Almost 300,000 email addresses and customer management numbers were recently leaked from Toyota, one of the largest automakers in the world by revenue. The breach was the result of a third-party subcontractor publishing credentials to a publicly accessible GitHub repository. The repository hosted source code for the company’s “T-Connect” infotainment system, and the credentials in question were an access key for a T-Connect server. Given how long the key had reportedly been exposed (since 2017), the limited scope of the leak could be seen as fortunate. The attacker was also unable to obtain other sensitive information such as customer names, phone numbers and credit card details – another potential silver lining. As a result, any attempt to use the obtained information in a phishing attack is weakened, but it remains a possibility. To calm customer nerves, Toyota informed all those affected by email about the breach and has set up a page where customers can verify whether their email address has been leaked.
The root cause of this breach was sensitive information hard-coded into application source code. This is a common occurrence in data breaches, as developers tend to find it a quick and easy way to handle authentication, rather than adopting secure practices such as retrieving credentials from a secrets or access key management service. The news follows recent cases of source code theft from large corporations such as Intel and LastPass, both of which have been victims of hacks that leaked sensitive source code. It highlights the importance of ensuring application source code is both developed and stored securely, limiting the security risks organisations are exposed to.
As previously mentioned, it is best practice to ensure sensitive credentials are never hard-coded into source code and are instead provisioned through a credential provider such as AWS’ HPC vault or Secrets Manager. Another alternative would be to prompt for a user password to authenticate to the relevant service; this could be done through mechanisms such as single sign-on or OpenID Connect. Ensuring code repositories are not publicly available would also have mitigated the risk of a breach occurring in this instance. Hosting critical data in private repositories keeps the security risk to organisations as low as possible.
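The two practices discussed above, catching hard-coded credentials before they reach a repository and resolving them at runtime instead, are illustrated by the following added example. It is not Toyota's code or anything from the T-Connect repository; the sample source file, the patterns and the `load_credential` helper are all constructed for this page. The AWS access key ID shape (`AKIA`/`ASIA` followed by 16 characters) and the two sample key values are AWS's own published documentation examples; the other patterns are generic assignment heuristics.

```python
import math
import os
import re
from collections import Counter
from dataclasses import dataclass

# Credential shapes that should never appear as literals in a repository.
# The AWS access key ID format is public; the other two are generic
# "name = 'value'" assignment heuristics (constructed for this example).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"][A-Za-z0-9/+=]{40}['\"]"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Lines that fetch the value at runtime are the pattern we want, not a finding.
RUNTIME_LOOKUPS = ("os.environ", "getenv(", "get_secret_value(")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    entropy: float   # bits per character of the matched text
    excerpt: str


def shannon_entropy(value: str) -> float:
    """Bits per character; real keys score high, placeholder strings score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return one Finding per line that looks like a hard-coded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if any(marker in line for marker in RUNTIME_LOOKUPS):
            continue  # value is resolved at runtime, not stored in the file
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, line_no, kind,
                                        round(shannon_entropy(match.group(0)), 2),
                                        line.strip()[:80]))
                break  # one finding per line is enough for a pre-commit check
    return findings


def load_credential(name: str, env=None) -> str:
    """The hardened pattern: resolve the secret at runtime from the environment
    (populated by a secrets manager or vault) and fail loudly if it is absent."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"credential {name!r} was not provisioned at runtime")
    return value


# Constructed sample of a file a contractor might commit; not real project code.
SAMPLE_SOURCE = "\n".join([
    "import os",
    "import requests",
    "",
    "# Constructed example of what should never be committed:",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'db_password = "hunter2hunter2"',
    "",
    "# The safe form: the value is resolved at runtime, never stored in the repo.",
    'api_token = os.environ["TCONNECT_API_TOKEN"]',
])

if __name__ == "__main__":
    for f in scan_text("tconnect/server.py", SAMPLE_SOURCE):
        print(f"{f.path}:{f.line_no} [{f.kind}] entropy={f.entropy} {f.excerpt}")
```

Run as a pre-commit hook over staged files, `scan_text` would block the three literal assignments while letting the `os.environ` lookup through; `load_credential` is the shape the application code should take, with the secrets manager or vault populating the process environment at deploy time rather than the repository carrying the value.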
Fortinet are a widely known cyber security solutions provider headquartered in Sunnyvale, California. They are probably best known for their range of network devices and firewalls. Their devices run their proprietary software, FortiOS, which is at the centre of the identified vulnerability. Tracked as CVE-2022-40684, the vulnerability impacts FortiOS versions 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1. FortiProxy versions 7.0.0 to 7.0.6 and 7.2.0 are also impacted. The issue directly affects FortiGate firewalls, FortiProxy web proxies and the FortiSwitchManager switch management product.
The vulnerability grants an attacker the ability to log on to vulnerable devices using a specially crafted HTTP or HTTPS request, leaving a large scope for exploitation. Any publicly facing administrative portal on the affected firewalls and proxy devices is at risk. The popularity of Fortinet and their products means they are a common entry point for attackers seeking initial access to a network before pivoting to other internal assets.
Fortinet were very quick to release information on how to remediate or work around the issue. Currently, their security advisory recommends upgrading to the following versions of their products
They have also provided workarounds for customers who are unable to apply the updates. Most workarounds involve disabling the HTTP/HTTPS administrative interface or restricting the IP addresses that can reach the interface through the device's configuration.
Given Fortinet’s popularity in the cyber security industry, malicious actors looking for new methods of obtaining initial access to sensitive internal networks may have found their answer. Although that popularity may draw unwanted attention, Fortinet’s speedy remediation and workaround releases reduce the exploitation risk and help ensure their customers remain secure.
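As an added example of auditing for the first workaround above (disabling web administrative access on exposed interfaces), the following script is not Fortinet's tooling and not from the advisory; it parses a constructed FortiOS-style `config system interface` snippet, flags every interface whose `allowaccess` list still includes `http` or `https`, and emits the CLI that strips them. The CLI keywords (`config system interface`, `edit`, `set role`, `set allowaccess`, `unset allowaccess`, `next`, `end`) are standard FortiOS syntax; the interface names and roles are assumptions, and the parser only handles a flat block without nested sub-configs. The second workaround, limiting source IP addresses, is not covered here.

```python
# Constructed FortiOS-style snippet; interface names and roles are assumptions.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set role wan
        set allowaccess ping https ssh http
    next
    edit "port2"
        set role lan
        set allowaccess ping https ssh
    next
    edit "port3"
        set role lan
        set allowaccess ping ssh snmp
    next
end
"""

ADMIN_WEB = {"http", "https"}


def parse_interfaces(config_text: str) -> dict:
    """Minimal parser for a flat 'config system interface' block.
    Returns {interface_name: {"allowaccess": [...], "role": str | None}}."""
    interfaces = {}
    in_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            interfaces[current] = {"allowaccess": [], "role": None}
        elif current and line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = line.split()[2:]
        elif current and line.startswith("set role "):
            interfaces[current]["role"] = line.split()[2]
        elif line == "next":
            current = None
        elif line == "end":
            break  # end of the (flat) interface block
    return interfaces


def audit_admin_exposure(interfaces: dict) -> list:
    """Flag every interface still serving the web admin GUI.
    A WAN-facing interface is the case the advisory's workaround targets."""
    findings = []
    for name, props in interfaces.items():
        exposed = sorted(ADMIN_WEB & set(props["allowaccess"]))
        if exposed:
            severity = "critical" if props["role"] == "wan" else "warning"
            findings.append((name, severity, exposed))
    return findings


def remediation_cli(name: str, allowaccess: list) -> str:
    """Emit the CLI that keeps every access method except http/https."""
    kept = [t for t in allowaccess if t not in ADMIN_WEB]
    access_line = (f"        set allowaccess {' '.join(kept)}" if kept
                   else "        unset allowaccess")
    return "\n".join([
        "config system interface",
        f'    edit "{name}"',
        access_line,
        "    next",
        "end",
    ])


if __name__ == "__main__":
    interfaces = parse_interfaces(SAMPLE_CONFIG)
    for name, severity, exposed in audit_admin_exposure(interfaces):
        print(f"{severity.upper()}: {name} exposes {', '.join(exposed)}")
        print(remediation_cli(name, interfaces[name]["allowaccess"]))
```

Fed a full configuration backup, the audit separates the WAN-facing interface that the advisory is really about from LAN-side exposure, and the generated CLI removes only the web GUI methods so that SSH and ping management still work while the device waits for the upgrade.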