Healthcare Cybersecurity

BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities

BD has issued security advisories about two vulnerabilities that affect certain BD Pyxis automated medication dispensing system products and the BD Synapsys microbiology informatics software platform.

BD Pyxis – CVE-2022-22767

According to BD, certain BD Pyxis products have been installed with default credentials and may still operate with those credentials. In some scenarios, the affected products may have been installed with the same default local operating system credentials or domain-joined server(s) credentials that may be shared across product types.

If a threat actor were to exploit the vulnerability, it would be possible to gain privileged access to the underlying file system, which would allow access to ePHI or other sensitive information. The vulnerability is tracked as CVE-2022-22767 and has a CVSS v3 base score of 8.8 out of 10 (high severity).

The following products are affected by the vulnerability

  • BD Pyxis ES Anesthesia Station
  • BD Pyxis CIISafe
  • BD Pyxis Logistics
  • BD Pyxis MedBank
  • BD Pyxis MedStation 4000
  • BD Pyxis MedStation ES
  • BD Pyxis MedStation ES Server
  • BD Pyxis ParAssist
  • BD Pyxis Rapid Rx
  • BD Pyxis StockStation
  • BD Pyxis SupplyCenter
  • BD Pyxis SupplyRoller
  • BD Pyxis SupplyStation
  • BD Pyxis SupplyStation EC
  • BD Pyxis SupplyStation RF auxiliary
  • BD Rowa Pouch Packaging Systems

BD said it is working with customers whose domain-joined server(s) credentials require updating and it is strengthening the credential management capabilities of BD Pyxis products.

BD recommends the following compensating controls for users of Pyxis products utilizing default credentials:

  • Restrict physical access to Pyxis products to only authorized personnel
  • Tightly control management of system passwords
  • Monitor and log network traffic attempting to reach the affected products for suspicious activity
  • Isolate affected products in a secure VLAN or behind firewalls and only permit communication with trusted hosts in other networks, when needed

BD Synapsys – CVE-2022-30277

Certain BD Synapsis products are affected by an insufficient session expiration vulnerability, which could potentially allow an unauthorized individual to access, modify, or delete sensitive information such as ePHI, which could potentially result in delayed or incorrect treatment. BD says a physical breach of a vulnerable workstation would be unlikely to lead to the modification of ePHI as the sequence of events has to be conducted in a specific order. The vulnerability is tracked as CVE-2022-30277 and has been assigned a CVSS v3 base score of 5.7 out of 10 (medium severity).

The vulnerability affects D Synapsys versions 4.20, 4.20 SR1, and 4.30. The flaw will be addressed in BD Synapsys v4.20 SR2, which will be released this month.

BD has suggested the following compensating controls:

  • Configure the inactivity session timeout in the operating system to match the session expiration timeout in BD Synapsys.
  • Ensure physical access controls are in place and only authorized end-users have access to BD Synapsys workstations.
  • Place a reminder at each computer for users to save all work, logout, or lock their workstation when leaving the BD Synapsys workstation.
  • Ensure industry standard network security policies and procedures are followed.

BD has alerted CISA, the FDA, and ISACs about the vulnerabilities under its responsible vulnerability disclosure policy.

The post BD Issues Security Advisories About Pyxis and Synapsys Vulnerabilities appeared first on HIPAA Journal.

Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled

Microsoft has issued a security advisory and has provided workaround to prevent a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) from being exploited.

The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.”

Over the weekend, security researcher nao_sec found a Word document that was leveraging remote templates to execute PowerShell commands on targeted systems via the MS-MSDT URL protocol scheme. In a recent blog post, security researcher Kevin Beaumont said the documents are not being detected as malicious by Microsoft Defender and detection by antivirus solutions is poor as the documents used to exploit the vulnerability do not contain any malicious code. Instead, they leverage remote templates to download an HTML file from a remote server, which allows an attacker to run malicious PowerShell commands.

Most email attacks that use attachments for malware delivery require macros to be enabled; however, the vulnerability can be exploited even with macros disabled. The vulnerability is exploited when the attached file is opened. Beaumont also showed that zero-click exploitation is possible if an RTF file is used, as the flaw can be exploited without opening the document via the preview tab in Explorer.

