Healthcare Cybersecurity

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine.

Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage.

A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identify theft, and the increasingly popular route of ransomware.

Gone are the days where healthcare companies only had to deal with issues related to patient care because they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most updated data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of the IT team should have only the level of access required to ensure both HIPAA compliance and data security, including restrictions on time, scope, and job function. Each vendor rep should use a unique username and password to log into the system and go through multi-level authentication that’s attached to their identities. On top of that, an automatic logoff upon a short period of inactivity can prevent unauthorized access under another’s credentials.

Why Auditable Reports are Necessary

An automatic audit system permits healthcare companies to screen for unauthorized access and to trace the source of the data breach. An effective audit system maintains detailed login information of every support connection system and delivers a complete history of every login, including time, place, personnel and scope of access to the patients’ records, and other sensitive information.

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.

The Importance of Data Integrity and Security

The weak link in data security generally occurs at the points of access and transmission. However, regular updates to security settings protect data from corruption and prevent a breach of data during transmission. To protect the data’s integrity and security, recommendations include customer control of configurable encryption, advanced transmission standards (AES) in 128-, 192-, and 256-bit modes, and data encryption standards (DES) of Triple DES10.

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance. If you’re worried about your vendors not having your compliance in mind, it is of the utmost importance to ensure you are vetting them before onboarding them, as well as checking in on them and doing an “audit” of some sort to make sure you have a ledger of all vendors.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients

The post Vendor Access and HIPAA Compliance: Are you Secured? appeared first on HIPAA Journal.

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data.

The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft and three APT groups are known to be conducting attacks – the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea – The Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29).

The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently in advanced clinical trials. One of the targeted companies has developed a COVID-19 test and the clinical research firm is involved in conducting COVID-19 vaccine trials. While the attacked companies were not named by Microsoft, cyberattacks have been reported by the Indian pharma firms Dr. Reddy’s and Lupin, and the U.S. biotech firm Moderna is known to have been attacked.

Microsoft reports that some of the attacks have been successful, although Microsoft did not say whether that means systems have been breached or if intellectual property and vaccine and research data were obtained.

The Russian Strontium group has favored brute force tactics to crack passwords for employee accounts, while the Lazarus group has been sending spear phishing emails to key employees to obtain passwords. One tactic used by the Lazarus group involves posing as recruiters and sending fake job descriptions. Cerium, which is believed to be a new North Korean hacking group, has also been using phishing emails to gain access to employee credentials. Its campaign involved impersonating the World Health Organization (WHO).

The motivation behind the attacks are clear. Research and vaccine data would give foreign countries a huge strategic advantage, with research and vaccine data potentially worth billions of dollars. These attacks appear to be solely concerned with data theft. The attacks so far do not appear to have been conducted to hamper efforts to conduct research or develop vaccines but there are many cybercriminal groups that are conducting destructive cyberattacks.

Healthcare organizations have faced a barrage of financially motivated cyberattacks by cybercriminals organizations using ransomware in recent months. Recently, CISA, the FBI, and HHS issued a joint advisory following an increase in targeted Ryuk ransomware attacks on healthcare organizations in the United States. The Ryuk and other ransomware gangs have also attacked healthcare organizations in France, Germany, Thailand, Spain, and the Czech Republic. The ransomware attack on a hospital in Germany resulted in the first known patient death due to a ransomware attack, and several attacks in the United States have resulted in major disruption and have forced hospitals to cancel elective procedures and reroute patients to alternative healthcare facilities.

Several industry groups are offering assistance to organizations in the healthcare sector such as the Health Sector Coordinating Council and Health-ISAC, and are providing indicators of compromise (IoCs) and detailed information on recent attacks to help organizations improve their defenses against cyberattacks and better defend their networks and data.

Microsoft has been taking an active role in attack prevention and has recently participated in the Paris Peace forum, a multi-stakeholder coalition working on combating these attacks, in particular to stop attacks on critical infrastructure from succeeding. Prior to the Paris Peace Forum, over 65 healthcare organizations joined the Paris Call for Trust and Security in Cyberspace. The Paris Call is largest multi-stakeholder coalition to date that addresses cybersecurity issues faced by the healthcare industry.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Tom Burt, Microsoft Vice President for Customer Security & Trust, in a Friday blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”

The post Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development appeared first on HIPAA Journal.

Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware

A new phishing campaign is being conducted using the TrickBot botnet which delivers the Bazar backdoor and Buer loader malware. The campaign was detected by researchers at Area 1 Security and has been running since early October.

The Bazar backdoor is used to gain persistent access to victims’ networks, while the Buer loader is used to download additional malicious payloads. Previously, Buer has been used to deliver ransomware payloads such as Ryuk and tools such as CobaltStrike.

Area 1 Security researchers detected two email lures in this campaign. One is a fake notification about termination of employment and the other a fake customer compliant. The employment termination email appears to have been sent by an authority figure in the head office of the company being targeted and states that the individual has been terminated. Further information on the termination and payout are provided in a document that appears to be hosted on Google Docs.

If the link is clicked, the user will be directed to a Google Doc decoy preview page and is advised to click another link if they are not redirected. That link directs them to a URL where a file download is initiated. The user will be presented with a security warning asking if they want to run the file. Doing so launches a PE32+ executable on Windows systems and triggers a sequence of events that results in the download of either the Buer loader or the Bazar backdoor. Constant Contact links are also being used in this campaign.

The use of cloud services for hosting malicious documents is now commonplace. It is a tactic used to bypass security solutions that scan attached files for malicious code such as macros. By linking to legitimate cloud services, some security solutions will fail to detect the link as malicious and will deliver the emails to users’ inboxes. Should the links in the emails be classified as malicious by URL scanning security solutions, the attackers can simply switch to different URLs.

Last month Microsoft announced a takedown operation that saw it take control of the infrastructure used by the operators of TrickBot. This major operation was only temporarily effective at disrupting the botnet infrastructure. Microsoft said the takedown operation was only likely to be temporary, as the TrickBot operators would likely rebuild their operation on different infrastructure.

Area 1 Security researchers note that this campaign resumed after just two days after the takedown of the botnet and, this time around, the TrickBot gang is using sinkhole resistant EmerDNS TLDs, which make any further takedown attempts difficult.

The post Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware appeared first on HIPAA Journal.

Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption

Coveware has released its Quarterly Ransomware report for Q3, 2020 highlighting the latest ransomware attack trends. The report confirms that data exfiltration prior to the use of ransomware continues to be a popular tactic, with around half of all ransomware attacks involving data theft. Attacks involving the theft of data doubled in Q3, 2020.

In cases where data are stolen prior to file encryption, victims are told that if they do not pay the ransom demand their data will be leaked online or sold to pressure victims into paying, but ransomware victims should carefully consider whether or not to pay. There are no guarantees that paying the ransom will prevent publication of stolen data.

Ransomware Gangs Renege on Promises to Delete Data

The Maze ransomware gang started the double-extortion trend in 2019 and many ransomware operators soon followed suit. In some cases, two ransomware demands are issued; one to return or delete stolen data and the other for the keys to unlock the encrypted files, The operators of the AKO and Ranzy ransomware variants have adopted this dual ransom demand tactic.

The Coveware report reveals that, in some cases, the attackers do not make good on their promise even when the victim pays the ransom in full. There have been several cases where stolen data were leaked or stolen after the ransom was paid, and one gang is known to re-extort victims.

The report lists four ransomware operations known not to delete data after the ransom has been paid. The operators of Sodinokibi ransomware have re-extorted some victims, the Netwalker and Mespinoza operators have subsequently leaked stolen data after the ransom was paid in full, while the operators of Conti ransomware have provided victims with proof that files have been deleted, but the proof was for the deletion of fake files. Maze, Sekhmet, and Egregor have similarly leaked data on occasion, although it is unclear whether the leaks after payment were intentional.

Coveware explains that some ransomware operations see data held by multiple parties, which means that even if the threat actor deletes data, there is no guarantee that all copies will be deleted. There have been cases where stolen data are posted in error on leak sites before the victim is even given the chance to make payment.

