Mirion Medical has issued patches to fix five high-severity vulnerabilities in its EC2 Software NMIS BioDose software. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the application, modify program executables, access sensitive information, and potentially remotely execute code.

Mirion Medical EC2 Software NMIS BioDose is tracking software used by healthcare providers to keep track of inventory, doses, patient information, and billing. The vulnerabilities affect software versions prior to v23.0. Users have been urged to update to v23.0 or later versions to prevent the vulnerabilities from being exploited. Users with an active support contract can update to the latest version via the software. At the time of issuing the updated version, there had been no known exploitation of the vulnerabilities in the wild.

CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6

NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQL Server Express is used are exposed in the Windows share accessed by clients in networked installs. The directory has insecure directory paths by default, allowing access to the SQL Server database and configurations, which may contain sensitive data.

CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database, and while users must supply a password in the client software, the underlying database connection always has access. An option has been added to use Windows user authentication with the database to restrict the database connection.

CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account – nmdbuser – and other created accounts have the sysadmin role, which could lead to remote code execution through the use of certain built-in stored procedures.

CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1

In NMIS/BioDose V22.02 and previous versions, installation directory paths have insecure file permissions by default. In certain deployments, this can allow users to modify program executables and libraries.

CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4

NMIS/BioDose software V22.02 and previous versions have executable binaries with plaintext hard-coded passwords, which could be exploited to gain unauthorized access to the application and database.

The post High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose appeared first on The HIPAA Journal.

A cryptocurrency mixing service used by criminals to launder the proceeds from their illegal activities has been shut down by Europol, Eurojust, and law enforcement agencies in Switzerland and Germany.

Cybercriminals, such as ransomware actors, typically receive payment for their attacks in cryptocurrency. Cryptocurrency transactions are not anonymous, as all transactions are recorded on the public blockchain and can be traced to the wallets receiving the funds. That means the proceeds from cybercrime can be traced to individuals if the wallet address is linked to a real-world identity. Cybercriminals use cryptocurrency mixing services to launder the proceeds from their attacks, then redirect their anonymized funds to cryptocurrency exchanges to cash out.

The law enforcement operation was a week-long effort – Operation Olympia – between November 24 and November 26, targeting Cryptomixer, an illegal cryptocurrency mixing service that law enforcement agencies have been trying to shut down since its creation in 2016. According to Europol, Cryptomixer was the mixing service of choice for cybercriminals, and was used by ransomware gangs, payment card fraudsters, drug and weapons traffickers, and nation state hackers such as North Korea’s Lazarus Group to launder funds from their illegal activities. Since 2016, more than €1.3 billion in Bitcoin ($1.5 billion) has passed through Cryptomixer infrastructure.

Funds were deposited in the mixing service, pooled for a long and randomized period, then redistributed to destination addresses at random times. Mixing services such as Cryptomixer make pseudonymous cryptocurrency transactions anonymous, concealing the origin of cryptocurrency by making it difficult to trace specific coins, allowing cybercriminals to launder funds from their activities without the risk of being identified. More than €25 million ($28 million) in Bitcoin was confiscated, three servers in Switzerland and the cryptomixer.io clear web domain were seized, along with more than 12 terabytes of data.

The operation was part of a broader international effort by law enforcement agencies to tackle cybercrime by targeting the services that cybercriminals use to hide their financial transactions. Operation Olympia mirrors a similar effort in 2023 by Europol and law enforcement agencies in the United States and Germany that resulted in the seizure of the infrastructure behind the ChipMixer mixing service, which at the time was the go-to mixing service for cybercriminals, through which more than $3 billion in cryptocurrency had passed. In that operation, as well as seizing the infrastructure, more than $50 billion in Bitcoin was confiscated.

The post Europol Takes Down Illegal Crypto Mixing Laundering Service Used by Ransomware Actors appeared first on The HIPAA Journal.

Thanksgiving weekend is just a few days away, and while many healthcare employees will be enjoying time off work, it will be a particularly busy time for cybercriminals. Many hacking and ransomware attacks occur over Thanksgiving weekend when staffing levels are lower, and fewer eyes are monitoring for indicators of compromise.

The high level of ransomware attacks during holiday periods has recently been confirmed by the cybersecurity firm Semperis, which reports that in the United States, 56% of ransomware attacks occur on a weekend or holiday, and 47% of ransomware attacks on healthcare organizations occur during these times when staffing levels are reduced.

