Latest HIPAA News

Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks

On May 13, 2021, President Biden signed an expansive Executive Order that aims to significantly bolster cybersecurity protections for federal networks, improve threat information sharing between the government, law enforcement and the private sector, and introduce a cyber threat response playbook to accelerate incident response and mitigation.

The 34-page Executive Order includes short time frames for making significant improvements to cybersecurity, with all elements of the Executive Order due to be implemented within the next 360 days and the first elements due in 30 days.  The Executive Order was penned following a series of damaging cyberattacks that impacted government departments and agencies, such as the SolarWinds Orion Supply chain attack and attacks on Microsoft Exchange Servers. The recent DarkSide ransomware attack on Colonial Pipeline served as yet another reminder of the importance of improving cybersecurity, not just for the Federal government but also the private sector which owns and operates much of the country’s critical infrastructure.

President Biden is planning to lead by example and is urging the private sector and critical infrastructure firms to follow the lead of the Federal government in improving resilience to cyberattacks and preparing for attacks to ensure that disruption to operational capabilities is kept to a minimum.

The key elements of the Executive Order on Improving the Nation’s Cybersecurity are:

  • Removing barriers to threat information sharing to make it easier for private sector companies to report threats and data breaches that could potentially have an impact on Federal networks.
  • Modernizing and implementing stronger cybersecurity standards in the Federal government. This includes widespread use of multifactor authentication, more extensive use of data encryption, the adoption of a zero-trust architecture, and a more rapid transition to secure cloud services.
  • The creation of a standard cyber incident response playbook. Government departments and agencies need to know, in advance, how to respond to threats. The playbook will ensure a rapid and uniform response to any cybersecurity incident.
  • Improvements to investigative and remediation capabilities. Detailed security event logs must be maintained by federal departments and agencies to ensure that cyberattacks can be easily investigated and remediated. Breach investigations have previously been hampered due to the lack of robust and consistent logging.
  • Improving software supply chain security. All software sold to the U.S. government will need to adhere to new security standards. Developers will be required to maintain greater visibility into their software solutions and make security data publicly available. The government will also launch a pilot “energy star” label program to demonstrate whether software was developed securely.
  • A Cybersecurity Safety Review Board will be created that consists of government and private sector leads that will meet following any significant security breach to analyze what has happened. Recommendations can then be made and implemented to ensure similar attacks are prevented in the future.
  • Improvements to cyber incident detection capabilities. A government-wide endpoint detection and response system will be implemented, along with robust intra-governmental information sharing.

“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” explained the Biden Administration in a statement about the Executive Order. “It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.”

The post Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks appeared first on HIPAA Journal.

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – Twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches in misdelivery of paper and electronic documents (36%), but this was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents.  32% of breached involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity.  80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

The post Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall appeared first on HIPAA Journal.

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule.

There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks.

Another area of concern relates to personal health applications (PHA). The HHS has defined PHAs, but many groups and organizations have voiced concern about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. PHAs fall outside the scope of HIPAA, so any PHI that a covered entity sends to a PHA at the request of a patient could result in a patient’s PHI being used in ways not intended by the patient. A patient’s PHI could also easily be accessed and used by third parties.

PHAs may not have robust privacy and security controls since compliance with the HIPAA Security Rule would not be required. There is no requirement for covered entities to enter into business associate agreements with PHA vendors, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.

“Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” suggested the American Hospital Association in its feedback to the HHS.

The College of Healthcare Information Management Executives (CHIME) has voiced concerns about the proposal for covered entities to require PHAs to register before providing patient data, and how covered entities would be required to respond when a patient requested their health information to be sent to a PHA that does not have appropriate privacy and security protections. For instance, if a patient requested their PHI be sent to a PHA developed by nation state actor, whether providers would still be required to send PHI at the request of a patient. Concern has also been raised about the growing number of platforms that exchange PHI that fall outside the scope of HIPAA.

One of the proposed changes relates to improving patients’ access to their health data and shortening the time to provide that information from 30 to 15 days. The Association for Behavioral Health and Wellness (ABHW) and CHIME have both voiced concerns about the shortening of the timeframe for honoring patient requests for their healthcare data, as this will place a further administrative burden on healthcare providers, especially during the pandemic. CHIME said it may not be possible to provide PHI within this shortened time frame and doing so may well add costs to the healthcare system. CHIME has requested the HHS document when exceptions are allowed, such as in cases of legal disputes and custody cases. ABHW believes the time frame should not be changed and should remain as 30 days.

