Latest HIPAA News

Third Version of Log4j Released to Fix High Severity DoS Vulnerability

Posted by HIPAA Journal

The original vulnerability identified in Log4j (CVE-2021-44228) that sent shockwaves around the world due to its seriousness, ease of exploitation, and the extent to which it impacts software and cloud services, is not the only vulnerability in the Java-based logging utility.

After releasing version 2.15.0 to fix the flaw, it was determined that version 2.15.0 was still vulnerable in certain non-default configurations due to an incomplete patch. The new vulnerability is tracked as CVE-2021-45046 and was fixed in version 2.16.0 of Log4j. Initially, the vulnerability was assigned a CVSS score of 3.7 (low severity); however, the severity score has since been increased to critical (CVSS 9.0), as while this flaw was initially reported as a denial-of-service bug, it was later determined that it could be exploited to allow data exfiltration and remote code execution.

According to Apache, “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.”

Apache strongly recommended organizations upgrade again to version 2.16.0 to prevent exploitation of the new vulnerability; however, a further vulnerability has now been identified, which is tracked as CVE-2021-45105. CVE-2021-45105 is a high severity DoS bug (CVSS 7.5) and affects all versions of Log4j from 2.0-beta9 to 2.16.0.

According to the Apache Software Foundation (ASF), “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.”

CVE-2021-45105 has now been corrected in version 2.17.0, which is the third version of Log4j to be released in 10 days. Further information on the Log4j vulnerabilities and the latest updates can be found here.

The post Third Version of Log4j Released to Fix High Severity DoS Vulnerability appeared first on HIPAA Journal.

Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information

Posted by HIPAA Journal

In 2019, it was alarming that healthcare data breaches were being reported at a rate of more than 1 a day. In 2021, there have been several months where healthcare data breaches have been occurring at a rate of more than 2 per day. With data breaches occurring so regularly and ransomware attacks disrupting healthcare services, it is no surprise that many patients do not have much trust in their healthcare providers to protect sensitive personally identifiable information (PII).

That has been confirmed by a recent survey conducted by Dynata on behalf of Semafone. 56% of patients at private practices said they do not trust their healthcare providers to protect PII and payment information. Smaller healthcare providers have smaller budgets for cybersecurity than larger healthcare networks, but trust in large hospital networks is far lower. Only 33% of patients of large hospital networks trusted them to be able to safeguard their PII.

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement of compliance with the HIPAA Rules in recent years and is increasingly imposing financial penalties for HIPAA Privacy and Security Rule violations. The survey confirmed that patients want healthcare providers to face financial penalties when they fail to ensure the confidentiality of healthcare data. 9 out of 10 patients were in favor of financial penalties for healthcare providers that fail to implement appropriate protections to prevent healthcare data breaches.

Further, when data breaches occur, patients are willing to switch providers. 66% of patients said they would leave their healthcare provider if their PII or payment information was compromised in a data breach that occurred as a result of the failure to implement appropriate security measures. Another 2021 survey, conducted on behalf of Armis, had similar findings. 49% of patients said they would switch provider if their PHI was compromised in a ransomware attack.

The pandemic has increased the risk patients face from healthcare data breaches. Before the pandemic, many patients paid their medical bills in person or by mail, but the Semafone survey showed both payment methods are in decline, with many patients now choosing to pay electronically. There has been a 28% fall in in-person payments and a 17% drop in mail-in payments. With financial information more likely to be stored by healthcare providers, the risk of financial harm from a data breach has increased substantially.

Semafone explained in its 2021 State of Healthcare Payment Experience and Security Report that the increase in healthcare data breaches has led to patients having a heightened sense of awareness and interest in the processes their providers take to protect their information. Semafone suggests healthcare providers, and especially large hospital networks, need to pay more attention to the digital transformation measures they take to keep sensitive information secure.