“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.

The Semperis 2025 Ransomware Holiday Risk Report is based on an analysis of responses to a detailed global ransomware survey of 1,500 IT and security professionals conducted in the first half of the year by Censuswide. The survey suggests that ransomware groups research their targets and time their attacks to coincide with material corporate events such as mergers, acquisitions, IPOs, and layoffs, and exploit the organizational disruption and reduced security focus during these events. “Organizations are under intense pressure to sustain operations while transforming their form and protocols during an IPO or merger, and cannot afford downtime, making them more likely to pay quickly to restore operations,” said Inglis. “During these times, it is critical to remain vigilant and situationally aware that bad actors may be lurking, looking to plant ransomware.”

In healthcare, 96% of organizations maintain a security operations center, with 80% managing it in-house and 20% outsourcing to a third-party vendor. During weekends and holiday periods, 73% of healthcare organizations reduce their SOC staffing levels by 50% or more, and 5% of organizations said they eliminate their SOC staffing entirely on weekends and holidays. The main reasons given for reducing or eliminating staffing levels were to improve work/life balance (63%), because the organization was closed during holidays and weekends (43%), and 36% of respondents said they did not expect an attack to take place.

Smaller organizations were the most likely to cut or eliminate SOC staffing levels on weekends and during holiday periods because they thought they would be unlikely to be attacked. While reducing staffing levels to give employees weekends and holidays off is all well and good, there is no time off for hackers. If internal staffing levels are to be reduced, there must be adequate monitoring, staff on call, or a third-party vendor providing cover.

There has been a marked increase in organizations bringing their SOC in-house, which is up 28 percentage points from last year, which has coincided with a 30% percentage point increase in below 50% staffing levels during holidays and weekends to maintain a better work/life balance. The reason for the shift in bringing SOCs in-house was not explored in the study, but there could be several factors at play.

“Being able to see what’s happening might enable organizations to pivot and adapt faster based on changing operations, business needs, and regulatory reporting requirements,” Courtney Guss, Semperis Director of Crisis Management, said. “The ROI of outsourcing also seems to be shifting as AI begins to handle some Tier 1 work, leaving the more complex work for SOC analysts.”

The survey also probed respondents on their identity infrastructure and the methods used for protection. The majority (90%) scan for vulnerabilities, although only 38% have vulnerability remediation procedures, and only 63% automate recovery. Concerningly, 10% of respondents said they do not have an identity threat detection and response strategy.

One of the most effective ways to defend against ransomware attacks is by tightening identity systems, most commonly Active Directory, Entra ID, and Okta,” former Australian Prime Minister Malcolm Turnbull said. “These are the digital keys that determine who can access what within an organization. In nearly every major ransomware incident, weak or compromised credentials have been the initial entry point. Strengthening identity systems is therefore not just good practice but a critical line of defense.

The post Threat Actors Time Attacks to Coincide with Periods of Reduced Vigilance appeared first on The HIPAA Journal.

The Health Sector Coordinating Council (HSCC) has published updated Model Contract Language for MedTech Cybersecurity to help healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) address the challenge of ensuring the cybersecurity of medical devices.

Medical devices can introduce cybersecurity risks that must be managed and reduced to a reasonable and appropriate level to comply with the HIPAA Security Rule. The devices must also meet the safety and effectiveness requirements of the Food and Drug Administration (FDA), which include cybersecurity for the entire life cycle of the devices.

The cybersecurity of medical devices is a shared responsibility between the HDO and the MDM; however, historically, cybersecurity accountability has been inconsistently reconciled in the purchase contract negotiation process due to factors such as uneven MDM capabilities and investment in cybersecurity controls, and varying cybersecurity expectations among HDOs.

If there are ambiguities in cybersecurity responsibilities due to the contract language – or a failure to clearly state in contracts the responsibilities of each party with respect to cybersecurity – it is likely to result in downstream disputes, insufficient security, and potential patient safety issues.

“In today’s partnership between HDOs and MDMs, cybersecurity requirements are often unclear, resulting in a lack of understanding and prioritization of cybersecurity best practices. For HDOs and MDMs alike, this leads to an investment in security controls that are not always aligned between stakeholders,” explained HSCC.

