The Cyber Safety Review Board (CSRB), established by President Biden in February 2022, has published a report on the Log4j vulnerability – CVE-2021-44228 – and associated vulnerabilities that were discovered in late 2021. The vulnerabilities affect the open source Java-based logging tool, Log4j, and, according to CSRB, they are endemic and are likely to be present in many systems for years to come.

The Log4j vulnerability can be exploited remotely to achieve code execution on vulnerable systems and was assigned a maximum CVSS severity score of 10 out of 10. According to the report, the vulnerabilities are among the most serious to be discovered in recent years.

The CSRB includes 15 cybersecurity leaders from the private sector and government and has been tasked with conducting reviews of major cybersecurity events and making recommendations for improving public and private sector cybersecurity. The Log4J vulnerability report is the first to be published by the CSRB since its formation.

“At this critical juncture in our nation’s cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security.”

For the Log4j vulnerability review, the CSRB engaged with almost 80 organizations to gain an understanding of how the vulnerability has been or is still being mitigated, in order to develop actional recommendations to prevent and effectively respond to future incidents such as this.

The report is broken down into three sections, providing factual information on the vulnerability and what happened, the findings and conclusions based on an analysis of the facts, and a list of recommendations. The 19 actionable recommendations are subdivided into four categories: Address the continued risks from theLog4j vulnerabilities; drive existing best practices for security hygiene; build a better software ecosystem; and investments in the future.

One of the most important recommendations is to create and maintain an accurate IT asset inventory, as vulnerabilities cannot be addressed if it is not known where the vulnerabilities exist. It is essential to have a complete software bill of materials (SBOM) that includes all third-party software components and dependencies used in software solutions. One of the biggest problems with addressing the Log4j vulnerabilities is understanding which products were affected. The report also recommends enterprises develop a vulnerability response program and a vulnerability disclosure and handling process and suggests the U.S. government investigate whether a Software Security Risk Assessment Center of Excellence is viable.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers.

The post Cyber Safety Review Board Says Log4j Vulnerabilities Endemic and Will Persist for Years appeared first on HIPAA Journal.

A joint security alert has been issued to the healthcare and public health sector by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury warning about the threat of Maui ransomware attacks.

Since May 2021, North Korean state-sponsored cyber actors have been targeting organizations in the U.S. healthcare and public health sector and have been encrypting servers that support electronic medical record systems and diagnostic, imaging, and intranet services. These attacks have resulted in data encryption which has disrupted the services provided to patients and, in some cases, has resulted in disruption to services for long periods.

According to the advisory, initial access is gained to healthcare networks and the ransomware is deployed manually. The threat actors use a command-line interface to control the ransomware payload and launch attacks. Healthcare organizations are an attractive target for ransomware threat actors as they are heavily reliant on data for providing their services. Attacks can cause major disruption, loss of revenue,  and can threaten patient safety. As such, healthcare organizations are seen as more likely to pay ransoms and negotiate payments quickly. For this reason, the FBI, CISA, and the Treasury believe that the healthcare and public health sector will continue to be targeted.

The FBI obtained a sample of Maui ransomware and shared technical details based on its analysis. The methods used by North Korean threat actors to gain initial access to healthcare networks are not understood at this stage, but details have been shared about how attacks are conducted, along with indicators of compromise (IoCs) and a list of mitigations that healthcare and public health sector organizations are encouraged to implement as soon as possible.

The payment of ransom demands is highly discouraged by the FBI, CISA, and the Treasury. Payment does not guarantee file recovery, further ransom demands may be issued after payment is made, and there is no guarantee that it will be possible to decrypt files after paying the ransom. The alert also draws attention to the risk of sanctions by the Office of Foreign Assets Control (OFAC) of the U.S. Treasury if payment is made.

The alert draws attention to a September 2021 advisory from the Treasury that encourages all entities, including those in the healthcare and public health sector to adopt and improve their cybersecurity practices. When the recommended OFAC measures are implemented, OFAC will be more likely to apparent sanctions violations involving ransomware attacks with a non-public enforcement response.

The FBI says it understands that when a healthcare organization is faced with an inability to function, all options should be evaluated, including paying the ransom to protect shareholders, employees, and patients. In the event of an attack, regardless of whether the ransom is paid, the FBI should be notified, and information shared about the attack, including boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.

A long list of mitigations has been provided to help healthcare and public health sector organizations improve their defenses against these and other ransomware attacks. The mitigations, IoCs, and technical analysis of Maui ransomware can be found on this link.

The post Feds Warn of Threat of Maui Ransomware Attacks By North Korean State-Sponsored Hackers appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have issued a joint cybersecurity advisory about MedusaLocker ransomware.

The MedusaLocker threat group appears to operate as a ransomware-as-a-service operation, where affiliates are recruited to conduct the attacks for between 55 and 60% of any ransom payments they generate. MedusaLocker was first detected in September 2019 and has been used to attack a broad range of targets in the United States.

