Healthcare Cybersecurity

Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning about six vulnerabilities in the ZOLL Defibrillator Dashboard, including a critical remote code execution flaw with a CVSS v3 severity score of 9.9.

The vulnerabilities were reported to CISA anonymously and affect all versions of the ZOLL Defibrillator Dashboard prior to version 2.2. Some of the flaws can be exploited remotely and require a low level of skill to exploit.

Exploitation of the vulnerabilities could allow a non-administrative user to achieve remote code execution and steal credentials, compromising the confidentiality, integrity, and availability of the application.

ZOLL has confirmed that all six vulnerabilities have been fixed in version 2.2 of the ZOLL Defibrillator Dashboard. Customers have been advised to upgrade to version 2.2 or later as soon as possible. ZOLL also advised that, in the event of any discrepancy between the data shown in the Dashboard and the data held on a defibrillator, the defibrillator device should be treated as the source of accurate data.

The vulnerabilities, with their CVSS v3 scores, weakness types, and the risk each poses, are as follows:

  • CVE-2021-27489 – CVSS 9.9 – Unrestricted file upload – Remote code execution
  • CVE-2021-27481 – CVSS 7.1 – Hard-coded cryptographic key – Theft of sensitive information
  • CVE-2021-27487 – CVSS 7.1 – Sensitive data stored in cleartext – Theft of sensitive information
  • CVE-2021-27485 – CVSS 7.1 – Passwords stored in a recoverable format – Theft of credentials
  • CVE-2021-27483 – CVSS 5.3 – Improper privilege management – Elevation of privileges to administrator level
  • CVE-2021-27479 – CVSS 4.6 – Improper neutralization of input during web page generation (cross-site scripting) – Injection of malicious scripts that are executed by higher-privileged users
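As an added illustration of the weakness class behind CVE-2021-27489 (CWE-434, unrestricted upload of a file with a dangerous type), and not code from ZOLL or the Dashboard, the following Python compares an upload handler that trusts the client's filename with one that allowlists extensions, checks the content against the claimed type, chooses its own filename, and verifies that the file lands in a directory the application server neither serves nor executes. The scratch directory layout, the PDF/CSV allowlist, and the sample uploads (including the JSP web shell body) are constructed for the example.

```python
"""CWE-434 illustration: a file upload handler that trusts the client versus
one that does not. Hypothetical code written for this article, not ZOLL's.
The allowlist, directory layout and sample uploads are assumptions."""
import os
import secrets
import tempfile

# Constructed sample uploads: (client-supplied filename, body).
BENIGN_PDF = ("report.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n")
WEB_SHELL = ("shell.jsp", b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
FAKE_PDF = ("notes.pdf", b"<% out.println(1); %>")        # right extension, wrong content
TRAVERSAL = ("../webroot/evil.pdf", BENIGN_PDF[1])          # tries to land in the served tree

# Extension allowlist -> leading bytes the content must have (None = must be UTF-8 text).
ALLOWED = {".pdf": b"%PDF-", ".csv": None}
MAX_BYTES = 10 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def save_upload_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """The weak pattern: the client's filename decides both the extension and,
    through '..', the directory. If the server executes scripts from the target
    tree, uploading a .jsp/.php/.aspx file is remote code execution."""
    dest = os.path.join(upload_dir, filename)           # '..' is not stripped
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def save_upload_hardened(upload_dir: str, filename: str, data: bytes) -> str:
    """Allowlisted extension, content checked against the claimed type,
    server-chosen random name, and a path verified to stay inside a directory
    that the web tier neither serves nor executes."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()   # drop any path
    if ext not in ALLOWED:
        raise UploadRejected("extension %r not allowed" % ext)
    magic = ALLOWED[ext]
    if magic is not None:
        if not data.startswith(magic):
            raise UploadRejected("content does not match extension")
    else:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not valid UTF-8")
    base = os.path.realpath(upload_dir)
    os.makedirs(base, exist_ok=True)
    dest = os.path.realpath(os.path.join(base, secrets.token_hex(16) + ext))
    if os.path.dirname(dest) != base:                    # belt and braces
        raise UploadRejected("path escapes upload directory")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both handlers against the constructed uploads in a scratch tree:
    <root>/uploads (storage) beside <root>/webroot (hypothetically served)."""
    root = tempfile.mkdtemp()
    upload_dir = os.path.join(root, "uploads")
    webroot = os.path.join(root, "webroot")
    os.makedirs(upload_dir)
    os.makedirs(webroot)
    results = {}
    save_upload_vulnerable(upload_dir, "../webroot/" + WEB_SHELL[0], WEB_SHELL[1])
    results["vuln_shell_in_webroot"] = os.path.isfile(os.path.join(webroot, "shell.jsp"))
    saved = save_upload_hardened(upload_dir, *BENIGN_PDF)
    results["hardened_pdf_saved_inside"] = os.path.dirname(saved) == os.path.realpath(upload_dir)
    results["hardened_name_randomised"] = os.path.basename(saved) != BENIGN_PDF[0]
    for label, (name, body) in (("shell", WEB_SHELL), ("fake_pdf", FAKE_PDF)):
        try:
            save_upload_hardened(upload_dir, name, body)
            results["hardened_rejects_" + label] = False
        except UploadRejected:
            results["hardened_rejects_" + label] = True
    saved = save_upload_hardened(upload_dir, *TRAVERSAL)
    results["hardened_traversal_stays_inside"] = (
        os.path.dirname(saved) == os.path.realpath(upload_dir)
        and not os.path.exists(os.path.join(webroot, "evil.pdf")))
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print("%-34s %s" % (check, outcome))
```

The extension allowlist on its own is not enough: the hardened handler also refuses to trust the Content-Type header (it checks the bytes), never lets the client pick the stored name, and relies on the upload directory being outside anything the web or application server will execute.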

No exploitation of the vulnerabilities in the wild has been reported.

The post Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard appeared first on HIPAA Journal.

Critical VMware vCenter Software Vulnerability Under Attack

A critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation is being actively exploited by cyber actors to take full control of unpatched systems. The flaw, tracked as CVE-2021-21985, stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in the vSphere Client. VMware announced the flaw and released a patch on May 25, 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for attackers and there is a high risk of exploitation. A reliable proof-of-concept exploit for the vulnerability is now in the public domain.

Thousands of vCenter servers are exposed to the Internet and vulnerable to attack. Mass scanning for vulnerable VMware vSphere hosts is under way, and several security researchers have reported that honeypots they set up running vulnerable versions of vCenter Server have been scanned for the vulnerability.

Today, the Department of Health and Human Services’ Office for Civil Rights issued a cyber alert reiterating the importance of patching the vulnerability, explaining CISA identified several agencies that have not yet applied the patch and are vulnerable to attack.

According to VMware, “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

Security researcher Kevin Beaumont said his honeypot was infected with a web shell after the vulnerability was exploited. “vCenter is a virtualization management software,” he said. “If you hack it, you control the virtualization layer (e.g., VMware ESXi)—which allows access before the OS layer (and security controls). This is a serious vulnerability, so organizations should patch or restrict access to the vCenter server to authorized administrators.”

If the patch cannot be applied immediately, VMware has published a workaround that reduces the risk of exploitation: disabling the affected vCenter Server plug-ins (the vSAN Health Check plug-in, along with the Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins) until the patch is installed. Note that vSAN health monitoring is unavailable while the vSAN plug-in is disabled. The workaround should be implemented immediately, together with restricting network access to the vCenter Server management interface to authorized administrators.


Vulnerabilities Identified in Hillrom Medical Device Management Products

Two medium-severity vulnerabilities have been identified in Hillrom medical device management tools that could result in the leakage of sensitive data, memory corruption, and remote code execution.

An out-of-bounds write vulnerability, tracked as CVE-2021-27410, could allow an attacker to corrupt memory and execute arbitrary code remotely. Exploitation is highly complex, however, which is reflected in the flaw's CVSS v3 severity score of 5.9 out of 10.

The second flaw is an out-of-bounds read issue that could result in information leakage and arbitrary code execution if combined with the out-of-bounds write vulnerability. The flaw is tracked as CVE-2021-27408 and has been assigned a CVSS severity score of 5.9.

The flaws affect the following Hillrom Welch Allyn medical device management tools:

  • Welch Allyn Service Tool: versions prior to v1.10
  • Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): versions prior to v5.3
  • Welch Allyn Software Development Kit (SDK): versions prior to v3.2
  • Welch Allyn Connex Central Station (CS): versions prior to v1.8.6
  • Welch Allyn Service Monitor: versions prior to v1.7.0.0
  • Welch Allyn Connex Vital Signs Monitor (CVSM): versions prior to v2.43.02
  • Welch Allyn Connex Integrated Wall System (CIWS): versions prior to v2.43.02
  • Welch Allyn Connex Spot Monitor (CSM): versions prior to v1.52
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: versions prior to v1.11.00

The vulnerabilities were identified by Itamar Cohen-Matalon of Medigate Research Labs, who reported them to Hillrom. Hillrom has released software updates to correct the flaws, and customers are advised to upgrade to the latest versions to prevent exploitation. At present, there are no reported cases of exploitation of the vulnerabilities.

Product versions with the vulnerabilities corrected are listed below:

  • Welch Allyn Service Tool: v1.10
  • Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): v5.3 (available Summer 2021)
  • Welch Allyn Software Development Kit (SDK): v3.2
  • Welch Allyn Connex Central Station (CS): v1.8.6 (available Fall 2021)
  • Welch Allyn Service Monitor: v1.7.0.0
  • Welch Allyn Connex Vital Signs Monitor (CVSM): v2.43.02
  • Welch Allyn Connex Integrated Wall System (CIWS): v2.43.02
  • Welch Allyn Connex Spot Monitor (CSM): v1.52
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: v1.11.00 (available Fall 2021)

Hillrom also recommends applying proper network and physical security controls, applying authentication for server access, and applying data execution prevention (DEP) where possible to prevent shellcode from running.


Critical Vulnerabilities Identified in MesaLabs Laboratory Temperature Monitoring System

Five vulnerabilities have been identified in the MesaLabs AmegaView continuous monitoring system used in hospital laboratories, forensics labs, and biotech firms. Two of the flaws are critical command injection vulnerabilities with CVSS severity scores of 9.9/10 and 10/10. The vulnerabilities affect AmegaView Versions 3.0 and prior and were identified by Stephen Yackey of Securifera.

In order of severity, the vulnerabilities are as follows:

  • CVE-2021-27447 – CVSS 10/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.
  • CVE-2021-27449 – CVSS 9.9/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute commands in the web server.
  • CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions which could be exploited to elevate privileges on the device.
  • CVE-2021-27451 – CVSS 7.3/10 – Improper authentication due to passcodes being generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
  • CVE-2021-27453 – CVSS 7.3/10 – Authentication bypass issue that could allow an attacker to gain access to the web application.

There are currently no public exploits that specifically target these vulnerabilities. Since AmegaView reaches end-of-life at the end of this year, MesaLabs has taken the decision not to release patches to correct the vulnerabilities. Instead, all users of the vulnerable products have been advised to upgrade to newer Viewpoint software compatible with AmegaView hardware.

Should this not be possible, or until it is, vulnerable products should be placed behind firewalls, isolated from the business network, and kept inaccessible from the Internet. If remote access is required, it should be restricted to Virtual Private Networks (VPNs), and the VPN software should be kept updated to the most current version.

Prior to implementing any new defensive measures, an impact analysis and risk assessment should be performed.


FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors

The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning users of Fortinet FortiGate appliances that Advanced Persistent Threat (APT) groups are targeting devices that have not been patched for three CVEs: CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812.

These are not zero-day vulnerabilities; patches have been available for some time, but many organizations have been slow to apply them and are now being targeted. In early April, the FBI, in conjunction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), issued a Joint Cybersecurity Advisory warning that the vulnerabilities could be exploited by threat actors to conduct data exfiltration and data encryption, and to pre-position for follow-on attacks.

In the recent Flash Alert, the FBI confirmed that an APT actor has been attempting to exploit the vulnerabilities since at least May 2021, and almost certainly exploited the vulnerabilities to gain access to a webserver hosting the domain for a U.S. municipal government. In that instance, the threat actors most likely created a new account – named elie – for conducting further malicious activities on the network.

Attacks exploiting the vulnerabilities do not appear to be targeted on any specific industry sector, instead the APT actor is simply attempting to exploit unpatched vulnerabilities. To date, victims have been in a broad range of industry sectors.

The APT actor creates new user accounts on domain controllers, servers, workstations, and in Active Directory. In addition to accounts named elie and WADGUtilityAccount, the actor has created accounts that look similar to legitimate existing accounts on the network, specific to each victim organization.

The APT actor is known to make modifications to the Task Scheduler that may display as unrecognized scheduled tasks or ‘actions’, in particular, associated with SynchronizeTimeZone. Several tools have been used in the attacks, including Mimikatz for credential theft, MinerGate for cryptocurrency mining, WinPEAS for privilege escalation, SharpWMI for Windows Management Instrumentation, BitLocker for data encryption, and FileZilla for file transfers, with outbound FTP transfers identified over port 443.

Users of FortiGate appliances should ensure that patches are applied as soon as possible to correct the above vulnerabilities. The FBI also advises that organizations that do not use FortiOS should add the key artifact files used by FortiOS to their execution denylists, to block any attempt to install or run FortiOS and its associated files.

Since exploitation may already have occurred, system administrators should review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts, and should review Task Scheduler for unrecognized scheduled tasks. The FBI also recommends manually reviewing operating-system-defined or recognized scheduled tasks for unrecognized “actions,” and reviewing antivirus logs for indications that protection was unexpectedly turned off.
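As an added example of the review described above, and not code from the FBI, CISA or Fortinet, the following Python runs a hunt over constructed Windows Security events (4720 user account created, 4698/4702 scheduled task created/updated), a constructed Windows Defender operational event (5001, real-time protection disabled), and constructed outbound connection records whose first payload bytes reveal FTP or plaintext HTTP on port 443. The lookalike-account heuristic, the assumed legitimate action for the built-in SynchronizeTimeZone task (tzsync.exe), the list of legitimate accounts, and all sample records are this example's own.

```python
"""Post-exploitation hunt for the artefacts named in the FBI Flash. Written
for this article; not FBI, CISA or Fortinet code. All records are constructed,
and the lookalike heuristic and the expected tzsync.exe action are assumptions."""
import difflib

IOC_ACCOUNTS = {"elie", "wadgutilityaccount"}              # account names in the Flash
IOC_TASK = "synchronizetimezone"                           # task the Flash says is tampered with
EXPECTED_TZ_ACTION = r"%windir%\system32\tzsync.exe"       # assumed legitimate action
LEGIT_ACCOUNTS = {"jsmith", "svc_backup", "administrator", "helpdesk"}   # constructed

# Constructed events: (log, event_id, fields)
EVENTS = [
    ("Security", 4720, {"TargetUserName": "elie", "SubjectUserName": "administrator"}),
    ("Security", 4720, {"TargetUserName": "WADGUtilityAccount", "SubjectUserName": "administrator"}),
    ("Security", 4720, {"TargetUserName": "svc-backup", "SubjectUserName": "jsmith"}),
    ("Security", 4720, {"TargetUserName": "mlopez", "SubjectUserName": "helpdesk"}),
    ("Security", 4702, {"TaskName": r"\Microsoft\Windows\Time Synchronization\SynchronizeTimeZone",
                        "Command": r"C:\Users\Public\svchost.exe", "SubjectUserName": "elie"}),
    ("Security", 4698, {"TaskName": r"\BackupNightly", "Command": r"C:\Tools\backup.exe",
                        "SubjectUserName": "svc_backup"}),
    ("Microsoft-Windows-Windows Defender/Operational", 5001, {"Computer": "WS-0142"}),
]

# Constructed outbound connections: (dst_ip, dst_port, first payload bytes)
FLOWS = [
    ("203.0.113.10", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),   # TLS ClientHello
    ("198.51.100.7", 443, b"USER anonymous\r\n"),                      # FTP on 443
    ("198.51.100.7", 443, b"STOR export_2021.zip\r\n"),
    ("203.0.113.44", 443, b"GET / HTTP/1.1\r\n"),                      # plaintext HTTP on 443
]
FTP_VERBS = (b"USER", b"PASS", b"STOR", b"RETR", b"PASV", b"220 ", b"230 ")


def lookalike_of(name):
    """Return the legitimate account that `name` imitates, or None.
    Catches separator/case swaps (svc-backup vs svc_backup) and near misses."""
    def squash(s):
        return "".join(ch for ch in s.lower() if ch.isalnum())
    if name.lower() in LEGIT_ACCOUNTS:
        return None                                 # it is the real account, not a copy
    for legit in sorted(LEGIT_ACCOUNTS):
        if squash(name) == squash(legit):
            return legit
        if difflib.SequenceMatcher(None, name.lower(), legit.lower()).ratio() >= 0.85:
            return legit
    return None


def hunt(events=EVENTS, flows=FLOWS):
    """Return (finding_kind, detail) pairs, events first, then connections."""
    findings = []
    for log, event_id, f in events:
        if log == "Security" and event_id == 4720:              # user account created
            user = f["TargetUserName"]
            if user.lower() in IOC_ACCOUNTS:
                findings.append(("ioc_account_created", user))
            else:
                legit = lookalike_of(user)
                if legit:
                    findings.append(("lookalike_account_created", "%s ~ %s" % (user, legit)))
        elif log == "Security" and event_id in (4698, 4702):    # task created / updated
            task = f["TaskName"]
            if IOC_TASK in task.lower() and f.get("Command", "").lower() != EXPECTED_TZ_ACTION.lower():
                findings.append(("timezone_task_tampered", "%s -> %s" % (task, f.get("Command", "<none>"))))
        elif "Windows Defender" in log and event_id == 5001:    # real-time protection turned off
            findings.append(("realtime_protection_disabled", f.get("Computer", "?")))
    for dst, port, first in flows:
        if port == 443 and not first.startswith(b"\x16\x03"):   # not a TLS record on a TLS port
            kind = "ftp_over_443" if first.startswith(FTP_VERBS) else "non_tls_on_443"
            findings.append((kind, "%s: %s" % (dst, first.split(b"\r\n")[0].decode("latin-1"))))
    return findings


if __name__ == "__main__":
    for kind, detail in hunt():
        print("%-30s %s" % (kind, detail))
```

The ordinary new account (mlopez) and the ordinary scheduled task produce no findings, while the separator-swapped svc-backup is reported against the real svc_backup; the port-443 check works only where the sensor records the first payload bytes, since the Flash's FTP-over-443 transfers look like HTTPS in a flow log that records ports alone.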

Further mitigations to deal with the threat are detailed in the Flash Alert, a copy of which has been made available by the American Hospital Association.


SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign

Microsoft has discovered a large-scale spear phishing campaign being conducted by the Russian Advanced Persistent Threat (APT) group behind the SolarWinds Orion supply chain attack.

The spear phishing campaign has been active since at least January 2021 and is attributed to the APT group Microsoft tracks as Nobelium. The group has experimented with various delivery techniques, including leveraging the Google Firebase platform and HTML email attachments to deliver a malicious ISO file carrying a variety of malware payloads.

Nobelium escalated the campaign on May 25, 2021 when it started using the Constant Contact mass-mailing service to distribute messages to targets in a wide range of industry verticals. The latest campaign targeted around 3,000 individual accounts across 150 organizations, most of which were in the United States. Each target had its own unique infrastructure and tooling, which has helped the group stay under the radar.

The attackers gained access to the Constant Contact account of the U.S. Agency for International Development (USAID) and delivered spear phishing messages under the guise of a USAID Special Alert. The messages have a reply-to address on the usaid.gov domain and were sent from the in.constantcontact.com domain.

Example Phishing email. Source: Microsoft

The messages claimed “Donald Trump has published new documents on election fraud”, with the messages including a button to click to view the documents. If the recipient clicks the link in the email, they are directed to the legitimate Constant Contact service, and then redirected to a URL under the control of Nobelium that delivers a malicious ISO file. Within the ISO file are a decoy document, a .lnk shortcut that executes a Cobalt Strike Beacon loader, and a malicious DLL file that is a Cobalt Strike Beacon loader and backdoor dubbed NativeZone by Microsoft.

Once the payloads are deployed, Nobelium gains persistent access to compromised systems and can subsequently complete further objectives such as lateral movement, data exfiltration, and the delivery of additional malware.

A previous campaign in May also used the combination of HTML and ISO files, which dropped a .NET first-stage implant – TrojanDownloader:MSIL/BoomBox – that was used for reconnaissance and to download additional malicious payloads from Dropbox.

The phishing campaign is being investigated by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Constant Contact issued a statement confirming that the account credentials of one of its customers were compromised. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” said Constant Contact.

Microsoft has warned that the tactics, techniques, and procedures used by Nobelium have had a high rate of evolution. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics,” warned Microsoft.

Microsoft has published Indicators of Compromise (IoCs) and has suggested several mitigations that can reduce the impact of this threat, including the use of antivirus software, enabling network protection to prevent applications or users from accessing malicious domains, and implementing multi-factor authentication to prevent the use of compromised credentials.


Healthcare Organizations Facing Higher Cyber Insurance Costs for Less Coverage

The number of cyberattacks now being reported is higher than ever before. A couple of years ago, healthcare cyberattacks were being reported at a rate of one per day, but in 2021, there have been months where attacks have been reported at twice that rate.

The severity of cyberattacks has also increased and the cost of responding to and recovering from cyberattacks is now much higher. The likelihood of a serious cyberattack occurring and the high costs of remediating such an attack have prompted many healthcare organizations to take out a cyber insurance policy to cover the cost.

The Government Accountability Office (GAO) has recently published a study of the cyber insurance market as required by the National Defense Authorization Act for Fiscal Year 2021. GAO conducted the study of the cyber insurance market to identify key trends and the challenges faced by insurers and the options available to address them.

GAO studied cyber insurance policies, reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry, and interviews were conducted with treasury officials and two industry associations representing cyber insurance providers, an organization providing policy language services to insurers, and one large cyber insurance provider.

GAO found that the proportion of insurance clients holding a cyber insurance policy increased from 26% in 2016 to 47% in 2020, a rise of 21 percentage points. As demand for cyber insurance has increased, so too have premiums: the increase in attack frequency and severity has driven prices up dramatically, and according to the study more than half of cyber insurance clients saw their premiums increase by between 10% and 30% in late 2020.

Insurance costs have increased, but coverage has decreased. In certain industry sectors, including healthcare and education, insurers have reduced coverage limits, meaning victims of cyberattacks often have to cover part of the cost themselves.

Many insurers have stopped including coverage for cyberattacks within their existing policies and instead now offer policies specific to cyber risk, but there have been several challenges in creating these policies. Without access to comprehensive, high quality data on losses due to cyberattacks, the insurance industry has found it difficult to price policies appropriately. Industry stakeholders have suggested federal and state governments and industries should collect and share data on incident response, which will help the insurance industry develop better insurance products and price them accordingly.

There have also been problems with the definitions used and what exactly is covered by a cyber insurance policy. For instance, many policies cover cyberterrorism, but it is unclear exactly what cyberterrorism includes. Industry stakeholders have called for better definitions of cyberattacks to be developed to help both insurers and their clients understand exactly what is covered by insurance policies.

GAO found that many businesses, especially smaller businesses, are underestimating their cyber risks and the amount of insurance coverage they need. Researchers also identified many businesses that have failed to take out a policy as they have not understood the magnitude of risks they face, and do not see the value in cyber insurance as they do not believe it will cover the cost of a cyberattack because there are too many exclusions. Better definitions of cyberattacks and exactly what is covered could help these businesses take out the coverage they need.


FBI Warns of Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash notice about ongoing Conti ransomware attacks targeting healthcare and first responder networks. According to the FBI, the Conti ransomware gang has attacked 16 healthcare and first responder organizations in the United States.

In addition to healthcare providers, the gang has attempted ransomware attacks on 911 dispatch centers, emergency medical services, law enforcement agencies and municipalities. The gang is known to have conducted attacks on 400 organizations worldwide, including a recent attack on the Health Service Executive (HSE) and Department of Health (DoH) in Ireland. To date, the gang has claimed 290 victims in the United States.

Conti ransomware is believed to be operated by the Russian cybercrime group Wizard Spider as a ransomware-as-a-service (RaaS) operation. The group is known for attacking large organizations and issuing huge ransom demands, which have been as high as $25 million. The ransom demand for each victim is set based on the extent of the encryption and the perceived ability of the victim to pay.

As is now common in ransomware attacks, the Conti gang exfiltrates sensitive data prior to file encryption and threatens to sell or publish the data if the ransom is not paid. Victims are given 8 days to pay; if a victim has not made contact, the gang typically reaches out after 2 to 8 days, using Voice over Internet Protocol (VoIP) services or encrypted email such as ProtonMail, to pressure the victim into paying.

Attacks usually start with phishing emails that include weaponized hyperlinks or email attachments or the use of stolen Remote Desktop Protocol (RDP) credentials. Prior to the disruption of the Emotet botnet, the attackers used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to deploy the Emotet Trojan onto the network, which allowed the threat group to deliver their ransomware payload. The group has also been known to use the TrickBot Trojan in their attacks. The time from the initial compromise to the deployment of ransomware is usually between 4 days and 3 weeks, with the ransomware payload often delivered using dynamic link libraries (DLLs).

Where possible the threat group uses tools already present on the network, supplemented with additional tools such as Windows Sysinternals and Mimikatz, to obtain credentials, escalate privileges, and move laterally. After encrypting files, the gang often remains in the network and beacons out using Anchor DNS. The group's remote access tools beacon out to domestic and international VPS infrastructure over ports 80, 443, and 8443, with port 53 often used for persistence. Indicators of an attack in progress include the creation of new accounts, the installation of tools such as Sysinternals, disabled detection, and constant HTTP and DNS beacons.
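Since the Flash lists constant HTTP and DNS beacons as an indicator, here is an added example (not FBI code) of finding them in connection logs: group connections by source, destination and port, and report groups that recur at a near-constant interval. The flow records are constructed with seeded random jitter, and the thresholds (at most 15% jitter across at least eight connections) are this example's own tuning; real tooling would also weigh connection sizes and durations.

```python
"""Periodic-beacon detection over connection records. Written for this
article, not FBI code. The flows are constructed with seeded jitter; the
thresholds are this example's own."""
import random
import statistics
from collections import defaultdict

BEACON_PORTS = {53, 80, 443, 8443}   # outbound ports named in the Flash
MIN_CONNECTIONS = 8                  # assumed: fewer connections than this cannot be called periodic
MAX_JITTER = 0.15                    # assumed: std-dev of the gaps divided by the mean gap


def make_flows(seed=7):
    """Constructed sample: 10.20.1.57 beacons to a VPS on 443 about every 60 s
    (with the ~10% jitter implants commonly add) and does a DNS beacon on 53
    about every 300 s; 10.20.1.88 browses irregularly. Records are
    (timestamp_seconds, src_ip, dst_ip, dst_port)."""
    rnd = random.Random(seed)
    flows = []
    t = 0.0
    for _ in range(30):
        t += 60 * rnd.uniform(0.9, 1.1)
        flows.append((t, "10.20.1.57", "198.51.100.23", 443))
    t = 0.0
    for _ in range(10):
        t += 300 * rnd.uniform(0.95, 1.05)
        flows.append((t, "10.20.1.57", "198.51.100.9", 53))
    t = 0.0
    for _ in range(40):
        t += rnd.expovariate(1 / 45)           # human-driven: no fixed period
        flows.append((t, "10.20.1.88", "203.0.113.5", 443))
    return sorted(flows)


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Group by (src, dst, dport) and report groups whose connection gaps are
    both numerous and nearly constant. Jitter is the coefficient of variation
    of the gaps: a 60 s beacon with +/-10% jitter scores about 0.06, while
    irregular traffic scores near 1."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in sorted(by_pair.items()):
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(times),
                "period_s": round(mean, 1),
                "jitter": round(jitter, 3),
                "port_named_in_flash": dport in BEACON_PORTS,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(make_flows()):
        print("%(src)s -> %(dst)s:%(dport)s every %(period_s)ss "
              "(jitter %(jitter)s, n=%(connections)s)" % f)
```

Both beacons from 10.20.1.57 are reported and the irregular browsing host is not. The same grouping works on proxy logs or DNS query logs; for DNS, group on the queried domain rather than the resolver address, since an Anchor-style beacon reaches the resolver on port 53 like every other lookup.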

The FBI does not recommend paying ransoms, as payment neither guarantees the recovery of files nor prevents the sale or publication of stolen data. The FBI has requested that all victims of Conti ransomware attacks share information about the attacks with the FBI, including boundary logs showing communications to and from foreign IP addresses, Bitcoin wallet information, decryptor files, and/or benign samples of encrypted files.

The FBI has published several mitigations that can be implemented to harden defenses against Conti and other ransomware attacks.  These include:

  • Regularly back up data, test backups, and store backups on air-gapped devices.
  • Retain multiple copies of sensitive and proprietary data on servers that are physically separate and cannot be accessed from the systems where data resides.
  • Implement network segmentation.
  • Use multi-factor authentication.
  • Patch and update systems, software, and firmware promptly.
  • Use strong passwords and regularly change passwords for network systems and accounts.
  • Disable hyperlinks in inbound email.
  • Add email banners to all inbound emails from external sources.
  • Conduct regular user account audits for accounts with administrative privileges.
  • Only use secure networks and avoid public Wi-Fi networks.
  • Use a VPN for remote access.
  • Ensure all members of the workforce are provided with regular security awareness training.


U.S. Advances 5 Bills to Improve Cyber Defenses of SLTT Governments and Critical Infrastructure Entities

In the wake of the SolarWinds Supply chain attack, ransomware attack on Colonial Pipeline, and President Biden’s cybersecurity executive order, the U.S. House Committee on Homeland Security has cleared five bipartisan bills that seek to address cybersecurity and improve the defenses of state, local, tribal, and territorial (SLTT) governments and critical infrastructure entities.

The cyberattack on Colonial Pipeline forced the company to shut down its 5,500-mile fuel pipeline that delivers 45% of the fuel required by the East Coast. In order to speed up recovery and minimize disruption, Colonial Pipeline’s CEO Joseph Blount authorized the payment of a $4.4 million ransom to the DarkSide ransomware gang; however, even though the ransom was paid, the fuel pipeline remained shut down for 5 days, causing major disruption to fuel supplies.

These attacks have highlighted major vulnerabilities in cybersecurity defenses which need to be addressed to improve national security.

The five bipartisan cybersecurity bills advanced this week are:

  • The Pipeline Security Act (H.R. 3243)
  • The State and Local Cybersecurity Improvement Act (H.R. 3138)
  • The Cybersecurity Vulnerability Remediation Act (H.R. 2980)
  • The CISA Cyber Exercise Act (H.R. 3223)
  • The Domains Critical to Homeland Security Act (H.R. 3264)

The Pipeline Security Act (H.R. 3243), introduced by Congressman Emanuel Cleaver (D-MO), had previously been introduced two years ago but failed to gain traction. The main purpose of the reintroduced bill is to codify the role of the Transportation Security Administration (TSA) in securing the nation’s natural gas and oil pipeline infrastructure against cyberattacks, terrorist attacks, and other threats.

The State and Local Cybersecurity Improvement Act (H.R. 3138), introduced by Congresswoman Yvette D. Clarke (D-NY), authorizes the creation of a new $500 million grant program that will provide funds to SLTT governments to help them secure their networks from ransomware and other types of cyberattacks.

The Cybersecurity Vulnerability Remediation Act (H.R. 2980), introduced by Congresswoman Sheila Jackson Lee (D-TX), gives the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) the authority to assist critical infrastructure owners and operators in developing mitigation strategies to protect against known, critical vulnerabilities.

The CISA Cyber Exercise Act (H.R. 3223), introduced by Congresswoman Elissa Slotkin (D-MI), creates a National Cyber Exercise program within CISA that will ensure more frequent testing of preparedness and resilience to cyberattacks on critical infrastructure.

The Domains Critical to Homeland Security Act (H.R. 3264), introduced by Ranking Member John Katko (R-NY), gives DHS the authority to conduct research and development into supply chain risks for critical domains of the United States economy, and to report the results to Congress.

A further two bills were introduced that tackle non-cybersecurity issues – the DHS Blue Campaign Enhancement Act (H.R. 2795) and the DHS Medical Countermeasures Act (H.R. 3263) – which strengthen DHS’ human trafficking prevention efforts and DHS’ medical countermeasures following chemical, biological, radiological, nuclear, or explosive attacks, disease outbreaks, and pandemics.
