According to a recent security advisory issued by the Five Eyes Cybersecurity agencies in the US, UK, Canada, Australia, and New Zealand, the most common attack vectors used by cyber threat actors for initial access to networks are exploits of public-facing applications, external remote services, trusted relationships, phishing, and compromised credentials for valid user accounts.

These attack methods often succeed due to poor security practices, bad cyber hygiene, weak controls, and poor security configurations. The security advisory details the most commonly exploited controls and practices and provides recommendations for mitigations to strengthen security and block these attack vectors.

Top 10 Security Weaknesses Exploited by Hackers

The top ten security weaknesses exploited by hackers consist of poor security practices, weak security controls, and misconfigurations and unsecured systems, which allow the most common attack vectors to be used.

Slow software updates and patching

The failure to update software promptly and apply patches for known vulnerabilities gives attackers a window of opportunity for exploiting the vulnerabilities. Exploits for vulnerabilities are often released publicly within days or weeks. Vulnerabilities can be exploited to gain access to sensitive information, conduct denial-of-service attacks, or take full control of vulnerable systems. Slow patching is one of the commonest poor security practices.

Open ports and misconfigurations that expose services to the Internet

Another commonly identified vulnerability is the failure to close open ports. Hackers continuously scan for open ports and misconfigured services that expose systems to the Internet. The compromising of these services can provide attackers with initial access. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.

Failure to enforce multifactor authentication

Multifactor authentication should be enforced on all accounts to block attempts to use stolen credentials. This is especially important for Remote Desktop Protocol, other remote services, and accounts with administrative privileges. The lack of multifactor authentication for RDP is commonly exploited in ransomware attacks.

Use of default credentials and configurations

The failure to change default credentials provides attackers with easy access, as default credentials are often in the public domain. Default configurations are typically excessively permissible to ensure they are user-friendly, and the failure to change configurations can give attackers an avenue for exploitation.

Insufficient controls for remote access

Remote services are commonly targeted by threat actors who exploit a lack of sufficient authentication controls, such as no multifactor authentication. In addition to enforcing MFA, network defenders should consider implementing a boundary firewall in front of a VPN and IDS/IPS sensors to detect anomalous activity.

Incorrectly applied privileges or permissions, and errors within access control lists

Incorrectly applied privileges or permissions can prevent access control rules from being enforced, which could allow system processes or unauthorized users to be granted access to objects.

Poor password policies

Many different methods can be used to exploit weak, leaked, or compromised passwords to access victims’ systems. Policies should be set and enforced requiring strong, unique passwords to be used. Weak RDP passwords are commonly exploited.

Unprotected cloud services

Misconfigurations and poor security configurations can leave cloud services unprotected, giving threat actors easy access to sensitive data and permitting cryptojacking using cloud servers.

Insufficient phishing defenses

Phishing is one of the leading ways that threat actors gain a foothold in networks. Email security solutions should be used that have strong antivirus controls, use behavioral analysis to identify malware, and have the capability to scan embedded links. Security awareness training should be regularly provided to the workforce.

Poor endpoint detection and response

Endpoint detection solutions should be implemented that go beyond signature-based detection methods as threat actors commonly use obfuscated malicious scripts and PowerShell to bypass endpoint security solutions such as antivirus software.

Suggested Mitigations

The security alert includes several mitigations that can help network defenders strengthen security and protect against these commonly exploited weak security controls and practices. The suggested mitigations are concerned with controlling access, credential hardening, establishing centralized log management, deploying antivirus and other detection tools, conducting vulnerability scans, establishing a robust patch management program, and maintaining a rigorous configuration management program.

The post Cybersecurity Agencies Share Most Common Attack Vectors for Initial Access and Recommended Mitigations appeared first on HIPAA Journal.

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has published an Operational Continuity-Cyber Incident (OCCI) checklist which serves as a flexible template for responding to and recovering from serious cyberattacks that cause extended system outages, such as ransomware attacks.

Ransomware attacks on healthcare organizations increased significantly during the pandemic and continue to be conducted at elevated levels. Ransomware threat actors steal sensitive data that has a high value on the black market, threaten to publish that data to pressure visitors into paying, and the extended system outages due to the attacks can cause considerable financial losses, increasing the probability of the ransom being paid. Warnings have recently been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) about ransomware groups that are actively targeting critical infrastructure, including healthcare organizations.

