Five vulnerabilities have been identified in the MesaLabs AmegaView continuous monitoring system used in hospital laboratories, forensics labs, and biotech firms. Two of the flaws are critical command injection vulnerabilities with CVSS severity scores of 9.9/10 and 10/10. The vulnerabilities affect AmegaView Versions 3.0 and prior and were identified by Stephen Yackey of Securifera.

In order of severity, the vulnerabilities are as follows:

• CVE-2021-27447 – CVSS 10/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.
• CVE-2021-27449 – CVSS 9.9/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute commands in the web server.
• CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions which could be exploited to elevate privileges on the device.
• CVE-2021-27451 – CVSS 7.3/10 – Improper authentication due to passcodes being generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
• CVE-2021-27453 – CVSS 7.3/10 – Authentication bypass issue that could allow an attacker to gain access to the web application.

There are currently no public exploits that specifically target these vulnerabilities. Since AmegaView reaches end-of-life at the end of this year, MesaLabs has taken the decision not to release patches to correct the vulnerabilities. Instead, all users of the vulnerable products have been advised to upgrade to newer Viewpoint software compatible with AmegaView hardware.

Should this not be possible, or until it is, it is recommended to locate vulnerable products behind firewalls and to isolate them from the network and ensure they are not accessible from the Internet. If remote access is required, Virtual Private Networks (VPNs) should be required for access, and VPNs should be updated to the most current version.

Prior to implementing any new defensive measures, an impact analysis and risk assessment should be performed.

The post Critical Vulnerabilities identified in MesaLabs Laboratory Temperature Monitoring System appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning users of Fortinet Fortigate appliances that Advanced Persistent Threat (APT) groups are targeting devices that have not been patched for three CVEs: CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812.

These are not zero-day vulnerabilities, as patches have been available for some time. Many organizations have been slow to apply the patches and are now being targeted. In early April, the FBI, in conduction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning that the vulnerabilities could be exploited by threat actors to conduct data exfiltration, data encryption, and to pre-position for follow-on attacks.

In the recent Flash Alert, the FBI confirmed that an APT actor has been attempting to exploit the vulnerabilities since at least May 2021, and almost certainly exploited the vulnerabilities to gain access to a webserver hosting the domain for a U.S. municipal government. In that instance, the threat actors most likely created a new account – named elie – for conducting further malicious activities on the network.

Attacks exploiting the vulnerabilities do not appear to be targeted on any specific industry sector, instead the APT actor is simply attempting to exploit unpatched vulnerabilities. To date, victims have been in a broad range of industry sectors.

The APT actor creates new user accounts on domain controllers, servers, workstations, and the active directories. In addition to creating accounts named elie and WADGUtilityAccount, new accounts have been created to look similar to legitimate existing accounts on the network and have been specific to each victim organization.

The APT actor is known to make modifications to the Task Scheduler that may display as unrecognized scheduled tasks or ‘actions’, in particular, associated with SynchronizeTimeZone. Several tools have been used in the attacks, including Mimikatz for credential theft, MinerGate for cryptocurrency mining, WinPEAS for privilege escalation, SharpWMI for Windows Management Instrumentation, BitLocker for data encryption, and FileZilla for file transfers, with outbound FTP transfers identified over port 443.

Users of Fortigate appliances should ensure that patches are applied as soon as possible to correct the above vulnerabilities, and non FortiOS users should add key artifact files used by FortiOS to execution denylists to block any attempts to run FortiOS and its associated files.

Since exploitation may have already occurred, system administrators should review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts and Task Scheduler should be reviewed for any unrecognized scheduled tasks. The FBI also recommends manually reviewing operating system defined or recognized scheduled tasks for unrecognized “actions.” Antivirus logs should also be reviewed for indications that they were unexpectedly turned off.

Further mitigations to deal with the threat are detailed in the Flash Alert, a copy of which is available from the American Hospital Association on this link.

The post FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors appeared first on HIPAA Journal.

The number of cyberattacks now being reported is higher than ever before. A couple of years ago, healthcare cyberattacks were being reported at a rate of one per day, but in 2021, there have been months where attacks have been reported at twice that rate.

