Author Archives: HIPAA Journal

DOJ Launches Ransomware and Digital Extortion Task Force

In response to the growing threat from ransomware attacks, the U.S. Department of Justice has launched a new Ransomware and Digital Extortion Task Force that will target the ransomware ecosystem as a whole. The aim is not only to bring the individuals conducting the attacks to justice, but also any individuals who assist attackers, including those who launder ransom payments.

The Task Force will include representatives from the DOJ criminal, national security and civil divisions, the Federal Bureau of Investigation, and the Executive Office for United States Attorneys and will work closely with the Departments of Homeland Security and the Treasury. The task force will also work to improve collaboration with the private sector and international partners.

Resources will be increased to address ransomware attacks, training and intelligence gathering will be improved, and the task force will coordinate with the Department of Justice to investigate leads and connections to known cybercriminal organizations and nation-state threat groups. In addition to aggressively pursuing all individuals involved in attacks, the task force will make recommendations to Congress on how best to help victims of attacks while discouraging the payment of ransoms.

The task force will help to tackle the proliferation of ransomware attacks by making them less lucrative. According to an internal DOJ Memo written by DOJ Acting Deputy Attorney General John Carlin, “This will include the use of all available criminal, civil, and administrative actions for enforcement, ranging from takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains.”

The aim of the task force is to better protect individuals and businesses from ransomware attacks and to ensure the individuals involved are brought to justice. At present, ransomware gangs, members of which are often based overseas, know that there is little risk of being caught and attacks can be extremely profitable.

Ransomware attacks increased sharply in 2020, which was the worst ever year for ransomware attacks. According to a recent report from Chainalysis, more than $370 million in ransom payments were collected by ransomware gangs in 2020, which is an increase of 336% from the previous year. Ransoms are often paid as victims are well aware that paying the ransom, even if it is several million dollars, is a fraction of the cost of recovering from the attack without paying. The cost of attacks could easily be 10 or 20 times higher if the ransom is not paid.

In 2019, the City of Baltimore refused to pay a $75,000 ransom and the attack ended up costing the city more than $18 million. According to the GetApp 2020 Data Security Survey, 28% of businesses have suffered a ransomware attack in the past 12 months and 75% of victims paid the ransom to reduce the cost of remediation.

Ransomware attacks are costing the U.S. economy billions. Cybersecurity Ventures has predicted that ransomware attacks will continue to increase and are likely to occur at a rate of one every 11 seconds in 2021, with the total cost of attacks in the United States alone rising to $20 billion in 2021 and the global cost expected to reach $6 trillion in 2021.

The post DOJ Launches Ransomware and Digital Extortion Task Force appeared first on HIPAA Journal.

Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited

Three zero-day vulnerabilities have been identified in SonicWall Email Security products that are being actively exploited in the wild by at least one threat actor. The vulnerabilities can be chained to gain administrative access to enterprise networks and achieve code execution.

SonicWall Email Security solutions are deployed as a physical appliance, virtual appliance, software installation, or as a hosted SaaS solution and provide protection from phishing, spear phishing, malware, ransomware, and BEC attacks. The solutions do not need to be Internet facing, but hundreds are exposed to the Internet and are vulnerable to attack.

In one instance, a threat actor with intimate knowledge of the SonicWall application exploited the vulnerabilities to gain administrative access to the application and installed a backdoor that provided persistent access. The threat actor was able to access files and emails, harvest credentials from memory, and then use those credentials to move laterally within the victim’s network.

The three vulnerabilities were identified by the Mandiant Managed Defense team. SonicWall has now developed, tested, and released patches to correct the flaws. The SonicWall Hosted Email Security product was automatically updated on April 21, 2021, so customers using the hosted email security solution do not need to take any action, but users of other vulnerable SonicWall Email Security products will need to apply the patches to prevent exploitation.

SonicWall said, “It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade.”

The most serious vulnerability is a pre-authentication flaw with a severity score of 9.8 out of 10. The other two vulnerabilities have CVSS scores of 7.2 and 6.7.

  • CVE-2021-20021 – Pre-authentication vulnerability allowing remote attackers to create administrative accounts by sending specially crafted HTTP requests to a remote host. (CVSS 9.8)
  • CVE-2021-20022 – Post-authentication vulnerability allowing uploads of arbitrary files to a remote host. (CVSS 7.2)
  • CVE-2021-20023 – Post-authentication vulnerability allowing arbitrary file read on a remote host. (CVSS 6.7)

Mandiant identified the threat actor exploiting the vulnerabilities as UNC2682 and blocked the attack before the threat group could achieve its final aim, so the objective of the attack is unknown. Other threat groups may also attempt to exploit the vulnerabilities to obtain persistent access to enterprise networks and steal sensitive data.

“At the time of activity, the victim organization was using the same local Administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account – highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain,” explained Mandiant. “The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.”

Affected Product | Version | Patched Version | CVEs
---------------- | ------- | --------------- | ----
SonicWall Email Security | 10.0.4-Present | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 10.0.3 | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 10.0.2 | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 10.0.1 | 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security | 7.0.0-9.2.2 | An active support license allows upgrade to the secure versions above; without an active support license, upgrades are not possible | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.4-Present | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.3 | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.2 | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security | 10.0.1 | HES 10.0.9.6173 (automatically patched) | CVE-2021-20021; CVE-2021-20022; CVE-2021-20023


Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw

At least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products, according to a recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). While there has not been an official attribution, the threat actor has been linked to China by some security researchers and targets have included government, defense, financial, and critical infrastructure organizations.

FireEye has been tracking the malicious activity and reports that at least 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks have involved the harvesting of credentials to allow lateral movement within victim networks and the use of scripts and the replacement of files to achieve persistence.

Several entities have now confirmed that they have been attacked after they identified malicious activity using the Pulse Connect Secure Integrity Tool. Access has been gained to Pulse Connect Secure appliances by exploiting multiple vulnerabilities, including three vulnerabilities that were disclosed in 2019 and 2020 and one recently disclosed zero-day vulnerability. Patches have been available for several months to fix the first three vulnerabilities – CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243; however, a patch has yet to be released to correct the most recently disclosed zero-day vulnerability – CVE-2021-22893.

The CVE-2021-22893 authentication bypass vulnerability has received the maximum CVSS vulnerability severity score of 10/10. Ivanti published a security advisory about the new vulnerability on April 20, 2021. Exploitation of the flaw allows a remote unauthenticated attacker to execute arbitrary code in the Pulse Connect Secure Gateway. The flaw is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, although this has yet to be confirmed by Ivanti. The vulnerability affects Pulse Connect Secure 9.0R3 and higher.

At least one threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat actor to bypass authentication and multi-factor authentication controls, log passwords, and gain persistent access to the appliance even after the patches have been applied.

Ivanti and CISA strongly advise all users of the vulnerable Pulse Connect Secure appliances to apply the patches immediately to prevent exploitation and to implement the mitigations recently published by Ivanti to reduce the risk of exploitation of the CVE-2021-22893 vulnerability until a patch is released. The workaround involves disabling two Pulse Connect Secure features – Windows File Share Browser and Pulse Secure Collaboration – which can be achieved by importing the workaround-2104.xml file. A patch is expected to be released to correct CVE-2021-22893 in May 2021.

Since patching will not block unauthorized access if the vulnerabilities have already been exploited, CISA strongly recommends using the Pulse Connect Secure Integrity Tool to investigate whether the vulnerabilities have already been exploited.

CISA has issued an emergency directive requiring all federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances, deploy and run the Pulse Connect Secure Integrity Tool to identify malicious activity, and apply the mitigation against CVE-2021-22893. The actions must be taken by 5 pm Eastern Daylight Time on Friday, April 23, 2021.


Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians

The American College of Emergency Physicians (ACEP) has started alerting certain members that some of their personal information was stored on a server that was accessed by unauthorized individuals.

In addition to providing professional organizational services to its members, management services are provided by ACEP to organizations such as the Emergency Medicine Foundation (EMF), Society for Emergency Medicine Physician Assistants (SEMPA), and the Emergency Medicine Residents’ Association (EMRA). The breach concerns data related to those organizations. Affected individuals had made a purchase from or donated to EMF, SEMPA, or EMRA.

A breach was detected on September 7, 2020 when unusual activity was identified in its systems. A server had been compromised that contained the login details for its SQL database servers, and those databases contained members’ information. While no evidence was found to indicate the credentials were used to access the databases, it was not possible to rule out unauthorized access. The information exposed was for the dates April 8, 2020 to September 21, 2020.

The exposed data varied from individual to individual. In addition to names, sensitive information such as Social Security numbers and financial information may have also been compromised.

The impacted server has been rebuilt, passwords changed, and additional technical safeguards have now been implemented. 12 months of credit monitoring services have been offered to affected individuals.

VEP Healthcare Discovers Multiple Email Accounts Were Accessed by Unauthorized Individuals

Portland, OR-based VEP Healthcare has discovered multiple employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails and disclosed their login credentials. The email security incident was detected on March 11, 2021 and the investigation confirmed the affected email accounts had been subjected to unauthorized access between November 15, 2019 and January 20, 2020. It is unclear exactly what information was contained in the compromised accounts.

While the email accounts were accessed, no evidence was found to indicate any protected health information in those accounts was viewed or obtained. However, out of an abundance of caution, affected individuals have been offered a free 12-month membership to the IDX identity theft protection service, which includes a $1 million identity theft insurance policy.

VEP Healthcare has since improved email security, implemented 2-factor authentication on email accounts, modified its policies and procedures, and provided additional security awareness training to the workforce.

Epilepsy Florida Impacted by Blackbaud Data Breach

Epilepsy Florida has recently confirmed that it has been affected by the data breach at Blackbaud Inc., its cloud computing vendor. The breach occurred in May 2020 and notifications were sent to affected clients in July 2020.

In a March 30, 2021 substitute breach notice, Epilepsy Florida explained that it launched an investigation into the breach to determine what information had been compromised and, after demanding further information from Blackbaud, determined the breach was limited to the full names of 1,832 individuals. No other information appears to have been compromised.


HSCC Publishes Guidance on Securing the Telehealth and Telemedicine Ecosystem

Healthcare providers are increasingly leveraging health information technology to provide virtual healthcare services to patients. Telehealth services allow patients living in rural areas and the elderly to gain access to essential medical services, and the pandemic has seen a major expansion in telehealth to provide virtual healthcare services to patients to reduce the spread of COVID-19.

According to FAIR Health, the number of telehealth claims to private insurers has increased by 4,347% in the past year, with virtual care such as telehealth now one of the fastest growing areas of healthcare. The Centers for Medicare and Medicaid Services has committed to providing long term support for virtual healthcare services and Frost & Sullivan predicts there will be a seven-fold increase in telehealth by 2025.

The major expansion of virtual healthcare services has happened quickly and at a time when the healthcare industry is being targeted by cybercriminals more than ever before. Hackers have been exploiting vulnerabilities with ease to gain access to sensitive healthcare data and disrupt operations for financial gain. A 2020 study by SecurityScorecard and DarkOwl revealed there was a near exponential increase in targeted attacks on telehealth providers as the popularity of telehealth soared.

In order for virtual healthcare services to reach their full potential, it is essential for healthcare industry stakeholders to identify and address the privacy and security risks to healthcare data, which can be a challenge in a complex, connected environment such as healthcare.

This week, the Healthcare and Public Health Sector Coordinating Council (HSCC) has published a white paper that provides guidance for the healthcare industry on identifying cybersecurity vulnerabilities and risks related to the use and management of telehealth and telemedicine.

The new resource, Health Industry Cybersecurity—Securing Telehealth and Telemedicine, was published for the benefit of healthcare systems, clinicians, vendors, service providers, and patients, who together share the responsibility for ensuring telehealth provides the maximum benefit while keeping privacy and security risks to a low and acceptable level.

The document explains the cyber risks associated with telehealth and telemedicine and outlines the regulatory issues that apply to telehealth services, providing audit tools, guidance on policies and procedures, and suggesting best practices to adopt.

The guidance document outlines the policy underpinnings of healthcare cybersecurity, explains regulations and organizational policies, cybersecurity considerations, and includes recommendations for implementing and maintaining telemedicine programs.

“Currently, there is no single federal agency with authority to establish and enforce privacy and security requirements for the entire telehealth ecosystem,” explained HSCC. “At a minimum, telehealth systems need to maintain security and privacy consistent with those of all other forms of care.”

Healthcare organizations are encouraged to adopt the best practices suggested in the white paper and implement the recommendations appropriate to their risk profile to improve privacy and security protections to get the optimal benefit from telehealth and telemedicine services.

You can download the HIC-STAT white paper on this link.


March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records were reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates.

[Chart: Healthcare data breaches in the past 12 months]

The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February.

[Chart: Breached healthcare records in the past 12 months]

Largest Healthcare Data Breaches Reported in March 2021

The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
---------------------- | ------------------- | -------------------- | -------------- | --------------------------------
Health Net Community Solutions | Health Plan | 686,556 | Hacking/IT Incident | Network Server
Health Net of California | Health Plan | 523,709 | Hacking/IT Incident | Network Server
Woodcreek Provider Services LLC | Business Associate | 207,000 | Hacking/IT Incident | Network Server
Trusted Health Plans, Inc. | Health Plan | 200,665 | Hacking/IT Incident | Network Server
Apple Valley Clinic | Healthcare Provider | 157,939 | Hacking/IT Incident | Network Server
Saint Alphonsus Health System | Healthcare Provider | 134,906 | Hacking/IT Incident | Email
The Centers for Advanced Orthopaedics | Healthcare Provider | 125,291 | Hacking/IT Incident | Email
Cancer Treatment Centers of America at Midwestern Regional Medical Center | Healthcare Provider | 104,808 | Hacking/IT Incident | Email
SalusCare | Healthcare Provider | 85,000 | Hacking/IT Incident | Email
California Health & Wellness | Health Plan | 80,138 | Hacking/IT Incident | Network Server
Mobile Anesthesiologists | Healthcare Provider | 65,403 | Hacking/IT Incident | Network Server
Trillium Community Health Plan | Health Plan | 50,000 | Hacking/IT Incident | Network Server
PeakTPA | Business Associate | 50,000 | Hacking/IT Incident | Network Server
Sandhills Medical Foundation, Inc. | Healthcare Provider | 39,602 | Hacking/IT Incident | Network Server
ProPath Services, LLC | Healthcare Provider | 39,213 | Hacking/IT Incident | Email
BioTel Heart | Healthcare Provider | 38,575 | Hacking/IT Incident | Network Server
Healthgrades Operating Company, Inc. | Business Associate | 35,485 | Hacking/IT Incident | Network Server
The New London Hospital Association, Inc. | Healthcare Provider | 34,878 | Hacking/IT Incident | Network Server
La Clinica de La Raza, Inc. (La Clinica) | Healthcare Provider | 31,132 | Hacking/IT Incident | Network Server
Arizona Complete Health | Health Plan | 27,390 | Hacking/IT Incident | Network Server
Health Net Life Insurance Company | Health Plan | 26,637 | Hacking/IT Incident | Network Server
Colorado Retina Associates, P.C. | Healthcare Provider | 26,609 | Hacking/IT Incident | Email
Haven Behavioral Healthcare | Business Associate | 21,714 | Hacking/IT Incident | Network Server
Health Prime International | Business Associate | 17,562 | Hacking/IT Incident | Network Server
CalViva Health | Health Plan | 15,287 | Hacking/IT Incident | Network Server


Causes of March 2021 Healthcare Data Breaches

43 breaches – 69.35% of the month’s total – were the result of hacking/IT incidents such as compromised network servers and email accounts. Hacking incidents accounted for 98.43% of all records breached in March – 2,867,472 records. The average breach size was 66,685 records and the median breach size was 26,609 records. 17 unauthorized access/disclosure incidents were reported in March (27.42% of breaches) and 44,395 records were breached in those incidents – 1.52% of the month’s total. The average breach size was 2,611 records and the median breach size was 1,594 records. There was one theft incident reported involving 500 healthcare records and one loss incident that affected 717 individuals.

[Chart: Causes of March 2021 healthcare data breaches]

Many of the reported breaches occurred at business associates of HIPAA covered entities, with those breaches impacting multiple healthcare clients. Notable business associate data breaches include a cyberattack on Accellion that affected its file transfer appliance. Hackers exploited vulnerabilities in the appliance and stole client files. A ransom was demanded by the attackers and threats were issued to publish the stolen data if payment was not made. The two largest data breaches of the month were due to this incident.

Several healthcare organizations were affected by a ransomware attack on business associate Netgain Technology LLC, including the 3rd and 5th largest breaches reported in March. Med-Data suffered a breach that affected at least 5 covered entities. This incident involved an employee uploading files containing healthcare data to a public facing website (GitHub).


The most common location of breached protected health information was network servers, with many of those breaches due to ransomware attacks or other malware infections. Email accounts were the second most common location of breached PHI; those accounts were mostly accessed after employees responded to phishing emails.

[Chart: March 2021 healthcare data breaches – location of breached PHI]

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers were the worst affected covered entity type with 40 reported breaches, and 15 breaches were reported by health plans, a 200% increase from the previous month. While only 5 data breaches were reported by business associates of covered entities, 30 of the month’s breaches – 48.39% – involved business associates but were reported by the covered entity. That represents a 200% increase from February.

[Chart: March 2021 healthcare data breaches – breached entity type]

Distribution of March 2021 Healthcare Data Breaches

There was a large geographical spread of data breaches, with covered entities and business associates in 30 states affected. California was the worst affected state with 11 data breaches reported. There were 5 breaches reported in Texas, 4 in Florida and Massachusetts, 3 in Illinois and Maryland, 2 in each of Arkansas, Arizona, Michigan, Minnesota, Missouri, Ohio, and Pennsylvania, and one breach was reported in each of Alabama, Colorado, Connecticut, Georgia, Idaho, Kansas, Louisiana, Montana, New Hampshire, Nevada, Oregon, South Carolina, Tennessee, Utah, Washington, Wisconsin, and West Virginia.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights announced two further settlements to resolve HIPAA violations in March, both of which involved violations of the HIPAA Right of Access. These two settlements bring the total number of financial penalties under OCR’s HIPAA Right of Access enforcement initiative to 18.

Arbour Hospital settled its case with OCR and paid a $65,000 financial penalty and Village Plastic Surgery settled its case and paid OCR $30,000. Both cases arose from complaints from patients who had not been provided with timely access to their medical records.


Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks

Health-ISAC, in conjunction with the American Hospital Association (AHA), has published guidance for healthcare information security teams to help them improve resilience against supply chain cyberattacks such as the recent SolarWinds Orion incident.

The white paper – Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event – provides insights into the cyberattack and explores the characteristics that made such an attack possible. The document provides technical recommendations for senior business leaders, C-suite executives, and IT and information security teams to help them prevent and mitigate similar attacks.

Solutions such as SolarWinds Orion have privileged access to the assets they are used to manage, and those supply chain dependencies and inherent trust models were exploited in the SolarWinds Orion attack. The attackers exploited a software update mechanism to inject a backdoor into the network monitoring platform. The update was downloaded and applied by around 18,000 customers and selected companies were then targeted in more in-depth compromises, including several government agencies and cybersecurity firms. The U.S. government recently formally attributed the cyberattack to the Russian Foreign Intelligence Service (SVR).

Platforms such as SolarWinds Orion are an attractive target for threat actors. They are used by many attractive targets such as large enterprises and government agencies, they have a centralized system that controls multiple subsystems, networks, and products, and they require little interaction, if any, from the controlled systems. The platform has an undisclosed, unpatched, or unknown opening that attackers can exploit for a degree of administrative control and, if that opening is exploited, the attackers can gain limited or total control of the subsystems it controls.

All of those factors were exploited in the SolarWinds attack, and a further four incidents are described in the white paper where similar characteristics were exploited – the 2003 HP OpenView vulnerability, WannaCry, NotPetya, and the 2021 SAP Solution Manager incident.

Similar cybersecurity incidents are likely to happen time and time again, so it is important for steps to be taken to minimize risk and limit the damage that can be caused. The white paper details the risks involved with enterprise IT systems such as SolarWinds Orion and provides recommendations that organizations can apply to predict, and hopefully prevent, similar incidents in the future.

Recommendations include signing up with an ISAC to receive timely and actionable threat intelligence, conducting vulnerability scans to identify vulnerabilities, patching promptly, adhering to the principle of least privilege, and implementing a program of continuous verification to ensure that security controls are still effective at blocking threats.

“What is truly needed is close cooperation between governments, the healthcare sector and all critical infrastructure globally via a formal exchange of cyber threat information and combined cyber defenses – to create a truly global approach,” explained Health-ISAC in the white paper. “We urge organizations to use the strategic and tactical issues discussed in this paper as considerations for all trusted systems used, or planning to be used, in your environment.”


NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russia and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against the exploitation of these vulnerabilities and patches are available to address all the software flaws. While many organizations have now patched the flaws, they may have already been exploited and networks been compromised. Steps should be taken to identify whether systems have been compromised and actions taken to mitigate the loss of sensitive information that could allow Russia to gain a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

Vulnerability | Products | Description | Affected Versions
------------- | -------- | ----------- | -----------------
CVE-2018-13379 | Fortinet FortiGate VPNs | Unauthenticated attackers can download system files via HTTP resource requests | Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
CVE-2019-9670 | Synacor Zimbra Collaboration Suite | XML External Entity injection (XXE) vulnerability | 8.7.x before 8.7.11p10
CVE-2019-11510 | Pulse Secure VPNs | An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read | PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code | Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12, and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b
CVE-2020-4006 | VMware Workspace One Access | Command injection vulnerability that allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system | VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of orchestrating and conducting the massive SolarWinds Orion supply chain attack, which saw the SVR gain access to around 18,000 computers worldwide and conduct more extensive attacks on cybersecurity companies of the United States and its allies – FireEye, Malwarebytes, Mimecast – and federal agencies in the United States.  Russia has also been formally accused of engaging in activities with the intent of disrupting the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions of Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign to influence the 2020 U.S. presidential election, under the direction of the Russian government.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked and the entities and individuals have been added to OFAC’s SDN list. U.S. persons have been prohibited from engaging in transactions with them. Russian Technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technologies.

The post NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities appeared first on HIPAA Journal.

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russia and the United States over continued cyberattacks on the U.S. government and on public and private sector organizations by Russian state hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) group, also known as APT29 and The Dukes, which operates as part of the SVR. The group is conducting widespread scanning for, and exploitation of, these flaws on Internet-facing systems to obtain credentials, which are then used to move further into devices and networks for espionage. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that the SVR continues to exploit successfully to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against exploitation of these vulnerabilities, and patches are available for all five flaws. Many organizations have now patched them, but patching alone does not evict an attacker who exploited a flaw before the patch was applied: credentials and VPN session data stolen from an appliance, for example, remain usable until they are rotated. Organizations should therefore determine whether their systems were compromised and act to limit the loss of sensitive information that could give Russia a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

Vulnerability: CVE-2018-13379
Product: Fortinet FortiGate VPNs
Description: Unauthenticated attackers can download system files via HTTP resource requests (path traversal in the SSL VPN web portal).
Affected versions: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12

Vulnerability: CVE-2019-9670
Product: Synacor Zimbra Collaboration Suite
Description: XML External Entity injection (XXE) vulnerability.
Affected versions: 8.7.x before 8.7.11p10

Vulnerability: CVE-2019-11510
Product: Pulse Secure VPNs (Pulse Connect Secure)
Description: An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read.
Affected versions: PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

Vulnerability: CVE-2019-19781
Product: Citrix Application Delivery Controller and Gateway
Description: Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code.
Affected versions: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15, and 10.5.70.12; SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b

Vulnerability: CVE-2020-4006
Product: VMware Workspace One Access
Description: Command injection vulnerability that allows an attacker with a valid password for the administrative configurator account to execute commands with unrestricted privileges on the underlying operating system.
Affected versions: VMware Workspace One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 to 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 to 3.3.3 and 19.03, VMware Cloud Foundation 4.0 to 4.1, and VMware vRealize Suite Lifecycle Manager 8.x

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).
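As an added example (not code from the advisory or from HIPAA Journal), the following Python script encodes the affected-version ranges from the table above and triages a constructed asset inventory against them, so that an administrator can tell at a glance which appliances still run an affected build. Only the main product line for each CVE is encoded (the Citrix SD-WAN WANOP and the additional VMware entries are left out for brevity), the product names are assumed labels, and the hostnames and builds in the sample inventory are invented. Ranges are scoped per release branch, so a later build on an older branch, such as Citrix 12.1.60.16, is reported as fixed even though it sorts numerically below 13.0.47.24.

```python
"""Triage an asset inventory against the affected-version ranges in the
NSA/CISA/FBI advisory table (added example; sample inventory is constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a vendor version string into a tuple of ints for comparison.
    Every run of digits becomes one component, so dotted builds (13.0.47.24),
    Pulse-style 8.2R12.1 and Zimbra-style 8.7.11p10 all become comparable;
    a bare 8.7.11 sorts before 8.7.11p10 because it is a shorter prefix."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Range:
    """One affected range, scoped to a release branch (e.g. Citrix 12.1)."""
    branch: str                  # rule only applies to builds on this branch
    lo: Optional[str] = None     # inclusive lower bound, None = branch start
    hi: Optional[str] = None     # upper bound, None = whole branch affected
    hi_inclusive: bool = False   # "6.0.0 to 6.0.4" is inclusive; "before X" is not

    def contains(self, version: str) -> bool:
        v, b = parse_version(version), parse_version(self.branch)
        if v[:len(b)] != b:          # different branch: this rule says nothing
            return False
        if self.lo is not None and v < parse_version(self.lo):
            return False
        if self.hi is not None:
            h = parse_version(self.hi)
            if v > h or (v == h and not self.hi_inclusive):
                return False
        return True


# (product, CVE, affected ranges) transcribed from the advisory table.
# Only the main product line per CVE is encoded; product labels are an
# assumption chosen to match the constructed inventory below.
RULES = [
    ("Fortinet FortiOS", "CVE-2018-13379", [
        Range("6.0", "6.0.0", "6.0.4", True),
        Range("5.6", "5.6.3", "5.6.7", True),
        Range("5.4", "5.4.6", "5.4.12", True),
    ]),
    ("Zimbra Collaboration Suite", "CVE-2019-9670", [
        Range("8.7", hi="8.7.11p10"),
    ]),
    ("Pulse Connect Secure", "CVE-2019-11510", [
        Range("8.2", hi="8.2R12.1"),
        Range("8.3", hi="8.3R7.1"),
        Range("9.0", hi="9.0R3.4"),
    ]),
    ("Citrix ADC/Gateway", "CVE-2019-19781", [
        Range("13.0", hi="13.0.47.24"),
        Range("12.1", hi="12.1.55.18"),
        Range("12.0", hi="12.0.63.13"),
        Range("11.1", hi="11.1.63.15"),
        Range("10.5", hi="10.5.70.12"),
    ]),
    ("VMware Workspace One Access", "CVE-2020-4006", [
        Range("20.01"),   # whole branch listed as affected
        Range("20.10"),
    ]),
]


def affected_cves(product: str, version: str) -> List[str]:
    """CVE IDs from the table that apply to this product build."""
    return [cve for rule_product, cve, ranges in RULES
            if rule_product.lower() == product.lower()
            and any(r.contains(version) for r in ranges)]


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns the hosts that
    still run an affected build, with the CVEs that apply to each."""
    findings = []
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            findings.append((host, product, version, cves))
    return findings


# Constructed sample inventory (hostnames and builds are invented).
SAMPLE_INVENTORY = [
    ("vpn-edge-1", "Fortinet FortiOS", "6.0.4"),           # last affected 6.0 build
    ("vpn-edge-2", "Fortinet FortiOS", "6.0.5"),           # first fixed 6.0 build
    ("mail-1", "Zimbra Collaboration Suite", "8.7.11p9"),  # one patch short
    ("pcs-dc", "Pulse Connect Secure", "9.0R3.4"),         # fixed build
    ("adc-1", "Citrix ADC/Gateway", "12.1.60.16"),         # fixed, later 12.1 build
    ("adc-2", "Citrix ADC/Gateway", "13.0.47.22"),         # affected 13.0 build
    ("sso-1", "VMware Workspace One Access", "20.10"),     # listed outright
]

if __name__ == "__main__":
    for host, product, version, cves in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {', '.join(cves)}")
```

Run against the sample inventory, the script flags vpn-edge-1, mail-1, adc-2 and sso-1 and stays quiet about the fixed builds. A version check of this kind only answers "is the patch applied"; whether the appliance was exploited before the patch still has to be established from logs and indicators of compromise, as the advisory asks.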

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally attributed the massive SolarWinds Orion supply chain attack to the SVR. The trojanized Orion update reached around 18,000 SolarWinds customers worldwide, and the SVR used that foothold to conduct more extensive attacks on a smaller set of targets, including U.S. federal agencies and cybersecurity companies in the United States and allied countries such as FireEye, Malwarebytes, and Mimecast. Russia has also been formally accused of engaging in activities intended to disrupt the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions on Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign, directed by the Russian government, to influence the 2020 U.S. presidential election.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked, the entities and individuals have been added to OFAC’s Specially Designated Nationals (SDN) list, and U.S. persons are prohibited from engaging in transactions with them. Russian technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technopolis.

The post NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities appeared first on HIPAA Journal.