In addition to cybercriminal groups, hospitals are a target for nation-state threat actors. The Five Eyes cybersecurity agencies recently warned that there is an elevated threat of cyberattacks on critical infrastructure in retaliation to the sanctions imposed on Russia by the United States. There is also a risk that healthcare organizations may fall victim to cyber incidents that have been directed at organizations in Ukraine, as was the case with the NotPetya wiper malware attacks in 2017. The development and release of the checklist were accelerated in light of the rising geopolitical tensions from the Ukraine-Russia conflict, and the increased threat to healthcare organizations in the United States.

Due to the high risk of attacks, healthcare organizations need to prepare for attacks and ensure that the business can continue to operate should it not be possible to immediately restore access to critical systems. Having an incident response plan that can be immediately implemented will help to minimize the damage caused and the impact on patients and medical services.

The OCCI toolkit includes a checklist of the steps that should be taken during the first 12 hours after a security incident occurs and outlines actions and considerations for the duration of cybersecurity incidents. The checklist is broken down into role-based modules that align with the Incident Command System but can be refined or modified to match the size, resources, complexity, and capabilities of different organizations, from small physician practices up to large hospitals and health systems.

An incident commander should be appointed to provide overall strategic direction on all response actions and activities, a medical-technical specialist should advise the Incident Commander on issues related to the response, and a public information officer is required to communicate with internal and external stakeholders, site personnel, patients and their families, and the media. The checklist also provides a list of steps that need to be completed by the safety officer and section chiefs. For smaller organizations, those roles may need to be combined to suit their organizational structures.

The checklist was created from input provided by leading health sector cybersecurity and emergency management executives that participate in the HSCC Incident Response/Business Continuity (IRBC) Task Group.

The post Operational Continuity-Cyber Incident Checklist Published by HSCC appeared first on HIPAA Journal.

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021.

Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks against a wide range of industry sectors, including public and private sector organizations. 11 of the most routinely targeted vulnerabilities were publicly disclosed in 2021, although older vulnerabilities continue to be exploited. The 15 most exploited vulnerabilities include 9 that allow remote code execution, 2 elevation of privilege flaws, and security bypass, path traversal, arbitrary file reading, and arbitrary code execution flaws.

Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor allowing the execution of arbitrary code, which would give the attacker full control of a vulnerable system. The vulnerability was only disclosed publicly in December 2021, yet still ranked first as the most commonly exploited vulnerability, demonstrating how hackers can quickly weaponize and exploit vulnerabilities before organizations can patch. The flaw was rated one of the most serious vulnerabilities to be discovered in the past decade.

The remote code execution vulnerability in Zoho ManageEngine AD SelfService Plus – CVE-2021-40539 – has a 9.8 CVSS severity rating and was the second most exploited vulnerability, with attacks exploiting the vulnerability continuing in 2022. The flaw can be exploited remotely and allows web shells to be implanted in a network, allowing the attacker to compromise credentials, move laterally, and exfiltrate sensitive data.

The ProxyLogon flaws in Microsoft Exchange email servers were also extensively exploited. These flaws – CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – allow remote attackers to execute arbitrary code on vulnerable exchange servers to gain access to files and mailboxes on the servers, along with any credentials stored on the servers.

Three ProxyShell vulnerabilities made the top 15 list. These vulnerabilities – CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – can be exploited on Microsoft Exchange email servers that have the Microsoft Client Access Service (CAS) exposed to the Internet. This is a common configuration that allows users to access their emails on their mobile devices and via web browsers. The flaws can be exploited to remotely execute arbitrary code on vulnerable servers.

In many cases, vulnerabilities were exploited within two weeks of the vulnerabilities being publicly disclosed, most commonly as a result of security researchers publishing proof-of-concept exploits, which helped a much broader range of threat actors quickly exploit the vulnerabilities before organizations had the time to patch.

A further 21 vulnerabilities are listed that are also routinely exploited, including many from 2021 and some dating back to 2017.  Patching these vulnerabilities promptly will ensure they cannot be exploited. The Five Eyes agencies have also included a list of mitigations that make it harder for threat actors to exploit these and other vulnerabilities.

The post 15 Most Exploited Vulnerabilities in 2021 appeared first on HIPAA Journal.