Microsoft said if an attacker successfully exploits the vulnerability, malicious code can be run with the privileges of the calling application. It would allow an attacker to install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The vulnerability can be exploited in all Office versions since 2013, including the current version of Office 365.

The vulnerability was initially reported to Microsoft in April and the flaw was assigned a CVSS score of 7.8 out of 10 (high severity), as Microsoft did not consider the Follina vulnerability to be critical. Microsoft has now issued a workaround and guidance that involves disabling the MSDT URL Protocol until a patch is released. Immediate action is required to prevent the vulnerability from being exploited. Vulnerabilities that can be exploited via Office are rapidly adopted by threat actors, especially when they can be exploited with macros disabled.

Multiple threat actors are known to be exploiting the flaw, including the Chinese threat actor TA413, according to Proofpoint. According to Palo Alto Networks Unit 42 team, “Based on the amount of publicly available information, the ease of use, and the extreme effectiveness of this exploit, Palo Alto Networks highly recommends following Microsoft’s guidance to protect your enterprise until a patch is issued to fix the problem.

The post Zero Day Microsoft Office Vulnerability can be Exploited with Macros Disabled appeared first on HIPAA Journal.

CISA Adds 75 Vulnerabilities to the Known Exploited Vulnerability Catalog

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added a further 75 vulnerabilities to its Known Exploited Vulnerability Catalog. The Known Exploited Vulnerability Catalog is a list of vulnerabilities in software and operating systems that are known to be exploited in real-world attacks. The list now includes 737 vulnerabilities.

The latest additions came in three batches that were added on Tuesday (21), Wednesday (20), and Thursday (34). Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to scan for the vulnerabilities and ensure patches are applied or the vulnerabilities are otherwise mitigated within two weeks.

The majority of the vulnerabilities added to the list last week are not new flaws. In most cases, patches were released to address the laws several years ago and in some cases, the vulnerabilities were publicly disclosed 12 years ago. Some of the vulnerabilities affect products that have long since passed end-of-life, such as Adobe Flash Player, Virtual System/Server Administrator (VSA), Microsoft Silverlight, and InfoSphere BigInsights. If those solutions are still installed or in use, the products should be uninstalled or disconnected.

Recent vulnerabilities include the Cisco IOS XR open port vulnerability (CVE-2022-20821), a memory corruption vulnerability in multiple Apple products (CVE-2021-30883), and two vulnerabilities in the Android Kernel – a use-after-free vulnerability (CVE-2021-1048) and a race condition vulnerability (CVE-2021-0920).

The vulnerabilities affect products from the following vendors:  Adobe, Android, Apple, Artifex, Cisco, Google, IBM, Kaseya, Linux, Meta Platforms, Microsoft, Mozilla, Oracle, QNAP, Red Hat, and WebKitGTK.

While BOD 22-01 only applies to FCEB agencies, CISA encourages all organizations to reduce their exposure to cyberattacks by ensuring the vulnerabilities on the Known Exploited Vulnerability Catalog are remediated in a timely manner as part of their vulnerability management practices.

The post CISA Adds 75 Vulnerabilities to the Known Exploited Vulnerability Catalog appeared first on HIPAA Journal.

Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites

A recent study by Source Defense examined the risks associated with the use of third- and fourth-party code on websites and found that all modern, dynamic websites included code that could be targeted by hackers to gain access to sensitive data.

SOurce Defense explained that websites typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more sales.

The inclusion of third- and fourth-party code on websites also introduces security and compliance risks. On the compliance side, tracking code has the potential to violate data privacy laws such as the EU’s General Data Protection Regulation (GDPR) and from a security perspective, the code included on websites may have vulnerabilities that can be exploited by threat actors to gain access to sensitive data, including protected health information.

To explore the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites based on traffic and analyzed their results to identify the scale of the digital supply chain, how many partners are involved on a typical website, whether the inclusion of code by those partners leaves websites exposed to cyberattacks, whether sensitive data is being exposed, and the types of attacks that could be conducted on websites that take advantage of the digital supply chain.

The findings of the analysis are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense explained that there would be little point in a threat actor compromising a script on a static webpage; however, if scripts were included on webpages that collect sensitive data, threat actors could add malicious code to steal sensitive data. The researchers found that, on average, there were 12 third-party and 3 fourth-party scripts per website on web pages that collected data, such as login pages, account registration pages, and payment collection pages.