Once access to victims’ networks has been gained, a batch file is used to execute a PowerShell script which propagates MedusaLocker throughout the network. This is achieved by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and detect shared storage via Server Message Block (SMB) Protocol.

MedusaLocker will terminate security, accounting, and forensic software, restart the machine in safe mode to prevent security software from detecting the ransomware, and then files will be encrypted. All files are encrypted apart from those that are critical to the functionality of the victims’ devices. As is common with ransomware, local backups and shadow copies are deleted, and start-up recovery options are disabled.

A variety of vectors are used to gain initial access to networks, including spam and phishing email campaigns, with some campaigns having the ransomware payload directly attached to emails; however, by far the most common method of attack is exploiting vulnerable Remote Desktop Protocol (RDP) configurations.

Indicators of Compromise (IoCs) have been shared along with IP addresses, Bitcoin wallet addresses, email addresses, and TOR addresses are known to be used by the group. Several mitigations have been suggested, the most important of which are to prioritize remediating known vulnerabilities, enabling and enforcing multifactor authentication, and providing training to employees to help them recognize and avoid phishing attempts.

The post FBI, CISA, & FinCEN Sound Alarm About MedusaLocker Ransomware appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory for the healthcare and public health sector warning about three high-severity vulnerabilities in OFFIS DCMTK software. The software is used for examining, constructing, and converting DICOM image files, handling offline media, and sending and receiving images over a network connection.

The vulnerabilities affect all versions of DCMTK prior to version 3.6.7. If exploited, a remote attacker could trigger a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution.

Two path traversal vulnerabilities have been identified in the product which could be exploited to write malformed files into arbitrary directories under controlled names, allowing remote code execution. The product’s service class provider (SCP) is vulnerable to path traversal – CVE-2022-2119 – and the service class user (SCU) is vulnerable to relative path traversal – CVE-2022-2120. Both vulnerabilities have been assigned a CVSS v3 base score of 7.5 out of 10 (high severity).

The third flaw is a NULL pointer deference vulnerability that exists while processing DICOM files. The product dereferences a pointer that it expects to be valid, but if it is NULL, it causes the software to crash. The vulnerability could be exploited to trigger a denial-of-service condition. The vulnerability is tracked as CVE-2022-2121 and has been assigned a CVSS v3 base score of 6.5 out of 10 (high severity).

The vulnerabilities were reported to CISA by Noam Moshe of Claroty. OFFIS has corrected the vulnerabilities in DCMTK version 3.6.7. All users are advised to update to the latest version of the software as soon as possible to prevent exploitation of the flaws.

The risk of exploitation of vulnerabilities such as these can be minimized by ensuring the affected product, control systems, and devices are not exposed to the Internet. The product should be located behind a firewall and isolated from the business network, and if remote access is required, secure methods of connection should be used such as a Virtual Private Network (VPN). If a VPN is used, it should be kept up to date, as VPNs can contain vulnerabilities that can be exploited.

The post Warning Issued About 3 High-Severity Vulnerabilities in OFFIS DICOM Software appeared first on HIPAA Journal.

Hillrom Medical Device Management has announced that two vulnerabilities have been identified in certain Welch Allyn medical devices. If exploited the vulnerabilities could allow an unauthorized attacker to compromise software security by executing commands, gaining privileges, and reading sensitive information while evading detection.

The vulnerabilities affect the following Hillrom products:

• Welch Allyn ELI 380 Resting Electrocardiograph (versions 2.6.0 and prior)
• Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph (versions 2.3.1 and prior)
• Welch Allyn ELI 250c/BUR 250c Resting Electrocardiograph (versions 2.1.2 and prior)
• Welch Allyn ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph (versions 2.2.0 and prior)

The two vulnerabilities were discovered by an anonymous researcher who reported to Hillrom. The most serious vulnerability – tracked as CVE-2022-26389 – has a CVSS v3 severity score of 7.7 out of 10 (high severity), and is due to improper access controls for restricting attempts at accessing resources by unauthorized individuals.

The second vulnerability – tracked as CVE-2022-26388 – has been assigned a CVSS v3 severity score of 6.4 out of 10 (medium severity) and is due to the use of hard-coded credentials for inbound authentication and outbound communication to external components.

Hillrom released a patch to fix the flaw in May 2022 for the Welch Allyn ELI 280/BUR280/MLBUR 280 Resting Electrocardiograph, and patches are scheduled to be released to address the vulnerabilities in the Welch Allyn ELI 380 and ELI 150c/BUR 150c/MLBUR 150c Resting Electrocardiograph devices by Q4, 2023.

The patches should be applied as soon as possible to prevent the exploitation of the flaws. If a patch is not yet available, Hillrom recommends applying the proper network and physical security controls to reduce risk:

• Ensure a unique encryption key is configured for ELI Link and Cardiograph.
• Where possible, use a firewall to prevent communication on Port 21 FTP service, Port 22 SSH (Secure Shell Connection), and Port 23 Telnet service.

The post Vulnerabilities Identified in Welch Allyn Resting Electrocardiograph Devices appeared first on HIPAA Journal.