Prior to the 2019 Novel Coronavirus pandemic, many companies allowed some of their employees to spend some of the week working from home; however, COVID-19 dramatically changed the way people work, with national lockdowns forcing employers to rapidly change working practices and allow virtually all of their employees to work remotely.

When lockdowns were lifted, many employees continued to work from home. The new remote working environment is considered by many to be now be the new normal. Remote working has created many challenges, especially for cybersecurity as it is harder for organizations to prevent, detect, and contain cyberattacks when much of the workforce is working remotely.

A recent survey conducted on 2,215 IT and IT security professionals by the Ponemon Institute on behalf of Keeper Security explores the cybersecurity challenges of teleworking and assesses how companies have adapted cybersecurity practices to address the risks of teleworking.

One of the key findings from the survey is remote working has significantly reduced the effectiveness of organizations’ security posture.  When respondents were asked about the effectiveness of their security defenses before and during the pandemic, 71% rated their security defenses as either very or highly effective before the pandemic, with only 44% rating their defenses so highly during the pandemic.

The survey uncovered several reasons for the perceived decline in the effectiveness of those defenses.  When employees work on-site, physical security measures are in place to prevent the theft of equipment and data. 47% of respondents said the lack of physical security at employees’ homes was a significant concern.

71% of IT professionals felt that remote workers were putting their organization at risk of a data breach, while 57% said remote workers are a prime target for cybercriminals looking to exploit vulnerabilities.

Remote workers need to access business-critical applications, with 59% of respondents reporting that remote access to those applications increased during the pandemic. On average, organizations have 51 business-critical applications and 56% of those applications are being accessed remotely.

56% of respondents said the time to respond to a cyberattack has increased during the pandemic and 42% of respondents said they have no understanding about how to protect against cyberattacks with so many remote workers.

There has been a major increase in the use of personal devices due to the pandemic, and BYOD schemes have reduced organizations’ security posture. 67% of respondents said remote workers were using personal devices for work purposes during the pandemic, including mobile phones, which are the most vulnerable devices.

Intrusion detection systems that were effective with office-based working are far less effective with teleworking. 51% of respondents reported an exploit or malware infection that evaded their intrusion detection systems during the pandemic and 61% said they had experienced a cyberattack during the pandemic, with phishing and social engineering attacks the most common attack method.

Despite the risk of cyberattacks, 31% of organizations said they have not implemented multi-factor authentication for remote workers, only 43% provide security awareness training covering the risks of remote working, and only 47% are monitoring their networks 24/7. Less than half of respondents protect company-owned devices with up-to-date anti-virus, device encryption and firewalls. If these security issues are not addressed, organizations will face a far higher risk of experiencing a cyberattack and costly data breach. You can view the full findings of the survey and recommendations on this link.

The post Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment appeared first on HIPAA Journal.

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States.

B.Braun OnlineSuite

Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code.

The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows uploads and downloads of files by unauthenticated individuals, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a high privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10.

An Excel macro vulnerability – CVE-2020-25170 – has also been identified in the export feature, caused by the mishandling of multiple input fields, which has been assigned a CVSS v3 base score of 6.9.

The flaws are present in OnlineSuite AP 3.0 and earlier. B.Braun has addressed the flaws in the update, OnlineSuite Field Service Information AIS06/20, which users are advised to apply as soon as possible.

SpaceCom and Battery Pack SP with Wi-Fi

11 vulnerabilities have been identified in SpaceCom, which is used to connect external devices for data documentation in a Patient Data Management System, PC or USB memory stick, and Battery Pack with WiFi.

The flaws affect SpaceCom, software Versions U61 and earlier and Battery pack with Wi-Fi, software Versions U61 and earlier.

If exploited, an attacker could compromise the security of SpaceCom devices and escalate privileges, view sensitive information, upload arbitrary files, and remotely execute arbitrary code.

• CVE-2020-25158 (CVSS 7.6) – Reflected cross-site scripting (XSS) vulnerability allowing injection of arbitrary web script or HTML into various locations.
• CVE-2020-25150 (CVSS 7.6) -Relative path traversal attack vulnerability allowing an attacker with service user privileges to upload arbitrary files and execute arbitrary commands.
• CVE-2020-25162 (CVSS 7.5) – Path injection vulnerability allowing unauthenticated individuals to access sensitive information and escalate privileges.
• CVE-2020-25156 (CVSS 7.2) – Active debug code that enables attackers in possession of cryptographic material to access the device as root.
• CVE-2020-25160 (CVSS 6.8) -Improper access controls that allow extraction and tampering with the device’s network configuration.
• CVE-2020-25166 (CVSS 6.8) -Improper verification of the cryptographic signature of firmware updates, which allows an attacker to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
• CVE-2020-16238 (CVSS 6.7) – Improper privilege management that gives attackers command line access to the underlying Linux system, and privileges to be escalated to root user.
• CVE-2020-25152 (CVSS 6.5) -Session fixation vulnerability allowing hijacking of web sessions and escalation of privileges.
• CVE-2020-25154 (CVSS 5.4) – Open redirect vulnerability allowing redirection to malicious websites.
• CVE-2020-25164 (CVSS 5.1) – Use of a one-way hash which allows the recovery of user credentials of the administrative interface.
• CVE-2020-25168 (CVSS 3.3) – Use of hard-coded credentials that would allow command line access to access the device’s Wi-Fi module

Braun has released updates to correct the flaws. Users should update to SpaceCom: Version U62 or later and Battery Pack SP with Wi-Fi: Version U62 or later.