They identified six features on websites that could be exploited by threat actors that were commonly found on websites: Code to retrieve form input (49%), button click listeners (49%), link click listeners (43%), code to modify forms (23%), form submit listeners (22%), and input change listeners (14%). Every modern, dynamic website assessed for the study was found to contain one or more of those features.

An analysis was conducted of between 40 and 50 websites in industries where there is a higher-than-average risk. The researchers found that higher-risk industries such as healthcare had more than the average number of scripts. Healthcare websites had an average of 13 third-party and 5 fourth-party scripts on sensitive pages.

There may be a legitimate reason for including these scripts on the pages but adding that code introduces risk. “For example, a script might allow form fields to be changed or added on the fly to provide website users with a more personalized experience,” explained Source Defense in the report. “However, a threat actor could exploit this capability to add additional fields asking for credentials and personal information, which would then be sent to attacker’s website.”

“This data makes it clear that managing risk inherent in third- and fourth-party scripts is both a very necessary and a very challenging task,” explained the researchers, who recommend assessing websites for third party code, educating management about the risks, implementing a website client-side security solution, categorizing and consolidating scripts, and finding ways to recuse exposure and compliance risks.

The post Study Identifies Risks Associated with 3rd and 4th Party Scripts on Websites appeared first on HIPAA Journal.

Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server

An information technology consultant who worked as a contractor at a suburban healthcare company in Chicago has been charged with illegally accessing the company’s network and intentionally causing damage to a protected computer.

Aaron Lockner, 35, of Downers Grove, IL, worked for an IT company that had a contract with a healthcare company to provide security and technology services. Lockner was provided with access to the network of the healthcare provider’s clinic in Oak Lawn, IL, to perform the contracted IT services.

In February 2018, Lockner applied for an employment position with the healthcare provider, but his application was denied. Lockner was then terminated from the IT firm in March 2018. A month later, on or around April 16, 2018, Lockner is alleged to have remotely accessed the computer network of the healthcare company without authorization. According to the indictment, Lockner knowingly caused the transmission of a program, information, code, and command, and as a result of his actions, intentionally caused damage to a protected computer. The computer intrusion impaired medical examinations, treatment, and the care of multiple individuals.

Locker has been indicted on one count of intentionally causing damage to a protected computer. The arraignment has been scheduled for May 31, 0222 in the U.S. District Court in the Northern District of Illinois, Eastern Division. If convicted, Lockner could serve up to 10 years in federal prison.

This case highlights the risks posed by insiders. The recently published 2022 Verizon Data Breach Investigations Report highlights the risk of attacks by external threat actors, which outnumber insider attacks by 4 to 1, but safeguards also need to be implemented to protect against insider threats.

In this case, the alleged access occurred two months after the application for employment was rejected and one month after being terminated from the IT company. When individuals leave employment, voluntarily or if terminated, access rights to systems need to be immediately revoked and scans of systems conducted to identify any malware or backdoors that may have been installed.

There have been multiple cases of disgruntled IT contractors retaining remote access to systems after termination, with one notable case at a law firm seeing a former IT worker installing a backdoor and subsequently accessing the system and intentionally causing damage after leaving employment. In that case, the individual was sentenced to 115 months in federal prison and was ordered to pay $1.7 million in restitution.

The post Former IT Consultant Charged with Intentionally Causing Damage to Healthcare Company’s Server appeared first on HIPAA Journal.

Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends

For the past 15 years, Verizon has been publishing annual Data Breach Investigation Reports (DBIR), with this year’s report confirming just how bad the past 12 months have been. Verizon described the past 12 months as representing an unprecedented year in cybersecurity history. “From very well-publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months,” explained Verizon.

The 2022 DBIR was compiled in conjunction with 87 partner organizations using data from 23,896 security incidents, of which 5,212 were confirmed data breaches, 849 of the security incidents analyzed in the report occurred in the healthcare sector, with 571 of those incidents resulting in confirmed data breaches.

The report confirms there was a major increase in ransomware attacks in 2021, increasing 13% from the previous year. To add some perspective, the increase is greater than the combined increases over the previous five years. As Verizon points out in the report, ransomware is just a way of taking advantage of access to victims’ networks, but it has proven to be particularly successful at monetizing illegal access to networks and private information. Ransomware was involved in 25% of data breaches in 2021.