The HSCC Cybersecurity Working Group (CWG) formed the Model Contract Language Task Group in 2020 to help address these issues. The Working Group consists of 50 representatives from HDOs, MDMs, group purchasing organizations, and security and compliance specialists. After two years of deliberations, the Task Group published the first version of the Model Contract Language in 2022, which serves as a neutral framework for the contractual cybersecurity relationships between HDOs and MDMs.

The aim of the Model Contract Language is to help HDOs protect themselves and their patients from cybersecurity threats by establishing and maintaining appropriate security contract terms and commitments from MDMs concerning their products, services, and solutions. Version 1 has been downloaded more than 1,500 times from the HSCC CWG website since its publication.

In 18 months after publication, users submitted almost 100 comments to HSCC. The Task Group reconvened last year to review the feedback and has now incorporated many of the recommendations in Version 2, which it is hoped will simplify the contracting process, making it more predictable and less costly and time-consuming.

The main improvements made in Version 2 are revisions and expansions to align with the changed regulatory environment; updates to reflect increasing security maturity and better alignment with expectations between stakeholders; resolution of unclear separation in areas where terms describe shared responsibilities; and simplification of the language to improve clarity and structure to help speed up contract negotiations.

HSCC says the Model Contract Language can be used as a standalone agreement with an MDM, or as an addendum to a Business Associate Agreement (BAA), Master Service Agreement (MSA), or Request for Proposal (RFP). The document can serve as a template that can be tailored to meet the specific compliance needs of each HDO.

The post HSCC Updates Model Contract Language Framework for HDOs & MDMs appeared first on The HIPAA Journal.

A critical vulnerability in Oracle Identity Manager is under active exploitation, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA has instructed all federal civilian executive branch agencies to ensure the vulnerability is patched by December 12, 2025, and strongly recommends that all users apply the available patches as soon as possible.

The remote code execution vulnerability can be easily exploited by an unauthenticated remote attacker via HTTP.  Successful exploitation would allow an attacker to execute arbitrary code on vulnerable systems, leading to a full takeover of Oracle Identity Manager. The vulnerability is tracked as CVE-2025-61757 and has a CVSS severity score of 9.8 out of 10.  The vulnerability is due to missing authentication for a critical function in the REST WebServices component of Oracle Fusion Middleware. The vulnerability can be exploited to trick a security filter into treating protected endpoints as publicly accessible, allowing access to a script that can be abused to run malicious code.

The vulnerability was identified by Searchlight Cyber researchers Adam Kues and Shubham Shahflow, who reported the vulnerability to Oracle. The researchers identified the flaw while investigating a security incident that exploited an older vulnerability, CVE-2021-35587. The researchers report that, in contrast to some of the previously identified vulnerabilities in Oracle Access Manager, this flaw is somewhat trivial and is easily exploitable by threat actors.

The vulnerability affects the supported versions 12.2.1.4.0 and 14.1.2.1.0. Oracle released patches to fix the vulnerability in its batch of October 2025 security updates. Any users who have yet to download and install the patches should do so immediately to prevent exploitation, as the researchers have now released all the necessary information to exploit the flaw.

While it is unclear how widely the vulnerability is being exploited, it is likely to be a prime target for ransomware groups. Some evidence has been found to suggest that the flaw has been exploited since August 30, 2025, potentially by an advanced persistent threat actor.

The post Critical Flaw in Oracle Identity Manager Under Active Exploitation appeared first on The HIPAA Journal.

A critical vulnerability has been identified in Emerson Appleton UPSMON-PRO, monitoring and power management software for uninterruptible power supplies. The software is used by healthcare and public health sector organizations to ensure power is maintained for essential equipment.

The vulnerability was identified by security researcher Kimiya, working with the Trend Micro Zero Day Initiative, who reported the issue to the Cybersecurity and Infrastructure Security Agency (CISA). The stack-based buffer overflow vulnerability is tracked as CVE-2024-3871 and has been assigned a CVSS v3.1 base score of 9.3 (CVSS v4 9.8). The vulnerability can be exploited by sending a specially crafted UDP packet to the default UDP port 2601, which can cause an overflow of the buffer stack, overwriting critical memory locations.

Successful exploitation of the vulnerability could allow an unauthorized individual to execute arbitrary code with SYSTEM privileges if the UPSMONProService service communication is not properly validated.

