VMware Patches High Severity Vulnerabilities Identified in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has introduced patches to fix two high severity vulnerabilities that affected vRealize Operations, which is its AI-powered IT operations management system for private, hybrid, and multiple-cloud environments. The vulnerabilities likewise impacted its other products – vRealize Suite Lifecycle Manager and VMware Cloud Foundation.

The first vulnerability CVE-2021-21975 is a server-side request forgery vulnerability that a remote attacker could exploit to use the functions of a server and gain access to or manipulate data that must not be directly accessed. An attacker can exploit the vulnerability by transmitting a specially created request to an insecure vRealize Operations Manager API endpoint that will enable the attacker to steal admin credentials. The vulnerability has an assigned CVSS rating of 8.6 out of 10.

The second vulnerability identified in the vRealize Operations Manager API is monitored as CVE-2021-21983, which is an arbitrary file write vulnerability. It has an assigned CVSS rating of 7.2 out of 10. An attacker could exploit the vulnerability to write files to the root photon operating system. But the attacker must first have admin credentials to be authenticated and be able to take advantage of the vulnerability.

The problem is that the two vulnerabilities can be chained together so that an attacker could do execute arbitrary code remotely in the vRealize Operations system. To be able to exploit the vulnerabilities, it is necessary that the attacker has access to the vRealize Operations Manager API.

The vulnerabilities in vRealize Operations Manager versions 7.5.0 to 8.3.0 had been fixed by VMWare. End-users of the vRealize Operations system are instructed to update and get a secure edition of the platform immediately to avoid vulnerabilities exploitation.

If a user can’t do a prompt update, VMware has given an option that entails working with the casa-security-context.xml and taking away a configuration line and then rebooting the CaSA service on the impacted device. Igor Dimitenko of security company Positive Technologies identified the vulnerabilities.

Hacker of Verkada Security Camera Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft

The US. government has indicted the Swiss hacktivist who acquired access to the surveillance cameras of the California startup company Verkada in March 2021 for computer criminal activities spanning from 2019 to present. Her crimes included obtaining and publicly exposing source code and exclusive information of company and government victims in and outside the United States.

Till Kottmann, 21 years old, also known as ‘tillie crimew’ and ‘deletescape’ lives in Lucerne, Switzerland. She is a member of a hacking collective called APT 69420 / Arson Cats. Lately, Kottman confessed to getting access to the Verkada security cameras utilized by a lot of big corporations, such as Tesla, Cloudflare, Okta, Nissan, and also educational institutions, correctional establishments, and hospitals. He accessed the live streams of security camera and archived video footage from March 7 to March 9, 2021, and published their screenshots and videos online.

Ethical hackers generally exploit vulnerabilities and access systems to address the vulnerabilities before bad actors can exploit them. They report the vulnerabilities to the entities involved, and then steps are undertaken to resolve the security issues before publicly announcing the details. In Kottmann’s case, she did not follow responsible disclosure procedures. She publicly disclosed sensitive data attained from victims’ networks, and did not notify the breached organizations instantly before disclosing the stolen information.

On March 18, 2021, a grand jury in the Western District of Washington indicted Kottmann for a number of computer breach and identity and data theft activities from 2019 up to today. The Kottmann’s indictment includes charges of one count of aggravated identity theft, one count of conspiracy to commit computer fraud and abuse, a few counts of wire fraud, and one count of conspiracy to commit wire fraud.

Conspiracy to commit computer fraud and abuse bears a prison term of 5 years maximum, the wire fraud and conspiracy to commit wire fraud charges bears a prison term of 20 years maximum, and the identity theft charge has a obligatory 24-month prison term, which extends consecutively to other sentences.

Based on the indictment, Kottmann and co-conspirators accessed the computer systems of over 100 corporations and government agencies and exposed the stolen data on the Internet. Kottmann frequently attacked git and other source code databases, and copied the source code, files, and other top-secret data, which usually involved access codes, and hard-coded information, and other ways of getting access to company networks. She utilized the stolen information for further attacks, normally cloning more data from victims’ networks prior to publishing the stolen information on the web.

The indictment states that Kottmann will speak with the press and publish data on social media platforms regarding what she does to involve others and expand the hacking activity as well as her own name in the hacking community.

The FBI’s cyber task force headed Kottmann’s investigation. With Swiss law enforcement’s release of a search warrant of Kottmann’s house located in Lucerne on March 12, 2021, the FBI was able to seize computer equipment. Lately, the FBI took over a domain, which Kottmann managed and used to publicly disclose stolen information.

Stealing credentials and information, and publishing source code and private and sensitive data online can increase vulnerabilities for everybody from big corporations to individual customers.

AllyAlign Health Ransomware Attack Impacts Tens of Thousands of People

AllyAlign Health based in Glen Allen, VA, offering Medicare Advantage health plan management, has begun informing members and companies regarding a ransomware attack attempt that happened on November 13, 2020.

Based on the breach notification letters received by impacted persons, AllyAlign Health knew about the attack first on November 14, 2020. The investigator of the incident learned that the attackers accessed systems containing members’ information such as first and last names, birth dates, addresses, Social Security numbers, Medicare beneficiary identifiers, Medicare health insurance claim numbers, medical claims backgrounds, medical insurance policy numbers, and other medical data.

Healthcare providers impacted by the breach received notification that names, addresses, birth dates, Council for Affordable Quality Healthcare (CAQH) credentialing data, and Social Security numbers might have been breached.

It is uncertain precisely how many people were impacted by the attack. Based on the breach notification provided to the Maine Attorney General, the protected health information (PHI) of 76,348 persons was possibly affected by the breach. AllyAlign Health submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights indicating that 33,932 people were impacted. The 33,932 people are probably members and the others are healthcare providers.

The Attorney General notification reveals the breach was identified on February 2, 2021. This may be the particular date when they completed the breach investigation and knew about the number of people affected.

AllyAlign Health stated it worked immediately to take care of the breach and called in IT experts to secure its network environment. After the breach happened, guidelines and procedures were modified to address the security of its systems, servers and data life cycle control. The provider sent notification letters to affected persons on February 26, 2021 and offered them credit monitoring and identity theft protection services. During the issuance of notifications, there was no report received that indicates the misuse of the data of members or providers.

