The World Health Organization (WHO) and its partners have been targeted by a sophisticated group of hackers who attempted to steal login credentials to gain access to its network by impersonating WHO’s internal email system. Spear phishing emails were sent to several WHO staffers that included links to a malicious website hosting a phishing kit.

The attack was detected on March 13 by cybersecurity expert, Alexander Urbelis, an attorney with New York-based Blackstone Law Group. The malicious website used to host the fake WHO login page had previously been used in other attacks on WHO employees.

It is unclear who was responsible for the campaign, but it is believed to be a South Korea-based threat group called DarkHotel. The aims of the attackers are not known, although Urbelis suggests the highly targeted nature of the attack, suggests the attackers were looking for specific credentials. DarkHotel has previously conducted several attacks in East Asia for espionage purposes. It is possible that the hackers were trying to gain access to information about possible treatments, potential cures, or vaccines for COVID-19.

The story was first reported by Reuters, which contacted WHO CISO, Flavio Aggio for further information. Aggio said the campaign was not successful and no data was harvested by the attackers. Aggio confirmed that there has been a large increase in incidents targeting WHO in recent weeks. WHO has been impersonated in several phishing campaigns that attempt to steal credentials and spread malware. According to Aggio, attacks targeting and impersonating WHO have more than doubled during the coronavirus pandemic.

Phishers Abuse Open Redirect on HHS Website to Deliver Racoon Information Stealer

Phishers have been discovered to be abusing an open redirect on the HHS.gov website to send individuals to a phishing webpage.

Open redirects are used on websites to redirect visitors to other webpages. Open redirects can be used by anyone and are often abused by cybercriminals in phishing campaigns. URLs start with the official website of the site hosting the open redirect, so individuals checking the link may be fooled into thinking they are navigating to a legitimate website. They will be initially, but the final destination is a phishing webpage.

The email used a COVID-19 lure and provided information about the coronavirus and included a link with the text “Find and research your medical symptoms.”

The open redirect was discovered by security analyst @SecSome on a subdomain of the Departmental Contracts Information System. It was used to link to a malicious attachment that included a lnk file that unpacks a VBS script that downloads the Racoon information stealer. The Racoon information stealer is capable of stealing credentials and sensitive data from around 60 different applications.

Maze Ransomware Gang Attacks UK COVID-19 Research Firm

The Maze ransomware gang has attacked the UK vaccine research firm Hammersmith Medicines Research (HMR) and succeeded in encrypting files and stealing sensitive data. HMR has previously developed a vaccine for Ebola and performs early clinical trials. The company is also reportedly working on a vaccine for the 2019 Novel Coronavirus.

The ransomware attack occurred on March 14, 2020, prior to the press release from the Maze ransomware gang stating they would not be attacking healthcare organizations during the COVID-19 crisis. HMR detected the attack quickly and managed to block the attack, avoid downtime, and restore data the same day without having to pay the ransom. As is typical of the gang, when the ransom is not paid, sensitive data is published online to pressure victims into paying the ransom.

The published information has since been taken down but included sensitive information about past patients and employees. According to HMR, the data related to around 2,300 patients and was between 8 and 20 years old. It included passport copies, national insurance numbers, driver’s license copies, and sensitive personal and medical information. HMR said it has no intention of paying the ransom and does not have the money available to do so. The Maze gang has since taken the data offline.

The post Hackers Target WHO, HHS, and COVID-19 Research Firm appeared first on HIPAA Journal.

The COVID-19 crisis has meant many individuals have had to self-quarantine or self-isolate, and organizations are under increasing pressure to let their employees work from home whenever possible. While these measures are necessary to keep people safe and avoid infection, having so many employees working remotely increases cyber risk. When people work from home and connect to work networks remotely using portable electronic devices, the attack surface grows considerably and new vulnerabilities are introduced that can exploited by attackers. With attacks targeting remote workers increasing, it is important to ensure that cybersecurity best practices for protecting remote employees are adopted to reduce risk.

