Critical Vulnerability Identified in Emerson Appleton UPSMON-PRO

A critical vulnerability has been identified in Emerson Appleton UPSMON-PRO, monitoring and power management software for uninterruptible power supplies. The software is used by healthcare and public health sector organizations to ensure power is maintained for essential equipment.

The vulnerability was identified by security researcher Kimiya, working with the Trend Micro Zero Day Initiative, who reported the issue to the Cybersecurity and Infrastructure Security Agency (CISA). The stack-based buffer overflow vulnerability is tracked as CVE-2024-3871 and has been assigned a CVSS v3.1 base score of 9.3 (CVSS v4 9.8). The vulnerability can be exploited by sending a specially crafted UDP packet to the default UDP port 2601, which overflows a fixed-size buffer on the stack and overwrites adjacent memory, including control data that determines what the process executes next.

Because the UPSMONProService service does not properly validate the data it receives on that port, successful exploitation could allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges.
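The advisory describes the bug class (a UDP datagram copied into a fixed-size stack buffer without a length check) but not the UPSMON-PRO protocol itself. The following is an added example, not UPSMON-PRO code: a hypothetical status-message parser with an assumed wire format (type byte, length byte, body), shown in its vulnerable form and then hardened so that every length is checked before any copy. All names, the message layout, and the sample datagrams are constructed for illustration.

```c
/* Added example (hypothetical protocol, not UPSMON-PRO's): a UDP status
 * message parser in the vulnerable style the advisory describes, then a
 * hardened version. Assumed wire format:
 *   byte 0   message type
 *   byte 1   body length (attacker controlled)
 *   byte 2.. body
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64   /* fixed-size stack buffer, as in the bug class */

/* VULNERABLE (deliberately): copies body_len bytes, taken straight from the
 * packet, into a 64-byte stack buffer without checking it against MSG_MAX or
 * against the real datagram length. A length byte of 0xFF writes up to 191
 * bytes past msg[]. Kept only to show the pattern; never call it on
 * untrusted input. */
int parse_status_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char msg[MSG_MAX];
    if (pkt_len < 2)
        return -1;
    size_t body_len = pkt[1];
    memcpy(msg, pkt + 2, body_len);   /* stack-based buffer overflow */
    msg[body_len] = '\0';
    return (int)strlen(msg);
}

/* HARDENED: validates the header, the in-band length field against the
 * datagram actually received, and the body against the caller's buffer
 * before copying. Returns the body length on success or a negative code
 * saying why the datagram was rejected. */
int parse_status_hardened(const uint8_t *pkt, size_t pkt_len,
                          char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || out_len == 0)
        return -1;
    if (pkt_len < 2)
        return -2;                    /* truncated header */
    size_t body_len = pkt[1];
    if (body_len > pkt_len - 2)
        return -3;                    /* length field exceeds datagram */
    if (body_len >= out_len)
        return -4;                    /* would not fit with the NUL */
    memcpy(out, pkt + 2, body_len);
    out[body_len] = '\0';
    return (int)body_len;
}

/* Builds a constructed oversized datagram: length byte 0xFF followed by
 * 255 bytes of 'A'. Returns the datagram length, or 0 if buf is too small. */
size_t build_oversized_datagram(uint8_t *buf, size_t buf_len)
{
    const size_t total = 2 + 255;
    if (buf_len < total)
        return 0;
    buf[0] = 0x01;
    buf[1] = 0xFF;
    memset(buf + 2, 'A', 255);
    return total;
}

int main(void)
{
    /* constructed well-formed datagram: type 1, body "ONLINE" */
    static const uint8_t good[] = {0x01, 0x06, 'O', 'N', 'L', 'I', 'N', 'E'};
    /* constructed datagram whose length byte lies about its body size */
    static const uint8_t lying[] = {0x01, 0x20, 'x'};
    uint8_t bad[512];
    char out[MSG_MAX];

    int n = parse_status_hardened(good, sizeof good, out, sizeof out);
    printf("well-formed datagram: rc=%d body=\"%s\"\n", n, out);

    size_t bad_len = build_oversized_datagram(bad, sizeof bad);
    n = parse_status_hardened(bad, bad_len, out, sizeof out);
    printf("oversized datagram:   rc=%d (rejected before any copy)\n", n);

    n = parse_status_hardened(lying, sizeof lying, out, sizeof out);
    printf("lying length field:   rc=%d (rejected before any copy)\n", n);
    return 0;
}
```

The hardened parser checks the in-band length against two independent limits: the number of bytes the datagram actually carries (so a lying length field cannot read past the packet) and the size of the destination buffer (so no datagram, however large, can write past it). The mitigation in the advisory of dropping oversized UDP packets at the firewall is a coarse, network-level version of that second check, useful precisely because the software itself cannot be patched.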

The vulnerability affects Appleton UPSMON-PRO versions 2.6 and earlier. Emerson has warned that the affected versions have reached end-of-life, so patches are not being released to fix the vulnerability. Any user who has yet to replace the affected UPSMON-PRO version with an actively supported UPS monitoring solution should do so as soon as possible.

While there is no patch, there are recommended mitigations that reduce the potential for exploitation. Users should block UDP port 2601 at the firewall for all UPSMON-PRO installations, isolate UPS monitoring networks from general corporate networks, configure network-level packet filtering to reject oversized UDP packets destined for port 2601, and monitor the UPSMON-ProSer.exe process for crashes, which are a potential indicator of exploitation attempts.

CISA recommends ensuring that Emerson Appleton UPSMON-PRO is not accessible from the Internet, and if remote access is required, to ensure that secure methods are used to connect remotely, such as virtual private networks running the most up-to-date software version.

The post Critical Vulnerability Identified in Emerson Appleton UPSMON-PRO appeared first on The HIPAA Journal.

The HIPAA Journal Launches the Gold Standard in HIPAA Training for Employees

The HIPAA Journal is launching a new HIPAA employee training program designed to be the gold standard in HIPAA education by combining accurate HIPAA content, practical guidance for employees, and behavior-focused learning. The HIPAA Journal’s mission is to promote patient privacy and data security, and every member of the team is deeply committed to that mission. The design and content of the training were the product of a lengthy process that took over a year and involved dozens of HIPAA experts and hundreds of contributors (privacy officers, compliance officers, IT security managers, practice managers) via surveys.

What Prompted The HIPAA Journal to Publish its Own Online HIPAA Training? 

We report on HIPAA violations and breaches every week and they are increasing every year. We have noticed that many of the HIPAA violations are preventable staff errors. We wondered why this is happening considering everyone in the healthcare sector must be aware of HIPAA. That led us to focus on staff training. We found that existing training is factually inaccurate. Put simply, a lot of HIPAA training is just factually wrong about HIPAA. In many cases, existing training is factually incorrect because it is out-of-date regarding new rules or new guidelines from HHS. But what concerned us most was that so much of the HIPAA training on sale at the moment was incomplete.

We set out to design comprehensive HIPAA training that produces employees who respond more confidently to the common workplace scenarios that lead to HIPAA violations, which in turn reduces the risk of costly breaches and penalties.

Our Training Content 

The topics covered in our training are based on feedback from surveys about what compliance officers and managers want their staff to know, but also how they want their staff to behave. Our core HIPAA training is complete, and we still have several more suggestions for specialist topics. If this training seems longer than other training available online, it may help to put this in perspective: we think a new HIPAA privacy officer or compliance officer needs at least 30 hours of training to cover everything.

We do not expect learners to take the entire course in one session, and we do not expect learners to remember everything. So our training is an annual subscription, and employees can always return to the training at any time for clarification or a refresher on any aspect of the training. We know that some HIPAA training providers restrict access after a number of months, but we think that defeats the purpose.

The core HIPAA training covers the full HIPAA rule set from an employee perspective. We also provide a number of additional modules. The training also addresses state privacy laws that add an extra compliance layer, specifically Texas and California, which both have multiple laws that employees must comply with.  

Motivating Better Employee Behavior

Many HIPAA courses recite regulations (what we call internally “rulebook training”) but do not explain what employees need to actually do in their day-to-day work activities. Our training is designed for employees. The training is focused on motivating better employee behavior rather than overall HIPAA-covered entity compliance.

Too often, HIPAA education is a HIPAA rules recital when it should be a practical playbook. We designed the course to be theory-light and practice-heavy. That translates into not only explaining in practical terms what to do in order to comply with the HIPAA rules, but also how to do it. More importantly, it encourages employees to be responsible for their personal compliance.

Promoting Employee Personal Responsibility

The training emphasizes the personal nature of staff security responsibilities and explains how to recognize and report security incidents. The training highlights that every employee plays a direct role in protecting medical data, whether by following proper procedures, securing physical devices, or remaining alert to suspicious activity. The training explains the consequences of HIPAA violations and data breaches.

Emphasizing the Consequences for Employees of HIPAA Violations

The format of the training is to explain the HIPAA rules and compliance requirements, explain how employees must follow those HIPAA rules in their day-to-day activities, and then explain the negative personal consequences for not complying with HIPAA. Employees learn that if they do not follow HIPAA rules, they can face disciplinary action, termination, personal fines, loss of professional licenses, and even criminal charges in serious cases.

New HIPAA Compliance Challenges: Social Media and Artificial Intelligence Tools

Many everyday tools (email, messaging, social media, and now AI) emerged or evolved after HIPAA’s original rules were written, so staff need additional, targeted training to stay compliant. We have added modules that address these new HIPAA compliance challenges. We’re aware that it’s a fast-evolving problem and that we have to update the training constantly.

The Special Circumstances of Small Medical Practices Employees

One interesting new development in HIPAA training is that we have developed modules for staff working in small medical practices. People working in larger hospitals may rarely encounter family or friends as patients, but staff in small medical practices are much more likely to be locally based and under constant strain to resist inappropriate requests or pressure related to patient information.

Small medical practices also have fewer compliance resources compared with larger HIPAA-covered entities that have full-time HIPAA Compliance Officers, HIPAA Privacy Officers, and HIPAA Security Officers. In small facilities, a staff member with other duties may also be assigned the role of ensuring HIPAA compliance.

Specialized HIPAA Training for Business Associate Employees

HIPAA compliance for employees in HIPAA Business Associates can be particularly challenging because of the physical and perhaps mental distance between these employees and the patients. The extra training for Business Associate staff therefore focuses on explaining why HIPAA applies to them and motivating them to take responsibility for their personal HIPAA compliance.

How Our Online Training Works

The training is delivered online. 

The relevant modules have randomized quizzes drawn from a question bank of over 700 questions. The quizzes force learners to pay attention to the training and reflect on the quiz answers. Learners can retake a quiz as many times as required to get all of the questions correct. A certificate is issued at the end of the course.

The training is an annual subscription and learners have access to the modules whenever they want a refresher on any aspect of the training.

There are separate courses for HIPAA Business Associates and Small Medical Practices.

Training managers have access to all trainee records.

Team Effort with Expert Input

Everyone on The HIPAA Journal team involved in the training content has over 10 years of experience in HIPAA. This was heavily supplemented by the input of over 200 contributors who responded to our surveys about HIPAA training. And finally, I need to thank the privacy and compliance officers who reviewed our training and provided their expert feedback that resulted in several additional modules being added to the originally planned core modules.

One little-understood aspect of HIPAA compliance is the role of IT staff and managers, who make up about one-fifth of our readership and are particularly focused on the HIPAA Security Rule and HIPAA Privacy Rule. Their concerns resulted in a decision to develop a complementary cybersecurity course that delivers security awareness training alongside the HIPAA training.

Feedback Request: We Welcome Your Feedback and Requirements

We’re committed to continuously improving our HIPAA training, enhancing existing modules and adding new modules, so we both welcome and rely on your feedback.

Your feedback directly shapes future modules and updates. Please take a moment to complete our short feedback form and tell us what would make this training even more useful for your organization.


The post The HIPAA Journal Launches the Gold Standard in HIPAA Training for Employees appeared first on The HIPAA Journal.

Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns

Several cybersecurity firms have tracked a surge in ransomware attacks in Q3, 2025, as groups such as Akira, Qilin, and Inc Ransom have stepped up their attacks. According to Beazley Security, a subsidiary of Beazley Insurance, those three groups accounted for 65% of all ransomware attacks in the quarter. Akira had a surge in attacks, conducting 39% of all attacks in the quarter, more than 20 percentage points ahead of the second most active group, Qilin, with 18%, followed by Inc Ransom with 8%.

The Beazley Security Quarterly Threat Report for Q3, 2025, shows an 11% increase in additions to dark web data leak sites compared to Q2, 2025. The biggest increase in attacks came in August, which accounted for 26% of all publicly disclosed attacks in the past six months, with high levels of ransomware activity continuing in September, which accounted for 19% of all disclosed ransomware attacks in the previous six months.

While attacks are up overall, there has not been much change in the rate of attacks on the healthcare sector, which has remained fairly constant, accounting for 12% of attacks in Q2, 2025, and 11% of attacks in Q3, making it the 4th most targeted sector. In Q3, there was a significant increase in attacks targeting the business services sector, which accounted for 28% of attacks, up from 19% in Q2. Professional services & associations was the second most targeted sector, accounting for 18% of attacks in Q3.

Beazley identified some interesting attack trends, including the continuing preference for using compromised credentials for initial access, most commonly compromised credentials for publicly accessible VPN solutions. Compromised VPN credentials were the initial access vector in 48% of attacks in Q3, up from 38% in Q2, 2025, with exploitation of vulnerabilities in Internet-facing services the next most common initial access vector, accounting for 23% of attacks.

Compromised credentials for remote desktop services took third spot, followed by supply chain attacks and social engineering, with each of those attack vectors accounting for around 6% of all attacks in the quarter. While the top three attack vectors remain the same as in Q2, 2025, exploitation of vulnerabilities in Internet-facing services increased and overtook compromised remote desktop credentials to take second spot. The supply of valid credentials comes primarily from infostealer campaigns. A significant law enforcement action, Operation ENDGAME, targeted Lumma Stealer infrastructure, but a subsequent spike in Rhadamanthys infostealer activity shows that demand for stolen credentials remains strong.

Akira typically targets VPNs for initial access, and in Q3, most attacks involved credential stuffing and brute force attempts to guess weak passwords, demonstrating the importance of implementing and enforcing password policies and ensuring that multifactor authentication is used. Any accounts that cannot be protected by MFA should have compensating controls. Akira also exploited vulnerabilities in SonicWall devices at organizations that were slow to patch.

Qilin likewise targeted VPNs using brute force tactics to exploit weak passwords, and also abused valid compromised credentials. Inc Ransom also appears to favor compromised valid credentials, gaining access to victims’ environments via VPNs and remote desktop services.

While accounting for a relatively small number of attacks, Beazley warns that several attacks started with downloads of trojanized software installers, including popular productivity and administrative tools such as PDF editors. Ransomware actors use SEO poisoning to get their malicious download sites to the top of search engine results, along with malicious adverts (malvertising) that direct users to malicious sites.

Executing the downloaded installer may install the desired software, but it also installs malware. This technique was a common initial access vector in Rhysida ransomware attacks that Beazley investigated. Beazley suggests that organizations should consider security tools such as web filters for protecting against these attack vectors, and should ensure that they cover these techniques in organizational security awareness training programs.

The post Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns appeared first on The HIPAA Journal.