Ransomware Attacks on Ramsey County and Crisp Regional Health Services and Update on Vaccine Scheduling Application

The County Manager’s Office of Ramsey County, MN sent notifications to 8,700 clients of its Family Health Division about unauthorized persons that potentially accessed some of their personal information because of a ransomware attack on Netgain Technology LLC, one of its vendors.

Netgain Technology LLC located in St. Cloud is Ramsey County’s provider of technology solutions such as an application that the Family Health Division uses for documenting home sessions. Threat actors possibly viewed and downloaded data within the application prior to ransomware deployment. The information in the application included names, birth dates, addresses, dates of service, telephone numbers, account numbers, medical information, medical insurance details, and, the Social Security numbers of selected individuals.

It would seem that the motive behind the ransomware attack was to extort money from Netgain. There was no intention of getting access to personal information; nonetheless, the possibility of unauthorized access or data theft cannot be ruled out.

Ramsey County was advised regarding the ransomware attack on December 2, 2020 and immediately stopped using the services and program of Netgain and followed backup processes. The company had reported the ransomware attack to the respective authorities and implemented measures to fortify security to prevent other attacks.

Ransomware Attack at Crisp Regional Health Services

A January 27, 2020 ransomware attack on Crisp Regional Health Services in Cordele, GA led to the taking down of selected systems by the provider. The ransomware attack affected the hospital’s telephone system. Workers were forced to use radios to facilitate internal communications. Patients and their family members had to use social media to get in touch with each other during the time that the telephone system was unavailable.

Crisp Regional Health Services quickly took steps to secure the information and regulate the attack. Third-party cybersecurity professionals helped investigate the attack and find out the extent of the breach, as well as the likelihood that the attackers accessed or exfiltrated patient data.

Crisp Regional Health Services’ community relations and foundation Director Brooke Marshall mentioned that the attack did not jeopardize workflow, nor compromised patient care.

The investigation is still ongoing and more information will be announced when it is available.

Vaccine Scheduling Application Vulnerability Allowed People to Skip Queue and Get Vaccination Appointments

Michigan-based Beaumont Health experienced a breach last January 30/31 that affected its Epic COVID-19 vaccine scheduling system. An unauthorized person who exploited a vulnerability in the system publicly made known an unauthorized method of making a reservation. 2,700 people were able to book COVID-19 vaccination appointments using this unauthorized method.

Beaumont Health advised Epic concerning the breach on January 31, 2020 and together they dealt with the issue. The vaccination schedules of the 2,700 persons who made unauthorized reservations were canceled. People who fulfilled the eligibility requirements and made legit COVID-19 vaccination appointments were not affected.

Epic further made an announcement that the breach had not allowed any unauthorized person to access patient medical records.

VMWare Carbon Black Reviews the Status of Healthcare Cybersecurity in 2020

All through 2020, the healthcare sector provided health care to patients battling with COVID-19, at the same time, it had to manage growing numbers of cyberattacks because cybercriminals increased their activities.

Lately, VMware Carbon Black carried out a retrospective evaluation of the status of healthcare cybersecurity in 2020 that showed the degree to which the healthcare sector was attacked by cybercriminals, how attacks succeeded, and what must be done by healthcare companies to avoid cyberattacks this 2021.

VMware Carbon Black examined information from attacks on its healthcare clients in 2020 and discovered 239.4 million cyberattack attempts in 2020, which translates to 816 cyberattack attempts per endpoint on average. That shows an increase of 9,851% from 2019.

With the pandemic, cyberattacks on healthcare companies increased. From January to February 2020, cyberattacks on healthcare clients were 51% higher and continued to go up all through the year, the peak was from September to October when attacks had an 87% month-over-month increase. The big surge in attacks happened in the fall because of greater ransomware activity as the Ryuk ransomware gang particularly increased attacks on the healthcare community.

Attacks were done to get access to healthcare information for identity theft and fraudulence. Stolen information was sold on darknet marketplaces, however, the greatest threat was from ransomware. The effect of ransomware was mainly assisted by affiliates. A lot of ransomware groups offer ransomware-as-a-service (RaaS), so ransomware deployment is easily accessible to many cybercriminals who formerly had no resources to execute the attacks. The huge potential rewards for doing attacks have attracted a lot of people into ransomware distribution. Cybercriminals are additionally hiring insiders that could give them access to networks in exchange for paying big amounts of money or a percentage of ransoms earned.

Double extortion strategies have likewise been broadly used by ransomware gangs to boost the probability of victims paying, so as to avert the publicity of the stolen information instead of just getting the keys to restoring encrypted files. A great deal of the stolen information is being sold on dark websites, particularly stolen protected health information (PHI) and COVID-19 test result information.

In 2020, numerous threat actors had partnered and shared resources and swap strategies, with access to systems being given to other threat groups to perform their own attacks. The venture between threat groups is growing and threat actors are finding new ways to gain access to systems in order to deploy their malicious payloads.

The increasing attacks throughout 2020 would likely not slow down in 2021. Actually, the attacks will likely keep on increasing.

VMWare Carbon Black gave three recommendations for CISOs to make sure that they remain one step in advance of attackers. The majority of AV solutions simply emphasize the delivery step. For greater protection healthcare companies must deploy next-generation antivirus software that safeguards against each stage of ransomware attacks, starting from delivery to distribution to encryption. Endpoint protection software must be selected that could be quickly scaled and deployed to secure new users, at the same time maintain data protection, compliance, and security procedures.

Finally, healthcare CISOs must be proactive and deal with vulnerabilities well prior to exploitation. This means IT tracking applications must be deployed that offer complete visibility into devices that link to the system. This is going to let CISOs to monitor configuration drift and immediately remediate problems and make sure all gadgets are patched and secured.

NSA Publishes the Latest Guidance on Removing Weak Encryption Protocols

The National Security Agency (NSA) has published guidance to assist organizations in removing weak encryption protocols that threat actors are presently taking advantage of to decrypt sensitive information.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were designed to have safeguarded channels employing authentication and encryption to make sure the protection of sensitive data between a server and a consumer. The algorithms employed by these protocols to encrypt information have since been made current to enhance the power of encryption, nevertheless obsolete protocol settings remain utilized. Attackers are creating new attacks and actively employing them to take advantage of authentication and weak encryption protocols to decrypt and get access to sensitive data.

