Healthcare Cybersecurity

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

ALPHV/BlackCat Ransomware Operation Disrupted by FBI

Posted by Steve Alder

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service operation that uses affiliates to conduct attacks for a cut of any ransoms they generate. In its 2 years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites were taken offline which led to several security researchers suggesting that the group may have been the subject of a law enforcement operation, although a spokesperson for the group refuted those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation that saw the FBI successfully gain access to ALPHV’s infrastructure.

The law enforcement operation has been ongoing for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented the payment of around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.

ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived and was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers; and was immediately replaced with ALPHV/BlackCat, which has been highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

While the law enforcement operation has been successful, the group is likely to rebrand as it has done in the past and continue its attacks under a different name. In the meantime, affiliates that have been working with ALPHV/BlackCat may choose to join other ransomware groups such as LockBit.

The post ALPHV/BlackCat Ransomware Operation Disrupted by FBI appeared first on HIPAA Journal.

CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience

Posted by Steve Alder

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published healthcare sector-specific guidance on enhancing cyber resilience. The guidance is based on the findings from a two-week risk and vulnerability assessment that was performed in January 2023 at the request of a large healthcare organization that was looking to identify vulnerabilities and potential security improvements.

CISA spent the first week conducting external penetration tests to identify weaknesses that could be exploited, and a week analyzing the internal network, with its assessments including web applications, databases, wireless access points, penetration tests, and phishing testing. The unnamed organization was found to have secured its network sufficiently to prevent external attacks. CISA was unable to find any vulnerabilities that could be easily exploited by malicious actors and was unable to gain access through phishing; however, several weaknesses were identified during internal penetration tests. CISA was able to exploit misconfigurations, weak passwords, and other security issues through multiple attack paths and compromise the organization’s domain.

The penetration and web application testing uncovered no vulnerabilities that could easily be exploited and payloads used in the phishing tests were blocked by a combination of browser controls, security policies, and antivirus software. While some of the payloads were downloaded to disk, they were immediately neutralized by the antivirus software when executed, and while some payloads appeared to have evaded internal protections, they failed to make a connection with their C2 servers.

Phishing tests were also performed on end users in an attempt to harvest credentials. 12 individuals responded to the phishing attempts and disclosed their credentials, but they could not be used as those individuals only had limited access to external-facing resources, and multi-factor authentication had been implemented for cloud accounts. CISA notes that its assessments did not include adversary-in-the-middle attacks using phishing kits such as Evilginx, which can bypass multifactor authentication. CISA recommends using phishing-resistant multifactor authentication to block attacks involving these advanced phishing kits.

The internal penetration tests started with a connection to the network without a valid domain account and attempted to gain domain user access and then escalate privileges until the domain was compromised. The organization’s domain was compromised using four attack paths, and in the fifth attack path, CISA was able to access sensitive information. CISA was able to obtain 55 password hashes, one of which was for a service account that had a weak password that was easily cracked to obtain access to the organization’s domain.

The web application tests identified default credentials in multiple web applications that had not been changed, as well as default printer credentials, along with misconfigurations that allowed CISA to authenticate to the domain controller and validate administrator privileges. CISA used the CrackMapExec tool to spray easily guessable passwords and obtained two sets of valid credentials for standard domain user accounts and demonstrated a path leading to domain compromise. CISA also demonstrated that several systems on the network did not enforce SMB signing, and exploited the misconfiguration to obtain credentials for two additional domain administrator accounts, which were validated confirming a domain compromise.

The fifth attack path involved vulnerability scanning, which identified an unpatched EternalBlue vulnerability in SMB version 1. CISA used a well-known exploit for the vulnerability to establish a shell on the server which allowed commands to be executed in the context of the local SYSTEM account. CISA also identified multiple instances of password reuse, which allowed access to be gained to several resources that contained sensitive information.

