Healthcare Cybersecurity

University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption.

UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack.

The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained,” explained UCSF.

The BBC received an anonymous tip-off about a live chat on the dark web between the negotiators and the NetWalker ransomware operators and followed the negotiations. According to the report, a sample of data stolen in the attack was posted online by the attackers, but after UCSF made contact via email the data was taken offline while the ransom was negotiated. Initially, a ransom payment of $780,000 was offered by UCSF, but the NetWalker gang demanded a payment of $3 million. A payment of 116.4 Bitcoin – $1,140,895 – was finally negotiated a day later.

The investigation into the ransomware attack indicates that neither UCSF nor the School of Medicine were targeted in the attack. “Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” explained UCSF on its website. UCSF reported the attack to the FBI and is assisting with the investigation.

UCSF was one of three universities in the United States to be attacked with NetWalker ransomware in the space of a week in early June. Attacks were also conducted on Columbia College, Chicago and Michigan State University. Data stolen in the attack on Columbia College has now been removed from the NetWalker website, which suggests the college also paid the ransom.

The post University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack appeared first on HIPAA Journal.

Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability

Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688.

Microsoft released an update to correct the vulnerability in February 2020 and an alert was issued in March when the flaw started to be exploited by APT groups, yet even though the vulnerability was being actively exploited in the wild, patching was still slow. Now Microsoft has detected a surge in attacks on vulnerable Exchange servers and is advising all Exchange customers to ensure the flaw is patched immediately.

Any vulnerability in Microsoft Exchange should be treated as high priority. By exploiting Exchange flaws, an attacker can gain access to the email system, which often contains an extensive amount of highly sensitive information, and often protected health information in healthcare. As is the case with this vulnerability, attackers can gain access to highly privileged accounts and not only compromise the entire email system, but also gain administrative rights to the server and from there take control of the network.

“Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions,” warns Microsoft. “Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”

Microsoft explained that the CVE-2020-0688 vulnerability is an attacker’s dream. Attackers do not need to use phishing and social engineering tactics to try to gain access to an admin account; they can simply attack the server directly.

An analysis of attacks conducted in April shows APT groups deploying web shells, running exploratory commands to perform reconnaissance, and using EternalBlue to identify other machines on the network to attack. If the server has been misconfigured, attackers have been able to gain the highest level of privileges and access to the server without having to use remote access tools.

A new account is added that makes the attacker a domain admin with unrestricted access to any user or group in the organization. The attackers have used the compromised servers to gain access to the credentials of some of the most sensitive users and groups in an organization.

Attackers are exploiting the vulnerability and gaining a stable foothold in the targeted organization’s network. They tamper with security tools, achieve lateral movement, establish remote access bypassing security restrictions, and have exfiltrated data, including entire mailboxes. The failure to apply the patch to correct the flaw could result in an extensive and costly data breach.

In addition to applying the patch, Microsoft recommends remediating any further vulnerabilities in Exchange servers immediately, installing antivirus software on Exchange servers and keeping the software up to date, and also turning on tamper protection features to prevent attackers from disabling security services.

The principle of least-privilege should be practiced, credential hygiene should be maintained, and reviews should be conducted to identify any highly privileged groups that have been added. Security teams are also advised to respond immediately to alerts about suspicious activities on Exchange servers.


Vulnerability identified in Philips Ultrasound Systems

Philips has discovered an authentication bypass issue affecting Philips Ultrasound Systems that could potentially be exploited by an attacker to view or modify information. The flaw is due to the presence of an alternative path or channel that can be used to bypass authentication controls.

The flaw has been assigned CVE-2020-14477 but is considered a low severity flaw and has been assigned a CVSS v3 base score of 3.6 out of 10. To exploit the vulnerability, an attacker would require local access to a vulnerable system. The vulnerability cannot be exploited remotely and does not place patient safety at risk.

The flaw affects the following Philips Ultrasound Systems:

  • Ultrasound ClearVue Versions 3.2 and prior
  • Ultrasound CX Versions 5.0.2 and prior
  • Ultrasound EPIQ/Affiniti Versions VM5.0 and prior
  • Ultrasound Sparq Version 3.0.2 and prior
  • Ultrasound Xperius all versions

The flaw has been corrected for Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips representative for further information on installing the update.

Users of all other affected systems will have to wait until Q4 2020 for an update to be released. Philips will correct the flaw in the Ultrasound ClearVue Version 3.3, Ultrasound CX Version 5.0.3, and Ultrasound Sparq Version 3.0.3 releases in Q4 2020.

In the meantime, as an interim measure, Philips recommends users ensure their service providers guarantee device integrity during service and repair operations. It is also advisable to implement physical security measures to prevent unauthorized access to the devices.


May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.

Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has changed little during the pandemic.

Threat activity does not appear to have dropped, so the fall in reported cyberattacks and data breaches could indicate that threat actors have taken the decision not to attack healthcare providers on the front line in the fight against COVID-19. The Maze ransomware gang publicly stated that it would not target healthcare providers during the COVID-19 pandemic, but many other ransomware gangs appear to have stepped up their attacks and are making no such concessions.

It is also possible that rather than cyberattacks and data breaches falling, covered entities and business associates have not been detecting breaches or have delayed reporting. The reason for the fall in reported breaches is likely to become clearer over the coming weeks and months and we will see if this is part of a new trend or if the drop is simply a blip.

While it is certainly good news that the number of breaches has fallen, there was a significant increase in the number of exposed and compromised healthcare records. There were 10 fewer data breaches reported in May 2020 than April, but 1,064,652 healthcare records were breached in May. That is more than twice the number of records breached in April.

Largest Healthcare Data Breaches in May 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
Elkhart Emergency Physicians, Inc. | IN | Healthcare Provider | 550,000 | Improper Disposal
BJC Health System | MO | Business Associate | 287,876 | Hacking/IT Incident
Saint Francis Healthcare Partners | CT | Business Associate | 38,529 | Hacking/IT Incident
Everett & Hurite Ophthalmic Association | PA | Healthcare Provider | 34,113 | Hacking/IT Incident
Management and Network Services, LLC | OH | Business Associate | 30,132 | Hacking/IT Incident
Sanitas Dental Management | FL | Healthcare Provider | 19,000 | Loss
Mediclaim, LLC | MI | Business Associate | 14,931 | Hacking/IT Incident
Woodlawn Dental Center | OH | Healthcare Provider | 14,419 | Hacking/IT Incident
Mat-Su Surgical Associates, APC | AK | Healthcare Provider | 13,146 | Hacking/IT Incident
Mille Lacs Health System | MN | Healthcare Provider | 10,630 | Hacking/IT Incident

Causes of May 2020 Healthcare Data Breaches

The largest healthcare data breach of the month affected Elkhart Emergency Physicians, Inc. and involved the improper disposal of paper records by business associate Central Files Inc. Elkhart Emergency Physicians was one of seven Indiana healthcare providers to be affected by the breach. In total, the records of 554,876 patients were exposed as a result of that improper disposal incident. There was one other improper disposal incident reported in May, making this the joint second biggest cause of data breaches in the month. Those improper disposal incidents accounted for 52.17% of breached records in May. The mean breach size was 69,434 records and the median breach size was 938 records.

There were 8 reported unauthorized access/disclosure incidents reported, although those breaches only accounted for 2.35% of breached records in May. The mean breach size was 3,124 records and the median breach size was 3,220 records.

Hacking/IT incidents once again topped the list as the main cause of healthcare data breaches, accounting for 39.28% of the month’s breaches and 43.69% of breached records in May. The mean breach size was 42,290 records and the median breach size was 14,419 records.

There was one loss incident involving a network server that contained the records of 19,000 patients. There were no reports of theft of physical records or devices containing electronic protected health information.

The graph below shows the location of breached protected health information. For the past several months, email has been the most common location of breached PHI due to the high number of healthcare phishing attacks. The number of reported phishing attacks dropped in May, hence the lower than average number of email-related breaches. While the number of incidents fell, there was one major phishing attack reported. An attack on BJC Health System saw 3 email accounts compromised. Those accounts included emails and attachments containing the PHI of 287,876 patients.

May 2020 Healthcare Data Breaches by Covered Entity Type

In line with virtually every other month since the HITECH Act mandated the HHS’ Office for Civil Rights to start publishing summaries of data breaches on its ‘Wall of Shame’, healthcare providers were hardest hit, with 21 reported data breaches. It was a good month for health plans, with only one reported breach, but a particularly bad month for business associates. 6 business associates reported data breaches in May, and a further 8 breaches involved business associates but were reported by the covered entity.

Healthcare Data Breaches by State

Data breaches were reported by covered entities and business associates in 17 states in May. Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by business associate, Central Files, Inc.

There were 3 data breaches reported in each of Michigan and Ohio, two breaches reported by healthcare providers in Pennsylvania, and one breach was reported in each of Alaska, Arizona, California, Connecticut, Florida, Georgia, Illinois, Maryland, Minnesota, Missouri, Nebraska, New York, and Texas.

HIPAA Enforcement Activity in May 2020

There were no announcements about HIPAA penalties from the HHS’ Office for Civil Rights or state attorneys general in May 2020.


Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches

More companies are now completing their digital transformations and are taking advantage of the flexibility, scalability, and cost savings provided by public cloud environments, but securing public clouds can be a major challenge.

One of the main factors that has stopped companies from taking advantage of the public cloud has been security. Security teams often feel protecting an on-premise data center is much easier than protecting data in public clouds, although many are now being won over and understand that public clouds can be protected just as easily.

Public cloud providers now offer a range of security tools that can help companies secure their cloud environments. While these offerings can certainly make cloud security more straightforward, organizations must still ensure that their cloud services are configured correctly, identities and access rights are correctly managed, and they have full visibility into all of their cloud workloads.

Cloud security vendor Ermetic recently commissioned IDC to conduct a survey of CISOs to explore the challenges associated with cloud security and see how well organizations were faring at securing their public clouds. More than 300 CISOs and IT decision makers took part in the survey.

79% of respondents said they had experienced a cloud data breach in the past 18 months, and 43% of respondents said they had experienced 10 or more cloud data breaches during that time, strongly suggesting they are finding securing their public cloud environments something of a challenge.

When asked about the biggest security risks, 67% said they were concerned about security misconfigurations, 64% said a lack of visibility into access settings and activities was a key factor contributing to cloud data breaches, and 61% said access management and permission errors were a major breach risk.

The complexity of public cloud environments makes security challenging. The flexibility of the cloud means it is easy to quickly provision more resources on demand, but what often happens is cloud deployments become a maze of interconnected machines, users, applications, services, and containers. If organizations do not have complete visibility into their public cloud environments, it is difficult to ensure appropriate permissions are set and the principle of least privilege is correctly applied.

Setting and managing access policies is a major challenge. Access policies need to be adjusted frequently, yet 80% of respondents said they could not effectively manage excessive data access for IaaS and PaaS. Excessive permissions are frequently abused by cybercriminals, who use them for a range of malicious activities such as data theft, data deletion, and delivering malware or ransomware.

“Some of the most high-profile cybersecurity incidents in recent years were the direct result of customers failing to properly configure their cloud environments, or granting excessive or inappropriate access permissions to cloud services, rather than a failure of the cloud provider in fulfilling its responsibilities,” explained Ermetic.

When asked about the main cloud security priorities, 78% of respondents said compliance monitoring, 75% said authorization and permission management, and 73% said security configuration management. One of the biggest concerns was detection of excessive permissions, which was rated important or very important by 71% of respondents; however, only 20% of respondents said they were able to identify situations when employees had been given excessive permissions.

“An overworked security or IT admin may fail to identify and remove such permissions and create a significant vulnerability that may only be detected after the fact. Furthermore, early detection doesn’t necessarily guarantee prevention; more than 13% of respondents that detected excessive permissions reported that they were unable to mitigate the risks before data was exposed,” explained Ermetic in the report.

The survey confirmed that excessive permissions are a major problem in healthcare. 31.25% of healthcare organizations said they had identified a situation where employees had been given excessive permissions.

There have been many cases where security misconfigurations have led to the exposure of sensitive data, with misconfigured Elasticsearch instances and AWS S3 buckets a common reason for data breaches, but it is also important to ensure that identities and permissions are properly managed.

Ensuring users, applications, and services can access only the cloud data and cloud resources that are necessary for their legitimate purposes was cited as the biggest cloud data protection challenge by respondents to the survey.

“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Ermetic CEO Shai Morag. “In fact, two thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”


Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued medical advisories about vulnerabilities in medical devices manufactured by Baxter, Becton, Dickinson and Company (BD), and BIOTRONIK.

The following products are affected:

  • Baxter PrismaFlex (all versions)
  • Baxter PrisMax (all versions prior to 3.x)
  • Baxter ExactaMix EM 2400 (Versions 1.10, 1.11, 1.13, 1.14)
  • Baxter ExactaMix EM 1200 (Versions 1.1, 1.2, 1.4, 1.5)
  • Baxter Phoenix Hemodialysis Delivery System (SW 3.36 and 3.40)
  • Baxter Sigma Spectrum Infusion Pumps (see below)
  • BIOTRONIK CardioMessenger II-S T-Line (T4APP 2.20)
  • BIOTRONIK CardioMessenger II-S GSM (T4APP 2.20)
  • BD Alaris PCU (Versions 9.13, 9.19, 9.33, and 12.1)

Baxter PrismaFlex and PrisMax

Three vulnerabilities have been identified in Baxter PrismaFlex and PrisMax systems that could allow an attacker to obtain sensitive data, although network access would first be required.

The vulnerabilities are:

  • CVE-2020-12036 – Cleartext transmission of sensitive information when the system is configured to send treatment data to a Patient Data Management System (PDMS) or EMR system. The vulnerability has been assigned a CVSS v3 base score of 6.5 out of 10.
  • CVE-2020-12035 – Vulnerable devices do not require authentication if configured to send treatment data to a PDMS or EMR system, which could allow an attacker to change treatment status information. The vulnerability has been assigned a CVSS v3 base score of 7.6 out of 10.
  • CVE-2020-12037 – The PrismaFlex device has a hard-coded service password which gives access to biomedical information, device settings, calibration settings, and the network configuration. The vulnerability has been assigned a CVSS v3 base score of 5.4 out of 10.

Users should update to PrismaFlex Version SW 8.2 and PrisMax v3 with DCM, limit physical access to devices, and apply a defense-in-depth approach to security. It is also important to verify compatibility if the affected devices are used with PDMS or EMR systems.

Baxter ExactaMix

Seven vulnerabilities have been identified in ExactaMix EM2400 and EM1200 systems that could allow access to sensitive data, changes to system configuration, and alteration of system resources, which could impact system availability.

  • CVE-2020-12016 – Use of a hard-coded password could allow an unauthorized individual who has access to system resources to view PHI. The vulnerability has been assigned a CVSS v3 base score of 8.1 out of 10.
  • CVE-2020-12012 – Hard-coded administrative account credentials could allow an individual with physical access to the system to view and update system information, which could compromise system integrity and expose PHI. The vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.
  • CVE-2020-12008 – The use of cleartext messages to communicate order information with an order entry system could expose PHI. The vulnerability has been assigned a CVSS v3 base score of 7.5 out of 10.
  • CVE-2020-12032 – Device data with sensitive information is stored in an unencrypted database. An attacker with network access could view or change PHI. The vulnerability has been assigned a CVSS v3 base score of 8.1 out of 10.
  • CVE-2020-12024 – An unauthorized individual with physical access could use the USB interface to load and run unauthorized payloads, which could affect the confidentiality of data and integrity of the system. The vulnerability has been assigned a CVSS v3 base score of 6.8 out of 10.
  • CVE-2020-12020 – Non administrative users can gain access to the operating system and edit the application startup script. The vulnerability has been assigned a CVSS v3 base score of 6.1 out of 10.
  • CVE-2017-0143 – An SMBv1 input validation vulnerability could allow a remote attacker to gain unauthorized access to sensitive information, create denial of service conditions, or execute arbitrary code. The vulnerability has been assigned a CVSS v3 base score of 8.1 out of 10.

Users should contact their service support team to discuss upgrading to the ExactaMix Version 1.4 (EM1200) and ExactaMix Version 1.13 (EM2400) compounders.

Baxter Phoenix Hemodialysis Delivery System

Baxter has identified a vulnerability in its Phoenix Hemodialysis Delivery System which could allow an attacker with network access to steal sensitive data as a result of transmission of data in cleartext.

This is due to the system not supporting encryption of treatment and prescription data in transit (TLS/SSL) between the Phoenix system and the Exalis dialysis data management tool. The vulnerability is tracked as CVE-2020-12048 and has been assigned a CVSS v3 base score of 7.5 out of 10.

Baxter recommends employing cybersecurity defense-in-depth strategies such as network segmentation, and placing Phoenix machines and Exalis Server PCs on a dedicated subnetwork. If remote access is required, only allow connections using a VPN, admins should firewall each network segment, limit inbound and outbound connections, and scan for malware and unauthorized network access.

Baxter Sigma Spectrum Infusion Pumps

Baxter has identified six vulnerabilities in the following models of its Sigma Spectrum infusion systems:

  • Sigma Spectrum v6.x model 35700BAX
  • Baxter Spectrum v8.x model 35700BAX2
  • Sigma Spectrum v6.x with Wireless Battery Modules v9, v11, v13, v14, v15, v16, v20D29, v20D30, v20D31, and v22D24
  • Baxter Spectrum v8.x with Wireless Battery Modules v17, v20D29, v20D30, v20D31, and v22D24
  • Baxter Spectrum Wireless Battery Modules v17, v20D29, v20D30, v20D31, and v22D24
  • Baxter Spectrum LVP v8.x with Wireless Battery Modules v17, v20D29, v20D30, v20D31, and v22D24

An attacker exploiting the flaws could obtain sensitive data and change the system configuration, which could affect system availability.

  • CVE-2020-12045 is due to the Baxter Spectrum WBM operating a Telnet service on Port 1023 with hard-coded credentials, when used in conjunction with a Baxter Spectrum v8.x. The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10.
  • CVE-2020-12041 is due to the Baxter Spectrum WBM telnet Command-Line Interface granting access to sensitive data stored on the WBM, permitting temporary configuration changes to the network settings of the WBM, and allowing a WBM reboot. The reboot would remove temporary configuration changes to network settings. The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10.
  • CVE-2020-12047 is due to the use of hard-coded credentials. The Baxter Spectrum WBM (v17, v20D29, v20D30, v20D31, and v22D24), when used with a Baxter Spectrum v8.x (model 35700BAX2) in a factory-default wireless configuration, enables an FTP service with hard-coded credentials. The vulnerability has been assigned a CVSS v3 base score of 7.3 out of 10.
  • CVE-2020-12040 is due to the use of an unauthenticated clear-text communication channel to send and receive system status and operational data. The flaw could be exploited in an MitM attack and could result in circumvention of network security measures and access to sensitive data. The vulnerability has been assigned a CVSS v3 base score of 7.3 out of 10.
  • CVE-2020-12043 affects the Baxter Spectrum WBM and is due to the FTP service operating on the WBM remaining operational until the WBM is rebooted, when configured for wireless networking. The vulnerability has been assigned a CVSS v3 base score of 7.3 out of 10.
  • CVE-2020-12039 is due to the use of hard-coded passwords which could be entered on the keypad to access menus and change the device settings. Physical access would be required to exploit the flaw. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10.

Mitigations include controlling physical access to vulnerable devices, operating the devices on a separate VLAN, segregating the system from other hospital systems, and using wireless network security protocols to provide authentication/encryption of wireless data sent to/from the Spectrum Infusion System. It is also recommended that admins should monitor for/block unexpected traffic at network boundaries into the Spectrum-specific VLAN.
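As an added example, not code from the CISA advisory or from Baxter, the following boundary check implements the last two mitigations above: it audits constructed flow records for traffic entering a Spectrum-specific VLAN and flags connections to the WBM services the advisory describes (the Telnet CLI on TCP port 1023 and the FTP service on TCP port 21), as well as any inbound source that is not on an allow-list. The VLAN range, the allowed peer address and the flow-log format are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed (hypothetical) addressing: the Spectrum-specific VLAN and the one
# management host permitted to reach the pumps. Neither comes from the advisory.
SPECTRUM_VLAN = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_EXTERNAL_PEERS = {ipaddress.ip_address("10.10.1.5")}

# WBM services named in the advisory: Telnet CLI on TCP 1023 (CVE-2020-12045,
# CVE-2020-12041) and the FTP service (CVE-2020-12047, CVE-2020-12043).
HARDCODED_CRED_PORTS = {1023: "WBM telnet CLI", 21: "WBM FTP service"}


@dataclass
class Alert:
    severity: str
    reason: str
    flow: str


def parse_flow(line: str):
    """Constructed flow-log format: '<src_ip> <dst_ip> <proto> <dst_port>'."""
    src, dst, proto, dport = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(dport))


def audit_flows(lines: List[str]) -> List[Alert]:
    """Return alerts for unexpected or hard-coded-credential traffic into the VLAN."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        if dst not in SPECTRUM_VLAN:
            continue  # only traffic into the Spectrum VLAN is in scope here
        service = HARDCODED_CRED_PORTS.get(dport) if proto == "tcp" else None
        if src in SPECTRUM_VLAN:
            # Intra-VLAN traffic: still worth flagging if it hits a WBM service
            # that authenticates with hard-coded credentials.
            if service:
                alerts.append(Alert("medium", f"{service} reached from inside VLAN", line))
            continue
        if service:
            # Crossing the VLAN boundary to a hard-coded-credential service is
            # never expected, even from the allowed management host.
            alerts.append(Alert("high", f"{service} reached across VLAN boundary", line))
        elif src not in ALLOWED_EXTERNAL_PEERS:
            alerts.append(Alert("medium", "unexpected inbound source at VLAN boundary", line))
    return alerts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    "10.10.1.5 10.50.0.21 tcp 443",    # allowed management host -> pump: fine
    "10.20.3.44 10.50.0.21 tcp 1023",  # workstation -> WBM telnet CLI: high
    "10.20.3.44 10.50.0.22 tcp 21",    # workstation -> WBM FTP: high
    "10.20.3.44 10.50.0.22 tcp 443",   # unexpected inbound source: medium
    "10.50.0.21 10.50.0.22 tcp 1023",  # pump -> pump telnet: medium
    "10.50.0.21 10.10.1.5 udp 514",    # outbound syslog: out of scope
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS):
        print(f"[{alert.severity}] {alert.reason}: {alert.flow}")
```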

BIOTRONIK CardioMessenger II

Five vulnerabilities have been identified in BIOTRONIK CardioMessenger II-S T-Line and II-S GSM (T4APP 2.20) cardiac activity monitors.

Exploitation of the flaws could lead to theft of sensitive data and could allow an attacker to influence communications between the Home Monitoring Unit (HMU) and the Access Point Name (APN) gateway network. In order to exploit the flaws an attacker would need adjacent access.

  • CVE-2019-18246 is due to improper authentication between the affected products and BIOTRONIK Remote Communication infrastructure. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10.
  • CVE-2019-18248 is due to the products transmitting credentials in plaintext before switching to an encrypted communication channel. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10.
  • CVE-2019-18252 is a further improper authentication issue, allowing credential reuse for multiple authentication purposes. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10.
  • CVE-2019-18254 is due to a lack of encryption for sensitive data at rest. The vulnerability has been assigned a CVSS v3 base score of 4.3 out of 10.
  • CVE-2019-18256 is due to the storage of passwords in a recoverable format. The passwords could be used for network authentication and decryption of local data in transit. The vulnerability has been assigned a CVSS v3 base score of 4.6 out of 10.

BIOTRONIK has determined the vulnerabilities do not introduce new safety risks and, as such, the company will not be issuing a security update to correct the flaws. The following compensating controls will reduce the risk of exploitation:

  • Maintain good physical control over home monitoring units.
  • Use only home monitoring units obtained directly from a trusted healthcare provider or a BIOTRONIK representative to ensure integrity of the system.
  • Report any concerning behavior regarding these products to your healthcare provider or a BIOTRONIK representative.

BD Alaris PCUs

A vulnerability has been identified in certain BD Alaris PCUs that could potentially be exploited to trigger a denial of service condition that could affect the wireless functionality of vulnerable devices. The flaw is due to a hard-coded Linux kernel maximum segment size overflow.

The vulnerability only affects the versions 9.13, 9.19, 9.33, and 12.1 of the Alaris PC Unit that have implemented the Linux Kernel v4.4.97 within the Laird Wireless Module WB40N. The vulnerability is tracked as CVE-2019-11479 and has been assigned a CVSSv3 base score of 5.3 out of 10.

BD proactively identified the vulnerability and reported it to CISA. BD recommends using stronger network controls for wireless authentication such as WPA2 protocols, monitoring wireless networks with patient-connected devices for possible malicious activity, operating BD Alaris Systems Manager behind a firewall and patching it regularly, and separating the BD Alaris PC Unit and BD Alaris Systems Manager with a firewall.


CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about an ongoing Nefilim ransomware campaign, following the release of a security advisory by the New Zealand Computer Emergency Response Team (CERT NZ).

Nefilim ransomware is the successor of Nemty ransomware and was first discovered in February 2020. In contrast to Nemty, Nefilim ransomware is not distributed under the ransomware-as-a-service model. The developers of the ransomware conduct their own attacks and deploy the ransomware manually after gaining access to enterprise networks.

As with other manually operated ransomware groups, data is stolen from victims before the ransomware is deployed, and the group threatens to publish or sell the stolen data if the ransom is not paid. The group gains access to enterprise networks through remote desktop protocol (RDP) and virtual private network (VPN) services: it brute-forces weak credentials on services that lack multi-factor authentication, and it exploits unpatched vulnerabilities in VPN software.

Once a foothold has been gained, the attackers use tools such as Mimikatz, PsExec, and Cobalt Strike for credential theft, privilege escalation, lateral movement, persistence, and exfiltration of sensitive data.

The group is highly skilled, and their attacks are sophisticated and well crafted. The extent of network infiltration means it is not possible to recover from an attack simply by restoring data from backups. A comprehensive forensic investigation needs to be conducted to fully investigate the attack and ensure backdoors are identified and removed and the attackers are permanently ejected from the network.

All organizations with remote access systems that have not been properly secured are at risk. To prevent an attack, known RDP and VPN vulnerabilities must be patched, remote access software must be kept fully up to date, accounts must use strong passwords, and multi-factor authentication should be enforced on every externally reachable logon.

Application whitelisting and network segmentation can limit the severity of an attack, and networks and remote access systems should be monitored for signs of unauthorized access, such as repeated failed logons from a single source followed by a success. Backups should be performed regularly, and one copy should be stored offline on an air-gapped device or media that cannot be reached from the network.
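The monitoring recommended above, reduced to working code, as an added example that is not part of the CISA or CERT NZ alerts: a sliding-window detector over Windows Security events 4625 (logon failure) and 4624 (logon success) that flags a source address once it crosses a failure threshold for remote logon types (LogonType 10 is RemoteInteractive, used by RDP; LogonType 3 is Network, used when RDP authenticates through NLA) and raises a second, higher-priority alert when a success follows from the same address. The JSON-lines events, addresses, usernames and the threshold and window values are all constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: Windows Security log events exported as JSON lines. The field
# names follow the 4624/4625 event schema, but every value is invented; none of this
# comes from the CISA or CERT NZ advisories.
SAMPLE_EVENTS = """\
{"TimeCreated": "2020-06-10T02:14:03Z", "EventID": 4625, "IpAddress": "198.51.100.23", "TargetUserName": "administrator", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T02:14:19Z", "EventID": 4625, "IpAddress": "198.51.100.23", "TargetUserName": "administrator", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T02:14:35Z", "EventID": 4625, "IpAddress": "198.51.100.23", "TargetUserName": "administrator", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T02:14:51Z", "EventID": 4625, "IpAddress": "198.51.100.23", "TargetUserName": "administrator", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T02:15:07Z", "EventID": 4625, "IpAddress": "198.51.100.23", "TargetUserName": "administrator", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T02:15:23Z", "EventID": 4625, "IpAddress": "198.51.100.23", "TargetUserName": "administrator", "LogonType": 10, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T02:15:40Z", "EventID": 4624, "IpAddress": "198.51.100.23", "TargetUserName": "administrator", "LogonType": 10}
{"TimeCreated": "2020-06-10T02:20:00Z", "EventID": 4625, "IpAddress": "203.0.113.5", "TargetUserName": "scan", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T02:20:30Z", "EventID": 4625, "IpAddress": "203.0.113.5", "TargetUserName": "test", "LogonType": 3, "Status": "0xC000006D"}
{"TimeCreated": "2020-06-10T08:02:11Z", "EventID": 4624, "IpAddress": "10.0.0.15", "TargetUserName": "jsmith", "LogonType": 10}
{"TimeCreated": "2020-06-10T08:05:45Z", "EventID": 4624, "IpAddress": "-", "TargetUserName": "SYSTEM", "LogonType": 5}
"""

THRESHOLD = 5                  # failed remote logons from one address ... (assumed tuning)
WINDOW = timedelta(minutes=5)  # ... within this window trigger an alert (assumed tuning)
REMOTE_LOGON_TYPES = {3, 10}   # 3 = Network (RDP with NLA), 10 = RemoteInteractive (RDP)


def parse_events(text):
    """Parse JSON-lines events and return them sorted by time (UTC)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev['ts'] = datetime.strptime(ev['TimeCreated'], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e['ts'])
    return events


def detect_rdp_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source_ip, username, timestamp) tuples.

    'brute_force' fires the first time an address reaches `threshold` failed remote
    logons inside `window`; 'brute_force_success' fires for every success from an
    address that met the threshold within the last `window`."""
    failures = defaultdict(deque)  # ip -> timestamps of recent 4625s (sliding window)
    flagged = {}                   # ip -> most recent time the threshold was met
    alerts = []
    for ev in events:
        if ev.get('LogonType') not in REMOTE_LOGON_TYPES:
            continue  # console, service and batch logons are out of scope here
        ip, ts = ev['IpAddress'], ev['ts']
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev['EventID'] == 4625:
            recent.append(ts)
            if len(recent) >= threshold:
                if ip not in flagged:
                    alerts.append(('brute_force', ip, ev['TargetUserName'], ts))
                flagged[ip] = ts
        elif ev['EventID'] == 4624 and ip in flagged and ts - flagged[ip] <= window:
            alerts.append(('brute_force_success', ip, ev['TargetUserName'], ts))
    return alerts


if __name__ == '__main__':
    for kind, ip, user, ts in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        print(f'{ts.isoformat()} {kind:<21} src={ip} user={user}')
```

The second alert is the one that matters for a Nefilim-style intrusion: a success after a burst of failures means the attacker now has a valid account and the response is containment and credential reset, not just blocking the source address. In production the detector would read from the event collector rather than a string and the threshold would be tuned against the baseline of legitimate failed logons.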

The post CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs appeared first on HIPAA Journal.

Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices

Nineteen zero-day vulnerabilities have been identified in the TCP/IP communication software library developed by Treck Inc. that affect hundreds of millions of connected devices across virtually all industry sectors, including healthcare.

Treck is a Cincinnati, OH-based company that develops low-level network protocol stacks for embedded devices. The company may not be widely known, but its software library has been built into internet-enabled devices for decades. Because of its small footprint and reliability, the code is used in many low-power IoT devices and real-time operating systems, and it is found in industrial control systems, printers, medical infusion pumps and many other products.

The vulnerabilities were identified by security researchers at the Israeli cybersecurity company JSOF, who named the vulnerabilities Ripple20 because of the supply chain ripple effect.

A vulnerability in a small component can have wide-reaching consequences and can affect a huge number of companies and products. In the case of Ripple20, affected companies include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, B. Braun, and Baxter, and JSOF maintains a list of 66 further companies that are potentially affected.

Four of the vulnerabilities are rated critical: two (CVE-2020-11896 and CVE-2020-11897) received the highest possible severity score of 10 out of 10, and the other two received scores of 9.0 (CVE-2020-11901) and 9.1 (CVE-2020-11898). CVE-2020-11896, CVE-2020-11897 and CVE-2020-11901 allow remote code execution; CVE-2020-11898 results in the disclosure of sensitive information.

CVE-2020-11896 can be exploited by sending a malformed IPv4 packet to a device that supports IPv4 tunneling, and CVE-2020-11897 can be triggered by sending multiple malformed IPv6 packets to a device. Both allow stable remote code execution. CVE-2020-11901 can be triggered by answering a single DNS request made by a vulnerable device; because the attacker only needs to supply the DNS response, for example through DNS cache poisoning, the device can be taken over from outside the network in a way that bypasses perimeter security measures.

The remaining 15 vulnerabilities have CVSS scores ranging from 3.1 to 8.2 and could result in information disclosure or denial of service, and some could also potentially lead to remote code execution.

Exploitation is possible from outside the network. An attacker could take full control of a vulnerable internet-facing device, or, having infiltrated a network, attack vulnerable devices on it that are not themselves internet-facing. An attacker could also broadcast an attack and take control of every vulnerable device on a network simultaneously. The attacks require no user interaction and can be carried out in ways that bypass NAT and firewalls. A compromised device could be controlled undetected for years.

The vulnerabilities could be exploited by sending specially crafted packets that are very similar to valid packets, making it difficult to detect an attack in progress. JSOF reports that in some cases, completely valid packets could be used, which would make an attack almost impossible to detect.
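The CVE descriptions for CVE-2020-11896 and CVE-2020-11898 both name improper handling of a length-parameter inconsistency, the situation described above in which a packet looks almost valid but its header fields disagree with the bytes that actually arrived. The following Python is an added illustration of that bug class and of the check that prevents it; it is not Treck's code, not JSOF's proof of concept, and not an exploit. `parse_ipv4_trusting` shows the vulnerable pattern (deriving payload bounds from the header alone), `parse_ipv4_checked` shows the hardened one, and `parse_ipip_checked` applies the same check at each layer of an IP-in-IP tunnel, since the inner header can only describe bytes the outer header delivered. All packets are constructed with `build_ipv4` (an example helper) using RFC 5737 test addresses.

```python
import struct

IPV4_MIN_HDR = 20
IPPROTO_IPIP = 4  # IP-in-IP tunnelling, the feature CVE-2020-11896 is reported against


def build_ipv4(payload, options=b'', claimed_total=None, proto=17):
    """Build a constructed IPv4 packet (RFC 791 layout, RFC 5737 test addresses).
    claimed_total overrides the real total length so deliberately inconsistent
    headers can be produced. The checksum is left zero; it is not what is under test."""
    ihl = IPV4_MIN_HDR + len(options)
    total = ihl + len(payload) if claimed_total is None else claimed_total
    header = struct.pack('!BBHHHBBH4s4s',
                         0x40 | (ihl // 4),   # version 4, IHL in 32-bit words
                         0, total, 1, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + payload


def parse_ipv4_trusting(buf):
    """Illustrative vulnerable pattern: derives the payload bounds purely from the
    header's own fields and never compares them with len(buf). Returns
    (payload_offset, claimed_payload_len); the length can exceed the buffer or go
    negative, which in C's unsigned arithmetic wraps to a huge value."""
    if len(buf) < IPV4_MIN_HDR:
        raise ValueError('short header')
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack_from('!H', buf, 2)[0]
    return ihl, total - ihl


def parse_ipv4_checked(buf):
    """Hardened pattern: every length taken from the header is checked against the
    bytes actually received before it is used. Returns (payload_offset, payload_len)
    or raises ValueError."""
    if len(buf) < IPV4_MIN_HDR:
        raise ValueError('short header')
    version, ihl = buf[0] >> 4, (buf[0] & 0x0F) * 4
    if version != 4:
        raise ValueError('not IPv4')
    if ihl < IPV4_MIN_HDR or ihl > len(buf):
        raise ValueError('IHL inconsistent with received length')
    total = struct.unpack_from('!H', buf, 2)[0]
    if total < ihl or total > len(buf):
        raise ValueError('total length inconsistent with received length')
    return ihl, total - ihl


def parse_ipip_checked(buf):
    """Apply the same checks at every encapsulation layer: the inner header may only
    describe bytes that the outer header actually delivered. Returns a list of
    (offset, length) pairs, outermost first."""
    layers = [parse_ipv4_checked(buf)]
    off, length = layers[0]
    if buf[9] == IPPROTO_IPIP:  # byte 9 is the protocol field
        inner_off, inner_len = parse_ipv4_checked(buf[off:off + length])
        layers.append((off + inner_off, inner_len))
    return layers


def validate(parser, buf):
    """Run a parser and report (accepted, result_or_reason) instead of raising."""
    try:
        return True, parser(buf)
    except ValueError as err:
        return False, str(err)


# Constructed test packets (not captured traffic)
GOOD = build_ipv4(b'\xaa' * 8)                                        # 28 bytes, consistent
OVERSIZED = build_ipv4(b'', claimed_total=1500)                       # 20 bytes on the wire, claims 1500
SHORT_TOTAL = build_ipv4(b'', options=b'\x00' * 4, claimed_total=20)  # IHL 24 > total 20
TUNNELED_BAD = build_ipv4(OVERSIZED, proto=IPPROTO_IPIP)              # outer consistent, inner lies

if __name__ == '__main__':
    for name, pkt in [('GOOD', GOOD), ('OVERSIZED', OVERSIZED), ('SHORT_TOTAL', SHORT_TOTAL)]:
        print(name, 'trusting ->', parse_ipv4_trusting(pkt),
              '| checked ->', validate(parse_ipv4_checked, pkt))
    print('TUNNELED_BAD outer only ->', validate(parse_ipv4_checked, TUNNELED_BAD))
    print('TUNNELED_BAD all layers ->', validate(parse_ipip_checked, TUNNELED_BAD))
```

The tunnel case is the instructive one: the outer packet passes every check on its own, so a filter that validates only the outer header lets it through, and it is the inner parser, running over a 20-byte buffer whose header claims 1500, that must refuse it. In an embedded C stack the `total - ihl` of the trusting parser becomes the length handed to a copy or checksum routine, which is how a length inconsistency turns into memory corruption.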

“The risks inherent in this situation are high,” explained JSOF. “Just a few examples: Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years.”

JSOF has published a video demonstrating an exploit against a UPS to which several devices are connected, including a drug infusion pump.

Treck is currently reaching out to its clients to warn them about the vulnerabilities. The flaws have been patched in its TCP/IPv4/v6 software, so affected organizations should ensure that version 6.0.1.67 or later of Treck's stack is used. Because the stack is compiled into device firmware, end users generally depend on each device manufacturer to release updated firmware; until that is available, exposure should be reduced by segmenting embedded devices from other networks and filtering traffic they do not need, such as IP tunneling, at the perimeter.

The ICS-CERT advisory for Ripple20 lists the affected vendors and the recommended mitigations.

The post Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices appeared first on HIPAA Journal.

Misconfigured Public Cloud Databases are Found and Attacked Within Hours

Misconfigured public cloud databases are regularly discovered by security researchers. Misconfigurations that leave cloud data exposed can stem from a lack of understanding of cloud security or of company policies, from poor oversight that fails to catch errors, or from negligent behavior by insiders, to name but a few causes. A recent report from Trend Micro found that misconfiguration is the number one cause of cloud security incidents.

Security researchers at Comparitech often discover unsecured cloud resources, most commonly Elasticsearch instances and AWS S3 buckets. When an unsecured database is discovered, the owner is identified and notified so that the data can be secured quickly. Provided the owner can be identified, the database is usually secured within hours, but there have been several cases where the owner was contacted and never responded, and it is not always apparent to whom the data belongs.

In those cases, data can be left exposed online for days or even weeks. During that time the databases remain unprotected and can be accessed and downloaded by anyone who knows where to find them. Comparitech's researchers are well practiced at finding unsecured Elasticsearch databases and AWS S3 buckets, but how quickly can malicious actors sniff out an unsecured database? Comparitech decided to find out, and it turns out not to take long.

To measure how long it takes for unsecured data to be found, Comparitech's security team set up an Elasticsearch instance as a honeypot, configured like the many Elasticsearch instances they have found unsecured. They populated it with fake user data and left it exposed without any access controls from May 11, 2020 to May 22, 2020.

In a blog post detailing the exercise, Comparitech security researcher Paul Bischoff explained that the first access request arrived 8 hours and 35 minutes after the database was created. During the 11 days the database was exposed there were 175 access requests, an average of 18 per day.

Exposed databases are usually located using an IoT search engine such as Shodan. It takes time for a new host to be indexed; in this case Shodan indexed the database on May 16, five days after it was created. Even before it was indexed there had already been three dozen attempts to access the data, which shows that attackers also scan for exposed instances themselves. As soon as the database was indexed, the attacks spiked: two access attempts were made within a minute of indexing, with a further 20 access requests that same day.

There are several reasons why attackers look for unsecured cloud resources. Databases often contain sensitive data that can be used for identity theft and fraud or sold on underground forums, and databases can be hijacked and held to ransom, but not all of the attacks were after the data. Several attempts were made to hijack the server and download cryptomining scripts, and in one case an attacker attempted to switch off the firewall and delete the database.

Although the test concluded on May 22, 2020 and most of the data was deleted, a further attack occurred on May 29. A malicious bot found the honeypot, deleted the database, and left a message demanding 0.06 BTC for the return of the data. That attack took 5 seconds from start to finish.

The exercise showed that even a database exposed for a short period is highly likely to be found. When notified by Comparitech of an exposed cloud instance, many companies say the data was not left unsecured for long, but unless the exposure lasted only a few hours, it is probable that the data has already been compromised.

Comparitech pointed out that if the person setting up an Elasticsearch instance failed to put access controls in place, it is reasonable to assume that logging was not enabled either. When a company reports that no evidence was found of data being accessed or exfiltrated, that does not mean the data was not accessed and stolen, only that there is no evidence either way. A 2019 report from McAfee suggested 99% of cloud misconfigurations go unreported when they are discovered, so data theft from cloud resources is probably far more common than breach reports would suggest.
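What the missing evidence would look like if it existed, as an added example (Python, not Comparitech's code or data): a triage script over the access log of a reverse proxy placed in front of an unauthenticated Elasticsearch instance. It recovers the same measurements the exercise reports (time to first access, request volume, how long the destructive session took) and classifies each request as reconnaissance, bulk read, deletion or ransom-note creation, which is what separates "someone looked" from "the data is gone". The nginx-format log lines, the RFC 5737 addresses, the ransom index name pattern and the instance creation time `CREATED_AT` are all constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: nginx "combined"-format access log of a reverse proxy placed in
# front of an unauthenticated Elasticsearch instance. The IPs are RFC 5737 documentation
# addresses and the timestamps are invented; this is not Comparitech's honeypot data.
SAMPLE_LOG = """\
198.51.100.7 - - [11/May/2020:18:35:02 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.23.0"
198.51.100.7 - - [11/May/2020:18:35:03 +0000] "GET /_cat/indices?v HTTP/1.1" 200 188 "-" "python-requests/2.23.0"
203.0.113.21 - - [16/May/2020:02:10:44 +0000] "GET /users/_search?size=10000 HTTP/1.1" 200 1048576 "-" "curl/7.68.0"
203.0.113.21 - - [16/May/2020:02:10:50 +0000] "GET /users/_search?size=10000&from=10000 HTTP/1.1" 200 1048576 "-" "curl/7.68.0"
192.0.2.99 - - [29/May/2020:09:41:10 +0000] "GET /_cat/indices HTTP/1.1" 200 188 "-" "Go-http-client/1.1"
192.0.2.99 - - [29/May/2020:09:41:11 +0000] "DELETE /users HTTP/1.1" 200 21 "-" "Go-http-client/1.1"
192.0.2.99 - - [29/May/2020:09:41:12 +0000] "PUT /read_me_to_recover HTTP/1.1" 200 56 "-" "Go-http-client/1.1"
192.0.2.99 - - [29/May/2020:09:41:13 +0000] "POST /read_me_to_recover/_doc HTTP/1.1" 201 90 "-" "Go-http-client/1.1"
192.0.2.99 - - [29/May/2020:09:41:15 +0000] "GET /_cat/indices HTTP/1.1" 200 44 "-" "Go-http-client/1.1"
"""

# Assumed creation time of the exposed instance (an assumption made for the example).
CREATED_AT = datetime(2020, 5, 11, 10, 0, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# Index names attackers typically create to hold a ransom note (assumed pattern).
RANSOM_NOTE_RE = re.compile(r'^/(read|recover|warning|ransom|how_?to)', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = datetime.strptime(ev['ts'], '%d/%b/%Y:%H:%M:%S %z')
    ev['size'] = 0 if ev['size'] == '-' else int(ev['size'])
    return ev


def classify(ev):
    """Label a request by what it says about the caller's intent."""
    method, path = ev['method'], ev['path']
    if method == 'DELETE':
        return 'destroy'
    if method in ('PUT', 'POST') and RANSOM_NOTE_RE.match(path):
        return 'ransom_note'
    if '_search' in path or '_mget' in path or '_scroll' in path:
        return 'bulk_read'
    if path == '/' or path.startswith(('/_cat', '/_cluster', '/_nodes')):
        return 'recon'
    return 'other'


def summarize(log_text, created_at):
    """Compute the honeypot-style measurements plus per-source attribution."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events.sort(key=lambda e: e['ts'])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev['ip']].append(ev)
    return {
        'total': len(events),
        'first_access_seconds': (events[0]['ts'] - created_at).total_seconds() if events else None,
        'categories': Counter(classify(ev) for ev in events),
        'bytes_by_ip': {ip: sum(e['size'] for e in evs) for ip, evs in by_ip.items()},
        'session_seconds': {ip: (evs[-1]['ts'] - evs[0]['ts']).total_seconds() for ip, evs in by_ip.items()},
        'ransom_actors': sorted({ev['ip'] for ev in events if classify(ev) in ('destroy', 'ransom_note')}),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG, CREATED_AT).items():
        print(f'{key}: {value}')
```

The bytes-per-source figure is the one that answers the breach-notification question: two 1 MiB `_search` responses to a single address is a download of the index, not a look, and without a log like this in place there is nothing to distinguish the two. The fix that makes the log unnecessary is not to expose the instance at all: bind it to a private interface and require authentication, rather than relying on nobody finding it.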

The post Misconfigured Public Cloud Databases are Found and Attacked Within Hours appeared first on HIPAA Journal.