The NSA makes clear that many products using obsolete cipher suites, TLS versions, and key exchange methods were updated, however, implementations were not often followed and continued usage of these outdated TLS configurations pose a heightened risk of attack. Usage of obsolete protocols presents a wrong sense of protection, because even though data transmissions are secured, the degree of security given is not enough to avoid decryption of data by nation state actors and other threat actors.

The latest NSA guidance points out how to detect out-of-date TLS and SSL settings, exchange them with the newest, more risk-free versions, and prohibit out-of-date cipher suites, key exchange methods and TLS versions.

The guidance is largely focused on cybersecurity frontrunners in the Department of Defense (DoD), Defense Industrial Base (DIB), and National Security System (NSS), even so, it may be utilized by every network user and operator to be able to better safeguard sensitive data.

The NSA advises replacing SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and just employing TLS 1.2 or TLS 1.3. The guidance provided specific data on the applications, network signatures, and server settings needed to just enable strong encryption protocol settings.

Outdated configurations give attackers access to sensitive operational traffic via various methods, like passive decryption and changing of traffic via man-in-the-middle attacks. To assist system administrators in fixing the components of their network, NSA designed a number of server settings and network signatures to go along with the report that are offered on the NSA Cybersecurity Github.

Upgrading TLS configurations will make certain that government services and business establishments have more powerful encryption and authentication and can better safeguard sensitive data.

Attacks on the SolarWinds Orion Software by Sophisticated Hackers

The Cybersecurity and Infrastructure Security Agency (CISA) gave a warning regarding the active exploitation of the SolarWinds Orion IT monitoring and management software by sophisticated hackers.

It is believed that the ongoing cyberattack is the work of a very sophisticated nation state hacking group. It’s the same group that created a Trojanized version of the Orion software used for downloading a backdoor known as SUNBURST into customers’ systems.

About 18,000 customers had been affected by the supply chain attack because of having downloaded the Trojanized version of the Orion software as well as the SUNBURST backdoor. Big public and private companies and government institutions are using SolarWinds Orion.

The U.S. military, State Department, the Pentagon, the National Security Agency and NASA are SolarWinds customers. 425 of the 500 biggest publicly traded U.S. companies use SolarWinds  products. There have been attacks on the US Treasury, the Department of Homeland Security, and the US National Telecommunications and Information Administration (NTIA).

The cybersecurity firm FireEye first detected the attacks. The attacks began in spring 2020 with the launching of the malicious versions of the Orion software. The malware is elusive so it’s been so long before a threat is detected. According to FireEye, the malware hides its network traffic in the Orion Improvement Program (OIP) protocol and keeps reconnaissance results in valid plugin configuration files so it could mix in with valid SolarWinds activity. After the installation of the backdoor, the attackers could move sideways and perform data theft.

President and CEO of SolarWinds Kevin Thompson said that the vulnerability is thought to be the work of a nation-state group attacking a very-sophisticated, targeted, and manual supply chain.

The hackers accessed SolarWinds’ software development set up and put in the backdoor code into the library of the SolarWinds Orion Platform software versions 2019.4 HF 5 up to 2020.2.1 HF 1, which were available in March 2020 to June 2020.

CISA’s Emergency Directive ordered all federal civilian bureaus to work quickly to prevent any ongoing attack by removing or disconnecting SolarWinds Orion products, versions 2019.4 up to 2020.2.1 HF1, from their systems. The bureaus likewise prevented the Windows host OS from linking to the enterprise domain.

All SolarWinds clients were instructed to upgrade their Orion software to Orion Platform version 2020.2.1 HF 1. And later use the available second hotfix,  2020.2.1 HF 2  to replace the compromised part and do other extra security improvements.

If immediate upgrade is impossible, SolarWinds provided guidelines for keeping the Orion Platform secure. Organizations must likewise check for any indication of compromise by means of the antivirus engines, where the signatures of the backdoor are added. Microsoft has stated that detection of the backdoor is now possible with all its antivirus products so users should run a full scan.

SolarWinds, FireEye, the FBI, and the intelligence community are working together to watch  the attacks. SolarWinds and Microsoft are also working to take out an attack vector that causes the compromise of Microsoft Office 365 productivity solutions.

It is still uncertain which group is doing the attack; but according to the Washington Post, the Russian nation state hacking group APT29 (Cozy Bear) is responsible for the attack. A Kremlin spokesperson said Russia is not involved with the attacks.

CISA Warns About the Active Attack of the SolarWinds Orion Software

The Cybersecurity and Infrastructure Security Agency (CISA) gave an alert regarding the active exploitation of SolarWinds Orion IT monitoring and management software by sophisticated hackers. It is believed that the group behind the cyberattack is the highly sophisticated, elusive, nation-state hacking group that created a Trojanized version of the Orion software. That software program was used to deploy a backdoor into the systems of customers known as SUNBURST.

The supply chain attack has affected about 18,000 customers, who have downloaded the Trojanized version of SolarWinds Orion as well as the SUNBURST backdoor. Big  public and private companies and government departments use SolarWinds Orion.

Among the users of SolarWinds are the five branches of the U.S. military, the State Department, the Pentagon, the National Security Agency and NASA. There are also about 425 big publicly traded U.S. firms that use its solutions. Organizations that have been under cyberattack include the US National Telecommunications and Information Administration (NTIA), the US Treasury, and Department of Homeland Security. The cybersecurity firm FireEye that first detected the cyberattack was also attacked.

The attacks began with the introduction of the first malicious versions of the Orion software last spring 2020. It is believed that the hackers were present in the breached  networks since then. It took so long to identify the threat because the malware is elusive. According to FireEye, the malware covers up its network traffic as the Orion Improvement Program (OIP) protocol and keeps reconnaissance results within legitimate plugin configuration files enabling it to merge with valid SolarWinds activity. As soon as the backdoor is installed, the attackers move laterally and perform data theft.

The hackers obtained access to the software development environment of SolarWinds and put the backdoor code in the library of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released from March 2020 up to June 2020.