The methods and tools used by CISA in its assessments are commonly used by hackers for post-compromise activities. If initial access was gained, the internal vulnerabilities could have been exploited to achieve a full domain compromise. The key findings of the assessments have been published in a cybersecurity advisory – Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment – along with recommended mitigations for addressing the vulnerabilities, which are likely to exist in many healthcare organizations. The guidance can also be applied by software companies and organizations in other critical infrastructure sectors.

The post CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience appeared first on HIPAA Journal.

AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures

Posted by Steve Alder

The American Hospital Association (AHA) is urging the U.S. Department of Health and Human Services (HHS) to reconsider its plan to make it mandatory for hospitals to comply with new cybersecurity requirements and issue financial penalties if they fail to do so.

Last week, the HHS published its healthcare cybersecurity strategy, which outlines the steps the HHS has taken and plans to take in the future to improve healthcare cybersecurity. Those plans include introducing two tiers of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) – essential and enhanced. The essential HPH CPGs will include high-impact cybersecurity requirements for improving cyber resiliency and are intended to establish a baseline for cybersecurity, whereas the enhanced HPH CPGs are desirable cybersecurity requirements to further improve security and protect patient privacy. While both tiers of HPH CPGs would be voluntary initially, the HHS explained in its cybersecurity strategy that it plans to make the essential HPH CPGs enforceable in the future and will be working with Congress to increase the penalties for HIPAA violations.

The AHA believes that forcing hospitals to make investments in cybersecurity and imposing financial penalties if they suffer a cyberattack and haven’t implemented certain cybersecurity measures would be counterproductive and undermine the efforts hospitals are already making to improve cybersecurity. “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” said AHA President and CEO Rick Pollack. “The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency, and many others to prevent and mitigate cyberattacks.”

While the AHA expressed support for the HHS proposal to issue incentives for improving cybersecurity and make funding available to help hospitals with low resources cover the initial cost of cybersecurity improvements, punishing hospitals financially is unfair, especially when cyberattacks are commonly conducted by sophisticated cyber actors who work in collusion with hostile nation-states.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

The post AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures appeared first on HIPAA Journal.

Healthcare and Public Health Sector Warned About Open Source Software Risks

Posted by Steve Alder

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat report warning about the risks of open source software, which can be far-ranging in healthcare. Open source software was first pioneered by scientists, researchers, and academics and was predicated on the free and open sharing of knowledge. The code for the software is available for anyone to inspect, and changes can be suggested to improve functionality and correct errors and vulnerabilities. As software became more commercialized, there was a decline in open source software; however, it is still pervasive, especially in healthcare where the code is used in a wide range of systems, including electronic health records, prescription software, medical billing software, clinic management software, inventory management software, and medical device components.

Benefits and Risks of Open Source Software

Open source software has many benefits such as lowering starting costs, shortening the time to market, increasing feedback and collaboration, and allowing more flexible software development processes, and these benefits can be considerable. It is therefore no surprise that this year’s Open Source Security and Risk Analysis Report from Synopsis found open source software in 96% of scanned codebases, and 76% of the code in the codebases was open source. In healthcare, health tech, and life sciences, the percentage of codebases containing open source code increased from around 65% in 2018 to 80% in 2022.

Synopsis determined that 84% of codebases contained at least one vulnerability and 48% of codebases contained high-risk vulnerabilities. While having many eyes looking at code increases the chance of vulnerabilities being identified and corrected, publishing the code does not guarantee that the code will be inspected for vulnerabilities and security issues, nor that the people who do inspect the code are capable of finding vulnerabilities. The code is also available to malicious actors who can search for vulnerabilities that they can exploit.

Open source code can be used by software developers to add certain functions quickly, easily, and cheaply, and as such, open source code is extensively used, which means that if vulnerabilities exist, they are likely to be embedded in many thousands of applications. One problem with the use of open source code is it is often incorporated into applications but is never updated and many organizations fail to track where open source code has been used. If vulnerabilities are identified and fixed in open source code, those fixes may never be applied since organizations may be unaware of the applications that need to be updated. Further, vulnerabilities may not be found and addressed, as open source projects often lack centralized quality controls, there is no guarantee that the code has been rigorously tested, and open-source projects tend to lack the structure or resources required to take accountability for security issues.