“Regardless of size, the entire healthcare industry must do better at navigating and preventing data breaches,” said Gary E. Barnett, CEO of Semafone. “The sheer number of breaches in and out of healthcare is problematic. Fortunately, there are solutions that provide security and help meet compliance standards, but many of today’s companies still rely on outdated processes for operations. It is no longer acceptable to claim they aren’t aware that highly efficient, effective, and automated solutions exist to save time, money, and risk. Healthcare organizations must seek the right technologies and processes to protect the patient experience.”

While most patients (75%) said they feel confident that their healthcare providers are doing a good job at disclosing how payment information is secured, only 50% said they know where their payment data was stored. “As a patient, understanding where and how personal and payment information is stored is important to protect against potential fraud and breaches,” explained Semafone in the report. “Given the large number unaware of where their data is stored, providers have an opportunity to increase education and communication with patients to, in turn, improve the experience and overall sentiment toward the providers for the future.”

The post Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information appeared first on HIPAA Journal.

Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos

Posted by HIPAA Journal

The number of healthcare providers affected by the recent ransomware attack on Kronos has been growing over the past few days. 7 healthcare providers have now confirmed they have been affected by the attack.

Kronos is a Lowell, MA-based workforce management and human capital management solution provider that many healthcare organizations use for payroll, scheduling, and other services. On December 11, 2021, Kronos discovered unusual activity in its systems deployed within the Kronos Private Cloud. Steps were immediately taken to investigate the activity and block any unauthorized access. It was rapidly determined to be a ransomware attack, that affected parts of its cloud environment where Ultimate Kronos Group (UKG) solutions are deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling.

UKG said it engaged a leading cyber security firm to assess and mitigate the attack and the investigation into the breach is ongoing. The affected solutions remain offline and Kronos has strongly suggested its clients should evaluate and implement alternative business continuity protocols related to the affected UKG solutions as it may take several weeks to restore system availability.

Seven healthcare provider clients have recently confirmed that they have been affected by the ransomware attack: Allegheny Health Network, Highmark Health, Baptist Health, UF Health, Ascension, Shannon Medical Center, and Franciscan Missionaries of Our Lady Health System.

San Angelo, TX-based Shanon Medical Center, Jackson, Fl-based Baptist Health, Gainesville, FL-based UF Health, and Indianapolis, IN-based Ascension St. Vincent Hospital said payroll has been affected and they have switched to alternate systems to ensure their employees get paid, while Pittsburg, PA-based Allegheny Health Network and Highmark Health said they are doing everything they can to ensure employees are paid on time.

Baton Rouge, LA-based Franciscan Missionaries of Our Lady Health System used Kronos for timekeeping and scheduling and has switched to emergency downtime procedures to ensure there is no disruption to its services.

The American Hospital Association (AHA) said it has received several reports from members confirming they have been affected and are working to minimize disruption. “A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients,” said John Riggi, AHA senior advisor for cybersecurity and risk. “This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. If mission-critical third-party services are made unavailable due to a cyberattack, it may result in disruptions to hospital operations. As such, we urge all third-party providers that serve the health care community to examine their cyber readiness, response, and resiliency capabilities.”

The post Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos appeared first on HIPAA Journal.

Webinar Today: 02/17: Lessons and Examples from 2021’s HIPAA Breaches and Fines

Posted by HIPAA Journal

2021 has been a tough year for the healthcare industry with huge numbers of data breaches occurring and vast numbers of healthcare records exposed as hackers stepped up their attacks on healthcare providers and ransomware actors ran riot.  The HHS’ Office for Civil Rights has continued to impose large numbers of fines on covered entities and business associates for noncompliance with the HIPAA Rules, even during the pandemic. The trend for the past year was a major focus on violations of the HIPAA Right of Access, and many of the fines were imposed on smaller healthcare practices.

The webinar will cover:

  • The data breaches and fines in 2021 (what caused them, who was affected, etc.)
  • How to protect yourself from suffering a breach or financial penalty in the New Year.
  • Predictions of what will happen in the future and what to look out for

You will also get the inside scoop from compliance experts and find out how you can start protecting your business in 2022!

Due to popular demand, this January webinar is being run again on February 17, 2022.