CISA gave an Emergency Directive instructing all federal civilian agencies to block attacks by quickly disconnecting from networks or shutting down SolarWinds Orion software versions 2019.4 through 2020.2.1 HF1. The agencies were also told not to “(re)connect the Windows host OS to the company domain.

All clients need to make prompt upgrades of their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. The second hotfix – 2020.2.1 HF 2 – will be available soon to replace the vulnerable component and apply additional security improvements.

If unable to quickly upgrade, follow the guidelines provided by SolarWinds to protect the Orion Platform. Companies must monitor for indicators of compromise. Microsoft already added the signatures of the backdoor to its antivirus products (other antivirus software too) to enable detection of the backdoor. Running a full scan is highly recommended.

SolarWinds, FireEye, the FBI, and the intelligence community are working together to look into the attacks. SolarWinds and Microsoft are also trying to get rid of an attack vector that results in the breach of targeted Microsoft Office 365 productivity products.

It is still uncertain which group is really behind the attack; but the Washington Post reported that some sources stated the Russian nation-state hacking group APT29 (Cozy Bear) conducted the attack but a spokesperson for the Kremlin denied it.

Ransomware Attacks at GBMC HealthCare, Golden Gate Regional Center and Dyras Dental

GBMC HealthCare based in Towson, MD announced a ransomware attack that occurred on December 6, 2020 resulting in the shutdown of its computer systems. The healthcare organization now operates under EHR downtime procedures while it mitigates the attack. GBMC HealthCare had a plan for such a case and had processes set up to make sure that it could continue to provide patient care while minimizing disruption.

GBMC Healthcare continues to provide patients with safe and effective care. Its emergency section did not cease receiving patients; but, certain elective treatments scheduled for December 7 were postponed. GMBC is doing all it can to bring systems back online and recover the encrypted data. The incident is already reported to law enforcement who is looking into the attack. The Egregor ransomware gang has stated it is responsible for the attack.

Golden Gate Regional Center Ransomware Attack Impacts 11,315 Individuals

Golden Gate Regional Center in San Francisco, Marin, and San Mateo counties in California provides services to persons with developmental disabilities. On September 23, 2020, it noticed suspicious activity on its computer networks. The investigation showed that the attacker exfiltrated the protected health information (PHI) of 11,315 people from its systems before deploying the ransomware.

Information stolen in the attack only included names, service codes/descriptions, vendor/service provider names/numbers, GGRC client identification numbers, month or year of service, and cost data associated with the services given. No evidence was found that indicates the misuse of any stolen data. Affected persons received notification by mail in November. Breach victims received free identity theft protection services.

Stolen Data from Dyras Dental Dumped

Dyras Dental based in Lansing, MI has encountered a ransomware attack that used the Egregor ransomware. This attack is not yet verified by the dental service provider. Databreaches.net identified a dump of information stolen in the attack on September 24, 2020. It attempted to contact Dyras Dental, however, there was no response from the provider. Databreaches.net reported the incident to the Department of Health and Human Services’ Office for Civil Rights since it would seem that it was not yet reported and patients did not get any notification letter regarding the theft of their PHI.

As per Databreaches.net, the dumped information contained more than 100 files with data such as insurance billing details, voicemail recordings that contain PHI and employee W-2 statements.

Healthcare Data Breaches at Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center based in Yreka, CA, began sending notifications to some patients about the potential access of some of their protected health information (PHI) by unauthorized individuals online.

In July 2020, a third-party security company informed Fairchild Medical Center regarding a misconfigured server, which made it accessible over the web. With the help of third-party computer specialists, the medical center learned that unauthorized people may have gotten access to patient information.

The server held medical images with patient names, birth dates, exam identification numbers, patient identification numbers, names of ordering provider, and dates of exam. The misconfiguration happened on December 16, 2015 and was only corrected on July 31, 2020. A third-party security firm verified the security of the server after making necessary changes.

A forensic investigation couldn’t ensure whether unauthorized persons accessed patient data when the server was accessible, but the possibility couldn’t be excluded.

Mismailing Incident Reported by Harvard Pilgrim Health Care

Harvard Pilgrim Health Care is sending a notification to 8,022 persons regarding a software error in its enrollment data management system. The error caused the association of a person’s mailing address with another address connected to the health plan of that person. Because of the error, a number of mailings were misdirected to the address of a subscriber of the individual’s health plan or to a previous address. Harvard Pilgrim Health Care traced back the problem to an error that happened in 2013.

The types of information that may have been breached varied from mailing to mailing and possibly included the name of the member, ID number, birth date, telephone number, provider names, service dates, treatment details, deductibles, charges for services, co-pay amount, and co-insurance data associated to healthcare coverage.

The problem has now been solved and the procedure of system updates has been evaluated and enhanced. Affected people were instructed to verify their Activity Summaries and to submit a report on any dubious entries to Harvard Pilgrim right away.

Indian Health Council Inc Encounters Ransomware Attack

A ransomware attack on Indian Health Council Inc. based in Valley Center, CA occurred in September 2020 resulting in file encryption that possibly impacted patients’ PHI. Indian Health Council knew about the cyberattack on September 22, 2020 and hired independent computer forensic professionals to assist with the investigation.

An evaluation of the files the attacker had access to revealed that some had patient data included like names, dates of birth, health data, and health insurance details and, for certain persons, data about medical conditions, treatment, or diagnosis details.

Following the ransomware attack, Indian Health Council Inc changed passwords and strengthened security to avoid other attacks. It also enforced additional measures or controls like remote access and multi-factor authentication.

All patients affected by the breach already received notification. The breach report filed with the Office for Civil Rights indicates that the attack potentially impacted 5,769 people.

Ransomware Attack with Data Theft on US Fertility

A ransomware attack on US Fertility (USF) on September 14, 2020 impacted parts of its computer networks and included systems where sensitive protected health information (PHI) is located. US Fertility is the biggest network of fertility centers throughout the United States, operating 55 clinics in 10 states. About 50 percent of its clinics are identified to have been impacted by the attack.

