The American Hospital Association (AHA) is urging the U.S. Department of Health and Human Services (HHS) to reconsider its plan to make it mandatory for hospitals to comply with new cybersecurity requirements and issue financial penalties if they fail to do so.

Last week, the HHS published its healthcare cybersecurity strategy, which outlines the steps the HHS has taken and plans to take in the future to improve healthcare cybersecurity. Those plans include introducing two tiers of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) – essential and enhanced. The essential HPH CPGs will include high-impact cybersecurity requirements for improving cyber resiliency and are intended to establish a baseline for cybersecurity, whereas the enhanced HPH CPGs are desirable cybersecurity requirements to further improve security and protect patient privacy. While both tiers of HPH CPGs would be voluntary initially, the HHS explained in its cybersecurity strategy that it plans to make the essential HPH CPGs enforceable in the future and will be working with Congress to increase the penalties for HIPAA violations.

The AHA believes that forcing hospitals to make investments in cybersecurity and imposing financial penalties if they suffer a cyberattack and haven’t implemented certain cybersecurity measures would be counterproductive and undermine the efforts hospitals are already making to improve cybersecurity. “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” said AHA President and CEO Rick Pollack. “The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency, and many others to prevent and mitigate cyberattacks.”

While the AHA expressed support for the HHS proposal to issue incentives for improving cybersecurity and make funding available to help hospitals with low resources cover the initial cost of cybersecurity improvements, punishing hospitals financially is unfair, especially when cyberattacks are commonly conducted by sophisticated cyber actors who work in collusion with hostile nation-states.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

The post AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures appeared first on HIPAA Journal.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has released a threat report warning about the risks of open source software, which can be far-ranging in healthcare. Open source software was first pioneered by scientists, researchers, and academics and was predicated on the free and open sharing of knowledge. The code for the software is available for anyone to inspect, and changes can be suggested to improve functionality and correct errors and vulnerabilities. As software became more commercialized, there was a decline in open source software; however, it is still pervasive, especially in healthcare where the code is used in a wide range of systems, including electronic health records, prescription software, medical billing software, clinic management software, inventory management software, and medical device components.

Benefits and Risks of Open Source Software

Open source software has many benefits such as lowering starting costs, shortening the time to market, increasing feedback and collaboration, and allowing more flexible software development processes, and these benefits can be considerable. It is therefore no surprise that this year’s Open Source Security and Risk Analysis Report from Synopsis found open source software in 96% of scanned codebases, and 76% of the code in the codebases was open source. In healthcare, health tech, and life sciences, the percentage of codebases containing open source code increased from around 65% in 2018 to 80% in 2022.

Synopsis determined that 84% of codebases contained at least one vulnerability and 48% of codebases contained high-risk vulnerabilities. While having many eyes looking at code increases the chance of vulnerabilities being identified and corrected, publishing the code does not guarantee that the code will be inspected for vulnerabilities and security issues, nor that the people who do inspect the code are capable of finding vulnerabilities. The code is also available to malicious actors who can search for vulnerabilities that they can exploit.

Open source code can be used by software developers to add certain functions quickly, easily, and cheaply, and as such, open source code is extensively used, which means that if vulnerabilities exist, they are likely to be embedded in many thousands of applications. One problem with the use of open source code is it is often incorporated into applications but is never updated and many organizations fail to track where open source code has been used. If vulnerabilities are identified and fixed in open source code, those fixes may never be applied since organizations may be unaware of the applications that need to be updated. Further, vulnerabilities may not be found and addressed, as open source projects often lack centralized quality controls, there is no guarantee that the code has been rigorously tested, and open-source projects tend to lack the structure or resources required to take accountability for security issues.

Open Source Software Vulnerabilities Exploited in Healthcare Cyberattacks

While there have been no documented cyberattacks that have specifically targeted medical devices by exploiting open source software vulnerabilities, the potential for harm from attacks on medical devices is considerable. Attacks exploiting open source vulnerabilities could result in medical devices such as insulin pumps, implanted cardioverter defibrillators, defibrillators, and ventilators malfunctioning, with severe implications for patient safety.