Open Source Software Vulnerabilities Exploited in Healthcare Cyberattacks

While there have been no documented cyberattacks that have specifically targeted medical devices by exploiting open source software vulnerabilities, the potential for harm from attacks on medical devices is considerable. Attacks exploiting open source vulnerabilities could result in medical devices such as insulin pumps, implanted cardioverter defibrillators, defibrillators, and ventilators malfunctioning, with severe implications for patient safety.

Open source software vulnerabilities have been exploited in attacks on the healthcare sector, such as the Heartbleed vulnerability discovered in August 2014 which left networks vulnerable to eavesdropping and data theft. One attack on a health system exploited Heartbleed to gain access to the PHI of 4.5 million patients. More recently, in August 2020, several zero-day vulnerabilities in an open-source integrated information management system at a hospital exposed patients’ test results, and in December 2021, the Log4Shell flaw in the open source Log4j software, which is used to add logging capabilities to Java-based applications, was extensively exploited. The flaw was exploited by nation-state hacking groups such as HAFNIUM, PHOSPHOROUS, and APT35 and allowed access to be gained to sensitive data and for hackers to take full control of vulnerable devices. The vulnerability was also exploited by cybercriminal groups such as Conti in ransomware attacks. In January this year, a series of flaws were found in the open source software used by OpenEMR, which could be exploited to steal patient data and potentially compromise the entire IT infrastructure of an organization.

Recommendations for Reducing Open Source Software Risks

In order to address the risks of open source software, organizations need to know what open source components have been used. There has been a push for software developers to provide a Software Bill of Materials (SBOM) with their software, and healthcare organizations should demand an SBOM from their vendors and should conduct a software composition analysis (SCA) – an automated process to identify open source software in a codebase. HC3 also recommends other steps that can be taken by small and medium/large organizations to reduce open source software risks.

The post Healthcare and Public Health Sector Warned About Open Source Software Risks appeared first on HIPAA Journal.

HHS Publishes Healthcare Sector Cybersecurity Strategy

Posted by Steve Alder

On Wednesday, the U.S. Department of Health and Human Services published a concept paper that outlines the HHS’s cybersecurity strategy for the healthcare sector. The paper details the steps that the HHS has already taken to improve cybersecurity in the healthcare sector and the steps the HHS has planned for improving cyber resiliency and protecting patient safety. The Healthcare Sector Cybersecurity Strategy builds on the Biden administration’s National Cybersecurity Strategy and focuses specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks.

The healthcare sector has seen a massive increase in cyberattacks in recent years, with large data breaches increasing by 93% from 2018 to 2023 and ransomware attacks increasing by 278% over the same period. These attacks have resulted in extended stays in hospitals, poorer patient outcomes, delays to diagnosis and treatment, and diversions to other healthcare facilities. These adverse impacts have put patient safety at risk yet they are largely preventable.

“Since entering office, the Biden-Harris Administration has worked to strengthen the nation’s defenses against cyberattacks. The health care sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance,” said HHS Secretary Xavier Becerra. “HHS is working with health care and public health partners to bolster our cyber security capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted.”

The HHS has already taken several steps to improve healthcare cybersecurity. The HHS has updated its voluntary healthcare-specific cybersecurity guidance – Health Industry Cybersecurity Practices – to reflect the current cybersecurity landscape, released free healthcare-specific cybersecurity trainings to help small- and medium-sized healthcare organizations to train their staff on basic cybersecurity practices, and the HHS’ Office for Civil Rights has published telehealth guidance for healthcare providers and patients to educate patients about the privacy and security of protected health information. The Food and Drug Administration (FDA) has added new cybersecurity requirements for medical device manufacturers and has issued guidance on the pre-market cybersecurity requirements for new medical devices.