The most common vectors in ransomware attacks were the use of stolen credentials, mostly for desktop sharing software, which provided initial access in 40% of attacks. Phishing was the second most common vector in attacks, providing initial access in 35% of ransomware attacks followed by the exploitation of vulnerabilities in web applications and direct installs. The high percentage of attacks involving remote desktop software and email highlights the importance of locking down RDP and securing email.

The increase in ransomware attacks is alarming, as is the number of supply chain attacks, which account for 62% of system intrusions. Supply chain attacks may be conducted by financially motivated cyber actors, but oftentimes they are used by nation-state actors to gain persistent access to systems for espionage purposes.

Protecting against cyberattacks requires action to be taken to address the four main avenues that lead to initial access to networks being gained, which are credentials, phishing, exploitation of vulnerabilities, and botnets. While insiders can and do cause data breaches, by far the main cause is external actors. Breaches due to external actors outnumber insider breaches by four to 4. While external attacks are much more likely, the median number of records involved in insider breaches is far higher.

Human error continues to play a large part in data breaches. 13% of breaches involved misconfigurations, mostly of cloud storage facilities, and 82% of all data breaches analyzed in the past 12 months involved a human element. 25% of all breaches in 2021 were the result of social engineering attacks, highlighting not only the importance of implementing advanced email defenses but also providing regular security awareness training to the workforce.

The top three attack methods were the same as last year, albeit changing position. System intrusions took the top spot, followed by web application attacks, and social engineering. In healthcare, the leading causes of data breaches were web application attacks, miscellaneous errors, and system intrusions, which accounted for 76% of all data breaches.

Verizon reports that while insiders have long been a leading cause of data breaches in healthcare, the increase in web application attacks has meant external threats have overtaken insiders. Healthcare employees caused 39% of breaches in 2021, which is considerably higher than the 18% across all other industry sectors. While there will always be malicious insiders in healthcare, employees are 2.5 times more likely to make an error than to maliciously abuse their access to data, with misdelivery and loss the most common errors made in healthcare.

Healthcare data breach trends

Patterns in Healthcare data breaches. Source: Verizon DBIR 2022

 

The post Verizon Data Breach Investigations Report Reveals 2021 Data Breach Trends appeared first on HIPAA Journal.

HHS Shares Information on Advanced Persistent Threat Groups Linked with the Russian Intelligence Services

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief providing information on the cyber organizations of the Russian Intelligence Services which pose a threat to organizations in the United States, including the healthcare and public health (HPH) sector.

The threat brief provides information on four key advanced persistent threat actors which conduct offensive cyber activities and espionage within the Russian Intelligence Services. These APT actors have been linked to the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the Main Intelligence Directorate of the General Staff of the Armed Forces (GRU). The FSB is equivalent to the Federal Bureau of Investigation in the U.S and is mostly concerned with domestic intelligence and foreign intelligence from Russia’s near abroad. The SVR is equivalent to the U.S. Central Intelligence Agency (CIA) and collects foreign intelligence from military, strategic, economic, scientific, and technological targets. The GRU is the equivalent of the Defense Intelligence Agency (DIA) and collects foreign intelligence related to military issues through espionage and is also responsible for conducting destructive cyberattacks.

Turla

Turla, aka Venomous Bear/Iron Hunter/KRYPTON/Waterbug, operates under the direction of the FSB and mostly targets industries such as academic, energy, government, military, telecommunications, research, pharmaceutical companies, and foreign embassies, and has been active since at least 2004. The group is known to use malware and sophisticated backdoors and is mostly focused on diplomatic espionage activities in former Eastern Bloc countries, although was responsible for the attack on U.S. Central Command in 2008, G20 attendees in 2017, and the government computer network in Germany in 2018.

APT29

APT29, aka Cozy Bear, YTTRIUM, Iron Hemlock, and The Dukes, operates under the direction of the SVR and mostly targets the academic, energy, financial, government, healthcare, media, pharmaceutical, and technology industries and think tanks. The APT actor has been active since at least 2008 and uses a range of malware variants and backdoors. The APR actor mostly targets European and NATO countries and is known to conduct spear phishing campaigns to gain stealthy, long-term access to targets networks, and is especially persistent and focused on specific targets. The APT actor steals information but does not leak that information. APT29 is known to be behind the attack on the Pentagon in 2015, the SolarWinds Orion attack in 2020, and targeted COVID-19 vaccine developers during the pandemic.