It is likely that if the final rule is issued this year, it will be necessary for organizations to ensure compliance during the pandemic, which could prove to be extremely challenging. ABHW has recommended delaying the proposed rule for an additional year to ease the burden on covered entities. CHIME has suggested the HHS should not issue a final rule based on the feedback received, but instead reissue the questions raised in the proposed rule as a request for information and to host a listening session to obtain more granular feedback and then enter into a dialogue about the proposed changes.

The post Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes appeared first on HIPAA Journal.

CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert about DarkSide ransomware in the wake of the attack on the fuel pipeline company Colonial Pipeline.

The cyberattack caused major disruption to fuel supplies to the East Coast. Colonial Pipeline was forced to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline which supplies diesel, gasoline, and jet fuel to the U.S. East Coast. The four main pipelines were shut down over the weekend, and while smaller pipelines were quickly restored, the main pipelines have remained shut down pending safety assessments. The pipelines transport around 2.5 million barrels of fuel a day and provide 45% of the East Coast’s fuel.

The attack affected Colonial Pipeline’s information technology network, but its operational technology network was not affected. The DarkSide ransomware gang issued a statement shortly after the attack explaining the attacks was conducted purely for financial reasons and not for political reasons or to cause economic or social disruption. The group also said it would be vetting future ransomware attacks by its affiliates and partners to avoid social consequences in the future.

The joint advisory from CISA and the FBI includes technical details of the attack along with several mitigations to reduce the risk of compromise in DarkSide ransomware attacks and ransomware attacks in general. All critical infrastructure owners and operators are being urged to implement the mitigations to prevent similar attacks.

Previous attacks by DarkSide partners have gained initial access to networks via phishing emails and the exploitation of vulnerabilities in remotely accessible accounts and systems and Virtual Desktop Infrastructure. The group is known to use Remote Desktop Protocol (RDP) to maintain persistence. As with many other human-operated ransomware operations, prior to the deployment of ransomware the attackers exfiltrate sensitive data and threaten to sell or publish the data if the ransom is not paid.

Preventing DarkSide and other ransomware attacks requires steps to be taken to block the initial attack vectors. Strong spam filters are required to prevent phishing emails from reaching inboxes and multi-factor authentication should be enabled for email accounts to prevent the stolen credentials from being used. MFA should also be implemented on all remote access to operational technology (OT) and information technology (IT) networks. An end user training program should be implemented to train employees how to recognize spear phishing emails and to teach cybersecurity best practices.

Network traffic should be filtered to prohibit communications with known malicious IP addresses, and web filtering technology used to prevent users from accessing malicious websites. It is vital for software and operating systems to be kept up to date and for patches to be applied promptly. CISA recommends using a centralized patch management system and a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.

Access to resources over networks should be restricted, especially RDP, which should be disabled if not operationally necessary. If RDP is required, MFA should be implemented. Steps should also be taken to prevent unauthorized execution of code, including disabling Office Macros and implementing application allowlisting to ensure only authorized programs can be executed in accordance with the security policy.

Inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected should be monitored and/or blocked and signatures should be deployed to block inbound connection from Cobalt Strike servers and other post exploitation tools.

It may not be possible to block all attacks, so steps should be taken to limit the severity of a successful attack to reduce the risk of severe business or functional degradation. These measures include robust network segmentation, organizing assets into logical zones, and implementing regular and robust backup procedures.

You can view the alert and recommended mitigations here.

The post CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks appeared first on HIPAA Journal.

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is planning on revising and updating its guidance on implementing the HIPAA Security Rule and is seeking comment from stakeholders on aspects of the guidance that should be changed.

NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. During the past 13 years, cybersecurity has evolved and the threat landscape has changed considerably. NIST’s cybersecurity resources have also evolved during that time and an update to the guidance is now long overdue.

NIST will be updating the guidance to reference its new cybersecurity resources, will amplify awareness of non-NIST resources relevant to compliance with the HIPAA Security Rule, and will update its implementation guidance for HIPAA-covered entities and business associates.