The severity of cyberattacks has also increased and the cost of responding to and recovering from cyberattacks is now much higher. The likelihood of a serious cyberattack occurring and the high costs of remediating such an attack have prompted many healthcare organizations to take out a cyber insurance policy to cover the cost.

The Government Accountability Office (GAO) has recently published a study of the cyber insurance market as required by the National Defense Authorization Act for Fiscal Year 2021. GAO conducted the study of the cyber insurance market to identify key trends and the challenges faced by insurers and the options available to address them.

GAO studied cyber insurance policies, reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry, and interviews were conducted with treasury officials and two industry associations representing cyber insurance providers, an organization providing policy language services to insurers, and one large cyber insurance provider.

GAO found the number of insurance clients that hold a cyber insurance policy has increased from 26% in 2016 to 47% in 2020 – an increase of more than 60%. As demand for cyber insurance has increased, so too have insurance premiums. The increase in attack frequency and severity has seen insurance premiums increase dramatically. According to the study, more than half of cyber insurance clients saw their insurance premiums increase by between 10% and 30% in late 2020.

Insurance costs have increased, but coverage has decreased. In certain industry sectors, including healthcare and education, insurers have reduced coverage limits, meaning victims of cyberattacks often have to cover part of the cost themselves.

Many insurers have stopped including coverage for cyberattacks within their existing policies and instead now offer policies specific to cyber risk, but there have been several challenges in creating these policies. Without access to comprehensive, high quality data on losses due to cyberattacks, the insurance industry has found it difficult to price policies appropriately. Industry stakeholders have suggested federal and state governments and industries should collect and share data on incident response, which will help the insurance industry develop better insurance products and price them accordingly.

There have also been problems with the definitions used and what exactly is covered by a cyber insurance policy. For instance, many policies cover cyberterrorism, but it is unclear exactly what cyberterrorism includes. Industry stakeholders have called for better definitions of cyberattacks to be developed to help both insurers and their clients understand exactly what is covered by insurance policies.

GAO found that many businesses, especially smaller businesses, are underestimating their cyber risks and the amount of insurance coverage they need. Researchers also identified many businesses that have failed to take out a policy as they have not understood the magnitude of risks they face, and do not see the value in cyber insurance as they do not believe it will cover the cost of a cyberattack because there are too many exclusions. Better definitions of cyberattacks and exactly what is covered could help these businesses take out the coverage they need.

The post Healthcare Organizations Facing Higher Cyber Insurance Costs for Less Coverage appeared first on HIPAA Journal.

In the wake of the SolarWinds Supply chain attack, ransomware attack on Colonial Pipeline, and President Biden’s cybersecurity executive order, the U.S. House Committee on Homeland Security has cleared five bipartisan bills that seek to address cybersecurity and improve the defenses of state, local, tribal, and territorial (SLTT) governments and critical infrastructure entities.

The cyberattack on Colonial Pipeline forced the company to shut down its 5,500-mile fuel pipeline that delivers 45% of the fuel required by the East Coast. In order to speed up recovery and minimize disruption, Colonial Pipeline’s CEO Joseph Blount authorized the payment of a $4.4 million ransom to the DarkSide ransomware gang; however, even though the ransom was paid, the fuel pipeline remained shut down for 5 days, causing major disruption to fuel supplies.

These attacks have highlighted major vulnerabilities in cybersecurity defenses which need to be addressed to improve national security.

The five bipartisan cybersecurity bills advanced this week are:

• The Pipeline Security Act (H.R. 3243)
• The State and Local Cybersecurity Improvement Act (H.R. 3138)
• The Cybersecurity Vulnerability Remediation Act (H.R. 2980)
• The CISA Cyber Exercise Act (H.R. 3223)
• The Domains Critical to Homeland Security Act (H.R. 3264)

The Pipeline Security Act (H.R. 3243), introduced by Congressman Emanuel Cleaver (D-MO), had previously been introduced two years ago but failed to gain traction. The main purpose of the reintroduced bill is to codify the role of the Transportation Safety Administration (TSA) in securing the nation’s natural gas and oil infrastructure to guard pipeline systems against cyberattacks, terrorist attacks, and other threats.

