Healthcare Cybersecurity

Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12:01 AM on Friday, April 16, 2021, due to the high risk of exploitation of the flaws. At the time the patches were issued, there had been no known cases of exploitation of the flaws in the wild, but now that the flaws have been publicly disclosed, it is likely that the patches could be reverse engineered and working exploits developed.

All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers and gain persistent access to and control of enterprise networks.

Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user interaction required. Both of those flaws, tracked as CVE-2021-28480 and CVE-2021-28481, have been assigned a CVSS v3.1 rating of 9.8 out of 10. The third flaw, CVE-2021-28483, has a CVSS rating of 9.0 out of 10, and the fourth, CVE-2021-28482, a rating of 8.8 out of 10.

If any vulnerable Microsoft Exchange Servers cannot be updated before the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until the updates can be applied. Technical and/or management controls must be implemented to ensure newly provisioned and previously disconnected endpoints are updated prior to connecting them to agency networks. CIOs or equivalents are required to submit a report to CISA by Noon ET on Friday confirming that all vulnerable Exchange Servers have been updated or disconnected, and should any cyber incidents be detected, Indicators of Compromise must be submitted to CISA.

Patches to correct all four flaws were released by Microsoft on April 2021 Patch Tuesday, along with patches for a further 15 critical flaws across its product suite and 88 flaws that were rated important. One zero-day vulnerability has been patched – a Win32K elevation of privilege vulnerability: CVE-2021-28310 – which Kaspersky believes is being actively exploited in the wild by at least one threat group. In combination with browser exploits, attackers can escape sandboxes and gain system privileges for further access. Exploitation would allow the remote execution of arbitrary code, the creation of new accounts with full privileges, information disclosure and destruction, and the ability to install new programs.

The post Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities appeared first on HIPAA Journal.

HHS OIG: HHS Information Security Program Rated ‘Not Effective’

The Department of Health and Human Services Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective.

The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards.

The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: Risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning.

The levels of maturity for information security are Level 1 (Ad hoc policies); Level 2 (Defined); Level 3 (Consistently Implemented); Level 4 (Managed and Measurable); and Level 5 (Optimized policies). It is necessary to achieve Level 4 for an information security policy to be considered effective.

As of September 30, 2020, the HHS had made progress since the previous audit and had implemented several changes to strengthen the maturity of its enterprise-wide cybersecurity program. There were improvements across all FISMA domains, including increased maturation of data protection and privacy and continuous monitoring of information systems.

However, the HHS was given a “not effective” rating due to the failure to achieve the Level 4 maturity level in any of the 5 functional areas – Identify, Protect, Detect, Respond, and Recover. The audit revealed there were deficiencies within the Identify, Protect, and Respond functional areas and the maturity level was below Consistently Implemented for some FISMA metric questions, both at the HHS overall and at selected operating divisions (OpDivs), in Contingency Planning.

The HHS achieved Defined (Level 2) for 17 FISMA metrics and Consistently Implemented (Level 3) for 42 FISMA metrics but had yet to achieve Managed and Measurable (Level 4) in any of the IG FISMA metrics. There was no change in any of the FISMA metrics from the audit in FY19, although the audit revealed progress had been made in several individual IG FISMA metrics, such as consistent implementation of data exfiltration systems, ongoing Authorization to Operate (ATO) monitoring, and configuration management controls. Progress had not been achieved in other areas due to the lack of information security continuous monitoring across the different HHS operating divisions, which is essential for providing reliable data for informing risk management decisions.

Several recommendations were made to strengthen the HHS’ enterprise-wide cybersecurity program. The HHS concurred with 11 of the recommendations and did not concur with 2.

CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany the open-source PowerShell-based Sparrow detection tool released in December 2020 to help network defenders detect potentially compromised accounts in their Azure, Microsoft 365, and Office 365 environments.

Sparrow was created following the SolarWinds cyberattack to help network defenders identify whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that can be used to visualize and analyze data outputs from the Sparrow tool to identify post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts.

The Aviary dashboard helps network defenders analyze PowerShell logs and mailbox sign-ins to determine if the activity is legitimate. Through the dashboard, PowerShell usage by employees can also be examined along with Azure AD domains to determine if they have been modified.

CISA is encouraging network defenders to review the previously released AA21-008A alert on detecting post compromise activity in Microsoft Cloud environments, which has now been updated to include instructions on using the Aviary dashboard. The Aviary dashboard is available for download on CISA’s Sparrow GitHub pages.

In order to use the Aviary dashboard, users must ingest Sparrow logs, import Aviary .xml code into the dashboard, point Aviary to Sparrow data using the index and host selection, and review the output.

In addition to these tools, CISA released the Python-based CHIRP IOC detection tool in March, which can be used to identify signs of malicious activity linked to the SolarWinds cyberattack on Windows operating systems within an on-premises environment. The tool examines Windows event logs and the Windows registry for evidence of intrusions, and can be used to query Windows artifacts and apply YARA rules to detect malware, backdoors, and implanted malicious code.

Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups

Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities.

Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system.

Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others were patched promptly by SAP and the patches have been available for months.

The severity of the flaws and the extent to which they are being targeted by multiple threat groups has prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert to all SAP users about the threat of attack, following the coordinated release of a report by Onapsis/SAP.

The six vulnerabilities are a mix of critical and medium-severity vulnerabilities that can be exploited on their own or chained together to access and exfiltrate sensitive information, conduct financial fraud, disrupt mission-critical systems, download malware and ransomware, and take full control of vulnerable SAP systems. Chaining the vulnerabilities could result in attackers gaining OS-level access, which could allow the expansion of the attack beyond vulnerable SAP systems. Onapsis researchers observed one attack where an attacker chained three of the vulnerabilities and within 90 minutes downloaded a credential store of logins for high-privileged accounts and the core database, resulting in a full system compromise.

The vulnerabilities are:

  • CVE-2020-6287 – Authentication bypass issue in SAP NetWeaver Application Server Java – Allows full takeover of vulnerable SAP systems.
  • CVE-2020-6207 – Authentication bypass issue in SAP Solution Manager – Allows full takeover of vulnerable SAP systems.
  • CVE-2018-2380 – Insufficient validation of path information issue in SAP CRM – Allows database access and lateral network movement.
  • CVE-2016-9563 – XML External Entity (XXE) flaw in SAP NetWeaver AS Java – Allows DoS attacks and theft of sensitive information.
  • CVE-2016-3976 – Directory traversal flaw in SAP NetWeaver AS Java – Allows reading of arbitrary files.
  • CVE-2010-5326 – Vulnerability in the Invoker Servlet on SAP NetWeaver AS Java – Allows arbitrary code execution via HTTP/HTTPS requests.

Source: Onapsis/SAP

The attacks are being conducted by multiple threat actors from a range of countries, including Hong Kong, India, Japan, Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen. The attackers appear to have advanced domain knowledge of SAP systems, access to patches, and the ability to reconfigure systems. In some cases, the attackers have exploited the vulnerabilities, installed backdoors for persistence, and then patched the vulnerabilities themselves.

“SAP promptly patched all of the critical vulnerabilities observed being exploited,” explained Onapsis in the alert. “Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.”

Patches should be applied immediately to prevent exploitation of the flaws. Once updated to a secure SAP version, a compromise assessment should be performed to determine if systems have already been compromised. When future patches and software updates are released by SAP, they should be applied within 72 hours. If that is not possible, mitigations should be implemented to reduce the risk of exploitation. Further information is available in the Onapsis report.

FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers

Vulnerabilities in the Fortinet FortiOS operating system are being targeted by advanced persistent threat (APT) actors and are being used to gain access to servers to infiltrate networks as pre-positioning for follow-on data exfiltration and data encryption attacks.

In a recent Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency warned users of the Fortinet FortiOS to immediately patch three vulnerabilities, tracked as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Patches were released to correct the flaws in May 2019, July 2019, and July 2020. Fortinet communicated with affected companies and published multiple blog posts urging customers to update the FortiOS to a secure version; however, some customers have yet to apply the patches to correct the flaws and are at risk of attack.

CVE-2018-13379 is a vulnerability due to improper limitation of a pathname to a restricted directory and is present in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12. In the SSL VPN web portal, an unauthenticated attacker can download system files by sending specially crafted HTTP requests to a vulnerable server. Previously, Russian, Chinese, and Iranian APT groups have abused the vulnerability in an attempt to compromise U.S. election support systems.

CVE-2020-12812 is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9, which could be exploited to allow a user to log in successfully without being prompted for a second authentication factor – FortiToken – if they changed the case of their username.

CVE-2019-5591 is a default configuration vulnerability in FortiOS which could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

The FBI/CISA warn that APT groups are enumerating servers that have not been patched to fix CVE-2020-12812 and CVE-2019-5591 and are scanning for devices vulnerable to CVE-2018-13379 on ports 4443, 8443, and 10443. The vulnerabilities have been exploited to gain access to multiple government, commercial, and technology services networks. Other CVEs and exploitation techniques such as spear phishing may also be used in attacks to gain access to critical infrastructure networks.
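The two behaviours the advisory describes can be hunted for in gateway logs. The following is an added example, not code from the advisory or from Fortinet; the log layout, field names, accounts and addresses are constructed assumptions.

```python
from collections import defaultdict

# Ports the FBI/CISA advisory says are being scanned for CVE-2018-13379.
SSL_VPN_PORTS = {4443, 8443, 10443}

# --- Constructed sample data (assumed layout, not real FortiOS output) ---
ENROLLED_USERS = {"jsmith", "mlopez"}  # canonical names with a token enrolled

CONN_LOG = """\
2021-04-03T01:10:02Z src=198.51.100.7 dst=203.0.113.10 dport=4443 action=accept
2021-04-03T01:10:03Z src=198.51.100.7 dst=203.0.113.10 dport=8443 action=deny
2021-04-03T01:10:04Z src=198.51.100.7 dst=203.0.113.10 dport=10443 action=accept
2021-04-03T01:30:00Z src=192.0.2.44 dst=203.0.113.10 dport=10443 action=accept
2021-04-03T01:45:00Z src=192.0.2.60 dst=203.0.113.10 dport=443 action=accept
2021-04-03T01:45:09Z src=192.0.2.60 dst=203.0.113.10 dport=10443 action=accept
"""

AUTH_LOG = """\
2021-04-03T02:00:11Z user=jsmith src=192.0.2.44 result=success second_factor=passed
2021-04-03T02:07:45Z user=JSmith src=198.51.100.7 result=success second_factor=none
2021-04-03T02:09:10Z user=MLOPEZ src=192.0.2.60 result=failure second_factor=none
2021-04-03T02:09:40Z user=Mlopez src=192.0.2.60 result=success second_factor=passed
"""


def iter_records(log_text):
    """Yield one dict per non-empty 'timestamp key=value ...' line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        record = dict(pair.split("=", 1) for pair in pairs)
        record["ts"] = ts
        yield record


def port_sweepers(conn_log, min_ports=2):
    """Sources that touched at least min_ports of the advisory's ports."""
    ports_by_src = defaultdict(set)
    for rec in iter_records(conn_log):
        port = int(rec["dport"])
        if port in SSL_VPN_PORTS:
            ports_by_src[rec["src"]].add(port)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def case_variant_logins(auth_log, enrolled_users):
    """Successful logins that match an enrolled user only after case
    folding and that carry no passed second factor (CVE-2020-12812 pattern)."""
    canonical = {name.casefold(): name for name in enrolled_users}
    hits = []
    for rec in iter_records(auth_log):
        if rec.get("result") != "success":
            continue
        enrolled_as = canonical.get(rec["user"].casefold())
        if enrolled_as is None or rec["user"] == enrolled_as:
            continue  # unknown account, or the exact enrolled spelling
        if rec.get("second_factor") == "passed":
            continue  # odd spelling, but the token was still checked
        hits.append({"ts": rec["ts"], "user": rec["user"],
                     "enrolled_as": enrolled_as, "src": rec["src"]})
    return hits


def correlated_sources(conn_log, auth_log, enrolled_users):
    """Sources seen both sweeping the ports and logging in without 2FA."""
    sweepers = set(port_sweepers(conn_log))
    logins = {hit["src"] for hit in case_variant_logins(auth_log, enrolled_users)}
    return sorted(sweepers & logins)


if __name__ == "__main__":
    print("port sweepers:", port_sweepers(CONN_LOG))
    for hit in case_variant_logins(AUTH_LOG, ENROLLED_USERS):
        print("login without second factor:", hit)
    print("priority sources:", correlated_sources(CONN_LOG, AUTH_LOG, ENROLLED_USERS))
```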

In addition to applying the patches to correct the flaws, the FBI/CISA recommend several other steps be taken to prevent the exploitation of vulnerabilities. These include adding key artifact files used by FortiOS to execution deny lists to prevent attempts to install and run the vulnerable program and its associated files. Systems should also be configured to require administrator credentials to be used to install software.

Multi-factor authentication should be implemented where possible, good password hygiene maintained, and audits should be conducted of accounts with admin privileges. All unused remote access/RDP ports should be disabled, and remote access/RDP logs should be audited.

Since phishing attacks are possible, messages from external sources should be flagged and hyperlinks in emails disabled. It is also important to educate the workforce on information security and how to identify phishing emails. Antivirus software should be installed on all devices and be kept up to date. Network segmentation will help to limit the harm that can be caused if a network is breached.

Since extortion and data deletion attacks may occur, it is important to regularly back up data, store a backup copy on an air-gapped device, and password-protect the backup. A recovery plan should also be implemented to restore sensitive data from a physically separate, segmented, secure location.

VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has released patches to correct two high severity vulnerabilities in its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments – vRealize Operations. The flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

CVE-2021-21975 is a server-side request forgery flaw which could be exploited by a remote attacker to abuse the functionality of a server and access or manipulate information that should not be directly accessible. The flaw could be exploited by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint which would allow the attacker to steal administrative credentials. The vulnerability has been assigned a CVSS score of 8.6 out of 10.

The second vulnerability, tracked as CVE-2021-21983, is an arbitrary file write vulnerability in the vRealize Operations Manager API. The flaw has been assigned a CVSS score of 7.2 out of 10. Exploitation of the vulnerability would allow an attacker to write files to the underlying Photon operating system. An attacker would first need to be authenticated with admin credentials in order to exploit the vulnerability.

The concern is that both vulnerabilities could be chained together, which would allow an attacker to achieve remote execution of arbitrary code in the vRealize Operations platform. In order to exploit the flaws an attacker would need to have access to the vRealize Operations Manager API.

VMware has fixed the flaws in vRealize Operations Manager versions 7.5.0 to 8.3.0. Users of the vRealize Operations platform have been advised to update to a secure version of the platform as soon as possible to prevent exploitation of the vulnerabilities.

If it is not possible to update promptly, VMware has offered a workaround which involves removing a configuration line from the casa-security-context.xml, followed by restarting the CaSA service on the affected device. The flaws were identified by Igor Dimitenko of security firm Positive Technologies.

Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

Security firm Proofpoint has linked the Advanced Persistent Threat (APT) group Charming Kitten to a spear phishing campaign conducted in late 2020 targeting senior professionals at medical research organizations in the United States and Israel.

Charming Kitten, aka Phosphorus, Ajax, and TA453, is an APT group with links to the Islamic Revolutionary Guard Corps (IRGC) in Iran. Charming Kitten has been active since at least 2014 and is primarily involved in espionage campaigns involving spear phishing attacks and custom malware. The attacks previously linked to the APT group have been on dissidents, academics, and journalists, so the latest spear phishing campaign targeting medical research organizations is a departure from the group’s usual targets.

The phishing campaign, dubbed BadBlood, attempted to steal Microsoft Office credentials and coincided with growing tensions between Iran, the United States, and Israel. It is unclear at this stage whether the targeting of very senior professionals in medical research firms is part of a wider campaign or was simply an outlier event. The researchers suspect the latter to be the case and that the group was attempting to obtain specific types of intelligence.

The campaign was detected in December 2020, around a month after the U.S. Department of Justice seized 27 website domains operated by the IRGC that were being used for covert campaigns that attempted to influence events in the United States and other countries.

The spear phishing campaign involved emails from a Gmail account that impersonated a prominent Israeli physicist, Daniel Zajfman. The emails had the subject line “Nuclear weapons at a glance: Israel” and social engineering methods were used to convince the recipients to click a link in the emails and visit a Charming Kitten domain that spoofed Microsoft OneDrive. An image of a PDF file was hosted on the landing page stating that the file could not be opened. Clicking the image directed the individual to a web page with a fake Microsoft Office login prompt that harvested credentials. After credentials were stolen, the victim was redirected to a page containing a document with the same title as the email with content related to that topic.

Proofpoint researchers were unable to determine what Charming Kitten did with the stolen credentials, but they point out that previous phishing campaigns conducted by the group have resulted in the contents of compromised email accounts being exfiltrated by the APT group and the accounts used in further phishing campaigns.

The researchers suggest the attackers’ mission appears to have been to gain access to information related to genetics, oncology, and neurology, that they were also seeking access to patient data, and that they wanted to obtain credentials for use in further phishing campaigns. This was a highly targeted campaign that attempted to obtain the credentials of fewer than 25 senior-level staffers at medical research organizations.

“While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” said Proofpoint’s Joshua Miller.

New Report Provides Deep Dive into COVID-19 Themed Phishing Tactics

In early 2020, phishers started to take advantage of the pandemic and switched from their standard lures to a wide variety of pandemic-related themes for their campaigns. To coincide with the one-year anniversary of the pandemic, researchers at the Palo Alto Networks Unit 42 Team analyzed the phishing trends over the course of the past year to review the changes in the tactics, techniques, and procedures (TTPs) of phishers and the extent to which COVID-19 was used in their phishing campaigns.

The researchers analyzed all phishing URLs detected between January 2020 and February 2021 to determine how many had a COVID-19 theme, using specific keywords and phrases related to COVID-19 and other aspects of the pandemic. The researchers identified 69,950 unique phishing URLs related to COVID-19 topics, with almost half of those URLs directly related to COVID-19.

Phishing campaigns were promptly adapted to the latest news and thoughts on the coronavirus and closely mirrored the latest pandemic trends. Following the World Health Organization’s declaration of the pandemic in March 2020 there was a global shortage of personal protective equipment (PPE) and testing kits, and phishing campaigns were launched offering access to stocks. Government stimulus programs were then launched, and phishing campaigns were quickly adapted to include lures related to those programs. For instance, the volume of phishing emails related to COVID-19 online test kits closely followed the popularity of test kit-related searches on Google.

Source: Palo Alto Networks COVID19 Phishing Report

Throughout the pandemic, the websites of genuine vendors of COVID-19 test kits were targeted. Access to the sites was gained and phishing kits were uploaded to steal credentials. In December 2020, when the vaccine rollout started, campaigns switched to vaccine related lures using domains that spoofed vaccine developers such as Pfizer, BioNTech and others. The websites of pharmaceutical companies were targeted and had phishing content added related to vaccines. Between December 2020 and February 2021, vaccine-related phishing scams increased by 530%.

One of the techniques employed by phishers to evade security solutions is to use a two-step process on their phishing websites that requires the visitor to first click to log in before being presented with the phishing form – a tactic called client-side cloaking. Many anti-phishing solutions will visit the URL linked in an email to assess the content but will only check the landing page for phishing content. By using client-side cloaking the malicious content is less likely to be detected.
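Why a landing-page-only check misses the two-step pages described above, shown as an added example that is not from the Unit 42 report. The pages, host names and helper names are constructed, and the second step is assumed to be reachable through an ordinary link.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed pages standing in for live fetches (URL -> HTML).
PAGES = {
    "https://docs.example.test/view":
        '<html><body><img src="pdf.png"><p>This file could not be opened.</p>'
        '<a href="/signin">Click to log in and view</a></body></html>',
    "https://docs.example.test/signin":
        '<form action="/collect" method="post">'
        '<input type="text" name="u"><input type="PASSWORD" name="p"></form>',
    "https://shop.example.test/":
        '<a href="/about">About</a>'
        '<a href="https://other.example.test/login">Partner</a>',
    "https://shop.example.test/about": "<p>About us</p>",
    "https://other.example.test/login": '<input type="password" name="p">',
}


def fetch(url):
    """Offline stand-in for an HTTP GET; unknown URLs return an empty page."""
    return PAGES.get(url, "")


class PageFacts(HTMLParser):
    """Collects outgoing links and counts password inputs on one page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self.links.append(attr["href"])
        elif tag == "input" and (attr.get("type") or "").lower() == "password":
            self.password_fields += 1


def page_facts(html):
    parser = PageFacts()
    parser.feed(html)
    parser.close()
    return parser


def landing_only_scan(url, fetch_page):
    """What the passage says many scanners do: inspect the linked page only."""
    return page_facts(fetch_page(url)).password_fields > 0


def click_through_scan(url, fetch_page, max_clicks=1, max_pages=20):
    """Follow same-host links up to max_clicks deep and report every page
    that asks for a password, with the number of clicks needed to reach it."""
    start_host = urlparse(url).netloc
    queue, seen, hits = [(url, 0)], {url}, []
    while queue:
        current, depth = queue.pop(0)
        facts = page_facts(fetch_page(current))
        if facts.password_fields:
            hits.append((current, depth))
        if depth >= max_clicks:
            continue
        for href in facts.links:
            target = urljoin(current, href)
            if urlparse(target).netloc != start_host or target in seen:
                continue  # stay on the host under review, visit pages once
            if len(seen) >= max_pages:
                break     # bound the crawl on link-heavy pages
            seen.add(target)
            queue.append((target, depth + 1))
    return hits


if __name__ == "__main__":
    for start in ("https://docs.example.test/view", "https://shop.example.test/"):
        print(start, landing_only_scan(start, fetch), click_through_scan(start, fetch))
```

A static parser like this does not execute scripts, so a second step that is revealed only by JavaScript would need a headless browser to reach.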

The report highlights the opportunistic nature of phishers. They will rapidly change their TTPs in response to new trends and use lures that are likely to get the best response, including changing targets. Between December 2020 and February 2021, phishing attacks targeting pharmacies and hospitals increased by 189% as phishers switched to targeting healthcare employees to steal their credentials.

Throughout the pandemic, Microsoft was the brand most targeted by attackers. More than 23% of COVID-19 phishing URLs targeted Microsoft credentials. Fake Microsoft login pages were set up to steal the Microsoft 365 credentials of employees at pharmaceutical firms and pharmacies. When Microsoft credentials are obtained, they can be used to access email accounts to send phishing emails from genuine pharmacy and pharma company domains, increasing the chance of those emails being delivered and acted upon by the recipients. Targeted companies include Walgreens in the US, Pharmascience in Canada, Glenmark Pharmaceuticals in India, and Junshi Biosciences in China.

Currently, large numbers of phishing emails are being sent related to vaccines and as more individuals try to get themselves and their family members registered for immunization, vaccine-related phishing scams are likely to continue.

“Individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to COVID-19. If it seems too good to be true, it most likely is,” warned the Unit42 researchers. “Employees in the healthcare industry in particular should view links contained in any incoming emails with suspicion, especially from emails trying to convey a sense of urgency.”

FBI Issues Warning About Mamba Ransomware

An increase in cyberattacks involving Mamba ransomware has prompted the Federal Bureau of Investigation and the Department of Homeland Security to issue a flash alert warning organizations and companies in multiple sectors about the dangers of the ransomware.

In contrast to many ransomware variants that have their own encryption routines, Mamba ransomware has weaponized the open source full disk encryption software DiskCryptor. DiskCryptor is a legitimate encryption tool that is not malicious and is therefore unlikely to be detected as such by security software.

The FBI has not provided any details of the extent to which the ransomware has been used in attacks, which have so far mostly targeted government agencies and transportation, legal services, technology, industrial, commercial, manufacturing, and construction companies.

Several methods are used to gain access to systems to deploy the ransomware, including exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured methods of remote access.

Rather than searching for certain file extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, rendering all infected devices inoperable. After encryption, a ransom note is displayed that alerts the victim that their drive has been infected. The note provides an email address for contact, the victim’s ID and hostname, and a place to enter the decryption key to restore the drive.

The Mamba ransomware package includes DiskCryptor, which is unpacked and installed. The system is rebooted after around two minutes to complete the installation, and the encryption routine is started. A second restart will take place around two hours later which completes the encryption routine and displays the ransom note.

It is possible to stop an attack in progress up until the second restart. The encryption key and the shutdown time variable are saved to the configuration file – myConfig.txt – which remains readable until the second restart. The myConfig.txt file cannot be accessed after the second restart and the decryption key will then be required to decrypt files. This gives network defenders a short window of opportunity to stop an attack and recover without having to pay the ransom. A list of DiskCryptor files is included in the alert to help network defenders identify attacks in progress. These files should be blacklisted if DiskCryptor is not used.

The FBI TLP: White Alert also details mitigations that will make it harder for an attack to succeed, to limit the impact of a successful attack, and ensure that systems can be recovered without paying the ransom.

Suggested mitigations include:

  • Backing up data and storing the backups on an air-gapped device.
  • Segmenting networks.
  • Configuring systems to only allow software to be installed by administrators.
  • Patching operating systems, software, and firmware promptly.
  • Implementing multifactor authentication.
  • Maintaining good password hygiene.
  • Disabling unused remote access/RDP ports and monitoring access logs.
  • Only using secure networks and implementing a VPN for remote access.