Open source software vulnerabilities have been exploited in attacks on the healthcare sector, such as the Heartbleed vulnerability discovered in August 2014 which left networks vulnerable to eavesdropping and data theft. One attack on a health system exploited Heartbleed to gain access to the PHI of 4.5 million patients. More recently, in August 2020, several zero-day vulnerabilities in an open-source integrated information management system at a hospital exposed patients’ test results, and in December 2021, the Log4Shell flaw in the open source Log4j software, which is used to add logging capabilities to Java-based applications, was extensively exploited. The flaw was exploited by nation-state hacking groups such as HAFNIUM, PHOSPHOROUS, and APT35 and allowed access to be gained to sensitive data and for hackers to take full control of vulnerable devices. The vulnerability was also exploited by cybercriminal groups such as Conti in ransomware attacks. In January this year, a series of flaws were found in the open source software used by OpenEMR, which could be exploited to steal patient data and potentially compromise the entire IT infrastructure of an organization.

Recommendations for Reducing Open Source Software Risks

In order to address the risks of open source software, organizations need to know what open source components have been used. There has been a push for software developers to provide a Software Bill of Materials (SBOM) with their software, and healthcare organizations should demand an SBOM from their vendors and should conduct a software composition analysis (SCA) – an automated process to identify open source software in a codebase. HC3 also recommends other steps that can be taken by small and medium/large organizations to reduce open source software risks.

The post Healthcare and Public Health Sector Warned About Open Source Software Risks appeared first on HIPAA Journal.

Three critical vulnerabilities in the ownCloud platform have been identified, one of which is being actively exploited. Urgent action is required to address the vulnerabilities to protect sensitive networks and sensitive data.

The ownCloud platform is used extensively in healthcare for storing, synchronizing, and sharing files and collaborating and consolidating work processes. As such, the platform is a prime target for malicious actors as it allows them to access highly sensitive data. The Clop hacking groups demonstrated how serious vulnerabilities in file sharing platforms can be, having mass exploited vulnerabilities in Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer solution earlier this year.

Security advisories were issued by ownCloud on November 21, 2023, about three vulnerabilities, the most serious of which has a maximum CVSS v3.1 severity score of 10. The remaining two vulnerabilities have been assigned CVSS scores of 9.8 and 9. Evidence of active exploitation of the flaws was identified by the cybersecurity firm Greynoise from November 25, 2023, with the malicious activity originating from 32 unique IP addresses.

• CVE-2023-49103 – A critical vulnerability in versions 0.2.0 – 0.3.0 of the graphapi app that allows disclosure of sensitive credentials and configuration in containerized deployments. The graphapi app relies on a third-party library that provides a URL. When the URL is accessed, it reveals the configuration details of the PHP environment, which includes environment variables for the webserver. In containerized deployments, the disclosed information can include the ownCloud admin password, mail server credentials, and license key. The vulnerability has a CVSS severity score of 10 out of 10.
• CVE-2023-49105 – A critical WebDAV API authentication bypass vulnerability using pre-signed URLs. The vulnerability affects core 10.6.0 – 10.13.0 and can be exploited to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default setting. The vulnerability has a CVSS severity score of 9.8 out of 10.
• CVE-2023-49104 – A critical subdomain validation bypass vulnerability in oauth2 < 0.6.1. An attacker can pass in a specially crafted redirect-URL that bypasses the validation code, allowing the attacker to redirect callbacks to a TLD controlled by the attacker. The vulnerability has a CVSS severity score of 9.0 out of 10.

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning on December 5, 2023, urging HPH sector organizations to take immediate action and apply the actions recommended by ownCloud. “The nature of this platform is such that it needs to be integrated into the information infrastructure of a customer organization to function, which provides attackers with a target that can potentially provide access to sensitive information, as well as a staging point for further attacks,” explained HC3.

At present, only the CVE-2023-49103 is believed to have been actively exploited in attacks in the wild. This vulnerability should therefore be treated with the highest priority; however, the remaining vulnerabilities should also be addressed as soon as possible as exploitation is likely.

ownCloud notes that while the graphapi app can be disabled, that will not fully address the CVE-2023-49103 vulnerability. The owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file should also be deleted and the phpinfo function should be disabled in Docker containers. Owncloud also recommends changing potentially exposed secrets such as the credentials for ownCloud administration, the mail server, the database, and the Object-Store/S3 access key. Owncloud’s mitigations for the vulnerabilities can be found on the following links:

• CVE-2023-49103 mitigations
• CVE-2023-49105 mitigations
• CVE-2023-49104 mitigations

The post Urgent Action Required to Address Critical ownCloud Vulnerabilities appeared first on HIPAA Journal.

Concern is growing as ransomware groups ramp up exploitation of a critical vulnerability in NetScaler ADS (formerly Citrix ADC) and NetScaler Gateway (Citrix Gateway) devices, dubbed Citrix Bleed.

