Latest HIPAA News

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft.  The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links.

When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The web apps closely resemble legitimate web apps that are often used by businesses to improve productivity and security and support remote workers. Users were requested to grant Office 365 OAuth applications access to their Office 365 accounts.

When permission is granted, the attackers obtained access and refresh tokens that allowed them to gain access to the victims’ Office 365 accounts. In addition to gaining access to contact lists, emails, attachments, notes, tasks, and profiles, they also had access to the SharePoint document management system and OneDrive for Business, and any files in those cloud storage accounts.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains being used by the scammers to host the malicious apps. Recently, the court order was obtained and Microsoft has now disabled the domains. Without access to their infrastructure, the cybercriminals are no longer able to conduct cyberattacks. The campaign is believed to be the work of a cybercriminal organization rather than a nation state-sponsored group.

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” explained Microsoft.

Microsoft also shared best practices to help organizations to improve defenses against phishing and BEC attacks. The first step to take is to enable multifactor authentication on all email accounts, both business and personal. Businesses should provide training to employees to teach them how to identify phishing and BEC attacks and security alerts should be enabled for suspicious links and files.

Any email forwarding rules should be checked to identify suspicious activity and organizations should educate staff on how Microsoft permissions and the consent framework works.  Audits should be conducted on apps and consent permissions to ensure that applications are only granted access to the data they need.

The post Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps appeared first on HIPAA Journal.

Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected

HIPAA Journal previously reported on an April 2020 ransomware attack on Magellan Health. Further information on the attack has now been released that shows the scale of the attack.

The incident has now been listed on the HHS’ Office for Civil Rights breach portal as affecting 6 Magellan entities, each of which has reported the incident separately. Several other entities have also submitted breach reports confirming their patients and subscribers have also been affected.

It is too early to tell exactly how many individuals have been affected by the ransomware attack, but the total as of July 1, 2020 exceeds 364,000, making the attack the third largest healthcare data breach to be reported in 2020. There may still be some entities that have yet to report the breach.

Entities known to have been impacted by the breach are listed in the table below.

Affected Entity Entity Type Individuals Affected
Magellan Healthcare, Maryland Business Associate 50,410
Magellan Complete Care of Florida Health Plan 76,236
Magellan Rx Pharmacy Healthcare Provider 33,040
Magellan Complete Care of Virginia Health Plan 3,568
Merit Health Insurance Company Health Plan 102,748
National Imaging Associates Business Associate 22,560
University of Florida Jacksonville Healthcare Provider 54,002
University of Florida, Health Shands Healthcare Provider 13,146
University of Florida Healthcare Provider 9,182
Total   364,892

In contrast to many of the healthcare ransomware attacks that have been reported in recent weeks, where access to networks was gained through brute force attacks on remote desktop services or the exploitation of vulnerabilities in VPNs, this attack started with a spear phishing email in which a Magellan client was impersonated. That email was sent on April 6 and the ransomware was deployed less than a week later.

Magellan explained in its substitute breach notification letter sent to the California Attorney General’s Office that the attacker downloaded malware that was designed to steal login credentials and passwords, and gained access to a single Magellan corporate server and stole employee information. The data stolen in the attack related to current employees and included the following data elements: Address, employee ID number, and W-2 or 1099 details such as Social Security number or Taxpayer ID number. For a limited number of employees, usernames and passwords were also obtained.

The notice of security incident on the Magellan Health websites confirms patients of Magellan Health and its subsidiaries and affiliates were also impacted, and the following types of data were exposed: Treatment information, health insurance account information, member ID, other health-related information, email addresses, phone numbers, and physical addresses.  In certain instances, Social Security numbers were also affected.

No mention is made on the June 12, 2020 website notice whether protected health information was also stolen in the attack. In all cases, Magellan Health says no evidence has been uncovered to date to suggest any patient or employee information has been misused.

The post Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected appeared first on HIPAA Journal.

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed.

The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018.

The second phishing attach was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018.  The attackers had access to the email accounts for almost a month before the breach was detected and email accounts were secured. Notification letters were sent to affected individuals in August 2018.

A lawsuit was filed soon after the announcement about the breach was made. The lawsuit alleged UnityPoint Health mishandled the breach and misrepresented the nature, breadth, scope, harm, and cost of the breach. It was alleged that UnityPoint Health did not notify affected individuals within the 60-day time frame demanded by the HIPAA Breach Notification Rule and when notifications were issued, patients were not informed that their Social Security numbers had been exposed.