The State and Local Cybersecurity Improvement Act (H.R. 3138), introduced by Congresswoman Yvette D. Clarke (D-NY), authorizes the creation of a new $500 million grant program that will provide funds to SLTT governments to help them secure their networks from ransomware and other types of cyberattacks.

The Cybersecurity Vulnerability Remediation Act (H.R. 2980), introduced by Congresswoman Sheila Jackson Lee (D-TX), gives the DHS’ Cybersecurity and Infrastructure Security (CISA) Agency the authority to assist critical infrastructure owners and operators in developing mitigation strategies to protect against known, critical vulnerabilities.

The CISA Cyber Exercise Act (H.R. 3223), introduced by Congresswoman Elissa Slotkin (D-MI), creates a National Cyber Exercise program within CISA that will ensure more frequent testing of preparedness and resilience to cyberattacks on critical infrastructure.

The Domains Critical to Homeland Security Act (H.R. 3264), introduced by Ranking Member John Katko (R-NY), gives the DHS the authority conduct research and development into supply chain risks for critical domains of the United States economy, and send the results to Congress.

A further two bills were introduced that tackle non-cybersecurity issues – the DHS Blue Campaign Enhancement Act (H.R. 2795) and the DHS Medical Countermeasures Act” (H.R. 3263) – which strengthen DHS’ human trafficking prevention efforts and DHS’ medical countermeasures following chemical, biological, radiological, nuclear, or explosive attacks, disease outbreaks and pandemics.

The post U.S Advances 5 Bills to Improve Cyber Defenses of SLTT Governments and Critical Infrastructure Entities appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on evicting threat actors from networks compromised in the SolarWinds Orion supply chain attacks and, including subsequent compromises of Active Directory and M365 environments.

The attacks have been attributed to threat actors tied to the Russian Foreign Intelligence Service (SVR). After gaining network access through the update mechanism of SolarWinds Orion, the threat actor selected targets of interest for further compromise and bypassed multi-factor authentication methods and moved laterally into Microsoft 365 environments by compromising federated identity solutions. Most of the targets selected for further compromise were government departments and agencies and critical infrastructure organizations, although private sector organizations may also have experienced more extensive compromises.

The guidance applies to evicting adversaries from on-premises and cloud environments and includes a 3-phase remediation plan. CISA notes that malicious compromises are unique to each victim, so careful consideration must be given to each of the steps and the guidance then applied to the unique environment of each breached entity to ensure success.

All three phases are required to fully evict an adversary from either on-premises or cloud environments, so shortcuts should not be taken. The failure to follow all steps could result in substantial, long-term undetected Advanced Persistent Threat (APT) activity, prolonged theft of data, and erosion of public trust in victims’ networks.

The guidance provides the plan for evicting adversaries from a network, but does not provide specific details on how the required actions should be taken.

Any attempt to evict an adversary from the network requires a pre-eviction phase, an eviction phase, and a post-eviction phase. The pre-eviction phase is concerned with confirming tactics, techniques, and procedures (TTTPs) associated with the attacks and fully investigating the true scope of compromise. During the remediation process, steps will be taken to improve security and build more resilient networks; however, the eviction process is complex, time-consuming, and will require business networks to be disconnected from the Internet for 3-5 days.

A thorough risk assessment must be conducted prior to any eviction attempt to understand the potential impacts on critical business functions. There will likely be disruption to business operations, so it is essential that the remediation efforts are properly planned, the impact on the business is fully understood, and appropriate resources are made available to limit disruption.

After completing all eviction steps, entities enter into the post-eviction phase which involves confirming the adversary has been evicted. This phase includes integrating detection mechanisms, configuring endpoint forensics and detection solutions for aggressive collection, and maintaining vigilance, with steps taken over the 60 days after completing the eviction phase.

“In the hours, days, and weeks after the network’s internet connection is restored, the agency’s detection capability will be important in verifying that all threat actor activity within the enterprise has stopped,” explained CISA. “Extended vigilance is necessary because this threat actor has demonstrated extreme patience with follow-on activity.”

CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise – can be found on this link.

The post CISA Issues Guidance on Evicting Adversaries from Networks Following SolarWinds Attacks appeared first on HIPAA Journal.