A joint security alert has been issued to the healthcare and public health sector by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury warning about the threat of Maui ransomware attacks.

Since May 2021, North Korean state-sponsored cyber actors have been targeting organizations in the U.S. healthcare and public health sector and have been encrypting servers that support electronic medical record systems and diagnostic, imaging, and intranet services. These attacks have resulted in data encryption which has disrupted the services provided to patients and, in some cases, has resulted in disruption to services for long periods.

According to the advisory, initial access is gained to healthcare networks and the ransomware is deployed manually. The threat actors use a command-line interface to control the ransomware payload and launch attacks. Healthcare organizations are an attractive target for ransomware threat actors as they are heavily reliant on data for providing their services. Attacks can cause major disruption, loss of revenue,  and can threaten patient safety. As such, healthcare organizations are seen as more likely to pay ransoms and negotiate payments quickly. For this reason, the FBI, CISA, and the Treasury believe that the healthcare and public health sector will continue to be targeted.

The FBI obtained a sample of Maui ransomware and shared technical details based on its analysis. The methods used by North Korean threat actors to gain initial access to healthcare networks are not understood at this stage, but details have been shared about how attacks are conducted, along with indicators of compromise (IoCs) and a list of mitigations that healthcare and public health sector organizations are encouraged to implement as soon as possible.

The payment of ransom demands is highly discouraged by the FBI, CISA, and the Treasury. Payment does not guarantee file recovery, further ransom demands may be issued after payment is made, and there is no guarantee that it will be possible to decrypt files after paying the ransom. The alert also draws attention to the risk of sanctions by the Office of Foreign Assets Control (OFAC) of the U.S. Treasury if payment is made.

The alert draws attention to a September 2021 advisory from the Treasury that encourages all entities, including those in the healthcare and public health sector to adopt and improve their cybersecurity practices. When the recommended OFAC measures are implemented, OFAC will be more likely to apparent sanctions violations involving ransomware attacks with a non-public enforcement response.

The FBI says it understands that when a healthcare organization is faced with an inability to function, all options should be evaluated, including paying the ransom to protect shareholders, employees, and patients. In the event of an attack, regardless of whether the ransom is paid, the FBI should be notified, and information shared about the attack, including boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.

A long list of mitigations has been provided to help healthcare and public health sector organizations improve their defenses against these and other ransomware attacks. The mitigations, IoCs, and technical analysis of Maui ransomware can be found on this link.

The post Feds Warn of Threat of Maui Ransomware Attacks By North Korean State-Sponsored Hackers appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have issued a joint cybersecurity advisory about MedusaLocker ransomware.

The MedusaLocker threat group appears to operate as a ransomware-as-a-service operation, where affiliates are recruited to conduct the attacks for between 55 and 60% of any ransom payments they generate. MedusaLocker was first detected in September 2019 and has been used to attack a broad range of targets in the United States.

Once access to victims’ networks has been gained, a batch file is used to execute a PowerShell script which propagates MedusaLocker throughout the network. This is achieved by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and detect shared storage via Server Message Block (SMB) Protocol.

MedusaLocker will terminate security, accounting, and forensic software, restart the machine in safe mode to prevent security software from detecting the ransomware, and then files will be encrypted. All files are encrypted apart from those that are critical to the functionality of the victims’ devices. As is common with ransomware, local backups and shadow copies are deleted, and start-up recovery options are disabled.

A variety of vectors are used to gain initial access to networks, including spam and phishing email campaigns, with some campaigns having the ransomware payload directly attached to emails; however, by far the most common method of attack is exploiting vulnerable Remote Desktop Protocol (RDP) configurations.

Indicators of Compromise (IoCs) have been shared along with IP addresses, Bitcoin wallet addresses, email addresses, and TOR addresses are known to be used by the group. Several mitigations have been suggested, the most important of which are to prioritize remediating known vulnerabilities, enabling and enforcing multifactor authentication, and providing training to employees to help them recognize and avoid phishing attempts.

The post FBI, CISA, & FinCEN Sound Alarm About MedusaLocker Ransomware appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory for the healthcare and public health sector warning about three high-severity vulnerabilities in OFFIS DCMTK software. The software is used for examining, constructing, and converting DICOM image files, handling offline media, and sending and receiving images over a network connection.

The vulnerabilities affect all versions of DCMTK prior to version 3.6.7. If exploited, a remote attacker could trigger a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution.

Two path traversal vulnerabilities have been identified in the product which could be exploited to write malformed files into arbitrary directories under controlled names, allowing remote code execution. The product’s service class provider (SCP) is vulnerable to path traversal – CVE-2022-2119 – and the service class user (SCU) is vulnerable to relative path traversal – CVE-2022-2120. Both vulnerabilities have been assigned a CVSS v3 base score of 7.5 out of 10 (high severity).

