The Five Eyes Cybersecurity Agencies have issued a warning that previously disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways are being actively exploited by multiple threat actors and have been since early December 2023.

The flaws – CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 – affect all supported versions (9.x and 22.x) and can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. According to the alert, Ivanti’s internal and previous external Integrity Checker Tool (ICT) failed to detect malicious activity associated with exploitation. CISA demonstrated in a test environment that the ICT is not sufficient to detect compromise and that it is possible to gain root-level persistence despite issuing factory resets.

Alphabet’s Mandiant has been investigating the exploitation of the zero day vulnerabilities and said the exploitation had likely impacted thousands of devices across multiple industry verticals. Some of those attacks were linked with a suspected Chinese cyber espionage group it tracks as UNC5325. The threat actor used living-of-the-land techniques and novel malware to achieve persistence. Mandiant said the patches released by Ivanti are effective at preventing exploitation, provided UNC5325 did not exploit the vulnerability before the patches were applied. Mandiant said UNC5325 has maintained access even after customers have initiated factory resets, patching, and applying the recommended security updates.

The Five Eyes agencies recommend that network defenders assume that user and service account credentials stored in affected Ivanti VPN appliances are likely compromised and should hunt for malicious activity using the detection mechanisms and IoCs details in its alert, and should also run the latest version of Ivanti’s external ICT. If the vulnerabilities have yet to be patched, network defenders should ensure they are applied as soon as possible and should follow the recommendations detailed in the latest Ivanti security advisory. Mandiant also recommends following the guidance provided in its updated Ivanti Connect Secure Hardening Guide.

The post Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Flaws appeared first on HIPAA Journal.

Two high-severity vulnerabilities have been identified in the free-to-use MicroDicom DICOM Viewer, which is used to view and manipulate DICOM images. Successful exploitation of the vulnerabilities could lead to remote code execution and memory corruption.

The first is a heap-based buffer overflow vulnerability tracked as CVE-2024-22100 which can be exploited in a low-complexity attack by tricking a user into opening a malicious DCM file, which would allow a remote attacker to execute arbitrary code on vulnerable versions of the DICOM Viewer.

The second vulnerability is an out-of-bounds write issue due to a lack of proper validation of user-supplied data. Successful exploitation of the flaw could result in memory corruption within the application. The vulnerability is tracked as CVE-2024-25578.

The vulnerabilities affect MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior versions and have been fixed in version 2024.1. Users have been advised to update to the latest version as soon as possible. There are currently no indications that the vulnerabilities have been exploited in attacks.

The post High Severity Vulnerabilities Identified in MicroDicom DICOM Viewer appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have shared the latest threat intelligence about Phobos ransomware, which has been used to attack municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities. Phobos ransomware is related to multiple ransomware variants, including Elking, Eight, Devos, Backmydata, and Faust ransomware. The Backmydata variant was used in a February 2024 attack in Romania that resulted in systems being taken offline at around 100 healthcare facilities.

Phobos ransomware is a ransomware-as-a-service (RaaS) group that has been active since May 2019. The group commonly gains access to victims’ networks through phishing campaigns that deliver malware via spoofed attachments with hidden payloads, including the Smokeloader backdoor trojan. Affiliates also use IP scanning tools such as Angry IP Scanner to identify vulnerable Remote Desktop Protocol (RDP) ports that are subjected to brute force attacks, and affiliates have been observed leveraging RDP to attack Microsoft Windows devices. Attacks often involve Cobalt Strike, Bloodhound, and Sharphound, Mimikatz to obtain credentials, NirSoft, and Remote Desktop Passview to export browser client credentials.

Phobos engages in double extortion tactics, where sensitive data is exfiltrated in addition to file encryption and victims have to pay for the keys to decrypt data and to prevent the publication of their stolen data on the group’s data leak site. Volume shadow copies are deleted from Windows environments to hinder attempts to recover without paying the ransom. The ransom demands are often of the order of several million dollars.

The Health Sector Cybersecurity Coordination Center issued an alert about Phobos ransomware in July 2021 after several attacks on organizations in the healthcare and public health sector. The latest alert shares updated tactics, techniques, and procedures used by the group in attacks up to February 2024, along with the latest Indicators of Compromise (IoCs), MITRE ATT&CK techniques, and recommended mitigations.