US Fertility reacted promptly to the attack and confirmed the encryption of data on several of its servers and workstations linked to its website. Those systems were taken off the internet right away while investigating the attack. Third-party security and computer forensic professionals came in to help investigate the incident and retrieve data on the impacted workstations and servers. According to USF, it was able to fix all impacted devices and had them connected again to the system on September 20, 2020. USF has reported the attack to federal law enforcement and is helping with the continuing investigation.

After the completion of the forensic investigation, USF confirmed that the attackers stole data. On August 12, 2020, the attackers first acquired access to the network and continued to access it possibly until September 14, 2020 when USF discovered the attack. A review of the system to identify all the files the attackers had access to was concluded on November 13.

USF stated that the unidentified threat actors potentially accessed files that contain names, addresses, birth dates, Social Security numbers and
MPI numbers. The types of information compromised differed from one person to another. The majority of patients had not exposed their Social Security numbers.

Although USF confirmed that there was data theft, no report of PHI misuse was received. Nevertheless, USF notified the affected persons to keep an eye on their accounts and submit a report if they suspect any misuse of protected health information.

USF already took the following steps to strengthen security after the ransomware attack:

  • strengthened its firewall
  • improved tracking of networking activities
  • provided additional training to employees regarding computer security
  • data safety, and identifying phishing emails

Cyberattacks Impact Hendrick Health, First Impressions Orthodontics and Kids First Dentistry & Orthodontics

Hendrick Health EHR Downtime As a Result of Ransomware Attack

The IT and EHR systems of Hendrick Health in Texas were taken offline to address the threat of a cyberattack. The ransomware attack on November 9, 2020 affected some Hendrick Health’s clinics and the main campus medical center. The ransomware attack did not impact Hendrick Health’s medical center in the South and Brownwood.

Hendrick Health reported that despite the cyberattack, patient care was not affected. The medical center continued to offer inpatient services; although, a few patients had to be diverted to other campuses to receive medical care. There were also some changes made to the schedule of outpatient services.

Hendrick Health is working round the clock to fix all its systems. In the meantime, medical center staff had to record patient data manually using pen and paper.

PHI of 28,000 Dental Patients Potentially Compromised

The protected health information (PHI) of 23,000 patients of First Impressions Orthodontics is potentially compromised due to a September 28, 2020 ransomware attack.

First Impressions Orthodontics creates data backups regularly and keeps it safe. So patient data may be brought back without having to pay the ransom. Aside from the 23,000 First Impressions Orthodontics patients, the breach also impacted 5,000 Kids First Dentistry & Orthodontics patients
who go to First Impressions Orthodontics to get their x-rays.

The types of data possibly breached included names, addresses, email addresses, phone numbers, Social Security numbers, dental files, dental x-rays, service charge amounts, dental insurance numbers, and payments made for services. Compromised x-ray images contained patients’ names, birth dates, and insurance details.

First Impressions Orthodontics sent notifications to the affected persons to comply with the requirement of the HIPAA breach notification rules. Though no evidence shows that data was accessed, stolen, or misused, as a safety measure, affected patients received complimentary two-years credit monitoring and identity theft protection services.

Survey Reveals the Cybersecurity Impact of COVID-19 to Organizations That Switch to a Remote Working Environment

Before the 2019 Novel Coronavirus pandemic, a lot of companies granted their employees to work from home on some weeks. With COVID-19, the way people work dramatically changed. National lockdowns forced employers to speedily change working tactics and permitted practically all their employees to work from home.

Even when the lockdowns were removed, a lot of employees went on working from home. The new work from home setup is regarded by many people as the new normal now. Remote working has produced a lot of challenges, particularly for cybersecurity because it is more difficult for organizations to stop, identify, and restrict cyberattacks when most of the employees are doing remote work.

Ponemon Institute conducted a new survey on behalf of Keeper Security to examine the cybersecurity obstacles of teleworking and assess how organizations have taken cybersecurity strategies to tackle the threats of teleworking. 2,215 IT and IT security experts participated in the survey.

One of the important discoveries from the survey is a significant reduction in the effectiveness of an organization’s security posture because of remote working. 71% of the participants rated their security defenses as very or highly effective prior to the pandemic. Only 44% rated their defenses as highly effective during the COVID pandemic.

The survey revealed a number of reasons for the observed drop in the effectiveness of those security defenses. When people work on-site, there are physical security measures that prevent equipment and data theft. 47% of survey participants said that employees’ homes lack physical security.

71% of IT experts stated that remote employees were additional risks to the data breach of an organization. 57% stated that remote employees are a primary target for cybercriminals trying to take advantage of vulnerabilities.

Remote employees must use business-critical applications. 59% of the survey participants said that remote access to those apps is higher at this time of the pandemic. Normally, organizations have got 51 business-critical apps and employees remotely access 56% of those apps.

56% of respondents said that the response time to a cyberattack is longer during the pandemic. The problem is 42% of respondents claimed they lack understanding of the proper way to protect against cyberattacks with lots of remote employees.

A big increase in using personal devices is observed because of the pandemic, and BYOD systems have lowered the security posture of organizations. 67% of survey participants stated that during the pandemic, remote employees were utilizing personal devices like mobile phones, which are mostly vulnerable devices.

If intrusion detection systems were effective in an office-based setup, it’s less effective with teleworking. 51% of respondents claimed that their intrusion detection systems stopped an exploit or malware infection during the pandemic. 61% stated they suffered a cyberattack using phishing and social engineering tactics during the pandemic.

In spite of the threat of cyberattacks, 31% of companies said they have no multi-factor authentication in place for remote workers. Just 43% offer security awareness training to deal with the problems of remote working. Just 47% are keeping track of their systems 24/7. Below 50% of respondents safeguard company-owned devices with updated anti-virus, gadget encryption, and firewalls. When these security problems are not dealt with, organizations will be at a far higher risk of encountering a cyberattack that could end up with a costly data breach. The complete details of the survey are on this page.

Vulnerabilities Discovered in SpaceCom and B. Braun OnlineSuite

Vulnerabilities in SpaceCom and Battery Pack SP with Wi-Fi

There were 11 vulnerabilities found in SpaceCom Patient Data Management System (in PC or USB memory stick} and Battery Pack with WiFi. These products are employed to hook up external devices for the purpose of documenting information.

