PoC Exploit Published for CISCO AnyConnect Secure Vulnerability

Proof-of-concept exploit code has been released for a high-severity vulnerability in Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. Users who have yet to apply the patch should do so immediately to prevent exploitation: unpatched flaws in Cisco's VPN client software have been targeted by malicious actors in the past.

Cisco Secure Client (the successor to AnyConnect Secure Mobility Client) is a remote access solution that allows employees to connect to the corporate network from any location over a Virtual Private Network, and it is also used by IT admins for endpoint management. The vulnerability is tracked as CVE-2023-20178 and has a CVSS base score of 7.8.

The vulnerability affects the client update process and can be exploited by an authenticated, local attacker to elevate privileges to SYSTEM. It is due to improper permissions on a temporary directory created during the update process and can be exploited by abusing a specific function of the Windows Installer process. An attack has low complexity, requires only low privileges, and requires no user interaction. The vulnerability was discovered by security researcher Filip Dragovic, who reported the flaw to Cisco. He recently published the PoC exploit after successfully testing it on Secure Client version 5.0.01242 and AnyConnect Secure Mobility Client version 4.10.06079.

Cisco says there are no workarounds; patching is the only way to fix the vulnerability and prevent exploitation. A patch was released on June 13, 2023, and at the time of release there had been no detected instances of exploitation. The flaw has been corrected in AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.
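Because the only remediation is the fixed release, the practical check is an inventory audit. The script below is an added example, not code from Cisco, the researcher, or HIPAA Journal. It takes an exported software inventory (the `DisplayName`/`DisplayVersion` values from the Windows Uninstall registry keys, as an SCCM or Intune report would list them) and flags hosts still on an affected build. Two things are assumed and should be confirmed against the Cisco advisory: that 4.10MR7 and 5.0MR2 correspond to builds 4.10.07061 and 5.0.02075, and that every 4.x build before 4.10MR7 and every 5.0 build before 5.0MR2 is affected while 5.1 and later are not. The sample inventory is constructed for the example. Note the version parsing: Cisco build strings such as `4.10.06079` must be compared numerically, since a plain string comparison would order `4.10` before `4.9`.

```python
"""Audit a software inventory export for clients affected by CVE-2023-20178.

Added example. Assumptions (confirm against the Cisco advisory): 4.10MR7 is
build 4.10.07061, 5.0MR2 is build 5.0.02075, every 4.x build below 4.10MR7
and every 5.0 build below 5.0MR2 is affected, and 5.1+ is out of scope.
"""
from __future__ import annotations

import csv
import io

# Assumed build numbers of the fixed releases named in the advisory.
FIXED_BUILDS = {
    (4, 10): (4, 10, 7061),  # 4.10MR7
    (5, 0): (5, 0, 2075),    # 5.0MR2
}

# DisplayName prefixes of the two affected products as they appear in the
# Windows Uninstall registry keys.
PRODUCT_NAMES = ("Cisco AnyConnect Secure Mobility Client", "Cisco Secure Client")


def parse_version(text: str) -> tuple[int, ...]:
    """'4.10.06079' -> (4, 10, 6079), so that 4.10 sorts after 4.9."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True if the installed build predates the fixed release for its line."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_BUILDS:
        return v < FIXED_BUILDS[line]
    if line < (4, 10):
        return True   # older 4.x lines: the fixed release is 4.10MR7 (assumption)
    return False      # 5.1 and later are not listed as affected (assumption)


# Constructed sample export (hostname, DisplayName, DisplayVersion); not real data.
SAMPLE_INVENTORY = """hostname,display_name,display_version
ws-001,Cisco AnyConnect Secure Mobility Client,4.10.06079
ws-002,Cisco AnyConnect Secure Mobility Client,4.10.07061
ws-003,Cisco Secure Client,5.0.01242
ws-004,Cisco Secure Client,5.0.02075
ws-005,Cisco AnyConnect Secure Mobility Client,4.9.06037
ws-006,Cisco Secure Client,5.1.00000
ws-007,7-Zip,23.01
"""


def audit(inventory_csv: str) -> dict[str, list[str]]:
    """Split hosts running either product into vulnerable / not_vulnerable lists.

    Rows for other software are ignored.
    """
    result: dict[str, list[str]] = {"vulnerable": [], "not_vulnerable": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not row["display_name"].startswith(PRODUCT_NAMES):
            continue
        bucket = "vulnerable" if is_vulnerable(row["display_version"]) else "not_vulnerable"
        result[bucket].append(row["hostname"])
    return result


if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run against a real export, the `vulnerable` list is the patch queue; hosts whose `DisplayVersion` equals the PoC's tested builds (4.10.06079 and 5.0.01242) will land there.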

The post PoC Exploit Published for CISCO AnyConnect Secure Vulnerability appeared first on HIPAA Journal.

Kannact & Vincera Institute Fall Victim to Cyberattacks

Kannact Inc., an Albany, OR-based home care service, says it detected unauthorized access to its computer network on March 13, 2023. A third-party cybersecurity firm was engaged to investigate the incident and confirmed that the parts of the network that were accessed contained patients’ protected health information, although, at this stage of the investigation, it is unclear if patient data was viewed or copied from its systems. Kannact has received no reports at the time of providing notice to indicate any misuse of patient data.

The review of the files that could potentially have been accessed revealed they contained a range of information, which varied from individual to individual. Information potentially compromised included names in combination with one or more of the following data elements: date of birth, address, phone number, Social Security Number, driver’s license number, and health information such as medical diagnosis, treatment information, and pharmaceutical records.

Kannact said that it disabled its third-party managed file transfer software, deactivated all related API keys, and is improving its patient data ingestion process. Individuals whose Social Security and driver’s license numbers were impacted have been offered complimentary credit monitoring and identity theft protection services.

The incident was reported to the HHS’ Office for Civil Rights on June 20, 2023, as affecting up to 103,547 individuals.

Vincera Institute Falls Victim to Ransomware Attack

Vincera Institute in Philadelphia, PA, has confirmed that it fell victim to a ransomware attack on April 29, 2023. Immediate action was taken to secure its systems and prevent further unauthorized access to its network and patient information, and cybersecurity professionals were engaged to investigate the incident. In a June 20, 2023, press release, Vincera Institute said the investigation into the data breach is ongoing, but it has been determined that the threat actors behind the attack had access to parts of its network that contained patient information; however, no evidence has been found that patient data was actually viewed or misused.

The files potentially accessed in the attack included full names, addresses, phone numbers, email addresses, Social Security numbers, date of birth, medical histories and treatment records, insurance information, and other information provided by patients. Security safeguards have been enhanced in response to the incident, and monitoring processes have been improved.

The incident was reported to the HHS’ Office for Civil Rights on June 20, 2023, in four breach reports, covering Vincera Imaging LLC (5,000 individuals), Vincera Rehab LLC (5,000 individuals), Vincera Surgery Center (5,000 individuals), and Core Performance Physicians, dba Vincera Core Physicians (10,000 individuals).

The post Kannact & Vincera Institute Fall Victim to Cyberattacks appeared first on HIPAA Journal.

Critical Vulnerability in VMware Aria Operations for Networks Now Actively Exploited

VMware has confirmed that a remote code execution vulnerability in the VMware Aria Operations for Networks (previously vRealize Network Insight) network analytics tool is now being exploited in the wild. The vulnerability is tracked as CVE-2023-20887, has a CVSS severity score of 9.8, and has been fixed by a patch for the affected 6.x releases.

A proof-of-concept exploit for the pre-authentication command injection vulnerability was published on June 13, 2023, by security researcher Sina Kheirkhah of Summoning Team. Exploitation of the flaw on unpatched systems started two days later. Researchers at the cybersecurity firm GreyNoise detected mass-scanning activity to identify unpatched systems shortly after the PoC exploit was published. The vulnerability is one of three recently disclosed vulnerabilities in VMware Aria Operations for Networks, the other two being another critical flaw, CVE-2023-20888, and an important flaw, CVE-2023-20889. VMware released patches for all three flaws (advisory VMSA-2023-0012) around two weeks before exploitation was confirmed. All three were identified by Kheirkhah and reported to VMware, although the exploited CVE-2023-20887 flaw had previously been discovered and reported to VMware by an anonymous security researcher.

CVE-2023-20887 can be exploited by a malicious actor with network access to VMware Aria Operations for Networks in a command injection attack that leads to remote code execution; no credentials are required. CVE-2023-20888 can be exploited by a malicious actor with network access to VMware Aria Operations for Networks and valid "member" role credentials to perform a deserialization attack, also resulting in remote code execution. The third vulnerability, CVE-2023-20889, can be exploited to perform a command injection attack resulting in information disclosure.

VMware says there are no workarounds. The only way to address the flaws is to apply the fix. All VMware Aria Operations for Networks 6.x on-premises installations must be patched to prevent exploitation; the patches for all three flaws are documented in VMware knowledge base article KB92684.

The post Critical Vulnerability in VMware Aria Operations for Networks Now Actively Exploited appeared first on HIPAA Journal.