Braun also recommends devices should not be accessible directly from the internet and to use a firewall and isolate medical devices from the business network.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

The post Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom appeared first on HIPAA Journal.

The Iran-based hacking group known as Silent Librarian – aka Cobalt Dickens and TA407 – has recommenced spear phishing attacks on universities in the United States and around the world. The hacking group has been conducting attacks since 2013 to gain access to login credentials and steal intellectual property and research data. Credentials and data stolen in the attacks are subsequently sold via the hacking group’s portals.

The U.S. Department of Justice indicted 9 Iranians in connection with the attacks in 2018, but the indictments have had no effect on the campaigns which have continued. Those individuals have yet to be brought to justice.

The spear phishing campaigns usually recommence in September to coincide with the start of the new academic year. The hackers have developed many different phishing websites which are used in the campaigns, and while many of these sites are taken down, sufficient numbers are used to ensure the campaigns can continue. This year, the group is known to be using sites hosted in Iran, which could hamper efforts to have the sites shut down due to a lack of cooperation between Iran and the United States and Europe.

Spear phishing emails are highly targeted and are sent to relatively few individuals at each targeted institution. The emails often spoof university libraries and prompt users to click links and login to the university’s web portal.

The domains used in the campaign closely resemble the official domains used by the universities. For instance, attacks on Western University Canada use login.proxy1.lib.uwo.ca.sftt.cf instead of login.proxy1.lib.uwo.ca, and the campaign targeting Stony Brook University uses the domain blackboard.stonybrook.ernn.me instead of blackboard.stonybrook.edu.

The threat group is known to use URL shortening services for links to the phishing domains to mask the true destination URL. Malwarebytes, which discovered the latest campaign, reports that Silent Librarian is using Cloudflare this year for most of their phishing hostnames to hide the real origin of the sites, which are mostly hosted in Iran this year.

The landing pages on the phishing pages are virtual carbon copies of those used by the universities being targeted, so if a user lands on one of those pages and fails to identify the incorrect URL, there is a strong likelihood that login credentials will be entered and captured by the group.

This year’s campaign could be even more effective. Many students and staff are remote due to COVID-19, which could potentially be exploited to steal more credentials and data.

The hacking group is known to have conducted attacks on at least 40 organizations and more than 140 educational institutions since 2013 and was discovered to have stolen more than 30 TB of data between 2013 and 2017. Malwarebytes reports that well over a dozen universities are known to have been targeted in the latest campaign, but says only a small sample of the emails have been intercepted and the campaign is likely to be far more extensive.

The post Universities Targeted in Silent Librarian Spear Phishing Campaign appeared first on HIPAA Journal.

On October 2020 Patch Tuesday, Microsoft released a patch to correct a critical remove code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw concerns how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was assigned a CVSS v3 score of 9.8 out of 10.

While all patches should be applied promptly to prevent exploitation, there is usually a delay between patches being released and exploits being developed and used offensively against organizations; however, due to the severity of the flaw and the ease at which it can be exploited, patching this vulnerability is especially important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) took to Twitter to urge all organizations to apply the patch immediately.

An attacker could exploit the flaw remotely in a Denial of Service attack, resulting in a ‘blue screen of death’ system crash; however, exploitation could also allow the remote execution of arbitrary code on the vulnerable systems. To exploit the flaw, an unauthenticated hacker need only send specially crafted ICMPv6 Router Advertisement to a vulnerable Windows computer – A device running Windows 10 1709 to 2004, Windows Server versions 1903 to 2004, or Windows Server 2019.

While there have been no known exploits of the vulnerability in the wild, the flaw will be attractive to hackers. McAfee Labs reports that a proof-of-concept exploit for the flaw was sent to Microsoft Active Protection Program members that it reports is “extremely simple and perfectly reliable.”  In addition to being easy to exploit, the vulnerability is potentially wormable, so attacking one device could easily see all other vulnerable devices on the network similarly compromised.

McAfee Labs nicknamed the vulnerability “Bad Neighbor” as it resides in the ICMPv6 Neighbor Discovery “Protocol”, using the Router Advertisement type, and is due to the TCP/IP stack improperly handling ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) and a length field value that is even.

If it is not possible to patch immediately, mitigations need to be implemented to reduce the potential for exploitation.

Microsoft recommends administrators disable ICMPv6 RDNSS to prevent exploitation. This can be achieved using a simple PowerShell command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

However, this option will disable RA-based DNS configuration, so cannot be used on network infrastructure that relies on RA-based DNS configuration. Also, this mitigating measure is only effective on Windows 10 1709 and later versions.

Alternatively, it is possible to prevent exploitation by disabling ipv6 traffic on the NIC or at the network perimeter, but this is only possible if ipv6 traffic is not essential.

The post Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA appeared first on HIPAA Journal.