The vulnerabilities were found in SpaceCom, software program Versions U61 and prior versions as well as Battery pack with Wi-Fi, software Versions U61 and prior versions.

An attacker can exploit the vulnerabilities and compromise the safety of SpaceCom devices. With elevated privileges, an attacker can view sensitive data, upload arbitrary data files, and wirelessly execute code. These are the 11 vulnerabilities:

1. CVE-2020-25158 (CVSS score of 7.6) – Mirrored cross-site scripting (XSS) vulnerability permitting injection of arbitrary HTML or web script into different areas.
2. CVE-2020-25150 (CVSS score of 7.6) -Relative path traversal attack vulnerability permitting an attacker having service user privileges to transfer arbitrary files and implement arbitrary codes.
3. CVE-2020-25162 (CVSS score of 7.5) – Path injection vulnerability enabling unauthenticated persons to view sensitive data and elevate privileges.
4. CVE-2020-25156 (CVSS score of 7.2) – Active debug code that allows attackers with cryptographic material to use the device as root.
5. CVE-2020-25160 (CVSS score of 6.8) -Incorrect access controls that permit extraction and modifying the device’s network settings.
6. CVE-2020-25166 (CVSS score of 6.8) -Incorrect validation of the cryptographic signature of software updates, which enables an attacker to create acceptable firmware updates having arbitrary material that may be utilized to tinker with devices.
7. CVE-2020-16238 (CVSS score of 6.7) – Inappropriate privilege management that allows attackers to control line access to the root Linux system, and to escalate privileges as root user.
8. CVE-2020-25152 (CVSS score of 6.5) -Session fixation vulnerability enabling web session hijacking and elevating privileges.
9. CVE-2020-25154 (CVSS score of 5.4) – Open redirect vulnerability enabling rerouting to malicious web pages.
10. CVE-2020-25164 (CVSS score of 5.1) – uses a one-way hash that permits the retrieval of user login information at the administrative interface.
11. CVE-2020-25168 (CVSS score of 3.3) – using hard-coded credentials to permit command-line access to get into the Wi-Fi module of the device.

Braun already launched updates to fix the vulnerabilities. Users need to acquire an update of the Battery Pack SP with Wi-Fi: Version U62 or more recent version and the SpaceCom: Version U62 or more recent version.

Braun additionally advises users not to make the devices directly accessible from the web and to set up a firewall and separate medical devices from the business connections.

The following persons were responsible for identifying the vulnerabilities: Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH; Julian Suleder, Birk Kauer and Nils Emmerich of ERNW Research GmbH.

Vulnerabilities Discovered in B. Braun OnlineSuite

There were three vulnerabilities found in B. Braun OnlineSuite, which is a clinical IT service for making and delivering drug libraries and handling infusion devices and various medical accessories. If an attacker exploits the vulnerability, it’s possible to increase privileges, upload and download arbitrary data files, and execute code wirelessly.

The most critical vulnerabilities with assigned CVSS v3 base scores of 8.4 to 8.6 out of 10 are the following two vulnerabilities:
1. Vulnerability CVE-2020-25174 is a remote code execution vulnerability that permits an attacker with local access to a vulnerable device to execute code like a high privileged user.
2. Vulnerability CVE-2020-25172 is a relative path traversal vulnerability that permits unauthenticated individuals to upload and downloads of files

The third vulnerability, CVE-2020-25170 is an Excel macro vulnerability found in the export feature and is attributable to the improper handling of multiple input fields, and has an assigned CVSS v3 base score of 6.9.

The abovementioned vulnerabilities are present in OnlineSuite AP 3.0 and prior versions. B.Braun has resolved the vulnerabilities in the OnlineSuite Field Service Information AIS06/20 update. Users are therefore urged to get the update without delay.

Potential Exposure of Financial Data and SSNs in Blackbaud Ransomware Attack Reported

On September 30, 2020, the SEC (U.S. Securities and Exchange Commission) received the Form 8-K filed by Blackbaud to give more information about the ransomware attack that the company encountered in May 2020. Blackbaud explained that the investigation by the forensic team revealed the possibility that more information was compromised in the attack. The attackers may have viewed the unencrypted fields that were intended for bank account details, usernames, passwords, and Social Security numbers of some clients.

For most of the Blackbaud clients affected by the attack, the data mentioned above were not compromised. The attackers could not read the sensitive information thanks to encryption. Blackbaud mentioned that it had sent notifications to all clients whose sensitive data were potentially exposed and gave them further assistance.

Blackbaud reported in the SEC filing that it had stopped the attackers from completely encrypting some files, but the attackers were able to extract a part of the data from Blackbaud’s cloud before encryption.

Blackbaud previously gave a statement that it gave the attackers their ransom demand so that the stolen data would not be exposed to the public or offered for sale. The attackers confirmed the deletion of the stolen data after receiving the ransom payment. The SEC filing did not state how much Blackbaud paid.

Blackbaud is sure that there was no data posted publicly or further compromised; even so, the risk is typical to paying hackers who stole data and encrypted records. It’s possible that they would not do as they say and kept a copy of the stolen information. Blackbaud is enforcing safety procedures and had engaged a cybersecurity agency to keep an eye on the dark web and the hacking forums for any posting of the stolen data.

On July 16, Blackbaud published notices about the data breach in compliance with the breach notification rules of the HIPAA. Throughout August and September, the number of breaches published on the HHS’ Office for Civil Rights breach portal steadily increased. Approximately 58 US healthcare companies have reported that the breach impacted them and there are more than 3 dozen breaches currently listed on the OCR breach portal.

The worst affected company thus far is Trinity Health. There were 3,320,726 individuals whose protected health information (PHI) was exposed. The PHI of 1,045,270 Inova Health System’s clients and 657,392 Northern Light Health’s clients were likewise affected by the breach. Many other healthcare organizations have stated that the breach affected many of their clients. To date, nearly 10 million individuals were affected.

Blackbaud, the security firms, and the authorities are continually investigating the breach.

Sen. Warner Wants Answers Regarding the Suspected Universal Health Services Cyber Attack

Universal Health Services has reported that its 250 hospitals within the United States are in business and trying to get an alleged person to be behind the attack that impacted its systems for 3 weeks. The attack began some time on September 27, 2020. On October 12, UHS has all its systems back online. A notice put up on its website stated the continuation of normal operations in the hospitals after the completion of the back-loading of information.