APT28

APT28, aka Fancy Bear, STRONTIUM, Sofacy, Iron Twilight, operates under the direction of the GRU and has been active since 2004. APT28 targets the aerospace, defense, energy, government, healthcare, military, and media industries and dissidents. The group uses a variety of malware, a downloader for next-stage infections, and collects system information and metadata to distinguish real environments from sandboxes.

APT28 primarily targets NATO countries and is known to use password spraying, unique malware, phishing and credential harvesting, and tends to conduct noisy rather than stealthy attacks. The group steals and leaks information to further Russia’s political interests. The group was behind the attack on the World Anti-Doping Agency in 2016, the cyberattack and leaking of data from the U.S. Democratic National Committee and the Clinton Campaign in 2016, and the German and French Elections in 2016 and 2017.

Sandworm

Sandworm, aka Voodoo Bear, ELECTRUM, IRIDIUM, Telebots, and Iron Viking, operates under the direction of the GRU and has been active since at least 2007. Sandworm mainly targets the energy and government sectors and is the most destructive of all ‘Bear’ threat groups. SAndworm targets ICS and computer systems for destructive purposes, such as conducting wiper malware attacks, especially in Ukraine. The group appears unconcerned with 2nd and 3rd order effects of attacks, such as those of NotPetya, and uses malware such as BadRabbit, BlackEnergy, GCat, GreyEnergy, KillDisk, NotPetya, and Industroyer.

Sandworm was behind the multiple attacks on the Ukrainian government and critical infrastructure in 2015-2016 and 2022, attacks on Georgian websites before the Russian Invasion in 2008, and the NotPetya attacks in 2017.

Mitigations

The tactics, techniques, procedures, and malware used by each of these groups are diverse, but some mitigations can be implemented to improve resilience and block the main attack vectors. These are detailed in the HC3 report and include updating software, patching promptly, enforcing MFA, segmenting networks, and reviewing CVEs for all public-facing systems.

The post HHS Shares Information on Advanced Persistent Threat Groups Linked with the Russian Intelligence Services appeared first on HIPAA Journal.

CISA Issues Emergency Directive to Patch Vulnerable VMWare Products

An emergency directive has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to all federal agencies, requiring them to take steps to address two vulnerabilities in certain VMware products that are likely to be rapidly exploited in the wild, and two previous vulnerabilities in VMWare products that were disclosed in April which are being exploited by multiple threat actors, including Advanced Persistent Threat (APT) actors.

The latest vulnerabilities, tracked as CVE-2022-22972 (critical) and CVE-2022-22973 (high severity), and the two vulnerabilities from April affect 5 VMWare products:

  • VMware Workspace ONE Access (Access) Appliance
  • VMware Identity Manager (vIDM) Appliance
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

CVE-2022-22972 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users. If a malicious actor has network access to the UI, the flaw can be exploited to gain administrative access without authentication. The vulnerability has been assigned a CVSS severity score of 9.8 out of 10.

CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager with a CVSS severity score of 7.8. If a malicious actor has local access, the flaw can be exploited to escalate privileges to root. Both flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The two vulnerabilities known to have been exploited in the wild are tracked as CVE 2022-22954 (critical) and CVE 2022-22960 (high severity). CISA says both vulnerabilities have been exploited in real-world attacks, individually and in combination, by multiple threat actors.

CVE 2022-22954 is a code injection vulnerability with a CVSS score of 9.8 that affects VMware Workspace ONE Access and Identity Manager products. Exploitation of the flaw allows threat actors to trigger server-side template injection, which can lead to remote code execution. CVE 2022-22960 is an improper privilege management issue with a CVSS score of 7.8 that affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation products, and allows threat actors to escalate privileges to root.

In one attack, a threat actor with network access to the web interface exploited CVE 2022-22954 to execute a shell command as a VMWare user, then exploited the second flaw to escalate privileges to root. After exploiting both flaws, the threat actor could move laterally to other systems, escalate permissions, and wipe logs. In another case, a threat actor deployed the Dingo-J-spy web shell after exploiting the flaws. Exploits for the two April vulnerabilities were developed by reverse-engineering the patches released by VMWare. Now patches have been released to fix the latest two vulnerabilities, similarly rapid exploitation of the flaws in the wild can be expected.

