An emergency directive has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to all federal agencies, requiring them to take steps to address two vulnerabilities in certain VMware products that are likely to be rapidly exploited in the wild, and two previous vulnerabilities in VMWare products that were disclosed in April which are being exploited by multiple threat actors, including Advanced Persistent Threat (APT) actors.

The latest vulnerabilities, tracked as CVE-2022-22972 (critical) and CVE-2022-22973 (high severity), and the two vulnerabilities from April affect 5 VMWare products:

• VMware Workspace ONE Access (Access) Appliance
• VMware Identity Manager (vIDM) Appliance
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation
• vRealize Suite Lifecycle Manager

CVE-2022-22972 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users. If a malicious actor has network access to the UI, the flaw can be exploited to gain administrative access without authentication. The vulnerability has been assigned a CVSS severity score of 9.8 out of 10.

CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager with a CVSS severity score of 7.8. If a malicious actor has local access, the flaw can be exploited to escalate privileges to root. Both flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The two vulnerabilities known to have been exploited in the wild are tracked as CVE 2022-22954 (critical) and CVE 2022-22960 (high severity). CISA says both vulnerabilities have been exploited in real-world attacks, individually and in combination, by multiple threat actors.

CVE 2022-22954 is a code injection vulnerability with a CVSS score of 9.8 that affects VMware Workspace ONE Access and Identity Manager products. Exploitation of the flaw allows threat actors to trigger server-side template injection, which can lead to remote code execution. CVE 2022-22960 is an improper privilege management issue with a CVSS score of 7.8 that affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation products, and allows threat actors to escalate privileges to root.

In one attack, a threat actor with network access to the web interface exploited CVE 2022-22954 to execute a shell command as a VMWare user, then exploited the second flaw to escalate privileges to root. After exploiting both flaws, the threat actor could move laterally to other systems, escalate permissions, and wipe logs. In another case, a threat actor deployed the Dingo-J-spy web shell after exploiting the flaws. Exploits for the two April vulnerabilities were developed by reverse-engineering the patches released by VMWare. Now patches have been released to fix the latest two vulnerabilities, similarly rapid exploitation of the flaws in the wild can be expected.

While the emergency directive only applies to Federal agencies, all organizations that are using vulnerable VMWare products should patch immediately or implement the recommended mitigations. The deadlines for Federal agencies to complete the required actions are May 23 and May 24, 2022.

The post CISA Issues Emergency Directive to Patch Vulnerable VMWare Products appeared first on HIPAA Journal.

A new bill has been introduced that seeks to address the cybersecurity of medical devices that will require manufacturers of medical devices to meet certain minimum standards for cybersecurity for the entire lifecycle of the products.

The medical device cybersecurity provisions of the bill – H.R. 7667 Food and Drug Amendments of 2022 – call for device manufacturers to “have a plan to appropriately monitor, identify, and address in a reasonable time postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and procedures,” and to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure.”

The processes and procedures should include making “updates and patches available to the cyber device and related systems throughout the lifecycle of the cyber device.” Those patches and updates are required on a reasonably justified regular cycle to address known vulnerabilities, and, as soon as possible out of cycle, to address critical vulnerabilities that could cause uncontrolled risks.

The bill also calls for manufacturers of medical devices to provide a cyber device software bill of materials in the labeling that states all commercial, open-source, and off-the-shelf software components that have been used in the devices, and manufacturers will need to comply with other requirements that may be introduced, such as being able to “demonstrate reasonable assurance of the safety and effectiveness of the device for purposes of cybersecurity.”

H.R. 7667 was proposed by Rep. Anna Eshoo, (D-CA), and was co-sponsored by Reps. Brett Guthrie, (R-KY), Frank Pallone, (D-NJ), and Cathy McMorris Rogers, (R-WA), and has now been referred to the House Committee on Energy and Commerce. The bill would amend the Food, Drug, and Cosmetic Act and extend the FDA user fee programs, which require manufacturers to pay fees when submitting applications to the FDA for product reviews. The amendments would extend the fee program to cover medical devices, prescription drugs, generic drugs, and other similar biological products.