When systems were not available, physicians had to use pen and paper to be able to keep on offering treatment for patients and, in certain areas, patients had to be taken to substitute facilities to get treatment.

The health system revealed that a malware attack caused the security breach and the power down of its network; nevertheless, a number of insiders went to Reddit to speak up their concerns and said that this was a ransomware attack. Based on the information shared by those insiders, the attack looked like it involved Ryuk ransomware. The Ryuk ransomware gang are well-known to exfiltrate data files prior to deploying the ransomware; but, UHS said that there is no evidence found to show that the attackers accessed, copied or misused employee or patient data.

Sen. Mark Warner, D-VA sent a letter to the UHS Chairman and CEO Alan Miller to obtain responses to some questions regarding the attack and the security measures that were integrated to avoid and reduce the severity of a ransomware or malware attack. In his letter, Sen. Warner mentioned his major concerns regarding the security of the United Health Services’ digital medical data and breakdown of clinical healthcare functions whenever there is a cyber attack.

UHS, as one of the largest hospital operators in the United States, provides patient care to more than 3.5 million individuals each year throughout its 250 hospitals. Considering all the resources of a Fortune 500 organization that gets more than $11 billion in annual income, it is expected that the UHS’s cybersecurity posture is powerful enough to hinder major disruptions to health care treatments.

Sen. Warner asked if UHS had segmented its system to avert the horizontal movement of attackers so that a breach won’t spread to affect all facilities. Sen. Warner additionally inquired whether clinical medical equipment was separated from management systems and networks to make certain that those gadgets won’t be disrupted in the event of a cyberattack.

In light of the posts made by the UHS insiders, Sen. Warner questioned if there was any ransom payment made by UHS to decrypt files, whether any patient information became inaccessible because of the attack, and if the hackers downloaded any medical information from UHS managed facilities.

Sen. Warner is looking for answers to those and other issues concerning the UHS cybersecurity procedures in the next 2 weeks.

Data Breaches at Mayo Clinic, UMMA Community Clinic and AAA Ambulance Service

Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Legit Work Reason

Mayo Clinic began sending notifications to over 1,600 patients that a former staff accessed some of their protected health information (PHI) with no authorization.

Mayo Clinic announced on August 5, 2020 that a licensed medical professional had viewed the data files of patients even though there was no valid reason. The staff was finishing his/her employment with Mayo Clinic when the provider discovered the privacy breach. The person is not working at Mayo Clinic any longer.

It is not known what is the reason for viewing the healthcare data and Mayo Clinic didn’t reveal the time when the privacy breach happened. Mayo Clinic mentioned that the records access was of restricted length of time and there is no proof found that suggests the employee printed or retained any information.

The potentially exposed data included names, birth dates, demographic data, medical record numbers, medical images, and clinical notes. There was no financial information or Social Security numbers viewed by the staff. Mayo Clinic has filed a report of the unauthorized data access to the FBI and the Rochester Police Department. Investigation of the security breach is now ongoing.

Mayo Clinic stated that the delayed sending of notifications was due to the lengthy investigation into the privacy breach. Affected persons already received notifications, however, the nature of data exposed indicates there’s no action necessary associated with the breach.

Insider Breach at UMMA Community Clinic

The Los Angeles University Muslim Medical Association (UMMA) Community Clinic learned that an ex-employee transmitted a secured file with patients’ PHI to a private email account. UMMA discovered the incident on July 1, 2020, after two days the file was emailed.

UMMA has acquired written affirmation from the ex-employee that the file was properly deleted and UMMA doesn’t know of any other data exposures or misuse.

UMMA has put in place more policies and procedures to avoid the same privacy breaches later on. It is presently obvious how many people have been impacted or the types of protected health information included in the secured document.

Attempted Ransomware Attack at AAA Ambulance Service

AAA Ambulance Service in Mississippi is informing patients regarding an attempted ransomware attack that happened sometime on July 1, 2020. Immediate action was undertaken to stop data encryption. An internal investigation was started to find out the magnitude of the data breach. With the help of third-party computer forensics specialists, AAA Ambulance Service established on August 26, 2020 the potential access or exfiltration of patient data by the attackers before the ransomware deployment.

The types of information likely exposed include patients’ names along with at least one of these data: driver’s license number, Social Security number, birth date, financial account number, diagnosis data, treatment details, patient account number, medication details, medical record number and/or medical insurance details.

There is no evidence found that suggests the misuse of patient data. However, as a safety precaution, impacted persons were offered free credit monitoring services. AAA Ambulance Service is employing more safety measures to avoid the same breaches later on.

CISA Releases Notification Because of Increased Emotet Malware Attacks

After a period of dormancy from February 2020 to July 2020, the Emotet botnet is now back and started spam runs sending the Emotet Trojan. From August 2020, attacks on local and state governments have gone up, compelling the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to give a cybersecurity warning for all industry fields.

The Emotet botnet started again its activity in July by using a huge phishing campaign sending messages along with malicious Word attachments and URLs. From then on, several spam runs were carried out which usually include over 500,000 emails. The Emotet Trojan is a harmful banking Trojan that is utilized as a downloader of other kinds of malware, remarkably the Qbot and TrickBot Trojans. The secondary payloads consequently send other malware payloads, such as Ryuk and Conti ransomware.

One infected device can quickly cause more infections throughout the network. Emotet infections of other devices happen in a worm-like manner, producing numerous copies of itself that are written to shared drives. Emotet likewise brute forces credentials and sends duplicates of itself through email. Emotet could hijack authentic email threads and put in malicious files. Considering that the emails seem like they were delivered by identified contacts in reply to earlier sent emails, there is a greater possibility of the email attachments being clicked to read.

The Trojan is constantly changing employing dynamic link libraries and frequently has new abilities included. The abilities of the Trojan make it hard to get rid of them from systems. The Trojan may be eliminated from infected systems, however, they could easily be reinfected with other infected units on the network.