Coveware warns its customers that payment of the ransom does not guarantee stolen data will not be shared with other threat groups or be used in further extortion attempts. Coveware tells its customers to assume theft of data is a data breach and ensure all individuals impacted by the breach are notified to give them the opportunity to monitor their accounts and take steps to protect their identities, regardless of whether the ransom demand is paid.

Ransom Demands Continue to Increase

The report shows the average ransom demand has been steadily increasing over the past 8 quarters, although the quarterly increases have been more substantial each quarter since Q3, 2019. Ransom demands increased once again in Q3, 2020 with the average demand up 31% from Q2, 2020 at $233,817, with the median payment rising by $1,935 to $110,532. The increase in the average payment indicates ransomware gangs are conducting more attacks on large organizations, where the potential returns are much higher for a similar level of effort.

Biggest Ransomware Threats in Q3, 2020

The biggest ransomware threats in Q3, 2020 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer, with the top two ransomware variants accounting for 16.2% and 13.6% of attacks respectively. Attacks with Maze ransomware peaked in Q3; however, the operators have now shut down their operation, with affiliates involved in the distribution of the ransomware mostly switching to the Sekhmet and Egregor ransomware-as-a-service operations. Attacks involving those ransomware variants increased in Q3 and are expected to continue to increase in Q4.

RDP and Phishing are the Main Attack Vectors

The most common attack vectors used to distribute ransomware have changed little over the past few quarters. Attacks on RDP are still the most common, accounting for more than 50% of infections. This is the attack vector favored by the most prolific ransomware groups such as Sodinokibi and Maze (Sekhmet/Egregor). Almost 30% of attacks see the ransomware distributed via phishing emails, with the number of phishing-related attacks having steadily increased since Q4, 2019. Software vulnerabilities and other forms of compromise are used in less than 10% of attacks.

There are worrying signs that the supply of stolen RDP credentials is now outstripping demand, which is seeing the price for those credentials falling. As the cost goes down it opens up this attack vector to other less technically sophisticated groups, who may choose this method to attack organizations. Coveware warns that this method of attack is the most cost-effective way to compromise organizations, and the importance of properly securing RDP connections cannot be overstated.

The post Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption appeared first on HIPAA Journal.

Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication

A new report published by CoreView has revealed the majority of Microsoft 365 admins have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and are failing to implement other basic security practices. According to the study, 78% of Microsoft 365 administrators have not activated multi-factor authentication and 97% of Microsoft 365 users are not using MFA.

“This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” explained the researchers.

The SANS Institute says 99% of data breaches can be prevented by using MFA, while Microsoft explained in an August 2020 blog post that MFA is the single most important measure to implement to prevent unauthorized account access, explaining that 99.9% of account breaches can be prevented by using MFA.

The CoreView study also revealed 1% of Microsoft 365 admins do not use strong passwords, even though hackers are adept at cracking passwords with automated brute force attacks. Even when strong passwords are used, there is no guarantee that a breach will be prevented. A strong password offers no protection if a user falls for a phishing scam. If passwords are stolen, MFA offers protection and should prevent those passwords from being used to gain access to accounts.

The CoreView M365 Application Security, Data Governance and Shadow IT Report revealed Microsoft 365 administrators are given excessive control and have access to a treasure trove of sensitive information. 57% of Microsoft 365 admins were fund to have excessive permissions to access, modify, and share business-critical data. Further 36% of Microsoft 365 administrators are global admins, giving them full control over their organization’s entire Microsoft 365 environment and 17% of Microsoft 365 admins are also Exchange admins and have access to the email accounts of the entire organization, including C-Suite accounts. Should Microsoft 365 admin accounts be compromised, hackers would have access to the entire Microsoft 365 environment and huge volumes of sensitive data. Not only does the Microsoft 365 environment contain a huge amount of easily monetized data, accounts are also linked to other systems and could be used for a much broader attack on the organization.

The study also revealed companies have invested heavily in productivity and operations applications that empower employees to communicate, collaborate, and work more efficiently, but there has been a rise in shadow IT, especially SaaS applications. SaaS applications are often used by employees without the knowledge of the IT department. Many of those SaaS applications lack appropriate security and open the door to preventable cyberattacks.

