The FBI Cyber Division has issued a Private Industry Notification advising enterprises still using Windows 7 within their infrastructure to upgrade to a supported operating system due to the risk of security vulnerabilities in the Windows 7 operating system being exploited.

The FBI has observed an increase in cyberattacks on unsupported operating systems once they reach end-of-life status. Any organization that is still using Windows 7 on devices faces an increased risk of cybercriminals exploiting vulnerabilities in the operating system to remotely gain network access. “As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” warned the FBI.

The Windows 7 operating system reached end-of-life on January 14, 2020 and Microsoft stopped releasing free patches to correct known vulnerabilities. Microsoft is only providing security updates for Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate if users sign up for the Extended Security Update (ESU) program. The ESU program will only run until January 2023, and the cost of continued support increases the longer a customer participates in the program. While security updates are being released for customers that have signed up for the ESU program, the FBI and Microsoft strongly advise users of Windows 7 to upgrade to Windows 10 or a fully supported operating system.

Updating an operating system is not without its challenges. New devices may need to be purchased and new software comes at a cost, but the cost will be negligible compared to the cost of the loss of intellectual properly and threats to an organization from the continued use of an operating system that is no longer supported.

Many organizations around the world are still using Windows 7 on at least some of their Windows devices. Data from Statcounter indicates around 20% of all Windows devices are still running Windows 7, even though free security updates are no longer being issued. An open source report published in May 2019 found that 71% of Windows devices used in healthcare were using Windows 7 or other operating systems that became unsupported in January 2020.

The FBI warned that increases in successful cyberattacks have been observed in healthcare when operating systems have reached end of life. When support for Windows XP ended on April 28, 2014, the industry saw a large increase in the number of exposed and compromised healthcare records the following year.

The FBI explained that cybercriminals are continuing to search for entry points into legacy Windows operating systems in order to leverage Remote Desktop Protocol (RDP) exploits. In May 2019, following the discovery of the BlueKeep vulnerability, Microsoft released patches for all supported operating systems and also a patch for Windows XP and other unsupported operating systems in order to prevent a WannaCry-style attack.  Since the vulnerability was discovered, working exploits have been developed to exploit the flaw and are still being used to attack unpatched Windows devices.

Vulnerabilities will be found and exploited on unpatched systems. When Microsoft released the MS17-010 patch to address several SMBv1 vulnerabilities in March 2017, many organizations were slow to apply the patch, even though there was a high risk exploitation. The WannaCry ransomware attacks exploiting the flaws started in May 2017. 98% of systems infected with WannaCry were running Windows 7.

“With fewer customers able to maintain a patched Windows 7 system after its end of life, cybercriminals will continue to view Windows 7 as a soft target” warned the FBI.

When organizations use an actively supported operating system, patches are automatically made available to fix newly discovered security vulnerabilities. Upgrading to a supported operating system is one of the most important steps to take to improve security.

“Defending against cyber criminals requires a multilayered approach, including validation of current software employed on the computer network and validation of access controls and network configurations,” explained the FBI in the alert.

In addition to upgrading the operating system and applying patches promptly, organizations should ensure antivirus software is installed, spam filters are used, and firewalls should be implemented, properly configured, and kept up to date.

Network configurations should be audited and any computer systems that cannot be updated should be isolated. The FBI also recommends auditing the network for systems using RDP and closing unused RDP ports. 2-factor authentication should be implemented as widely as possible and all RDP login attempts should be logged.

If there are reasons why Windows 7 devices cannot be updated and devices cannot be completely isolated, they should not be accessible over the internet and organizations should enroll in Microsoft’s ESU program.

The post FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System appeared first on HIPAA Journal.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns.

Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT which is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government.

CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location and gain persistent access to victims’ networks and for further network exploitation.

Two versions of the malware have been identified which are being used to target 32-bit and 64-bit systems. Taidoor is downloaded onto victims’ systems as a service dynamic link library (DLL) and consists of two files: A loader that is started as a service, which decrypts and executes a second file in the memory. The second file is the main Taidoor Remote Access Trojan (RAT). The Taidoor RAT provides gives the attackers persistent access to enterprise networks and allows data exfiltration and other malware to be downloaded.

CISA has published a Malware Analysis Report that includes confirmed indicators of compromise (IoCs), suggested mitigations, and recommended actions that can improve protection against Taidoor malware attacks. In the event of an attack, victims should give the activity the highest priority for enhanced mitigation and the attack should be reported to either CISA or FBI Cyber Watch.

CISA recommended actions for administrators include maintaining up to date antivirus signatures, keeping operating systems and software patched, disabling file and printer sharing (or using strong passwords if file and printer sharing is needed), restricting the use of admin privileges, exercising caution when opening email attachments, implementing a strong password policy, enabling firewalls on all workstations to deny unsolicited connection requests, disabling unnecessary services on workstations, monitoring users’ web browsing habits, and scanning all software downloaded from the Internet prior to execution.

The IOCs, mitigations, and recommendations can be found here.

The malware warning follows a joint alert issued by CISA and the FBI in May about attempts by Chinese hackers to gain access to the networks of organizations involved in COVID-19 research and vaccine development to steal intellectual property and public health data. The agencies have observed an increase in attacks spreading malware under the guise of updates on COVID-19 and spear phishing attacks using COVID-19 themes lures. In July, the Department of Justice announced that two Chinese hackers had been indicted for hacking US healthcare firms, government agencies, medical research institutions and other targets.