In the breach notification letters UnityPoint Health explained that no evidence was found to suggest the protected health information exposed in the attack was or will be used for unintended purposes, suggesting affected patients were not placed at risk. UnityPoint Health also failed to offer breach victims credit monitoring or identity theft protection services, even though Social Security numbers and river’s license numbers had been exposed.

UnityPoint Health attempted to have the lawsuit dismissed and was partially successful. In July 2019, a US District Court Judge partially dismissed some of the claims in the lawsuit, although other claims were allowed to proceed. The judge ruled that the plaintiffs’ alleged facts sufficient to establish there was an objectively reasonable likelihood of future identity theft.

A settlement was proposed on June 26, 2020 to resolve the lawsuit and will provide victims with monetary and injunctive relief. Under the terms of the proposed settlement, UnityPoint Health has agreed to make a minimum of $2.8 million available to class members to cover claims. Each affected individual can submit a claim of up to $1,000 to cover documented ordinary out-of-pocket expenses such as credit monitoring and identity theft protection services, and up to 3 hours in lost time charged at $15 per hour.

A claim of up to $6,000 can be made per person to cover extraordinary expenses which includes documented out-of-pocket expenses and up to 10 hours per person at $15 per hour for time lost arranging credit monitoring services, credit freezes, and other actions taken as a result of the breach.  In contrast to most data breach settlements, UnityPoint Health has not placed a cap on extraordinary expenses claims, so UnityPoint Health will cover actual losses if breach victims submit a valid claim. All victims will also be entitled to a year’s membership to credit monitoring and identity theft protection services and will be protected by a $1 million insurance policy against identity theft. The credit monitoring services and insurance policy are estimated to cost around $200 per class member.

The four breach victims named in the lawsuit will also be entitled to claim an additional $2,500 per person. The full costs of notice and claims administration and attorney fees will be paid by UnityPoint Health up to a maximum value of $1.58 million.

UnityPoint Health has also agreed to make improvements to network and data security and will undergo an annual audit by a third-party security firm to ensure that security measures are adequate, and the healthcare provider is complying with its security policies.

Given the lack of a cap on claims, this could turn out to be one of the largest ever healthcare data breach settlements. The settlement will now need to be approved by a judge and could be finalized by the end of the year.

The post UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.

Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has changed little during the pandemic.

Threat activity does not appear to have dropped, so the fall in reported cyberattacks and data breaches could indicate that threat actors have taken the decision not to attack healthcare providers on the front line in the fight against COVID-19. The Maze ransomware gang publicly stated that it would not target healthcare providers during the COVID-19 pandemic, but many other ransomware gangs appear to have stepped up their attacks and are making no such concessions.

It is also possible that rather than cyberattacks and data breaches falling, covered entities and business associates have not been detecting breaches or have delayed reporting. The reason for the fall in reported breaches is likely to become clearer over the coming weeks and months and we will see if this is part of a new trend or if the drop is simply a blip.

While it is certainly good news that the number of breaches has fallen, there was a significant increase in the number of exposed and compromised healthcare records. There were 10 fewer data breaches reported in May 2020 than April, but 1,064,652 healthcare records were breached in May. That is more than twice the number of records breached in April.

Largest Healthcare Data Breaches in May 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
Elkhart Emergency Physicians, Inc. IN Healthcare Provider 550,000 Improper Disposal
BJC Health System MO Business Associate 287,876 Hacking/IT Incident
Saint Francis Healthcare Partners CT Business Associate 38,529 Hacking/IT Incident
Everett & Hurite Ophthalmic Association PA Healthcare Provider 34,113 Hacking/IT Incident
Management and Network Services, LLC OH Business Associate 30,132 Hacking/IT Incident
Sanitas Dental Management FL Healthcare Provider 19,000 Loss
Mediclaim, LLC MI Business Associate 14,931 Hacking/IT Incident
Woodlawn Dental Center OH Healthcare Provider 14,419 Hacking/IT Incident
Mat-Su Surgical Associates, APC AK Healthcare Provider 13,146 Hacking/IT Incident
Mille Lacs Health System MN Healthcare Provider 10,630 Hacking/IT Incident

Causes of May 2020 Healthcare Data Breaches

The largest healthcare data breach of the month affected Elkhart Emergency Physicians, Inc. and involved the improper disposal of paper records by business associate Central Files Inc. Elkhart Emergency Physicians was one of seven Indiana healthcare providers to be affected by the breach. In total, the records of 554,876 patients were exposed as a result of that improper disposal incident. There was one other improper disposal incident reported in May, making this the joint second biggest cause of data breaches in the month. Those improper disposal incidents accounted for 52.17% of breached records in May. The mean breach size was 69,434 records and the median breach size was 938 records.

