Healthcare Cybersecurity

Bipartisan Legislation Introduced to Strengthen Cybersecurity for Medical Devices

A bipartisan bill, the Strengthening Cybersecurity for Medical Devices Act, has been introduced that calls for the U.S. Food and Drug Administration (FDA) to review and update its guidelines on medical device cybersecurity more frequently to ensure devices are protected from potential hacking and cyberattacks.

The bill, introduced by Sen. Jacky Rosen (D-NV) and co-sponsored by Sen. Todd Young (R-IN), calls for the Secretary of the Department of Health and Human Services (HHS), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency (CISA), to provide updated guidance on medical device cybersecurity to the FDA every year, and for the FDA to issue updated guidelines and suggestions on medical device cybersecurity at least every two years. The frequency of updates needs to be improved to ensure the guidelines remain current, especially considering the fast-evolving threat landscape and the extent to which the healthcare industry is being targeted by cyber threat actors.

“Medical devices are increasingly connected to the Internet or other health care facility networks to provide features that improve the ability of health care providers to treat patients,” said Sen. Young. “Our bill helps ensure medical devices are protected from cyberattacks and used safely and securely in order to reduce risks and vulnerabilities for patients.”

The bill also calls for the FDA to share information publicly about federal resources for healthcare professionals, medical device manufacturers, and health systems that will help them identify and address vulnerabilities and to ensure they can access appropriate support. The Strengthening Cybersecurity for Medical Devices Act also requires the Government Accountability Office (GAO) to compile a report on cybersecurity vulnerabilities affecting medical devices and to make recommendations for improving federal coordination to support cybersecurity for medical devices.

“In light of increased cyber threats, we must strengthen the security of our health care system’s cyber infrastructure,” said Senator Rosen. “This bipartisan bill I introduced with Senator Young will ensure that medical devices and technologies are up to date with the latest cybersecurity, protecting patients and health care systems.”

The post Bipartisan Legislation Introduced to Strengthen Cybersecurity for Medical Devices appeared first on HIPAA Journal.

DogWalk Zero-day Windows MSDT Vulnerability Gets Unofficial Patch

Another zero-day vulnerability has been identified that affects the same Windows tool as Follina. While the vulnerability is not known to have been exploited in the wild, the bug is exploitable and the recent interest and widespread exploitation of the Follina vulnerability make exploitation of this flaw more likely.

The vulnerability affects the Microsoft Diagnostic Tool (MSDT) and is a path traversal flaw that can be exploited to copy an executable file to the Windows Startup folder. The vulnerability can be exploited by sending a specially crafted .diagcab file via email or convincing a user to download the file from the Internet. Files with the .diagcab extension are Cabinet files that include a diagnostic configuration file. In this attack, once the startup entry is implanted, the executable file will be run the next time Windows is restarted.

The vulnerability was identified and publicly disclosed by security researcher Imre Rad in January 2020. Microsoft decided not to issue a fix as it did not consider this to be a security issue, and since .diagcab files are considered unsafe they are automatically blocked in Outlook, on the web, and in other places. While Microsoft’s reasoning is understandable, other file types that are not technically executables can be abused in the same way, so it is possible that threat actors could try to exploit the vulnerability, especially in attacks over the Internet.

“Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting a website, and it only takes a single click (or mis-click) in the browser’s downloads list to have it opened,” explained 0Patch. “No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing attacker’s code. From the attacker’s perspective, therefore, this is a nicely exploitable vulnerability with all Windows versions affected back to Windows 7 and Server 2008.”

Following the discovery of the Follina vulnerability, security researcher j00sean rediscovered the flaw and announced it last week. The vulnerability has been dubbed DogWalk and is considered to be sufficiently exploitable for 0Patch to develop micropatches to address the flaw.

The micropatches for the DogWalk vulnerability are being provided free of charge until Microsoft develops a patch to permanently fix the issue. The micropatches have been released for Windows 7, 10, and 11, and Windows Server 2008 R2, 2012/2012 R2, 2016, 2019, and 2022.
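The DogWalk flaw is only useful to an attacker because whatever lands in a Startup folder runs at the next sign-in, so a quick defensive check is to inventory those folders for recently created executable items. The script below is an added example written for this page, not code from HIPAA Journal or 0patch; it assumes it runs under the account whose Startup folder should be inspected, and the seven-day window and extension list are illustrative choices.

```powershell
# Added example (not from HIPAA Journal or 0patch): inventory the per-user and
# all-users Startup folders and flag recently created executable entries, the
# persistence location the DogWalk path traversal writes to.
# Assumptions: run as the user whose Startup folder should be checked; the
# 7-day window and the extension lists are illustrative, not vendor guidance.

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup')        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # Startup folder for all users
)
# Anything that executes, including shortcuts and script hosts
$ExecutableExtensions = @('.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.lnk', '.hta')
# Binaries that carry an Authenticode signature worth checking
$BinaryExtensions = @('.exe', '.dll', '.scr', '.com')

function Get-RecentStartupEntry {
    param(
        [string[]] $Folders = $StartupFolders,
        [int]      $Days    = 7
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force includes hidden files, which is where a dropped entry may try to hide
        Get-ChildItem -LiteralPath $folder -File -Force |
            Where-Object { $_.CreationTime -ge $cutoff } |
            ForEach-Object {
                $ext = $_.Extension.ToLower()
                $sigStatus = 'n/a'
                if ($BinaryExtensions -contains $ext) {
                    # NotSigned on a new binary in Startup is a strong triage signal
                    $sigStatus = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
                [pscustomobject]@{
                    Folder     = $folder
                    Name       = $_.Name
                    Created    = $_.CreationTime
                    Executable = ($ExecutableExtensions -contains $ext)
                    Signature  = $sigStatus
                }
            }
    }
}

# List everything recent for context, then warn on the executable subset
$entries = Get-RecentStartupEntry
$entries | Format-Table -AutoSize
$flagged = @($entries | Where-Object Executable)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} recently created executable item(s) found in Startup folders; review before the next restart" -f $flagged.Count)
}
```

Run it on a schedule or from an endpoint management tool and compare the output against a known-good baseline; an unsigned binary that appeared in a Startup folder shortly after a user opened a downloaded .diagcab file is exactly the artifact this vulnerability leaves behind.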

HC3 Warns Healthcare Sector About Growing Threat from Emotet Malware

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare sector about the threat from Emotet malware. Emotet was first detected in 2014 and was initially a banking Trojan; however, the malware has been updated over the years and has had new features added. In addition to serving as a banking Trojan, the malware includes a dropper for delivering other malware variants and is offered to other cybercriminal groups under the infrastructure-as-a-service (IaaS) model. Emotet has been used to deliver a range of malware variants including IcedID, Trickbot, Qbot, Azorult, and ransomware payloads such as Ryuk and BitPaymer.

According to Europol, Emotet is the most dangerous malware variant currently in use and has infected one in five organizations worldwide. Data from Malwarebytes indicates 80% of malware infections at healthcare organizations involved Trojans, and Emotet was the most common Trojan deployed in attacks on the healthcare sector.

Emotet is operated by the MUMMY SPIDER threat group, which was targeted in an international law enforcement operation in late 2020. Multiple cybersecurity agencies from the U.S., Canada, and Europe successfully took down the Emotet infrastructure in January 2021 and removed the disabled malware from infected devices in April 2021.

While Emotet activity was stopped, it didn’t take long for MUMMY SPIDER to start rebuilding the botnet. In November 2021, security researchers started to identify new Emotet activity as the botnet started to be rebuilt. According to HC3, the new command-and-control infrastructure of Emotet now consists of 246 systems (and growing), and the malware has been updated and has an enhanced dropper and new loader. The number of infected devices has been growing at an incredible rate.

Emotet malware is primarily delivered via email, most commonly via malicious Office attachments or hyperlinks to compromised websites where the payload is downloaded. Emotet has also been observed being delivered in brute force attacks and by exploiting known vulnerabilities. Proofpoint has reported that the tactics, techniques, and procedures (TTPs) have been updated and new methods of delivery are being trialed, including emails with hyperlinks to OneDrive. These new tactics are being trialed in small campaigns to test their effectiveness and could be adopted in much larger campaigns. Proofpoint also suggests the threat group may have changed tactics and could continue conducting more limited attacks on selected targets.

Emotet is capable of self-propagation: it hijacks existing email threads and inserts a copy of itself into reply messages that are sent to the victim’s contacts. This method of distribution has proven to be highly effective, as the messages distributing the malware come from known and trusted sources, which increases the likelihood of the attachments being opened. In January the malware was observed dropping Cobalt Strike onto infected systems.

The best approach to take to block attacks is to implement layered defenses. HC3 has provided an analysis of the malware and the TTPs known to be used for distributing the malware in the threat brief, and recommends consulting government resources and implementing the suggested mitigations.

Healthcare Ransomware Attacks Increased by 94% in 2021

Ransomware attacks on healthcare organizations increased by 94% year over year, according to the 2022 State of Ransomware Report from cybersecurity firm Sophos. The report is based on a global survey of 5,600 IT professionals and included interviews with 381 healthcare IT professionals from 31 countries. This year’s report focused on the rapidly evolving relationship between ransomware and cyber insurance in healthcare.

66% of surveyed healthcare organizations said they had experienced a ransomware attack in 2021, up from 34% in 2020, and the volume of attacks increased by 69%, which was the highest of all industry sectors. Healthcare had the second-highest increase (59%) in the impact of ransomware attacks.

According to the report, the number of healthcare organizations that paid the ransom has doubled year over year. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom, the highest percentage of any industry sector. The global average was 46%, which is almost twice the percentage of the previous year.

Paying the ransom may help healthcare organizations recover from ransomware attacks more quickly, but there is no guarantee that paying the ransom will prevent data loss. On average, after paying the ransom, healthcare organizations were only able to recover 65% of encrypted data, down from 69% in 2020. In 2020, 8% of healthcare organizations recovered all of their data after paying the ransom. That figure fell to just 2% in 2021.

While the healthcare industry had the highest percentage of victims paying the ransom for the decryption keys and to prevent the exposure of sensitive data, healthcare had the lowest average ransom payment, at $197,000. The global average across all industry sectors was $812,000. The ransom cost was lower in healthcare, but the overall cost of recovery was the second-highest of any sector, with the average total cost of a ransomware attack at $1.85 million, considerably higher than the global average of $1.4 million.

Even though there is a high risk of suffering a costly ransomware attack, there are relatively low levels of cyber insurance coverage in healthcare. Across all industry sectors, 83% of organizations had cyber insurance. Only 78% of surveyed healthcare organizations said they had a cyber insurance policy. Many cyber insurance providers stipulate that certain baseline security measures must be implemented in order to take out insurance policies, and the level of maturity of cybersecurity programs can have a big impact on the cost of insurance. 97% of healthcare organizations said they had upgraded their cybersecurity defenses to improve their cyber insurance position.

97% of healthcare organizations that had cyber insurance that covered ransomware attacks said the policy paid out, with 47% saying the entire ransom payment was covered by their cyber insurance provider; however, obtaining cyber insurance to cover ransomware attacks is getting much harder due to the extent to which the healthcare industry is being targeted.

Atlassian Releases Patch for Maximum Severity Widely Exploited Vulnerability in Confluence Server and Data Center

Atlassian has released a patch to fix a critical zero-day vulnerability that affects all supported versions of Confluence Server and Data Center. The vulnerability – tracked as CVE-2022-26134 – has a maximum CVSS severity score of 10 out of 10 and can be exploited remotely by unauthenticated attackers to achieve code execution. According to security researchers, exploiting the flaw is trivial, with no user interaction or privileges required.

Last week, cybersecurity firm Volexity detected exploitation of the vulnerability while responding to a security breach. The researchers were able to reproduce the exploit for the flaw and shared details of the vulnerability with Atlassian last week. Volexity reports that in the incident its researchers investigated, the attackers were most likely based in China and exploited the vulnerability to run malicious code and install webshells such as BEHINDER and China Chopper. The attackers conducted reconnaissance, checked local Confluence databases and dumped user tables, altered web access logs to remove traces of exploitation, and wrote additional webshells.

On Friday, Volexity President, Steven Adair, said in a Tweet, “It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far.”

Over the weekend, proof-of-concept exploits were widely released and exploitation accelerated. On Thursday, GreyNoise CEO Andrew Morris said 23 IP addresses were attempting to exploit the flaw, and by Friday the number had grown to 211.

It is essential for the patch to be applied immediately on Confluence Server and Data Center installations to prevent exploitation. Atlassian says the following product versions are affected: 7.4.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 7.15.1, 7.14.2, 7.17.0, 7.4.16, 7.18.0, 7.16.3, 7.13.6, and 7.17.3. Atlassian Cloud sites are unaffected.

Atlassian has fixed the vulnerability in versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. If it is not possible to patch immediately, it is essential to implement the mitigations suggested by Atlassian.
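Because the fix shipped on several release branches at once, the practical question for an administrator is whether each instance is at or above the fixed release for its own branch. The script below is an added example written for this page, not Atlassian tooling; it assumes the version string has already been read from each instance (for example from the Confluence administration page), and the sample inventory is constructed.

```powershell
# Added example (not Atlassian's tooling): classify a Confluence Server / Data
# Center version against the fixed releases for CVE-2022-26134 named above.
# Assumption: version strings are collected from the instances beforehand;
# the inventory below is constructed sample data.

$FixedVersions = @('7.4.17', '7.13.7', '7.14.3', '7.15.2', '7.16.4', '7.17.4', '7.18.1') |
    ForEach-Object { [version] $_ }

function Get-ConfluencePatchStatus {
    param([Parameter(Mandatory)][string] $Version)
    $v = [version] $Version
    # Locate the fixed release on the same major.minor branch (e.g. 7.13.x -> 7.13.7)
    $branchFix = $FixedVersions | Where-Object { $_.Major -eq $v.Major -and $_.Minor -eq $v.Minor }
    if (-not $branchFix) {
        # Branch not covered by the listed fixes: do not assume safe, check Atlassian's advisory
        $status = 'UnknownBranch'
        $target = $null
    } elseif ($v -ge $branchFix) {
        $status = 'Fixed'
        $target = $branchFix
    } else {
        $status = 'NeedsUpdate'
        $target = $branchFix
    }
    [pscustomobject]@{ Version = $v; Status = $status; UpgradeTo = $target }
}

# Constructed sample inventory: instance name -> version it reports
$inventory = [ordered]@{
    'wiki-01' = '7.13.6'   # listed as affected; below the 7.13.7 fix
    'wiki-02' = '7.18.1'   # already on a fixed release
    'wiki-03' = '7.12.5'   # branch without a listed fix
}

foreach ($name in $inventory.Keys) {
    $result = Get-ConfluencePatchStatus -Version $inventory[$name]
    $line = '{0}: {1} -> {2}' -f $name, $result.Version, $result.Status
    if ($result.UpgradeTo -and $result.Status -eq 'NeedsUpdate') {
        $line += " (upgrade to $($result.UpgradeTo))"
    }
    Write-Output $line
}
```

Run against the sample inventory this reports wiki-01 as NeedsUpdate with 7.13.7 as the target, wiki-02 as Fixed, and wiki-03 as UnknownBranch. Treat UnknownBranch as a prompt to consult Atlassian's advisory rather than as a clean result, and apply Atlassian's interim mitigations on anything that cannot be patched immediately.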

Healthcare Organizations Warned About Maximum Severity Vulnerabilities in Illumina Devices

Five vulnerabilities that require immediate patching have been identified in the Illumina Local Run Manager (LRM), which is used by Illumina In Vitro Diagnostic (IVD) devices and Illumina Research Use Only (RUO) instruments. The affected devices are used for clinical diagnostic DNA sequencing and testing for various genetic conditions, and for research use. Four of the vulnerabilities are critical, with three having a maximum CVSS severity score of 10 out of 10.

The vulnerabilities affect the following devices and instruments:

Illumina IVD Devices

  • NextSeq 550Dx: LRM Versions 1.3 to 3.1
  • MiSeq Dx: LRM Versions 1.3 to 3.1

Illumina RUO Devices

  • NextSeq 500 Instrument: LRM Versions 1.3 to 3.1
  • NextSeq 550 Instrument: LRM Versions 1.3 to 3.1
  • MiSeq Instrument: LRM Versions 1.3 to 3.1
  • iSeq 100 Instrument: LRM Versions 1.3 to 3.1
  • MiniSeq Instrument: LRM Versions 1.3 to 3.1

A threat actor could exploit the vulnerabilities remotely, take control of the instruments, and perform any action at the operating system level such as modifying the settings, configurations, software, or data on the instrument. It would also be possible to exploit the vulnerabilities to interact with the connected network through the affected product.

The vulnerabilities are:

  • CVE-2022-1517 – A remote code execution vulnerability due to the LRM utilizing elevated privileges, which would allow a malicious actor to upload and execute code at the operating system level. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1518 – A directory traversal vulnerability that allows a malicious actor to upload outside the intended directory structure. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1519 – The failure to restrict uploads of dangerous file types. A malicious actor could upload any file type, including executable code that allows for a remote code exploit. The vulnerability has a CVSS v3 severity score of 10 (critical)
  • CVE-2022-1521 – A lack of authentication or authorization in the default configuration, which would allow a malicious actor to inject, replay, modify, and/or intercept sensitive data. The vulnerability has a CVSS v3 severity score of 9.1 (critical)
  • CVE-2022-1524 – A lack of TLS encryption for the transmission of sensitive information, putting information – including credentials – at risk of interception in a man-in-the-middle attack. The vulnerability has a CVSS v3 severity score of 7.4 (high severity)

The vulnerabilities were reported to Illumina by Pentest, Ltd. Illumina has developed a software patch that will prevent the vulnerabilities from being exploited remotely as an interim fix while a permanent solution is developed for current and future instruments.

The U.S. Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency (CISA) have issued security alerts urging immediate action to be taken to address the vulnerabilities.

Illumina has made the patch available for download for Internet-connected instruments. If the instruments are not connected to the Internet, users should contact Illumina Tech Support.

FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital

In 2021, Iranian state-sponsored hackers attempted a destructive cyberattack on Boston Children’s Hospital, which the Federal Bureau of Investigation (FBI) was able to successfully block before the hospital’s computer network was damaged. FBI Director Christopher Wray said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.”

Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat.

Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident response plan that includes the FBI. Wray said this incident highlights the risk of high impact cyberattacks by nation-state threat actors from Russia, China, Iran, and North Korea, and said “We cannot let up on China or Iran or criminal syndicates while we’re focused on Russia.”

In November 2021, the FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC) in the UK, and the Australian Cyber Security Centre (ACSC) issued a security alert warning the healthcare sector and operators of critical infrastructure about an Iranian nation-state Advanced Persistent Threat actor who was known to be exploiting Microsoft Exchange and Fortinet vulnerabilities to steal data, conduct ransomware attacks and extort money from victims.

Wray did not specify what type of attack the threat actor was attempting to conduct, only that a cyberattack could have damaged the network, which could have had a devastating impact on the sick children that depend on it. The cyberattack in question appears to have been conducted through an HVAC vendor.

In August 2021, a threat actor contacted Databreaches.net and shared evidence of a successful attack on an HVAC vendor, claiming that they had breached the HVAC vendor’s systems and also had access to the systems of a children’s hospital. It was confirmed that the HVAC vendor in question was ENE Systems, which provides services to the Harvard-linked hospitals Boston Children’s Hospital, Brigham & Women’s Hospital, and Mass General Hospital.

Boston Children’s Hospital is no stranger to cyberattacks. Back in 2014, the hospital suffered a series of attacks that disrupted its systems for more than a week. The attacks were conducted in retaliation for how the hospital handled the case of patient Justina Pelletier, who was involved in a custody battle. The individual behind that attack was apprehended and convicted and was sentenced to 10 years in jail in 2019.

BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities

BD has issued security advisories about two vulnerabilities that affect certain BD Pyxis automated medication dispensing system products and the BD Synapsys microbiology informatics software platform.

BD Pyxis – CVE-2022-22767

According to BD, certain BD Pyxis products have been installed with default credentials and may still operate with those credentials. In some scenarios, the affected products may have been installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types.

If a threat actor were to exploit the vulnerability, it would be possible to gain privileged access to the underlying file system, which would allow access to ePHI or other sensitive information. The vulnerability is tracked as CVE-2022-22767 and has a CVSS v3 base score of 8.8 out of 10 (high severity).

The following products are affected by the vulnerability:

  • BD Pyxis ES Anesthesia Station
  • BD Pyxis CIISafe
  • BD Pyxis Logistics
  • BD Pyxis MedBank
  • BD Pyxis MedStation 4000
  • BD Pyxis MedStation ES
  • BD Pyxis MedStation ES Server
  • BD Pyxis ParAssist
  • BD Pyxis Rapid Rx
  • BD Pyxis StockStation
  • BD Pyxis SupplyCenter
  • BD Pyxis SupplyRoller
  • BD Pyxis SupplyStation
  • BD Pyxis SupplyStation EC
  • BD Pyxis SupplyStation RF auxiliary
  • BD Rowa Pouch Packaging Systems

BD said it is working with customers whose domain-joined server(s) credentials require updating and it is strengthening the credential management capabilities of BD Pyxis products.

BD recommends the following compensating controls for users of Pyxis products utilizing default credentials:

  • Restrict physical access to Pyxis products to only authorized personnel
  • Tightly control management of system passwords
  • Monitor and log network traffic attempting to reach the affected products for suspicious activity
  • Isolate affected products in a secure VLAN or behind firewalls and only permit communication with trusted hosts in other networks, when needed

BD Synapsys – CVE-2022-30277

Certain BD Synapsys products are affected by an insufficient session expiration vulnerability, which could potentially allow an unauthorized individual to access, modify, or delete sensitive information such as ePHI, which could potentially result in delayed or incorrect treatment. BD says a physical breach of a vulnerable workstation would be unlikely to lead to the modification of ePHI as the sequence of events has to be conducted in a specific order. The vulnerability is tracked as CVE-2022-30277 and has been assigned a CVSS v3 base score of 5.7 out of 10 (medium severity).

The vulnerability affects BD Synapsys versions 4.20, 4.20 SR1, and 4.30. The flaw will be addressed in BD Synapsys v4.20 SR2, which will be released this month.

BD has suggested the following compensating controls:

  • Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys.
  • Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys workstations.
  • Place a reminder at each computer for users to save all work and log out or lock their workstation when leaving the BD Synapsys workstation.
  • Ensure industry standard network security policies and procedures are followed.

BD has alerted CISA, the FDA, and ISACs about the vulnerabilities under its responsible vulnerability disclosure policy.

Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled

Microsoft has issued a security advisory and has provided a workaround to prevent a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) from being exploited.

The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.”

Over the weekend, security researcher nao_sec found a Word document that was leveraging remote templates to execute PowerShell commands on targeted systems via the MS-MSDT URL protocol scheme. In a recent blog post, security researcher Kevin Beaumont said the documents are not being detected as malicious by Microsoft Defender and detection by antivirus solutions is poor as the documents used to exploit the vulnerability do not contain any malicious code. Instead, they leverage remote templates to download an HTML file from a remote server, which allows an attacker to run malicious PowerShell commands.

Most email attacks that use attachments for malware delivery require macros to be enabled; however, this vulnerability can be exploited even with macros disabled. The vulnerability is exploited when the attached file is opened. Beaumont also showed that zero-click exploitation is possible if an RTF file is used, as the flaw can then be triggered through the preview pane in Windows Explorer without opening the document.

Microsoft said if an attacker successfully exploits the vulnerability, malicious code can be run with the privileges of the calling application. It would allow an attacker to install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability can be exploited in all Office versions since 2013, including the current version of Office 365.

The vulnerability was initially reported to Microsoft in April and the flaw was assigned a CVSS score of 7.8 out of 10 (high severity), as Microsoft did not consider the Follina vulnerability to be critical. Microsoft has now issued a workaround and guidance that involves disabling the MSDT URL Protocol until a patch is released. Immediate action is required to prevent the vulnerability from being exploited. Vulnerabilities that can be exploited via Office are rapidly adopted by threat actors, especially when they can be exploited with macros disabled.

Multiple threat actors are known to be exploiting the flaw, including the Chinese threat actor TA413, according to Proofpoint. According to Palo Alto Networks’ Unit 42 team, “Based on the amount of publicly available information, the ease of use, and the extreme effectiveness of this exploit, Palo Alto Networks highly recommends following Microsoft’s guidance to protect your enterprise until a patch is issued to fix the problem.”
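The workaround Microsoft published amounts to unregistering the ms-msdt: URL protocol handler so that a document can no longer hand a crafted URL to MSDT, and restoring it once a patch is installed. The script below is an added example written for this page, not Microsoft's script; it wraps the `reg.exe export` and `reg.exe delete` steps Microsoft's guidance describes, assumes an elevated PowerShell session, and the backup location under ProgramData is an illustrative choice.

```powershell
# Added example (not Microsoft's script; the reg.exe export/delete steps follow the
# workaround Microsoft published for CVE-2022-30190): remove the ms-msdt: URL
# protocol handler after backing up its registry key, and restore it later.
# Assumptions: elevated session; $BackupFile location is illustrative.

$HandlerKey  = 'HKEY_CLASSES_ROOT\ms-msdt'
$HandlerPath = "Registry::$HandlerKey"
$BackupFile  = Join-Path $env:ProgramData 'ms-msdt-handler-backup.reg'   # assumed location

function Test-MsdtProtocolHandler {
    # True when the ms-msdt: handler is registered, i.e. the workaround is NOT in place
    Test-Path -LiteralPath $HandlerPath
}

function Disable-MsdtProtocolHandler {
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Output 'ms-msdt handler already absent; nothing to do'
        return
    }
    # Export first so the handler can be put back after a patch is applied
    & reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup of $HandlerKey failed; refusing to delete the handler"
    }
    & reg.exe delete $HandlerKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $HandlerKey failed" }
    Write-Output "ms-msdt handler removed; backup written to $BackupFile"
}

function Restore-MsdtProtocolHandler {
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile; cannot restore the handler"
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Importing $BackupFile failed" }
    Write-Output 'ms-msdt handler restored'
}

# Usage: apply the workaround, then confirm the handler is gone
Disable-MsdtProtocolHandler
if (Test-MsdtProtocolHandler) {
    Write-Warning 'ms-msdt handler is still registered'
} else {
    Write-Output 'ms-msdt: protocol handler disabled'
}
```

While the key is removed, troubleshooters launched through ms-msdt: links in Settings will not start, so keep the .reg backup with the change record and call Restore-MsdtProtocolHandler once the Microsoft patch has been deployed and verified.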
