Notification Issued Regarding Ongoing BlackMatter Ransomware Attacks

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert about continuing BlackMatter ransomware attacks.

The group has been executing attacks in the U.S. since July 2021, including attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained that links the gang to the DarkSide ransomware group, which carried out attacks between September 2020 and May 2021 and was responsible for the Colonial Pipeline attack; BlackMatter is possibly a rebrand of the DarkSide operation.

Investigations into the attacks have given the agencies crucial information about the group's tactics, techniques, and procedures (TTPs), and a sample of the ransomware has been analyzed in a sandbox environment.

The ransomware gang is known to use previously compromised credentials to gain access to victims' networks, then leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) to access Active Directory (AD) and enumerate all hosts on the network. BlackMatter then deploys the ransomware and remotely encrypts the hosts and shared drives as they are discovered. The group is also known to exfiltrate data, and usually demands ransom payments of about $80,000 to $15 million in Monero or Bitcoin.

In the joint advisory, the NSA, FBI, and CISA discuss the group's TTPs, provide Snort signatures that can be used to detect network activity associated with BlackMatter ransomware attacks, and list a number of mitigations to reduce the risk of an attack by the gang.

Mitigations consist of:

  1. Employing detection signatures to recognize and obstruct attacks in progress
  2. Utilizing strong passwords resilient to brute force attacks
  3. Using multi-factor authentication to prevent the employment of stolen credentials
  4. Patching and updating systems immediately
  5. Restricting access to resources over networks
  6. Using network segmentation and traversal monitoring
  7. Employing admin disabling tools to support identity and privileged access control
  8. Applying and enforcing backup and restoration guidelines and procedures

CISA and FBI Alert Regarding Increasing Conti Ransomware Attacks

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory about increasing Conti ransomware attacks. CISA and the FBI have observed Conti ransomware used in over 400 cyberattacks in the United States and around the world.

Like many ransomware groups, the group exfiltrates data from victims' networks before deploying the Conti ransomware. The ransom demand is accompanied by a threat to publish the stolen data if the victim does not pay. The creators of Conti ransomware run a ransomware-as-a-service operation and recruit affiliates to carry out attacks. Under this model, affiliates typically receive a share of the ransoms they help generate. Conti appears to work somewhat differently: its affiliates are paid a salary to carry out attacks.

Various techniques are used to gain access to victims' systems. A common one is spear-phishing emails with malicious attachments, such as Word documents with embedded scripts that act as malware droppers. Typically a malware variant such as IcedID or TrickBot is downloaded, giving the attackers access to the victim's systems. The attackers then move laterally inside the breached network, locate data of interest, and exfiltrate it before deploying the Conti ransomware payload.

Other methods include brute-force attacks to guess weak Remote Desktop Protocol (RDP) credentials, exploitation of vulnerabilities in unpatched systems, and search engine poisoning to make malicious websites offering bogus software appear in search engine listings. Malware distribution networks such as Zloader are used, and attacks are also carried out after obtaining credentials through vishing (phishing over telephone calls).

CISA and the FBI have observed legitimate penetration testing tools being used to identify cameras, routers, and network-attached storage devices with web interfaces that can be brute-forced. They have also observed the use of legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victims' networks. The attackers use tools such as Windows Sysinternals and Mimikatz to escalate privileges and move laterally.

Vulnerabilities known to be exploited include PrintNightmare (CVE-2021-34527), ZeroLogon (CVE-2020-1472), and the Microsoft Windows Server Message Block vulnerabilities that the WannaCry ransomware attacks exploited in 2017.

Because a range of tactics, techniques, and procedures is used to gain access to victims' networks, no single mitigation will prevent attacks. CISA and the FBI recommend the following mitigations to strengthen defenses against Conti ransomware attacks:

  • Employ multi-factor authentication
  • Segment network and filter traffic
  • Check for vulnerabilities and update software
  • Get rid of unnecessary software and implement controls
  • Use endpoint detection and response (EDR) solutions
  • Restrict resource access over the network, particularly by limiting RDP
  • Make user accounts secure
  • Back up critical data, store backups offline and test the copy to see if file recovery is achievable

Researchers Found Easy to Exploit Vulnerabilities in Drug Infusion Pumps

McAfee Advanced Threat Research (ATR) researchers, together with the medical device cybersecurity company Culinda, have found five previously unreported vulnerabilities in two popular B. Braun drug infusion pump models.

The devices are used in hospitals worldwide to treat adult and pediatric patients and automate the delivery of medications and nutrients. They are particularly useful for ensuring a controlled supply of critical medication doses.

An unauthenticated attacker could exploit the vulnerabilities in the B. Braun infusion pumps to alter the pumps' settings while they are in standby, which could cause an unexpected dose of medication to be delivered when the device is next used, potentially harming a patient.

McAfee notified B. Braun of the vulnerabilities in the B. Braun SpaceStation and the B. Braun Infusomat Space Large Volume Pump on January 11, 2021, and recommended safety measures that should be implemented to prevent exploitation. In May 2021, B. Braun released information to customers and informed the Health Information Sharing & Analysis Center (H-ISAC) about the vulnerabilities and proposed mitigations. The vulnerabilities affect infusion pumps running older B. Braun software versions; nevertheless, the researchers noted that “vulnerable versions of the software remain extensively used throughout medical facilities and stay in danger of exploitation.”

Safety measures are built into the infusion pumps to prevent attackers from altering dosages while the pumps are operating, so an attacker cannot change a dose while it is being delivered. The vulnerabilities can nevertheless be exploited while the pumps are on standby or idle, so changes can be made to the device's behavior between infusions.

There have been no documented cases of these or other drug infusion pump vulnerabilities being exploited in the wild; however, this is a credible attack scenario and one that could easily be exploited to harm patients. The latest B. Braun software version blocks the initial network vector of the attack chain, but the vulnerabilities have not been fully addressed: an attacker could find another way to gain access to the network the devices connect to and exploit them. Given the number of ransomware attacks reported in recent months, gaining access to healthcare networks is not proving to be a major obstacle for many threat actors.

Until a comprehensive suite of patches is produced and effectively deployed by B. Braun customers, medical facilities should give these threats particular attention and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in its coordinated vulnerability disclosure documents.

The researchers believe that many other medical devices may have vulnerabilities that could be exploited to harm patients. Medical devices are designed with patient safety in mind, and safety measures are enforced to ensure patient safety is not put at risk; nevertheless, cybersecurity protections are commonly given lower priority during the design phase. Furthermore, when security vulnerabilities are identified in medical devices, patching is expensive. The devices are tightly regulated, so it is not simply a matter of issuing a patch or immediately upgrading the devices as would happen with a web browser, for example. Patches and updates must be thoroughly tested, and the devices must be taken out of service while updates are applied. Many devices continue to run older versions of software and firmware.

For the moment, ransomware attacks are the bigger problem in the medical field; however, the researchers note that at some point these sites will be secured against this type of ransomware attack and malicious threat actors will look for other lower-hanging fruit. Given the long lifetime of medical devices and the difficulties involved in upgrading them, it is essential to start planning today for tomorrow's threats. The researchers hope this work will raise awareness of an area that has been neglected for a long time.

CISA Gives an Alert About Blackberry’s QNX Vulnerability Impacting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory about a vulnerability affecting BlackBerry’s QNX Real-Time Operating System (RTOS), which is widely used by critical infrastructure organizations and affects a range of consumer, healthcare, and manufacturing systems.

The vulnerability is one of the 25 vulnerabilities collectively known as BadAlloc, which affect many IoT and OT systems. The BadAlloc vulnerabilities are integer overflow or wraparound flaws in memory allocation functions used in embedded software development kits (SDKs), real-time operating systems (RTOS), and C standard library (libc) implementations.

On August 17, 2021, Blackberry reported that CVE-2021-22156, one of the BadAlloc vulnerabilities, affected its QNX products. A remote attacker could exploit the vulnerability and cause a denial-of-service issue, or possibly get remote code execution, with the second effect possibly enabling an attacker to seize control of very sensitive systems.

The vulnerability affects the C runtime library’s calloc() function in several BlackBerry QNX products. According to CISA, an attacker could exploit this vulnerability if they control the arguments to a calloc() call and can influence how the memory is used after allocation. An attacker with network access can exploit the vulnerability remotely if the vulnerable product is running and the affected device is reachable from the network.
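To make the bug class concrete, here is an added illustration of a BadAlloc-style wraparound in an allocator size computation, written for this article and not taken from BlackBerry or QNX code. It contrasts an unchecked `nmemb * size` product with an overflow-checked version; the function names and the hostile request values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the BadAlloc bug class (not BlackBerry/QNX code):
 * an allocator that multiplies an attacker-influenced element count by an
 * element size without checking for wraparound returns a buffer that is far
 * smaller than the caller believes it to be, and later writes into that
 * buffer overflow the heap. */

/* Unchecked size computation: nmemb * size silently wraps in size_t. */
size_t naive_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hardened computation: refuses any request whose product would wrap.
 * Returns true and stores the product in *out on success. */
bool checked_alloc_size(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return false;              /* product would exceed SIZE_MAX */
    *out = nmemb * size;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the request would wrap
 * (a real zero-byte request is also reported as 0, which is harmless here). */
size_t checked_size_or_zero(size_t nmemb, size_t size)
{
    size_t total;
    return checked_alloc_size(nmemb, size, &total) ? total : 0;
}

/* A calloc replacement built on the checked computation: returns NULL
 * instead of a dangerously undersized buffer. */
void *hardened_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (!checked_alloc_size(nmemb, size, &total))
        return NULL;
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Verifies that a benign request through hardened_calloc yields a fully
 * zeroed buffer of the requested size; frees it afterwards. */
bool hardened_calloc_zeroed(size_t nmemb, size_t size)
{
    unsigned char *p = hardened_calloc(nmemb, size);
    if (p == NULL)
        return false;
    bool all_zero = true;
    for (size_t i = 0; i < nmemb * size; i++)
        all_zero = all_zero && (p[i] == 0);
    free(p);
    return all_zero;
}

int main(void)
{
    /* Constructed hostile request: (SIZE_MAX/2 + 2) elements of 2 bytes.
     * The true product is SIZE_MAX + 3, which wraps to 2 in size_t. */
    size_t nmemb = SIZE_MAX / 2 + 2;
    size_t size = 2;

    printf("naive size:  %zu bytes\n", naive_alloc_size(nmemb, size));
    printf("hardened:    %s\n",
           hardened_calloc(nmemb, size) == NULL ? "rejected" : "allocated");
    printf("benign 10x8: %s\n",
           hardened_calloc_zeroed(10, 8) ? "allocated and zeroed" : "failed");
    return 0;
}
```

The check `size > SIZE_MAX / nmemb` is the standard way to detect the wrap before it happens; allocators that skip it are exactly the pattern the BadAlloc advisories describe, and the hardened wrapper shows the expected remediation of failing the request rather than returning a 2-byte buffer for what the caller believes is a huge allocation.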

The vulnerability affects all BlackBerry products that depend on the C runtime library, including medical devices that incorporate BlackBerry QNX software.

CISA strongly urges all critical infrastructure organizations and other businesses that develop, maintain, support, or use affected QNX-based systems to apply the patch immediately to prevent exploitation. CISA notes that installing software updates for an RTOS may require returning the device to the manufacturer or an off-site location for physical replacement of integrated memory.

The following lists the vulnerable products and versions of Blackberry’s QNX Real-Time Operating System (RTOS):

  • QNX SDP: versions 6.5.0SP1, 6.5.0, 6.4.1, 6.4.0
  • QNX Momentics: versions 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0
  • QNX Momentics Development Suite: version 6.3.2
  • QNX Realtime Platform: versions 6.1.0a, 6.1.0, 6.0.0a, 6.0.0
  • QNX Development Kit (Self-hosted): versions 6.0.0, 6.1.0
  • QNX Cross Development Kit: versions 6.0.0, 6.1.0
  • QNX Neutrino RTOS Safe Kernel: version 1.0
  • QNX Neutrino RTOS for Medical Devices: versions 1.0, 1.1
  • QNX Neutrino RTOS Certified Plus: version 1.0
  • QNX CAR Development Platform: version 2.0RR
  • QNX OS for Automotive Safety: version 1.0
  • QNX OS for Safety: versions 1.0, 1.0.1
  • QNX Neutrino Secure Kernel: versions 6.4.0, 6.5.0

CISA recommends the following mitigations:

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers that build their own RTOS software versions should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test the software patches themselves.
  • End users of safety-critical systems should contact their product's manufacturer to obtain a patch. If no patch is available, users should apply the manufacturer’s recommended mitigations until one is released.
  • If the patch cannot be applied, or is not yet available, CISA recommends ensuring that only the ports and protocols used by the RTOS applications are reachable and that all others are blocked.

CISA Issues Guidance for MSPs and SMBs on Strengthening Security Defenses

Cybercriminals frequently target Managed Service Providers (MSPs) because MSPs have privileged access to their clients’ systems. A single successful attack on an MSP can therefore give the attacker access to the systems of several, if not all, of the MSP’s clients.

The recent Kaseya supply chain attack demonstrated just how damaging this kind of attack can be. A REvil ransomware affiliate gained access to Kaseya's systems and, through them, to the systems of approximately 60 of its customers (mostly MSPs), whose data was encrypted. Through those MSP clients, the ransomware affected about 1,500 downstream companies.

Small- and mid-sized businesses (SMBs) often lack the staff to manage their own IT systems, or the expertise or hardware to store sensitive data and run sensitive operations. Many use MSPs to supply that expertise. It is usually more economical for SMBs to scale and manage their networks through MSPs than to run these resources themselves.

Outsourcing IT or security functions to an MSP introduces risks that SMBs must mitigate. MSPs, in turn, must have security measures in place to block unauthorized access to their networks and to limit the harm to their clients if their perimeter defenses are breached.

On July 14, 2021, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) released guidance to assist MSPs and SMBs in strengthening their defenses to enhance resilience to cyberattacks and to control the damage brought about in case an attack succeeds.

The CISA Insights report gives mitigations and hardening advice for MSPs and SMBs, pointing out vital steps to take to secure MSP network resources and those of their clients to minimize the risk of successful attacks.

The CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses guidance document can be downloaded on this page.

Critical Vulnerabilities Identified in MesaLabs Lab Temperature Monitoring System

Stephen Yackey of Securifera identified five vulnerabilities in the MesaLabs AmegaView continuous monitoring system, which is used in hospital laboratories, forensics labs, and biotech firms. Two critical command injection vulnerabilities have been assigned CVSS severity scores of 9.9 and 10 out of 10. All of the vulnerabilities affect AmegaView versions 3.0 and earlier.

The vulnerabilities include the following:

  • CVE-2021-27447 (CVSS 10/10): improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.
  • CVE-2021-27449 (CVSS 9.9/10): improper neutralization of special elements used in a command, which could allow an attacker to execute web server commands.
  • CVE-2021-27445 (CVSS 7.8/10): insecure file permissions that allow an attacker to escalate privileges on the device.
  • CVE-2021-27451 (CVSS 7.3/10): improper authentication, because passcodes are generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
  • CVE-2021-27453 (CVSS 7.3/10): an authentication bypass that could allow an attacker to gain access to the web application.

There are currently no known public exploits that specifically target these vulnerabilities. Because AmegaView reaches end-of-life this year, MesaLabs has decided not to produce patches for them. Instead, all customers using the vulnerable devices are advised to move to the current Viewpoint software, which is compatible with AmegaView systems.

Whether or not that migration is possible, vulnerable products should be placed behind firewalls, segregated from the business network, and kept off the internet. If remote access is required, Virtual Private Networks (VPNs) should be used, and the VPNs must be kept updated to the latest version.

Before taking on any new safety actions, an impact and risk analysis should be performed.

Active Exploitation of Critical VMWare VCenter Software Vulnerability

Cyber actors are actively exploiting a critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation to take full control of unpatched systems. VMware disclosed the vulnerability, CVE-2021-21985, in late May and released a patch on May 25, 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for attackers and that exploitation is highly likely. A reliable proof-of-concept exploit for the vulnerability is already publicly available.

Thousands of vulnerable, internet-accessible vCenter servers are exposed to attack. Several security researchers are conducting mass scans for VMware vSphere hosts vulnerable to RCE, and have observed scanning of honeypots set up with unpatched versions of VMware vCenter Server.

The Department of Health and Human Services’ Office for Civil Rights recently published a cyber alert reiterating the importance of applying the patches for the vulnerability, noting that CISA had identified a number of organizations that have not yet applied the patch and remain exposed to attack.

VMware explained that a malicious actor with network access to port 443 could exploit the issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Security researcher Kevin Beaumont reported that his honeypot was infected with a web shell following exploitation of the vulnerability. “vCenter, which is a virtualization management software program can be hacked to control the virtualization layer (e.g., VMware ESXi), allowing access prior to the OS layer (as well as security controls). This is a critical vulnerability, therefore businesses need to patch or limit the vCenter server access to authorized administrators only.”

If the patches cannot be applied immediately, there are workarounds that reduce the likelihood of exploitation. These workarounds should be implemented without delay.

Threat Actor Actively Exploiting Pulse Connect Secure Vulnerabilities Including New Zero-Day Vulnerability

A recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) stated that at least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products. Although there has been no official attribution, several security researchers have linked the threat actor to China. Targets have included government, defense, financial, and critical infrastructure organizations.

FireEye has been tracking the malicious activity and states that about 12 malware families have been involved in attacks exploiting the vulnerabilities since August 2020. The attacks involved harvesting credentials to enable lateral movement inside victim networks, and using scripts and replacing files to maintain persistence.

A number of organizations have already confirmed attacks after detecting malicious activity with the Pulse Connect Secure Integrity Tool. Access to Pulse Connect Secure appliances was gained by exploiting several vulnerabilities: three disclosed in 2019 and 2020 and one recently discovered zero-day. Patches have been available for several months for the first three, CVE-2020-8260, CVE-2019-11510, and CVE-2020-8243; however, no patch is yet available for the newly disclosed zero-day, CVE-2021-22893.

The CVE-2021-22893 authentication bypass vulnerability has been assigned the maximum CVSS severity score of 10/10. Ivanti published a security advisory about the new vulnerability on April 20, 2021. An unauthenticated attacker exploiting it can remotely execute arbitrary code on the Pulse Connect Secure Gateway. The vulnerability is believed to be exploitable by sending a specially crafted HTTP request to an unpatched device, though Ivanti has not yet confirmed this. It affects Pulse Connect Secure 9.0R3 and later versions.

One threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the group to bypass authentication, including multi-factor authentication controls and login passwords, and to retain persistent access to the appliance even after patches are applied.

Ivanti and CISA strongly recommend that all users of vulnerable Pulse Connect Secure devices apply the available patches immediately, and implement the mitigations recently released by Ivanti to reduce the risk of exploitation of CVE-2021-22893 until a patch is released. The workaround disables two Pulse Connect Secure features, Windows File Share Browser and Pulse Secure Collaboration, and is applied by importing the workaround-2104.xml file. A patch for CVE-2021-22893 is expected in May 2021.

Because patching cannot remove an attacker's access if the vulnerabilities have already been exploited, CISA strongly recommends running the Pulse Connect Secure Integrity Tool to determine whether the vulnerabilities have been exploited.

CISA has given an emergency directive requiring all federal institutions to list all instances of Pulse Connect Secure virtual and hardware appliances, deploy and run the Pulse Connect Secure Integrity Tool to find malicious activity, and implement the mitigation against CVE-2021-22893. The actions should be taken by 5 pm Eastern Daylight Time on April 23, 2021.

COVID-19 Vaccine Cold Chain Still Targeted by Threat Groups

A recent IBM Security X-Force report reveals that advanced persistent threat groups continue to target the COVID-19 vaccine cold chain around the world. X-Force analysts published a report in December 2020 warning of a campaign against the COVID-19 cold chain aimed at obtaining vaccine data. The risk to the supply and storage of COVID-19 vaccines remains high.

There are currently around 350 logistics partners active in the cold chain, ensuring that vaccines are distributed and stored at the required cold temperatures. Since the initial report on cold chain phishing attacks, IBM X-Force researchers have found a further 50 email messages associated with spear-phishing campaigns and identified 44 targeted organizations in 14 countries across Africa, Asia, the Americas, and Europe.

The targeted organizations offer services such as the transport, warehousing, storage, and delivery of COVID-19 vaccines. The majority of targeted institutions are associated with healthcare, transport, IT and electronic devices including companies in biomedical research, medical manufacturing, and pharmaceutical and hygiene suppliers.

The threat actors, believed to be nation-state backed, have expanded their campaigns and are using spear-phishing emails to steal the account credentials of CEOs, global sales representatives, purchasing managers, Human Resources officials, plant engineering administrators, and others. Their goal is privileged information on national Advance Market Commitment (AMC) negotiations for vaccine purchases, delivery schedules, details of vaccine transit through countries and territories, World Trade Organization (WTO) trade facilitation agreements, export rules and intellectual property rights, technical vaccine information, and other sensitive data.

The threat group liable for this threat campaign seems to have a full understanding of the vaccine cold chain. The email communications used in the spear-phishing campaign look like coming from an account manager from Haier Biomedical, a Chinese biomedical company that is the number one cold chain provider worldwide.

The emails request price quotations for service contracts under the Cold Chain Equipment Optimization Platform (CCEOP) program and reference products such as an ice-lined refrigerator and a solar-powered vaccine refrigerator from Haier Biomedical. The emails also discuss companies involved in petrochemical production and the manufacture of solar panels that fit those products, and the language used in the messages is consistent with the educational background claimed in the forged signature.

The emails carry malicious HTML attachments that open locally and prompt the user for their login credentials. If credentials are entered, they are captured and sent to the attacker’s command and control server.

The researchers noted that while earlier reporting revealed direct targeting of supranational organizations and the energy and IT sectors in six countries, the new findings fit the previously identified attack pattern, and the campaign remains a deliberate and calculated threat.

Considering the vaccine nationalism and global competition for vaccine access, attacks that impact the cold chain were inescapable. Though researchers did not associate the campaign with any criminal gang, there is a good chance that this operation is supported by a nation-state.

If the cold chain is disrupted, vaccine shipments could be delayed, or the conditions required to safely transport and store vaccines could be compromised, rendering the vaccines unsafe or ineffective. IBM published the Indicators of Compromise in its report to help organizations protect the COVID-19 cold chain against attacks.

FBI Issues Advisory Regarding Mamba Ransomware

A spike in cyberattacks employing Mamba ransomware prompted the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) to give a flash alert notifying organizations and companies in several sectors regarding the risks of the ransomware.

Unlike many ransomware variants, which have their own encryption routines, Mamba ransomware has weaponized the open-source full disk encryption software DiskCryptor. DiskCryptor is a legitimate, non-malicious encryption tool and is therefore unlikely to be flagged as malicious by security solutions.

The FBI has not yet disclosed the extent to which the ransomware has been used in attacks, which to date have primarily targeted government institutions and transportation, legal, technology, commercial, industrial, manufacturing, and construction firms.

A number of techniques are employed to get access to systems to set up the ransomware, which includes exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured means of remote access.

Rather than searching for particular file extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, rendering all attacked devices unusable. After encryption, a ransom note is displayed telling the victim that their drive has been attacked. It provides a contact email address, the victim’s ID and hostname, and a field for entering the decryption key to recover the drive.

The Mamba ransomware package bundles DiskCryptor, which is unpacked and installed. The system is rebooted after about two minutes to complete the installation, and the encryption routine then begins. A second restart occurs roughly two hours later, which completes the encryption and displays the ransom note.

An attack in progress can be stopped before the second restart. The encryption key and the shutdown time variable are stored in the myConfig.txt file, which can be read until the second restart. After the second restart, myConfig.txt is no longer accessible and the decryption key is required to access the files. This gives network defenders a brief window to halt an attack and recover without paying the ransom. The advisory lists the DiskCryptor files to help defenders detect attacks in progress; these files should be blocked wherever DiskCryptor is not legitimately used.

The FBI TLP: White Alert also gives mitigations that will help prevent the success of an attack, restrict the effect in case of a successful attack, and make sure that systems may be brought back without paying the ransom demand.

Recommended mitigations consist of:

  • Backing up data and keeping the backups on an air-gapped device.
  • Segmenting networks.
  • Configuring systems so that only administrators can install software.
  • Patching operating systems, software, and firmware promptly.
  • Using multifactor authentication.
  • Maintaining good password hygiene.
  • Disabling unused remote access/RDP ports and monitoring access logs.
  • Using only secure networks, and a VPN for remote access.

FBI Gives Warning of Increase in Business Email Compromise Attacks on Local and State Governments

The Federal Bureau of Investigation (FBI) in its March 17, 2021 Private Industry Notification cautioned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. It has been observed that BEC attacks on SLTT government entities increased between 2018 and 2020. Losses as a result of these attacks range from $10,000 to $4 million.

BEC attacks involve acquiring access to an email account and sending messages impersonating the email account holder with the intention to convince the target to make a bogus transaction. The email account is frequently employed to deliver communications to the payroll division to modify employee direct deposit data or to persons authorized to perform wire transfers, to request modifications to bank account data or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 reports of BEC attacks, with losses of approximately $1.9 billion. The following are examples of BEC scams:

In July 2019, a small city government lost $3 million after being scammed through a spoofed email that looked like it came from a contractor requesting an alteration of their payment method.

In December 2019, the email account of a financial supervisor at a government agency of a US territory was accessed and used to send 146 messages to government agencies with instructions regarding financial transactions. Many of these requests were made via email, and the attacker intercepted and replied to those messages. In total, $4 million was sent to the scammer’s account.

Besides the financial losses, the attacks hinder the operational functions of SLTT government organizations, cause reputational problems, and can additionally bring about the loss of sensitive information like PII, banking details, and employment information.

BEC scammers can easily research targets and find SLTT operating data and information about vendors, suppliers, and contractors from public sources. Obtaining access to email accounts is easy, since the target’s email address can be quickly located and phishing kits for harvesting credentials are available cheaply on the darknet.

Once an email account is compromised, the attacker copies the writing style of the account owner and often hijacks existing message threads. The scam can involve several messages, with the target convinced they are conversing with the real account holder when they are in fact speaking with the scammer.

The FBI states that BEC scammers usually target SLTT government entities with insufficient cybersecurity practices and take advantage of SLTT government entities that are not able to give adequate training to the workers. The move to remote working because of the pandemic has additionally made it less complicated for the scammers.

In 2020, CISA performed phishing simulations involving SLTT government entities. Across 152 campaigns comprising about 40,000 messages, there were approximately 5,500 unique clicks on bogus malicious links. The 13.6% click rate indicates that security awareness training is not sufficiently teaching employees about the danger of email-based attacks and highlights the need for “defense in depth mitigations.”

The FBI suggests ensuring that all workers receive security awareness training, know about BEC attacks, and can distinguish phishing and other bogus emails. Employees should be told to carefully check email requests for advance payments, changes to bank account details, or sensitive information. Policies and procedures must be implemented that require any bank account change or transaction request to be validated by telephone using a verified number, not contact information provided in the email.

Supplemental measures that ought to be considered include multi-factor authentication on email accounts, phishing simulations, blocking automated email forwarding, monitoring Exchange email servers for configuration changes, adding banners to emails from external sources, and using email filtering services.

Read about further procedures that may be put in place to avoid and identify BEC attacks in the FBI Alert.

CISA/FBI Give Joint Advisory Regarding Spear Phishing Attacks Spreading TrickBot Malware

The Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have released a joint security advisory concerning TrickBot malware. The malware was first discovered in 2016 and began as a banking Trojan; today it has many new capabilities and is widely used as a malware loader for delivering other malware, such as Ryuk and Conti ransomware.

The CISA/FBI alert states that TrickBot has become a remarkably modular, multi-stage malware that gives its users a complete selection of tools to perform a variety of criminal cyber activities.

In the latter part of 2019, TrickBot survived the effort by Microsoft and its partners to disrupt its infrastructure, and spam campaigns distributing the malware resumed shortly afterwards, with TrickBot activity spiking recently. At the beginning of March, Check Point researchers warned of increasing TrickBot infections following the takedown of the Emotet botnet. In 2020, TrickBot was the 4th most prevalent malware variant and rose to 3rd in January 2021. After the Emotet botnet was disrupted, TrickBot became the most widely propagated malware variant, topping Check Point’s malware index for the first time.

The ransomware attack on Universal Health Services (UHS) involved TrickBot, and systems were shut down for several weeks. TrickBot was used to gain access to UHS systems and identify and collect information, after which the malware delivered the Ryuk ransomware payload. The ransomware attack cost UHS $67 million in losses in 2020.

TrickBot is mainly propagated through spear-phishing emails customized for the targeted company. The emails use a mix of malicious file attachments and links to web pages hosting downloadable malware. In February, the TrickBot gang ran a massive phishing campaign aimed at the legal and insurance industries that used a .zip file attachment containing malicious JavaScript to deliver the malware.

The most recent phishing campaigns use phony traffic violation notices as the lure to get recipients to click to view “photo proof” of the violation. When the photo is clicked, a JavaScript file is launched that connects to the gang’s command and control (C2) server, after which TrickBot is installed on the victim’s system.

TrickBot can move laterally via the Server Message Block (SMB) protocol, copy sensitive information from breached systems, and perform crypto mining and host enumeration. According to CISA/FBI, TrickBot operators possess a set of tools spanning the whole MITRE ATT&CK framework, from passively or actively collecting data to support targeting, to attempting to manipulate, disrupt, or damage systems and information.

CISA has created a Snort signature for detecting network activity associated with TrickBot malware. The CISA/FBI advisory also specifies cybersecurity best practices that make it harder for TrickBot to be installed and help harden systems against its propagation.

CISA Gives Warning on Active Exploitation of Vulnerabilities in Accellion File Transfer Appliance

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Singapore, New Zealand, Australia, and the United Kingdom have released a notification for Accellion File Transfer Appliance (FTA) users regarding 4 vulnerabilities that threat actors are actively exploiting to get access to sensitive information.

The Accellion FTA is a legacy file transfer appliance used for sharing large files. Accellion discovered a zero-day vulnerability in the FTA in mid-December 2020 and released a patch to address it; however, further vulnerabilities have since been identified.

The following describes the vulnerabilities being monitored:

  1. CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  2. CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  3. CVE-2021-27103 – Server-side request forgery via a crafted POST request
  4. CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27101) enables an unauthorized person to execute remote commands on vulnerable devices. An exploit for the vulnerability was coupled with a webshell, the latter used to receive commands from the attacker, exfiltrate information, and clean up logs. Because the logs are cleaned up, the attacker can evade detection and investigation of the attack is hampered.

With the sensitive information exfiltrated, the attacker attempts to extort money from the victim by threatening to publicly disclose the stolen information on a ransomware data leak site if no ransom is paid. FireEye/Mandiant have linked the attacks to the FIN11 and CL0P ransomware operations, though no ransomware is deployed by the attackers.

Accellion became aware of attacks exploiting the vulnerabilities in January 2021; fewer than 100 customers have reported being affected, with about two dozen of them reportedly sustaining substantial data theft. Kroger recently announced that a number of pharmacy and Little Clinic customers were affected. Centene also experienced a data breach through exploitation of the vulnerabilities. Other reported victims of the attacks are:

  • Transport for New South Wales in Australia
  • Canadian Aircraft maker Bombardier
  • Reserve Bank of New Zealand
  • Australian financial regulator ASIC
  • Office of the Washington State Auditor
  • The University of Colorado

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity advisory (AA21-055A) which Accellion customers can use to determine whether the vulnerabilities have been exploited and to be alerted as soon as malicious activity is detected.

In addition to analyzing whether the vulnerabilities were exploited, CISA recommends isolating systems hosting the software from the Internet and upgrading Accellion FTA to version FTA_9_12_432 or later. Accellion and CISA also recommended migrating from this legacy tool to a more secure file sharing platform. The Accellion FTA reaches end-of-life on April 30, 2021. Accellion suggests using its Kiteworks file sharing platform, which has improved security functions.

100% of Analyzed mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of hundreds of thousands of people is being exposed via the Application Programming Interfaces (APIs) utilized by mobile health (mHealth) applications, as per the latest study released by cybersecurity company Approov.

Ethical hacker and researcher Allissa Knight performed the study to find out how secure well-known mHealth apps are and whether it is possible to gain access to users’ sensitive health information. One proviso of the study was that she would not be permitted to identify any of the applications in which vulnerabilities were discovered. She evaluated 30 of the top mHealth apps and found all were prone to API attacks that could allow unauthorized persons to access the whole patient data set, including personally identifiable information (PII) and protected health information (PHI), showing that the security problems are systemic.

mHealth apps have been very helpful throughout the COVID-19 pandemic and are increasingly used by hospitals and healthcare firms. According to Pew Research, mHealth apps now generate much more user activity than other mobile applications such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth applications analyzed for the research are used by around 23 million individuals, with each app downloaded about 772,619 times from app stores. These applications hold a wealth of sensitive information, from vital signs records to pathology reports, test results, X-rays and other medical images and, in certain cases, full medical files. The types of information stored in or accessible through the apps command a high price on darknet marketplaces and are often targeted by cybercriminals. The vulnerabilities identified in mHealth apps make it effortless for cybercriminals to obtain access to the data.

There will generally be vulnerabilities in code, but it is surprising that every app reviewed had hard-coded keys and tokens. All APIs had broken object level authorization (BOLA) vulnerabilities that allow access to patient reports, pathology information, X-rays, and full PHI in their databases.

BOLA vulnerabilities allow a threat actor to substitute the ID of one resource for another. If the object ID can be called directly in the URI, the endpoint is open to ID enumeration, which gives an adversary the ability to read data that does not belong to them. Exposed references to internal implementation objects could point to nearly anything — a file, directory, database record, or key. In the case of mHealth apps, that could give a threat actor the ability to download complete medical records and personal data that can be used for identity theft.
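The following is an added example, not code from the Approov study or from any of the tested apps, showing what the BOLA flaw described above looks like in a request handler and how the hardened version differs: the record lookup itself is identical, but the hardened handler checks that the record’s owner matches the authenticated identity (or a clinician’s care team) on every call, and returns the same error for “not yours” and “does not exist” so that IDs cannot be enumerated by error message. The in-memory record store, user IDs, roles and care-team mapping are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Session:
    """Authenticated caller (constructed; a real app would derive this from a verified token)."""
    user_id: str
    role: str  # "patient" or "clinician" (constructed roles)


# Constructed sample data: record_id -> (owner patient id, payload)
RECORDS = {
    "1001": ("patient-A", "pathology report for patient-A"),
    "1002": ("patient-B", "x-ray for patient-B"),
    "1003": ("patient-C", "allergy list for patient-C"),
}

# Constructed care relationships: clinician -> set of patients they treat
CARE_TEAM = {"clinician-1": {"patient-A"}}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_record_vulnerable(session: Session, record_id: str) -> str:
    """BOLA: only checks that *some* session exists, then trusts the caller-supplied
    record_id. Any authenticated user can walk through the ID space."""
    _owner, payload = RECORDS[record_id]
    return payload


def get_record_hardened(session: Session, record_id: str) -> str:
    """Object-level authorization: compare the record's owner against the caller
    for every request, and use one error for 'missing' and 'not yours'."""
    try:
        owner, payload = RECORDS[record_id]
    except KeyError:
        raise Forbidden("record not available")
    if session.role == "patient" and owner == session.user_id:
        return payload
    if session.role == "clinician" and owner in CARE_TEAM.get(session.user_id, set()):
        return payload
    raise Forbidden("record not available")


def probe_authorization(handler: Callable[[Session, str], str], session: Session) -> List[str]:
    """Authorization test: request every known record ID as this session and
    return the IDs the handler disclosed. A correct handler discloses only the
    caller's own records."""
    disclosed = []
    for rid in sorted(RECORDS):
        try:
            handler(session, rid)
            disclosed.append(rid)
        except Forbidden:
            pass
    return disclosed


if __name__ == "__main__":
    patient_a = Session("patient-A", "patient")
    print("vulnerable handler disclosed:", probe_authorization(get_record_vulnerable, patient_a))
    print("hardened handler disclosed:  ", probe_authorization(get_record_hardened, patient_a))
```

The check belongs in the handler (or a shared authorization layer it cannot skip), not in the client, because the client is exactly what an attacker controls; the same pattern applies to any resource reachable by a caller-supplied identifier.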

APIs define how applications interact with other programs and systems and are used for sharing information. Of the 30 mHealth apps examined, 77% contained hard-coded API keys, making them susceptible to attacks that would allow an attacker to intercept data as it is exchanged. In some cases those keys had no expiration, and 7% of the API keys belonged to third-party payment processors that advise against hard-coding private keys in plaintext. Nevertheless, the usernames and passwords were hard-coded.

None of the apps implemented certificate pinning, which is needed to prevent interception attacks. This flaw can be exploited to intercept and modify sensitive health and personal information. Half of the tested apps did not authenticate requests using tokens, and 27% lacked code obfuscation protections, making them prone to reverse engineering.

Knight was able to access highly sensitive data throughout the study. 50% of records contained names, addresses, birth dates, Social Security numbers, allergies, prescribed medications, and other sensitive health information. Knight also found that once access was gained to one patient’s files, other patients’ records could be accessed at random. 50% of all APIs allowed medical professionals to view pathology, X-ray, and clinical data of other patients, and all API endpoints were found to be susceptible to BOLA attacks, which allowed Knight to see the PHI and PII of patients not included in her clinical account. Knight also discovered replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take over other users’ sessions.

A further issue is that mHealth applications do not have security baked in. Instead of building security into the apps at the design phase, the apps are created first and security measures are applied later. That can easily result in vulnerabilities not being completely addressed.

David Stewart, founder and CEO of Approov, said that top developers and their corporate and organizational customers continually fail to recognize that APIs serving remote clients such as mobile applications need a new and dedicated security paradigm. Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, threat actors exploit these APIs and cause real harm to vulnerable companies and their patients.

CISA Alert Concerning Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has given an alert concerning the exploitation of poor cyber hygiene by threat actors to obtain access to business cloud environments. The alert was given after CISA noticed a spike in attacks on companies that have switched to a mostly remote workforce because of the pandemic.

Although the hackers behind the SolarWinds Orion supply chain attack used some of the techniques described in the report, the techniques are not tied to any particular threat group. Several threat actors are using them to gain access to cloud environments and steal sensitive information.

According to the alert, threat actors are using a variety of tactics, techniques, and procedures to attack cloud environments: phishing attacks, brute force attacks to guess weak passwords, exploitation of unpatched vulnerabilities, and exploitation of weaknesses in cloud security practices.

Phishing is frequently used to obtain credentials for remote access to cloud assets and applications. Phishing emails usually contain links to malicious web pages where credentials are harvested. Where multi-factor authentication is not in place, the attackers can use the credentials to access online resources. The phishing emails usually appear to be legitimate messages with hyperlinks to seemingly legitimate file hosting services. Breached email accounts are then used to send further phishing emails to other employees within the organization; these internally sent phishing emails usually link to files within what appears to be the company’s file hosting service.

In some cases, auto-forwarding rules were created in the breached email accounts to collect sensitive emails, or search rules were set up to identify and collect sensitive information. “Besides changing current user email rules, the threat actors made new mailbox rules that sent a number of messages obtained by the users (particularly, messages with a number of keywords related to phishing) to the legit users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to try to prevent legitimate users from seeing the warnings.”
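The mailbox-rule behaviour described above is something defenders can look for directly in mailbox audit logs. The following is an added example, not from the CISA alert: a small scanner that reads audit records for rule and forwarding changes and flags the patterns the alert describes (rules that move mail to the RSS Feeds or RSS Subscriptions folder, rules keyed on security-related words, blank or single-character rule names, and forwarding to external domains). The record layout (`Operation` plus a `Parameters` list of name/value pairs) is an assumption loosely modelled on Exchange admin audit entries, the four log lines are constructed, and the internal domain and keyword list are placeholders an organization would replace with its own.

```python
import json
from typing import Dict, List

INTERNAL_DOMAINS = {"example.test"}  # constructed placeholder for the organization's own domains

# Folders attackers use to hide mail from the mailbox owner: the two named in the alert
# plus common variants seen in BEC cases (assumed list).
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}

# Words a compromised user might search for or receive in warnings (constructed list).
ALERT_WORDS = {"phish", "hack", "suspicious", "password", "security", "fraud", "malware", "compromise"}

# Constructed sample audit records, one JSON object per line. Not real log data.
SAMPLE_LOG = r'''
{"CreationTime":"2021-01-08T14:02:11","UserId":"alice@example.test","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"phishing;hacked;suspicious"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2021-01-08T14:05:40","UserId":"bob@example.test","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.test"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2021-01-08T15:11:03","UserId":"carol@example.test","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"Invoices"},{"Name":"ForwardTo","Value":"drop@external-mail.test"}]}
{"CreationTime":"2021-01-08T15:30:00","UserId":"dave@example.test","Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:collector@external-mail.test"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
'''


def _params(rec: Dict) -> Dict[str, str]:
    """Flatten the Parameters list into a name -> value map."""
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def _is_external(address: str) -> bool:
    """True when the address domain is not one of ours. Strips an 'smtp:' prefix."""
    addr = address.lower().split(":")[-1]
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def analyze_record(rec: Dict) -> List[str]:
    """Return the reasons (possibly none) this record looks like post-compromise mailbox tampering."""
    op = rec.get("Operation", "")
    p = _params(rec)
    reasons: List[str] = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
            reasons.append(f"moves mail to hidden folder '{p['MoveToFolder']}'")
        words = [w.strip().lower() for w in p.get("SubjectOrBodyContainsWords", "").split(";") if w.strip()]
        if any(a in w for w in words for a in ALERT_WORDS):
            reasons.append("filters on security-alert keywords")
        if op == "New-InboxRule" and len(p.get("Name", "").strip()) <= 2:
            reasons.append(f"rule name {p.get('Name', '')!r} is blank or minimal")
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            if key in p and _is_external(p[key]):
                reasons.append(f"{key} points to external address {p[key]}")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes matching messages")
    elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress") and _is_external(p["ForwardingSmtpAddress"]):
        reasons.append(f"mailbox-level forwarding to external address {p['ForwardingSmtpAddress']}")
    return reasons


def scan(log_text: str) -> List[Dict]:
    """Run analyze_record over JSON-lines audit data and return only the flagged records."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = analyze_record(rec)
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "operation": rec["Operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["user"], f["operation"], "->", "; ".join(f["reasons"]))
```

In practice the same logic sits in a SIEM query over the unified audit log; the point of the example is which fields to key on, and that rule creation and forwarding changes are worth alerting on even when the user account shows no other sign of compromise.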

In addition to phishing emails, brute force tactics are used to guess weak passwords. In many cases, brute force and phishing attacks succeeded in obtaining credentials but were foiled by multi-factor authentication, which prevented use of the stolen credentials; nevertheless, CISA identified one attack in which the attacker bypassed multi-factor authentication to access cloud resources using ‘pass-the-cookie’ techniques. A pass-the-cookie attack involves using a stolen cookie from a previously authenticated session to sign into online services or web applications. These attacks can succeed even where a company has properly implemented multi-factor authentication.
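Pass-the-cookie works because a bearer session cookie is accepted from whoever presents it. One mitigation an application can apply on its own side is to bind each session to properties of the client that completed MFA and to revoke the session when the cookie shows up from a different client. The following is an added example, not from the CISA alert or any product, of a server-side session store that does this; the /24 network binding, the 8-hour lifetime and the sample IP addresses and user agents are assumptions chosen for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _ua_fingerprint(user_agent: str) -> str:
    """Stable short fingerprint of the browser's User-Agent string."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()[:16]


def _ip_prefix(ip: str) -> str:
    """Bind to the /24 so ordinary address churn inside one network does not
    log users out (assumed policy; tighten or loosen per deployment)."""
    return ".".join(ip.split(".")[:3])


class SessionStore:
    """Server-side sessions whose cookie value is only honoured from the client
    that authenticated. The cookie itself is a random opaque token."""

    def __init__(self, max_age_seconds: int = 8 * 3600):
        self.max_age_seconds = max_age_seconds
        self._sessions: Dict[str, Dict] = {}

    def create(self, user: str, client_ip: str, user_agent: str, now: int) -> str:
        """Called only after the user has completed MFA. Returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ip_net": _ip_prefix(client_ip),
            "ua": _ua_fingerprint(user_agent),
            "issued": now,
            "last_seen": now,
        }
        return token

    def validate(self, token: str, client_ip: str, user_agent: str, now: int) -> Tuple[Optional[str], str]:
        """Return (user, 'ok') or (None, reason). A mismatch revokes the session so a
        replayed cookie cannot be retried from the attacker's machine or the victim's."""
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown-token"
        if now - sess["issued"] > self.max_age_seconds:
            del self._sessions[token]
            return None, "expired"
        if sess["ip_net"] != _ip_prefix(client_ip) or sess["ua"] != _ua_fingerprint(user_agent):
            # Cookie presented from a different client than the one that passed MFA:
            # treat as possible pass-the-cookie, revoke, and force a fresh logon.
            del self._sessions[token]
            return None, "client-mismatch"
        sess["last_seen"] = now
        return sess["user"], "ok"


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.create("alice", "203.0.113.10", "Mozilla/5.0 (X11) Firefox/84.0", 1_610_000_000)
    print(store.validate(cookie, "203.0.113.10", "Mozilla/5.0 (X11) Firefox/84.0", 1_610_000_060))
    print(store.validate(cookie, "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0", 1_610_000_120))
```

Binding has costs: mobile users changing networks and browsers auto-updating will trip it, so the mismatch path should lead to a re-authentication prompt rather than a hard error, and it should be paired with short session lifetimes and re-authentication for sensitive actions. The “client-mismatch” event is also a useful detection signal in its own right.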

Threat actors are targeting remote workers who use personally owned or company-issued devices to connect to their company’s cloud resources. Although companies have deployed security solutions to block these attacks, many succeeded because of poor cyber hygiene practices.

In the notification, CISA specified the following best practices to strengthen cyber hygiene and harden cloud security configurations against attacks on cloud services:

  • Implement conditional access
  • Review Active Directory logs and unified audit logs for suspicious activity
  • Enforce MFA for all users
  • Review email forwarding guidelines on a regular basis
  • Adhere to guidance on protecting privileged access
  • Resolve client site requests internal to the network
  • IT teams must follow a zero-trust mindset

Specific suggestions were also given to help business organizations protect their M365 environments.

Enterprise organizations can read the Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services Analysis Report and implement its recommendations.

Hidden Backdoor Discovered in 100,000 Zyxel Devices

A vulnerability has been discovered in Zyxel products including firewalls, access point (AP) controllers, and VPN gateways that hackers could exploit to obtain remote administrative access to the devices. By exploiting the vulnerability, hackers could change firewall settings, allow or block traffic, intercept traffic, create new VPN accounts, expose internal services to the public, and gain access to internal systems behind Zyxel products. About 100,000 Zyxel devices worldwide have the vulnerability.

Zyxel’s networking equipment is popular with small and medium-sized organizations and is also used by large businesses and government institutions.

Niels Teusink of the Dutch cybersecurity firm EYE found the vulnerability, tracked as CVE-2020-29583, when he discovered an undocumented user account in the latest version of the Zyxel software (4.60 patch 0). The account, zyfwp, has a hardcoded plaintext password stored in one of the product binaries. This hardcoded administrative password was introduced in the latest version of the software.

Teusink used the credentials to log on to vulnerable equipment over SSH and the web interface. Because the password is hardcoded, device users cannot change it. An attacker can use the credentials to log on remotely and exploit a vulnerable Zyxel unit. Since SSL VPN on these products runs on the same port as the cloud interface, numerous users have port 443 of these devices exposed to the Internet.

Zyxel has issued a patch to resolve the vulnerability. Zyxel said the account was added to allow the company to deliver automated firewall updates to connected access points via FTP.

The vulnerability is present in a number of Zyxel products, including the Zyxel Advanced Threat Protection (ATP) firewall, VPN version 4.60, Unified Security Gateway (USG), USG Flex, and Zyxel AP Controllers NXC2500 and NXC5500 version 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a notification regarding the vulnerability. The vulnerability was rated medium risk for small government entities and small businesses, and high risk for large and medium-sized government agencies and large and medium-sized businesses.

All users of the vulnerable products were told to apply the patch without delay to protect against exploitation. Although there are no documented instances of exploitation so far, exploitation of the vulnerability is probable.

For the following vulnerable firewall products, patches were made available in December 2020.

  • USG series using firmware ZLD V4.60
  • ATP series using firmware ZLD V4.60
  • USG FLEX series using firmware ZLD V4.60
  • VPN series using firmware ZLD V4.60

For the following affected AP controllers, patches will be available on January 8, 2021.

  • NXC2500 using firmware V6.00 through V6.10
  • NXC5500 using firmware V6.00 through V6.10

To mitigate the threat, MS-ISAC advises the following actions:

  • Implement necessary updates offered by Zyxel to vulnerable systems, right away after suitable testing.
  • Run all software as a non-privileged user to reduce the effects of a successful attack.
  • Remind users not to visit untrusted web pages or click hyperlinks provided by unknown or untrusted sources.
  • Inform and educate users about the threats posed by hyperlinks in emails or attachments, particularly from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

NSA Advisory of Authentication Mechanism Abuse to Obtain Access to Cloud Resources

The U.S. National Security Agency (NSA) has published a notification regarding two hacking strategies that threat groups are utilizing presently to obtain access to cloud resources that contain protected information. These tactics exploit authentication systems and permit attackers to exfiltrate credentials and retain persistent access to networks.

Threat actors who breached the SolarWinds Orion platform are using these techniques. The hackers behind the attacks have not yet been identified, although some information has surfaced indicating a Russian nation-state threat group, possibly APT29 (Cozy Bear). Secretary of State Mike Pompeo said in a radio interview that the activity was conducted by Russia, though President Trump downplayed the attack and suggested China may be responsible.

The SolarWinds Orion supply chain attack was used to deliver malware to customers via the SolarWinds software update process, but that is only one of a number of tactics now being used to compromise public and private sector companies and government institutions.

NSA’s alert explained that initial access may be established in various ways, including known and unknown vulnerabilities. An example is the recent SolarWinds Orion code compromise: on-premises systems were compromised, leading to abuse of federated authentication and malicious cloud access.

Once initial access has been obtained, the techniques described in the advisory are used to escalate privileges by forging credentials and to maintain persistent access. The NSA has provided guidance on detecting and mitigating the attacks regardless of how initial access is gained. The NSA notes that these techniques are not new: threat actors have used them since 2017 and they continue to be effective.

The techniques described in the alert involve using compromised authentication tokens and abusing compromised system administration accounts in Microsoft Azure and other cloud systems once a local network has been breached.

The first technique involves compromising an on-premises federated identity provider or single sign-on (SSO) system. These systems allow organizations to use an authentication system they own to grant access to resources, including cloud services. They use cryptographically signed statements (assertions), delivered via Security Assertion Markup Language (SAML), to indicate that users have been authenticated. Threat actors abuse the authentication system to gain illegitimate access to a broad range of the organization’s assets.

The attackers either steal credentials or private keys from the SSO system that allow them to sign assertions and impersonate a legitimate user, or obtain sufficient privileges to create their own keys and identities, including their own SSO system. The second technique consists of compromising administrator accounts to assign credentials to cloud applications, after which the attackers use the application’s credentials to gain programmatic access to cloud data.

The NSA has cautioned that threat actors continue to exploit the recently disclosed command injection vulnerability in VMware products (CVE-2020-4006). In one case reported by the NSA, exploiting this vulnerability provided initial local network access, rather than the SolarWinds tactic. The techniques described in the advisory were then used to gain access to cloud assets. A patch has already been issued to fix the vulnerability in VMware products and should be applied immediately. SolarWinds Orion users must follow the previously published mitigations.

These attack techniques for accessing cloud resources do not exploit vulnerabilities in cloud infrastructure, the SAML protocol, federated identity management, or on-premises and cloud identity systems; instead, they abuse trust in the federated identity system.

However, the security of identity federation in any cloud environment relies directly on trust in the on-premises components that perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, the trust in the federated identity system can be abused for unauthorized access.

To prevent these techniques from being used to gain access to cloud resources, the NSA recommends the following:

  • Protect SSO settings and service principal usage
  • Strengthen systems using on-premises identity and federation services
  • Keep track of logs for suspicious tokens that do not fit the company’s baseline for SAML tokens.
  • Review tokens to identify flaws
  • Analyze logs for suspicious usage of service principals
  • Seek out unexpected trust relationships that were put into the Azure Active Directory
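The two log-review items above (tokens that do not fit the organization’s baseline, and reviewing tokens for flaws) can be made concrete. The following is an added example, not from the NSA advisory or any vendor, of a check that parses a SAML 2.0 assertion and flags the properties that distinguish a forged token from a normally issued one: an issuer outside the allow list, no signature element, a validity window longer than the baseline, an AuthnInstant far away from the IssueInstant, and an authentication context that does not indicate MFA. The baseline values (one-hour lifetime, five-minute gap, accepted issuer and MFA context URI) and both assertions are assumptions constructed for the example; the presence of a `ds:Signature` element is only checked for, not cryptographically verified, since that is the job of the service provider’s SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Dict, List

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Organization baseline (assumed values chosen for this example).
BASELINE: Dict = {
    "issuers": {"https://sso.example.test/adfs/services/trust"},
    "max_lifetime": timedelta(hours=1),
    "max_authn_gap": timedelta(minutes=5),
    "mfa_contexts": {"http://schemas.microsoft.com/claims/multipleauthn"},
}

# Constructed assertion that matches the baseline. Signature value is a placeholder.
GOOD_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_good1" Version="2.0" IssueInstant="2021-01-15T10:00:00Z">
  <saml:Issuer>https://sso.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-01-15T10:00:00Z" NotOnOrAfter="2021-01-15T11:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2021-01-15T09:59:50Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

# Constructed anomalous assertion: same (trusted) issuer and a signature, as a token
# signed with a stolen key would have, but a 24-hour lifetime, an AuthnInstant three
# weeks before issuance, and a password-only authentication context.
ANOMALOUS_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_bad1" Version="2.0" IssueInstant="2021-01-15T10:00:00Z">
  <saml:Issuer>https://sso.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-01-15T10:00:00Z" NotOnOrAfter="2021-01-16T10:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2020-12-25T10:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def _ts(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_assertion(xml_text: str, baseline: Dict = BASELINE) -> List[str]:
    """Return human-readable flags for every way the assertion departs from the baseline."""
    root = ET.fromstring(xml_text.strip())
    flags: List[str] = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in baseline["issuers"]:
        flags.append(f"unexpected issuer {issuer!r}")
    if root.find("ds:Signature", NS) is None:
        flags.append("assertion carries no signature")
    issue_instant = _ts(root.get("IssueInstant"))
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if lifetime > baseline["max_lifetime"]:
            flags.append(f"validity window {lifetime} exceeds baseline {baseline['max_lifetime']}")
    else:
        flags.append("missing validity conditions")
    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        flags.append("missing AuthnStatement")
    else:
        gap = issue_instant - _ts(authn.get("AuthnInstant"))
        if gap > baseline["max_authn_gap"] or gap < timedelta(0):
            flags.append(f"AuthnInstant is {gap} before IssueInstant")
        ctx = authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=NS).strip()
        if ctx not in baseline["mfa_contexts"]:
            flags.append(f"authentication context {ctx!r} does not indicate MFA")
    return flags


if __name__ == "__main__":
    print("good:", check_assertion(GOOD_ASSERTION))
    print("anomalous:", check_assertion(ANOMALOUS_ASSERTION))
```

None of these flags is proof of forgery on its own; the value is in correlating them with the identity provider’s own logs, since a token the IdP never recorded issuing, or one whose AuthnInstant has no matching on-premises logon event, is the strongest indicator that the signing key rather than the user was compromised.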

Serious Vulnerabilities Discovered in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been found in Medtronic MyCareLink (MCL) Smart Patient Readers that could be exploited to access and modify patient data from the paired implanted cardiac device. Chained together, the vulnerabilities allow remote code execution on the MCL Smart Patient Reader, permitting an attacker to take control of a paired cardiac device. An attacker can only exploit the vulnerabilities from within Bluetooth range of the vulnerable product.

All versions of the MCL Smart Model 25000 Patient Reader are affected by the following vulnerabilities.

CVE-2020-25183 is an improper authentication vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or a malicious application on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, deceiving it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

With CVE-2020-27252, an authenticated attacker running a debug command could trigger a heap-based buffer overflow in the MCL Smart Patient Reader software stack. If triggered, the attacker could remotely execute code on the vulnerable MCL Smart Patient Reader and take control of the device. This vulnerability has been assigned a CVSS v3 base score of 8.8.

Vulnerability CVE-2020-27252 is in the software update mechanism of MCL Smart Patient Readers. An attacker exploiting it could upload and run unsigned firmware on the Patient Reader. It can also permit remote execution of arbitrary code on the MCL Smart Patient Reader and may let an attacker take control of the device. This vulnerability has been assigned a CVSS v3 base score of 8.8.

The researchers that discovered the device vulnerabilities were from the Israeli firm Sternum. Researchers at the UC Santa Barbara, University of Michigan and the University of Florida also independently identified the improper authentication vulnerability.

Medtronic has provided a software update to correct the vulnerabilities after receiving the report. The firmware update is applied by updating the MyCareLink Smart app through the mobile app store. Updating the mobile app to version 5.2 ensures the update is applied on next use; however, the patch only works when the user’s smartphone is running Android 6.0 or later or iOS 10 or later.

Device users were likewise advised to maintain strong physical control over their monitors at home and to limit the use of home devices to private settings. Patients should just use home monitors that were acquired straight from their healthcare provider or a Medtronic agent.

Medtronic likewise took steps to enhance security, including employing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of identified vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which allows device-level logging and tracking of all device activity and tendencies.

Critical Vulnerabilities Found in Over 100 GE Healthcare Imaging and Ultrasound Devices

Two critical severity vulnerabilities found in GE Healthcare medical imaging products may permit remote code execution and access to or modification of sensitive patient information. The vulnerabilities affect GE Healthcare’s proprietary management software and impact over 100 GE Healthcare imaging devices, including MRI, Advanced Visualization, Ultrasound, Interventional, Mammography, X-Ray, Computed Tomography, PET/CT and Nuclear Medicine devices.

GE Healthcare products affected by the vulnerabilities include:

  • Ultrasound Devices – Image Vault, EchoPAC, LOGIQ, Voluson, Vivid
  • MRI Devices – Brivo, Optima, Signa
  • Advanced Visualization Device – AW
  • X-Ray Devices – AMX, Brivo, Discovery, Definium, Optima, Precision
  • Interventional Devices – Optima, Innova
  • Mammography Devices – Seno, Senographe Pristina
  • Nuclear Medicine, PET/CT Devices – Brivo, Discovery, PET Discovery, Infinia Optima, PETtrace, Ventri, Xeleris
  • Computed Tomography Devices – Brivo, BrightSpeed, Discovery, Frontier Optima, LightSpeed, Revolution

Researchers Lior Bar Yosef and Elad Luz of CyberMDX discovered the vulnerabilities and reported them to GE Healthcare in May 2020. CyberMDX refers to the vulnerabilities as MDHexRay. Both vulnerabilities have a CVSS v3 base score of 9.8 out of 10.

The first vulnerability, CVE-2020-25175, stems from unprotected transport of credentials over the network. The second stems from exposure of sensitive system information to an unauthorized control sphere, which could permit access to or alteration of sensitive data.

CyberMDX determined that GE Healthcare's servicing model relied on specific ports being open and reachable by GE Healthcare so that devices could be maintained remotely over the network. Although credentials are required to update and maintain the software, GE Healthcare only changes the default credentials when a customer requests it, and the default credentials are easy to find online. How many customers have requested the change is not known.

The vulnerabilities can only be exploited by an attacker who already has access to the hospital network; from there, the default credentials can be used to gain access to vulnerable imaging devices and the data stored on them. There have been no reports of the vulnerabilities being exploited in the wild.

GE Healthcare has evaluated the vulnerabilities, performed a risk assessment and concluded that there are no patient safety issues; the vulnerabilities do, however, present a risk to patient privacy, and an attacker who alters patient data could affect the outcome of some treatments. Because data remains on the imaging devices only for a finite time before being transmitted to the PACS, the potential exposure of patient data is limited.

No patch is yet available. Mitigation consists of changing the default password, which only GE Healthcare can do; GE Healthcare is notifying its customers, helping affected customers change the default password, and confirming that product firewalls are configured correctly. Customers are also being told to follow guidelines for network management and security. CyberMDX recommends setting ports 21 (FTP), 22 (SSH), 23 (Telnet) and 512 (REXEC) to listen-only mode.
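The two conditions that make the GE devices exploitable, service ports reachable from the general hospital network and logins that travel in cleartext over FTP, Telnet and rexec, are both things a network team can check for itself. The Go program below is an added example for this article, not CyberMDX's or GE Healthcare's code: it audits a set of connection records against a policy of known imaging-device addresses and a vendor-access subnet, flagging service-port connections from anywhere else and any credentials it can see on the wire. The device and client addresses, the vendor subnet, the FTP and rexec payloads and the function names are all constructed for the example; the rexec field layout (stderr port, user, password, command, each NUL-terminated) follows the classic BSD rexecd protocol.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Conn is one observed TCP connection, reduced to what the audit needs.
// The records in SampleConns are constructed for this example, not captures.
type Conn struct {
	Src     string // client IP
	Dst     string // imaging device IP
	DstPort int
	Payload string // first bytes sent by the client
}

type Finding struct {
	Src, Dst, Service, Reason string
}

// Service ports named in the mitigation advice.
var serviceByPort = map[int]string{21: "FTP", 22: "SSH", 23: "Telnet", 512: "REXEC"}

// Protocols that carry the login in cleartext; SSH is the exception.
var cleartextPorts = map[int]bool{21: true, 23: true, 512: true}

var (
	ftpUser = regexp.MustCompile(`(?m)^USER (\S+)\r?$`)
	ftpPass = regexp.MustCompile(`(?m)^PASS \S+\r?$`)
)

// Policy is the site's view of what should be allowed.
type Policy struct {
	Devices      map[string]bool // imaging-device IPs
	VendorAccess []*net.IPNet    // subnets allowed to reach service ports
}

// NewPolicy builds a Policy from device IPs and vendor-access CIDRs (assumed inputs).
func NewPolicy(devices, vendorCIDRs []string) Policy {
	p := Policy{Devices: map[string]bool{}}
	for _, d := range devices {
		p.Devices[d] = true
	}
	for _, c := range vendorCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic("bad vendor CIDR: " + c)
		}
		p.VendorAccess = append(p.VendorAccess, n)
	}
	return p
}

func (p Policy) allowed(ip string) bool {
	addr := net.ParseIP(ip)
	for _, n := range p.VendorAccess {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

// Audit returns one finding per policy violation: service ports reached from
// outside the vendor subnet, and credentials observable in cleartext.
func Audit(conns []Conn, p Policy) []Finding {
	var out []Finding
	for _, c := range conns {
		svc, ok := serviceByPort[c.DstPort]
		if !ok || !p.Devices[c.Dst] {
			continue // not a device, or not a service port
		}
		if !p.allowed(c.Src) {
			out = append(out, Finding{c.Src, c.Dst, svc, "service port reachable from outside the vendor access subnet"})
		}
		if !cleartextPorts[c.DstPort] {
			continue
		}
		switch c.DstPort {
		case 21:
			if m := ftpUser.FindStringSubmatch(c.Payload); m != nil && ftpPass.MatchString(c.Payload) {
				out = append(out, Finding{c.Src, c.Dst, svc, "cleartext login for user " + m[1]})
			}
		case 512:
			// rexec client sends: stderr-port NUL user NUL password NUL command NUL
			if f := strings.Split(c.Payload, "\x00"); len(f) >= 4 && f[1] != "" {
				out = append(out, Finding{c.Src, c.Dst, svc, "cleartext login for user " + f[1] + " running " + f[3]})
			}
		case 23:
			out = append(out, Finding{c.Src, c.Dst, svc, "telnet session: any credentials typed are observable on the wire"})
		}
	}
	return out
}

// SampleConns is constructed input: one vendor SSH session, a workstation
// logging in over FTP and rexec, an FTP login to a non-device, and a vendor
// telnet session (payload is the telnet IAC DO TERMINAL-TYPE negotiation).
func SampleConns() []Conn {
	return []Conn{
		{"10.99.0.7", "10.1.5.20", 22, "SSH-2.0-OpenSSH_8.4"},
		{"10.1.40.15", "10.1.5.20", 21, "USER svc\r\nPASS hunter2\r\n"},
		{"10.1.40.15", "10.1.5.20", 512, "0\x00svc\x00hunter2\x00id\x00"},
		{"10.1.40.15", "10.1.9.9", 21, "USER anonymous\r\nPASS x\r\n"},
		{"10.99.0.7", "10.1.5.20", 23, "\xff\xfd\x18"},
	}
}

func main() {
	p := NewPolicy([]string{"10.1.5.20"}, []string{"10.99.0.0/24"})
	for _, f := range Audit(SampleConns(), p) {
		fmt.Printf("%s -> %s %-6s %s\n", f.Src, f.Dst, f.Service, f.Reason)
	}
}
```

Note that the vendor's own telnet session is still flagged: restricting who can reach port 23 limits who can log in, but it does nothing for the credential that crosses the wire, which is why the underlying advisory counts unprotected credential transport as a separate vulnerability from the default passwords.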

AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

The American Medical Association has warned hospitals, health systems and medical practices about the spike in cyber risks facing the healthcare sector in particular, and has offered advice on the steps to take to mitigate threats and improve network security.

AMA assistant director of federal affairs Laura Hoffman discussed the current threats in an AMA COVID-19 Update and introduced a new resource, created by the AMA and the American Hospital Association (AHA), on the technology considerations healthcare organizations should weigh for the rest of 2020 to improve network security and patient privacy.

The COVID-19 pandemic has created many new problems for healthcare providers, which are treating more patients while dealing with an unfamiliar disease. It also drove a rapid expansion of telehealth services, with many patients receiving virtual care through new technology tools.

These new technologies and systems introduced vulnerabilities and widened the attack surface, and cybercriminals have taken advantage by escalating attacks on the healthcare industry. Phishing attacks on the sector increased at the start of the pandemic. Virtual private networks were widely adopted to support remote work, telehealth and remote monitoring of medical equipment, further expanding the attack surface, and several vulnerabilities discovered in these tools have been exploited by threat actors to gain access to healthcare systems.

Ransomware attacks on healthcare providers have also increased; in particular, Ryuk ransomware operators have targeted the healthcare sector in recent weeks. These attacks block access to protected health information (PHI) and take mission-critical systems offline, delaying patient care and putting patient safety at risk. The AMA has also observed more insider threats during the pandemic, with insiders exploiting known security weaknesses for financial gain.

The guidance is intended to help practices and hospitals prepare for the months ahead, when a second wave of COVID-19 infections may coincide with cold and flu season. The AMA recommends that providers request regular updates from their IT vendors or security specialists, and the guidance document supplies a set of questions to ask them so that vulnerabilities are identified and addressed. The questions cover network security, legacy devices and unsupported software, system access rights granted to third parties and vendors during the pandemic, and where all PHI is located.

Besides dealing with cybersecurity risks, healthcare organizations must prepare for the end of the Public Health Emergency. During the pandemic, the HHS' Office for Civil Rights is exercising enforcement discretion regarding the use of telehealth technology; once the Public Health Emergency ends, healthcare organizations must be in full compliance with HIPAA.

The telehealth platforms adopted during the pandemic may not be acceptable for continued use. If they are to remain in use, a business associate agreement with the technology provider is required, and, if it has not already been done, a security risk analysis of the telehealth platform must be performed to identify risks and vulnerabilities to the PHI it handles.

The AMA is urging physicians and hospitals to begin those discussions with their telemedicine vendors and to conduct a security risk analysis now, so they are ready when the Public Health Emergency ends.

The AMA/AHA guidance also recommends asking telemedicine vendors about their privacy procedures, intended data uses and security practices, and consulting legal counsel to clarify how vendors capture and store video, audio and other data and who can access it. Vendors can also be asked whether they share the results of third-party security audits, such as SOC 2 or HITRUST, and of penetration tests.

It is also advisable to enable all available privacy and security features on telemedicine platforms, such as end-to-end encryption, so that third parties cannot intercept communications between patients and providers. Patients should also be made aware of the privacy risks involved in receiving virtual care through telemedicine platforms.