There were 8 reported unauthorized access/disclosure incidents reported, although those breaches only accounted for 2.35% of breached records in May. The mean breach size was 3,124 records and the median breach size was 3,220 records.

Hacking/IT incidents once again topped the list as the main cause of healthcare data breaches, accounting for 39.28% of the month’s breaches and 43.69% of breached records in May. The mean breach size was 42,290 records and the median breach size was 14,419 records.

There was one loss incident involving a network server that contained the records of 19,000 patients. There were no reports of theft of physical records or devices containing electronic protected health information.

The graph below shows the location of breached protected health information. For the past several months, email has been the most common location of breached PHI due to the high number of healthcare phishing attacks. The number of reported phishing attacks dropped in May, hence the lower than average number of email-related breaches. While the number of incidents fell, there was one major phishing attack reported. An attack on BJC Health System saw 3 email accounts compromised. Those accounts included emails and attachments containing the PHI of 287,876 patients.

May 2020 Healthcare Data Breaches by Covered Entity Type

In line with virtually every other month since the HITECH Act mandated the HHS’ Office for Civil Rights to start publishing summaries of data breaches on its’ Wall of Shame’, healthcare providers were hardest hit, with 21 reported data breaches. It was a good month for health plans, with only one reported breach, but a particularly bad month for business associates. 6 business associates reported data breaches in May, and a further 8 breaches involved business associates but were reported by the covered entity.

Healthcare Data Breaches by State

Data breaches were reported by covered entities and business associates in 17 states in May. Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by business associate, Central Files, Inc.

There were 3 data breaches reported in each of Michigan and Ohio, two breaches reported by healthcare providers in Pennsylvania, and one breach was reported in each of Alaska, Arizona, California, Connecticut, Florida, Georgia, Illinois, Maryland, Minnesota, Missouri, Nebraska, New York, and Texas.

HIPAA Enforcement Activity in May 2020

There were no announcements about HIPAA penalties from the HHS’ Office for Civil Rights or state attorneys general in May 2020.

The post May 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Senate HELP Committee Considers Permanent Changes to Telehealth Policies

The Senate Health, Education, Labor, and Pensions (HELP) Committee is considering which of the 31 recent changes to telehealth policies should be kept in place when the COVID-19 national public health emergency comes to an end.

The temporary changes to policies on telehealth have served to expand access during the COVID-19 public health emergency. These changes were necessary to help prevent the spread of COVID-19 and ensure that Americans are given easy access to medical services. During the COVID-19 crisis, patients have embraced the new approach and many have taken advantage of virtual visits and are using remote monitoring tools.

The June 17, 2020 Senate HELP Committee meeting was convened to explore which of the recent changes should be made permanent or at least be extended once the COVID-19 crisis comes to an end. All members of the committee supported making at least some of the recent changes permanent, with HELP Committee Chairman Sen. Lamar Alexander (R-Tenn.) advocating two permanent changes: The elimination of limitations on originating sites and the expansion of the types of providers who can be reimbursed through Medicare and Medicaid for providing virtual visits.

Sen. Alexander explained that both changes will help providers to achieve better patient outcomes, will improve patient experiences, and will help to reduce the cost of healthcare provision. There is wide support for these two changes to be made permanent. “As dark as this pandemic has been, it creates an opportunity to learn from and act upon these three months of intensive telehealth experiences, specifically what permanent changes need to be made in federal and state policies,” said Sen. Alexander. He suggested that were it not for the pandemic, the recently introduced changes may not have occurred for a further 10 years. It is too early to tell whether the telehealth changes have had any significant effect on patient outcomes, but they have certainly helped to improve access to healthcare services.

The University of Virginia (UVA) experienced a 9,000% increase in virtual visits between February and May, according to Karen Rheuban, M.D., director of the UVA Center for Telehealth. Sen. Alexander explained that Ascension Saint Thomas had gone from providing around 50 telehealth visits a year to more than 30,000 per month between April and May. Between April and May, telehealth accounted for around 45% of all visits.