The Healthcare Sector Cybersecurity Strategy outlines the path forward and includes four pillars for action to improve cyber resilience in the health sector. The first step is to establish voluntary cybersecurity goals for the healthcare sector. Healthcare organizations have access to numerous cybersecurity standards and guidance and determining which standards should be prioritized can be confusing. The HHS will establish and publish voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) to help healthcare organizations prioritize high-impact cybersecurity practices, and will include essential and enhanced performance goals.

For many healthcare organizations, there are competing priorities and limited resources, which can mean improvements to cybersecurity are put on the back burner. The HHS plans to provide resources to incentivize healthcare organizations to implement cybersecurity practices and will be working with Congress to obtain new authority to administer financial support for domestic investments in cybersecurity. The HHS will create an upfront investment program to help high-need healthcare providers cover the upfront costs of implementing essential HPH CPGs and establish an incentive program to encourage hospitals to implement the enhanced HPH CPGs. Long term, the HHS will enforce the new cybersecurity requirements with the imposition of financial consequences for hospitals that fail to adopt essential cybersecurity practices.

The HHS plans an update to the HIPAA Security Rule in the spring of 2024 and will be adding new cybersecurity requirements. The HHS believes regulatory updates are required in addition to funding and voluntary goals, and those alone will not be enough to drive the behavioral changes needed across the sector. As part of an HHS-wide strategy, the Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through the Medicare and Medicaid programs and the HSS will work with Congress to increase the penalties for HIPAA violations. The HHS is also working with Congress to get increased resources to allow OCR to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for organizations with low resources to help them improve HIPAA compliance.

The fourth pillar for action is to expand and mature the one-stop-shop within the HHS for healthcare cybersecurity within the Administration of Strategic Preparedness and Response (ASPR) to make it easier for the industry to access the support and services provided by the Federal Government. This will enhance coordination between the HHS and the Federal Government, deepen partnerships with private industry, increase the incident response capabilities of the HHS, and promote greater uptake of services and resources such as vulnerability scanning and technical assistance.

“Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals,” wrote the HHS. “Acting on these priorities will protect the health and privacy of all Americans and enable safe access to health care.”

The post HHS Publishes Healthcare Sector Cybersecurity Strategy appeared first on HIPAA Journal.

Urgent Action Required to Address Critical ownCloud Vulnerabilities

Posted by Steve Alder

Three critical vulnerabilities in the ownCloud platform have been identified, one of which is being actively exploited. Urgent action is required to address the vulnerabilities to protect sensitive networks and sensitive data.

The ownCloud platform is used extensively in healthcare for storing, synchronizing, and sharing files and collaborating and consolidating work processes. As such, the platform is a prime target for malicious actors as it allows them to access highly sensitive data. The Clop hacking groups demonstrated how serious vulnerabilities in file sharing platforms can be, having mass exploited vulnerabilities in Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer solution earlier this year.

Security advisories were issued by ownCloud on November 21, 2023, about three vulnerabilities, the most serious of which has a maximum CVSS v3.1 severity score of 10. The remaining two vulnerabilities have been assigned CVSS scores of 9.8 and 9. Evidence of active exploitation of the flaws was identified by the cybersecurity firm Greynoise from November 25, 2023, with the malicious activity originating from 32 unique IP addresses.