Several bills have been introduced recently that seek to improve the cybersecurity of medical devices such as the PATCH Act, which was introduced by U.S. Senators Bill Cassidy, M.D. (R-LA) and Tammy Baldwin (D-WI) in March 2022. The PATCH Act also seeks to amend the Federal Food, Drug, and Cosmetic Act and requires all premarket submissions for medical devices to include details of the cybersecurity protections that have been implemented.

There is a clear need for changes to be made to current legislation to require medical device manufacturers to address cyber risks. The security of medical devices has attracted considerable attention of late due to the risk of vulnerabilities being exploited by cyber actors to gain access to healthcare networks, conduct denial-of-service attacks, and deliberately or inadvertently cause harm to patients.

While the FDA has published updated guidance for medical device manufacturers that includes recommendations for improving cybersecurity throughout the entire lifecycle of medical devices, they are only recommendations and are therefore non-binding.

The post Bill Introduced that Seeks to Improve Medical Device Cybersecurity appeared first on HIPAA Journal.

The average ransom payment in ransomware attacks fell by 34% in Q1, 2022, from an all-time high in Q4, 2021, according to ransomware incident response firm Coveware. The average ransom payment in Q1, 2022 was $211,259 and the median ransom payment was $73,906.

The fall in total ransom payments has been attributed to several factors. Coveware suggests ransomware gangs have been targeting smaller organizations and issuing lower ransom demands, due to the increased scrutiny by law enforcement when attacks are conducted on large enterprises. The median company size has been falling since Q4, 2020, and is now companies with around 160 employees. This appears to be the sweet spot, where the companies have sufficient revenues to allow sizable ransoms to be paid, but not so large that attacks will result in considerable scrutiny by law enforcement.

Another reason why total ransom payments have fallen is fewer victims of ransomware attacks have been paying the ransom. The number of victims of ransomware attacks that pay the ransom has been steadily declining, from 85% of victims in Q1 2019 to 46% of victims in Q1, 2022. Also, some of the most prolific ransomware operations have gone quiet, such as Maze and REvil (Sodinokibi).

Conti and LockBit are the most prolific ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, followed by BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware suggests that the affiliates who work with ransomware-as-a-service operations appear to be less keen to work with large RaaS groups, as those groups are often targeted by law enforcement. It is now common for affiliates to try smaller RaaS operations or even develop their own ransomware variants from leaked source code.

The most common attack vectors in ransomware attacks are phishing, Remote Desktop Protocol connections, and exploiting unpatched vulnerabilities in software and operating systems. Coveware has tracked an increase in other attack vectors since Q2, 2021, such as social engineering and the direct compromising of insiders. Social engineering attacks are similar to phishing but are highly targeted and often involve priming or grooming targeted employees before convincing them to provide access to the network. There has also been an increase in lone wolf attackers. Coveware identified the trend in late 2021, and it has continued throughout Q1, 2022. Attacks by these threat actors are often conducted on companies that have far better security than the average ransomware victim, such as multi-factor authentication properly enabled for all employees and critical resources.

In late 2019, the Maze ransomware operation started using double extortion tactics, where data is stolen from victims before files are encrypted. Payment must then be made for the decryptor and to prevent the publication or sale of stolen data. These tactics were rapidly adopted by many ransomware operations and became the norm, although there was a decline in attacks involving encryption and extortion in Q1, 2022. Double extortion was used in 84% of attacks in Q4, 2021, and 77% of attacks in Q1, 2022. While double extortion is likely to continue to be extensively used in attacks for the foreseeable future, Coveware expects the shift from data encryption to data extortion to continue, as data theft and naming and shaming victims are less likely to attract the attention of law enforcement. “Data theft without encryption results in no operational disruption but preserves the ability of the threat actor to extort the victim. We expect this shift from Big Game Hunting to Big Shame Hunting to continue,” explained Coveware in the report.

