately, it has become all too common practice for commercial companies to retain every shard of information about customers.
The breached data includes marital status, date of birth, social security number, and the name of the health insurer. The insurers are directly responsible for notifying affected users. The big concern is that the pilfered data could be combined with other breached data for identity theft.
The Record
Dark Reading
CNIL
The US Government Accountability Office (GAO) has disclosed that a breach at third-party contractor CGI Federal exposed data belonging to 6,600 current and former employees. In a separate story, a breach of third-party service provider Infosys McCamish Systems (IMS) compromised Bank of America customer data.
The LockBit ransomware gang is taking credit for the IMS breach. BofA is declining to comment on this incident, and while they will notify affected customers, my advice is to be proactive on credit monitoring/identity restoration services. I am proactive here because my information has been breached previously.
Third parties rarely require peer access to your network. Consider running third party connections, apps, services, and servers, in “padded cells,” (to include end-to-end application layer encryption) designed to prevent harm to themselves or others.
Exploit Against Unnamed BYTEVALUE Router Vulnerability Included in Mirai
MSIX With Heavily Obfuscated PowerShell Script
https://isc.sans.edu/diary/MSIX+With+Heavily+Obfuscated+PowerShell+Script/30636
Senior Executives Targeted in Ongoing Azure Account Takeover
https://www.darkreading.com/cloud-security/senior-executives-targeted-ongoing-azure-account-takeover
CISA Partners With OpenSSF To Secure Software Repositories
PostgreSQL Vulnerability
https://www.postgresql.org/support/security/CVE-2024-0985/
Microsoft Defender Bypass via Comma
Too Many Honeypots
https://vulncheck.com/blog/too-many-honeypots
ClamAV Command Injection Vulnerability CVE-2024-20328
https://amitschendel.github.io/vulnerabilites/CVE-2024-20328/
ExpressVPN DNS Leaks