The post CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT appeared first on HIPAA Journal.

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving NetWalker ransomware. NetWalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services.

The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research.

The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities in Virtual Private Networking (VPN) appliances such as the Pulse Secure VPN flaw (CVE-2019- 11510) and Telerik UI (CVE-2019-18935).

The threat group is also known to attack insecure user interface components in web applications. Mimikatz is deployed to steal credentials, and the penetration testing tool PsExec is used to gain access to networks. Prior to encrypting files with NetWalker ransomware, sensitive data is located and exfiltrated to cloud services. Initially, data was exfiltrated via the MEGA website or by installing the MEGA client application directly on a victim’s computer and more recently through the website.dropmefiles.com file sharing service.

Earlier this year, the NetWalker operators started advertising on hacking forums looking to recruit a select group of affiliates that could provide access to the networks of large enterprises. It is unclear how successful the group has been at recruiting affiliates, but attacks have been increasing throughout June and July.

The FBI has advised victims not to pay the ransom and to report any attacks to their local FBI field office. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” explained the FBI in the alert. “Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

A range of different techniques are being used to gain access to networks so there is no single mitigation that can be implemented to prevent attacks from being successful. The FBI recommends keeping all computers, devices, and applications up to date and applying patches promptly. Multi-factor authentication should be implemented to prevent stolen credentials from being used to access systems, and strong passwords should be set to thwart brute force attempts to guess passwords. Anti-virus/anti-malware software should be installed on all hosts and should be kept updated, and regular scans should be conducted.

To ensure recovery from an attack is possible without paying the ransom, organizations should backup all critical data and store those backups offline on a non-networked device or in the cloud. The backup should not be accessible from the system where the data resides. Ideally, create more than one backup copy and store each copy in a different location.

The post FBI Issues Flash Alert Warning of Increasing NetWalker Ransomware Attacks appeared first on HIPAA Journal.

The biomedical community is working hard to develop vaccines against SARS-CoV-2 and discover new treatments for COVID-19 and nation-state hackers and cybercriminal organizations are targeting those organizations to gain access to their research data.

Recently, security agencies in the United States, Canada, and the United Kingdom issued alerts about state-sponsored Russian hackers targeting organizations involved in COVID-19 research and vaccine development. The security agencies had found evidence that the Russian hacking group APT29 was actively conducting scans against the external IP addresses of companies engaged in COVID-19 research and vaccine development, and that it was almost certain that the hackers were working with the Russian intelligence services.

An joint alert was also issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI indicating hackers linked to China were conducting similar attacks on pharmaceutical companies and academic research facilities to obtain intellectual property and sensitive data related to COVID-19. There have also been reports that hackers in Iran are conducting similar attacks.

In light of the recent attacks and targeting of research facilities, BitSight conducted a study to determine how well COVID-19 vaccine manufacturers and biomedical companies are performing at protecting their systems and data from hackers. BitSight researchers assessed 17 companies for the study, each of which has a major role in COVID-19 research and vaccine development. Those companies ranged from small firms with fewer than 200 employees to large companies with more than 200,000 employees.

BitSight found several security vulnerabilities that could be exploited by hackers to gain access to intellectual property and vaccine and COVID-19 research data. The security vulnerabilities were divided into four areas: Open ports, unpatched vulnerabilities, web application security, and systems that had already been compromised.

BitSight found 8 of the 17 companies had their systems compromised in the past year and had computers that were part of a botnet, and 7 companies had computers added to a botnet in the past 6 months. BitSight searched for software running on systems that the companies likely did not install. These Potentially Unwanted Programs (PUPs) were found on 9 company systems and 8 companies had PUPS installed in the past 6 months. Five companies had computers that were sending spam and the researchers identified unsolicited communications at three companies. Compromised systems show the companies’ security controls have failed and that the companies could, or already have been, hacked by adversaries seeking access to COVID-19 data.

The majority of companies had open ports which exposed insecure services over the internet, including 7 companies with exposed Microsoft RDP and a further 7 with LDAP exposed. 5 companies had exposed MySQL, MS SQL or Postgres SQL databases and a further 5 had an exposed Telnet service. The exposed Microsoft RDP was of particular concern, since hackers and ransomware gangs are actively searching for exposed RDP devices.

14 of the 17 companies were found to have unpatched vulnerabilities that could potentially be exploited remotely by hackers.  10 companies had more than 10 unpatched vulnerabilities and 6 had unpatched vulnerabilities with a CVSS score greater than 9.

Web application security issues were also common, such as insecure redirects from HTTPS to HTTP, insecure authentication, and a mixture of secure and insecure content on web pages. Many of the companies had more than one web application security issue. These security issues placed the companies at risk of man-in-the-middle and cross-site scripting attacks, which could potentially result in hackers capturing sensitive data, obtaining credentials, and compromising email systems.

“In light of these risks, the bioscience community must step up its cyber vigilance. It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials,” warned BitSight. “[Companies] must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure — across the extended attack surface and third-party ecosystem. Only then can remediation be prioritized, and life-saving science innovation assured.”

The post Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks appeared first on HIPAA Journal.