Citrix issued a security advisory about the vulnerability on October 10, 2023, and issued a patch to correct the flaw, which can be exploited to bypass password protection and multifactor authentication. The buffer overflow vulnerability is tracked as CVE-2023-4966 and has a CVSS severity score of 9.4 out of 10. The vulnerability appears to have been exploited in the wild since August 2023. The vulnerability is easy to exploit and allows threat actors to take over legitimate user sessions. Once initial access has been gained, threat actors can elevate privileges, harvest credentials, move laterally, and access sensitive data and resources.

The vulnerability affects the following NetScaler ADC and Gateway versions:

• NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
• NetScaler ADC and NetScaler Gateway  13.1-49.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
• NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers still using these versions should upgrade their appliances to one of the supported versions.

On October 18, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog, and a security advisory about the flaw was issued on November 21, 2023, as it became clear that the vulnerability was being exploited more widely, including by the LockBit 3.0 ransomware group in attacks on critical infrastructure.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an urgent security advisory to the healthcare and public health (HPH) sector about the flaw along with a further advisory on November 30, 2023, urging healthcare organizations to patch the vulnerability as soon as possible to protect against exploitation. Applying the patch will prevent the vulnerability from being exploited; however, if it has already been exploited, the compromised sessions will remain active. Steps must therefore also be taken to ensure all active sessions are removed.

To remove active and persistent sessions after the patch has been applied, admins should run the following commands:

• kill aaa session -all
• kill icaconnection -all
• kill rdp connection -all
• kill pcoipConnection -all
• clear lb persistentSessions

Steps should also be taken to investigate potential exploits of the vulnerability. NetScaler has issued guidance for investigations and CISA has published Indicators of Compromise associated with LockBit 3.0 along with the tactics, techniques, and procedures (TTPs) used by the group and mitigation steps for defending against ransomware attacks.

The American Hospital Association has recently issued a security advisory urging hospitals to take immediate action to protect against exploitation of the Citrix Bleed vulnerability, given that hospitals are prime targets for ransomware groups. “This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems.  Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season.”

The post Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks appeared first on HIPAA Journal.

Becton, Dickinson and Company (BD) has recently disclosed seven vulnerabilities in its FACSChorus software. The vulnerabilities are low- to medium-severity with CVSS scores ranging from 2.4 to 5.4. Successful exploitation of the vulnerabilities could allow an attacker to modify system configurations, access sensitive data, or access system components; however, in order to exploit the vulnerabilities an attacker would need to have physical access.

The vulnerabilities, in order of severity, are:

CVE-2023-29060 – Missing protection mechanism for alternate hardware interface – CVSS 5.4

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1 – The workstation operating system does not restrict what devices can interact with its USB ports. The vulnerability could be exploited with physical access to gain access to system information and potentially exfiltrate data.

CVE-2023-29061 – Missing authentication for critical function – CVSS 5.2

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation has no BIOS password. The vulnerability could be exploited with physical access to change the BIOS configuration and modify the drive boot order and BIOS pre-boot authentication.

CVE-2023-29064 – Hard-coded credentials – CVSS 4.1

Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software contains sensitive information stored in plaintext. A threat actor could gain hardcoded secrets used by the application, including tokens and passwords for administrative accounts.

CVE-2023-29065 – Insecure inherited permissions – CVSS 4.1

Vulnerability is present in BD FACSChorus v5.0 and v5.1. The software database can be accessed directly with the privileges of the currently logged-in user. Exploitation would allow a threat actor with physical access to potentially gain credentials, and then alter or destroy data stored in the database.

CVE-2023-29062 – Improper authentication – CVSS 3.8

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The operating system hosting the FACSChorus application is configured to allow the transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. NTLMv2 hashes can be sent to a malicious entity position on the local network and can be brute-forced if a weak password is used.

CVE-2023-29066 – Incorrect privilege assignment – CVSS 3.2

Vulnerability is present in BD FACSChorus v5.0 and v5.1 and the respective workstations. The software does not properly assign data access privileges for operating system user accounts. A non-administrative OS account can modify information stored in the local application data folders.

CVE-2023-29063 – Missing protection mechanism for alternate hardware interface – CVSS 2.4

Vulnerability is present in BD FACSChorus v5.0, v5.1, v3.0, and v3.1. The workstation does not prevent physical access to its PCI express (PCIe) slots. A threat actor could insert a PCI card designed for memory capture and isolate sensitive information such as a BitLocker encryption key from a dump of the workstation RAM during startup.