The post CISA, FBI Share Latest Threat Intelligence on Phobos Ransomware appeared first on HIPAA Journal.

A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) to share known Indicators of Compromise (IoCs) and the latest Tactic, Techniques, and Procedures (TTPs) used by the ALPHV/Blackcat ransomware group.

In December 2023, the U.S. Department of Justice (DoJ) announced that it had disrupted the operations of the ALPHV/Blackcat. An FBI agent posed as an affiliate and gained access to the group’s computer network, resulting in the seizure of several of the websites operated by the group. Around 900 public/private key pairs were obtained which allowed a decryption tool to be developed to help those victims recover their files. Within hours of the DOJ announcement, a spokesperson for the group said it had unseized the websites and issued a threat of retaliation. The group said the restrictions that were in place for affiliates had been removed. “You can now block hospitals, nuclear power plants, anything, anywhere,” wrote ALPHV/Blackcat, and attacks on hospitals were actively encouraged. The only rule that remained was the restriction on attacks within the Commonwealth of Independent States (CIS).

According to the cybersecurity alert, it appears that hospitals have been the main focus for the group. Since December 2023, ALPHV/Blackcat has added the data of 70 victims to its data leak site and the healthcare sector has been the most victimized. While the alert does not reference specific healthcare victims, one of the latest is Change Healthcare. ALPHV/Blackcat claims to have stolen 6TB of data in the attack, including data from all of its clients including Medicare, CVS Caremark, Health Net, and Tricare. Change Healthcare was briefly added to the group’s data leak site the day after the cybersecurity alert was released.

The alert explains that ALPHV/Blackcat affiliates often pose as IT technicians or helpdesk staff to steal credentials from employees to gain initial access to healthcare networks. The group also gains initial access through phishing, using the Evilginx phishing kit to steal multifactor authentication codes, session cookies, and login credentials. They install legitimate remote access and tunneling tools software such as AnyDesk Mega sync, and Splashtop to prepare for data exfiltration, tunneling tools such as Plink and Ngrok, and Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. Affiliates move laterally to extensively compromise networks and use allowlisted applications such as Metasploit to avoid detection.

While many ALPHV/Blackcat affiliates engage in double extortion – data theft and file encryption – some choose not to encrypt files and only steal data, then threaten to publish that data if a ransom is not paid. This approach ensures faster attacks with less chance of detection. The alert shares the latest IoCs, MITRE ATT&CK tactics and techniques, incident response recommendations, and mitigations for improving cybersecurity posture, one of the most important being phishing-resistant multifactor authentication such as FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA.

The post Feds Sound Alarm as ALPHV/Blackcat Ransomware Group Targets Healthcare appeared first on HIPAA Journal.

Adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) improves resilience to cyberattacks and the reduced risk is reflected in cyber insurance premiums. A recent Healthcare Cybersecurity Benchmarking Study has confirmed that healthcare organizations that have adopted the NIST CSF had lower annual increases in their cyber insurance premiums than healthcare organizations that have not adopted the NIST CSF.

The study was the result of a collaboration between Censinet, KLAS Research, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council and was conducted on 54 payer and provider organizations and 4 healthcare vendors in Q4, 2023. Adoption of the NIST CSF indicates a higher level of preparedness and resiliency and therefore lower risk for insurers. Healthcare organizations that use the NIST CSF as their primary cybersecurity framework report premium increases of one-third (6%) of the percentage reported by organizations that have not adopted the NIST CSF (18%).

The report assesses cybersecurity coverage, specifically coverage of the NIST CSF and Health Industry Cybersecurity Practices (HICP), and reveals little has changed in the past 12 months with average NIST CSF coverage increasing from 69% in 2023 to 72% in 2024, and average HICP coverage increasing from 71% in 2023 to 73% in 2024. Average coverage across the 5 NIST CSF core functions – identify, protect, detect, respond, recover – ranged from 65% to 75%, with the lowest coverage in the identify function and the highest in the respond function. This indicates most healthcare organizations that participated in the study were generally more reactive than proactive in their approach to cybersecurity. Out of all categories within the NIST CSF, supply chain risk management (identity) had the lowest coverage, which is concerning given the number of third-party data breaches in healthcare. The study revealed this to be a key consideration for insurers when setting premium increases. Higher coverage of supply chain risk management was associated with smaller increases in cyber insurance premiums.