Coveware warned about paying the ransom to prevent the publication or sale of data, as there are no guarantees that payment will result in data deletion. In 63% of attacks where a ransom was paid to prevent publication or sale of stolen data, the attackers provided no proof of data deletion. In the remaining attacks where proof was provided, it could easily have been faked. When videos, screenshots, live screen shares, or deletion logs are provided as proof, victims must trust that a copy of the data has not been made. “In one notable case, we observed a threat actor explicitly state that they would not be deleting the stolen data if paid, and would keep it for future leverage against the victim,” said Coveware.

The post Average Ransom Payment Dropped by 34% in Q1, 2022 appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI) has issued a public service announcement warning about the threat of Business Email Compromise/Email Account Compromise (BEC/EAC) scams. The number of attacks reported to the FBI Internet Crime Complaint Center (IC3) and the amount of money lost to these scams continues to grow each year, with losses to BEC/EAC scams increasing 65% between July 2019 and December 2021.

BEC/EAC scams are the leading cause of losses to cybercrime. Between June 2016 and December 2021, IC3 received 241,206 complaints about domestic and international BEC/EAC attacks with reported losses of more than $43.3 billion. The IC3 2021 Internet Crime Report shows victims reported losses of $2.4 billion in 2021 across 19,954 complaints – around one-third of all losses to cybercrime in 2021. The actual losses to these scams are undoubtedly far higher, as many victims do not report the scams to the FBI, especially if the losses are relatively small.

BEC/EAC scams involve compromising email accounts and using them to send emails to businesses and individuals who perform legitimate transfers of funds requesting fraudulent transfers or changes to bank account information for upcoming payments. Statistical data shows the destination accounts for these transfers are most commonly overseas. The FBI says fraudulent transfers were made to banks in 140 countries, with Thailand topping the list followed by Hong Kong, China, Mexico, and Singapore.

The number of complaints about BEC/EAC scams involving cryptocurrencies has been growing. BEC/EAC scams involving cryptocurrencies started to be received by IC3 in 2018 when losses of less than $5 million. In 2021, cryptocurrency losses from BEC/EAC scams of $40 million were reported.

While it is common for scammers to target large enterprises that routinely perform transfers of millions of dollars, businesses of all sizes have been targeted including small local firms as well as individuals. The FBI says scams have been reported domestically in all 50 states, and reports have been received from victims in 177 countries.

BEC/EAC scams are conducted frequently because they have a high success rate and the ROI is so high. Fraudulent transfers are often for hundreds of thousands or millions of dollars, and the high success rate is due to the abuse of trust. The emails requesting transfers come from the email accounts of trusted individuals, such as company executives, vendors, and business partners, and the requests for transfers or bank account changes are often not questioned. The scams can also target sensitive data, such as the personally identifiable information of employees in W-2 forms.

Businesses and individuals should take steps to protect against BEC/EAC scams. These scams often start with phishing emails to obtain credentials to email accounts, so implementing a spam filtering solution to block the initial phishing emails will help to prevent email accounts from being compromised. 2-factor authentication should also be implemented to prevent stolen credentials from being used to access email accounts. Password policies should be implemented and enforced to prevent weak passwords from being set, which are vulnerable to brute force attacks.

Businesses should conduct security awareness training to teach employees how to recognize phishing emails and BEC/EAC scams and condition them to be wary of any email that requests login credentials or PII of any kind. The emails may appear to have been sent by trusted individuals and the reason for providing information often appears legitimate.

It is important to verify the email address used to send emails to ensure that the sender’s name and email address match, and to carefully check any URLs in emails to make sure they are associated with the business or individual they claim to be from. Employees should be alert to hyperlinks that may contain misspellings of the actual domain name. Employees’ computers and corporate-issued mobile devices should be configured to allow full email extensions to be viewed.

