Healthcare Cybersecurity

BD Discloses Vulnerabilities in FACSChorus Software

Becton, Dickinson and Company (BD) has recently disclosed seven vulnerabilities in its FACSChorus software. The vulnerabilities are low- to medium-severity, with CVSS scores ranging from 2.4 to 5.4. Successful exploitation could allow an attacker to modify system configurations, access sensitive data, or access system components; however, exploiting any of them requires physical access.

The vulnerabilities, in order of severity, are:

CVE-2023-29060 – Missing protection mechanism for alternate hardware interface – CVSS 5.4

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation operating system does not restrict what devices can interact with its USB ports. The vulnerability could be exploited with physical access to gain access to system information and potentially exfiltrate data.

CVE-2023-29061 – Missing authentication for critical function – CVSS 5.2

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation has no BIOS password. The vulnerability could be exploited with physical access to change the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

CVE-2023-29064 – Hard-coded credentials – CVSS 4.1

Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software stores sensitive information in plaintext. A threat actor could obtain hardcoded secrets used by the application, including tokens and passwords for administrative accounts.

CVE-2023-29065 – Insecure inherited permissions – CVSS 4.1

Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software database can be accessed directly with the privileges of the currently logged-in user. Exploitation would allow a threat actor with physical access to potentially gain credentials, and then alter or destroy data stored in the database.

CVE-2023-29062 – Improper authentication – CVSS 3.8

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The operating system hosting the FACSChorus application is configured to allow the transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. NTLMv2 hashes can be sent to a malicious entity positioned on the local network and can be brute-forced if a weak password is used.

CVE-2023-29066 – Incorrect privilege assignment – CVSS 3.2

Vulnerability is present in BD FACSChorus v5.0 and v5.1 and the respective workstations. The software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

CVE-2023-29063 – Missing protection mechanism for alternate hardware interface – CVSS 2.4

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation does not prevent physical access to its PCI express (PCIe) slots. A threat actor could insert a PCI card designed for memory capture and isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.

BD notified CISA about the vulnerabilities and confirmed that all seven will be addressed in an upcoming software release. In the interim, BD has suggested mitigations and compensating controls: ensure physical access controls are in place to restrict access to the software and the respective workstations to authorized end users, ensure industry-standard security controls are implemented if the workstations are connected to the local network, and tightly control administrative access to the software and workstations.

The post BD Discloses Vulnerabilities in FACSChorus Software appeared first on HIPAA Journal.

Ransomware Affiliate Group Dismantled in International Law Enforcement Operation

An international law enforcement operation has led to the arrest of multiple core members of an organized group of ransomware affiliates in Ukraine. The members of the group were behind attacks involving ransomware variants such as LockerGoga, MegaCortex, HIVE, and Dharma, which were used in more than 250 ransomware attacks in large organizations in 71 countries. The attacks conducted by the group resulted in losses of several hundred million dollars.

The group exploited unpatched vulnerabilities, conducted brute force and SQL injection attacks, and also used stolen credentials and phishing for initial access. Once access was gained to networks, the group used tools such as TrickBot malware, along with post-exploitation frameworks such as Cobalt Strike and PowerShell Empire to move laterally and remain inside networks undetected. In some cases, the dwell time was several months before ransomware was deployed to encrypt files. Members of the group had different responsibilities, with some tasked with gaining access to networks while others were responsible for negotiating with victims and laundering the proceeds of the attacks.

A joint investigation was launched in September 2019 by the French authorities that involved law enforcement agencies in Norway, the United Kingdom, and Ukraine, with financial support provided by Eurojust and assistance provided by Europol. Parallel investigations were also conducted by law enforcement agencies in the Netherlands, Germany, Switzerland, and the United States, which helped uncover the true magnitude and complexity of the operation. Europol established a virtual command center in the Netherlands, which received data seized in the raids.

On November 21, 2023, coordinated raids were conducted at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia in Ukraine. More than 20 investigators took part in the operation and assisted the Ukrainian National Police. The Ukrainian National Police seized computer equipment, electronic media, and other evidence of illegal activities, along with cars, bank and SIM cards, and almost 4 million hryvnias ($110,050) in cash and cryptocurrency assets. The 32-year-old mastermind of the operation was arrested along with four of his most active accomplices.

The latest arrests follow a first round of arrests in 2021 under the same investigation framework. Twelve individuals were arrested in raids on October 26, 2021, in Ukraine and Switzerland, all of whom had been involved in multiple ransomware attacks. In addition to the arrests, $52,000 in cash was seized along with 5 luxury vehicles and many electronic devices. The analysis of the electronic devices and other evidence collected in the first round of raids led to the identification of the suspects targeted in the latest phase of the operation.


Warren General Hospital Data Breach Affects 169,000 Patients

Data breaches have recently been reported by Warren General Hospital in Pennsylvania, Southwest Behavioral Health Center in Utah, CareTree in Illinois, and the Medical University of South Carolina.

Warren General Hospital Data Breach

On November 9, 2023, Warren General Hospital (WGH) in Warren, PA, announced it had fallen victim to a cyberattack that potentially affected the confidential information of current and former patients and employees. Suspicious activity was detected within its network on September 24, 2023. Assisted by third-party cybersecurity experts, WGH determined that an unauthorized actor had access to its network between September 15, 2023, and September 23, 2023, and during that time, downloaded files from its network.

The review of the files confirmed they contained names, in combination with one or more of the following: address, date of birth, Social Security number, financial account information, payment card information, health insurance claims information, and medical information, which may have included diagnosis, medications, lab results, and other treatment information.

WGH said existing policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 168,921 patients.

Southwest Behavioral Health Center Data Breach

Southwest Behavioral Health Center, a Saint George, UT-based provider of mental health treatment and psychiatric services, has recently reported a data breach to the HHS’ Office for Civil Rights that affected 17,147 current and former patients.

A security breach was detected on March 13, 2023, and a third-party cybersecurity firm was engaged to investigate and determine the extent to which patient data had been compromised. The investigation revealed an unauthorized third party gained access to parts of its system containing files that included patient data prior to March 13, 2023; however, it was not possible to determine the specific files that may have been accessed or copied from its network.

The review of the files potentially involved confirmed they contained patient data such as names, dates of birth, Social Security numbers, personal health record information, and medical information. After verifying contact information, notification letters started to be issued on November 9, 2023, to all patients that had potentially been affected.

Medical University of South Carolina Data Breach

The Medical University of South Carolina (SUMC) in Charleston has been affected by a data breach at one of its third-party vendors. Westat collects data from SUMC patients on behalf of the Centers for Disease Control and Prevention (CDC) for public health reporting purposes. Westat used Progress Software’s MOVEit Transfer file transfer solution; a zero-day vulnerability in that product was exploited by the Clop hacking group between May 28 and May 29, 2023. Westat has already reported the breach to the HHS’ Office for Civil Rights in two separate reports, one affecting 50,065 individuals and a second affecting 20,045. SUMC reported the breach as affecting 1,758 individuals and said it involved names, addresses, dates of birth, diagnoses, provider names, and insurance information.

CareTree Data Breach

CareTree Inc., a Chicago, IL-based provider of smart care management and patient advocate software for care providers, has recently confirmed there has been unauthorized access to the CareTree platform. Suspicious activity was detected within its platform on or around August 16, 2023. The forensic investigation confirmed access to the platform was gained on July 21, 2023.

The review of the affected files confirmed that they contained the information of 1,097 CareTree patients; however, CareTree was unable to confirm the specific information exposed for each patient because the information is no longer available. The types of information potentially compromised included names, addresses, driver’s license numbers, Social Security numbers, financial account information, dates of birth, medical information including diagnosis, lab results, medications or other treatment information, and/or health insurance information. In its substitute breach notice, CareTree said, “CareTree will provide notice of this event to all individuals whose personal information was involved, along with information and steps potentially impacted individuals can take to better protect their information.”


HC3 Warns HPH Sector About Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat

The Health Sector Cybersecurity Coordination Center (HC3) has warned healthcare organizations that use Fortinet’s FortiSIEM platform to patch a critical vulnerability that is likely to be targeted by malicious actors and has issued a threat brief on Emotet malware.

FortiSIEM Command Injection Vulnerability – CVE-2023-36553

A critical vulnerability has been identified by Fortinet in its FortiSIEM platform. The vulnerability has been assigned a CVSS v3.1 severity score of 9.8 out of 10 and can be exploited remotely by malicious actors to execute arbitrary commands. The flaw is related to a bug discovered and patched by Fortinet in October 2023 – CVE-2023-34992. While there have been no known instances of the vulnerability being exploited in attacks, Fortinet vulnerabilities are actively targeted by malicious actors and exploitation of the flaw is likely.

“An improper neutralization of special elements used in an OS command vulnerability in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” said Fortinet in a recent security advisory.

The vulnerability affects the following FortiSIEM versions: 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4. Users should upgrade to a fixed version as soon as possible. The vulnerability has been fixed in versions 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, and 6.4.3, and later.

Emotet Malware – A Persistent Threat to the HPH Sector

Emotet malware was first identified in 2014 and started life as a banking Trojan; however, the malware has evolved over the years and is now commonly used as first-stage malware for delivering other payloads such as banking Trojans, multi-purpose malware, information stealers, and ransomware, including the infamous TrickBot Trojan. Devices infected with Emotet are added to a botnet under the control of the operator of the malware, a group tracked as Mummy Spider, also known as TA542, GOLD CABIN, and Mealybug, which is believed to operate out of Ukraine.

At its height, Emotet was called the world’s most dangerous malware by Europol, and Check Point data suggests one in every five organizations worldwide has been infected with Emotet. Emotet activity follows a rhythm of around 2-3 months of attacks followed by a period of little to no activity, which can last between 3 and 12 months. In January 2021, an international law enforcement operation took control of the botnet’s infrastructure, and an update was pushed out that uninstalled the malware from all infected devices. Ten months later, the botnet had been rebuilt.

While activity did not recover to the levels at the height of its success, the botnet continues to grow and still poses a significant threat. There were activity spikes in late spring 2022 before activity dropped off, and activity spiked again in Spring 2022. According to Check Point, the botnet now consists of around 130,000 unique devices in 179 countries and Emotet was the most prolific malware variant in February 2023. Emotet is used to gain initial access to networks, can elevate privileges, evade defenses, steal credentials, move laterally, exfiltrate data, and download other malware payloads and has been, and still is, one of the most potent weapons against the health sector. Recent activity includes the delivery of ransomware variants such as Quantum and BlackCat.

Emotet malware is most commonly delivered via phishing emails containing malicious URLs that link to a document containing a malicious macro that downloads the Emotet payload. The malware achieves persistence through Windows registry keys which ensure the malware executes on each reboot. The malware may also achieve persistence via the Windows Startup folder or via scheduled tasks and can also run as a Windows service that is executed automatically. HC3’s Emotet Threat Brief includes recommendations for healthcare and public health sector organizations on defense and mitigations.
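The persistence locations listed above (Run/RunOnce registry keys, the Startup folders, scheduled tasks, and auto-start services) are exactly what a defender should baseline on a Windows workstation. The following PowerShell script is an added example, not part of HC3’s threat brief or the original post: it enumerates those four locations and flags entries whose binaries sit in user-writable paths; the path patterns used for flagging are an assumption to be tuned per environment.

```powershell
# Added example (not from HC3 or HIPAA Journal): inventory Windows persistence
# locations and flag entries launched from user-writable directories.
# Run as an administrator to see every user's scheduled tasks and services.

# Assumption: these directory patterns are the ones most often abused by
# commodity malware; adjust to your environment's legitimate software.
$suspiciousPathPatterns = @(
    '\\AppData\\',
    '\\Temp\\',
    '\\ProgramData\\',
    '\\Users\\Public\\',
    '\\Downloads\\'
)

function Test-SuspiciousPath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    foreach ($pattern in $suspiciousPathPatterns) {
        if ($CommandLine -match $pattern) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $findings.Add([pscustomobject]@{
        Suspicious = Test-SuspiciousPath -CommandLine $Command
        Source     = $Source
        Name       = $Name
        Command    = $Command
    })
}

# 1. Registry Run / RunOnce keys (machine-wide and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the registry provider adds
        if ($p.Name -like 'PS*') { continue }
        Add-Finding -Source $key -Name $p.Name -Command ([string]$p.Value)
    }
}

# 2. Startup folders (current user and all users)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            # Resolve shortcuts so the real binary path is what gets inspected
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        Add-Finding -Source $folder -Name $_.Name -Command $target
    }
}

# 3. Scheduled tasks with an executable action
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $cmd = ($action.Execute + ' ' + $action.Arguments).Trim()
            Add-Finding -Source "Task:$($task.TaskPath)" -Name $task.TaskName -Command $cmd
        }
    }
}

# 4. Services configured to start automatically
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    Add-Finding -Source 'Service' -Name $_.Name -Command $_.PathName
}

# Suspicious entries first; compare the full list against a known-good baseline
$findings | Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Suspicious, Source, Name, Command -AutoSize -Wrap
```

A flagged entry is not proof of infection (some legitimate updaters also run from AppData); the value comes from diffing the output against a baseline taken from a clean build.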


CISA Publishes Mitigation Guide for the Healthcare and Public Health Sector

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a new mitigation guide for the Healthcare and Public Health (HPH) Sector for combating pervasive cyber threats affecting the sector. The guidance is a supplemental companion to the HPH Cyber Risk Summary, published by CISA on July 19, 2023, and maps CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) to the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients guidance that was jointly published by the Department of Health and Human Services (HHS) and the Health Sector Coordinating Council (HSCC).

CISA has identified vulnerabilities and insecure configurations across the HPH sector that present opportunities for mitigating risks before they can be exploited by threat actors. The top vulnerabilities in the HPH sector are web application vulnerabilities, encryption weaknesses, unsupported software and Windows operating systems, known exploited vulnerabilities, and vulnerable services. These vulnerabilities are commonly exploited in phishing, ransomware, and denial of service attacks, and often lead to data breaches. The 25-page guidance document outlines three mitigation strategies for improving defenses against the most common attack vectors and includes recommendations and cybersecurity best practices for asset management and security, identity management and device security, and vulnerability, patch, and configuration management.

Knowing what assets are on the organization’s network is fundamental to cybersecurity. All assets must be known, as well as their relationships and interdependencies, the functions of each asset, what each exposes, and the software/firmware that each is running. Organizations that have not implemented and maintained a complete inventory of all assets risk exposing vulnerabilities and services that can be exploited by threat actors. Once the asset inventory has been created, healthcare organizations can focus on securing all assets, segmenting networks to limit the potential for lateral movement, and using demilitarized zones (DMZs) and firewalls to shield assets from unauthorized access. The guidance includes recommendations for network segmentation, securing vulnerable and exploitable services, and asset security mitigations.

As the HPH sector continues to transition from on-premises to online systems, it is vital that devices and digital accounts are properly secured through effective identity management and device security controls. The guidance suggests several focus areas, including email security and phishing prevention, access management, password policies, data protection and data loss prevention strategies, and logging and monitoring for unauthorized access.

Vulnerabilities and weak configurations are commonly exploited by cyber actors to gain initial access to internal systems and data. CISA stresses the importance of proactively scanning devices and systems for vulnerabilities or technology flaws that threat actors could exploit, and engaging in a continuous process of identifying vulnerabilities, assessing and prioritizing threats, mitigating vulnerabilities, verifying vulnerabilities have been addressed, and improving defenses. In addition to vulnerability management, HPH entities should implement security configuration management (SecCM) to identify and address misconfigurations in default system settings.

In addition to the recommendations for healthcare organizations, CISA has urged technology manufacturers to employ secure by design principles and ensure their products have the necessary security measures built in for the entire product lifecycle and to ensure that their default configurations are secure.


October 2023 Healthcare Data Breach Report

For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median: 52 breaches).

[Figure: October 2023 healthcare data breach report – breaches per month over the last 12 months]

For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October – a month-over-month decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should be noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1, 2023, and October 31, 2023, more than 82.6 million healthcare records were exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2023. As of November 17, 2023, more than 100 million records have been breached.

[Figure: October 2023 healthcare data breach report – breached records per month over the last 12 months]

Largest Healthcare Data Breaches Reported in October 2023

Fourteen breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. While victims of the breach do not face an immediate risk of identity theft since no Social Security numbers were compromised, they do face an increased risk of phishing and social engineering attacks. As is now common in breach notifications, little information about the incident has been disclosed, other than it being a hacking incident involving unauthorized access to its network between August 30 and September 1, 2023. The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.

Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected, and more than 60 million records were stolen in the attacks.

Name of Covered Entity                                   | State | Covered Entity Type | Individuals Affected | Cause of Breach
Postmeds, Inc. (TruePill)                                | CA    | Healthcare Provider | 2,364,359            | Hacking incident (details not disclosed)
Western Washington Medical Group                         | MS    | Healthcare Provider | 350,863              | Hacking incident (details not disclosed)
Greater Rochester Independent Practice Association, Inc. | NY    | Healthcare Provider | 279,156              | Hacking incident (details not disclosed)
Radius Global Solutions                                  | PA    | Business Associate  | 135,742              | Hacking incident – MOVEit Transfer vulnerability exploited
Dakota Eye Institute                                     | ND    | Healthcare Provider | 107,143              | Hacking incident (details not disclosed)
Walmart, Inc. Associates Health and Welfare Plan         | AR    | Health Plan         | 85,952               | Hacking incident (details not disclosed)
Westat, Inc.                                             | MD    | Business Associate  | 50,065               | Hacking incident – MOVEit Transfer vulnerability exploited
Brooklyn Premier Orthopedics                             | NY    | Healthcare Provider | 48,459               | Hacking incident (details not disclosed)
PeakMed                                                  | CO    | Healthcare Provider | 27,800               | Hacking incident (compromised credentials)
Hospital & Medical Foundation of Paris, Inc              | IL    | Healthcare Provider | 16,598               | Hacking incident (details not disclosed)
Fredericksburg Foot & Ankle Center, PLC                  | VA    | Healthcare Provider | 14,912               | Hacking incident (details not disclosed)
Cadence Bank                                             | MS    | Business Associate  | 13,862               | Hacking incident – MOVEit Transfer vulnerability exploited
Peerstar LLC                                             | PA    | Healthcare Provider | 11,438               | Hacking incident (details not disclosed)
Atlas Healthcare CT                                      | CT    | Healthcare Provider | 10,831               | Hacking incident (details not disclosed)

October 2023 Data Breach Causes and Data Locations

As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.

The exact nature of these incidents has not been publicly disclosed in many cases, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception is the mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution, a fairly safe disclosure legally, as organizations cannot be expected to patch a vulnerability that is unknown even to the company that developed the software. While the lack of information is undoubtedly intended to reduce legal risk, victims who are given insufficient information cannot accurately gauge the level of risk they face.

There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.

[Figure: October 2023 healthcare data breach report – causes of breaches]

The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. Eight data breaches involved compromised email accounts.

[Figure: October 2023 healthcare data breach report – location of breached data]

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

[Figure: October 2023 healthcare data breach report – affected entities]

[Figure: October 2023 healthcare data breach report – breached records at HIPAA-regulated entities]

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.

State                                                                                                                                                   | Breaches
Texas                                                                                                                                                   | 5
Mississippi                                                                                                                                             | 4
Illinois, New York & Pennsylvania                                                                                                                       | 3
California, Colorado, Florida & Georgia                                                                                                                 | 2
Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia | 1

HIPAA Enforcement Activity in October 2023

In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.

OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.

State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.

Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia and paid a $49.5 million penalty and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.

Inmediata, a Puerto Rico-based healthcare clearinghouse, settled a multi-state data breach investigation involving more than 35 state attorneys general. A server had been left unsecured, which allowed sensitive data to be indexed by search engines and found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification rules for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million, and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.

Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.


FDA Releases Guidance on Managing Legacy Medical Device Cybersecurity Risks

The U.S. Food and Drug Administration (FDA) has published a report it commissioned that makes recommendations on how to manage the cybersecurity risks of legacy medical devices. Legacy medical devices are classed as devices that can no longer be reasonably protected against current cybersecurity threats, even though they may still adequately perform their primary function and have a useful life beyond the declared end-of-support or end-of-life date.

When medical devices reach end-of-life, patches stop being released to fix vulnerabilities, and unpatched vulnerabilities can be exploited to gain access to the devices and networks to which they are connected. In many cases, the vendors of the devices cannot continue to issue software patches due to outdated technology and compatibility issues and healthcare delivery organizations (HDOs) may not be able to replace them due to the high cost of doing so. If the devices were to be removed from use, it could have serious implications for patient safety and clinical operations.

Medical devices are regulated by the FDA, which was tasked by Congress in 2022 to ensure the cybersecurity of medical devices. The FDA has already issued final guidance on premarket submissions for medical devices, which must now meet minimum standards for cybersecurity in order to be approved for use in the United States by the FDA. While the final guidance addresses cybersecurity risks associated with new medical devices that come onto the market, it does nothing to address the cybersecurity of the millions of devices that are already in use at hospitals across the United States.

In November 2023, the FDA contracted with MITRE to produce a report on legacy medical devices, which were legally sold and had cybersecurity controls that were effective at the point of purchase but can no longer be reasonably protected. In an ideal world, these devices should be replaced; however, the issue is complex, and it must be managed in a way that minimizes negative impacts on patient care and safety.

To produce the report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks, MITRE interviewed medical device manufacturers, healthcare providers, and cybersecurity experts to identify potential solutions for reducing the cybersecurity risks associated with legacy devices, and the report includes recommendations for reducing cyber risks for hospitals that do not have the resources and budgets to replace the devices. The recommendations address the challenges of shared responsibility over the medical device lifecycle, vulnerability management, workforce development, and mutual aid for less well-resourced healthcare delivery organizations (HDOs).

The 8 recommendations made in the report are:

  • Collection of quantitative and qualitative data to allow HDOs and medical device manufacturers (MDMs) to make informed decisions about the risks and costs of replacement versus the continued use of legacy devices.
  • Development of information sharing agreement templates to increase transparency and ensure appropriate expectations are included for managing legacy medical device security risks.
  • Establishment of a security architecture working group including a broad range of stakeholders to identify and prioritize security controls that may be implemented within an HDO’s infrastructure to improve cyber risk management.
  • Development of a research program in modular design for medical devices. If medical devices were designed to be modular, HDOs could have the option of replacing legacy software or hardware components rather than having to totally replace devices.
  • Conduct of a study on vulnerability management coordination to explore approaches to streamline and improve vulnerability management processes, which are often costly and resource-intensive.
  • Development of competency models for roles related to legacy cyber risk management to help less well-resourced HDOs and support workforce training.
  • Participation in mutual aid partnerships, including ad-hoc relationships, private sector partnerships, and state/local government partnerships.

The post FDA Releases Guidance on Managing Legacy Medical Device Cybersecurity Risks appeared first on HIPAA Journal.

Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) about Rhysida ransomware.

Rhysida ransomware is a ransomware-as-a-service (RaaS) operation that first emerged in May 2023. The group engages in double extortion tactics, involving data theft and encryption, with ransom payment required to obtain the keys to decrypt files and prevent the public release of stolen data. Researchers at Check Point identified significant similarities between Rhysida ransomware and Vice Society, one of the most prolific ransomware groups since 2021 that aggressively targeted the education and healthcare sectors.

In August 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued its own advisory about Rhysida ransomware following several attacks on the healthcare sector, including the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics across the United States. The latest cybersecurity advisory includes an update on the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs) from malware analyses and recent incident response investigations to help network defenders and incident response teams detect and block attacks in progress.

Rhysida ransomware actors have been observed using a variety of techniques for gaining initial access to victims’ networks, including leveraging external-facing remote services such as virtual private networks (VPNs), commonly through the use of compromised credentials. These attacks have proven successful against organizations that have failed to implement multi-factor authentication for VPN connections. Rhysida ransomware actors have also exploited unpatched vulnerabilities, such as the Zerologon (CVE-2020-1472) vulnerability in Microsoft’s Netlogon Remote Protocol, and commonly use phishing emails. Once initial access has been achieved, the group often creates Remote Desktop Protocol (RDP) connections for lateral movement, establishes VPN access, and uses PowerShell and native network administration tools to perform operations, which helps them to evade detection by hiding their activity within normal Windows systems and network activities.

The FBI, CISA, and the MS-ISAC suggest several mitigations for hardening security, including steps that can be taken to block the main attack vectors, restrict lateral movement, and detect attacks in progress. These include enabling phishing-resistant multifactor authentication, especially for webmail, VPNs, and accounts that access critical systems; disabling command-line and scripting activities and permissions; restricting the use of PowerShell; enhancing PowerShell logging and logging within processes; restricting the use of RDP; and securing remote access through application controls.
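The PowerShell logging and RDP mitigations above can be checked on a Windows host with the following read-only audit script. It is an added example, not code from the CISA/FBI/MS-ISAC advisory, and it assumes the standard Group Policy-backed registry locations for these settings (run it from an elevated session).

```powershell
# Added example (not from the advisory): report whether the PowerShell-logging
# and RDP mitigations are configured on this host. Read-only; assumes the
# standard Group Policy registry keys for each setting.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the setting is not configured
}

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$checks = @(
    [pscustomobject]@{
        Control = 'PowerShell script block logging (Event ID 4104)'
        Enabled = (Get-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
    }
    [pscustomobject]@{
        Control = 'PowerShell module logging (Event ID 4103)'
        Enabled = (Get-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging') -eq 1
    }
    [pscustomobject]@{
        Control = 'PowerShell transcription to an output directory'
        Enabled = (Get-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting') -eq 1
    }
    [pscustomobject]@{
        Control = 'RDP disabled on this host (fDenyTSConnections = 1)'
        Enabled = (Get-PolicyValue $ts 'fDenyTSConnections') -eq 1
    }
    [pscustomobject]@{
        Control = 'RDP requires Network Level Authentication'
        Enabled = (Get-PolicyValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1
    }
)

$checks | Format-Table -AutoSize

# Anything reported False is a gap against the advisory's mitigations;
# a host that legitimately needs RDP should at least show NLA as True.
$gaps = @($checks | Where-Object { -not $_.Enabled })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) mitigation(s) not configured on $env:COMPUTERNAME"
}
```

Script block and module logging write to the Microsoft-Windows-PowerShell/Operational log, so once they are enabled, forward that log to the SIEM used for detecting the PowerShell activity the advisory describes.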

The post Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks appeared first on HIPAA Journal.

Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an updated cybersecurity advisory about Royal ransomware, which is thought to be about to shut down and rebrand.

Royal ransomware first emerged in September 2022 and is thought to have split from the Conti ransomware operation, with a brief spell operating as Quantum in between. Royal ransomware has been a prolific ransomware operation, having conducted more than 350 attacks since September 2022 and issued ransom demands in excess of $275 million, according to the FBI. Royal ransomware is a private ransomware group that has targeted organizations in healthcare and public health (HPH), education, manufacturing, and communications. The number of attacks on HPH sector organizations prompted an earlier cybersecurity advisory from CISA, the FBI, and the HHS, which shared the latest tactics, techniques, and procedures (TTPs) used by the group and Indicators of Compromise (IoCs). They have been updated in the latest advisory.

In May 2023, a new ransomware variant was detected that had several coding similarities to Royal ransomware, and similar intrusion techniques were used. Researchers at Trend Micro found the two ransomware variants were almost identical, with 98% similar functions, 98.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff. The two groups have been observed using similar software and open source tools in their attacks such as Chisel and Cloudflared for network tunneling, Secure Shell (SSH) Client, OpenSSH, and MobaXterm for SSH connections, Mimikatz and Nirsoft for credential harvesting, and the attacks involved similar remote access tools.

Along with those similarities was the timing of the emergence of the new ransomware variant – Blacksuit – which led security researchers to believe that Royal was about to rebrand. Royal had just conducted a major attack on the city of Dallas, which attracted considerable attention from law enforcement, and ransomware groups often rebrand after major attacks. Royal did not rebrand immediately, and it has been suggested that all did not go well with the new ransomware variant and the rebrand was delayed. Alternatively, Blacksuit could be a spinoff variant of Royal. CISA and the FBI are convinced that the two ransomware variants are linked.

LockBit 3.0 Exploiting Citrix Bleed Vulnerability

The LockBit 3.0 group has been exploiting the critical Citrix Bleed vulnerability that affects Citrix NetScaler ADC and Gateway to gain access to the systems of its victims. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023; however, many organizations have been slow to patch and are running vulnerable appliances.

According to security researcher Kevin Beaumont, who has been tracking the group’s attacks, several of the group’s recent victims had exposed Citrix servers that were vulnerable to the Citrix Bleed flaw, which appears to have been exploited using a publicly available exploit.

Currently, there are more than 3,000 Citrix servers in the United States that are exposed to the Internet and vulnerable to the Citrix Bleed flaw which can be exploited remotely with no user interaction. Immediate patching is strongly recommended to prevent exploitation of the flaw.

Hunters International Ransomware Group Takes over from Hive

Hive, one of the most notorious ransomware groups in recent years, was shut down in January this year following an international law enforcement operation. The group had obtained more than $100 million in ransom payments and conducted more than 1,500 attacks worldwide, including many attacks on healthcare organizations.

Following law enforcement takedowns, ransomware groups often go quiet and then reemerge months later with a new ransomware variant. A new threat group, Hunters International, has since emerged, and several similarities have been found with Hive, including coding overlaps and a 60% match between the two groups’ code, according to security researcher BushidoToken.

According to a recent report from Martin Zugec, technical solutions director at Bitdefender, a member of the Hunters International group issued a statement confirming that Hive and Hunters International are two separate groups and that Hive’s source code and infrastructure were acquired. The Hive spokesperson said Hive sold their source code, website, and old Golang and C versions, and Hunters purchased them. The spokesperson for Hunters said encryption isn’t its primary goal, which is why the group didn’t develop everything from scratch. Bitdefender’s research uncovered evidence to suggest the adoption of Hive’s code rather than a rebrand, thus corroborating the Hunters International statement. Bitdefender’s analysis, recommendations, and IoCs can be found here.

The post Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups appeared first on HIPAA Journal.