Lessons and Examples from 2021’s HIPAA Breaches and Fines

Date: February 17, 2022 @ 2:00 p.m. ET | 11.00 a.m. PT

Host: Compliancy Group

[contact-form-7]

The post Webinar Today: 02/17: Lessons and Examples from 2021’s HIPAA Breaches and Fines appeared first on HIPAA Journal.

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

Posted by HIPAA Journal

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA)

Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details.

In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the individuals’ next-of-kin. The notification letters disclosed sensitive information such as the patient’s medical conditions, including cancer diagnoses, when consent to disclose that information had not been provided by the patients.

Across the two incidents, the PHI of more than 105,000 individuals was exposed or impermissibly disclosed, including the PHI of more than 80,000 New Jersey residents.

“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”

The companies are alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, did not protect against reasonably anticipated threats to the security/integrity of patient data, did not implement security measures to reduce risks and vulnerabilities to an acceptable level, did not conduct an accurate and comprehensive risk assessment, and had not implemented a security awareness and training program for all members of its workforce.

Under the terms of the settlement, three companies will pay a financial penalty of $425,000 and are required to implement further privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.

The companies are required to implement and maintain a comprehensive information security program, a written incident response plan and cybersecurity operations center, employ a CISO to oversee cybersecurity, conduct initial training for employees and annual training on information privacy and security policies, and obtain a third-party assessment on policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data.

“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”

New Jersey has been one of the most active states in HIPAA enforcement. In the past few months, settlements have been reached with two other companies for violations of HIPAA and the Consumer Fraud Act. In October, a New Jersey fertility clinic was fined $495,000, and two printing companies were fined $130,000 in November.

The post New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations appeared first on HIPAA Journal.

Learnings from a Major Healthcare Ransomware Attack

Posted by HIPAA Journal

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems which caused major disruption to healthcare services across the country.

Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE.

Cybersecurity Failures that are Common in the Healthcare Industry

PWC’s recently published report highlights a number of security failures that allowed HSE systems to be infiltrated. While the report is specific to the HSE cyberattack, its findings are applicable to many healthcare organizations in the United States that have similar unaddressed vulnerabilities and a lack of preparedness for ransomware attacks. The recommendations made by PWC can be used to strengthen defenses to prevent similar attacks from occurring.

While the HSE ransomware attack affected a huge number of IT systems, it started with a phishing email. An employee was sent an email with a malicious Microsoft Excel spreadsheet as an attachment on March 16, 2021. When the attachment was opened, malware was installed on the device. The HSE workstation had antivirus software installed, which could have detected the malicious file and prevented the malware infection; however, the virus definition list had not been updated for over a year, which rendered the protection near to non-existent.

From that single infected device, the attacker was able to move laterally within the network, compromise several accounts with high-level privileges, gain access to large numbers of servers, and exfiltrate data ‘undetected’.  On May 14, 2021, 8 weeks after the initial compromise, Conti ransomware was extensively deployed and encrypted files. The HSE detected the encryption and shut down the National Health Network to contain the attack, which prevented healthcare professionals across the country from accessing applications and essential data.

During the 8 weeks that its systems were compromised, suspicious activity was detected on more than one occasion which should have triggered an investigation into a potential security breach, but those alerts were not acted upon. Had they been investigated the deployment of ransomware could have been prevented and potentially also the exfiltration of sensitive data.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker was able to use well-known and simple attack techniques to move around the network, identify and exfiltrate sensitive data, and deploy Conti ransomware over large parts of the IT network with relative ease. The attack could have been far worse. The attacker could have targeted medical devices, destroyed data at scale, used auto-propagation mechanisms such as those used in the WannaCry ransomware attacks, and could also have targeted cloud systems.

The HSE made it clear that it would not be paying the ransom. On May 20, 2021, 6 days after the HSE shut down all HSE IT system access to contain the attack, the attackers released the keys to decrypt data. Had it not been for a strong response to the attack and the release of the decryption keys the implications could have been much more severe. Even with the keys to decrypt data it took until September 21, 2021, for the HSE to successfully decrypt all of its servers and restore around 99% of its applications. The HSE estimated the cost of the attack could rise to half a billion Euros.