BD notified CISA about the vulnerabilities and confirmed that all 7 of the vulnerabilities will be addressed in an upcoming software release but has suggested mitigations and compensating controls that can be implemented in the interim. These include ensuring physical access controls are in place to restrict access to the software and respective workstations to authorized end users, ensuring industry-standard security controls are implemented if the workstations are connected to the local network, and tightly controlling administrative access to the software and workstations.

The post BD Discloses Vulnerabilities in FACSChorus Software appeared first on HIPAA Journal.

An international law enforcement operation has led to the arrest of multiple core members of an organized group of ransomware affiliates in Ukraine. The members of the group were behind attacks involving ransomware variants such as LockerGoga, MegaCortex, HIVE, and Dharma, which were used in more than 250 ransomware attacks in large organizations in 71 countries. The attacks conducted by the group resulted in losses of several hundred million dollars.

The group exploited unpatched vulnerabilities, conducted brute force and SQL injection attacks, and also used stolen credentials and phishing for initial access. Once access was gained to networks, the group used tools such as TrickBot malware, along with post-exploitation frameworks such as Cobalt Strike and PowerShell Empire to move laterally and remain inside networks undetected. In some cases, the dwell time was several months before ransomware was deployed to encrypt files. Members of the group had different responsibilities, with some tasked with gaining access to networks while others were responsible for negotiating with victims and laundering the proceeds of the attacks.

A joint investigation was launched in September 2019 by the French authorities that involved law enforcement agencies in Norway, the United Kingdom, and Ukraine, with financial support provided by Eurojust and assistance provided by Europol. Parallel investigations were also conducted by law enforcement agencies in the Netherlands, Germany, Switzerland, and the United States which helped uncover the true magnitude and complexity of the operation. Europol established a virtual command center in the Netherlands which received data seized in the raids.

On November 21, 2023, coordinated raids were conducted at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia in Ukraine. More than 20 investigators took part in the operation and assisted the Ukrainian National Police. The Ukrainian National Police seized computer equipment, electronic media, and other evidence of illegal activities, along with cars, bank and SIM cards, and almost 4 million hryvnias ($110,050) in cash and cryptocurrency assets. The 32-year-old mastermind of the operation was arrested along with four of his most active accomplices.

The latest arrests follow a first round of arrests in 2021 using the same investigation framework. 12 individuals were arrested in the raids on October 26, 2021, in Ukraine and Switzerland, all of whom had been involved in multiple ransomware attacks. In addition to the arrests, $52,000 in cash was seized along with 5 luxury vehicles and many electronic devices. The analysis of the electronic devices and other evidence collected in the first round of raids led to the identification of the suspects that were targeted in the latest phase of the operation.

The post Ransomware Affiliate Group Dismantled in International Law Enforcement Operation appeared first on HIPAA Journal.

Data breaches have recently been reported by Warren General Hospital in Pennsylvania, Southwest Behavioral Health Center in Utah, CareTree in Illinois, and the Medical University of South Carolina.

Warren General Hospital Data Breach

On November 9, 2023, Warren General Hospital (WGH) in Warren, PA, announced it had fallen victim to a cyberattack that potentially affected the confidential information of current and former patients and employees. Suspicious activity was detected within its network on September 24, 2023. Assisted by third-party cybersecurity experts, WGH determined that an unauthorized actor had access to its network between September 15, 2023, and September 23, 2023, and during that time, downloaded files from its network.

The review of the files confirmed they contained names, in combination with one or more of the following:  address, date of birth, Social Security number, financial account information, payment card information, health insurance claims information, and medical information, which may have included diagnosis, medications, lab results, and other treatment information.

WGH said existing policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 168,921 patients.

Southwest Behavioral Health Center Data Breach

Southwest Behavioral Health Center, a Saint George, UT-based provider of mental health treatment and psychiatric services, has recently reported a data breach to the HHS’ Office for Civil Rights that affected 17,147 current and former patients.

A security breach was detected on March 13, 2023, and a third-party cybersecurity firm was engaged to investigate and determine the extent to which patient data had been compromised. The investigation revealed an unauthorized third party gained access to parts of its system containing files that included patient data prior to March 13, 2023l however, it was not possible to determine the specific files that may have been accessed or copied from its network.

The review of the files potentially involved confirmed they contained patient data such as names, dates of birth, Social Security numbers, personal health record information, and medical information. After verifying contact information, notification letters started to be issued on November 9, 2023, to all patients that had potentially been affected.