Phishing Campaigns Targeting Remote Workers

Cybercriminals are already exploiting the coronavirus pandemic and are using COVID-19 and coronavirus-themed lures in phishing and social engineering attacks to steal credentials and spread malware. The first major coronavirus-themed phishing and malware distribution campaigns were detected in early January and the volume of malicious messages has grown substantially in the following weeks. Phishing attacks are likely to continue to rise as cybercriminals try to steal remote access credentials, as are weaponized email attacks that spread malware.

Campaigns have also recently been detected targeting remote workers. One such campaign alerts remote employees to positive COVID-19 tests in their organization. The messages impersonate their employer and claim to contain details of emergency protocols that have been implemented, which remote workers are told they must open, read and print out. Opening the attachments and enabling content will see malware downloaded. Security researchers have also detected an increase in domains being used for drive-by malware attacks.

VPN Vulnerabilities Being Exploited

Last year, several critical vulnerabilities were identified in the Virtual Private Network (VPN) solutions that are used by remote workers to securely connect to their work networks. Pulse Connect Secure and Pulse Policy Secure gateways and FortiGuard solutions were discovered to have vulnerabilities, and while patches were released to correct the flaws, many organizations failed to apply the patches since the solutions were in use 24/7. APT groups took advantage and exploited the vulnerabilities to gain access to organizations’ networks. Now with so many workers using VPNs and working from home, attacks are increasing again.

Many organizations are now using teleconferencing solutions, VPN services, and other remote access tools for the first time, and have had to deploy the solutions rapidly. Web and email services that were only accessed internally have now had to be reconfigured to ensure external access is possible. For the first time those internal services have been exposed to the internet. The speed at which the changes have been made to accommodate telecommuting workers has meant organizations have not had time to test thoroughly and ensure security is buttoned down.

Cybersecurity Best Practices for Protecting Remote Employees

With attacks increasing it is important to adopt cybersecurity best practices for protecting remote employees against phishing attacks and malware infections.

Organizations must ensure that the latest versions of VPNs are used and patches are applied promptly. On March 13, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued another warning about patching and updating VPNs for remote workers to make sure vulnerabilities are addressed. Organizations were also urged to implement multifactor authentication for all VPNs to further enhance security.

The COVID-19 crisis is likely to last for several months, during which time many updates will need to be performed on software and operating systems. Scanning devices and ensuring patches are applied becomes more complicated with remote workers. Because it is difficult to maintain a persistent and routable connection to users’ devices when working remotely, the cloud should be considered for managing cybersecurity rather than in-house corporate cybersecurity solutions.

Ensure multifactor authentication is implemented for all applications accessed remotely by employees. An increase in phishing attacks targeting remote workers means it is more likely that credentials will be compromised. Multifactor authentication will help to ensure stolen credentials cannot be used to access company resources.

It is essential for home workers to have effective security solutions on their devices. IT teams can ensure solutions are deployed on corporate-issued devices, but email security, web security, and anti-virus solutions must also be deployed on employee-owned devices that are allowed to connect to the network.

Implement a zero-trust architecture on the network for remote workers and apply the principle of least privilege. Make sure remote workers only have access to the resources they need to perform their work duties and restrict privileges as far as is possible. If credentials are compromised, this will limit the harm that can be caused.

IT departments are now seeing large numbers of new devices remotely connecting to their networks, some of which will not have connected to the network before. That makes it much harder to identify attackers and easier for them to hide their connections from the security team. Monitoring must therefore be stepped up to identify malicious and suspicious behavior to identify cyberattacks in progress.

You must ensure you have sufficient licenses for software and SaaS applications to cope with the increase in remote workers. Sufficient bandwidth must be made available to cope with the increase in remote traffic. Calculate how much bandwidth you will need, then double it.

It is important not to underestimate the importance of training. A large percentage of cyberattacks occur as a result of user error. Refresher training is important for all remote workers to remind them about the risks of phishing and spoofing. With phishing attacks on remote workers soaring, training and phishing simulations are more important than ever.

Some workers may be using laptops to connect to work networks for the first time. It is essential for them to be trained on how to use new applications and security solutions. Unfamiliarity increases the potential for errors.