The HHS’ Office for Civil Rights announced a Notice of Enforcement discretion covering the platforms that could be used for providing telehealth services during the public health emergency. Aside from public-facing platforms, apps that would not normally be permitted under HIPAA could be used for telehealth. While the move was necessary, it is one of the changes that requires closer scrutiny moving forward to ensure the privacy and security of healthcare data is not placed at risk.

The expansion of telehealth services has not proven to be a great equalizer, as many people lack the technology to take advantage of telehealth services. “The disparities in access to technology reflect the underlying inequity that exists throughout society,” said Sen. Tina Smith (D-Minn), a view shared by Karen Rheuban, M.D., who suggested “Congress should provide support for further broadband deployment, including to the home, as appropriate, to reduce geographic and sociodemographic disparities in access to care.”

There was strong support for reimbursement for telephone visits to be continued. At Massachusetts General Hospital and Brigham and Women’s Hospital, 60% of telehealth visits took place over the telephone in the past 3 months. “Telephone visits are important to cross the digital divide. We should continue that level of reimbursement to address this underserved population,” said Joe Kvedar, president of the American Telemedicine Association.

In addition to advocating for permanent changes to originating site limitations, Kvedar recommended giving the HHS the flexibility to expand the list of practitioners and therapy services eligible for telehealth reimbursement and to continue the grant and technical assistance programs and also cover infrastructure needs.

There is a commonly held view among providers that the decision to continue offering telehealth is largely dependent on reimbursement rates for telehealth. If reimbursement is lower for virtual visits, that may prevent providers from continue offering telehealth over in-person visits. Sen. Mike Braun (R-Ind) suggested that there should not be pay parity due to the differences in overheads. Sen. Bill Cassidy (R-La.) also questioned whether reimbursement should be equal when telehealth reduces providers’ overhead costs.

While access to telehealth has been expanded for Medicare and Medicaid patients, changes also need to be made in the private sector. “It would be very difficult to conduct this care model in a world where we got some payment for some things and didn’t get paid for others,” suggested Kvedar. “As much harmonization as possible would be huge incentive for adoption and expansion,” said Rheuban.

The post Senate HELP Committee Considers Permanent Changes to Telehealth Policies appeared first on HIPAA Journal.

Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices

19 zero-day vulnerabilities have been identified in the TCP/IP communication software library developed by Treck Inc. which impact hundreds of millions of connected devices across virtually all industry sectors, including healthcare.

Treck is a Cincinnatti, OH-based company that develops low-level network protocols for embedded devices. The company may not be widely known, but its software library has been used in internet-enabled devices for decades. The code is used in many low-power IoT devices and real-time operating systems due to its high performance and reliability and is used in industrial control systems, printers, medical infusion pumps and many more.

The vulnerabilities were identified by security researchers at the Israeli cybersecurity company JSOF, who named the vulnerabilities Ripple20 because of the supply chain ripple effect.

A vulnerability in small component can have wide reaching consequences and can affect a huge number of companies and products. In the case of Ripple20, companies affected include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, B. Braun, and Baxter. JSOF has a list of 66 companies that are also potentially affected.

Four of the vulnerabilities are rated critical, with two (CVE-2020-11896 / CVE-020-11897) receiving the highest possible severity score of 10 out of 10 and the other critical bugs receiving scores of 9.0 (CVE-2020-11901) and 9.1 (CVE-2020-11898). The first three could allow remote code execution and the remaining vulnerability could result in the disclosure of sensitive information.

CVE-2020-11896 could be exploited by sending a malformed IPv4 packet to a device supporting IPv4 tunneling, and CVE-2020-11897 could be triggered by sending multiple malformed IPv6 packets to a device. Both allow stable remote code. CVE-2020-11901 can be triggered by answering a single DNS request made from a vulnerable device. This vulnerability could allow an attacker to take over a device through DNS cache poisoning and bypass all security measures.

The remaining 15 vulnerabilities range in severity from 3.1 to 8.2 and could result in information disclosure, allow a denial of service attack, and some could also potentially lead to remote code execution.

Exploitation of the vulnerabilities is possible from outside the network. An attacker could take full control of a vulnerable internet-facing device or even attack vulnerable networked devices that are not internet-enabled, if a network was infiltrated. An attacker could also broadcast an attack and take control of all vulnerable devices in the network simultaneously. These attacks require no user interaction and could be exploited in a way that bypasses NAT and firewalls. An attacker could take control of devices completely undetected and remain in control of those devices for years.