Specifically, NIST has requested comment from stakeholders on their experiences applying and using the resource guide, including the parts of the guidance that have been helpful and those that have not, with the reasons why.

NIST wants to hear from covered entities and business associates that have used the guidance and have found key concepts to be missing, and for stakeholders who found the guidance not to be applicable to their organization to provide information on how it can be made more useful, relatable, and actionable to a wider range of audiences.

Covered entities and business associates have complied with the HIPAA Security Rule in a range of different ways. NIST is seeking information on any tools, resources, and techniques that have been adopted that have proven useful, and for covered entities that have enjoyed successes with their compliance programs to share information on how they manage compliance and security simultaneously, assess risks to ePHI, determine whether the security measures implemented are effective at safeguarding ePHI, and how they document demonstrating adequate implementation. NIST also wants to hear from any covered entity or business associate that has implemented recognized security practices that have diverged from compliance with the HIPAA Security Rule.

Stakeholders are invited to submit comment through June 15, 2021 for consideration ahead of the proposed update. Submitted comments will be considered and implemented as far as is practicable.

The post NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance appeared first on HIPAA Journal.

CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance to help organizations improve their defenses against software supply chain attacks.

The guidance documentDefending Against Software Supply Chain Attacks – explains the three most common methods that threat groups use in supply chain attacks along with in-depth recommendations for software customers and vendors for prevention, mitigation, and improving resilience against software supply chain attacks.

Like many supply chain attacks, the recent SolarWinds Orion attack involved hijacking the software update mechanism of the platform to deliver a version of the software with malicious code that provided the attackers with persistent access to the solution on more than 18,000 customers’ systems, with the attackers then cherry picking targets of interest for more extensive compromises. This was also the method used by the threat group behind the NotPetya wiper attacks in 2017. The software update mechanism used by a popular tax accounting software in Ukraine was hijacked to gain control of the software for use in destructive attacks.

It is also common for attackers to undermine the code signing process to hijack software update mechanisms to deliver malicious code. This is often achieved by self-signing certificates and exploiting misconfigured access controls to impersonate trusted vendors. CISA reports that the Chinese advanced persistent threat group APT41 commonly undermines code signing in its sophisticated attacks in the United States.

The third most common method used in supply chain attacks is to target publicly accessible code libraries and insert malicious code, which is subsequently downloaded by developers. In May 2020, GitHub, the largest platform for open source software, discovered 26 open source projects had been compromised as a result of malicious code being injected into open source software. Blocks of open source code are also commonly used in privately owned software solutions and these too can be easily compromised.

Software supply chain attacks are time consuming and resource intensive and usually require long-term commitment. While criminal threat actors have successfully conducted supply chain attacks, they are more commonly conducted by state sponsored advanced persistent threat groups that have the intent, capabilities, and resources for prolonged software supply chain attack campaigns.

These attacks can allow large numbers of organizations to be compromised by attacking just one. Organizations are vulnerable to these attacks as they give software vendors privileged access to their systems to allow them to operate effectively. Vendors need regular communication with installed software solutions to provide updates to improve security against emerging threats and to fix vulnerabilities. If a vendor is compromised, the attackers can bypass security measures such as firewalls and gain persistent access to all customers’ systems.

The guidance document provides several recommendations and tips for using NIST’s Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF). Organizations can greatly improve resilience to software supply chain attacks by operating software within a C-SCRM framework with a mature risk management program.

“A mature risk management program enables an organization to understand risks presented by ICT products and services, including software, in the context of the mission or business processes they support. Organizations can manage such risks through a variety of technical and non-technical activities, including those focused on C-SCRM for software and the associated full software lifecycle,” explained NIST.

The guidance details 8 best practices for establishing a C-SCRM approach and applying it to software:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  4. Understand the organization’s supply chain.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities.
  7. Assess and monitor throughout the supplier relationship.
  8. Plan for the full lifecycle.

Even when this approach is adopted, it is not possible to prevent all supply chain attacks so it is essential for other steps to be taken to mitigate vulnerable software components.

