Healthcare Cybersecurity

Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed

A zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution is being actively exploited by hackers to perform mass downloads of sensitive data from targeted organizations. MOVEit Transfer was developed by Ipswitch, a company owned by Progress Software Corporation, and is provided as an on-premises solution or a cloud SaaS platform used by enterprises to transfer large files securely.

According to a security advisory from Progress, the flaw is an SQL injection vulnerability in the MOVEit Transfer web application. A remote, unauthenticated attacker who exploits it can gain access to the MOVEit Transfer database, infer the structure and contents of the database, exfiltrate data, and execute SQL statements that alter or delete database elements. Progress has confirmed that the vulnerability affects all MOVEit Transfer versions, on-premises and MOVEit Cloud alike. Many instances of mass data exfiltration were confirmed over the Memorial Day weekend, when monitoring was reduced, although in many of the cases investigated the vulnerability appears to have been exploited weeks earlier. It is not yet clear which threat group is exploiting the flaw: data theft has been confirmed, but no extortion attempts have been observed so far.

Progress has released patches for all supported versions. Until the patch is applied, users are advised to disable all HTTP and HTTPS traffic to the MOVEit Transfer environment by adding firewall rules that deny traffic to MOVEit Transfer on ports 80 and 443. Blocking web traffic closes the web-application attack path but does not take the service offline: SFTP and FTP/S continue to operate, so any accounts an attacker has already created could still be used over those protocols until they are removed. After blocking traffic, review the environment for unauthorized files and user accounts, delete them, and reset service account credentials. Only then apply the patch, and re-enable HTTP and HTTPS traffic once the review has confirmed that all unauthorized files and accounts have been removed.

According to Rapid7, approximately 2,500 MOVEit Transfer instances are exposed to the public Internet, the majority of them in the United States. Every case of exploitation investigated so far has involved the same webshell, human2.aspx, being written to the C:\MOVEit Transfer\wwwroot\ public HTML folder. After patching, organizations should conduct a forensic analysis looking for Indicators of Compromise over at least the past 30 days to determine whether the flaw had already been exploited and data exfiltrated.
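The two checks the advisory calls for (unexpected files in wwwroot, and web requests to the webshell over a 30-day look-back) can be scripted. The following is an added example written for this page; it is not Progress or Rapid7 tooling. It assumes a responder has pulled a plain directory listing of the wwwroot folder and the IIS access logs in W3C format from the MOVEit host; the listing, the log lines and the short allowlist of legitimate handler files below are constructed for the example, and a real allowlist must be built from a known-good install.

```python
"""Hunt for the MOVEit Transfer webshell IOC described above.

Added example, not Progress or Rapid7 tooling.  Inputs are a directory
listing of the MOVEit Transfer wwwroot folder and IIS W3C-format access
logs; the samples embedded below are constructed for offline use.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

# Handler files that legitimately ship in wwwroot.  This short set is an
# assumption for the example; build the real allowlist from a known-good
# install or the vendor's file manifest.
KNOWN_WWWROOT_FILES = {"human.aspx", "machine.aspx", "guestaccess.aspx", "default.aspx"}

# Constructed sample: what `dir "C:\MOVEit Transfer\wwwroot" /b` might return.
SAMPLE_WWWROOT_LISTING = """human.aspx
human2.aspx
machine.aspx
guestaccess.aspx
default.aspx
"""

# Constructed sample IIS log in W3C format.  The #Fields header drives the
# parser, so the column order of real logs does not matter.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-27 02:14:03 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-27 02:14:09 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-28 09:30:00 10.0.0.5 GET /human.aspx - 443 jdoe 192.0.2.10 Mozilla/5.0 200
2023-05-29 11:05:41 10.0.0.5 GET /machine.aspx - 443 - 192.0.2.11 MOVEit-Client 200
2023-05-30 04:00:12 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 curl/8.0 404
"""


def unexpected_wwwroot_files(listing: str) -> list[str]:
    """Return files in the wwwroot listing that are not on the allowlist."""
    names = [line.strip() for line in listing.splitlines() if line.strip()]
    return sorted(n for n in names if n.lower() not in KNOWN_WWWROOT_FILES)


def parse_w3c_log(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C log text into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def webshell_requests(records, since: date, known=KNOWN_WWWROOT_FILES):
    """Requests for .aspx paths not on the allowlist, grouped by client IP.

    Only requests dated on or after `since` are considered, so the caller
    controls the look-back window (at least 30 days per the advisory).
    Status codes are deliberately not filtered: a 404 for human2.aspx is
    still an attacker probing for the shell.
    """
    hits: dict[str, list[dict[str, str]]] = defaultdict(list)
    for r in records:
        name = r["cs-uri-stem"].lower().rsplit("/", 1)[-1]
        if not name.endswith(".aspx") or name in known:
            continue
        if date.fromisoformat(r["date"]) < since:
            continue
        hits[r["c-ip"]].append(r)
    return dict(hits)


def hunt(listing: str, log_text: str, today: date, lookback_days: int = 30) -> dict:
    """Run both checks and return a summary suitable for an incident ticket."""
    since = today - timedelta(days=lookback_days)
    files = unexpected_wwwroot_files(listing)
    hits = webshell_requests(parse_w3c_log(log_text), since)
    return {
        "unexpected_files": files,
        "suspect_client_ips": sorted(hits),
        "webshell_request_count": sum(len(v) for v in hits.values()),
        "compromised": bool(files or hits),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_WWWROOT_LISTING, SAMPLE_IIS_LOG, today=date(2023, 6, 2)).items():
        print(f"{key}: {value}")
```

The file check and the log check are kept separate on purpose: a webshell that was dropped and later deleted by the attacker leaves no file but still shows up as requests in the IIS log, while a shell that was planted but never called shows up only in the listing. Either result on its own should be treated as compromise.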

The Clop ransomware gang is a prime suspect as the group was behind the exploitation of zero-day vulnerabilities in two other MFT solutions, Fortra’s GoAnywhere MFT in January 2023 and the Accellion FTA in December 2020.

The post Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed appeared first on HIPAA Journal.

CISA & Partners Release Updated StopRansomware Guide

An updated version of the StopRansomware Guide has been published that includes further recommendations on actions that can be taken to reduce the risk of ransomware attacks. The StopRansomware Guide is a one-stop resource developed by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) that details best practices for detecting, preventing, responding to, and recovering from ransomware attacks and provides step-by-step approaches for addressing potential attacks. The updated guide was produced through the Joint Ransomware Task Force (JRTF), which was set up by Congress in 2022 to deal with the growing threat of ransomware attacks.

The StopRansomware Guide can be used by government agencies and organizations and businesses of all sizes to ensure appropriate defenses are in place to block attacks and can help with the development, implementation, and maintenance of incident response plans to ensure the fastest possible recovery in the event of an attack. The updated guide includes new recommendations for hardening defenses against the most common initial access vectors that are used by ransomware gangs and initial access brokers for gaining a foothold in networks, including compromised credentials, brute force attempts to obtain passwords, phishing, and advanced social engineering, along with information on securing cloud backups and tips for threat hunting.

The StopRansomware Guide is divided into two parts. The first part provides comprehensive, relevant, and proven best practices that can be adopted to reduce risk, including identifying critical data that needs protecting and proactive steps that can help with ransomware attack mitigation. The second part of the guide provides detailed information on detection, analysis, containment, eradication, and post-incident recovery, and includes a checklist to guide organizations through a methodical, measured, and properly managed incident response approach.

“With our FBI, NSA and MS-ISAC partners, we strongly encourage all organizations to review this guide and implement recommendations to prevent potential ransomware incidents,” wrote CISA. “In order to address the ransomware epidemic, we must reduce the prevalence of ransomware intrusions and reduce their impacts, which include applying lessons learned from ransomware incidents that have affected far too many organizations.”

The updated StopRansomware Guide is available to download from CISA.


Cyberattacks on Hospitals Cause Significant Disruption at Neighboring Healthcare Facilities

A recent study has confirmed that healthcare cyberattacks not only cause disruption at the organization that experiences an attack but also at emergency departments at neighboring hospitals, where patients face longer wait times due to increased patient numbers which place a strain on resources.

The study involved a retrospective analysis of two academic emergency departments operated by a healthcare delivery organization (HDO) in San Diego, located near an unrelated HDO that experienced a ransomware attack. The researchers examined adult and pediatric patient volume, emergency medical services diversion data, and emergency department stroke care metrics for the four weeks before the attack, the period of the attack, and the four weeks after it.

The ransomware attack in question occurred on May 1, 2021, and affected an HDO with 4 acute care hospitals, 19 outpatient facilities, and more than 1,300 combined acute inpatient beds. The attack prevented access to electronic medical records and imaging systems and affected the HDO’s telehealth capabilities. Staff were forced to use pen and paper to record patient information and emergency traffic was redirected to unaffected facilities. The attack caused disruption for 4 weeks, and around 150,000 patient records were compromised.

An attack on one hospital will often see patient numbers increase at neighboring hospitals, and the increased volume of patients and resource constraints impact time-sensitive care for health conditions such as acute stroke. The researchers found there were significant disruptions to services at the neighboring healthcare facilities, even though they were not targeted or directly affected by the ransomware attack. Compared to the period before the attack, there was a 15.1% increase in the daily mean emergency department census, a 35.2% increase in mean ambulance arrivals, a 6.7% increase in mean admissions, a 127.8% increase in patients leaving without being seen, a 50.4% increase in visits where patients left against medical advice, and a 47.6% increase in median waiting room times.

The researchers chose acute stroke care as an example of a time-sensitive, resource-intensive, technologically dependent, and potentially lifesaving set of complex actions and decisions that requires a readily available multidisciplinary team working in close coordination. They observed a 74.6% increase in stroke code activations and a 113.6% increase in confirmed strokes compared to the pre-attack period.

Since a ransomware attack on one hospital impacts other, non-targeted healthcare facilities, the researchers suggest that ransomware and other cyberattacks should be classed as regional disasters. They report no significant difference in door-to-CT scan or acute stroke treatment times, but suggest the disruptions caused by ransomware attacks could easily lead to negative patient outcomes. “These findings support the need for coordinated regional cyber disaster planning, further study on the potential patient care effects of cyberattacks, and continued work to build technical health care systems resilient to cyberattacks such as ransomware,” wrote the researchers, who also suggest this should be made a national priority given the increase in cyberattacks on healthcare organizations in recent years.

The study – Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US – was conducted by Christian Dameff, MD, MS, Jeffrey Tully, MD, and Theodore C. Chan, MD, and was published in JAMA Network Open.


CommonSpirit Health Says Ransomware Attack Likely to Cost $160 Million

CommonSpirit Health has provided an updated estimate on the cost of its October 2022 ransomware attack, which is expected to increase to $160 million. The ransomware attack was detected by CommonSpirit Health on October 2, 2022, forcing systems to be taken offline. The attack affected over 100 current and former CommonSpirit facilities in 13 states. The forensic investigation determined hackers first gained access to its network on September 16, 2022, and were ejected on October 3, 2022. The attackers stole data from two file servers, although they did not gain access to its medical record system. The stolen files contained the protected health information of almost 624,000 patients.

CommonSpirit Health operates 143 hospitals and around 2,300 other healthcare facilities in 22 states and is the second-largest non-profit health system in the United States. CommonSpirit’s latest quarterly results show total revenues of $8.3 billion for the 3 months to March 31, 2023, and $25.6 billion for the 9 months to March 31. CommonSpirit reported an operating loss of $648 million for the quarter and $1.1 billion for the 9 months to March 31. Net losses were smaller, at $231 million and $445 million for the 3- and 9-month periods, because of improved investment returns. CommonSpirit said the ransomware attack did not have any impact on the current quarter’s operating results.

The ransomware attack was initially estimated to cost around $150 million, but a further $10 million in costs has been added to that figure. The increased cost factors in lost revenues due to business interruption, costs incurred remediating the ransomware attack, and other business-related expenses. In a call with investors, CommonSpirit explained that most of the $160 million is expected to be recovered from underwriters, although recovery of the costs is expected to take some time. CommonSpirit also confirmed in its quarterly report that it is facing a class action lawsuit over the ransomware attack and data breach. The lawsuit was filed in December 2022 in the U.S. District Court for the Northern District of Illinois and alleges negligence due to the failure to implement reasonable and appropriate security measures to protect patient data. The lawsuit seeks damages for the plaintiff and class exceeding $5 million, injunctive relief, and legal costs.


April 2023 Healthcare Data Breach Report

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

[Chart: April 2023 healthcare data breaches]

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

[Chart: Healthcare records breached in the last 12 months, to April 2023]

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach affecting 3,037,303 individuals, the third largest breach reported by a single HIPAA-regulated entity so far this year and the 19th largest ever reported by a single HIPAA-regulated entity. The breach occurred at the HIPAA business associate NationsBenefits Holdings and was a data theft and extortion attack by the Clop ransomware group exploiting the Fortra GoAnywhere MFT solution. 8 of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by the same campaign and reported the breach separately for each affected covered entity client (9 reports). Together, the Brightline breaches involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Breach Cause
NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 462,241 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 199,000 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 180,694 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
California Physicians’ Services d/b/a Blue Shield of California | CA | Business Associate | 61,790 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
MiniMed Distribution Corp. | CA | Healthcare Provider | 58,374 | Network Server | Unauthorized disclosure of PHI to Google and other third parties (tracking code)
Brightline, Inc. | CA | Business Associate | 49,968 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
United Steelworkers Local 286 | PA | Health Plan | 37,965 | Email | Hacked email account
Retina & Vitreous of Texas, PLLC | TX | Healthcare Provider | 35,766 | Network Server | Hacking incident
Brightline, Inc. | CA | Business Associate | 31,440 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 21,830 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) | IA | Health Plan | 20,815 | Network Server | Hacking incident at business associate (Independent Living Systems)
Lake County Health Department and Community Health Center | IL | Healthcare Provider | 17,000 | Email | Hacked email account
Southwest Healthcare Services | ND | Healthcare Provider | 15,996 | Network Server | Hacking incident (data theft confirmed)
La Clínica de La Raza, Inc. | CA | Healthcare Provider | 15,316 | Email | Hacked email accounts
St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 15,246 | Paper/Films | Mailing error
Two Rivers Public Health Department | NE | Healthcare Provider | 15,168 | Email | Hacked email account
Robeson Health Care Corporation | NC | Healthcare Provider | 15,045 | Network Server | Malware infection
Northeast Behavioral Health Care Consortium | PA | Health Plan | 13,240 | Email | Hacked email account (phishing)
Centers for Medicare & Medicaid Services | MD | Health Plan | 10,011 | Paper/Films | Mailing error at business associate (Palmetto GBA)
Modern Cardiology Associates | PR | Healthcare Provider | 10,000 | Network Server | Hacking incident

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

[Chart: Causes of April 2023 healthcare data breaches]

Ransomware attacks continue to be conducted, but there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the Clop attacks that exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group previously conducted attacks using ransomware but this year has primarily been conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined.  As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

[Chart: Location of PHI in April 2023 healthcare data breaches]

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

[Chart: April 2023 healthcare data breaches by HIPAA-regulated entity type]

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

[Chart: Records exposed or stolen in April 2023 healthcare data breaches by HIPAA-regulated entity type]

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico. California was the worst affected state with 16 breaches, although 9 of those were the single Brightline Inc. incident reported separately for each client, which inflated California’s count this month.

State | Breaches
California | 16
Florida | 4
New York, Pennsylvania | 3 each
Illinois, Kentucky, Ohio, Texas | 2 each
Alabama, Arizona, Idaho, Indiana, Iowa, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin, Puerto Rico | 1 each

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.


Bipartisan Legislation Introduced to Address Rural Hospital Cybersecurity Skill Gaps

New bipartisan legislation has recently been introduced to help address the current shortage of cybersecurity skills at rural hospitals. The Rural Hospital Cybersecurity Enhancement Act was introduced by Sen. Gary Peters (D-MI), chair of the Senate Homeland Security and Governmental Affairs Committee, and Sen. Josh Hawley (R-MO), committee member.

Cyberattacks on healthcare organizations have increased significantly over the past few years. These attacks cause considerable disruption to patient care and can put lives at risk. While health systems have increased investment in cybersecurity, many small and rural hospitals lack the necessary resources and struggle to hire skilled cybersecurity professionals. At a recent Senate Homeland Security and Governmental Affairs Committee hearing, cybersecurity experts testified about current healthcare cybersecurity challenges. Kate Pierce, former CIO and CISO at North County Hospital in Vermont and an executive at Fortified Health Security, said cybercriminals have shifted their focus and are now actively targeting small and rural hospitals. Large health systems have implemented advanced cybersecurity measures and employ large security teams to manage their defenses, but cybersecurity spending at small and rural hospitals is far lower and their defenses tend to be much weaker.

“A basic security measure like 24/7 monitoring of systems is ‘pie-in-the-sky’ for these organizations,” explained Pierce at the hearing. “Despite all the guidance, recommendations and services provided over the past few years by HSCC, 405(d), H-ISAC, CISA, and other organizations, I have found that the vast majority of small and rural hospitals are unaware of these resources, and too overwhelmed to take advantage of these valuable tools.”

The Rural Hospital Cybersecurity Enhancement Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities that provide inpatient and outpatient care services in non-urbanized areas. The strategy should include public-private partnerships, the development of curricula and training resources, and policy recommendations. The bill requires the Director of CISA to create instructional materials for rural hospitals to train staff on fundamental cybersecurity measures, and for the Department of Homeland Security to report annually to congressional committees on updates to the strategy and any programs that have been implemented.

“Ransomware attacks against hospitals and health care systems that compromise sensitive medical information and disrupt patient care must be stopped. Unfortunately, small and rural hospitals often lack the resources to invest in cybersecurity defenses and staff to prevent these breaches,” said Senator Peters. “This bipartisan legislation will require the federal government to ensure our most vulnerable health care providers have the necessary tools to protect patient information and provide lifesaving care even as criminal hackers continue to target their networks.”


FBI and CISA Issue Warning About BianLian Ransomware and Extortion Group

A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) about the BianLian ransomware and data extortion group.

The BianLian group has been conducting attacks in the United States since at least June 2022 and has actively targeted critical infrastructure organizations, including the healthcare and public health sector. BianLian develops and deploys its own ransomware and has typically engaged in double extortion, exfiltrating sensitive data from victims’ networks before encrypting files and threatening to leak the stolen data if the ransom is not paid. This year, the group has largely switched to extortion-only attacks in which files are exfiltrated but not encrypted. These attacks have proven effective because the release of stolen data alone can cause significant reputational damage and legal complications for an organization.

The BianLian group primarily gains access to victims’ networks using valid Remote Desktop Protocol (RDP) credentials, which may be obtained through brute-force guessing of weak passwords, purchase from initial access brokers, or phishing. Once inside, the group deploys a custom backdoor specific to each victim and downloads commercially available remote access tools such as TeamViewer, Atera Agent, Splashtop, and AnyDesk. Command-line tools and scripts are used for network reconnaissance and harvesting further credentials. PowerShell and the Windows Command Shell are used to disable antivirus software such as Windows Defender and the Antimalware Scan Interface (AMSI), and the registry is modified to disable Sophos services, including SAVEnabled, SEDenabled, and SAVService.

Tools typically downloaded onto victims’ networks include Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, and PingCastle to aid discovery, along with native Windows tools and Windows Command Shell, with PsExec and RDP with valid accounts used for lateral movement. Once sensitive data has been located, data exfiltration occurs via File Transfer Protocol (FTP), Rclone, or Mega. Once data exfiltration has occurred, threats are issued to publish the stolen data.

The best defense against these attacks is to limit the use of RDP and other remote desktop services. Audit all remote access tools on the network to identify what is installed and what is actually in use; remove or disable any tool that is not currently needed, and lock down RDP. Use security software to detect remote access software being loaded into memory, and review the logs of the remote access tools that remain to detect abnormal use.

Remote access should only take place from within the network, over approved solutions such as virtual private networks (VPNs) or virtual desktop infrastructure (VDI). Inbound and outbound connections on the ports and protocols used by common remote access software should be blocked at the network perimeter. Organizations should also disable command-line and scripting activities and permissions where they are not needed, restrict the use of PowerShell on critical systems, and enable enhanced PowerShell logging. Administrative accounts should be audited regularly, time-based access should be configured for accounts at the admin level and higher, and the principle of least privilege should be applied.

The cybersecurity alert includes Indicators of Compromise (IOCs), details of the tactics, techniques, and procedures (TTPs) used by the group, and other recommended mitigations.


Illumina Sequencing Instruments Affected by Maximum Severity Vulnerability

Healthcare providers and laboratory personnel have been warned about a maximum severity vulnerability in Illumina Universal Copy Service software used by its DNA sequencing instruments.

The vulnerability affects Illumina products with Illumina Universal Copy Service (UCS) v2.x installed:

  • iScan Controls Software (v4.0.0 and v4.0.5)
  • iSeq 100 (all versions)
  • MiniSeq Control Software (v2.0 and later)
  • MiSeq Control Software (v4.0 RUO Mode)
  • MiSeqDx Operating Software (v4.0.1 and later)
  • NextSeq 500/550 Control Software (v4.0)
  • NextSeq 550Dx Control Software (v4.0 RUO Mode)
  • NextSeq 550Dx Operating Software (v1.0.0 to 1.3.1)
  • NextSeq 550Dx Operating Software (v1.3.3 and later)
  • NextSeq 1000/2000 Control Software (v1.4.1 and prior)
  • NovaSeq 6000 Control Software (v1.7 and prior)
  • NovaSeq Control Software (v1.8)

Affected devices are vulnerable to two flaws, the more serious of which, CVE-2023-1699, allows binding to an unrestricted IP address. If exploited, a malicious actor could use UCS to listen on all IP addresses, including those that accept remote communications, and remotely take control of the affected device, change its settings, and alter or steal sensitive data. The flaw can be exploited remotely with low attack complexity and has been assigned a CVSS score of 10 out of 10.

The second flaw, tracked as CVE-2023-1966, affects UCS v1.x and v2.0 and is due to unnecessary privileges. A remote attacker could upload and execute code remotely at the operating system level, allowing changes to be made to settings and configurations and sensitive data to be accessed on the affected products. The vulnerability has been assigned a CVSS score of 7.4 out of 10.

The vulnerabilities were discovered by Illumina and reported to the Cybersecurity and Infrastructure Security Agency (CISA). Illumina says it is unaware of any instances of actual or attempted exploitation of the flaws; however, given the severity of the vulnerabilities and the ease of exploitation, immediate patching is recommended.

On April 5, 2023, Illumina notified customers about the flaws and asked them to check for signs of exploitation. A patch has now been released, along with a Vulnerability Instructions Guide that walks users through remediation for their specific device configurations. The U.S. Food and Drug Administration (FDA) recently warned healthcare providers and laboratory personnel that the vulnerabilities may present risks for patient results and customer networks. Until the patch can be applied, steps should be taken to reduce the risk of exploitation: minimize network exposure, ensure the affected devices are not accessible from the Internet, place control system networks and remote devices behind firewalls, and only use secure methods such as a virtual private network (VPN) for remote access to the devices.
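The condition behind CVE-2023-1699 is visible from the instrument's control PC without any vendor tooling: a service bound to 0.0.0.0 or :: is reachable from every interface, while one bound to 127.0.0.1 is not. The following is an added example written for this page, not Illumina's code or patch. It parses `netstat -ano` output (a constructed sample below, in the layout Windows prints) to list every listener bound to all interfaces, reports which of those belong to the copy service, and shows the loopback-only bind that is the safe posture. The process ID and port attributed to UCS are assumptions for the example; on a real host, map them from the running service.

```python
"""Audit listening sockets for the unrestricted-bind condition behind
CVE-2023-1699 and demonstrate the restricted alternative.

Added example, not Illumina's code or patch.  SAMPLE_NETSTAT is a
constructed `netstat -ano` capture; the PID and port attributed to the
Universal Copy Service in it are assumptions.
"""
from __future__ import annotations

import ipaddress
import socket

# Constructed sample of `netstat -ano` output on an instrument control PC.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:29644          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:29645        0.0.0.0:0              LISTENING       4120
  TCP    [::]:3389              [::]:0                 LISTENING       1004
  TCP    192.0.2.20:445         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.20:49712       198.51.100.9:443       ESTABLISHED     2280
  UDP    0.0.0.0:5353           *:*                                    1332
"""

# Process IDs the operator has mapped to the copy service (assumption).
UCS_PIDS = {4120}


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'host:port' as netstat prints it, handling bracketed IPv6."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_unrestricted(host: str) -> bool:
    """True when a bind address accepts connections on every interface."""
    if host in ("", "*"):
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        return False


def unrestricted_listeners(netstat_text: str) -> list[tuple[str, int, int]]:
    """Return (proto, port, pid) for every listener bound to all interfaces."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, and anything that is not a socket row
        proto, local = parts[0], parts[1]
        if proto == "TCP" and parts[3] != "LISTENING":
            continue  # established/time-wait rows are not exposure
        pid = int(parts[-1])  # UDP rows have no State column, so index from the end
        host, port = split_endpoint(local)
        if is_unrestricted(host):
            found.append((proto, port, pid))
    return found


def ucs_exposed(netstat_text: str, ucs_pids=UCS_PIDS) -> list[int]:
    """Ports on which the copy service process listens on all interfaces."""
    return sorted(port for _, port, pid in unrestricted_listeners(netstat_text) if pid in ucs_pids)


def open_restricted_listener(port: int = 0) -> socket.socket:
    """Bind to loopback only: the post-fix posture for a service that only
    needs to talk to software on the same host.  No routable address is
    bound, so a remote peer has nothing to connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    for proto, port, pid in unrestricted_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} (pid {pid}) is bound on all interfaces")
    print("UCS exposed on ports:", ucs_exposed(SAMPLE_NETSTAT))
    s = open_restricted_listener()
    print("restricted listener bound at", s.getsockname())
    s.close()
```

In the sample, the same process holds one socket on 0.0.0.0:29644 and one on 127.0.0.1:29645; only the first is flagged, which is the distinction the audit needs to make. The firewall and network-segmentation steps in the guidance above reduce who can reach an unrestricted listener, but only the patch (or a loopback bind) removes the exposure.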


Passwordless Authentication Adoption Increases but Poor Password Practices Persist

A recent survey of IT decision makers has provided insights into password management practices and confirmed the increasing adoption of passwordless authentication. This is the third year that the password manager provider Bitwarden has conducted its Password Decisions Survey. This year’s survey, conducted by Propeller Insights, polled 400 American IT decision makers and 2,000 Internet users about their password habits and their attitudes to password security and passwordless authentication technologies.

The survey confirmed that little has changed over the past 12 months, with poor password practices proving difficult to eliminate. Password manager use declined slightly year-over-year, with 84% of IT decision makers saying they use password management software at work, down from 84% in 2022 but up from 77% in 2021. The slight decline may be due in part to a significant data breach at LastPass in 2022. While the password manager itself was not breached, hackers gained access to an encrypted backup copy of the password vaults of an unspecified number of users.

Despite this, password managers are still widely thought to improve password security, and the survey indicates there is considerable demand from employees for password managers, with 79% of Internet users saying they would like their employer to provide one. While 84% of respondents said they use a password manager at work, poor password practices are still common, with 54% of respondents admitting to saving their passwords in a document on their computer (53% in 2022), 45% relying on memory for passwords (42% in 2022), and 29% writing their passwords down (unchanged). 22% of employees claim they have been reusing the same password for more than a decade.

While 66% of IT decision makers said they share passwords securely via a password manager, a significant percentage use less secure methods such as email (41%), shared online documents (38%), chat and messaging apps (30%), verbal disclosure (27%), and written notes (22%). Worryingly, 90% of IT decision makers admitted to reusing passwords in the workplace, down slightly from 92% in 2022. Among the respondents who do reuse passwords, the extent of reuse is decreasing: 11% reuse passwords on 15+ sites (15% in 2022), 24% use the same password on 10-15 sites (27% in 2022), 36% reuse passwords on 5-10 sites (33% in 2022), and 19% use the same password on 1-5 sites (16% in 2022).

Two-factor authentication (2FA) can significantly improve security, and adoption is growing, with 92% of respondents saying they use it in the workplace, up from 88% in 2022. The most common reasons for not implementing 2FA are believed to be a failure to understand the benefits, a belief that passwords alone provide good enough protection, a belief that account hacking is unlikely, and the negative effect of the additional authentication step on workflows.

Despite the risks of using unauthorized software and hardware (shadow IT), 32% of IT decision makers admitted to using unauthorized devices and software, as did 49% of employees. The majority of people who admitted to using shadow IT (73%) said they did so because it helps them work more efficiently. 52% said they still used unauthorized software or hardware when they were unable to get authorization to use it, and 50% went ahead because of slow response times for authorization from the IT department.

The increasing cost of data breaches and the rate at which they are occurring have prompted organizations to seek cyber insurance. 75% of surveyed IT decision makers said they have cyber insurance policies, but insurers are demanding proof of security measures before they agree to provide coverage. IT decision makers said they had to demonstrate that they provided security awareness training to employees (65%), used multifactor authentication (64%), used a password manager (61%), had an incident response plan (50%), had adequate data backup processes (48%), and were patching regularly (28%). Only 3% of organizations were not required to provide any proof that these measures were in place.

Concern about password security and the number of password-related data breaches are driving the adoption of passwordless technology such as biometrics, passkeys, and security keys. 41% of respondents believe passwordless authentication provides better security, 24% say it improves the user experience, 17% say it reduces the burden on the IT department, and 19% believe it improves productivity. 57% of U.S. respondents said they were excited about passwordless technology, with 49% saying they have either deployed the technology or are planning to, although of those that have started to adopt passwordless authentication, 87% have yet to roll it out across the entire organization. Of the organizations that have adopted the technology, 51% use biometrics such as facial recognition, fingerprints, or voiceprints, and 31% use a physical item such as a security key or FIDO auth.

One of the major reasons for reluctance to use passwordless technology such as fingerprints, voiceprints, and face ID is the fear that the biometric data would be used against them, which was a concern for 36% of respondents that have yet to adopt the technology. 55% of respondents said they prefer to rely on memory for passwords, even though people who rely on memory tend to create much weaker passwords. Remembering passwords also leads to productivity losses: 58% of respondents said they regularly have to reset their passwords because they have forgotten them, with 12% saying it is an everyday occurrence.

The post Passwordless Authentication Adoption Increases but Poor Password Practices Persist appeared first on HIPAA Journal.