Progress Software has issued a warning about another vulnerability in its MOVEit Transfer file transfer software, an exploit for which is in the public domain. The announcement comes as the Clop ransomware group starts to name companies that were attacked by exploiting a separate zero-day bug in May, and CISA confirms the victims include several federal agencies.

The CVE for the latest vulnerability is still pending and there is no CVSS severity score at present; however, this is a critical vulnerability and a Proof-of-Concept (PoC) exploit for the new zero-day flaw has been shared by a security researcher on Twitter, although at the time of release, code execution is not believed to have been achieved. The attacks by the Clop gang demonstrate that MOVEit vulnerabilities can be weaponized and exploited in mass attacks, so mitigations should be implemented immediately and patches applied as soon they are released.

MOVEit Transfer Zero Day Mitigations and Fixes

According to Progress Software, all users must take action to address the latest MOVEit zero day bug. The steps that need to be taken are dependent on whether patches have been applied to fix the zero-day bug (CVE-2023-34362) that was exploited by Clop and patched on May 31, 2023, and a second critical SQL injection vulnerability – CVE-2023-35036 – a patch for which was released on June 9. The May 31 and June 9 patches and remediation steps should be followed first, if they have not been already, then the June 15, 2023, patch can be applied to fix the third zero-day (CVE pending).

If it is not possible to immediately apply the June 15, 2023, patch, users should disable all HTTP and HTTPs traffic to the MOVEit Transfer environment immediately (ports 80 and 443) to prevent unauthorized access. HTTP and HTTPs traffic should not be re-enabled until the June 15, 2023, patch has been applied. While this mitigation will prevent users from being able to log into their accounts via the web user interface, transfers will still be available since the SFTP and FTP/s protocols will continue to work, and admins will still be able to access MOVEit Transfer by connecting to the Windows server via remote desktop, and then navigating to https://localhost/

Details on patching all three vulnerabilities and the mitigation steps are detailed in the latest Progress Software alert.

Progress Software said, “We have taken HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPs traffic to safeguard their environments while the patch is finalized.”

Clop Starts Publishing Victims’ Names on Dark Web Data Leak Site

The Clop gang claimed responsibility for the attacks which exploited the May 2023 vulnerability (CVE-2023-34362), and while the victim count is not known, several hundred companies are understood to have been affected. Clop provided a deadline of June 14, 2023, for payment of the ransom demands, after which the group claimed it would start releasing the stolen data. On Wednesday, names started to be published on its data leak site which include the oil and gas company Shell, the University of Georgia (UGA) and University System of Georgia (USG), UnitedHealthcare Student Resources (UHSR), Putnam Investments, Heidelberger Druck, and Landal Greenpark. Several other companies have confirmed that they were affected although they have yet to be listed on the data leak site. Those companies include Zellis, Boots, Aer Lingus, and the BBC.

CISA Confirms Federal Agencies Impacted

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that several federal agencies were attacked by the Clop gang by exploiting the May 2023 vulnerability and that it is providing support to the agencies that have suffered intrusions. Eric Goldstein, CISA executive assistant director for cybersecurity, confirmed to CNN that it is currently trying to understand the impact of those intrusions. CISA Director, Jen Easterly, said the May 2023 attacks were opportunistic in nature and were not targeted at government agencies, and while Clop is a Russian ransomware group, the attacks are not believed to be connected to the Russian government. “Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” said Easterly. Government agencies known to have been affected include the Energy Department, which confirmed that two entities within the Department have been compromised.

The post Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and its international cybersecurity agency partners have issued a cybersecurity advisory about the LockBit ransomware operation, which has extorted $91 million from organizations in the United States since 2020 across 1,700 attacks.

“This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organizations understand and defend against this ransomware activity,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.”

The LockBit ransomware-as-a-service operation is the most prolific RaaS group, having listed more victims on its data leak site than any other ransomware operation. LockBit was behind 16% of ransomware attacks on state, local, tribal, and tribunal (SLTT) governments in 2022 and was the most commonly deployed ransomware variant last year. The group has attacked organizations of all sizes, including critical infrastructure entities such as financial services, food & agriculture, education, and healthcare, and 2023 attacks have continued in high numbers.

There are several reasons why LockBit has become the most prolific RaaS operation. Affiliates are recruited to conduct attacks and receive a share of the ransoms they generate, as is the case with other RaaS operations; however, LockBit pays its affiliates faster and provides them with their cut of ransom payments before payment is received by core members of the group. The group has developed an easy-to-use interface for its affiliates which lowers the bar for new affiliates, who require less technical skill to start conducting ransomware attacks than with other ransomware variants. The group also engages in publicity-generating exercises, disparages other RaaS operations, and has even taken steps to discourage individuals from disclosing the identity of the lead member of the group (LockBitSupp) to law enforcement by offering a $1 million bounty on information that could lead to LockBitSupp’s identification.