Ireland’s Largest Employer Had No CISO

PWC said the attack was possible due to a low level of cybersecurity maturity, weak IT systems and controls, and staffing issues.  PWC said there was a lack of cybersecurity leadership, as there was no individual in the HSE responsible for providing leadership and direction of its cybersecurity efforts, which is very unusual for an organization with the size and complexity of the HSE. The HSE is Ireland’s largest employer and had over 130,000 staff members and more than 70,000 devices at the time of the attack, but the HSE only employed 1,519 staff in cybersecurity roles. PWC said employees with responsibility for cybersecurity did not have the necessary skills to perform the tasks expected of them and the HSE should have had a Chief Information Security Officer (CISO) with overall responsibility for cybersecurity.

Lack of Monitoring and Insufficient Cybersecurity Controls

The HSE did not have the capability to effectively monitor and respond to security alerts across its entire network, patching was sluggish and updates were not applied quickly across the IT systems connected to the National Health Network. The HSE was also reliant on a single anti-malware solution which was not being monitored or effectively maintained across its entire IT environment. The HSE also continued to use legacy systems with known security issues and remains heavily reliant on Windows 7.

“The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organizations face today,” concluded PWC. “It does not have sufficient subject matter expertise, resources, or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale. There were several missed opportunities to detect malicious activity, prior to the detonation phase of the ransomware.”

Similar vulnerabilities in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations can be applied beyond the HSE to improve cybersecurity and make it harder for attacks such as this to succeed.

The PWC report, recommendations, and learnings from the incident can be found here (PDF).

The post Learnings from a Major Healthcare Ransomware Attack appeared first on HIPAA Journal.

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

Posted by HIPAA Journal

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act.

New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties.

The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to establish APIs to allow patients to access their EHI; however, providing patients with easy access to their healthcare data has the potential to introduce security vulnerabilities.

Health-ISAC says that in order to provide easy access to patient data, multiple privacy, security, and usability challenges need to be addressed, all of which are rooted in identity. When users request access to their data, strong authentication controls must be in place to verify that the person requesting EHI is who they say they are. For many years, patient matching problems have plagued the healthcare industry, and without a national patient identifier, those problems exist to this day. Those issues must also be addressed to ensure the correct EHI is provided.  Also, if an individual wants to only share part of their EHI, it needs to be possible for a portion of the data to be easily shared.

H-ISAC Framework for Managing Identity

Health-ISAC suggests a Framework for Managing Identity (above) that covers all of those functions; however, privacy and security issues also need to be addressed. For example, if a patient wants to authorize the use of EHI on behalf of someone else that he/she cares for, such as an elderly relative or a minor child, that must be possible. It must also be possible for a patient to delegate access privileges if they are being cared for by someone else, and for appropriate authentication controls to be in place to accommodate such requests. API-level security is also required. FHIR APIs are in the public domain, so they must be secured after authorization to use is granted.

Health-ISAC suggests that healthcare organizations should adopt an identity-centric approach to data sharing to solve these issues. “The most effective way of mitigating the risk that these issues pose to organizations is through the implementation of a modern, robust, and secure identity infrastructure that can securely authenticate and authorize users and incoming requests, enforce the appropriate consent requests, and tightly govern the use of identities,” said Health-ISAC. “By design, this is exactly what the Health-ISAC framework is meant to achieve.”

Additionally, Health-ISAC strongly recommends implementing multi-factor authentication, as while this is not explicitly required by the new ONC and CMS Rules, guidance issued by the government strongly points to the use of MFA. There are risks associated with not implementing MFA due to its importance for authentication.  The HHS’ Office for Civil Rights (OCR) has fined health organizations for HIPAA violations related to inadequate authentication in the past. Health-ISAC has produced a white paper – All About Authentication – which explains the best approach for implementing MFA.

“Identity is a journey. As the healthcare industry focuses on digital adoption, identity will continue to play a foundational role. Whether your implementation of a modern identity system is driven by regulatory and compliance requirements, security and privacy concerns, or a desire to improve customer experience, a well-architected, robust digital identity solution can address all of these drivers,” concludes Health-ISAC.