Organizations should develop a vulnerability management program and reduce the attack surface through configuration management. This includes placing configurations under change control, conducting security impact analyses, implementing manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintaining an information system component inventory. Steps should also be taken to increase resilience to a successful exploit and limit the harm that can be caused to mission critical operations, personnel and systems in the event of a successful attack.

The post CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks appeared first on HIPAA Journal.

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%).

While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021 with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was not due to ransomware attacks but data exfiltration extortion attacks by the Clop ransomware gang.

The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site.

These attacks show that file encryption is not always necessary, with the threat of publication of stolen data often sufficient to ensure payment is made. Coveware notes that while exploitation of the vulnerabilities allowed data to be exfiltrated, it was not possible to deploy ransomware across victims’ networks, otherwise ransomware would most likely have also been used in the attacks.

The Clop ransomware gang was particularly active in Q1, 2020. The group often attacks large enterprises and demands huge ransoms and like many other ransomware gangs, steals data prior to file encryption and threatens to expose that data if payment is not made. These double extortion tactics have become the norm and most ransomware attacks now involve data exfiltration. In Q1, 77% of ransomware attacks involved data exfiltration up from 70% in Q4, 2020.

Ransomware victims may have no choice other than paying the ransom if they are unable to recover encrypted data from backups, but there are risks associated with paying the ransom demand, especially to prevent a data leak. There is no guarantee that data will be destroyed and could still be traded or sold to other threat groups after payment is made. Exfiltrated data may also be stored in multiple locations. Even if the threat actor destroys the data, third parties may still have a copy. Coveware notes that while data exfiltration has increased, a growing number of ransomware victims are electing not to give in to the attackers’ demands and are refusing to pay the ransom to prevent a data leak for these and other reasons.

“Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage.” – Coveware.

Many RaaS operations have increased the number of attacks by recruiting more affiliates, but some RaaS operations have struggled to scale up their operations. The Conti gang outsourced their chat operations which made negotiations and recoveries more difficult. The Lockbit and BlackKingdom gangs experienced technical difficulties which resulted in permanent data loss for some of their victims, and even the most prolific ransomware operation – Sodinokibi – experienced problems matching encryption keys with victims resulting in permanent data loss.

These technical problems show that even ransomware operations that intend to provide the keys to decrypt data are not always able to. Coveware also observed a worrying trend where ransomware gangs deliberately disrupt recovery after the ransom is paid. The Lockbit and Conti gangs were observed attempting to steal more data during the recovery phase and even attempting to re-launch their ransomware after victims have paid. Coveware notes that this kind of disruption was rare in 2020, but it is becoming more common. Technical issues and disruption to the recovery process have contributed to an increase in downtime due to an attack, which is up 10% in Q1 to 23 days.

In Q4, email phishing became the most common method of ransomware delivery, but Remote Desktop Protocol connections are once again the most common method of gaining access to victim networks. Phishing is still commonly used and is the method of attack favored by the Conti ransomware gang – the second most prevalent ransomware operation in Q1.

Exploitation of software vulnerabilities also increased, with unpatched vulnerabilities in Fortinet and Pulse Secure VPN appliances the most commonly exploited flaws. Coveware believes the majority of ransomware-as-a-service operators and affiliates do not exploit software vulnerabilities, instead they pay specialist threat actors for access to compromised networks. Those threat actors mostly target smaller organizations, with RDP the most common method of attack for larger organizations.

The post Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks appeared first on HIPAA Journal.

Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited

Three zero-day vulnerabilities have been identified in SonicWall Email Security products that are being actively exploited in the wild by at least one threat actor. The vulnerabilities can be chained to gain administrative access to enterprise networks and achieve code execution.

SonicWall Email Security solutions are deployed as a physical appliance, virtual appliance, software installation, or as a hosted SaaS solution and provide protection from phishing, spear phishing, malware, ransomware, and BEC attacks. The solutions do not need to be Internet facing, but hundreds are exposed to the Internet and are vulnerable to attack.

In one instance, a threat actor with intimate knowledge of the SonicWall application exploited the vulnerabilities to gain administrative access to the application and installed a backdoor that provided persistent access. The threat actor was able to access files and emails, harvest credentials from memory, and then used those credentials to move laterally within the victim’s network.