Due to the large number of affiliates working within the LockBit operation, the tactics, techniques, and procedures (TTPs) used in attacks are diverse so network defenders face significant challenges defending against attacks. The security advisory details the TTPs that CISA, the FBI, and their international cybersecurity partners have observed in LockBit ransomware attacks over the past 3 years, along with a lengthy list of mitigations to help network defenders take proactive steps to improve their defenses against LockBit attacks. The advisory includes around 30 different freeware and open source tools that have been used by LockBit affiliates, 9 CVEs that are known to have been exploited, and more than 40 MITRE ATT&CK techniques for initial access, discovery, credential access, privilege escalation, lateral movement, persistence, defense evasion, collection, command and control, data exfiltration, and execution.

“The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, and encouraged all victims of cybercrime to report incidents to their local FBI field office.

The post Comprehensive LockBit Ransomware Cybersecurity Advisory Issued by CISA & Partners appeared first on HIPAA Journal.

The Health Sector Cybersecurity and Coordination Center (HC3) has compiled a profile of the FIN11 threat group (TA505/Lace Tempest/Hive0065) which is known to target organizations in the healthcare and public health (HPH) sector. Historically, FIN11 has conducted phishing campaigns but has now migrated to other attack vectors against companies in North America and Europe. The group is financially motivated and often engages in data theft for extortion, with or without ransomware.

Recent attacks include the exploitation of zero day vulnerabilities in file transfer solutions to gain access to sensitive data, which is stolen and threatened to be released if a ransom is not paid. FIN11 often deploys CLOP ransomware in its attacks, although it is unclear exactly how many CLOP ransomware attacks FIN11 has conducted. The ransom demands in these attacks vary based on the perceived ability of the victim to pay and typically range from a few hundred thousand dollars to $10 million.

FIN11 phishing and spear phishing campaigns have used a combination of malicious attachments and hyperlinks, and fake download pages have been used to trick people into downloading malware. FIN11 is thought to have been involved in the mass exploitation of vulnerabilities in the MOVEit and Accellion FTA file transfer solutions, the PaperCut MF and NG vulnerability in 2023, the Windows ZeroLogon vulnerability in October 2020, and several other vulnerabilities. FIN11 also targeted HPH sector organizations during the COVID-19 pandemic.

FIN11 is known to deploy a range of different malware variants after gaining initial access to networks. In addition to CLOP ransomware, the group has deployed the LEMURLOOT web shell, P2P RAT, FlawedAmmyy and FlawedGrace remote access Trojans, and Cobalt Strike, along with a host of other tools to allow the group to achieve its objectives.

Due to the range of different attack vectors, mitigations are varied and involve strong email security measures, prompt patching of known vulnerabilities, endpoint detection solutions, and active monitoring of security alerts for signs of compromise. HC3 recommends that healthcare organizations consider FIN11 a top priority for their security teams, as the group poses a significant threat to the HPH sector.

The post HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams appeared first on HIPAA Journal.

A critical vulnerability in Fortinet’s FortiOS and FortiProxy SSL VPN has potentially already been exploited by malicious actors. The vulnerability, tracked as CVE-2023-27997, is a heap buffer overflow issue in FortiOS and FortiProxy SSL-VPN which can be exploited remotely, pre-authentication, to execute code via malicious requests to vulnerable devices. The flaw can be exploited even if multifactor authentication has been enabled.

Fortinet firewalls and VPNs are widely used and vulnerabilities are actively sought by malicious actors and have been rapidly exploited in the past. A search on the Shodan search engine indicates around 250,000 Fortinet firewalls are accessible over the Internet and the majority of those are thought to be vulnerable. Fortinet said the vulnerability was identified during a code audit conducted in response to a series of attacks exploiting a separate zero-day vulnerability – CVE-2022-42475 – in FortiOS SSL VPN that was disclosed in January. Those attacks were linked to the Chinese state-sponsored threat group, Volt Typhoon, which has been active since mid-2021 and has previously targeted critical infrastructure entities in the United States. Fortinet has not linked exploits of the most recently disclosed vulnerability to Volt Typhoon, but said the threat actor and other threat groups will likely target the vulnerability and that there may already have been limited attacks against government, manufacturing, and critical infrastructure.