Average HCIP coverage was better, with most organizations having email protection systems (84%) in place and cybersecurity oversight and governance (83%), but there was only 50% coverage of medical device security and 60% coverage of data protection/loss prevention. 25 healthcare delivery organizations also participated in last year’s benchmarking study and their average NIST CSF and HCIP coverage was higher than other provider and payer organizations. Those repeat organizations also had lower increases in their cyber insurance premiums than other healthcare organizations, on average.

The benchmarking studies have confirmed that high program ownership by information security leaders leads to higher cybersecurity coverage. Across all organizations, average NIST CSF and HICP coverage was between 71% and 72%, but organizations that assign information security leaders higher percentages of program ownership achieved above-average cybersecurity coverage, especially in the HCIP areas of endpoint protection systems and data loss and loss prevention.

“For the second year in a row, the Benchmarking Study sets the highest standard for collaborative, impartial, and transparent insight into the current state of the health sector’s cyber maturity, and, more importantly, enables providers and payers to make more informed investment decisions to close critical gaps in controls and elevate overall cybersecurity program preparedness,” said Steve Low, President of KLAS Research.

“With comprehensive benchmarks across ‘recognized security practices’ like NIST CSF and HICP, the Benchmarking Study will drive greater, more enduring cybersecurity maturity and resilience across both our Health-ISAC member community and the broader health sector,” said Errol Weiss, Chief Security Officer of Health-ISAC.

The post Higher NIST CSF and HCIP Coverage Linked with Lower Cyber Insurance Premium Growth appeared first on HIPAA Journal.

Healthcare cyberattacks are increasing each year in number and severity. In 2023, almost 740 healthcare data breaches were reported to the HHS’ Office for Civil Rights, and those breaches affected more than 136 million individuals, breaking previous records for both the number of data breaches and the individuals affected. It is clear that cybersecurity in healthcare is in a critical state and if nothing changes, more unwanted records will be broken in 2024.

The Health Sector Coordinating Council (HSCC), a public-private coalition that represents 425 healthcare industry entities and government agencies, recently unveiled a 5-year strategic plan for the healthcare and public health sector at the ViVE 2024 conference. HSCC explained that cyberattacks and data breaches are occurring due to increasingly connected and remote use of digital health technology, widely distributed portability of health data, and shortages of qualified healthcare cybersecurity professionals. The sprawling and increased complexity of the connected healthcare ecosystem creates risks such as unanticipated and poorly understood interdependencies; unknown inherited security weaknesses; overreliance on vendor solutions; systems that fail to adequately account for human factors related to cybersecurity controls; and inconsistencies between software and equipment lifecycles, and hackers are finding it far to too easy to exploit the vulnerabilities.

The Health Industry Cybersecurity Strategic Plan (HIC-SP) aims to improve healthcare cybersecurity from the current critical status to stable by 2029. HSCC explained that the cybersecurity status of the healthcare industry was rated critical in 2017 when the Health Care Industry Cybersecurity Task Force issued a report on improving cybersecurity in the healthcare industry. The HIC-SP builds on the recommendations made in the report and aims to improve healthcare cybersecurity through the implementation of foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant healthcare industry trends over the next five years.

HSCC has worked to establish current industry trends that are likely to continue over the next 5 years, determined their likely impact on healthcare cybersecurity, and made recommendations for proactively addressing those trends. The sector is likely to continue to incorporate emerging technologies, is unlikely to address current workforce and management challenges, and there is likely to be continued instability in the healthcare supply chain. The HIC-SP assesses how these and other trends may present continuous or emerging cybersecurity challenges, and recommendations are made on how the healthcare sector and government should prepare for those changes with broad cybersecurity principles and specific actions.