Medical University of South Carolina Data Breach

The Medical University of South Carolina (SUMC) in Charleston has been affected by a data breach at one of its third-party vendors. Westat collects data from SUMC patients on behalf of the Centers for Disease Control and Prevention (CDC) for public health reporting purposes. Westat used Progress Software’s MOVEit Transfer file transfer solution, a zero-day vulnerability in which was exploited by the Clop hacking group between May 28 and May 29, 2023. Westat has already reported the breach to the HHS’ Office for Civil Rights in two separate reports, one affecting 50,065 individuals and a second affecting 20,045. SUMC reported the breach as affecting 1,758 individuals and said it involved names, addresses, dates of birth, diagnoses, provider names, and insurance information.

CareTree Data Breach

CareTree Inc., a Chicago, IL-based provider of smart care management and patient advocate software for care providers, has recently confirmed there has been unauthorized access to the CareTree platform. Suspicious activity was detected within its platform on or around August 16, 2023. The forensic investigation confirmed access to the platform was gained on July 21, 2023.

The review of the affected files confirmed that they contained the information of 1,097 CareTree patients; however, CareTree was unable to confirm the specific information exposed for each patient because the information is no longer available. The types of information potentially compromised included names, addresses, driver’s license numbers, Social Security numbers, financial account information, dates of birth, medical information including diagnosis, lab results, medications or other treatment information, and/or health insurance information. In its substitute breach notice, CareTree said, “CareTree will provide notice of this event to all individuals whose personal information was involved, along with information and steps potentially impacted individuals can take to better protect their information.”

The post Warren General Hospital Data Breach Affects 169,000 Patients appeared first on HIPAA Journal.

The Health Sector Cybersecurity Coordination Center (HC3) has warned healthcare organizations that use Fortinet’s FortiSIEM platform to patch a critical vulnerability that is likely to be targeted by malicious actors and has issued a threat brief on Emotet malware.

FortiSIEM Command Injection Vulnerability – CVE-2023-36553

A critical vulnerability has been identified by Fortinet in its FortiSIEM platform. The vulnerability has been assigned a CVSS v3.1 severity score of 9.8 out of 10 and can be exploited remotely by malicious actors to execute arbitrary commands. The flaw is related to a bug discovered and patched by Fortinet in October 2023 – CVE-2023-34992. While there have been no known instances of the vulnerability being exploited in attacks, Fortinet vulnerabilities are actively targeted by malicious actors and exploitation of the flaw is likely.

“An improper neutralization of special elements used in an OS command vulnerability in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” said Fortinet in a recent security advisory.

The vulnerability affects the following FortiSIEM versions: 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4. Users should upgrade to a fixed version as soon as possible. The vulnerability has been fixed in versions: 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.

Emotet Malware – A Persistent Threat to the HPH Sector

Emotet malware was first identified in 2014 and started life as a banking Trojan; however, the malware has evolved over the years and is now commonly used as a first-stage malware for delivering other malware payloads such as banking Trojans, multi-purpose malware, information stealers, and ransomware, including the infamous TrickBot Trojan. Devices infected with Emotet are added to a botnet under the control of the operator of the malware, a group tracked as Mummy Spider, also known as TA542, GOLD CABIN & Mealybug, which is believed to operate out of Ukraine.

At its height, Emotet was called the world’s most dangerous malware by Europol, and Check Point data suggests one in every 5 organizations worldwide has been infected with Emotet. Emotet activity follows a rhythm of around 2-3 months of attacks followed by a period of little to no activity, which can last between 3 and 12 months. In January 2021, an international law enforcement operation took control of the botnet’s infrastructure, and an update was pushed out that uninstalled the malware from all infected devices. 10 months later, the botnet had been rebuilt.

While activity did not recover to the levels at the height of its success, the botnet continues to grow and still poses a significant threat. There were activity spikes in late spring 2022 before activity dropped off, and activity spiked again in Spring 2022. According to Check Point, the botnet now consists of around 130,000 unique devices in 179 countries and Emotet was the most prolific malware variant in February 2023. Emotet is used to gain initial access to networks, can elevate privileges, evade defenses, steal credentials, move laterally, exfiltrate data, and download other malware payloads and has been, and still is, one of the most potent weapons against the health sector. Recent activity includes the delivery of ransomware variants such as Quantum and BlackCat.

Emotet malware is most commonly delivered via phishing emails containing malicious URLs that link to a document containing a malicious macro that downloads the Emotet payload. The malware achieves persistence through Windows registry keys which ensure the malware executes on each reboot. The malware may also achieve persistence via the Windows Startup folder or via scheduled tasks and can also run as a Windows service that is executed automatically. HC3’s Emotet Threat Brief includes recommendations for healthcare and public health sector organizations on defense and mitigations.

The post HC3 Warns HPH Sector About Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat appeared first on HIPAA Journal.