“At a basic level, malicious apps can siphon off critical data. Users could also potentially be sharing sensitive company information through these apps to compromised parties, putting organizations at a substantial risk of a data breach,” explained CoreView in the report. “It’s vital that organizations properly monitor these apps for potential security gaps.”

Organizations that move to Microsoft 365 often underestimate their security and governance responsibilities, mistakenly believing that Microsoft 365 is secure by default and includes the necessary protections to prevent data breaches. While Microsoft 365 can be secure, organizations must be proactive and ensure that security is addressed, there is sufficient oversight of shadow IT, and proper data governance.

The post Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication appeared first on HIPAA Journal.

Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued an advisory warning about increased Ryuk ransomware activity targeting the healthcare and public health sector.

Credible evidence has been obtained indicating an increased and imminent threat to hospitals and healthcare providers in the United States. The advisory details some of the tactics, techniques, and procedures (TTPs) used by the operators of Ryuk ransomware and other cybercriminal groups who are assisting with the distribution of the ransomware to help the healthcare sector manage risk and protect their networks from attacks.

The advisory explains that Ryuk ransomware is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is a banking Trojan that was first identified in 2016 that has since been updated with a host of new functions. In addition to stealing banking credentials, TrickBot is capable of mail exfiltration, cryptomining, data exfiltration from point of sale systems, and acts as a downloader of other malware variants, notably Ryuk ransomware.

In 2019, the FBI identified a new module had been added, named Anchor, which sends and receives data from victim machines using DNS tunneling, allowing communications with its command and control infrastructure to go undetected by many security solutions. The advisory provides indicators of compromise (IoCs) to help network defenders identify TrickBot infections.

Once Ryuk ransomware has been deployed, common off-the-shelf products such as Cobalt Strike and PowerShell Empire are used to steal credentials. “Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz,” explained CISA in the alert. “This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.”

The Ryuk threat actors use living-off-the-land techniques using tools such as net view, net computers, and ping to find mapped network shares, domain controllers, and active directory. Native tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP), are often used to move laterally through the network, along with third-party tools such as Bloodhound.

The attackers will identify and shut down security applications to prevent detection of the ransomware and may even manually remove certain security applications that would otherwise stop the ransomware from executing. Attempts are also made to delete backup files and Volume Shadow Copies to prevent victims from recovering their files without paying the ransom.

You can view the advisory, IoCs, and suggested mitigations on this link.

Ryuk Operators Transition to Malware as a Service Tool for Distributing Ransomware

While not detailed in the recent advisory, evidence has been found to indicate the operators of Ryuk ransomware are transitioning away from TrickBot and are now using a malware-as-a-service tool to deliver their ransomware payload.

Security firm Sophos has reported the Buer loader is now being used to deliver Ryuk ransomware. The Buer loader first started to be advertised on hacking forums in August 2019 to other malware operators for use in delivering malware and ransomware payloads. According to the Sophos researchers, the operators of TrickBot have been using the Buer loader for several months.

The Buer Loader is primarily distributed using phishing emails, often using malicious Word documents. Sophos notes that the Buer loader uses PowerShell commands to change settings on Windows devices to evade detection, including modifying the Windows Defender exclusion list. A dropper is used to deposit Buer in the memory and execute the loader, which downloads Ryuk ransomware.

While the Buer loader is being used for the initial compromise to gain a foothold in networks, the tactics used by the Ryuk operators once access to the network is gained remains the same.

The post Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector appeared first on HIPAA Journal.

Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment

Prior to the 2019 Novel Coronavirus pandemic, many companies allowed some of their employees to spend some of the week working from home; however, COVID-19 dramatically changed the way people work, with national lockdowns forcing employers to rapidly change working practices and allow virtually all of their employees to work remotely.

When lockdowns were lifted, many employees continued to work from home. The new remote working environment is considered by many to be now be the new normal. Remote working has created many challenges, especially for cybersecurity as it is harder for organizations to prevent, detect, and contain cyberattacks when much of the workforce is working remotely.