  • CVE-2023-49103 – A critical vulnerability in versions 0.2.0 – 0.3.0 of the graphapi app that allows disclosure of sensitive credentials and configuration in containerized deployments. The graphapi app relies on a third-party library that provides a URL. When the URL is accessed, it reveals the configuration details of the PHP environment, which includes environment variables for the webserver. In containerized deployments, the disclosed information can include the ownCloud admin password, mail server credentials, and license key. The vulnerability has a CVSS severity score of 10 out of 10.
  • CVE-2023-49105 – A critical WebDAV API authentication bypass vulnerability using pre-signed URLs. The vulnerability affects core 10.6.0 – 10.13.0 and can be exploited to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default setting. The vulnerability has a CVSS severity score of 9.8 out of 10.
  • CVE-2023-49104 – A critical subdomain validation bypass vulnerability in oauth2 < 0.6.1. An attacker can pass in a specially crafted redirect-URL that bypasses the validation code, allowing the attacker to redirect callbacks to a TLD controlled by the attacker. The vulnerability has a CVSS severity score of 9.0 out of 10.

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning on December 5, 2023, urging HPH sector organizations to take immediate action and apply the actions recommended by ownCloud. “The nature of this platform is such that it needs to be integrated into the information infrastructure of a customer organization to function, which provides attackers with a target that can potentially provide access to sensitive information, as well as a staging point for further attacks,” explained HC3.

At present, only the CVE-2023-49103 is believed to have been actively exploited in attacks in the wild. This vulnerability should therefore be treated with the highest priority; however, the remaining vulnerabilities should also be addressed as soon as possible as exploitation is likely.

ownCloud notes that while the graphapi app can be disabled, that will not fully address the CVE-2023-49103 vulnerability. The owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file should also be deleted and the phpinfo function should be disabled in Docker containers. Owncloud also recommends changing potentially exposed secrets such as the credentials for ownCloud administration, the mail server, the database, and the Object-Store/S3 access key. Owncloud’s mitigations for the vulnerabilities can be found on the following links:

The post Urgent Action Required to Address Critical ownCloud Vulnerabilities appeared first on HIPAA Journal.

Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks

Posted by Steve Alder

Concern is growing as ransomware groups ramp up exploitation of a critical vulnerability in NetScaler ADS (formerly Citrix ADC) and NetScaler Gateway (Citrix Gateway) devices, dubbed Citrix Bleed.

Citrix issued a security advisory about the vulnerability on October 10, 2023, and issued a patch to correct the flaw, which can be exploited to bypass password protection and multifactor authentication. The buffer overflow vulnerability is tracked as CVE-2023-4966 and has a CVSS severity score of 9.4 out of 10. The vulnerability appears to have been exploited in the wild since August 2023. The vulnerability is easy to exploit and allows threat actors to take over legitimate user sessions. Once initial access has been gained, threat actors can elevate privileges, harvest credentials, move laterally, and access sensitive data and resources.

The vulnerability affects the following NetScaler ADC and Gateway versions:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway  13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
  • NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers still using these versions should upgrade their appliances to one of the supported versions.

On October 18, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog, and a security advisory about the flaw was issued on November 21, 2023, as it became clear that the vulnerability was being exploited more widely, including by the LockBit 3.0 ransomware group in attacks on critical infrastructure.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an urgent security advisory to the healthcare and public health (HPH) sector about the flaw along with a further advisory on November 30, 2023, urging healthcare organizations to patch the vulnerability as soon as possible to protect against exploitation. Applying the patch will prevent the vulnerability from being exploited; however, if it has already been exploited, the compromised sessions will remain active. Steps must therefore also be taken to ensure all active sessions are removed.

To remove active and persistent sessions after the patch has been applied, admins should run the following commands:

  • kill aaa session -all
  • kill icaconnection -all
  • kill rdp connection -all
  • kill pcoipConnection -all
  • clear lb persistentSessions

Steps should also be taken to investigate potential exploits of the vulnerability. NetScaler has issued guidance for investigations and CISA has published Indicators of Compromise associated with LockBit 3.0 along with the tactics, techniques, and procedures (TTPs) used by the group and mitigation steps for defending against ransomware attacks.

The American Hospital Association has recently issued a security advisory urging hospitals to take immediate action to protect against exploitation of the Citrix Bleed vulnerability, given that hospitals are prime targets for ransomware groups. “This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems.  Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season.”

The post Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks appeared first on HIPAA Journal.