The vulnerabilities could be exploited by sending specially crafted packets that are very similar to valid packets, making it difficult to detect an attack in progress. JSOF reports that in some cases, completely valid packets could be used, which would make an attack almost impossible to detect.

“The risks inherent in this situation are high,” explained JSOF. “Just a few examples: Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years.”

The video below shows an example of an exploit on a UPS to which several devices are connected, including a drug infusion pump.

Treck is currently reaching out to its clients to warn them about the vulnerabilities. The flaws have been patched in its TCP/IPv4/v6 software, so organizations impacted by the flaws should ensure Treck’s software stack version or higher is used.

You can view the ICS-CERT advisory here

The post Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices appeared first on HIPAA Journal.

Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations

When patients contract an infectious respiratory disease such as COVID-19, the immune system develops antibodies that provide protection if the pathogen is encountered again. The antibodies in the blood of patients who recover from such an illness are valuable, as not only will they provide protection for the patient, that protection could potentially be transferred to other patients.

Through the donation of blood and plasma two preparations can be made: Convalescent plasma and hyperimmune immunoglobulin. Convalescent plasma and hyperimmune immunoglobulin have both been used to successfully treat patients who have contracted other viral respiratory diseases. Given the severity of COVID-19 and the high mortality rate, these treatments could be vital for patients who are struggling to fight the infection. Research studies are now underway to test whether antibody treatments are effective against COVID-19.

To participate in these programs, patients who have previously been diagnosed with COVID-19 will need to be contacted and asked if they are willing to donate blood and plasma, but is this contact permitted by the HIPAA Privacy Rule?

On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights issued guidance to healthcare providers on the HIPAA Privacy Rule and contacting COVID-19 patients to request blood and plasma donations.

OCR explained that the HIPAA Privacy Rule does not prohibit healthcare providers from contacting COVID-19 patients to request blood and plasma donations and prior authorization from the patient is not required.

Healthcare providers can contact patients to advise them about the opportunities for donating blood and plasma to support the response to COVID-19 to improve other patents’ chances of beating the disease.

HIPAA covered entities and business associates acting on their behalf can use or disclose PHI for the purpose of treatment, payment, and healthcare operations, without first receiving authorization to do so from a patient. Requesting a donation of blood or plasma does not fall into the category of treatment, as the blood/plasma will not be used to treat the patient, instead it is being used for population-based health care operations to improve health, case management, and care-coordination, which are included in the definition of healthcare operations.

There is some confusion over whether contacting patients to solicit blood donations would constitute marketing communications, which are generally not permitted by the HIPAA Privacy Rule without prior authorization from a patient.

In this case, an exception to the Privacy Rule’s Marketing provision applies. “A covered health care provider is permitted to make such communication for the covered entity’s population-based case management and related health care operations activities, provided that the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a blood and plasma donation center),” explained OCR in the guidance.

An authorization is required from a patient before PHI can be disclosed to a third party, such as a blood and plasma donation center, to allow a COVID-19 patient to be contacted to request blood and plasma donations for the donation center’s own purposes.

The post Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations appeared first on HIPAA Journal.

Misconfigured Public Cloud Databases are Found and Attacked Within Hours

Misconfigured public cloud databases are often discovered by security researchers. Misconfigurations that leave cloud data exposed could be due to a lack of understanding about cloud security or policies, poor oversight to identify errors, or negligent behavior by insiders to name but a few. A recent report from Trend Micro revealed cloud misconfigurations were the number one cause of cloud security issues.

Security researchers at Comparitech often discover unsecured cloud resources, commonly Elasticsearch instances and unsecured AWS S3 buckets. When the unsecured cloud databases are discovered, the owners are identified and notified to ensure data is secured quickly. Providing the owner can be identified, the databases are usually secured within a matter of hours, but there have been several cases where the database owner has been contacted but no response is received, and it is not always apparent to whom the data belongs.

In these cases, data can be left exposed online for several days or even weeks. During that time, the databases remain unprotected and can be accessed and downloaded by anyone that knows where to find them. Comparitech researchers are well practiced at finding unsecured Elasticsearch databases and AWS S3 buckets, but how quickly can malicious actors sniff out an unsecured database? Comparitech decided to find out. It turns out that it does not take long.

