Healthcare Cybersecurity

Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks

Posted by HIPAA Journal

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers and initial research suggests it may be a variant of SmokeLoader – A commonly used malware loader and backdoor, although SmokeLoader and Tardigrade malware are quite distinct.

The sophisticated nature of the malware coupled with the targeted attacks on vaccine manufacturers and their partners strongly suggest the malware was developed and is being used by an Advanced Persisted Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021 when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021 and it is believed to have been used in attacks on several firms in the sector.

In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade malware has far greater autonomy and can use its internal logic to make decisions about lateral movement and which files to modify. The malware has a distributed command-and-control network and uses a variety of IPs that do not correspond to a specific command-and-control node. The malware is also metamorphic, which means its code regularly changes while retaining its functionality. That means signature-based detection mechanisms are not effective at identifying and blocking Tardigrade malware.

Tardigrade malware is stealthy and can be used to gain persistent access to victims’ systems for espionage. The malware creates a tunnel for data exfiltration and has been used to prepare systems for further malicious activities such as ransomware attacks. The malware was first detected when investigating what appeared to be a ransomware attack.

An advisory about the malware was issued by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) due to the significant threat the malware poses to the biomanufacturing sector and their partners, with the HHS’ Health Sector Cybersecurity Coordination Center (HC3) also issuing a recent alert about the malware.

BIO-ISAC says all biomanufacturing sites and their partners should assume that they will be targets and should take steps to improve their defenses against this new malware threat. The primary method of malware delivery is believed to be phishing emails, although the malware is capable of spreading via USB drives and can propagate autonomously throughout victims’ networks.

It is important to ensure cybersecurity best practices are followed, such as closing open remote desktop protocols, updating out-of-date operating systems and software, aggressively segmenting networks, implementing multifactor authentication, and ensuring antivirus software is used on all devices that is capable of behavioral analysis.

BIO-ISAC also recommends conducting a “crown jewels” analysis, which should include assessing the impact of an attack should certain critical devices be rendered inoperable, ensuring offline backups are performed on biomanufacturing infrastructure, testing backups to ensure recovery is possible, providing phishing awareness training to the workforce, inquiring about lead times for procuring critical infrastructure components such as chromatography, endotoxin, and microbial containment systems, and accelerating the upgrade of legacy equipment.

Further information on the Tardigrade malware threat is available from BIO-ISAC and HC3.

The post Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks appeared first on HIPAA Journal.

APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

Posted by HIPAA Journal

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus.

The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus prior to version 11306, ServiceDesk Plus MSP prior to version 10530, and SupportCenter Plus prior to version 11014. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the flaw will allow remote code execution.

The alert warns that APT actors and other threat groups are believed to be exploiting the vulnerability to upload executable files and place webshells on vulnerable systems. The webshells allow a range of different post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Zoho released a security advisory and patch to correct the CVE-2021-44077 flaw on September 16, 2021, with a further alert issued on November 22, 2021, warning that the vulnerability was being exploited in the wild. The first know exploits of the vulnerability were used in late October 2021, prior to any proof-of-concept exploit being publicly released, indicating the exploit for the vulnerability was developed by the APT actor.

According to Palo Alto Networks, the APT actor has conducted three campaigns this year, first exploiting the CVE-2021-40539 in attacks on US ports and defense firms, the second exploited the same vulnerability on targets in a range of different sectors, including healthcare, with the latest campaign exploiting the CVE-2021-44077 vulnerability in attacks on the healthcare, education, technology, defense, finance, and entertainment sectors.

In the latest campaign, the APT actor exploits the flaw by sending two requests to the REST API, one uploads an executable file and the second launches the payload. The flaw can be exploited without authentication on vulnerable ServiceDesk servers and has been exploited to deliver a variant of the Godzilla webshell that is different from the variant used in the first two campaigns.