Fortinet issued a security advisory on June 12 about the vulnerability, which affects virtually all versions of FortiOS and FortiProxy. Patches have been released to fix the vulnerability and customers have been urged to update their firmware to the latest version. Fortinet said the vulnerability is mitigated if customers are not operating SSL-VPN; however, all users have been recommended to update to the latest firmware version regardless.

While there is only believed to have been limited exploitation of the flaw, now that patches have been released threat actors will compare the new releases with previous firmware versions to work out what has changed and will likely rapidly discover and develop exploits for the vulnerability, so immediate patching is strongly recommended.  All users should ensure they have updated to the following firewall and VPN versions:

FortiOS-6K7K

• FortiOS-6K7K version 7.0.12 or above
• FortiOS-6K7K version 6.4.13 or above
• FortiOS-6K7K version 6.2.15 or above
• FortiOS-6K7K version 6.0.17 or above

FortiOS

• FortiOS version 7.4.0 or above
• FortiOS version 7.2.5 or above
• FortiOS version 7.0.12 or above
• FortiOS version 6.4.13 or above
• FortiOS version 6.2.14 or above
• FortiOS version 6.0.17 or above

FortiProxy

• FortiProxy version 7.2.4 or above
• FortiProxy version 7.0.10 or above

The post Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability appeared first on HIPAA Journal.

The HHS’ Health Sector Cybersecurity Coordination Center has issued a threat brief to highlight the types of cyber threat actors that target the health and public health sector (HPH), and their differing objectives, tactics, techniques, and procedures.

The HPH sector is a relatively easy target for cybercriminals compared to other industry sectors. There is a complex supply chain involving many different vendors, a large attack surface with many IoT and IoMT-connected devices that are difficult to secure, reliance on outdated software and operating systems that have reached end-of-life, and HPH sector organizations often find it difficult to recruit and retain skilled cybersecurity staff.

HPH sector organizations also store large quantities of data that can be easily monetized and used for a range of nefarious purposes such as identity theft, blackmail, and insurance fraud. Since the sector is highly regulated, there are often costly legal ramifications for healthcare organizations that suffer data breaches, and successful attacks can cause significant reputational damage which makes the HPH sector an ideal target for extortion. Nation-state actors often target HPH sector organizations to steal research data to gain a technological advantage and collect sensitive data and cause disruption in line with national priorities.

The HPH sector is targeted by financially motivated cybercriminals, politically motivated hacktivists and nation-state actors, malicious insiders for financial gain or retaliation, cyberterrorists who wish to cause harm, and script kiddies who seek attention, want to create chaos, gain kudos within the hacking community, or simply have fun. Regardless of the threat actor, the attacks can have serious financial and reputational implications and often put patient safety at risk.

While the motivations behind healthcare cyberattacks are varied, there are common initial access vectors that are used by the different types of threat actors. Phishing and social engineering attacks exploit human weaknesses to gain initial access to healthcare networks and sensitive data. Vulnerabilities in software and operating systems are targeted for initial access, man-in-the-middle attacks intercept sensitive data, and Distributed-Denial-of-Service attacks and wiper malware are used to cause disruption to critical systems. Attacks often involve malware that steals data and provides persistent access to networks, adware is used for tracking, information theft, and driving traffic to websites, and ransomware is often deployed for data theft and extortion.

The threat brief provides information on the different types of threat actors and their motivations to help network defenders gain a better understanding of their adversaries, and includes information on the most active threat groups that are known to target the HPH sector.

The post HC3 Raises Awareness of Diverse Threat Actors Targeting the HPH Sector appeared first on HIPAA Journal.

A zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) started to be exploited by a cyber threat actor at scale over the Memorial Day weekend. Progress Software issued an advisory about the vulnerability on May 31, 2023, and rapidly released patches to fix the flaw, but not in time to prevent mass exploitation of the vulnerability. Remote exploitation of the flaw allowed access to be gained to the MOVEit server database, providing access to customer data.

A few days later, several major companies confirmed they had been impacted by the attacks, including the airlines British Airways and Aer Lingus, the UK drugstore chain Boots, the University of Rochester in New York, and the Nova Scotia provincial government, which had all fallen victim and had data exfiltrated through their payroll and HR service provider, Zellis. Nova Scotia Health has confirmed that the personal information of up to 100,000 employees was stolen in the attack.

