The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published healthcare sector-specific guidance on enhancing cyber resilience. The guidance is based on the findings from a two-week risk and vulnerability assessment that was performed in January 2023 at the request of a large healthcare organization that was looking to identify vulnerabilities and potential security improvements.
CISA spent the first week conducting external penetration tests to identify weaknesses that could be exploited, and a week analyzing the internal network, with its assessments including web applications, databases, wireless access points, penetration tests, and phishing testing. The unnamed organization was found to have secured its network sufficiently to prevent external attacks. CISA was unable to find any vulnerabilities that could be easily exploited by malicious actors and was unable to gain access through phishing; however, several weaknesses were identified during internal penetration tests. CISA was able to exploit misconfigurations, weak passwords, and other security issues through multiple attack paths and compromise the organization’s domain.
The penetration and web application testing uncovered no vulnerabilities that could easily be exploited and payloads used in the phishing tests were blocked by a combination of browser controls, security policies, and antivirus software. While some of the payloads were downloaded to disk, they were immediately neutralized by the antivirus software when executed, and while some payloads appeared to have evaded internal protections, they failed to make a connection with their C2 servers.
Phishing tests were also performed on end users in an attempt to harvest credentials. 12 individuals responded to the phishing attempts and disclosed their credentials, but they could not be used as those individuals only had limited access to external-facing resources, and multi-factor authentication had been implemented for cloud accounts. CISA notes that its assessments did not include adversary-in-the-middle attacks using phishing kits such as Evilginx, which can bypass multifactor authentication. CISA recommends using phishing-resistant multifactor authentication to block attacks involving these advanced phishing kits.
The internal penetration tests started with a connection to the network without a valid domain account and attempted to gain domain user access and then escalate privileges until the domain was compromised. The organization’s domain was compromised using four attack paths, and in the fifth attack path, CISA was able to access sensitive information. CISA was able to obtain 55 password hashes, one of which was for a service account that had a weak password that was easily cracked to obtain access to the organization’s domain.
The web application tests identified default credentials in multiple web applications that had not been changed, as well as default printer credentials, along with misconfigurations that allowed CISA to authenticate to the domain controller and validate administrator privileges. CISA used the CrackMapExec tool to spray easily guessable passwords and obtained two sets of valid credentials for standard domain user accounts and demonstrated a path leading to domain compromise. CISA also demonstrated that several systems on the network did not enforce SMB signing, and exploited the misconfiguration to obtain credentials for two additional domain administrator accounts, which were validated confirming a domain compromise.
The fifth attack path involved vulnerability scanning, which identified an unpatched EternalBlue vulnerability in SMB version 1. CISA used a well-known exploit for the vulnerability to establish a shell on the server which allowed commands to be executed in the context of the local SYSTEM account. CISA also identified multiple instances of password reuse, which allowed access to be gained to several resources that contained sensitive information.
The methods and tools used by CISA in its assessments are commonly used by hackers for post-compromise activities. If initial access was gained, the internal vulnerabilities could have been exploited to achieve a full domain compromise. The key findings of the assessments have been published in a cybersecurity advisory – Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment – along with recommended mitigations for addressing the vulnerabilities, which are likely to exist in many healthcare organizations. The guidance can also be applied by software companies and organizations in other critical infrastructure sectors.
The post CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience appeared first on HIPAA Journal.