Since these scams often involve compromised internal email accounts and those of vendors, it is important to use secondary channels or two-factor authentication to verify requests for changes to account information and wire transfers, and businesses and individuals should monitor their financial accounts closely for irregularities such as missing deposits.

Victims of BEC/EAC scams should immediately report the incidents to their financial institution and request a recall of funds, and should also file a complaint with IC3. IC3’s Recovery Assist Team initiated the Financial Fraud Kill Chain (FFKC) in 2021 on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237 and achieved a 74% success rate, freezing funds totaling $329 million.

The post FBI Issues Warning About BEC Scams as Losses Increase to $43 Billion appeared first on HIPAA Journal.

Thursday, May 2, 2024, is World Password Day. Established in 2013, the event is observed on the first Thursday of May with the goal of improving awareness of the importance of creating complex and unique passwords and adopting password best practices to keep sensitive information private and confidential.

Passwords were first used to protect accounts against unauthorized access in computing environments in the 1960s. In 1961, researchers at the Massachusetts Institute of Technology (MIT) started using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709 and users could access the system through a dumb terminal, with passwords used to prevent unauthorized access to users’ personal files.

The system is widely believed to be the first to use passwords and was also one of the first to experience a password breach. In the mid-1960s, MIT Ph.D. researcher Allan Scherr needed more than his allotted 4-hour CTSS time to run performance simulations he had designed for the computer system. He discovered a way to print out all passwords stored in the system and used the passwords to gain extra time.

Passwords are now the most common way to secure accounts and while passwordless authentication, such as biometric identifiers and single sign-on, are becoming more popular, in the short to medium term passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access.

The Importance of Creating Strong Passwords

The use of passwords carries security risks, which World Password Day aims to address. One of the most common ways for hackers to gain access to accounts is to use stolen passwords. Phishing is used to target employees and trick them into disclosing their passwords, either via email, phone (vishing), or text message (SMiShing). Adopting 2-factor authentication will help to stop these attacks from succeeding. According to Microsoft, 2-factor authentication blocks more than 99% of automated attacks on accounts.

Hackers also use brute force tactics to guess weak passwords and take advantage of default credentials that have not been changed. If rate limiting is not implemented to lock accounts after a set number of failed login attempts, weak passwords can be guessed in a fraction of a second. Even strong passwords can be guessed in seconds or minutes if they are not sufficiently long.

In 2020, Hive Systems started publishing charts showing the time it takes for a hacker to brute force a password using a powerful, commercially available computer, and each year the table is updated to account for advances in computing technology. The chart clearly demonstrates the importance of creating strong passwords that include a combination of numbers, symbols, and upper- and lower-case letters and ensuring passwords contain enough characters. We recommend a minimum password length of 14 characters.

How long does it take to hack a password in 2024 – Source Hive Systems

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is difficult for most people, and it is made even harder due to the need to create passwords to protect multiple accounts – A study by NordPass suggests the average person has around 100 passwords. Many people struggle to create and remember more than one strong and unique password, so with so many accounts to secure it is unsurprising that people take shortcuts, but those password management shortcuts significantly weaken password security.

It is common for users to avoid creating unique passwords and they end up reusing the same password for multiple accounts. The problem with this is that if the password is compromised on one platform, either through brute force tactics, a phishing scam, or another method, all other accounts that use that password are at risk. Hackers take advantage of this common bad practice using a technique called credential stuffing. If they obtain a list of usernames and passwords from a data breach, they will attempt to access accounts on other unrelated platforms using those username and password combinations. This method only succeeds if there has been password reuse.

Changing passwords slightly by adding a number or substituting characters when creating new accounts isn’t much more secure, and will leave accounts susceptible to brute force attacks. If a hacker obtains a username and password combination, various permutations of that password will be attempted with that username. Writing down passwords is also a very bad idea.