The post Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access appeared first on HIPAA Journal.

APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

Posted by HIPAA Journal

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus.

The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus prior to version 11306, ServiceDesk Plus MSP prior to version 10530, and SupportCenter Plus prior to version 11014. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the flaw will allow remote code execution.

The alert warns that APT actors and other threat groups are believed to be exploiting the vulnerability to upload executable files and place webshells on vulnerable systems. The webshells allow a range of different post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Zoho released a security advisory and patch to correct the CVE-2021-44077 flaw on September 16, 2021, with a further alert issued on November 22, 2021, warning that the vulnerability was being exploited in the wild. The first know exploits of the vulnerability were used in late October 2021, prior to any proof-of-concept exploit being publicly released, indicating the exploit for the vulnerability was developed by the APT actor.

According to Palo Alto Networks, the APT actor has conducted three campaigns this year, first exploiting the CVE-2021-40539 in attacks on US ports and defense firms, the second exploited the same vulnerability on targets in a range of different sectors, including healthcare, with the latest campaign exploiting the CVE-2021-44077 vulnerability in attacks on the healthcare, education, technology, defense, finance, and entertainment sectors.

In the latest campaign, the APT actor exploits the flaw by sending two requests to the REST API, one uploads an executable file and the second launches the payload. The flaw can be exploited without authentication on vulnerable ServiceDesk servers and has been exploited to deliver a variant of the Godzilla webshell that is different from the variant used in the first two campaigns.

Palo Alto Networks has found evidence that suggests the attack may be conducted by the Chinese nation-state APT group tracked as APT 27/Emissary Panda, although the evidence is not sufficient to attribute the attacks to that group. The attacks have mostly been conducted in the United States, with a small number of attacks conducted on targets in India, Turkey, Russia, and the UK.

The FBI and CISA have shared technical details of the attacks, indicators of compromise, network indicators, and YARA rules in the security Alert AA21-336A.

The post APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells appeared first on HIPAA Journal.

APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

Posted by HIPAA Journal

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus.

The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus prior to version 11306, ServiceDesk Plus MSP prior to version 10530, and SupportCenter Plus prior to version 11014. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the flaw will allow remote code execution.

The alert warns that APT actors and other threat groups are believed to be exploiting the vulnerability to upload executable files and place webshells on vulnerable systems. The webshells allow a range of different post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Zoho released a security advisory and patch to correct the CVE-2021-44077 flaw on September 16, 2021, with a further alert issued on November 22, 2021, warning that the vulnerability was being exploited in the wild. The first know exploits of the vulnerability were used in late October 2021, prior to any proof-of-concept exploit being publicly released, indicating the exploit for the vulnerability was developed by the APT actor.

According to Palo Alto Networks, the APT actor has conducted three campaigns this year, first exploiting the CVE-2021-40539 in attacks on US ports and defense firms, the second exploited the same vulnerability on targets in a range of different sectors, including healthcare, with the latest campaign exploiting the CVE-2021-44077 vulnerability in attacks on the healthcare, education, technology, defense, finance, and entertainment sectors.

In the latest campaign, the APT actor exploits the flaw by sending two requests to the REST API, one uploads an executable file and the second launches the payload. The flaw can be exploited without authentication on vulnerable ServiceDesk servers and has been exploited to deliver a variant of the Godzilla webshell that is different from the variant used in the first two campaigns.

Palo Alto Networks has found evidence that suggests the attack may be conducted by the Chinese nation-state APT group tracked as APT 27/Emissary Panda, although the evidence is not sufficient to attribute the attacks to that group. The attacks have mostly been conducted in the United States, with a small number of attacks conducted on targets in India, Turkey, Russia, and the UK.

The FBI and CISA have shared technical details of the attacks, indicators of compromise, network indicators, and YARA rules in the security Alert AA21-336A.

The post APT Actor Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells appeared first on HIPAA Journal.