Palo Alto Networks has found evidence that suggests the attack may be conducted by the Chinese nation-state APT group tracked as APT 27/Emissary Panda, although the evidence is not sufficient to attribute the attacks to that group. The attacks have mostly been conducted in the United States, with a small number of attacks conducted on targets in India, Turkey, Russia, and the UK.

The FBI and CISA have shared technical details of the attacks, indicators of compromise, network indicators, and YARA rules in the security Alert AA21-336A.

The post APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells appeared first on HIPAA Journal.

APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

Posted by HIPAA Journal

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus.

The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus prior to version 11306, ServiceDesk Plus MSP prior to version 10530, and SupportCenter Plus prior to version 11014. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the flaw will allow remote code execution.

The alert warns that APT actors and other threat groups are believed to be exploiting the vulnerability to upload executable files and place webshells on vulnerable systems. The webshells allow a range of different post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Zoho released a security advisory and patch to correct the CVE-2021-44077 flaw on September 16, 2021, with a further alert issued on November 22, 2021, warning that the vulnerability was being exploited in the wild. The first know exploits of the vulnerability were used in late October 2021, prior to any proof-of-concept exploit being publicly released, indicating the exploit for the vulnerability was developed by the APT actor.

According to Palo Alto Networks, the APT actor has conducted three campaigns this year, first exploiting the CVE-2021-40539 in attacks on US ports and defense firms, the second exploited the same vulnerability on targets in a range of different sectors, including healthcare, with the latest campaign exploiting the CVE-2021-44077 vulnerability in attacks on the healthcare, education, technology, defense, finance, and entertainment sectors.

In the latest campaign, the APT actor exploits the flaw by sending two requests to the REST API, one uploads an executable file and the second launches the payload. The flaw can be exploited without authentication on vulnerable ServiceDesk servers and has been exploited to deliver a variant of the Godzilla webshell that is different from the variant used in the first two campaigns.

Palo Alto Networks has found evidence that suggests the attack may be conducted by the Chinese nation-state APT group tracked as APT 27/Emissary Panda, although the evidence is not sufficient to attribute the attacks to that group. The attacks have mostly been conducted in the United States, with a small number of attacks conducted on targets in India, Turkey, Russia, and the UK.

The FBI and CISA have shared technical details of the attacks, indicators of compromise, network indicators, and YARA rules in the security Alert AA21-336A.

The post APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells appeared first on HIPAA Journal.

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

Posted by HIPAA Journal

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats.

The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use.

More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and move toward consistency in mitigating key threats to healthcare organizations. Through the website, organizations in the HPH sector can subscribe to a bi-monthly 405(d) newsletter and will have easy access to threat-specific products to support cybersecurity awareness and training efforts.

“The new 405(d) Program website is a step forward for HHS to help build cybersecurity resiliency across the Healthcare and Public Health Sector. This is also an exciting moment for the HHS Office of the Chief Information Officer in our ongoing partnership with industry,” said Christopher Bollerer, HHS Acting Chief Information Security Officer.

“This website is the first of its kind! It’s a unique space where the healthcare industry can access vetted cybersecurity practices specific to the HPH sector on a federal government website,” said Erik Decker, 405(d) Task Group Industry co-lead. “I think it’s a great resource for the HPH sector to turn to and will surely be a go-to site for organizations that want to better protect their patients and facilities from the latest cybersecurity threats.”

The post HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats appeared first on HIPAA Journal.

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance for enterprises to help them secure mobile devices and safely access enterprise resources using mobile devices.

The Enterprise Mobility Management (EMM) system checklist has been created to help businesses implement best practices to mitigate vulnerabilities and block threats that could compromise mobile devices and the enterprise networks to which they connect. The steps outlined in the checklist are easy for enterprises to implement and can greatly improve mobile device security and allow mobile devices to be safely used to access business networks.

CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet enterprise requirements, an assessment should be performed to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically to ensure it is always running the latest version of the software and patches are applied automatically to fix known vulnerabilities.