The third flaw is a NULL pointer deference vulnerability that exists while processing DICOM files. The product dereferences a pointer that it expects to be valid, but if it is NULL, it causes the software to crash. The vulnerability could be exploited to trigger a denial-of-service condition. The vulnerability is tracked as CVE-2022-2121 and has been assigned a CVSS v3 base score of 6.5 out of 10 (high severity).

The vulnerabilities were reported to CISA by Noam Moshe of Claroty. OFFIS has corrected the vulnerabilities in DCMTK version 3.6.7. All users are advised to update to the latest version of the software as soon as possible to prevent exploitation of the flaws.

The risk of exploitation of vulnerabilities such as these can be minimized by ensuring the affected product, control systems, and devices are not exposed to the Internet. The product should be located behind a firewall and isolated from the business network, and if remote access is required, secure methods of connection should be used such as a Virtual Private Network (VPN). If a VPN is used, it should be kept up to date, as VPNs can contain vulnerabilities that can be exploited.

The post Warning Issued About 3 High-Severity Vulnerabilities in OFFIS DICOM Software appeared first on HIPAA Journal.

Hillrom Medical Device Management has announced that two vulnerabilities have been identified in certain Welch Allyn medical devices. If exploited the vulnerabilities could allow an unauthorized attacker to compromise software security by executing commands, gaining privileges, and reading sensitive information while evading detection.

The vulnerabilities affect the following Hillrom products:

• Welch Allyn ELI 380 Resting Electrocardiograph (versions 2.6.0 and prior)
• Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph (versions 2.3.1 and prior)
• Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph (versions 2.1.2 and prior)
• Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph (versions 2.2.0 and prior)

The two vulnerabilities were discovered by an anonymous researcher who reported to Hillrom. The most serious vulnerability – tracked as CVE-2022-26389 – has a CVSS v3 severity score of 7.7 out of 10 (high severity), and is due to improper access controls for restricting attempts at accessing resources by unauthorized individuals.

The second vulnerability – tracked as CVE-2022-26388 – has been assigned a CVSS v3 severity score of 6.4 out of 10 (medium severity) and is due to the use of hard-coded credentials for inbound authentication and outbound communication to external components.

Hillrom released a patch to fix the flaw in May 2022 for the Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph, and patches are scheduled to be released to address the vulnerabilities in the Welch Allyn ELI 380 and ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph devices by Q4, 2023.

The patches should be applied as soon as possible to prevent the exploitation of the flaws. If a patch is not yet available, Hillrom recommends applying the proper network and physical security controls to reduce risk:

• Ensure a unique encryption key is configured for ELI Link and Cardiograph.
• Where possible, use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service.

The post Vulnerabilities Identified in Welch Allyn Resting Electrocardiograph Devices appeared first on HIPAA Journal.

A bipartisan bill – The Strengthening Cybersecurity for Medical Devices Act – has been introduced that calls for the U.S. Food and Drug Administration (FDA) to review and update its guidelines on medical device cybersecurity more frequently to ensure devices are protected from potential hacking and cyberattacks.

The bill, introduced by Sen. Jacky Rosen (D-NV) and co-sponsored by Sen Todd Young (R-IN), calls for the Secretary of the Department of Health and Human Services (HHS), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA), to provide updated guidance on medical device cybersecurity to FDA every year, and for the FDA to issue updated guidelines and suggestions on medical device cybersecurity at least every two years. The frequency of updates needs to be improved to ensure the guidelines remain current, especially considering the fast-evolving threat landscape and the extent to which the healthcare industry is being targeted by cyber threat actors.

“Medical devices are increasingly connected to the Internet or other health care facility networks to provide features that improve the ability of health care providers to treat patients,” said Sen. Young. “Our bill helps ensure medical devices are protected from cyberattacks and used safely and securely in order to reduce risks and vulnerabilities for patients.”

The bill also calls for the FDA to share information publicly about federal resources for healthcare professionals, medical device manufacturers, and health systems that will help them identify and address vulnerabilities and to ensure they can access appropriate support. The Strengthening Cybersecurity for Medical Devices Act also requires the Government Accountability Office (GAO) to compile a report on cybersecurity vulnerabilities affecting medical devices and to make recommendations for improving federal coordination to support cybersecurity for medical devices.

“In light of increased cyber threats, we must strengthen the security of our health care system’s cyber infrastructure,” said Senator Rosen. “This bipartisan bill I introduced with Senator Young will ensure that medical devices and technologies are up to date with the latest cybersecurity, protecting patients and health care systems.”

The post Bipartisan Legislation Introduced to Strengthen Cybersecurity for Medical Devices appeared first on HIPAA Journal.

