Healthcare Cybersecurity

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russia and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR).

The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks.

The NSA, CISA, and the FBI have previously shared mitigations that can be implemented to defend against the exploitation of these vulnerabilities, and patches are available to address all of the software flaws. While many organizations have now patched the flaws, the flaws may already have been exploited and networks compromised. Steps should be taken to identify whether systems have been compromised, and actions taken to mitigate the loss of sensitive information that could allow Russia to gain a strategic or competitive advantage.

The 5 software vulnerabilities most commonly exploited by the SVR hackers are:

| Vulnerability | Products | Description | Affected Versions |
|---|---|---|---|
| CVE-2018-13379 | Fortinet FortiGate VPNs | Unauthenticated attackers can download system files via HTTP resource requests | Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 |
| CVE-2019-9670 | Synacor Zimbra Collaboration Suite | XML External Entity injection (XXE) vulnerability | 8.7.x before 8.7.11p10 |
| CVE-2019-11510 | Pulse Secure VPNs | An unauthenticated remote attacker can send a specially crafted Uniform Resource Identifier (URI) to perform an arbitrary file read | PCS 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 |
| CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | Directory traversal vulnerability allowing an unauthenticated attacker to execute arbitrary code | Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15, and 10.5.70.12, and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b |
| CVE-2020-4006 | VMware Workspace One Access | Command injection vulnerability that allows an attacker with a valid password to execute commands with unrestricted privileges on the underlying operating system | VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 – 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 – 3.3.3 and 19.03, VMware Cloud Foundation 4.0 – 4.1, and VMware vRealize Suite Lifecycle Manager 8.x |

“NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations,” according to the alert (PDF).

Formal Attribution of SolarWinds Orion Supply Chain Attack

The United States government has also formally accused the Russian government of orchestrating and conducting the massive SolarWinds Orion supply chain attack, which saw the SVR gain access to around 18,000 computers worldwide and conduct more extensive attacks on cybersecurity companies of the United States and its allies – FireEye, Malwarebytes, Mimecast – and on federal agencies in the United States. Russia has also been formally accused of engaging in activities with the intent of disrupting the U.S. presidential election in November 2020.

Sanctions Imposed on Russia by President Biden

President Biden has signed an executive order blocking property and placing new restrictions on Russia’s sovereign debt to make it harder for the government to raise money. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has taken action against 16 entities and 16 individuals for their role in the campaign to influence the 2020 U.S. presidential election, under the direction of the Russian government.

All property and assets of those entities and individuals that are subject to U.S. jurisdiction have been blocked, and the entities and individuals have been added to OFAC’s SDN list. U.S. persons have been prohibited from engaging in transactions with them. Russian technology companies covered by the sanctions include SVA, Neobit, AST, Positive Technologies, Pasit, and ERA Technologies.

The post NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities appeared first on HIPAA Journal.

COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups

The global COVID-19 vaccine cold chain continues to be targeted by advanced persistent threat groups, according to an updated report from IBM Security X-Force. X-Force researchers previously published a report in December 2020 warning that cyber adversaries were targeting the COVID-19 cold chain to gain access to vaccine data, and the attacks continue to pose a major threat to vaccine distribution and storage.

There are currently more than 350 logistics partners that are part of the cold chain and are involved in the delivery and storage of vaccines at low temperatures. Since the initial report was published on cold chain phishing attacks, IBM X-Force researchers have identified a further 50 email message files tied to spear phishing campaigns, which have targeted 44 companies in 14 countries throughout Europe, the Americas, Africa, and Asia.

The companies being targeted underpin the transport, warehousing, storage, and distribution of COVID-19 vaccines, with the most targeted organizations involved in transportation, IT and electronics, and healthcare, such as companies in biomedical research, medical manufacturing, and pharmaceutical and hygiene services.

Threat actors, believed to be backed by nation states, have expanded their campaigns and are using spear phishing emails to steal credentials of CEOs, global sales officers, purchasing managers, HR officers, heads of plant engineering and others to gain privileged insight into national Advance Market Commitment (AMC) negotiations related to the procurement of vaccines, time tables for distribution, information on the passage of vaccines through nations and territories, export controls and international property rights, World Trade Organization (WTO) trade facilitation agreements, technical vaccine information, and other sensitive data.

The threat group behind this campaign appears to have an in-depth understanding of the vaccine cold chain. The emails used in the spear phishing campaign impersonate an executive from the Chinese biomedical company Haier Biomedical, which is the world’s only complete cold chain provider.

The emails request price quotations for service contracts regarding the Cold Chain Equipment Optimization Platform (CCEOP) program and reference products such as a solar-powered vaccine refrigerator and an ice-lined refrigerator from the Haier Biomedical product line. The emails also mention organizations involved in petrochemical production and the manufacturing of solar panels that align with those products, and the language used in the email reflects the educational background of the sender that is spoofed in the signature block.

The emails have malicious HTML attachments which are opened locally, with the user requested to provide their credentials to view the file. If credentials are entered, they are captured and exfiltrated to the attackers’ command and control server.
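The attachments described above can be screened before they reach a user. The following is an added example, not code from IBM X-Force or from its report: a heuristic scanner that parses an HTML attachment and flags a form that collects a password, a form or script that reaches a host outside the organization, or, in a standalone file, any password prompt at all. The two sample attachments and the `.invalid` hostnames are constructed for the example.

```python
"""Heuristic scan of an HTML e-mail attachment for credential harvesting.

Added example, not from IBM X-Force's report. The campaign above delivers HTML
files that open locally, prompt for credentials and send them to the attackers'
server; a mail gateway or analyst can flag such a file by looking for a password
field, a form action or script that points at an external host, or any password
prompt at all in a standalone file. Sample attachments are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collects forms (action + whether they hold a password field) and external scripts."""

    def __init__(self):
        super().__init__()
        self.forms, self.script_srcs = [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}        # attribute values may be None
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def scan_attachment(html: str, trusted_hosts=()) -> list:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    p = _FormScanner()
    p.feed(html)
    findings = []
    for f in p.forms:
        if not f["password"]:
            continue
        # A file opened from disk has no legitimate reason to ask for a password.
        findings.append("attachment prompts for a password")
        host = urlparse(f["action"]).hostname
        if host and host not in trusted_hosts:
            findings.append(f"password form submits to external host {host}")
    for src in p.script_srcs:
        host = urlparse(src).hostname
        if host and host not in trusted_hosts:
            findings.append(f"loads script from external host {host}")
    return findings


# Constructed samples; ".invalid" is a reserved TLD that never resolves.
PHISH = """<html><body><h3>Quotation request</h3>
<p>Sign in to view the attached document.</p>
<form method="post" action="https://collector.invalid/auth">
  <input name="email" type="text"><input name="pw" type="password">
  <input type="submit" value="View">
</form><script src="https://cdn.invalid/x.js"></script></body></html>"""

BENIGN = """<html><body><h3>Invoice 2021-04</h3>
<table><tr><td>Item</td><td>Qty</td></tr><tr><td>Ice-lined refrigerator</td><td>2</td></tr></table>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", PHISH), ("benign", BENIGN)):
        print(name, scan_attachment(doc) or ["clean"])
```

The `trusted_hosts` list is where an organization's own single sign-on host goes, so that legitimate internal forms are not flagged; everything else that asks for a password from inside an attachment is worth a human look.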

“While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat,” wrote the researchers.

With vaccine nationalism and global competition related to access to vaccines, attacks that disrupt the cold chain were inevitable. While the researchers have not been able to attribute the campaign to any threat group, there is a strong likelihood that this is a nation state operation.

If the cold chain is disrupted it could result in delays delivering the vaccines or could disrupt the conditions required for safe vaccine transport and storage, which could render the vaccines unsafe or useless. IBM has published Indicators of Compromise in its report to help organizations in the COVID-19 cold chain protect against attacks.

The post COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups appeared first on HIPAA Journal.

100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities

Researchers at Forescout and JSOF have identified 9 vulnerabilities in Internet-connected devices that could be exploited in denial-of-service and remote code execution attacks. The flaws have been identified in certain implementations of the Domain Name System (DNS) protocol in TCP/IP network communication stacks.

The flaws mostly stem from how domain names are parsed, which can break DNS implementations, and from problems with DNS message compression, which devices use to shrink the data they exchange over TCP/IP.

This class of vulnerabilities has been named NAME:WRECK. They affect common IoT and operational technology systems, including FreeBSD, IPnet, Nucleus NET, and NetX. While the use of these IoT/OT systems does not necessarily mean devices are vulnerable, many will be. The researchers suggest that around 1% of IoT devices are likely to be susceptible to the flaws, which is more than 100 million devices worldwide.

Vulnerable devices are used in a range of industry sectors, including healthcare, retail, manufacturing, and government, with healthcare organizations and government agencies two of the top three worst affected sectors. Fortunately, the vulnerabilities are not straightforward to exploit. A malicious packet must be sent in response to a legitimate DNS request, so exploitation would require a man-in-the-middle attack or the use of an exploit for a different vulnerability between the target device and the DNS server, such as DNSpooq.

The 9 vulnerabilities are detailed in the table below, along with the products and TCP/IP stacks affected:

| CVE | Stack | Impact | CVSS Score |
|---|---|---|---|
| CVE-2016-20009 | IPnet | Remote Code Execution | 9.8 |
| CVE-2020-15795 | Nucleus NET | Remote Code Execution | 8.1 |
| CVE-2020-27009 | Nucleus NET | Remote Code Execution | 8.1 |
| CVE-2020-27736 | Nucleus NET | Denial of Service | 6.5 |
| CVE-2020-27737 | Nucleus NET | Denial of Service | 6.5 |
| CVE-2020-27738 | Nucleus NET | Denial of Service | 6.5 |
| CVE-2020-25677 | Nucleus NET | DNS Cache Poisoning | 5.3 |
| CVE-2020-7461 | FreeBSD | Remote Code Execution | 7.7 |
| Awaiting CVE | NetX | Denial of Service | 6.5 |

The flaws range in severity, with the most serious vulnerabilities rated critical. The vulnerabilities can also be chained. For example, with CVE-2020-27009, an attacker can craft a DNS response packet and write arbitrary data in sensitive parts of the memory. CVE-2020-15795 allows the attacker to craft meaningful code to be injected, and CVE-2021-25667 allows a bypass of DNS query-response matching to deliver the malicious packet to the target.

FreeBSD is also used in pfSense firewalls and in network appliances such as Check Point IPSO and McAfee SecurOS. NetX is used in wearable patient monitors such as those manufactured by Welch Allyn. Nucleus NET is used extensively in healthcare devices, including ZOLL defibrillators and ZONARE ultrasound machines. The flaw in FreeBSD is of particular concern as the network stack is used in many embedded devices and in millions of higher performance IT servers, including those used by major websites such as Yahoo and Netflix.

The flaws could be used for extortion in denial-of-service attacks on mission-critical systems, to steal sensitive data, or could allow modifications to devices to alter functions and could cause significant damage. Since vulnerable devices are used in heating, ventilation, lighting, and security systems, critical building functions could also be tampered with.

While patches have now been released to correct the flaws, applying those patches may be problematic. Many of the affected internet-enabled devices are used to control mission-critical applications that are always running and cannot easily be shut down.

Mitigating NAME:WRECK Vulnerabilities

The first stage is to identify all vulnerable devices. Forescout is developing an open-source script that can be used to fingerprint all vulnerable devices. Devices will not be protected until the patches are applied, so after identifying all vulnerable devices, mitigations should be implemented until the patches can be applied. Those measures should include device and network segmentation, restricting external communication with vulnerable devices, and configuring the devices to use internal DNS servers. Network traffic should also be monitored for malicious packets attempting to exploit the vulnerabilities and other flaws in DNS, mDNS, and DHCP clients.
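The two points above, that the NAME:WRECK bugs live in domain-name parsing and message compression, and that DNS traffic should be monitored for packets that try to exploit them, come together in one place: a name parser that enforces the wire-format limits. The following is an added example, not code from Forescout, JSOF, or any of the affected stacks (FreeBSD, IPnet, Nucleus NET, NetX). It decodes RFC 1035 compressed names with bounds and pointer-direction checks, and wraps them in an `inspect_response()` function of the kind a traffic monitor could run on DNS replies. All packets are constructed for the example.

```python
"""Bounds-checked parser for DNS messages with RFC 1035 name compression.

Added example, not code from Forescout, JSOF or the stacks named in the report.
A crafted reply must not make the parser read past the buffer, chase a pointer
in a loop, or accept an over-long name. Sample packets are constructed.
"""
import struct

MAX_NAME = 255                # RFC 1035 limit on the wire form of a name
NAME_IN_RDATA = {2, 5, 12}    # NS, CNAME, PTR carry a compressed name in rdata


class MalformedName(ValueError):
    """Raised for any message that violates the wire format."""


def read_name(msg: bytes, offset: int):
    """Decode the (possibly compressed) name at `offset`.
    Returns (name, position just after the name in the outer stream)."""
    labels, total, pos, end = [], 0, offset, None
    min_pos = offset          # each pointer must target an earlier byte than the last jump
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            # A conforming encoder only points at a name emitted earlier, so targets
            # strictly decrease; anything else is a loop or a forward reference.
            if target >= min_pos:
                raise MalformedName("compression pointer loop or forward pointer")
            min_pos = pos = target
            continue
        if length & 0xC0:
            raise MalformedName("reserved label type")
        if length == 0:                                 # root label ends the name
            if end is None:
                end = pos + 1
            break
        total += length + 1
        if total > MAX_NAME:
            raise MalformedName("name exceeds 255 octets")
        if pos + 1 + length > len(msg):
            raise MalformedName("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels), end


def parse_message(msg: bytes) -> dict:
    """Parse header, questions and every resource record, validating each name."""
    if len(msg) < 12:
        raise MalformedName("header truncated")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise MalformedName("question truncated")
        questions.append((name,) + struct.unpack("!HH", msg[pos:pos + 4]))
        pos += 4
    for _ in range(an + ns + ar):
        name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise MalformedName("resource record truncated")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise MalformedName("rdata length exceeds message")
        if rtype in NAME_IN_RDATA:                      # name inside rdata: must end within it
            if read_name(msg, pos)[1] > pos + rdlen:
                raise MalformedName("rdata name overruns declared length")
        records.append((name, rtype, rclass, ttl, msg[pos:pos + rdlen]))
        pos += rdlen
    return {"id": ident, "flags": flags, "questions": questions, "records": records}


def inspect_response(msg: bytes) -> str:
    """'ok' for a well-formed reply, otherwise 'drop: <reason>' for a monitor to act on."""
    try:
        parse_message(msg)
    except MalformedName as exc:
        return f"drop: {exc}"
    return "ok"


def _header(qdcount, ancount):
    return struct.pack("!6H", 0x1234, 0x8180, qdcount, ancount, 0, 0)


QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"             # example.com A IN
A_RECORD = b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes([192, 0, 2, 1])
GOOD = _header(1, 1) + QUESTION + b"\xc0\x0c" + A_RECORD       # answer name -> offset 12
LOOP = _header(1, 1) + QUESTION + b"\xc0\x1d" + A_RECORD       # answer name -> itself (29)
TRUNCATED = _header(1, 0) + b"\x0aexam"                        # label claims 10 octets, has 4

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("loop", LOOP), ("truncated", TRUNCATED)):
        print(label, "->", inspect_response(pkt))
```

The strictly-decreasing pointer rule is what makes termination provable without a jump counter: every legitimate encoder writes a name before anything can point to it, so a pointer that goes forward, or back to a position already passed in the chain, can only come from a crafted packet.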

Patches have been released for FreeBSD, Nucleus NET, and NetX, and device manufacturers, including Siemens, have already started releasing patches to correct the flaws in their products.

The post 100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities appeared first on HIPAA Journal.

Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12:01 AM on Friday April 16, 2021 due to the high risk of exploitation of the flaws. At the time the patches were issued there were no known cases of exploitation of the flaws in the wild, but now that the flaws have been publicly disclosed, it is likely that the patches could be reverse engineered and working exploits developed.

All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers as well as persistent access and control of enterprise networks.

Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user interaction required. Both of those flaws, tracked as CVE-2021-28480 and CVE-2021-28481, have been assigned a CVSS v3.1 rating of 9.8 out of 10. The third flaw, CVE-2021-28483 has a CVSS rating of 9.0 out of 10, and the fourth, CVE-2021-28482, a rating of 8.8 out of 10.

If any vulnerable Microsoft Exchange Servers cannot be updated before the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until the updates can be applied. Technical and/or management controls must be implemented to ensure newly provisioned and previously disconnected endpoints are updated prior to connecting them to agency networks. CIOs or equivalents are required to submit a report to CISA by Noon ET on Friday confirming that all vulnerable Exchange Servers have been updated or disconnected, and should any cyber incidents be detected, Indicators of Compromise must be submitted to CISA.

Patches to correct all four flaws were released by Microsoft on April 2021 Patch Tuesday, along with patches for a further 15 critical flaws across its product suite and 88 flaws that were rated important. One zero-day vulnerability has been patched – a Win32K elevation of privilege vulnerability: CVE-2021-28310 – which Kaspersky believes is being actively exploited in the wild by at least one threat group. In combination with browser exploits, attackers can escape sandboxes and gain system privileges for further access. Exploitation would allow the remote execution of arbitrary code, the creation of new accounts with full privileges, information disclosure and destruction, and the ability to install new programs.

The post Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities appeared first on HIPAA Journal.

HHS OIG: HHS Information Security Program Rated ‘Not Effective’

The Department of Health and Human Services Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective.

The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards.

The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: Risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning.

The levels of maturity for information security are Level 1 (Ad hoc policies); Level 2 (Defined); Level 3 (Consistently Implemented); Level 4 (Managed and Measurable); and Level 5 (Optimized policies). It is necessary to achieve Level 4 for an information security policy to be considered effective.

As of September 30, 2020 the HHS had made progress since the previous audit and had implemented several changes to strengthen the maturity of its enterprise-wide cybersecurity program. There were improvements across all FISMA domains, including increased maturation of data protection and privacy and continuous monitoring of information systems.

However, the HHS was given a “not effective” rating due to the failure to achieve the Level 4 maturity level in any of the 5 functional areas – Identify, Protect, Detect, Respond, and Recover. The audit revealed there were deficiencies within the Identify, Protect, and Respond functional areas, and the maturity level was below Consistently Implemented for some FISMA metric questions, both at the HHS overall and at selected operating divisions (OpDivs), in Contingency Planning.

The HHS achieved Defined (Level 2) for 17 FISMA metrics and Consistently Implemented (Level 3) for 42 FISMA metrics but had yet to achieve Managed and Measurable (Level 4) in any of the IG FISMA metrics. There was no change in any of the FISMA metrics from the audit in FY19, although the audit revealed progress had been made in several individual IG FISMA metrics, such as consistent implementation of data exfiltration systems, ongoing Authorization to Operate (ATO) monitoring, and configuration management controls. Progress had not been achieved in other areas due to the lack of information security continuous monitoring across the different HHS operating divisions, which is essential for providing reliable data to inform risk management decisions.

Several recommendations were made to strengthen the HHS’ enterprise-wide cybersecurity program. The HHS concurred with 11 of the recommendations and did not concur with 2.

The post HHS OIG: HHS Information Security Program Rated ‘Not Effective’ appeared first on HIPAA Journal.

CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany the open-source PowerShell-based Sparrow detection tool released in December 2020 to help network defenders detect potentially compromised accounts in their Azure, Microsoft 365, and Office 365 environments.

Sparrow was created following the SolarWinds cyberattack to help network defenders identify whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that can be used to visualize and analyze data outputs from the Sparrow tool to identify post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts.

The Aviary dashboard helps network defenders analyze PowerShell logs and mailbox sign-ins to determine if the activity is legitimate. Through the dashboard, PowerShell usage by employees can also be examined, along with Azure AD domains to determine if they have been modified.

CISA is encouraging network defenders to review the previously released AA21-008A alert on detecting post compromise activity in Microsoft Cloud environments, which has now been updated to include instructions on using the Aviary dashboard. The Aviary dashboard is available for download on CISA’s Sparrow GitHub pages.

In order to use the Aviary dashboard, users must ingest Sparrow logs, import Aviary .xml code into the dashboard, point Aviary to Sparrow data using the index and host selection, and review the output.

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyberattack on Windows operating systems within an on-premises environment. The tool examines Windows event logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

The post CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments appeared first on HIPAA Journal.

Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups

Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities.

Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system.

Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others were patched promptly by SAP and the patches have been available for months.

The severity of the flaws and the extent to which they are being targeted by multiple threat groups has prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert to all SAP users about the threat of attack, following the coordinated release of a report by Onapsis/SAP.

The six vulnerabilities are a mix of critical and medium-severity vulnerabilities that can be exploited on their own or chained together to access and exfiltrate sensitive information, conduct financial fraud, disrupt mission-critical systems, download malware and ransomware, and take full control of vulnerable SAP systems. Chaining the vulnerabilities could result in attackers gaining OS-level access, which could allow the expansion of the attack beyond vulnerable SAP systems. Onapsis researchers observed one attack where an attacker chained three of the vulnerabilities and within 90 minutes downloaded a credential store of logins for high-privileged accounts and the core database, resulting in a full system compromise.

The vulnerabilities are:

  • CVE-2020-6287 – Authentication bypass issue in SAP NetWeaver Application Server Java – Allows full takeover of vulnerable SAP systems.
  • CVE-2020-6207 – Authentication bypass issue in SAP Solution Manager – Allows full takeover of vulnerable SAP systems.
  • CVE-2018-2380 – Insufficient validation of path information issue in SAP CRM – Allows database access and lateral network movement.
  • CVE-2016-9563 – Flaw in SAP NetWeaver AS Java used for XML External Entity (XXE) – Allows DoS attacks and theft of sensitive information.
  • CVE-2016-3976 – Directory traversal flaw in SAP NetWeaver AS Java – Allows reading of arbitrary files.
  • CVE-2010-5326 – Vulnerability in the Invoker Servlet on SAP NetWeaver AS Java – Allows arbitrary code execution via HTTP/HTTPS requests.
[Figure: SAP Vulnerabilities. Source: Onapsis/SAP]

The attacks are being conducted by multiple threat actors from a range of countries, including Hong Kong, India, Japan, Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen. The attackers appear to have advanced domain knowledge of SAP systems, access to patches, and the ability to reconfigure systems. In some cases, the attackers have exploited the vulnerabilities, installed backdoors for persistence, and then patched the vulnerabilities themselves.

“SAP promptly patched all of the critical vulnerabilities observed being exploited,” explained Onapsis in the alert. “Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.”

Patches should be applied immediately to prevent exploitation of the flaws. Once updated to a secure SAP version, a compromise assessment should be performed to determine if systems have already been compromised. When future patches and software updates are released by SAP, they should be applied within 72 hours. If that is not possible, mitigations should be implemented to reduce the risk of exploitation. Further information is available in the Onapsis report.

The post Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups appeared first on HIPAA Journal.

FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers

Vulnerabilities in the Fortinet FortiOS operating system are being targeted by advanced persistent threat (APT) actors and are being used to gain access to servers to infiltrate networks as pre-positioning for follow-on data exfiltration and data encryption attacks.

In a recent Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency warned users of Fortinet FortiOS to immediately patch three vulnerabilities, tracked as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Patches were released to correct the flaws in May 2019, July 2019, and July 2020. Fortinet communicated with affected companies and published multiple blog posts urging customers to update FortiOS to a secure version; however, some customers have yet to apply the patches to correct the flaws and are at risk of attack.

CVE-2018-13379 is a vulnerability due to improper limitation of a pathname to a restricted directory and is present in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12. Under the SSL VPN web portal, an unauthenticated attacker can download system files by sending specially crafted HTTP requests to a vulnerable server. Previously, Russian, Chinese, and Iranian APT groups have abused the vulnerability in an attempt to compromise U.S. election support systems.

CVE-2020-12812 is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9, which could be exploited to allow a user to log in successfully without being prompted for a second authentication factor – FortiToken – if they changed the case of their username.
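The case-of-username symptom described above is characteristic of one bug class: two subsystems that disagree on what an identity is, with the password check matching case-insensitively while the MFA enrollment lookup is exact. The following is an added example, not Fortinet code and not a description of FortiOS internals: a login routine that reproduces the bug class beside a hardened version that canonicalizes the username once, uses that form for every lookup, and fails closed when no enrollment is found. The user store, demo password and one-time-code check are constructed stand-ins.

```python
"""Username canonicalization before the MFA lookup.

Added example, not Fortinet code. Shows the bug class behind a 'change the case
of the username to skip the second factor' symptom and its fix. The directory,
password value and OTP check are constructed stand-ins.
"""
import hmac

# Constructed directory keyed by canonical (lowercase) usernames. The demo password
# is kept in clear only so the example runs stand-alone; a real store holds salted hashes.
USERS = {"alice": "correct horse battery staple"}
MFA_ENROLLED = {"alice": "123456"}     # stand-in for a FortiToken-style one-time code


class AuthError(Exception):
    pass


def canonical(username: str) -> str:
    """The single identity form every subsystem must use for lookups."""
    return username.strip().casefold()


def _password_ok(username: str, password: str) -> bool:
    # Directory backends commonly match usernames case-insensitively.
    stored_pw = USERS.get(canonical(username))
    return stored_pw is not None and hmac.compare_digest(stored_pw.encode(), password.encode())


def _token_ok(username: str, token: str) -> bool:
    expected = MFA_ENROLLED.get(username)
    return expected is not None and hmac.compare_digest(expected, token)


def login_vulnerable(username: str, password: str, token: str = None) -> str:
    """Reproduces the bug class: the MFA lookup uses the raw username."""
    if not _password_ok(username, password):
        raise AuthError("bad password")
    if username in MFA_ENROLLED:                # exact-case lookup: "Alice" misses "alice"
        if token is None or not _token_ok(username, token):
            raise AuthError("second factor required")
    return f"session for {username}"            # reached with no token when the case differs


def login_hardened(username: str, password: str, token: str = None) -> str:
    """Canonicalize once, use that form everywhere, and fail closed."""
    user = canonical(username)
    if not _password_ok(user, password):
        raise AuthError("bad password")
    # Fail closed: when policy requires MFA, an account with no enrollment is refused
    # rather than silently waved through.
    if token is None or not _token_ok(user, token):
        raise AuthError("second factor required")
    return f"session for {user}"


def attempt(login, *args) -> str:
    """Run a login function and return either the session string or the refusal reason."""
    try:
        return login(*args)
    except AuthError as exc:
        return str(exc)


if __name__ == "__main__":
    pw = USERS["alice"]
    print("vulnerable, alice, no token:", attempt(login_vulnerable, "alice", pw))
    print("vulnerable, Alice, no token:", attempt(login_vulnerable, "Alice", pw))
    print("hardened,   Alice, no token:", attempt(login_hardened, "Alice", pw))
    print("hardened,   Alice, token:   ", attempt(login_hardened, "Alice", pw, "123456"))
```

The general lesson goes beyond letter case: any normalization the primary authenticator applies (case folding, trimming, Unicode normalization, domain suffix stripping) has to be applied identically before every policy lookup keyed on the same identity, and the absence of an enrollment record must never be read as "MFA not needed".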

CVE-2019-5591 is a default configuration vulnerability in FortiOS which could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

The FBI/CISA warn that APT groups are enumerating servers that have not been patched to fix CVE-2020-12812 and CVE-2019-5591 and are scanning for devices vulnerable to CVE-2018-13379 on ports 4443, 8443, and 10443. The vulnerabilities have been exploited to gain access to multiple government, commercial, and technology services networks. Other CVEs and exploitation techniques such as spear phishing may also be used in attacks to gain access to critical infrastructure networks.

In addition to applying the patches to correct the flaws, the FBI/CISA recommend several other steps be taken to prevent the exploitation of vulnerabilities. These include adding key artifact files used by FortiOS to execution deny lists to prevent attempts to install and run the vulnerable program and its associated files. Systems should also be configured to require administrator credentials to be used to install software.

Multi-factor authentication should be implemented where possible, good password hygiene maintained, and audits should be conducted of accounts with admin privileges. All unused remote access/RDP ports should be disabled, and remote access/RDP logs should be audited.

Since phishing attacks are possible, messages from external sources should be flagged and hyperlinks in emails disabled. It is also important to educate the workforce on information security and how to identify phishing emails. Antivirus software should be installed on all devices and be kept up to date. Network segmentation will help to limit the harm that can be caused if a network is breached.

Since extortion and data deletion attacks may occur, it is important to regularly back up data, store a backup copy on an air-gapped device, and password-protect the backup. A recovery plan should also be implemented to restore sensitive data from a physically separate, segmented, secure location.

The post FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers appeared first on HIPAA Journal.