The aim is to provide C-Suite executives with actionable and measurable risk reduction activities based on the current cybersecurity landscape and projected industry trends. Healthcare security decision-makers can use the HIC-SP to inform decisions about cybersecurity investments and the implementation of specific cybersecurity measures, and since the HIC-SP is modular, organizations can use it to identify high-level goals and implement objectives to address the areas in most need of attention.

The HSCC says the HIC-SP complements other efforts to improve healthcare cybersecurity, such as the HHS’ Healthcare Sector Cybersecurity Strategy that was published in December 2023 and the voluntary healthcare cybersecurity performance goals announced by the HHS in January, and together with its government partners, the HSCC Cybersecurity Working Group will be working to achieve the goals of the plan through education and policy incentives and plans to release a set of measurable outcomes and metrics for success by the end of the year. By 2029, it is hoped that healthcare cybersecurity will have become as ingrained as a public health and patient safety standard.

The post HSCC Releases 5-Year Strategic Plan for Improving Healthcare Cybersecurity appeared first on HIPAA Journal.

The prolific LockBit ransomware-as-a-service (RaaS) group has been severely disrupted by a global law enforcement operation that has seen much of the group’s infrastructure seized, including servers, its affiliate portal, Tor sites, Stealbit data exfiltration tool, public-facing data leak site, and more than 200 cryptocurrency wallets. Two individuals who conducted attacks using LockBit ransomware have been arrested in Poland and Ukraine, and they will be extradited to the United States to face trial. The French and U.S. judicial authorities have also issued three international arrest warrants and five indictments. More than 1,000 decryption keys were obtained and a free decryptor for LockBit 3.0 has been created and made available on the No More Ransom portal. The seizure of the cryptocurrency wallets means it might be possible for victims to recover some of the ransoms they paid.

LockBit was branded the world’s most harmful cybercrime group by the UK’s National Crime Agency (NCA). The RaaS group has been active for the past four years and has targeted thousands of organizations around the world, and in Q3, 2023 alone the group added 275 new victims to its data leak site. The group has conducted many attacks on critical infrastructure entities, including healthcare organizations, and the attacks have caused billions of dollars of losses. According to the Department of Justice, the group conducted attacks on more than 2,000 victims, issued ransom demands of hundreds of millions of dollars, and had been paid at least $120 million.

Law enforcement agencies in 10 countries participated in “Operation Cronos,” which was headed by the NCA and coordinated by Europol and Eurojust. The operation commenced in April 2022 and has resulted in 34 servers being taken down in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, and more than 14,000 rogue accounts have been identified and referred for removal by law enforcement. The accounts were used by LockBit members for hosting tools and software used in attacks and for storing data stolen from victims.

The affiliate panel now displays a message for all affiliates from the NCA, FBI, Europol, and the Operation Cronos Law Enforcement Task Force. “Law enforcement has taken control of LockBit’s platform and obtained all the information on its servers. This information relates to the LockBit group and you, their affiliate. We have source code details of the victims you have attacked, the amount of money stolen, chats, and much, much more. You can thank LockBitSupp and their flawed infrastructure for this situation… we may be in touch with you very soon.”

LockBitSupp is the threat actor that controls the LockBit RaaS operation, with the LockBitSupp persona believed to be run by one or two individuals. The Russian-speaking threat actor claimed that the law enforcement operation exploited a critical PHP vulnerability, CVE-2023-3824, that was first disclosed in August 2023. The vulnerability leads to a stack buffer overflow, potential memory corruption, and remote code execution.

The takedown of the group’s infrastructure is significant and the extent of the data breach will be of concern to affiliates of the group, especially those that reside in locations where they can be reached by law enforcement. It is unlikely, however, that the core members of the group will be brought to justice as they are believed to reside in Russia. They may choose to rebuild and return with a new operation, as ransomware groups typically do following law enforcement disruption.

“A vast amount of data gathered throughout the investigation is now in the possession of law enforcement,” explained Europol. “This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities.”

The U.S. Department of State is also offering a reward of up to $15 million via the Transnational Organized Crime Rewards Program for anyone with information about LockBit associates, including a reward of up to $10 million for information leading to the identification or location of any individual who holds a leadership role in the LockBit operation, and a reward offer of up to $5 million for information that leads to the arrest and/or conviction of any individual conspiring to participate in or attempting to participate in LockBit ransomware activities.