Remote employees should also be reminded of basic IT security practices that must be adopted when working from home. Remote workers must also be reminded about the procedures for reporting threats and potential compromises, and what to do if they think they have fallen for a scam.

The post Cybersecurity Best Practices for Protecting Remote Employees During the COVID-19 Crisis appeared first on HIPAA Journal.

Advisories have been issued about recently discovered vulnerabilities in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server.

Improper Access Control Identified in Insulet Omnipod Insulin Management System

ThirdwayV Inc. has discovered a high severity flaw in the Omnipod Insulin Management System which could allow an attacker with access to a vulnerable insulin pump to access the Pod and intercept and modify data, change insulin pump settings, and control insulin delivery.

The vulnerable insulin pumps communicate with an Insulet manufactured Personal Diabetes Manager device using wireless RF. The researchers discovered the RF communication protocol does not implement authentication or authorization properly.

The following versions are affected:

• Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160
• UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada)

The vulnerability is tracked as CVE-2020-10597 and has been assigned a CVSS v3 base score of 7.3 out of 10. There have been no reported cases of exploitation of the vulnerability.

Patients should not connect any third-party devices or use unauthorized software and should be attentive to pump notifications, alarms and alerts. Patients should monitor their blood glucose levels carefully and any unintended boluses should be cancelled at once. Insulet recommends updating to the latest model of the insulin pump, which has greater cybersecurity protections.

Patients using one of the vulnerable products have been advised to contact Insulet Customer Care or their healthcare provider for further information on the risk posed by the vulnerability.

Cross-Site Scripting Vulnerability Found in Systech NDS-5000 Terminal Server

An NDS-5000 Terminal Server cross-site scripting vulnerability has been identified that could allow an attacker to perform privileged operations on behalf of the users, access sensitive data, limit system availability, and potentially remotely execute arbitrary code. The vulnerability can be exploited remotely and requires only a low level of skill to exploit.

The vulnerability is tracked as CVE-2020-7006 and has been assigned a CVSS v3 base score of 6.8 out of 10 (medium severity). The vulnerability affects DS-5000 Terminal Server, NDS/5008 (8 Port, RJ45), firmware Version 02D.30 and has been corrected in firmware version 02F.6.

Uses of the affected product should contact Systech Technical Support for further information on updating the firmware to prevent exploitation.

The vulnerability was identified by Murat Aydemir, Critical Infrastructure Penetration Test Specialist at Biznet Bilisim A.S.

The post Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server appeared first on HIPAA Journal.

In an effort to prevent the spread of the coronavirus, many employers are telling their employees to work from home. While this measure is important for reducing the risk of contracting Coronavirus Disease 2019 (COVID-19), working from home introduces other risks.

In order to protect against cyberattacks, enterprise-class virtual private networks (VPN) solutions should be used to connect remotely to the network. VPNs secure the connection between a user’s device and the network, allowing them to access and share healthcare information securely.

While VPNs will improve security, many VPN solutions have vulnerabilities that can be exploited by cybercriminals. If those vulnerabilities are exploited, sensitive data can be intercepted, and an attacker could even take control of affected systems. Cybercriminals are actively searching for vulnerabilities in VPNs to exploit, and the increase in remote workers as a result of the coronavirus gives them many more targets to attack.

The risks associates with VPNs and the increase in the number of remote workers due to the coronavirus has prompted the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) to issue an alert advising organizations to increase VPN security and adopt cybersecurity best practices to protect against cyberattacks.

Several vulnerabilities have been discovered in popular VPN solutions in the past 12 months, including VPN applications from Palo Alto Networks, Pulse Secure, and FortiGuard. While patches have been released to address the vulnerabilities, many organizations have not updated their software to the latest version. The failure to patch negates the protection provided by the VPN.

A campaign was detected in January 2020 targeting the CVE-2019-11510 remote code execution vulnerability in Pulse Secure Connect and Pulse Policy Secure to deliver REvil ransomware. By exploiting the vulnerability, an attacker could potentially gain access to all active users and obtain their credentials in plaintext and execute arbitrary commands on VPN clients as they connect to the server. A patch to correct the vulnerability was released by Pulse Secure on April 24, 2019, yet 9 months later, many organizations are still using vulnerable versions of the VPN.