A policy should be implemented for trusting devices, with access to enterprise resources denied if the device does not have the latest patch level, has not been configured to enterprise standards, is jailbroken or rooted, and if the device is not continuously monitored by the EMM.

Strong authentication controls need to be implemented, including strong passwords/PINs, with PINs consisting of a minimum of 6 digits. Wherever possible, face or fingerprint recognition should be enabled. Two-factor authentication should be implemented for enterprise networks that require a password/passphrase plus one additional method of authentication such as an SMS message, rotating passcode, or biometric input.

CISA recommends practicing good app security, including only downloading apps from trusted app stores, isolating enterprise applications, minimizing PII stored in apps, disabling sensitive permissions, restricting OS/app synchronization, and vetting enterprise-developed applications.

Network communications should be protected by disabling unnecessary network radios (Bluetooth, NFC, Wi-Fi, GPS) when not in use, disabling user certificates, and only using secure communication apps and protocols such as a VPN for connecting to the enterprise network.

Mobile devices should be protected at all times. A Mobile Threat Defense (MTD) system should guard against malicious software that can compromise apps and operating systems and detect improper configurations. Devices should only be charged using trusted chargers and cables, and the lost device function should be enabled to ensure the devices are wiped after a certain number of incorrect login attempts (10 for example). It is also important to protect critical enterprise systems and prevent them from being accessed using mobile devices due to the risk of transferring malware.

The CISA mobile device cybersecurity checklist for organizations can be downloaded here.

The post CISA Publishes Mobile Device Cybersecurity Checklist for Organizations appeared first on HIPAA Journal.

Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned organizations in the United States about the increased risk of cyberattacks over Thanksgiving weekend.

Cyber threat actors are often at their most active during holidays and weekends, as there are likely to be fewer IT and security employees available to detect attempts to breach networks. Recent attacks have demonstrated holiday weekends are prime time for cyber threat actors, with Las Vegas Cancer Center one of the most recent victims of such an attack on the Labor Day weekend.

The warning applies to all organizations and businesses, but especially critical infrastructure firms. Cyber actors around the world may choose Thanksgiving weekend to conduct attacks to disrupt critical infrastructure and conduct ransomware attacks.

CISA and the FBI are urging all entities to take steps to ensure risk is effectively mitigated ahead of the holiday weekend to help prevent them from becoming the next victim of a costly cyberattack.

Steps that should be taken immediately include a review of current cybersecurity measures and to ensure cybersecurity best practices are being followed. Multi-factor authentication should be activated on all remote and administrative accounts, default passwords should be changed, and strong passwords set on all accounts, with steps taken to ensure passwords are not reused elsewhere.

Remote Desktop Protocol (RDP) is commonly targeted by threat actors, as are other remote access services. It is important to ensure that RDP and remote access services are secured, and connections are monitored. If remote access is not required, these services should be disabled.

Phishing is commonly used to gain access to networks. It is important to remind employees to exercise caution with email, never to click on suspicious links in messages, or to open attachments in unsolicited emails. Phishing scams often spoof trusted entities such as charities, well-known brands, vendors, and work colleagues and phishing campaigns are conducted in large numbers at this time of year targeting holiday season shoppers, especially in the run-up to Black Friday and Cyber Monday.  Over the next couple of days, it is wise to conduct exercises to raise awareness of security risks.

All staff members will likely want to have time off over Thanksgiving weekend, but it is important to identify IT security employees who can be available to surge into action should a security incident or ransomware attack occur. Prompt action can greatly reduce the severity and cost of a cyberattack.

It is also recommended to review and update incident response and communication plans to ensure they will be effective in the event of a cyberattack. This month, CISA issued new cybersecurity incident and vulnerability response playbooks to help federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities; however, they can be used by all businesses for developing cybersecurity incident and vulnerability response plans.

Mitigations and cybersecurity best practices that can be adopted to reduce risk are detailed in the previously released CISA alert – Ransomware Awareness for Holidays and Weekends.

The post Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend appeared first on HIPAA Journal.