To determine the time it takes for unsecured data to be found, Comparitech’s security team conducted an exercise where they created a simulation of an Elasticsearch instance, similar to the many Elasticsearch instances they have found unsecured. They populated it with fake user data and left it exposed without any access controls. The database was exposed from May 11, 2020 to May 22, 2020.

In a recent blog post detailing the exercise, Comparitech security researcher Paul Bischoff explained that the first access request occurred 8 hours and 35 minutes after the database was created. During the 11 days that the database was exposed, there were 175 access requests. Their honeypot averaged 18 requests a day.

Exposed databases are usually located using an IoT search engine such as Shodan. It takes time for the data to be indexed by the search engines, in this case, Shodan indexed the database on May 16, five days after the database was created. Even though the database was not indexed until May 16, by the time it was there had been 3 dozen attempts to access the data. As soon as the database was indexed, the attacks spiked. Two access attempts were made within a minute of the database being indexed, with a further 20 access requests made that same day.

There are several reasons why attempts are made to find unsecured cloud resources. Databases often contain sensitive data, which can be used for identity theft and fraud or sold on underground forums. Databases can be hijacked and ransom demands issued to extort money from the data owners, but not all attacks were concerned with obtaining data. Several attempts were made to hijack the servers and download cryptomining scripts. In one case, an attacker attempted to switch off the firewall and delete the database.

While the test was concluded on May 22, 2020 and the data was mostly deleted, an further attack occurred on May 29. A malicious bot detected the honeypot and deleted the database, leaving a message demanding payment of 0.06 BTC to recover the data. That attack took 5 seconds from start to finish.

The exercise showed that even if databases are only exposed for a short period of time, it is highly likely that they will be found. While many companies say their data was not left unsecured for long when they are notified by Comparitech of an exposed cloud instance, it is probable that data has already been compromised unless data was only exposed for a few hours.

Comparitech pointed out that if the person setting up an Elasticsearch instance fails to put access controls in place, it is reasonable to assume that logging has also not been enabled. When companies report that no evidence was found to suggest data was accessed or exfiltrated, that does not mean data has not been accessed and stolen, only that there is a lack of evidence.   A 2019 report from McAfee suggested 99% of misconfigurations in the cloud go unreported when they are discovered. It is probable that data theft from cloud resources is far more likely than breach reports would lead you to believe.

The post Misconfigured Public Cloud Databases are Found and Attacked Within Hours appeared first on HIPAA Journal.

Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability

A functional proof of concept (PoC) exploit for a critical remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol has been released and is being used by malicious cyber actors to attack vulnerable systems, according to an alert issued by the DHS Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, referred to as SMBGhost, is due to the way the SMBv3 protocol handles certain requests. If exploited, a malicious cyber actor could remotely execute code on a vulnerable server or client by sending a specially crafted packet to a targeted SMBv3 server. An attack against a client would also be possible if an attacker configured a malicious SMBv3 server and convinced a user to connect to it.

The vulnerability could be exploited to spread malware from one vulnerable system to another in a similar fashion to the SMBv1 vulnerability that was exploited in the 2017 WannaCry ransomware attacks. No user interaction is required to exploit the flaw on vulnerable SMBv3 servers.

The flaw – tracked as CVE-2020-0796 – is present in Windows 10 versions 1909 and 1903 and was the subject of a Microsoft security advisory in early March. The flaw received a maximum CVSS v3 severity rating of 10 out of 10.

Microsoft released a patch to correct the flaw in early March; however, almost three months on and many organizations have yet to apply the patch and are vulnerable to attack. Microsoft also released details of a workaround to prevent exploitation, which involves disabling SMBv3 compression.

While the workaround would prevent the flaw from being exploited on a SMBv3 server, it would not prevent an attack on a client. The workaround involves running a simple PowerShell command. No reboot is required after the command has been executed. Details are available here. Scanners are available on GitHub that can be used to check for the CVE-2020-0796 vulnerability.

Security researchers developed exploits for the flaw with limited success, but the PoC exploit now available would allow an attacker to escalate local privileges and deliver malware. The PoC exploit is not 100% reliable, but more refined exploits are expected to be released. In its current form it could be used to successfully attack a vulnerable SMBv3 server. If the exploit were to fail, an attacker could simply keep on trying until it worked.

CISA strongly recommends that all organizations apply the patch to prevent exploitation. If the patch cannot be applied, the workaround should be used and SMB ports should be blocked from the internet using a firewall until the patch can be applied.

The post Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability appeared first on HIPAA Journal.