Healthcare Cybersecurity

Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance

A bipartisan group of Senators has written to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command requesting healthcare-specific cybersecurity guidance on how to deal with coronavirus and COVID-19-related threats.

Richard Blumenthal, (D-CT), Mark Warner (D-VA), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) penned the letter in response to the escalating cyber espionage and cybercriminal activity targeting the healthcare, public health, and research sectors during the COVID-19 pandemic.

The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group APT41, targeting the healthcare sector. The hacking group is exploiting vulnerabilities in networking equipment, cloud software and IT management tools to gain access to healthcare networks – the same systems that are now being used by telecommuting workers to provide telehealth during the pandemic. Several other threat groups with links to China have also stepped up their attacks and are using COVID-19-themed campaigns against U.S. targets.

Threat actors in Russia, Iran, and North Korea have also been conducting attacks on international health organizations and public health institutions of U.S. allies. There have also been several misinformation campaigns that have been linked to Russia, Iran, and China which are attempting to derail the response of the United States to the pandemic.

The healthcare industry was already struggling to defend against attacks from nation state hackers and cybercriminal gangs before the SARS-CoV-2 pandemic. Healthcare organizations are now stretched and stressed due to the COVID-19 pandemic and the situation is now critical. If the cyberattacks succeed, there is a major risk of disruption of the public health response.

Hospitals are dependent on electronic data such as electronic medical records, email, and their internal networks, many of which are heavily reliant on legacy equipment. Any attack that causes disruption will see resources diverted and critical time lost. Even a relatively minor attack has the potential to cause major disruption. As an example, the Senators cited an attack on the Department of Health and Human Services. A relatively minor technical issue was experienced with email, but it was enough to hamper the efforts of the HHS to coordinate the federal government’s response.

Ransomware attacks that take EHRs out of action have even greater potential to cause disruption, and the consequences of these attacks can be grave. “During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death,” wrote the Senators.

The Senators have called for the two agencies to use the expertise and resources that have been developed to defend against these threats and to take the necessary measures to protect the healthcare industry during the coronavirus pandemic.

The Senators have requested private and public cyber threat intelligence such as indicators of compromise from attacks on the healthcare, public health, and research sectors to be broadly shared to help network defenders block the attacks. They have also requested the agencies coordinate with the HHS, Federal Trade Commission (FTC), and Federal Bureau of Investigation (FBI) to help increase awareness of cyberespionage, cybercrime, and disinformation campaigns.

The Senators have asked for the National Guard Bureau to be provided with threat assessments, resources, and additional guidance to support personnel supporting state public health departments and local emergency management agencies to ensure they have the information they need to defend critical infrastructure from cybersecurity breaches.

The agencies have been asked to consult with partners in the private healthcare, public health, and research sectors on the resources and information needed to improve defenses against attacks, such as vulnerability detection tools and threat hunting.

To counter the disinformation campaigns that are being conducted, the Senators have asked the agencies to consider issuing public statements “to put adversaries on notice”, similar to the joint statement issued in relation to election interference on March 2nd.

Finally, they asked the agencies to evaluate further necessary action to defend forward to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

The post Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance appeared first on HIPAA Journal.

FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers

The FBI has issued a fresh warning following an increase in COVID-19 phishing scams targeting healthcare providers. In the alert, the FBI explains that network perimeter cybersecurity tools used by US-based healthcare providers started detecting COVID-19 phishing campaigns from both domestic and international IP addresses on March 18, 2020 and those campaigns are continuing.

These campaigns use malicious Microsoft Word documents, Visual Basic Scripts, 7-zip compressed files, JavaScript, and Microsoft Executables to gain a foothold in healthcare networks. While the full capabilities of the malicious code are not known, the FBI suggests that the purpose is to gain a foothold in the network to allow follow-on exploitation, persistence, and data exfiltration.

In the alert, the FBI provides indicators of compromise for the ongoing phishing campaigns to allow network defenders to take action to block the threats and protect their environments against attack.

Indicators of Compromise

Email Sender | Email Subject | Attachment Filename | Hash (SHA-256)
srmanager@combytellc.com | PURCHASE ORDER PVT | Doc35 Covid Business Form.doc | babc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de
srmanager@combytellc.com | Returned mail: see transcript for details | Covid-19_UPDATE_PDF.7z | de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44
srmanager@combytellc.com | COVID-19 UPDATE !! | Covid-19_UPDATE_PDF.7z | de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44
admin@pahostage.xyz | Information about COVID-19 in the United States | covid50_form.vbs | d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
help@pahofinity.xyz | Coronavirus (COVID-19) | covid27_form.vbs | d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
monique@bonnienkim.us | Business Contingency alert -COVID 19 | COVID-19 Circular.jar | eacc253fd7eb477afe56b8e76de0f873259d124ca63a9af1e444bfd575d9aaae
info@mohap.gov.ae | Todays Update on COVID-19 | Todays Update on COVID-19.exe | 7fd2e950fab147ba39fff59bf4dcac9ad63bbcdfbd9aadc9f3bb6511e313fc9c
erecruit@who.int | World Health Organization/ Let’s fight Corona Virus together | COVID-19 WHO RECOMENDED V.exe | d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5
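The alert says these indicators are published so that network defenders can block the campaign. The following is an added example, not code from the FBI alert or from HIPAA Journal, of how a mail gateway or SOC script could check an inbound message against the table above. The IoC rows are copied from the table; the Email class, the match_iocs function and the sample message are constructed for this example. Note that the sender address can be spoofed (as the alert itself warns), so a sender match on its own is weaker evidence than an attachment hash match.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# IoC rows copied from the FBI flash alert table above:
# (sender address, attachment filename, SHA-256 of the attachment).
FBI_IOCS: List[Tuple[str, str, str]] = [
    ("srmanager@combytellc.com", "Doc35 Covid Business Form.doc",
     "babc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de"),
    ("srmanager@combytellc.com", "Covid-19_UPDATE_PDF.7z",
     "de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44"),
    ("admin@pahostage.xyz", "covid50_form.vbs",
     "d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c"),
    ("help@pahofinity.xyz", "covid27_form.vbs",
     "d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c"),
    ("monique@bonnienkim.us", "COVID-19 Circular.jar",
     "eacc253fd7eb477afe56b8e76de0f873259d124ca63a9af1e444bfd575d9aaae"),
    ("info@mohap.gov.ae", "Todays Update on COVID-19.exe",
     "7fd2e950fab147ba39fff59bf4dcac9ad63bbcdfbd9aadc9f3bb6511e313fc9c"),
    ("erecruit@who.int", "COVID-19 WHO RECOMENDED V.exe",
     "d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5"),
]


@dataclass
class Email:
    """Minimal model of an inbound message (constructed for this example)."""
    sender: str
    subject: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # filename -> raw bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_iocs(email: Email, iocs=FBI_IOCS) -> List[str]:
    """Return the reasons an email matches the IoC list (empty list means no match).

    A hash match is strong evidence. Sender and filename matches are weaker: the
    From header can be spoofed and attackers rename lure files freely.
    """
    senders = {s.lower() for s, _, _ in iocs}
    filenames = {f.lower() for _, f, _ in iocs}
    hashes = {h.lower() for _, _, h in iocs}
    reasons = []
    if email.sender.lower() in senders:
        reasons.append(f"sender {email.sender} is listed")
    for name, data in email.attachments.items():
        digest = sha256_hex(data)
        if digest in hashes:
            reasons.append(f"attachment {name!r} SHA-256 {digest} is listed (strong)")
        elif name.lower() in filenames:
            reasons.append(f"attachment filename {name!r} is listed but hash differs (weak)")
    return reasons


if __name__ == "__main__":
    # Constructed sample message: listed sender and lure filename, harmless bytes.
    sample = Email("srmanager@combytellc.com", "COVID-19 UPDATE !!",
                   {"Covid-19_UPDATE_PDF.7z": b"constructed placeholder, not the real archive"})
    for reason in match_iocs(sample):
        print("ALERT:", reason)
```

The iocs parameter lets the same function be fed a larger feed later (for example, indicators shared under the request in the Senators' letter above) without changing the matching logic.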


In addition to taking steps to reduce risk, the FBI has requested healthcare providers who have been targeted in one of these COVID-19 phishing attacks to share copies of the emails they receive, including email attachments and full email headers. If any of the attacks are successful, the FBI has requested victims retain and share logs and images of infected devices, and perform memory capture of all affected equipment. That information can be used in the response by the FBI.

The FBI warns all users to be wary about emails containing unsolicited attachments, regardless of who sent the email. Threat actors can spoof messages to make them appear to have been sent by a known, trusted individual. If an email attachment seems suspicious, it should not be opened even if antivirus software suggests the attachment is clean and does not include malware. Antivirus software can only detect known malware and new malicious code is constantly being released. The FBI also advises against allowing the automatic downloading of attachments.

Patches should be applied promptly and all software should be updated to the latest version. Additional security practices should be adopted, such as filtering certain types of attachments through email security software and firewalls.

It is also recommended to create multiple accounts on computers and restrict the use of admin accounts. The FBI warns that some viruses require administrator privileges to infect computers, so emails should only be read on an account with restricted privileges to reduce risk.


CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching

The Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA) has issued a warning to all organizations using Pulse Secure VPN servers that patching vulnerabilities will not necessarily prevent cyberattacks. CISA is aware of attacks occurring even after patches have been applied to address known vulnerabilities.

CISA issued an alert about a year ago warning organizations to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances due to a high risk of exploitation. Many companies were slow to apply the patch, and hackers took advantage.

CVE-2019-1151 is an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances. The vulnerability was identified in the spring of 2019 and Pulse Secure released a patch to address the vulnerability in April 2019. Several advanced persistent threat groups are known to have exploited the vulnerability to steal data and install malware and ransomware. By exploiting the vulnerability and stealing credentials, the attackers were able to gain persistent access to networks even after the vulnerability was patched, if credentials were not also changed at the same time.

CISA observed threat actors exploiting the vulnerability to deploy ransomware at several government agencies and hospitals, even after patches had been applied. First, the vulnerability was exploited to gain access to the network through vulnerable VPN devices. The threat actors were then able to obtain plaintext Active Directory credentials, and those accounts were used with external remote services for access, remote services for lateral movement, and the attackers then deployed ransomware and malware and/or exfiltrated and sold sensitive company data.

The attackers used Tor infrastructure and virtual private servers to minimize the chance of detection when they were connected to victims’ VPN appliances. Many victims failed to detect the compromise as their antivirus and intrusion detection systems did not detect the remote access as suspicious, as genuine login credentials and remote services were used. Some attackers used LogMeIn and TeamViewer to ensure they had persistent access even if the primary connection was lost.

When patches are applied to address vulnerabilities that are known to be actively exploited in real world attacks, organizations then need to conduct analyses to determine if the vulnerability has already been exploited to gain access to their networks. Patching will prevent any further threat actors from exploiting the vulnerability, but if a network compromise has already occurred, applying the patch will not kick the attackers out of systems.

CISA has now developed a tool that can be used by organizations to determine if the Pulse Secure VPN vulnerability has already been exploited. The tool can be used to scan the log files of Pulse Secure VPN servers to determine if the gateway has been compromised. In addition to helping system administrators triage logs, the tool will also scan for Indicators of Compromise (IoCs) associated with exploitation of the Pulse Secure vulnerability.

“If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged,” wrote CISA.

In addition to performing the scans, CISA recommends changing Active Directory passwords and conducting a search for unauthorized applications, scheduled tasks, and any remote access tools that have been installed that have not been approved by the IT departments. Scans should also be performed to identify any remote access Trojans and other malware that may have been installed.

Many organizations that use VPN servers to allow remote access do not use multi-factor authentication, which means that any stolen credentials can be used to gain access to networks via the VPN gateways. With multi-factor authentication in place, use of stolen credentials becomes much harder, as a second factor will be required before access is granted.


AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians

The American Medical Association (AMA) and the American Hospital Association (AHA) have issued joint cybersecurity guidance for physicians working from home due to the COVID-19 pandemic to help them secure their computers, mobile devices, and home networks and safely provide remote care to patients.

Physicians are able to use their mobile devices to access patients’ medical records over the internet as if they were in the office, and teleconferencing solutions allow them to conduct virtual visits using video, audio, and text to diagnose and treat patients. However, working from home introduces risks that can jeopardize the privacy and security of patient data.

The AMA/AHA guidance is intended to help physicians secure their home computers and home network to protect patient data and keep their work environment safe from cyber threats such as malware and ransomware, which could have a negative impact on patient safety and well-being.

“For physicians helping patients from their homes and using personal computers and mobile devices, the AMA and AHA have moved quickly to provide a resource with important steps to help keep a home office as resilient to viruses, malware and hackers as a medical practice or hospital,” explained AMA President Patrice A. Harris.

The guidance includes a checklist for computers, which lists several actions that should be taken to strengthen security and reduce susceptibility to threats such as phishing, malware, and ransomware. The guidance also provides a set of best practices to follow, such as the use of multi-factor authentication, lockout features for accounts, additional verbal authentication procedures, and regularly backing up data.

The AMA and AHA recommend the use of virtual private networks (VPNs) when accessing EHRs and other data repositories and suggest physicians should contact their EHR vendors to obtain recommendations on the use of VPNs and cloud-based technologies to improve security.

The guidance also covers mobile and tablet security and provides a similar checklist for securing those devices. The AMA and AHA suggest physicians can use applications on mobile devices and tablets to connect to the office to order medications and tests. Apps such as TigerTouch can also be used on these devices to allow physicians to provide telemedicine services to patients. These apps also fully integrate with EHRs.

In addition to securing devices, steps should be taken to strengthen security for home networks. Vulnerabilities in home networks could be exploited to compromise any device that connects to the network, which could give an attacker access to patient data. The guidance also explains how to work with medical devices and identify and mitigate cyber risks.

The guidance on working from home during the COVID-19 pandemic can be viewed via this link.


Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies.

Healthcare industry buyers have been told to be on high alert following a rise in the number of scams related to the procurement of PPE and essential medical equipment such as ventilators, which are in short supply due to increased demand.

The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake.

There have also been several reported cases of business email compromise (BEC) scams related to PPE and medical equipment procurement. In these scams, brokers and vendors of goods and services are impersonated. The scammers use email addresses that are nearly identical to the legitimate broker or seller and request wire transfer payments for the goods and services. The scams are often only detected after the money has been transferred and withdrawn from the accounts.

The FBI cites one case where an individual was duped by a scammer into wire transferring funds to an entity that claimed to have an existing business relationship with the purchasing agency. When the potential scam was uncovered, the funds had already been transferred beyond the reach of U.S. law enforcement and could not be recovered.

Prepayment for goods such as PPE and ventilators is commonplace, but it increases risk of being defrauded and, in many cases, prepayment for goods eliminates potential recourse.

Healthcare equipment buyers should be wary of the following signs of a potential scam:

  • Contact is initiated by a broker or seller of medical equipment or PPE, often through a channel that makes verification of the legitimacy of the seller or broker difficult; for example, initial contact comes from a personal email address or the offer is received over the phone.
  • The origin of the equipment is not clearly explained, including how the broker or vendor has secured a supply given the current high level of demand.
  • It is not possible to verify with the manufacturer of the goods that the person offering them for sale is a legitimate vendor or distributor of the product, or it is not possible to verify a legitimate supply chain.
  • Any unexplained urgency for payment or last-minute changes to previously used payment methods.

Any contact made by a vendor or broker who claims to have a business relationship with an existing supplier should be verified through previously established communication channels to verify the legitimacy of the relationship.

If contact is made by a known or trusted vendor, carefully check the contact information and email address to make sure it is legitimate. Look out for transposed letters and misspellings in email addresses.

Where possible, arrange for an independent third party to verify that the items being offered for sale are physically present, and of the correct make, model, and type and take delivery immediately when payment is made. If not possible, ensure payment is made through a domestic escrow account which will only release funds when the goods are received and verified to be correct.
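Two of the warning signs above (contact from a personal email address, and transposed letters or misspellings in a known vendor's address) can be checked mechanically before a payment request is approved. The following is an added example, not part of the FBI warning or of HIPAA Journal's post: it classifies the sending domain of a procurement email against a list of verified suppliers. The supplier domains are constructed placeholders, and the two-edit threshold and the webmail domain list are assumptions for this example; a real check would read supplier domains from the procurement system of record.

```python
from typing import Optional, Tuple

# Constructed list of verified supplier domains (placeholders, not real vendors).
KNOWN_SUPPLIER_DOMAINS = {"example-medsupply.com", "ventilatorco.net"}

# Consumer webmail domains: an offer from one of these is the "personal email
# address" warning sign in the FBI list above (assumed list for this example).
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: a dropped or swapped letter costs 1, a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Classify the sending domain of a procurement email.

    Returns (verdict, nearest_known_domain) where verdict is 'known', 'lookalike',
    'personal' or 'unknown'. 'lookalike' means the domain is within max_distance
    edits of a verified supplier, which is how transposed or missing letters show up.
    """
    domain = sender_domain(address)
    if domain in known:
        return "known", domain
    if domain in PERSONAL_MAIL_DOMAINS:
        return "personal", None
    nearest = min(known, key=lambda k: levenshtein(domain, k))
    if levenshtein(domain, nearest) <= max_distance:
        return "lookalike", nearest
    return "unknown", None


if __name__ == "__main__":
    for addr in ("sales@example-medsupply.com", "accounts@exmaple-medsupply.com",
                 "ppebroker@gmail.com", "offers@unrelated-broker.org"):
        print(addr, "->", classify_sender(addr))
```

A 'lookalike' or 'personal' verdict should route the request to the out-of-band verification step the FBI describes (call the supplier on a previously established number) rather than block it outright, since a genuine supplier can also register a new domain.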


Small- and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware

Ransomware gangs are concentrating their attacks on smaller healthcare providers and clinics, according to a new report from RiskIQ. Healthcare providers with fewer than 500 employees are key targets for the gangs, with these organizations accounting for 70% of all successful healthcare ransomware attacks since 2016.

RiskIQ’s analysis of 127 healthcare ransomware attacks revealed there has been a 35% increase in attacks between 2016 and 2019. Hospitals and healthcare centers accounted for 51% of ransomware attacks, 24% of attacks were on medical practices, with 17% on health and wellness centers.

The cybersecurity defenses at smaller healthcare organizations are likely to be far less effective than those at larger healthcare systems. RiskIQ reports that 85% of small- and medium-sized hospitals do not have a qualified IT security person on staff, so there is a higher chance of gaps in security being left unaddressed. Ransoms are more likely to be paid to avoid the costly downtime that is often caused by an attack. It can often take several weeks for an organization to fully recover when the ransom is not paid.

A Perfect Storm of New Targets and Methods

The RiskIQ intelligence brief – Ransomware in the Health Sector 2020 – says there has been “a perfect storm of new targets and methods,” due to the digital revolution in healthcare, but recent events have left the healthcare industry even more exposed to attack. The 2019 Novel Coronavirus pandemic has forced healthcare providers to make major changes. “Almost overnight, workforces and business operations decentralized and were flung around the world, widening the protection gaps and decreasing visibility into their attack surfaces,” explained RiskIQ.

Some ransomware groups have claimed they will not attack healthcare organizations during the COVID-19 public health emergency, but there are some groups that are making no such allowances. Attacks have become easier and they are taking advantage. “Cybercriminals are capitalizing on coronavirus concerns, which has led to a spike in malicious online activity that we assess will increasingly impact healthcare facilities and COVID-19 responders.”

Paying the Ransom Does Not Guarantee Recovery

16% of healthcare victims have reported they paid the ransom to obtain the keys to unlock their files. The report suggests the average ransom payment in those attacks was $59,000. While paying the ransom is an option, it is discouraged by the FBI as it just encourages further attacks and there is no guarantee that files can be recovered. The RiskIQ report cites a Wall Street Journal article that suggests fewer than 50% of the decryption keys are effective, so some data loss is inevitable even if the ransom is paid. There have also been cases where ransom payments have been made only for the attackers to then demand a further payment to provide the keys to unlock encryption. Paying a ransom also sends a message to other attackers that payment is likely if they are attacked, so the organization may be targeted again by the same or different threat actors.

Ransomware gangs are using a variety of methods to gain access to healthcare networks to deploy ransomware. Spam email is commonly used to trick healthcare employees into clicking malicious links that trigger a ransomware download or opening malicious email attachments containing ransomware downloaders. Vulnerabilities in software are commonly exploited, with many attacks taking advantage of vulnerabilities in Remote Desktop Protocol. The high number of workers now accessing healthcare networks remotely using Virtual Private Networks (VPNs) has seen VPN vulnerabilities targeted by ransomware gangs. Several vulnerabilities have been identified in VPN infrastructure over the past year, and while patches have been released to correct flaws, they are often not applied.

Steps to Take to Reduce Risk and Prevent Ransomware Attacks

The advice to all organizations has long been to ensure backups are regularly made to allow files to be recovered in the event of an attack, but having backups is no guarantee that they can be used to restore data. Several threat groups have been conducting manual ransomware attacks and spend long periods of time with network access before deploying ransomware. In addition to moving laterally and gaining access to large parts of the network, they have also been able to insert their ransomware into backup systems to ensure that backups are also encrypted.

RiskIQ advises healthcare organizations to ensure backups are created often and stored offline, or at least on different networks. Encryption of stored data is also important. There has been an increase in data theft prior to ransomware deployment; if stored data is encrypted, the attackers cannot read it even if they manage to steal it.

RiskIQ emphasizes the importance of having an incident response plan, as this will help ensure attacks can be mitigated quickly to minimize the damage caused. Prompt patching is also essential. The importance of patching cannot be overstated, warns RiskIQ.

It is especially important during the COVID-19 crisis to ensure all digital assets that connect to the organization from outside the protection of the firewall are tracked and protected, as attackers are actively searching for these devices; they often provide an easy entry point to healthcare networks.

It is also important to prepare the workforce and provide training to help employees identify threats such as phishing attacks. Phishing simulation exercises can help to reduce susceptibility to ransomware attacks. IT teams should also keep up to date on the latest attack trends, as they are constantly changing.


Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services

On April 2020 Patch Tuesday, Microsoft released updates to correct 113 vulnerabilities in its operating systems and software solutions, 19 of which have been rated critical. This month’s round of updates includes fixes for at least 3 zero-day vulnerabilities that are being actively exploited in real world attacks.

Two of the actively exploited vulnerabilities were announced by Microsoft in March and Microsoft suggested workarounds to limit the potential for exploitation. The flaws – CVE-2020-0938 and CVE-2020-1020 – both affect the Adobe Font Manager Library and can lead to remote code execution on all supported Windows versions. The flaws are partially mitigated in Windows 10 and could only result in code execution in an AppContainer sandbox with limited privileges and capabilities. The flaws could be exploited if a user is convinced to open a specially crafted document or if it is viewed in the Windows Preview pane.

The third actively exploited zero-day is a Windows Kernel vulnerability that was discovered by Google’s Project Zero team. The flaw, tracked as CVE-2020-1027, could allow remote code execution with elevated privileges. The flaw has been exploited in attacks on Windows 10 devices, but older operating systems are also vulnerable.

A further flaw was initially reported as having been exploited but is now marked as “exploitation likely”. The flaw, tracked as CVE-2020-0968, affects Internet Explorer and concerns how the scripting engine handles objects in the memory.

A further vulnerability, CVE-2020-0935, which affects OneDrive for Windows, is rated important but it has been publicly disclosed. The flaw is due to improper handling of shortcut links. Exploitation of the flaw would allow an attacker to further compromise systems and execute additional payloads. Since OneDrive is installed on many devices and is being used extensively by remote workers for sharing and storing files, it would be an attractive vulnerability for hackers. It should therefore be prioritized along with the critical and actively exploited flaws.

Many of the vulnerabilities could be exploited by convincing an employee to visit a malicious website or open a specially crafted document sent via email, which could then result in the installation of malware, backdoors, information disclosure, and access to devices with full user rights.  With so many work-from-home employees during the COVID-19 pandemic, and with cybercriminals targeting those individuals, it is more important than ever for patches to be applied promptly.

End of Support Delayed by Microsoft for Windows 10, Windows Server, and Software and Services

Microsoft has also announced that it will be delaying end of support for certain operating systems, software, and services in 2020, to ease the pressure on IT departments at this difficult time.

Many IT workers have also been forced to work from home and the increased stress of managing IT and providing support to a largely at-home workforce has meant there has been little time to take the necessary steps to prepare for updates to software and operating systems.

“As a member of the global community, we want to contribute to reducing the stress our customers face right now. To that end, we have delayed the scheduled end of support and servicing dates for the following products to help people and organizations focus their attention on retaining business continuity,” explained Microsoft in a recent support article.

End of support dates have been extended for the following operating systems, software, and services.

  • Windows 10 1709/1809: April 14, 2020 >> October 13, 2020
  • Windows Server 1809: May 12, 2020 >> November 10, 2020
  • Configuration Manager version 1810: May 12, 2020 >> November 10, 2020
  • SharePoint Server 2010, SharePoint Foundation 2010, and Project Server 2010: May 27, 2020 >> December 1, 2020
  • Dynamics 365 Cloud Services: October 13, 2020 >> April 13, 2021
  • Basic Authentication in Exchange Online: September 2020 >> December 2020

End of support dates for all other software and services scheduled for 2020 remain unchanged.


More than 82% of Public-Facing Exchange Servers Still Vulnerable to Actively Exploited Critical Flaw

On February Patch Tuesday, 2020, Microsoft released a patch for a critical vulnerability affecting Microsoft Exchange Servers which could potentially be exploited by threat actors to take full control of a vulnerable system. Despite Microsoft warning that the flaw would be attractive to hackers, patching has been slow.

An analysis conducted by cybersecurity firm Rapid7 revealed more than 82% of public-facing Exchange servers remained vulnerable and had not been patched. The firm’s scan identified 433,464 public-facing Exchange servers, and at least 357,629 were vulnerable to an attack exploiting the CVE-2020-0688 vulnerability.

Exchange administrators may not have prioritized the patch as the vulnerability is a post-authentication flaw, meaning an attacker must first log in with a valid account; however, attacks could take place using any stolen email credentials or by using brute force tactics to guess weak passwords.

Several proof-of-concept exploits for the flaw have been published on GitHub, and there have been reports of nation state Advanced Persistent Threat groups attempting to exploit the flaw using brute force tactics to obtain credentials and credentials stolen in previous data breaches.

If the flaw is exploited, hackers would be able to gain access to Exchange Servers and compromise the entire Exchange environment. That would allow them to obtain all email communications, create new email accounts, falsify messages, and remotely execute code on compromised servers with SYSTEM privileges.

Microsoft previously said there are no mitigations or workarounds that can be implemented to prevent exploitation. The only way to prevent the flaw from being exploited is to ensure the patch is applied on all vulnerable servers.

Since attacks are known to have already been conducted, in addition to applying the patch, administrators should also investigate to determine whether attacks have already been conducted and have been successful.

Rapid7 recommends that Exchange administrators check the Windows Event and IIS logs for signs of compromise. Any compromised email account used in an attack on an Exchange server will leave traces of the exploit code in the log files.

“The exploit attempts show up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry will include the compromised user account as well as a very long error message that includes the text Invalid viewstate. What you are seeing is portions of the encoded payload,” explained Rapid7. “You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), which contain the string __VIEWSTATE and __VIEWSTATEGENERATOR.”
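
Both checks Rapid7 describes, the Application event log entry and the /ecp requests in the IIS logs, as an added Python example that is not Rapid7's or Microsoft's code: the IIS excerpt and event records are constructed, and the "Current user:" layout used to pull the account name out of the event message is an assumption.

```python
"""Scan IIS W3C logs and exported Application-log records for the two CVE-2020-0688
indicators Rapid7 describes. Added example, not Rapid7's tooling; data is constructed."""
import re
from urllib.parse import parse_qs

# Constructed IIS W3C excerpt (default Exchange front-end field set).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-04-01 10:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 200
2020-04-01 10:00:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234&__VIEWSTATE=%2FwEPDwU 443 CORP\\jdoe 203.0.113.7 500
2020-04-01 10:00:12 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\admin 10.0.0.9 200
"""
# Constructed records shaped like rows exported from the Windows Application log.
EVENTS = [
    {"Source": "MSExchange Control Panel", "Level": "Error", "EventID": 4,
     "Message": "Current user: 'CORP\\jdoe'\nRequest for URL '/ecp/default.aspx' "
                "failed with the following error:\nInvalid viewstate. /wEPDwU..."},
    {"Source": "MSExchange Control Panel", "Level": "Warning", "EventID": 4,
     "Message": "Current user: 'CORP\\admin'\nUnrelated ECP warning."},
]

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def suspicious_ecp_requests(text):
    """IIS requests under /ecp whose query string carries both ViewState fields."""
    hits = []
    for rec in parse_w3c(text):
        query = parse_qs(rec.get("cs-uri-query", "-"))
        if (rec.get("cs-uri-stem", "").lower().startswith("/ecp")
                and "__VIEWSTATE" in query and "__VIEWSTATEGENERATOR" in query):
            hits.append(rec)
    return hits

def exploit_attempts(events):
    """(account, message) for Application-log entries matching Rapid7's indicator;
    the 'Current user:' prefix used to extract the account is an assumed layout."""
    found = []
    for ev in events:
        if (ev["Source"] == "MSExchange Control Panel" and ev["Level"] == "Error"
                and ev["EventID"] == 4 and "Invalid viewstate" in ev["Message"]):
            match = re.search(r"Current user: '([^']+)'", ev["Message"])
            found.append((match.group(1) if match else None, ev["Message"]))
    return found
```

On a real server the IIS excerpt would be read from the front-end log directory and the event records from an export of the Application log; an account that appears in either list should be treated as compromised and reset.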

In addition to discovering a worrying number of Exchange servers vulnerable to the CVE-2020-0688 vulnerability, the researchers also found an alarming number of Exchange servers were missing several updates for other critical flaws. The researchers identified 31,000 Exchange servers that had not received an update since 2012 and 800 Exchange servers that had never been updated.

Come October, Microsoft will be ending support for Exchange 2010. It is concerning that 166,000 public-facing Exchange servers are still running Exchange 2010 so close to the end-of-support date.

The post More than 82% of Public-Facing Exchange Servers Still Vulnerable to Actively Exploited Critical Flaw appeared first on HIPAA Journal.

INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations

INTERPOL has issued an alert to hospitals over continuing ransomware attacks during the 2019 Novel Coronavirus pandemic. While some ransomware gangs have publicly stated they will stop attacking healthcare providers that are on the front line dealing with COVID-19, many are still conducting attacks, and those attacks have increased.

Attempted Ransomware Attacks on Healthcare Organizations Increased over the Weekend

Last weekend, INTERPOL’s Cybercrime Threat Response (CTR) team detected a significant increase in attempted ransomware attacks on hospitals and other organizations and infrastructure involved in the response to the coronavirus pandemic and issued a ‘Purple Notice’ alerting police forces in all 194 member countries of the increased risk of attacks.

“As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients,” said INTERPOL Secretary General Jürgen Stock. INTERPOL also explained that ransomware attacks would cause a delay in providing essential care to COVID-19 patients and could also directly lead to deaths.

The medical research firm Hammersmith Medicines Research in the United Kingdom is one of the firms that was recently attacked. The company, which is poised to assist with the development of a vaccine for SARS-CoV-2, was attacked by the Maze ransomware gang, which published sensitive data stolen in the attack when the ransom was not paid. The Maze gang then issued a press release explaining that all attacks on healthcare organizations would be halted during the COVID-19 crisis, and the data stolen in the attack was removed from the Maze website. However, other threat groups remain highly active and are still targeting healthcare organizations.

A recent attack was reported by the Pleasanton, CA-based biotechnology firm 10x Genomics. The Sodinokibi (REvil) ransomware gang claimed to have downloaded 1TB of data from the firm before deploying their ransomware payload. A sample of that data was published online in an attempt to pressure the firm into paying the ransom.

In a recent SEC filing, the company explained that it is working with law enforcement and has engaged a third-party firm to assist with the investigation. 10x Genomics reports that it was able to restore normal business operations quickly, without the attack impacting daily operations. “It is particularly disappointing that we would be attacked at a time when our products are being used widely by researchers around the world to understand and fight COVID-19,” said a 10x Genomics spokesperson.

Assistance Being Offered to Healthcare Organizations

INTERPOL’s CTR team is working with hospitals and other healthcare providers that have been targeted with ransomware to help them defend against attacks and recover when attacks succeed.

INTERPOL warns that ransomware is primarily being spread via malicious code in email attachments which triggers a ransomware download when opened. Hyperlinks are also commonly used to direct users to malicious websites where ransomware is downloaded.

INTERPOL advises healthcare organizations to take the following steps to protect their systems from attack and ensure a fast recovery is possible in the event of an attack succeeding:

Attacks are also taking place through the exploitation of vulnerabilities in RDP and VPN systems, so it is essential for all software to be kept up to date and for patches to be applied promptly. The Sodinokibi threat group has been exploiting vulnerabilities in VPNs in attacks on healthcare organizations. In a blog post last week, Microsoft stated it has been helping hospitals secure their systems by alerting them to unpatched vulnerabilities in their VPN devices. Microsoft has also suggested best practices for securing systems to prevent attacks.

The post INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations appeared first on HIPAA Journal.