HHS Warns Healthcare Sector About Risk of Zero-day Attacks

Posted by HIPAA Journal

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning the healthcare and public health sector about an increase in financially motivated zero-day attacks, outlining mitigation tactics that should be adopted to reduce risk to a low and acceptable level.

A zero-day attack leverages a vulnerability for which a patch has yet to be released. The vulnerabilities are referred to as zero-day, as the developer has had no time to release a patch to correct the flaw.

Zero-day attacks are those where a threat actor has exploited a zero-day vulnerability using a weaponized exploit for the flaw. Zero-day vulnerabilities are exploited in attacks on all industry sectors and are not only a problem for the healthcare industry.  For instance, in 2010, exploits were developed for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to self-destruct to disrupt Iran’s nuclear program.

More recently in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. While it would normally be necessary for an individual to take additional actions after opening a malicious email attachment for malware to be downloaded, by including an exploit for a zero-day vulnerability the threat actors were able to install the Dridex banking Trojan if an individual simply opened an infected email attachment. A zero-day vulnerability was also exploited this year in the 2021 SonicWall ransomware attacks. The vulnerability was identified by the UNC2447 threat group and was exploited to deliver FiveHands ransomware.

The very nature of zero-day vulnerabilities means it is not possible to eliminate risk entirely, as software developers need to develop patches to fix the vulnerabilities, but strategies can be adopted to reduce the potential for zero-day vulnerabilities to be exploited.

The number of detected exploits for zero-day vulnerabilities more than doubled between 2019 and 2021. This is, in part, due to the high value of exploits for zero-day flaws. The price paid for working exploits rose by more than 1,150% between 2018 and 2021. While the market for zero-day exploits was limited to a handful of groups with deep pockets, there are now many threat actors with considerable resources that are willing to pay as they know they can make their money back many times over by using the exploits in their attacks. Now, an exploit for a zero-day vulnerability could be worth more than $1 million.

Zero-day attacks specifically conducted against the healthcare sector are a very real possibility. In August this year, a zero-day vulnerability dubbed PwnedPiper was identified in the pneumatic tube systems used in hospitals to transport biological samples and medications. The vulnerability was identified in the control panel, which would allow unsigned firmware updates to be applied. An attacker could exploit the flaw and take control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were identified that exposed OpenClinic patients’ test results. Unauthenticated attackers could successfully request files containing sensitive documents from the medical test directory, including medical test results.

The best defense against zero-day vulnerabilities is to patch promptly, but patching is often slow, especially in healthcare. In 2019, a survey conducted by the Ponemon Institute revealed the average time to apply, test, and deploy a patch for a zero-day vulnerability was 97 days after the patch was released.

The advice of HC3 is to “patch early, patch often, patch completely.” HC3 provides up-to-date information on actively exploited zero-days and the available patches to fix zero-day flaws. HC3 also suggests implementing a web-application firewall to review incoming traffic and filter out malicious input, as this can prevent threat actors from gaining access to vulnerable systems. It is also recommended to use runtime application self-protection (RASP) agents, which sit inside applications’ runtime and can detect anomalous behavior. Segmenting networks is also strongly recommended.

The TLP: WHITE Zero-Day Threat Brief is available for download on this link.

The post HHS Warns Healthcare Sector About Risk of Zero-day Attacks appeared first on HIPAA Journal.

Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Posted by HIPAA Journal

Five vulnerabilities have been identified that affect the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBride EC 40 and EC 80 Hub

Two vulnerabilities have been identified that affect C.00.04 and prior versions of the IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of the vulnerabilities could allow an unauthorized individual to execute software, change system configurations, and update/view files that may include unidentifiable patient data.

The first vulnerability is due to the use of hard-coded credentials – CVE-2021-32993 – in the software for its own inbound authentication, outbound communication to external components, or the encryption of internal data. The second vulnerability is an authentication bypass issue – CVE-2021-33017. While the standard access path of the product requires authentication, an alternative path has been identified that does not require authentication.