The Multi-State Information Sharing & Analysis Center (MS-ISAC) and CISA were gathering information on Emotet attacks and loader downloads when botnet activity started again in July. The EINSTEIN Intrusion Detection System of CISA, which safeguards government, civilian executive branch networks, discovered about 16,000 warnings about Emotet activity beginning in July, which include potentially targeted Emoted attacks on state and local governments. Compromises were also documented in Italy, France, Canada, Japan, the Netherlands and New Zealand.

CISA looks at Emotet as among the most widespread continuing threats. The secondary malware payloads of TrickBot and Qbot are likewise considerable threats, like the ransomware payloads they transmit.

The phishing email messages employed to spread the Emotet loader are different and frequently change. COVID-19 related email messages were utilized this year together with numerous baits focused at companies. The email attachments are usually malicious Word files, though password protected zip files were used as well to avert anti-spam and anti-phishing tools. The email messages usually claim that attachments were produced on mobile gadgets and necessitate the user to allow content (and in that way enable macros) to access the files.

To avoid Emotet malware attacks, MS-ISAC and CISA suggest

  • implementing cybersecurity guidelines such as
  • implementing protocols to prohibit suspicious attachments and email attachments that can’t be checked by AV solutions for instance password-protected documents.
  • using Antivirus software program on all units and configuring updates on auto-pilot
  • suspicious IPs must be blacklisted
  • use DMARC authentication and multi-factor authentication
  • companies must stick to the principle of least privilege, by segmenting and isolating networks and turning off file and printer sharing services (when possible)

The complete list of suggested mitigations is given in the CISA advisory.

Ransomware Attack on a Clinical Trial Software Provider

Company eResearchTechnology based in Philadelphia that is selling software for clinical trials, such as the clinical trials involving Covid-19 vaccines had a ransomware attack on September 20, 2020. The attack affected a number of its clients, which include at least an organization doing Covid-19 vaccine trials. Because of the attack, some clinical trial researchers had to use pen and paper to monitor their patients. Although there was no risk to patient safety, the attack had an impact on the clinical trials and slowed down the progress.

The attack affected IQVIA, the research institution performing AstraZeneca’s Covid-19 vaccine trial. But there is no certainty yet up to what severity the attack impacted its Covid-19 vaccine trial if any. The ransomware attack also affected Bristol Myers Squibb, the company that is leading the efforts to create a rapid test for the coronavirus. The two companies mentioned that the impact was minimal because they had backup copies that could be utilized to recover data files. IQVIA released an announcement that it wasn’t aware of any confidential information associated with the clinical trials being exfiltrated before the ransomware encrypted the files.

After the attack, eResearchTechnology shut down its computer systems. Third-party cybersecurity specialists helped with the breach investigation and data restoration. The Federal Bureau of Investigation (FBI) also received notification about the attack and is investigating it. Selected systems were offline for about two weeks and were only brought back online on October 2, 2020, reported by the New York Times. The company is expecting to bring back the rest of its systems online in the next couple of days.

There is no information regarding which threat group executed the attack, the ransomware variant used, and if the company paid the ransom demand to get the keys for file decryption.

eResearchTechnology’s software program is widely employed in clinical trials. In 2019, about 75% of all clinical trials that ended in drug approvals utilized the software of eResearchTechnology.

The attack was publicized several days after Universal Health Services encountered an alleged ransomware attack that impacted all of its U.S. zones and had to shut down its systems offline and bring patients to substitute healthcare providers. Statistics from Emsisoft indicate that so far healthcare providers in the USA had at least 53 ransomware attacks in 2020. Those attacks affected over 500 hospitals and clinics.

PHI Exposed in Four Phishing Attacks

MU Health Care based in Missouri has encountered a phishing attack that resulted in the breach of a number of employee email accounts from May 4 to May 6, 2020. An investigation of the occurrence showed the compromised email accounts comprised patient data such as names, birth dates, account numbers, medical insurance details, driver’s license numbers and Social Security numbers.

MU Health Care has informed all impacted patients and has provided them free credit monitoring services. Thus far, there are no reports obtained that imply the misuse of any patient information.

The exposed email accounts held the protected health information (PHI) of 5,074 individuals.

Data Leaked After the University Hospital SunCrypt Ransomware Attack

University Hospital is a teaching hospital located in Newark, NJ that has suffered a ransomware attack. The attack in September 2020 involves the SunCrypt ransomware. Before deploying the ransomware, the attackers stole about 48,000 records, a few of which were posted on the attacker’s data leak website.

The number of patients affected by the attack is still uncertain at this point. However, the leaked information did consist of some patient records, such as names, Social Security numbers, dates of birth, driver’s license numbers, and some other information.

The attack seems to have began with a phishing email that led to the download of TrickBot Trojan and the. SunCrypt ransomware was downloaded as a secondary payload.

PHI of 4,806 Individuals Possibly Exposed in UCare Minnesota Phishing Attack

The not-for-profit health plan, UCare Minnesota, has encountered a phishing attack impacting the email accounts of a number of employees. A breach investigation was started upon discovery of suspicious network activity last April 2020. On May 4, 2020, UCare Minnesota established that an unauthorized person accessed selected email accounts. The email accounts were quickly secured and had an evaluation to know if the attackers accessed member data.

UCare Minnesota discovered on September 1, 2020 that the information in the email accounts included these personal records and PHI of 4,806 people: names, medical care provider names, diagnosis details, health insurance ID numbers, and dates of birth.

There is no evidence found that identify indicate the exfiltration or misuse of any data by the persons liable for the attack. UCare Minnesota has re-trained the workers regarding phishing attacks and has fortified email security.

Nebraska Medicine Experiences Cyberatack

Nebraska Medicine has reported that it has encountered a cyberattack that stopped accessibility to its computer networks. The cyberattack happened on September 25, 2020 and caused an outage that prompted substantial information technology system failures.

With no access to crucial IT systems, Nebraska Medicine was compelled to delay consultations for patients with elective operations or had other non-emergent medical concerns. Nebraska Medicine released an announcement on September 24 saying normal procedures would continue “in days”. The urgent room had messages and no ER patients were rerouted to elective techniques or had other non-important health concerns facilities.

It is not clear if patient records were viewed or stolen, however Nebraska Medicineconfirmed that no patient records had been deleted or destroyed and that all patient information could be reclaimed from backups.