The vulnerability affects Appleton UPSMON-PRO versions 2.6 and earlier. Emerson has warned that the affected versions have reached end-of-life, so patches are not being released to fix the vulnerability. Any user who has yet to replace the affected UPSMON-PRO version with an actively supported UPS monitoring solution should do so as soon as possible.

While there is no patch, there are recommended mitigations to reduce the potential for exploitation. Users should block UDP port 2601 at the firewall level for all UPSMON-PRO installations, UPS monitoring networks should be isolated from general corporate networks, network-level packet filtering should reject oversized UDP packets to port 2601, and UPSMON-ProSer.exe should be monitored for server crashes as potential indicators of exploitation attempts.

CISA recommends ensuring that Emerson Appleton UPSMON-PRO is not accessible from the Internet, and if remote access is required, to ensure that secure methods are used to connect remotely, such as virtual private networks running the most up-to-date software version.

The post Critical Vulnerability Identified in Emerson Appleton UPSMON-PRO appeared first on The HIPAA Journal.

Several cybersecurity firms have tracked a surge in ransomware attacks in Q3, 2025, as groups such as Akira, Qilin, and Inc Ransom have stepped up their attacks. According to Beazley Security, a subsidiary of Beazley Insurance, those three groups accounted for 65% of all ransomware attacks in the quarter. Akira had a surge in attacks, conducting 39% of all attacks in the quarter, over 20% more than the second most active group, Qilin, with 18%, and Inc Ransom with 8%.

The Beazley Security Quarterly Threat Report for Q3, 2025, shows an 11% increase in additions to dark web data leak sites compared to Q2, 2025. The biggest increase in attacks came in August, which accounted for 26% of all publicly disclosed attacks in the past six months, with high levels of ransomware activity continuing in September, which accounted for 19% of all disclosed ransomware attacks in the previous six months.

While attacks are up overall, there has not been much change in the rate of attacks on the healthcare sector, which has remained fairly constant, accounting for 12% of attacks in Q2, 2025, and 11% of attacks in Q3, making it the 4^th most targeted sector. In Q3, there was a significant increase in attacks targeting the business services sector, which accounted for 28% of attacks, up from 19% in Q2. Professional services & associations was the second most targeted sector, accounting for 18% of attacks in Q3.

Beazley identified some interesting attack trends, including the continuing preference for using compromised credentials for initial access, most commonly compromised credentials for publicly accessible VPN solutions. Compromised VPN credentials were the initial access vector in 48% of attacks in Q3, up from 38% in Q2, 2025, with external services the next most common attack vector, accounting for 23% of attacks.

Compromised credentials for remote desktop services took third spot, followed by supply chain attacks and social engineering, with each of those attack vectors accounting for around 6% of all attacks in the quarter. While the top three attack vectors remain the same as in Q2, 2025, there was an increase in exploits of vulnerabilities in external services, which overtook compromised credentials to take second spot. The supply of valid credentials primarily comes from infostealer campaigns, and while there was a significant law enforcement action – Operation ENDGAME – targeting Lumma Stealer infrastructure, there was a subsequent spike in Rhadamanthys information activity, indicating the strong demand for credentials.

Akira typically targets VPNs for initial access, and in Q3, most attacks involved credential stuffing and brute force attempts to guess weak passwords, demonstrating the importance of implementing and enforcing password policies and ensuring that multifactor authentication is used. Any accounts that cannot be protected by MFA should have compensating controls. Akira also targeted vulnerabilities in SonicWall devices, where organizations were slow to patch vulnerabilities.

Qilin likewise targeted VPNs using brute force tactics to exploit weak passwords, and also abused valid compromised credentials. INC Ransom also appears to favor compromised valid credentials, gaining access to victims’ environments via VPNs and remote desktop services.

While accounting for a relatively small number of attacks, Beazley warns that several attacks started with downloads of trojanized software installers, including popular productivity and administrative tools such as PDF editors.  Ransomware actors use SEO poisoning to get their malicious download sites appearing at the top of the search engine results, along with malicious adverts (malvertising) that direct users to malicious sites.

Executing the downloaded installer may install the desired software, but it also installs malware. This technique was a common initial access vector in Rhysida ransomware attacks that Beazley investigated. Beazley suggests that organizations should consider security tools such as web filters for protecting against these attack vectors, and should ensure that they cover these techniques in organizational security awareness training programs.

The post Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns appeared first on The HIPAA Journal.