The Clop ransomware gang and associated FIN11 threat group were suspected of involvement in the mass exploitation of the vulnerabilities as they had previously targeted vulnerabilities in file transfer solutions, exploiting zero-day vulnerabilities in the Accellion FTA and Fortra’s GoAnywhere MFT. Microsoft, Mandiant, and others attributed the attacks to Clop/FIN11, with Microsoft attributing the attacks to a Clop affiliate it tracks as Lace Tempest, and Mandiant attributed the attacks to a newly created threat cluster it tracks as UNC4857, also linked to Clop/FIN11. Mandiant confirmed to The HIPAA Journal that it has seen evidence of data exfiltration at multiple companies and that targeted applications were infected with a webshell called LEMURLOOT. Shodan scans revealed more than 2,500 instances of MOVEit software are exposed to the Internet and Censys reported more than 3,000 hosts running the service, all of which were potentially vulnerable.

Clop Ransomware Group Claims Responsibility for the Attacks

Around a week after the news broke about the exploits, the Clop ransomware gang claimed responsibility for the attacks and confirmed that ransom demands had been issued along with threats to release the stolen data if the ransoms are not paid, giving breached firms until June 14 to pay up or face data exposure. While the Clop group uses ransomware, these attacks involved data theft and exploitation without encryption, as was the case with the attacks on the Accellion FTA and GoAnywhere MFT.

On June 7, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint security advisory and provided a list of recommended mitigations to reduce the impact of Clop exploits. A few days earlier, on June 2, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert, warning that the health and public health sector was potentially at risk from the vulnerability.

The number of victims has yet to be determined, and in contrast to the GoANywhere MFT attacks, the Clop group has not publicly stated how many attacks were conducted but did say it was in the hundreds. The scale of the attacks should start to become clearer from June 14 if Clop is true to its word and starts publishing stolen data, although it may take several weeks or months before the full extent of the exploitation of the vulnerability is known.

Clop May Have Known About Vulnerability for 2 Years

Cybersecurity firm GreyNoise reports that it traced scanning activity associated with the vulnerability to March 3, 2023, and security experts at Kroll said they found evidence to indicate Clop was testing ways to exploit the vulnerability and obtain data in April 2023; however, they also found evidence of similar manual activity related to the exploit as early as July 2021, suggesting the Clop actors have known about the vulnerability for almost two years. The researchers suggest they waited until they had the automation tools available to allow exploitation at scale.

The post Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms appeared first on HIPAA Journal.

Remote access software is used by organizations and their vendors to improve efficiency and productivity and cut costs; however, the same remote access tools can be leveraged by cyber threat actors for a range of malicious purposes while evading detection by security solutions.

Benefits and Risks of Remote Access Software

Remote access software is used for a wide range of purposes and is especially useful for remotely managing and monitoring IT systems and devices. IT support teams use the software to troubleshoot IT issues, provide IT helpdesk support, perform backups and data recovery, reconfigure devices, install new software, apply patches to fix vulnerabilities, and monitor for suspicious network activity. Managed Service Providers (MSPs) extensively use these tools to access clients’ networks to perform a wide range of contracted services.

While the software can improve efficiency and productivity and reduce costs, there is considerable potential for misuse of the software, and remote access solutions are actively targeted by cyber threat actors. By abusing these tools, cyber threat actors can gain broad access to internal systems, and since these tools are legitimately used by members of the workforce and third-party contractors, connections are often not flagged as malicious by security solutions which means malicious actors can hide their activities.

Remote access software is used to gain access to internal networks and maintain persistence, and it is common for threat actors to leverage the software and tools that are already present on the compromised system to sustain their malicious activities. By using these living-off-the-land (LOTL) techniques malicious actors do not need to download additional software, scripts, and tools, which makes intrusions, lateral movement, and data exfiltration difficult to detect.

Remote access software is one of the main ways that ransomware actors gain initial access to victims’ networks and evade security solutions. Cyber threat actors may also exploit vulnerabilities to gain access to systems then install legitimate remote access software or use social engineering techniques to trick individuals into installing the software to provide access to victims’ devices and the networks to which they connect.

Guidance on Securing Remote Access Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD), have recently published a guide for all organizations that use remote access software for regular business purposes, especially managed service providers, to help them defend against malicious use of the software.

The guide includes best practices, protections, and mitigations developed by CISA and the National Institute of Standards and Technology (NIST) based on existing cybersecurity frameworks to help organizations protect against the most common cyber threats and tactics, techniques, and procedures used by cybercriminal groups and nation-state threat actors. The guidance can be used by organizations of all types and sizes and includes specific best practices and recommendations for IT support teams and managed service providers.

Guide to Securing Remote Access Software – PDF

The post Guide Released on Securing Remote Access Software appeared first on HIPAA Journal.