A recent survey conducted on 2,215 IT and IT security professionals by the Ponemon Institute on behalf of Keeper Security explores the cybersecurity challenges of teleworking and assesses how companies have adapted cybersecurity practices to address the risks of teleworking.

One of the key findings from the survey is remote working has significantly reduced the effectiveness of organizations’ security posture.  When respondents were asked about the effectiveness of their security defenses before and during the pandemic, 71% rated their security defenses as either very or highly effective before the pandemic, with only 44% rating their defenses so highly during the pandemic.

The survey uncovered several reasons for the perceived decline in the effectiveness of those defenses.  When employees work on-site, physical security measures are in place to prevent the theft of equipment and data. 47% of respondents said the lack of physical security at employees’ homes was a significant concern.

71% of IT professionals felt that remote workers were putting their organization at risk of a data breach, while 57% said remote workers are a prime target for cybercriminals looking to exploit vulnerabilities.

Remote workers need to access business-critical applications, with 59% of respondents reporting that remote access to those applications increased during the pandemic. On average, organizations have 51 business-critical applications and 56% of those applications are being accessed remotely.

56% of respondents said the time to respond to a cyberattack has increased during the pandemic and 42% of respondents said they have no understanding about how to protect against cyberattacks with so many remote workers.

There has been a major increase in the use of personal devices due to the pandemic, and BYOD schemes have reduced organizations’ security posture. 67% of respondents said remote workers were using personal devices for work purposes during the pandemic, including mobile phones, which are the most vulnerable devices.

Intrusion detection systems that were effective with office-based working are far less effective with teleworking. 51% of respondents reported an exploit or malware infection that evaded their intrusion detection systems during the pandemic and 61% said they had experienced a cyberattack during the pandemic, with phishing and social engineering attacks the most common attack method.

Despite the risk of cyberattacks, 31% of organizations said they have not implemented multi-factor authentication for remote workers, only 43% provide security awareness training covering the risks of remote working, and only 47% are monitoring their networks 24/7. Less than half of respondents protect company-owned devices with up-to-date anti-virus, device encryption and firewalls. If these security issues are not addressed, organizations will face a far higher risk of experiencing a cyberattack and costly data breach. You can view the full findings of the survey and recommendations on this link.

The post Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment appeared first on HIPAA Journal.

Office 365 Users Targeted in Microsoft Teams Phishing Scam

A new Office 365 phishing campaign has been detected by researchers at Abnormal Security that spoofs Microsoft Teams to trick users into visiting a malicious website hosting a phishing form that harvests Office 365 credentials.

Microsoft Teams has been adopted by many organizations to allow remote workers to maintain contact with the office. In healthcare the platform is being used to provide telehealth services to help reduce the numbers of patients visiting healthcare facilities to control the spread of COVID-19.

Microsoft reported in in a June call announcing financial earnings for the quarter ended June 30, 2020 that Microsoft Teams is now used by more than 150 million students and teachers. More than 1,800 organizations have more than 10,000 Teams users, and 69 organizations have more than 100,000 users. The use of Microsoft Teams in healthcare has also been growing, with 46 million Teams meetings now being conducted for telehealth purposes. The increase in usage due to the pandemic has presented an opportunity for cybercriminals.

According to figures from Abnormal Security, the latest campaign has seen the fake Microsoft Teams emails sent to up to 50,000 Office 365 users so far. The messages appear to be sent from a user with the display name “There’s new activity in Teams,” making the messages appear to be automated notifications from Teams.

The messages advise users to login as the Team community is trying to get in touch. The emails include a button to click to login to Teams that has the display text – “Reply in Teams.” The messages include a realistic looking footer with the Microsoft logo and options to install Microsoft Teams on iOS and Android.

The links in the email direct the user to a Microsoft login page that is a carbon copy of the official login prompt, aside from the domain on which the page is hosted. That domain starts with microsftteams to make it appear genuine.

The campaign is one of many targeting Office 365 credentials and there have been several campaigns targeting videoconferening platforms in response to the increase in popularity of the solutions during the pandemic.