Both vulnerabilities have been assigned a CVSS v3 severity score of 8.1 out of 10.

Philips has not yet issued an update to correct the vulnerabilities but expects to fix the flaws by the end of the year. In the meantime, Philips recommends only deploying the products within Philips authorized specifications, and only using Philips-approved software, software configuration, system services, and security configurations. The devices should also be logically or physically isolated from the hospital network.

Patient Information Center iX and Efficia CM Series Patient Monitors

Three vulnerabilities have been identified that affect the Philips Patient Information Center iX and Efficia CM series patient monitors. The flaws could be exploited to gain access to patient data and to conduct a denial-of-service attack. While exploitation has a low attack complexity, the flaws could only be exploited via an adjacent network.

The vulnerabilities affect the following Philips products:

  • Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
  • Efficia CM Series: Revisions A.01 to C.0x and 4.0

Vulnerable versions of the PIC iX do not adequately validate input to determine whether the input has the properties to be processed safely and correctly. The vulnerability is tracked as CVE-2021-43548 and has been assigned a CVSS severity score of 6.5 out of 10.

A hard-coded cryptographic key has been used which means it is possible for encrypted data to be recovered from vulnerable versions of the PIC iX. The flaw is tracked as CVE-2021-43552 and has a CVSS score of 6.1.

A broken or risky cryptographic algorithm means sensitive data may be exposed in communications between PIC iX and Efficia CM Series patient monitors. The vulnerability is tracked as CVE-2-21-43550 and has a CVSS score of 5.9.

CVE-2021-43548 has been remediated in PIC iX C.03.06 and updates to fix the other two vulnerabilities are due to be released by the end of 2022.

To reduce the potential for exploitation of the vulnerabilities, the products should only be used in accordance with Philips authorized specifications, which include physically or logically isolating the devices from the hospital local area network, and using a firewall or router that can implement access control lists restricting access in and out of the patient monitoring network for only necessary ports and IP addresses.

Philips-issued hardware has Bitlocker Drive Encryption enabled by default and this should not be disabled. Prior to disposal, NIST SP 800-88 media sanitization guidelines should be followed. Patient information is not included in archives by default, so if archives are exported that contain patient information, the information should be stored securely with strong access controls.

The post Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors appeared first on HIPAA Journal.

Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities

Posted by HIPAA Journal

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warning of ongoing attacks by an Iranian Advanced Persistent Threat (APT) actor on critical infrastructure sectors including the healthcare and public health sector.

Cyber actors known to be associated with the Iranian government have been exploiting vulnerabilities in the Fortinet FortiOS operating system since at least March 2021, and have been leveraging a Microsoft Exchange ProxyShell vulnerability since October 2021 to gain access to targets’ networks.

The attacks appear to be focused on exploiting the vulnerabilities rather than any specific sector. Once the vulnerabilities have been exploited to gain a foothold in networks, the threat actor can perform a range of follow-on operations, which have included data exfiltration and data encryption.

The threat actors are exploiting three vulnerabilities in Fortinet Devices – CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812, and the CVE-2021-34473 in Microsoft Exchange. Patches have been released to fix the flaws that are being exploited, but many organizations have been slow to apply the patches and remain vulnerable.

Post-exploitation, the threat actors use legitimate tools to achieve their objectives, including Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI, WinRAR for archiving data of interest, and FileZilla for transferring files. They are known to make modifications to the Task Scheduler and establish new user accounts on domain controllers, servers, workstations, and active directories. In some attacks, the accounts have been created to look similar to genuine accounts on the network to reduce the risk of detection. Data of interest have been exfiltrated via File Transfer Protocol (FTP) transfers over port 443.

The alert provides Indicators of Compromise (IoCs) for organizations using Fortinet devices and/or Microsoft Exchange, and several mitigations that will reduce the risk of compromise, the most important of which is to apply the patches to fix the above vulnerabilities as soon as possible.

The post Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities appeared first on HIPAA Journal.