Updating VPNs can be difficult because they are often in use 24/7; however, it is essential that updates are applied due to the high risk of exploitation of unpatched vulnerabilities. CISA is urging all organizations to ensure that VPN patches are prioritized.

It is also important to make sure that users only have access to systems that are critical to perform their work duties. Ensuring remote workers have low level privileges will reduce the harm that can be caused if their credentials are compromised. IT teams should also step up monitoring of their networks and should be reviewing access logs to identify potential compromises.

CISA has also warned about an increase in phishing attacks targeting remote workers to obtain VPN credentials. Email security solutions need to be in place to capture these messages before they are delivered, and multifactor authentication should be implemented for remote access to prevent stolen credentials from being used. CISA warns that organizations that fail to implement MFA will be at greater risk from phishing attacks.

IT teams also need to make sure their systems can cope with the increased number of remote workers. CISA warns that organizations may find they only have a limited number of VPN connections, and when they are all in use some users will be prevented from accessing systems to conduct telework. “With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks,” warns CISA.

The HHS’ Centers for Medicare and Medicaid Services (CMS) has expanded Medicare telehealth benefits to help in the fight against the COVID-19 and the HHS’ Office for Civil Rights has announced it will be exercising enforcement discretion in relation to telehealth. This will allow more healthcare workers to work remotely over the coming weeks. It is therefore critical that VPN best practices are followed.

The post CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Targeting Remote Workers appeared first on HIPAA Journal.

The U.S. Department of Health and Human Services (HHS) has been targeted by cybercriminals in what appears to be an attempt to overwhelm its website with millions of hits. According to a statement issued by HHS spokesperson, Caitlin B. Oakley, the HHS detected “a significant increase in activity on HHS cyber infrastructure” in what appears to have been an attempted Distributed Denial of Service (DDoS) attack.

The individuals responsible for the attack were unsuccessful thanks to additional protections put in place to mitigate DDoS attacks as part of HHS preparation and response to the COVID-19 pandemic. “HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities,” explained Oakley.

No data breach was experienced and the HHS and federal networks are continuing to function normally. Federal cybersecurity professionals are continuing to monitor HHS computer networks and will take appropriate actions to protect those networks and mitigate any further attacks should they occur. The federal government is investigating the attack and at this stage it is unclear who was responsible.

“We have extremely strong barriers, we had no penetration into our networks, no degradation of the functioning of our networks, we had no limitation on the ability or capacity of our people to telework, we’ve taken very strong defensive actions,” said HHS Secretary, Alex Azar.

The White House National Security Council (NSC) sent a tweet on Sunday warning about a disinformation campaign which suggests President Trump is about to order a national quarantine and that the country will be placed on lockdown, as has been the case in Italy and Spain. The NSC tweet explained that these text message rumors are fake. It is unclear if the attempted DDoS attack and text message campaign are related.

There are also several phishing campaigns being conducted that are using fear about SARS-CoV-2 and COVID-19 to spread malware and obtain sensitive information. The malicious email campaigns are likely to increase as the pandemic develops. If you receive any email communication related to SARS-Cov-2 and COVID-19, verify the validity of the message before taking any actions.

For up to date information and guidance on SARS-Cov-2 and COVID-19, visit the Centers for Disease Control and Prevention (CDC) website – CDC.gov.

Illinois Public Health Network Suffers Ransomware Attack

Last week, cybercriminals launched a cyberattack on the Champaign-Urbana Public Health District in Illinois and deployed Netwalker (MailTo) ransomware. The attack disabled the public health district’s website on the morning of March 10, 2020. The incident was investigated and was confirmed as a ransomware attack within a couple of hours.

Employees were able to continue to access critical systems during the website outage. No electronic medical records or other sensitive data have been compromised. Medical records were migrated to the cloud 6 months previously. The Champaign-Urbana Public Health District has since been restored.

The post Department of Health and Human Services Targeted in Cyberattack appeared first on HIPAA Journal.