In May, a Dutch NCSC report revealed a more extensive Chinese state-sponsored espionage campaign than previously believed, with 20,000 FortiGate edge devices believed to have been breached, and the British National Health Service (NHS) faced a cyber-attack on its pathology provider, Synnovis.

In other news, Tenable discovered what they describe as a high-severity vulnerability in Azure that may expose private data, and EUROPOL and law enforcement agencies across Europe and the US launched an international effort to disrupt popular ransomware and malware delivery platforms, while the FBI recovered over 7,000 LockBit decryption keys following their takedown of the LockBit infrastructure in early 2024.

New/Improved Techniques

WiFi Positioning System (WPS) Tracking

Security researchers at the University of Maryland have proven that it is possible to leverage Apple’s WiFi Positioning System (WPS) to track devices globally, including Starlink systems – potentially exposing military movements and devices in conflict zones.

WPS collects the locations of Wi-Fi access points in range to assist in device geo-location, as a low-power alternative to GPS that also works where satellite coverage is unavailable. These Basic Service Set Identifiers (BSSIDs) are uploaded to Apple and can be requested via an open API with no rate limiting, allowing the researchers to quickly build location maps of BSSIDs that can be used to track movements. This highlights significant privacy concerns, as Wi-Fi access points could be tracked without consent, revealing the movements of individuals and the positions of sensitive locations.

The researchers were able to use this to pinpoint Starlink devices in active warzones, and the same approach could be used to reveal important strategic locations and troop movements. Google have for some time offered the ability to avoid being added to BSSID lists by appending ‘_nomap’ to a WiFi network name, and Apple have followed suit following the release of this research.

Attacks / Threats

[Global] 20,000 FortiGate Edge Devices Breached

A new report published by the Dutch NCSC, in collaboration with the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), shows that the Chinese state-sponsored espionage campaign targeting Western governments and militaries using the Coathanger remote access trojan (RAT) is much more extensive than previously believed.

The report suggests that the state-sponsored actor was aware of a 2022 critical-rated (9.3/10) remote code execution (RCE) vulnerability for months before it was announced by Fortinet, and managed to infect 14,000 devices in this zero-day period alone. Although new infections are not possible thanks to the security patch released by Fortinet, the patch was unable to remediate already breached devices, with the malicious actors retaining persistent access to them. Even with a full technical report available, the Coathanger malware is extremely difficult to identify and remove from systems, and in many cases full replacement is required, leading researchers to speculate that a significant number of breached FortiGate edge devices are likely still active in networks worldwide.

[US] Okta Credential Stuffing

Identity and access management giant Okta have warned that their SaaS management solution, Customer Identity Cloud, is being targeted by wide-scale credential stuffing attacks. Credential stuffing is a technique where malicious parties obtain credential sets from previous breaches and then try them against other systems, looking for accounts where the password has been re-used, which is why unique passwords and multi-factor authentication should always be used.

Okta first identified the attacks in mid-April and has attempted to proactively warn their customers. These attacks follow a similar campaign earlier in the year, in which residential proxies (those designed for home users) were used in an attempt to obfuscate credential stuffing attempts originating from the TOR network. The current wave of attacks is hitting URLs that customers have configured within their Okta tenant to accept authentication requests for cross-site access, and Okta has identified a large number of these as no longer required, left over from improperly decommissioned resources. Okta has provided guidance indicating that customers should review their configurations and remove any URLs they no longer need.
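Credential stuffing stands out in authentication logs by username diversity per source rather than repeated failures on one account. The following detection logic is an added example (not Okta's code or log format) that runs over constructed sample events and flags a source IP that tries many distinct usernames inside a short window:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events in a hypothetical format, not real Okta logs:
# (timestamp, source_ip, username, outcome)
SAMPLE_EVENTS = [
    ("2024-05-10T10:00:01", "203.0.113.7", "alice@example.com", "FAILURE"),
    ("2024-05-10T10:00:02", "203.0.113.7", "bob@example.com", "FAILURE"),
    ("2024-05-10T10:00:03", "203.0.113.7", "carol@example.com", "FAILURE"),
    ("2024-05-10T10:00:04", "203.0.113.7", "dave@example.com", "FAILURE"),
    ("2024-05-10T10:00:05", "203.0.113.7", "erin@example.com", "SUCCESS"),
    # One user retrying their own password: not stuffing, must not be flagged
    ("2024-05-10T10:00:06", "198.51.100.4", "alice@example.com", "FAILURE"),
    ("2024-05-10T10:00:20", "198.51.100.4", "alice@example.com", "FAILURE"),
    ("2024-05-10T10:00:40", "198.51.100.4", "alice@example.com", "SUCCESS"),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Flag source IPs that attempt at least `min_users` distinct usernames
    within any `window`-long span. Returns {ip: {"users": n, "successes": [...]}}
    so responders can see which accounts the stuffing actually got into."""
    per_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        per_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    alerts = {}
    for ip, rows in per_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide `start` forward so rows[start:end+1] spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                alerts[ip] = {
                    "users": len(users),
                    "successes": sorted(u for _, u, o in span if o == "SUCCESS"),
                }
    return alerts
```

Successful logins inside a flagged span are the accounts to force a password reset and MFA enrolment on first.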

[UK] The NHS Attacked – Blood Matching Unavailable

The UK’s National Health Service (NHS) has issued urgent calls for blood donors of the universally accepted O positive and O negative blood types, following a cyber-attack on its pathology provider, Synnovis, impacting multiple hospitals in the London area. Synnovis provide the system that enables hospitals to match donor and recipient blood types, and without it all non-urgent procedures have been delayed and some urgent surgeries are being delayed awaiting new donations. So far nearly 1,600 operations and outpatient appointments have been cancelled in Southeast London alone.

Synnovis has been focused on recovery but noted that a full return to business as usual may take months, as they work to restore their systems one by one. A Russian group known as Qilin, which has a history of double-extortion tactics, is believed to be behind the attack, but no technical details or ransom demand have been revealed.

Naughty List

Azure Firewall Rule Bypass

Security researchers at Tenable have discovered what they describe as a high-severity vulnerability in Azure that may expose private data. The vulnerability allows an attacker to bypass firewall rules based on Azure Service Tags by crafting forged requests that originate from trusted Azure services, abusing the Service Tags a customer has allowed through their firewall wherever no additional authentication or validation controls are in place.

Service Tags are groups of IP addresses for Azure services that are used for firewall filtering and IP-based Access Control Lists (ACLs). The vulnerability was initially discovered in the Azure Application Insights service but has been found to affect at least 10 other Azure services. The impact is significant because it lets an attacker use server-side requests from trusted Azure services to impersonate them and bypass network controls based on Service Tags, which are often used to prevent public access to Azure customers’ internal assets, data, and services.

Microsoft has addressed the issue by producing documentation that explains the intended usage patterns for Service Tags, and has stated that this is not a vulnerability, as Service Tags were never intended to be a security boundary. Service Tags are intended as a routing mechanism to be used in conjunction with validation controls, and Microsoft have advised that anyone relying on them for security should review their configuration.
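The following Python is an added illustration (not from Tenable's write-up or Microsoft's documentation) of the difference Microsoft's guidance points at: an allow decision that trusts a Service Tag's IP range alone, beside one that also requires a per-caller HMAC over the request body. The IP range and secret are constructed placeholders, not real Azure values.

```python
import hashlib
import hmac
import ipaddress

# Constructed stand-in for a Service Tag's ranges (RFC 5737 test space, NOT a
# real Azure range). A real tag covers Azure-owned addresses that *any* tenant's
# workload in that service may source traffic from, so source IP alone does not
# identify the caller.
SERVICE_TAG_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical secret shared only with the specific caller we actually trust.
EXPECTED_KEY = b"tenant-shared-secret-constructed"


def source_in_service_tag(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SERVICE_TAG_RANGES)


def is_allowed_weak(src_ip: str) -> bool:
    """The pattern the finding abuses: the Service Tag is the only gate, so a
    request another tenant triggers from the tagged service is let through."""
    return source_in_service_tag(src_ip)


def sign(body: bytes, key: bytes = EXPECTED_KEY) -> str:
    """HMAC-SHA256 over the body; the legitimate caller computes this with
    the shared key and sends it in a header."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def is_allowed_hardened(src_ip: str, body: bytes, signature: str) -> bool:
    """Service Tag narrows the network path; the HMAC proves the caller holds
    our secret. A forged request from inside the tag fails the second check."""
    if not source_in_service_tag(src_ip):
        return False
    # Constant-time comparison so the check does not leak the expected value
    return hmac.compare_digest(sign(body), signature)
```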

Operation Endgame

EUROPOL and law enforcement agencies across Europe joined forces with the US authorities to announce Operation Endgame, the largest ever international effort to disrupt the most popular ransomware and malware delivery platforms. Hundreds of law enforcement officers worldwide coordinated efforts to take down 100 servers, seize over 2,000 malicious domains, arrest four suspects, and issue an additional eight arrest warrants.

As a result of the efforts, Have I Been Pwned (a website for checking credentials against data breaches) was supplied with 16 million email addresses and 13 million unique passwords, which have been made available for free to affected domain owners. One suspect alone is believed to have made $74 million USD from renting out malicious infrastructure known to have infected millions of devices worldwide. Tens of millions of dollars in cryptocurrency and other assets were seized, and more arrests and warrants are expected.

FBI Recovers LockBit Keys

The FBI have announced that they have recovered over 7,000 LockBit decryption keys after their takedown of the LockBit infrastructure in early 2024. The LockBit group were back up and running within a week of the takedown, with new infrastructure and domains. While they continue to target victims across the globe, the cache of captured keys may allow hundreds of victims to recover their data.

The number of decryption keys closely matches the number of reported LockBit victims since the group moved to their 3.0 encryptor in mid-2022. Attacks using the 3.0 encryptor are believed to have generated in excess of 1 billion USD in ransom payments. In response to the takedown, LockBit have been aggressively leaking stolen data, and have recently claimed responsibility for a ransomware attack on Canadian pharmacy chain London Drugs.

Although it seems as though these malicious groups have no issues rising from the ashes each time their infrastructure is seized, authorities are confident in their strategy. Even if arrests cannot be made, the disruptions are incredibly costly for these groups.