While the emergency directive only applies to Federal agencies, all organizations that are using vulnerable VMWare products should patch immediately or implement the recommended mitigations. The deadlines for Federal agencies to complete the required actions are May 23 and May 24, 2022.

The post CISA Issues Emergency Directive to Patch Vulnerable VMWare Products appeared first on HIPAA Journal.

Cybersecurity Agencies Share Most Common Attack Vectors for Initial Access and Recommended Mitigations

According to a recent security advisory issued by the Five Eyes Cybersecurity agencies in the US, UK, Canada, Australia, and New Zealand, the most common attack vectors used by cyber threat actors for initial access to networks are exploits of public-facing applications, external remote services, trusted relationships, phishing, and compromised credentials for valid user accounts.

These attack methods often succeed due to poor security practices, bad cyber hygiene, weak controls, and poor security configurations. The security advisory details the most commonly exploited controls and practices and provides recommendations for mitigations to strengthen security and block these attack vectors.

Top 10 Security Weaknesses Exploited by Hackers

The top ten security weaknesses exploited by hackers consist of poor security practices, weak security controls, and misconfigurations and unsecured systems, which allow the most common attack vectors to be used.

Slow software updates and patching

The failure to update software promptly and apply patches for known vulnerabilities gives attackers a window of opportunity for exploiting the vulnerabilities. Exploits for vulnerabilities are often released publicly within days or weeks. Vulnerabilities can be exploited to gain access to sensitive information, conduct denial-of-service attacks, or take full control of vulnerable systems. Slow patching is one of the commonest poor security practices.

Open ports and misconfigurations that expose services to the Internet

Another commonly identified vulnerability is the failure to close open ports. Hackers continuously scan for open ports and misconfigured services that expose systems to the Internet. The compromising of these services can provide attackers with initial access. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.

Failure to enforce multifactor authentication

Multifactor authentication should be enforced on all accounts to block attempts to use stolen credentials. This is especially important for Remote Desktop Protocol, other remote services, and accounts with administrative privileges. The lack of multifactor authentication for RDP is commonly exploited in ransomware attacks.

Use of default credentials and configurations

The failure to change default credentials provides attackers with easy access, as default credentials are often in the public domain. Default configurations are typically excessively permissible to ensure they are user-friendly, and the failure to change configurations can give attackers an avenue for exploitation.

Insufficient controls for remote access

Remote services are commonly targeted by threat actors who exploit a lack of sufficient authentication controls, such as no multifactor authentication. In addition to enforcing MFA, network defenders should consider implementing a boundary firewall in front of a VPN and IDS/IPS sensors to detect anomalous activity.

Incorrectly applied privileges or permissions, and errors within access control lists

Incorrectly applied privileges or permissions can prevent access control rules from being enforced, which could allow system processes or unauthorized users to be granted access to objects.

Poor password policies

Many different methods can be used to exploit weak, leaked, or compromised passwords to access victims’ systems. Policies should be set and enforced requiring strong, unique passwords to be used. Weak RDP passwords are commonly exploited.

Unprotected cloud services

Misconfigurations and poor security configurations can leave cloud services unprotected, giving threat actors easy access to sensitive data and permitting cryptojacking using cloud servers.

Insufficient phishing defenses

Phishing is one of the leading ways that threat actors gain a foothold in networks. Email security solutions should be used that have strong antivirus controls, use behavioral analysis to identify malware, and have the capability to scan embedded links. Security awareness training should be regularly provided to the workforce.

Poor endpoint detection and response

Endpoint detection solutions should be implemented that go beyond signature-based detection methods as threat actors commonly use obfuscated malicious scripts and PowerShell to bypass endpoint security solutions such as antivirus software.

Suggested Mitigations

The security alert includes several mitigations that can help network defenders strengthen security and protect against these commonly exploited weak security controls and practices. The suggested mitigations are concerned with controlling access, credential hardening, establishing centralized log management, deploying antivirus and other detection tools, conducting vulnerability scans, establishing a robust patch management program, and maintaining a rigorous configuration management program.

The post Cybersecurity Agencies Share Most Common Attack Vectors for Initial Access and Recommended Mitigations appeared first on HIPAA Journal.