The post International Law Enforcement Operation Takes Down LockBit RaaS Infrastructure appeared first on HIPAA Journal.

Healthcare organizations that have been unable to recover files that were encrypted in Rhysida ransomware attacks may now be able to recover the files for free as a decryptor has been released.

Rhysida is a ransomware-as-a-service operation that emerged in May 2023. Like many emerging ransomware groups, attacks have been conducted on U.S. healthcare organizations. In August 2023, following attacks on the healthcare and public health sector, the HHS’ Health Sector Cybersecurity Coordination Center issued an alert about the group. In November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory and shared indicators of compromise and mitigations.

Organizations that were unable to prevent attacks and chose not to pay the ransom may now be able to recover their encrypted files. Researchers in South Korea identified an encryption flaw in the encryptor used by Rhysida ransomware, which has allowed them to develop a Windows decryptor. The random number generator (CSPRNG) used to generate a unique private encryption key was flawed, which allowed them to determine the initial state of CSPRNG during an attack. Since the method used does not include high entropy data sources, the seed value used when encrypting files is predictable. Knowing the initial CSPRNG state and then reviewing logs and other data at the time of the infection allowed the researchers to identify a range for the seed value. The decryptor tries potential seed values until it finds the correct value and from there it is possible to determine all random numbers used to encrypt files and recover all locked data.

An automated decryption tool was developed and has been made available free of charge on the Korean Internet & Security Agency (KISA) website along with a technical paper in English and Korean that explains how to use the decryptor. The decryptor can only be used to recover files that have been encrypted using the Rhysida Windows encryptor. Several cybersecurity firms had already found the flaw and were able to recover files encrypted by Rhysida. Unfortunately, now that the flaw has been made public, the ransomware developer is likely to fix it. When that happens, recovery of files will only be possible from backups or by paying the ransom.

The post Free Decryptor Released for Rhysida Ransomware appeared first on HIPAA Journal.

A bipartisan Senate bill has been introduced that aims to improve healthcare cybersecurity and ensure that the Department of Health and Human Services (HHS) is implementing effective cybersecurity measures to combat evolving cyber threats. In 2023, record numbers of healthcare records were compromised, and more data breaches were reported than in any other year to date. More than 133 million healthcare records were compromised in 2023 across more than 725 reported breaches, the majority of which were hacking incidents.

Healthcare organizations must ensure that they are compliant with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which sets minimum standards for cybersecurity. The HHS is the main enforcer of compliance with the HIPAA Rules and issues guidance on healthcare cybersecurity. The HHS also manages the health data of approximately 65 million Americans who receive healthcare services through Medicare. As such, it is vital that the cybersecurity measures at the HHS are robust and capable of defending against evolving cyber threats.

The Strengthening Cybersecurity in Health Care Act was introduced by Senator Angus King (I-MA), Co-Chair of the Cybersecurity Solarium Commission and a member of the Senate Armed Services (SASC) and Intelligence Committees (SSCI), and Senator Marco Rubio (R-FL) and takes aim at the HHS and the cybersecurity protocols and practices that the HHS has introduced to combat evolving cyber threats.

“In recent years, several of Maine’s major healthcare providers have been the victims of cyberattacks. This threat to America’s critical infrastructure is real, and could literally mean the difference between life and death — we must take proactive steps to enhance the cybersecurity of our healthcare and public health sectors,” said Senator King. “The bipartisan Strengthening Cybersecurity in Health Care Act would help ensure that health institutions have the resources to keep patient data safe. As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends.”

The Strengthening Cybersecurity in Health Care Act requires the Inspector General of the HHS to evaluate the cybersecurity practices and protocols of the HHS. At least every two years, cybersecurity reviews and penetration tests should be conducted on HHS IT systems, and biennial reports should be submitted to Congress on the current cybersecurity practices at the HHS and its progress on future security practices that it is working on.

The post Bipartisan Bill Aims to Ensure the HHS is Implementing Effective Cybersecurity Measures appeared first on HIPAA Journal.