The three vulnerabilities were identified by the Mandiant Managed Defense team. SonicWall has now developed, tested, and released patches to correct the flaws. The SonicWall Hosted Email Security product was automatically updated on April 21, 2021 so customers using the hosted email security solution do not need to take any action, but users of other vulnerable SonicWall Email Security products will need to apply the patches to prevent exploitation.

SonicWall said “It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade.”

The most serious vulnerability is a pre-authentication flaw with a severity score of 9.8 out of 10. The other two vulnerabilities have CVSS scores of 7.2 and 6.7.

  • CVE-2021-20021 – Pre-authentication vulnerability allowing remote attackers to create administrative accounts by sending specially crafted HTTP requests to a remote host. (CVSS 9.8)
  • CVE-2021-20022 – Post-authentication vulnerability allowing uploads of arbitrary files to a remote host. (CVSS 7.2)
  • CVE-2021-20023 – Post-authentication vulnerability allowing arbitrary file read on a remote host. (CVSS 6.7)

Mandiant identified the threat actor exploiting the vulnerabilities as UNC2682 and blocked the attack before the threat group could achieve its final aim, so the objective of the attack is unknown. Other threat groups may also attempt to exploit the vulnerabilities to obtain persistent access to enterprise networks and steal sensitive data.

“At the time of activity, the victim organization was using the same local Administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account – highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain,” explained Mandiant. “The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.”

Affected Product Version Patched Version CVEs
SonicWall Email Security versions 10.0.4-Present 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.3 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.2 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.1 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 7.0.0-9.2.2 Active support license allows upgrade to above secure versions but without an active support license upgrades are not possible CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.4-Present HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.3 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.2 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.1 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023

The post Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited appeared first on HIPAA Journal.

Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw

At least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products, according to a recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). While there has not been an official attribution, the threat actor has been linked to China by some security researchers and targets have included government, defense, financial, and critical infrastructure organizations.

FireEye has been tracking the malicious activity and reports that at least 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks have involved the harvesting of credentials to allow lateral movement within victim networks and the use of scripts and the replacement of files to achieve persistence.

Several entities have now confirmed that they have been attacked after they identified malicious activity using the Pulse Connect Secure Integrity Tool. Access has been gained to Pulse Connect Secure appliance by exploiting multiple vulnerabilities including three vulnerabilities that were disclosed in 2019 and 2020 and one recently disclosed zero-day vulnerability. Patches have been available for several months to fix the first three vulnerabilities – CVE-2019-11510, CVE-2020-8260 and CVE-2020-8243; however, a patch has yet to be released to correct the most recently disclosed zero-day vulnerability – CVE-2021-22893.

The CVE-2021-2893 authentication bypass vulnerability has received the maximum CVSS vulnerability severity score of 10/10. Ivanti published a security advisory about the new vulnerability on April 20, 2021. Exploitation of the flaw allows a remote unauthenticated attacker to execute arbitrary code in the Pulse Connect Secure Gateway. The flaw is believed to be exploitable by sending a specially crafted HTTP request to a vulnerable device, although this has yet to be confirmed by Ivanti. The vulnerability affects Pulse Connect Secure 9.0R3 and higher.

At least one threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat actor to bypass authentication and multi-factor authentication controls, log passwords, and gain persistent access to the appliance even after the patches have been applied.

Ivanti and CISA strongly advise all users of the vulnerable Pulse Connect Secure appliances to apply the patches immediately to prevent exploitation and to implement the mitigations recently published by Ivanti to reduce the risk of exploitation of the CVE-2021-22893 vulnerability until a patch is released. The workaround involves deleting two Pulse Connect Secure features – Windows File Share Browser and Pulse Secure Collaboration – which can be achieved by importing the workaround-2104.xml file. A patch is expected to be released to correct the CVE-2021-22893 in May 2021.

Since patching will not block unauthorized access if the vulnerabilities have already been exploited, CISA strongly recommends using the Pulse Connect Secure Integrity Tool to investigate whether the vulnerabilities have already been exploited.

CISA has issued an emergency directive requiring all federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances, deploy and run the Pulse Connect Secure Integrity Tool to identify malicious activity, and apply the mitigation against CVE-2021-22893. The actions must be taken by 5 pm Eastern Daylight Time on Friday, April 23, 2021.

The post Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw appeared first on HIPAA Journal.