Emotet Trojan Campaign Uses Fake Microsoft Word Upgrade Notifications

The Emotet Trojan is being spread in a new campaign that uses fake Microsoft Word upgrade notifications as a lure to get users to install the malware. Emotet is the most widely distributed malware currently in use. Infection with the malware sees the user’s device added to a botnet that is used to infect other devices. Emotet is also a malware downloader and is used to install information stealers such as TrickBot and QBot malware, which are used to deliver ransomware variants such as Ryuk, ProLock, and Conti.

The messages appear to be Microsoft Office notifications that advise the user that they need to perform an upgrade of Microsoft Word to add new features. The messages have a Microsoft Word attachment and the user is instructed to Enable Editing and then Enable Content. Doing so will launch a malicious macro which will download Emotet onto the user’s device

Users should exercise caution and should avoid clicking links or opening attachments in unsolicited emails. Since Emotet hijacks the user’s email account to send further phishing emails, the messages may even be sent from an individual in the user’s contact list.

The post Office 365 Users Targeted in Microsoft Teams Phishing Scam appeared first on HIPAA Journal.

Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States.

B.Braun OnlineSuite

Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code.

The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows uploads and downloads of files by unauthenticated individuals, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a high privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10.

An Excel macro vulnerability – CVE-2020-25170 – has also been identified in the export feature, caused by the mishandling of multiple input fields, which has been assigned a CVSS v3 base score of 6.9.

The flaws are present in OnlineSuite AP 3.0 and earlier. B.Braun has addressed the flaws in the update, OnlineSuite Field Service Information AIS06/20, which users are advised to apply as soon as possible.

SpaceCom and Battery Pack SP with Wi-Fi

11 vulnerabilities have been identified in SpaceCom, which is used to connect external devices for data documentation in a Patient Data Management System, PC or USB memory stick, and Battery Pack with WiFi.

The flaws affect SpaceCom, software Versions U61 and earlier and Battery pack with Wi-Fi, software Versions U61 and earlier.

If exploited, an attacker could compromise the security of SpaceCom devices and escalate privileges, view sensitive information, upload arbitrary files, and remotely execute arbitrary code.

  • CVE-2020-25158 (CVSS 7.6) – Reflected cross-site scripting (XSS) vulnerability allowing injection of arbitrary web script or HTML into various locations.
  • CVE-2020-25150 (CVSS 7.6) -Relative path traversal attack vulnerability allowing an attacker with service user privileges to upload arbitrary files and execute arbitrary commands.
  • CVE-2020-25162 (CVSS 7.5) – Path injection vulnerability allowing unauthenticated individuals to access sensitive information and escalate privileges.
  • CVE-2020-25156 (CVSS 7.2) – Active debug code that enables attackers in possession of cryptographic material to access the device as root.
  • CVE-2020-25160 (CVSS 6.8) -Improper access controls that allow extraction and tampering with the device’s network configuration.
  • CVE-2020-25166 (CVSS 6.8) -Improper verification of the cryptographic signature of firmware updates, which allows an attacker to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
  • CVE-2020-16238 (CVSS 6.7) – Improper privilege management that gives attackers command line access to the underlying Linux system, and privileges to be escalated to root user.
  • CVE-2020-25152 (CVSS 6.5) -Session fixation vulnerability allowing hijacking of web sessions and escalation of privileges.
  • CVE-2020-25154 (CVSS 5.4) – Open redirect vulnerability allowing redirection to malicious websites.
  • CVE-2020-25164 (CVSS 5.1) – Use of a one-way hash which allows the recovery of user credentials of the administrative interface.
  • CVE-2020-25168 (CVSS 3.3) – Use of hard-coded credentials that would allow command line access to access the device’s Wi-Fi module

Braun has released updates to correct the flaws. Users should update to SpaceCom: Version U62 or later and Battery Pack SP with Wi-Fi: Version U62 or later.

Braun also recommends devices should not be accessible directly from the internet and to use a firewall and isolate medical devices from the business network.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

The post Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom appeared first on HIPAA Journal.