Healthcare Cybersecurity

CISA Publishes Guidance on Securing Cloud Services

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published guidance detailing security and resilience best practices for organizations that use cloud services. The guidance can be followed by any organization, but it is of particular importance to federal agencies and critical infrastructure entities. Cybercriminals and advanced persistent threat actors are increasingly targeting supply chains to attack federal government networks and critical infrastructure, and many of those attacks now target cloud-based environments. The guidance can be used by federal agencies, critical infrastructure entities, and others to secure cloud business application environments and protect the information created, accessed, shared, and stored in them.

The guidance was developed under CISA’s Secure Cloud Business Applications (SCuBA) project, which was established and funded through the American Rescue Plan Act of 2021. The aim of the project is to develop consistent, effective, modern, and manageable security configurations that help secure agency information assets stored in cloud environments. The first resources published under the project are an Extensible Visibility Reference Framework (eVRF) Guidebook, which can be used to identify the visibility data (logs and telemetry) needed to detect and mitigate threats, assess the extent to which specific products and services provide that data, and identify visibility gaps, and a companion Technical Reference Architecture (TRA) document to consult when adopting cloud technology, solutions, secure architecture, and zero trust frameworks.

“The final eVRF and TRA provide all organizations, including federal agencies, with adaptable, flexible, and timely guidance. These resources will help organizations address cybersecurity and visibility gaps that have long hampered our collective ability to adequately understand and manage cyber risk,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein.

CISA has also confirmed that it is working on new guidance that will include recommended cybersecurity configurations for specific products, which will be released over the coming months.

The post CISA Publishes Guidance on Securing Cloud Services appeared first on HIPAA Journal.

Healthcare Organizations Warned of Risk of Cyberattacks via SEO Poisoning

In a recently published analyst note, the Health Sector Cybersecurity Coordination Center (HC3) draws attention to the practice of SEO poisoning – a tactic often used by malicious actors to trick individuals into disclosing sensitive information or downloading malware.

Phishing is one of the most common ways that malicious cyber actors gain initial access to healthcare networks, but email and messaging are not the only channels through which healthcare employees can be reached. SEO poisoning drives traffic to attacker-controlled websites without distributing links by email, SMS, or instant messaging: search engine optimization (SEO) techniques are used instead to get malicious pages ranked highly for the search terms the targets are likely to use. The goal is a placement in the first few results, because those attract the most clicks and users tend to treat them as the most relevant and trustworthy, often clicking without checking the URL. Blackhat SEO tactics are used to get there, such as stuffing the page content and meta tags with keywords, building backlinks through private link networks, and artificially inflating click-through rates to game the ranking algorithms. Cloaking is also common: the web server recognizes search engine crawlers (by user agent or source address) and serves them benign content, while visitors arriving through the search results are served the malicious page, so the page passes the search engine's checks and still delivers the payload.

Malicious actors use SEO poisoning to target key search terms used by businesses or healthcare employees, and typosquatting may also be used to trick users into thinking they are on a legitimate website, such as registering domains with misspellings of brand names or substituting letters in domain names with similar-looking numbers or special characters. Typosquatting is also used to catch out careless typists – individuals who accidentally type Goole rather than Google for instance. Typosquatting may also be used to register domains similar to those used by healthcare organizations.

Security awareness training programs often concentrate on teaching employees to identify phishing attempts, but they should also cover other attack techniques, such as SEO poisoning, to reduce the risk of employees falling victim to these attacks. Technical measures include web filters, which act as a gateway between users and the Internet: they block attempts to visit known malicious websites, analyze web content and apply filtering controls before a connection is established, and restrict access to certain categories of websites. Because poisoned pages are frequently hosted on domains registered only days earlier, blocking or warning on newly registered domains usefully complements reputation-based blocklists. HC3 also recommends using digital risk monitoring tools to identify typosquatting, such as tools that scan newly registered domains for similarity to the organization's brands or names.
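The domain-similarity scanning HC3 recommends can be approximated in a few dozen lines. The block below is an added example written for this article, not HC3's or any vendor's tool: it takes a list of the organization's own domains and a feed of newly registered domains (both constructed here) and flags registrations that imitate a protected domain through a dropped or transposed letter, digit-for-letter homoglyphs such as g00gle, a TLD swap, or a brand name embedded in a longer label. The protected domains and the sample feed are assumptions for illustration; a real deployment would read the feed from certificate-transparency logs or a newly-registered-domain service.

```python
"""Flag newly registered domains that look like a protected brand.

Added example written for this article; it is not HC3's or any vendor's
tool. The protected domains and the "newly registered" feed below are
constructed for illustration. A real deployment would read the feed from
certificate-transparency logs or a newly-registered-domain service.
"""
from __future__ import annotations

# Look-alike substitutions that typosquatters rely on. Multi-character keys
# are listed first so "rn" -> "m" is applied before "1" -> "l" could interfere.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]

# Domains the organization actually owns (constructed).
PROTECTED = ["google.com", "mercyhospital.org"]

# Constructed feed of "newly registered" domains to scan.
SAMPLE_FEED = [
    "goole.com",                        # dropped letter
    "googel.com",                       # transposed letters
    "g00gle.com",                       # digit homoglyphs
    "google.co",                        # same label, different TLD
    "google.com",                       # the genuine domain
    "rnercyhospital.org",               # "rn" read as "m"
    "mercyhospital-patientportal.com",  # brand plus plausible suffix
    "example.net",                      # unrelated
]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, TLD). Simplified: the last label is taken as
    the TLD, so multi-part suffixes such as .co.uk need a public-suffix list."""
    parts = domain.lower().strip().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def fold(label: str) -> str:
    """Collapse hyphens and homoglyphs so g00gle and go-ogle compare equal to google."""
    label = label.replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and an
    adjacent transposition each cost 1, so googel is 1 away from google."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, protected: list[str] = PROTECTED) -> tuple[str, str] | None:
    """Return (matched brand, technique) if candidate imitates a protected
    domain, or None if it is the genuine domain or unrelated."""
    label, tld = split_domain(candidate)
    for brand in protected:
        blabel, btld = split_domain(brand)
        if label == blabel:
            return None if tld == btld else (brand, "tld-swap")
        if fold(label) == fold(blabel):
            return brand, "homoglyph"
        if edit_distance(label, blabel) <= 1:
            return brand, "typo"
        # Only long brand labels are safe to match as substrings; a short
        # one such as "ent" would flag half the Internet.
        if len(blabel) >= 6 and blabel in label:
            return brand, "combosquat"
    return None


def scan(feed: list[str], protected: list[str] = PROTECTED) -> dict[str, tuple[str, str]]:
    """Run classify() over a feed and keep only the look-alikes."""
    hits = {}
    for domain in feed:
        verdict = classify(domain, protected)
        if verdict is not None:
            hits[domain] = verdict
    return hits


if __name__ == "__main__":
    for domain, (brand, technique) in scan(SAMPLE_FEED).items():
        print(f"{domain:34} imitates {brand:20} via {technique}")
```

Run as a script it prints the six look-alikes in the sample feed and stays silent on google.com and example.net. The distance threshold of 1 is deliberately tight; raising it catches more variants but quickly starts matching unrelated short words, so in practice the candidates should be ranked and reviewed rather than blocked automatically.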


Study Identifies Lack of Preparedness for Ransomware Attacks in Emergency Departments

Ransomware attacks on hospitals cause major disruption to healthcare operations over several weeks. During the acute and recovery phases, access is often prevented to electronic health records and critical IT systems which can naturally have an impact on patient care. Ransomware attacks cause disruption to workflows, increase wait times, and slow patient flow, which can increase patient transfers and complication rates and negatively affect patient outcomes. Some studies suggest mortality rates increase following a ransomware attack.

Research on the impact of ransomware attacks on hospitals is limited, and the studies that exist often focus on the technical consequences of the attacks rather than their impact on hospital staff, especially in emergency care. A recent qualitative study, Hacking Acute Care: A Qualitative Study on the Health Care Impacts of Ransomware Attacks Against Hospitals, published in Annals of Emergency Medicine, sought to explore the impact on staff in more detail and identify the challenges faced by healthcare professionals and IT staff during the acute and recovery phases of hospital ransomware attacks.

The researchers explored the effect of several large ransomware attacks on hospitals between 2017 and 2022 and interviewed 9 individuals at hospitals that had suffered ransomware attacks, including emergency department staff and IT professionals. The study confirmed that ransomware attacks cause significant disruption to emergency department workflows and acute care delivery, and indicated that the attacks have a detrimental effect on the well-being of healthcare providers. The low number of participants was due to the “profound hesitancy” of hospitals to participate in the study; however, the interviews yielded enough information for the researchers to gain insight into the impact of the attacks and make recommendations to improve preparedness and limit the adverse effects on workflows and staff well-being.

While hospitals often have incident recovery plans, the study highlighted a lack of preparedness for ransomware attacks within emergency departments and highlighted several challenges that are encountered during the acute and recovery stage of the attacks. The lack of access to digital radiology systems following ransomware attacks made ordering and obtaining diagnostic imaging a challenge. The inability to communicate electronically meant forms had to be carried back and forth to the radiology department and medical images often had to be reviewed in person at the radiology department. Non-clinical staff members were found to serve as runners between the point of care and the radiology department, collecting and delivering imaging results, and due to the disruption, diagnostic imaging had to be reserved for the most urgent situations.

Ransomware attacks will inevitably have an adverse impact on hospitals; however, that impact can be minimized with better preparedness. The researchers recommend placing the emergency department on diversion for the first few hours of an attack, routing incoming emergency patients elsewhere to reduce pressure on acute care services, and using reverse triage, where the most seriously ill patients already in the emergency department are transferred to facilities unaffected by the attack. Patient care protocols should be established for when critical systems are offline, employees should be trained on paper-based charting and recording of patient information, and hospitals should keep paper charts and diagnostic order forms on hand for emergencies. The researchers also recommend transparency with hospital staff, patients, and partners to help mitigate concerns about the attack.


PoC Exploit Published for Cisco AnyConnect Secure Mobility Client Vulnerability

Proof-of-concept exploit code has been released for a high-severity vulnerability in Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. Organizations that have yet to apply the patch should do so immediately, as publicly available exploit code sharply lowers the bar for attackers, and unpatched flaws in AnyConnect have been exploited by malicious actors in the past.

Cisco Secure Client (the successor to AnyConnect) is a remote access solution that allows employees to connect to the corporate network from any location over a Virtual Private Network (VPN); it is also used by IT administrators for endpoint management. The vulnerability is tracked as CVE-2023-20178 and has a CVSS base score of 7.8.

The vulnerability affects the client update process and can be exploited by an authenticated, local attacker to elevate privileges to SYSTEM. The flaw is due to improper permissions on a temporary directory created during the update process, and it can be exploited by abusing a specific function of the Windows installer process. An attack has low complexity and requires no user interaction, but it does require an existing foothold on the endpoint as a low-privileged user, so in practice it is a post-compromise privilege escalation step rather than a remote entry point. The vulnerability was discovered by security researcher Filip Dragovic, who reported the flaw to Cisco and recently published the PoC exploit after successfully testing it against Secure Client version 5.0.01242 and AnyConnect Secure Mobility Client version 4.10.06079.

Cisco says there are no workarounds; patching is the only way to fix the vulnerability and prevent exploitation. A patch was released on June 13, 2023, and at the time of release there had been no detected instances of exploitation. The flaw is corrected in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.


Critical Vulnerability in VMware Aria Operations for Networks Now Actively Exploited

VMware has confirmed that a remote code execution vulnerability in its VMware Aria Operations for Networks (formerly vRealize Network Insight) network analytics tool is being exploited in the wild. The vulnerability is tracked as CVE-2023-20887, has a CVSS severity score of 9.8, and has been fixed in the latest version of the tool.

A proof-of-concept exploit for the pre-authentication command injection vulnerability was published on June 13, 2023, by security researcher Sina Kheirkhah of Summoning Team, and exploitation of unpatched systems started two days later. Researchers at the cybersecurity firm GreyNoise detected mass scanning for unpatched systems shortly after the PoC was published. The vulnerability is one of three recently disclosed in VMware Aria Operations for Networks, the other two being another critical flaw, CVE-2023-20888, and an important flaw, CVE-2023-20889. VMware released patches for all three around two weeks ago. All three were identified by Kheirkhah and reported to VMware, although CVE-2023-20887, the one now being exploited, had previously been discovered and reported to VMware by an anonymous security researcher.

CVE-2023-20887 can be exploited by a malicious actor with network access to VMware Aria Operations for Networks, without credentials, in a command injection attack that leads to remote code execution. CVE-2023-20888 can be exploited by a malicious actor with network access and valid member-role credentials to perform a deserialization attack resulting in remote code execution. The third vulnerability, CVE-2023-20889, can be exploited by a malicious actor with network access in a command injection attack resulting in information disclosure.

VMware says there are no workarounds; the only way to address the flaws is to update to a fixed version. All VMware Aria Operations for Networks 6.x on-premises installations must be patched to prevent exploitation. The patches for all three flaws are listed in VMware knowledge base article KB92684.


SEC Postpones Final Rule on Cyber Incident Disclosures

The Securities and Exchange Commission (SEC) was due to issue a final rule that would require publicly traded companies to disclose material cybersecurity incidents in their regulatory filings within four business days of determining that an incident is material. The decision has now been delayed until at least October 2023. A draft rule was proposed in March 2022 to improve transparency about cybersecurity incidents at publicly traded companies. The proposed rule called for publicly traded companies to ensure that investors are made aware of any material cybersecurity incidents and to disclose information about cybersecurity governance, the level of board expertise in dealing with cybersecurity incidents, and the involvement of upper management in cyber risk. A separate rule was proposed for investment advisers, registered investment companies, and business development companies in February 2022 that would require them to develop, implement, and maintain written cybersecurity policies and procedures to address cybersecurity risks.

Regulatory changes to force publicly traded companies to disclose cyber incidents were seen to be necessary as many were choosing not to disclose these incidents to avoid potential lawsuits and minimize reputational harm. Only one-quarter of ransomware attacks are reported to public authorities, as the reporting of cyber incidents is voluntary. The proposed rules were subject to two comment periods, and more than 175 comments have been submitted in response to the proposed cyber rules. The final rule was expected to be published as early as April 3, 2023; however, the SEC has now stated in a recent update to its rulemaking agenda that its new cyber rules will not be published until at least October 2023. The SEC did not provide a reason for the delay; however, there has been considerable pushback on the proposed rules.

While there has been broad support for the new cyber requirements for improving transparency, the devil is in the detail, especially the 4-day reporting requirement, which many commenters believe would hinder the ability of public companies to stop, investigate, remediate, and defend against cybersecurity incidents. The cybersecurity firm, Rapid7, warned that the 4-day disclosure deadline would mean companies that suffer security incidents would be forced to publicly disclose the incidents before they had been fully contained, and that would tip off hackers and make the companies more vulnerable and could lead to greater harm to investors. Rapid7 requested companies be allowed to delay reporting until a cyber incident has been fully remediated before being required to report the incident.

The U.S. Chamber of Commerce said the SEC is attempting to micromanage corporate cybersecurity programs and the proposed rule would not necessarily protect investors. The SEC was criticized for the 4-day reporting period as it did not give companies sufficient time to evaluate the severity of security incidents. The requirement to disclose whether the board has cybersecurity expertise was also criticized as it could lead to unwieldy and unwanted outcomes, such as giving investors a false level of confidence in the ability of a company to deal with the security incident. In its comments, the Chamber of Commerce said it would be difficult even for NIST to pinpoint what constitutes expertise or experience in cybersecurity that would earn widespread agreement among industry professionals.


May 2023 Healthcare Data Breach Report

May 2023 was a particularly bad month for healthcare data breaches. 75 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in May. May – along with October 2022 – was the second-worst-ever month for healthcare data breaches, only beaten by the 95 breaches that were reported in September 2020. Month-over-month there was a 44% increase in reported data breaches and May’s total was well over the 12-month average of 58 data breaches a month.

Healthcare Data Breaches in the Past 12 Months - May 2023

May was also one of the worst-ever months in terms of the number of breached records, which increased by 330% month-over-month to an astonishing 19,044,544. Over the past 12 months, the average number of records breached each month is 6,104,761 and the median is 5,889,562. 46.5% of May's breached records came from a single incident, which exposed the records of almost 8.9 million individuals, and 90.45% came from just three security incidents. More healthcare records were breached in the first 5 months of 2023 (36,437,539) than in all of 2020 (29,298,012).

Records Breached in Healthcare Data Breaches in the Past 12 Months - May 2023

Largest Healthcare Data Breaches in May 2023

23 data breaches of 10,000 or more records were reported to OCR in May, including the two largest healthcare data breaches of 2023. The worst was a LockBit ransomware attack on the HIPAA business associate Managed Care of North America (MCNA) that affected almost 8.9 million individuals. The LockBit gang stole data, threatened to publish it on its leak site if a $10 million ransom was not paid, and leaked the stolen data when it wasn't. Almost 6 million records were stolen in a ransomware attack on PharMerica Corporation and its subsidiary BrightSpring Health Services. The Money Message ransomware group exfiltrated 4.7 terabytes of data in the attack and uploaded the stolen data to its data leak site when the ransom was not paid.

A third million+ record data breach resulted in the exposure and potential theft of the protected health information of 2,550,922 Harvard Pilgrim Health Care plan members following a cyberattack on its parent company, Point32Health, the second largest health insurer in Massachusetts. This was also a ransomware attack with data theft confirmed. Other large data breaches include a hacking incident at the Virginia-based business associate Credit Control Corporation (345,523 records), and ransomware attacks affecting Onix Group (319,500 records), the Iowa Department of Health and Human Services (233,834 records), and Albany ENT & Allergy Services, PC (224,486 records).

Healthcare Data Breaches of 10,000 or More Records

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
--- | --- | --- | --- | ---
Managed Care of North America (MCNA) | GA | Business Associate | 8,861,076 | Ransomware attack (LockBit) – data theft confirmed
PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Hacking incident – data theft confirmed
Harvard Pilgrim Health Care | MA | Health Plan | 2,550,922 | Ransomware attack – data theft confirmed
R&B Corporation of Virginia d/b/a Credit Control Corporation | VA | Business Associate | 345,523 | Hacking incident – data theft confirmed
Onix Group | PA | Business Associate | 319,500 | Ransomware attack – data theft confirmed
Iowa Department of Health and Human Services – Iowa Medicaid (Iowa HHS-IM) | IA | Health Plan | 233,834 | Ransomware attack (LockBit) on its business associate (MCNA Dental) – data theft confirmed
Albany ENT & Allergy Services, PC | NY | Healthcare Provider | 224,486 | Ransomware attack (BianLian/RansomHouse) – data theft confirmed
Uintah Basin Healthcare | UT | Healthcare Provider | 103,974 | Hacking incident
UI Community Home Care, a subsidiary of University of Iowa Health System | IA | Healthcare Provider | 67,897 | Cyberattack on subcontractor (ILS) of its business associate (Telligen) – data theft confirmed
University Urology | NY | Healthcare Provider | 56,816 | Hacking incident
Illinois Department of Healthcare and Family Services, Illinois Department of Human Services | IL | Health Plan | 50,839 | Hackers compromised the state Application for Benefits Eligibility (ABE) system
New Mexico Department of Health | NM | Healthcare Provider | 49,000 | Impermissible disclosure of deceased individuals’ PHI in response to a journalist’s access request
Pioneer Valley Ophthalmic Consultants, PC | MA | Healthcare Provider | 36,275 | Malware infection at business associates (Alta Medical Management and ECL Group, LLC)
Brightline, Inc. | CA | Business Associate | 28,975 | Hacking of Fortra GoAnywhere MFT solution
Clarke County Hospital | IA | Healthcare Provider | 28,003 | Hacking incident
United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 26,561 | Hacking incident
ASAS Health, LLC | TX | Healthcare Provider | 25,527 | Hacking incident
iSpace, Inc. | CA | Business Associate | 24,382 | Hacking incident – data theft confirmed
PillPack LLC | NH | Healthcare Provider | 19,032 | Credential stuffing attack allowed customer account access
Solutran | MN | Business Associate | 17,728 | Hacking incident
MedInform, Inc. | OH | Business Associate | 14,453 | Hacking incident – data theft confirmed
Catholic Health System | NY | Healthcare Provider | 12,759 | Hacking incident at business associate (Minimum Data Set Consultants) – data theft confirmed
Northwest Health – La Porte | IN | Healthcare Provider | 10,256 | Paper records removed from locked shredding bins at a former facility

Causes of May 2023 Healthcare Data Breaches

The vast majority of the month’s data breaches were hacking/IT incidents, many of which were ransomware attacks and data theft/extortion attempts. 81.33% of the month’s data breaches (61 incidents) were hacking/IT incidents and those incidents accounted for 99.54% of all breached records. The protected health information of 18,956,101 individuals was exposed or stolen in those incidents. The average data breach size was 310,756 records and the median breach size was 3,833 records. There were 11 data breaches reported as unauthorized access/disclosure incidents, which affected 82,236 individuals. The average breach size was 7,476 records and the median breach size was 1,809 records. Two theft incidents were reported involving a total of 5,632 records and there was one incident involving the improper disposal of 575 paper records.

Causes of May 2023 Healthcare Data Breaches

Unsurprisingly given the large number of hacking incidents, 57 data breaches involved electronic protected health information stored on network servers. There were also 9 data breaches involving electronic protected health information in email accounts.

Location of Breached PHI in May 2023 Healthcare Data Breaches

Where Did the Breaches Occur?

When data breaches occur at business associates of HIPAA-regulated entities, they are either reported by the business associate, the HIPAA-regulated entity, or a combination of the two, depending on the terms of their business associate agreements. In May, 36 breaches were reported by healthcare providers, 25 by business associates, and 14 by health plans; however, those figures do not accurately reflect where the data breaches occurred. The pie charts below show where the data breaches occurred rather than the entity that reported the data breach, along with the number of records that were exposed or impermissibly disclosed in those data breaches.

May 2023 Healthcare Data Breaches - HIPAA-regulated Entities

Records Breached at HIPAA-regulated entities - May 2023

Geographical Distribution of Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states. Massachusetts tops the list with 15 reported breaches, but 13 of those were the same incident: Alvaria, Inc. submitted a separate breach report to OCR for each of its affected healthcare clients. Discounting those duplicates, California and New York were the worst affected states, with 7 breaches each.

State | Number of Reported Data Breaches
--- | ---
Massachusetts | 15
California, New York | 7 each
Connecticut, Iowa, Ohio | 4 each
Illinois, New Jersey, Pennsylvania | 3 each
Alaska, Indiana, Missouri, Texas | 2 each
Arizona, Arkansas, Georgia, Kansas, Kentucky, Michigan, Minnesota, New Hampshire, New Mexico, Oklahoma, South Dakota, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin | 1 each


HIPAA Enforcement Activity in May 2023

After two months with no HIPAA enforcement actions, there was a flurry of enforcement activity in May over HIPAA compliance failures. Two financial penalties were imposed by OCR to resolve HIPAA violations, two enforcement actions were announced by state attorneys general, and the Federal Trade Commission (FTC) announced an enforcement action against a non-HIPAA-regulated entity for the impermissible disclosure of consumer health information.

In May, OCR announced its 44th financial penalty under its HIPAA Right of Access enforcement initiative, which was launched in the fall of 2019. David Mente, MA, LPC, a Pittsburgh-based counselor, was fined $15,000 for failing to provide a father with the medical records of his minor children, despite the father making two requests for the records and OCR providing technical assistance after the first complaint was filed.

Between January 2020 and June 2023, OCR imposed 61 financial penalties on HIPAA-regulated entities to resolve potential violations of the HIPAA Rules, 69% of which were for HIPAA Right of Access violations. We are now starting to see more financial penalties imposed for other violations. May’s other HIPAA settlement involved a financial penalty of $350,000 for MedEvolve Inc., a Little Rock, AR-based business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. MedEvolve had misconfigured an FTP server, which exposed the electronic protected health information of 230,572 individuals. OCR investigated and determined that in addition to the impermissible disclosure, MedEvolve had failed to conduct a comprehensive, accurate, and organization-wide risk analysis and had not entered into a business associate agreement with a subcontractor.

The New York Attorney General agreed to a settlement to resolve violations of HIPAA and state laws that were discovered during an investigation of Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp. The medical management company was investigated after reporting a ransomware attack and data breach that impacted 1.2 million individuals. The hackers gained access to its network by exploiting a vulnerability that had not been patched, despite the patch being available for 22 months. Practicefirst was determined to have violated HIPAA and state laws through patch management failures, security testing failures, and not implementing encryption. The case was settled for $550,000.

A multi-state investigation of the vision care provider, EyeMed Vision Care, over a 2.1 million-record data breach was settled with the state attorneys general in Oregon, New Jersey, Florida, and Pennsylvania. A hacker gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, and Social Security numbers. The investigation revealed there had been several data security failures, including a lack of administrative, technical, and physical safeguards, in violation of HIPAA and state laws. The case was settled for $2.5 million.

The FTC has started actively policing the FTC Act and Health Breach Notification Rule and announced its third enforcement action of the year in May. Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, was alleged to have shared the health data of app users with third parties without user consent, in violation of the FTC Act, and failed to issue notifications, in violation of the Health Breach Notification Rule. Easy Healthcare agreed to settle the case and paid a $200,000 financial penalty.


TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center

An alarm has been sounded about a relatively unknown threat group called TimisoaraHackerTeam following a recent attack on a U.S. medical facility. TimisoaraHackerTeam is believed to be a financially motivated threat group, which in contrast to many cybercriminal and ransomware groups, has no qualms about attacking the healthcare and public health (HPH) sector and appears to actively target HPH sector organizations, mainly conducting attacks on large organizations. The group was first identified in July 2018 but has largely stayed under the radar.

According to the Health Sector Cybersecurity Coordination Center (HC3), which issued the alert on June 16, the group has resurfaced and conducted a June 2023 ransomware attack on a U.S. cancer center that rendered its digital services unavailable, put patients’ protected health information at risk, and significantly reduced the center’s ability to treat patients.

The group exploits known vulnerabilities to gain initial access to HPH sector networks, then escalates privileges, moves laterally, and encrypts files. Rather than deploying custom ransomware, the group uses Microsoft’s native disk encryption tool, BitLocker, along with Jetico’s BestCrypt. Because the encryption is performed by legitimate, signed software rather than a malicious binary, endpoint security products that rely on recognizing known ransomware families are far less likely to intervene; defenders have to watch for the behavior (encryption being enabled on volumes by unexpected accounts, at unusual times, or across many volumes in quick succession) rather than for the tool. Previous attacks loosely attributed to TimisoaraHackerTeam include an attack on a French hospital in April 2021 that involved similar living-off-the-land tactics, and an attack on Hillel Yaffe Medical Center in Israel that resulted in the cancellation of non-elective procedures and forced the medical center to switch to alternative systems to continue providing patient care.

According to the cybersecurity firm Varonis, the attack on Hillel Yaffe Medical Center in Israel is thought to have involved the exploitation of a known and unpatched vulnerability in the Pulse Secure VPN, with the hackers then using living-off-the-land techniques for the next stages of the attack to evade security solutions. Varonis says reports of attacks by TimisoaraHackerTeam mostly date to 2018, and while it is possible that the group has resurfaced, the DeepBlueMagic threat group may be an evolution of TimisoaraHackerTeam or DeepBlueMagic may have simply adopted the same tactics as TimisoaraHackerTeam. The same tactics have also been used by hackers in China, with those attacks attributed to an Advanced Persistent Threat Group that is tracked as APT41, although it is unclear to what extent, if any, these threat actors are linked.

In addition to exploiting Pulse Secure VPN vulnerabilities, TimisoaraHackerTeam has targeted vulnerabilities in Microsoft Exchange Server and Fortinet firewalls and uses poorly configured Remote Desktop Protocol to move laterally within networks. The recent attack on the cancer center serves as a warning that the group is still active, and that network defenders should take steps to improve monitoring and protect their networks from attacks. Further details on the group and its tactics, techniques, and procedures can be found in the HC3 HPH Sector Cybersecurity Notification.

The post TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center appeared first on HIPAA Journal.

Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required

Progress Software has issued a warning about another vulnerability in its MOVEit Transfer file transfer software, an exploit for which is in the public domain. The announcement comes as the Clop ransomware group starts to name companies that were attacked by exploiting a separate zero-day bug in May, and CISA confirms the victims include several federal agencies.

The CVE for the latest vulnerability is still pending and there is no CVSS severity score at present; however, this is a critical vulnerability, and a Proof-of-Concept (PoC) exploit for the new zero-day flaw has been shared by a security researcher on Twitter, although at the time of release, code execution is not believed to have been achieved. The attacks by the Clop gang demonstrate that MOVEit vulnerabilities can be weaponized and exploited in mass attacks, so mitigations should be implemented immediately and patches applied as soon as they are released.

MOVEit Transfer Zero Day Mitigations and Fixes

According to Progress Software, all users must take action to address the latest MOVEit zero-day bug. The steps that need to be taken depend on whether patches have been applied to fix the zero-day bug (CVE-2023-34362) that was exploited by Clop and patched on May 31, 2023, and a second critical SQL injection vulnerability, CVE-2023-35036, for which a patch was released on June 9. The May 31 and June 9 patches and remediation steps should be followed first, if they have not been already; then the June 15, 2023, patch can be applied to fix the third zero-day (CVE pending).

If it is not possible to immediately apply the June 15, 2023, patch, users should disable all HTTP and HTTPS traffic to the MOVEit Transfer environment immediately (ports 80 and 443) to prevent unauthorized access. HTTP and HTTPS traffic should not be re-enabled until the June 15, 2023, patch has been applied. While this mitigation will prevent users from logging into their accounts via the web user interface, transfers will still be available since the SFTP and FTPS protocols will continue to work, and admins will still be able to access MOVEit Transfer by connecting to the Windows server via remote desktop and then navigating to https://localhost/.
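One way to apply the interim mitigation above on the Windows server that hosts MOVEit Transfer, as an added example that is not Progress Software's own guidance or code: it assumes Windows Firewall is the control point (many organizations will block the ports at the perimeter instead), that the rule name is a constructed placeholder, and that it is run in an elevated PowerShell session.

```powershell
# Added example (not from Progress Software or HIPAA Journal): host-firewall rules that
# block inbound HTTP/HTTPS to MOVEit Transfer while leaving SFTP and FTPS untouched.
# Assumes Windows Firewall is active and run from an elevated session.

$RuleName = 'MOVEit-Mitigation-Block-Web'   # constructed name, chosen so the rule is easy to remove later

# 1. Block all inbound HTTP/HTTPS (TCP 80 and 443) to the MOVEit Transfer web UI.
#    A Block rule takes precedence over existing Allow rules for these ports.
#    Windows Firewall does not filter loopback traffic, so https://localhost/ still
#    works for admins who connect to the server over remote desktop.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -Action Block -Profile Any -Enabled True | Out-Null

# 2. Confirm the block rule exists and is enabled.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 3. List the relevant listeners so the change can be reviewed: the web ports (80, 443)
#    are now blocked inbound, while SFTP (22) and FTPS (21, 990) keep their existing rules.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 21, 22, 80, 443, 990 } |
    Select-Object LocalAddress, LocalPort

# 4. Only after the June 15, 2023 patch has been applied: remove the block to restore web access.
# Remove-NetFirewallRule -DisplayName $RuleName
```

Step 4 is left commented out so the block is not lifted accidentally before the patch is in place.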

Details on patching all three vulnerabilities and the mitigation steps are detailed in the latest Progress Software alert.

Progress Software said, “We have taken HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPs traffic to safeguard their environments while the patch is finalized.”

Clop Starts Publishing Victims’ Names on Dark Web Data Leak Site

The Clop gang claimed responsibility for the attacks which exploited the May 2023 vulnerability (CVE-2023-34362), and while the victim count is not known, several hundred companies are understood to have been affected. Clop provided a deadline of June 14, 2023, for payment of the ransom demands, after which the group claimed it would start releasing the stolen data. On Wednesday, names started to be published on its data leak site which include the oil and gas company Shell, the University of Georgia (UGA) and University System of Georgia (USG), UnitedHealthcare Student Resources (UHSR), Putnam Investments, Heidelberger Druck, and Landal Greenpark. Several other companies have confirmed that they were affected although they have yet to be listed on the data leak site. Those companies include Zellis, Boots, Aer Lingus, and the BBC.

CISA Confirms Federal Agencies Impacted

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that several federal agencies were attacked by the Clop gang by exploiting the May 2023 vulnerability and that it is providing support to the agencies that have suffered intrusions. Eric Goldstein, CISA executive assistant director for cybersecurity, confirmed to CNN that it is currently trying to understand the impact of those intrusions. CISA Director, Jen Easterly, said the May 2023 attacks were opportunistic in nature and were not targeted at government agencies, and while Clop is a Russian ransomware group, the attacks are not believed to be connected to the Russian government. “Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” said Easterly. Government agencies known to have been affected include the Energy Department, which confirmed that two entities within the Department have been compromised.

The post Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required appeared first on HIPAA Journal.