Another zero-day vulnerability has been identified that affects the same Windows tool as Follina. While the vulnerability is not known to have been exploited in the wild, the bug is exploitable and the recent interest and widespread exploitation of the Follina vulnerability make exploitation of this flaw more likely.

The vulnerability affects the Microsoft Diagnostic Tool (MSDT) and is a path traversal flaw that can be exploited to copy an executable file to the Windows Startup folder. The vulnerability can be exploited by sending a specially crafted .diagcab file via email or convincing a user to download the file from the Internet. .diagcab files are Cabinet files that include a diagnostic configuration file. In this attack, once the startup entry is implanted, the executable file will be run the next time Windows is restarted.

The vulnerability was identified and publicly disclosed by security researcher Imre Red in January 2020. Microsoft decided not to issue a fix as this was technically not a security issue, and since .diagcab files are considered unsafe they are automatically blocked in Outlook, on the web, and in other places. While Microsoft’s reasoning is understandable, there are other file types that are not technically executables and could potentially be abused, it is possible that threat actors could try to exploit the vulnerability, especially in attacks over the Internet.

“Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting a website, and it only takes a single click (or mis-click) in the browser’s downloads list to have it opened,” explained 0Patch. “No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing attacker’s code. From the attacker’s perspective, therefore, this is a nicely exploitable vulnerability with all Windows versions affected back to Windows 7 and Server 2008.”

Following the discovery of the Follina vulnerability, security researcher j00sean rediscovered the flaw and announced it last week. The vulnerability has been dubbed DogWalk and is considered to be sufficiently exploitable for 0Patch to develop micropatches to address the flaw.

The micropatches for the DogWalk vulnerability are being provided free of charge until Microsoft develops a patch to permanently fix the issue. The micropatches have been released for Windows 7, 10, and 11, and Windows Server 2008 R2, 2012/2012 R2, 2016, 2019, and 2022.

The post DogWalk Zero-day Windows MSDT Vulnerability Gets Unofficial Patch appeared first on HIPAA Journal.

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare sector about the threat from Emotet malware. Emotet was first detected in 2014 and was initially a banking Trojan; however, the malware has been updated over the years and has had new features added. In addition to serving as a banking Trojan, the malware includes a dropper for delivering other malware variants and is offered to other cybercriminal groups under the infrastructure-as-a-service (IaaS) model. Emotet has been used to deliver a range of malware variants including IcedID, Trickbot, Qbot, Azorult, and ransomware payloads such as Ryuk and BitPaymer.

According to Europol, Emotet is the most dangerous malware variant and has infected one in five organizations worldwide. Data from Malwarebytes indicates 80% of malware infections at healthcare organizations involved Trojans, and Emotet was the most common Trojan deployed in attacks on the healthcare sector. Europol considers Emotet to be the most dangerous malware currently in use.

Emotet is operated by the MUMMY SPIDER threat group, which was targeted in an international law enforcement operation in late 2020. Multiple cybersecurity agencies from the U.S., Canada, and Europe successfully took down the Emotet infrastructure in January 2021 and removed the disabled malware from infected devices in April 2021.

While Emotet activity was stopped, it didn’t take long for MUMMY SPIDER to start rebuilding the botnet. In November 2021, security researchers started to identify new Emotet activity as the botnet started to be rebuilt. According to HC3, the new command-and-control infrastructure of Emotet now consists of 246 systems (and growing), and the malware has been updated and has an enhanced dropper and new loader. The number of infected devices has been growing at an incredible rate.

Emotet malware is primarily delivered via email, most commonly via malicious Office attachments or hyperlinks to compromised websites where the payload is downloaded. Emotet has also been overserved being delivered in brute force attacks and by exploiting known vulnerabilities. Proofpoint has reported that the tactics, techniques, and procedures (TTPs) have been updated and new methods of delivery are being trialed, including emails with hyperlinks to OneDrive. These new tactics are being trialed in small campaigns to test their effectiveness and could be adopted in much larger campaigns. Proofpoint also suggests the threat group may have changed tactics and could continue conducting more limited attacks on selected targets.

Emotet is capable of self-propagation, hijacks email threats, and inserts a copy of itself into the messages which are sent to contacts. This method of distribution has proven to be highly effective, as the messages distributing the malware come from known and trusted sources, which increases the likelihood of the attachments being opened. In January the malware was observed dropping Cobalt Strike onto infected systems.

The best approach to take to block attacks is to implement layered defenses. HC3 has provided an analysis of the malware and the TTPs known to be used for distributing the malware in the threat brief, and recommends consulting government resources and implementing the suggested mitigations.

The post HC3 Warns Healthcare Sector About Growing Threat from Emotet Malware appeared first on HIPAA Journal.