Many businesses have implemented minimum complexity requirements for passwords, stipulating a minimum password length and composition requirements, yet it is common for employees to take shortcuts to make passwords easier to remember. It is possible to create a password that meets minimum complexity requirements yet is still incredibly weak. ‘Password’ is still one of the most commonly used passwords and it is usually the first one that is attempted when trying to hack an account. ‘P4ssw0rd!’ would meet the password complexity requirements imposed on many platforms, but it is still incredibly weak and offers next to no protection.

Global Password Management Survey Reveals Poor Password Management Practices

The 2024 Global Password Management Survey conducted by password management solution provider Bitwarden ahead of World Password Day confirms that extremely risky password practices are still incredibly common. The survey was conducted on more than 2,400 Internet users in the United States, United Kingdom, Australia, Germany, France, and Japan and asked questions about personal passwords, password habits at work, and the strategies that are adopted for managing passwords.

Despite the risks, 84% of respondents admitted to reusing passwords for multiple accounts, down from 90% in 2022. In 2024, 33% of respondents said they reuse passwords on 1-5 sites, 26% reuse passwords on 6-10 sites, 15% reuse passwords on 11-15 sites, and 11% use the same password to secure more than 15 sites. Password reuse is most common on personal accounts; however, 47% of respondents said they reuse passwords at work very (14%) or somewhat (33%) frequently.

Password manager use is increasing. 32% of respondents said they use a password manager at home, up from 30% last year, but only 30% of respondents said they use a password manager at work. 54% of respondents said they rely on memory to manage passwords at home, which suggests that the passwords they set are easy to remember and therefore not particularly complex. 36% of respondents said they use personal information in their passwords, and 60% said that the personal information they use in their passwords can be found in their social media accounts.

Workplace security habits were rated as generally secure by 53% of respondents; with 37% of respondents admitting to somewhat (31%) or very (6%) risky workplace security habits. Risky security habits were the use of weak or personal information-based passwords (39%), storing work passwords insecurely (35%), not using 2-factor authentication (2FA) or multifactor authentication (MFA) (33%), and sharing passwords insecurely (32%).

Account security can be greatly improved with 2FA/MFA, and while there are strong feelings that the additional authentication makes accessing accounts cumbersome, 2FA/MFA is now being widely adopted. 80% of respondents said they use 2FA for personal accounts, up from 66% in 2023, and only 28% of respondents said they do not use 2FA or MFA at work. Awareness of 2FA and MFA is improving, with only 7% of users saying they are not sure what those terms mean, down from 22% last year. While any form of MFA is better than none, SMS-based MFA is still the most common despite this method being the least secure. 65% of respondents said they used SMS-based MFA at home and 50% said SMS-based MFA was used at work.

2FA/MFA is vital for protecting accounts. In the event of a phishing attack where an employee discloses their password, 2FA/MFA can prevent that password from granting access to the account, thus preventing a costly data breach. However, while any form of 2FA/MFA is better than single-factor authentication, phishing-resistant MFA provides the best protection. Threat actors are now using phishing kits capable of stealing session cookies and MFA codes, thus bypassing MFA.

Password Security and Management Tips

World Password Day 2024 is the perfect time to assess password security and take steps to ensure that all accounts are properly secured with strong and unique passwords, and start following password best practices:

• Ensure a strong, unique password is set for all accounts
• Use a combination of upper- and lower-case letters, numbers, and symbols in passwords
• Use easy-to-remember passphrases rather than passwords, that have a minimum of 14 characters
• Never reuse passwords on multiple accounts
• Don’t use information in passwords that can be found in social media profiles (DOB, spouse or pet name, etc.) or is known to others
• Ensure 2-factor authentication is set up, especially for accounts containing sensitive data
• Use a secure password generator to generate random strings of characters
• Avoid using dictionary words and commonly used passwords
• Use a password manager for creating strong passwords and secure storage, and set a long and complex passphrase for your password vault.

The post World Password Day 2024 – Password Tips and Best Practices appeared first on HIPAA Journal.