Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required

Progress Software has issued a warning about another vulnerability in its MOVEit Transfer file transfer software, an exploit for which is in the public domain. The announcement comes as the Clop ransomware group starts to name companies that were attacked by exploiting a separate zero-day bug in May, and CISA confirms the victims include several federal agencies.

The CVE for the latest vulnerability is still pending and there is no CVSS severity score at present; however, this is a critical vulnerability, and a proof-of-concept (PoC) exploit for the new zero-day flaw has been shared by a security researcher on Twitter, although at the time of release, code execution is not believed to have been achieved. The attacks by the Clop gang demonstrate that MOVEit vulnerabilities can be weaponized and exploited in mass attacks, so mitigations should be implemented immediately and patches applied as soon as they are released.

MOVEit Transfer Zero-Day Mitigations and Fixes

According to Progress Software, all users must take action to address the latest MOVEit zero-day bug. The steps that need to be taken depend on whether patches have been applied to fix the zero-day bug (CVE-2023-34362) that was exploited by Clop and patched on May 31, 2023, and a second critical SQL injection vulnerability – CVE-2023-35036 – for which a patch was released on June 9. The May 31 and June 9 patches and remediation steps should be followed first, if they have not been already; then the June 15, 2023, patch can be applied to fix the third zero-day (CVE pending).

If it is not possible to immediately apply the June 15, 2023, patch, users should disable all HTTP and HTTPS traffic to the MOVEit Transfer environment immediately (ports 80 and 443) to prevent unauthorized access. HTTP and HTTPS traffic should not be re-enabled until the June 15, 2023, patch has been applied. While this mitigation will prevent users from logging into their accounts via the web user interface, transfers will still be available since the SFTP and FTPS protocols will continue to work, and admins will still be able to access MOVEit Transfer by connecting to the Windows server via Remote Desktop and then navigating to https://localhost/.
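One way to apply the interim mitigation above on the MOVEit Transfer host itself, using Windows Defender Firewall. This is an added example for illustration, not code from Progress Software or the advisory; the rule name and the server hostname are assumptions, and an organization that fronts MOVEit with a network firewall or load balancer would block ports 80 and 443 there instead.

```powershell
# Added example (not from the Progress advisory): block inbound HTTP/HTTPS to a
# MOVEit Transfer server until the June 15, 2023, patch has been applied.
# The rule name below is an assumed value; choose one that fits local conventions.
$ruleName = 'MOVEit-Block-Web-Inbound'

# Block inbound TCP 80 and 443 from any remote address on every firewall profile.
# Block rules take precedence over allow rules, so the existing web-server
# allow rules do not need to be touched. SFTP (TCP 22) and FTPS ports are left alone.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -RemoteAddress Any -Action Block -Profile Any -Enabled True

# Verify that the rule exists, is enabled, and covers exactly the intended ports.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# From a separate host, confirm the web UI is no longer reachable.
# 'moveit.example.internal' is a placeholder for the server's address.
Test-NetConnection -ComputerName 'moveit.example.internal' -Port 443

# After the patch is applied and verified, restore web access by removing the rule.
# Remove-NetFirewallRule -DisplayName $ruleName
```

Because Windows Defender Firewall does not filter loopback traffic, an administrator connected over Remote Desktop can still reach https://localhost/ as the advisory describes, while remote browsers are refused. Record the rule name in the change ticket so that re-enabling web traffic after patching is a single, auditable step.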

Details on patching all three vulnerabilities and the mitigation steps are provided in the latest Progress Software alert.

Progress Software said, “We have taken HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPs traffic to safeguard their environments while the patch is finalized.”

Clop Starts Publishing Victims’ Names on Dark Web Data Leak Site

The Clop gang claimed responsibility for the attacks which exploited the May 2023 vulnerability (CVE-2023-34362), and while the victim count is not known, several hundred companies are understood to have been affected. Clop provided a deadline of June 14, 2023, for payment of the ransom demands, after which the group claimed it would start releasing the stolen data. On Wednesday, names started to be published on its data leak site which include the oil and gas company Shell, the University of Georgia (UGA) and University System of Georgia (USG), UnitedHealthcare Student Resources (UHSR), Putnam Investments, Heidelberger Druck, and Landal Greenpark. Several other companies have confirmed that they were affected although they have yet to be listed on the data leak site. Those companies include Zellis, Boots, Aer Lingus, and the BBC.

CISA Confirms Federal Agencies Impacted

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that several federal agencies were attacked by the Clop gang by exploiting the May 2023 vulnerability and that it is providing support to the agencies that have suffered intrusions. Eric Goldstein, CISA executive assistant director for cybersecurity, confirmed to CNN that it is currently trying to understand the impact of those intrusions. CISA Director, Jen Easterly, said the May 2023 attacks were opportunistic in nature and were not targeted at government agencies, and while Clop is a Russian ransomware group, the attacks are not believed to be connected to the Russian government. “Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” said Easterly. Government agencies known to have been affected include the Energy Department, which confirmed that two entities within the Department have been compromised.

The post Progress Software Warns of New MOVEit Zero-Day Vulnerability – Immediate Action Required appeared first on HIPAA Journal.

Great Valley Cardiology Notifies 181,700+ Individuals About PHI Exposure

Commonwealth Health Physician Network-Cardiology, aka Great Valley Cardiology in Scranton, PA, has notified 181,764 current and former patients about a cyberattack and data breach that was discovered on April 13, 2023. The forensic investigation confirmed that the information potentially compromised in the attack included names in combination with addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, bank account and credit/debit card information, diagnosis, medications, lab test results, and health insurance/claims information.

Hackers first gained access to Great Valley Cardiology’s systems on February 2, 2023, and access remained possible until its systems were secured on April 14, 2023. The healthcare provider was reportedly notified about the attack by the Department of Homeland Security, with access to its systems gained as a result of a successful brute force attack.

Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months as a precaution, although there are no indications that there has been any misuse of patient data as a result of the security breach.

EpiSource Confirms Breach of its AWS Environment

The Gardena, CA-based medical coding vendor, EpiSource, has confirmed that the protected health information of patients of its healthcare clients has been exposed and potentially compromised in a February 2023 cyberattack on its Amazon Web Services (AWS) environment.

The cyberattack was detected by its threat detection system on February 20, 2023. The investigation confirmed its AWS environment had been accessed by an unauthorized individual between February 19 and 21, 2023. The forensic investigation confirmed on April 20, 2023, that health and personal information had potentially been accessed or obtained such as names, dates of birth, addresses, phone numbers, medical record numbers, health plan ID numbers, provider information, diagnoses, and medications. EpiSource said security controls and monitoring practices have been enhanced following the attack and affected individuals have been offered one year of complimentary identity theft protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many people have been affected.

Business Associate Data Breach Impacts 25K UPMC Patients

University of Pittsburgh Medical Center (UPMC) has confirmed that approximately 25,000 patients have been affected by a data breach at a business associate that provides billing and collection services. The data breach occurred at Intellihartx LLC, which is issuing notifications to the affected UPMC patients. The breach involved names, addresses, Social Security numbers, and other personal information. Complimentary credit monitoring services have been offered to affected individuals. Intellihartx reported the breach to the Maine Attorney General as affecting 489,830 individuals. Further information on the data breach has been covered by The HIPAA Journal.

Idaho Medicaid Recipients Affected by Data Breach at Claims Processor

The Idaho Department of Health and Welfare has confirmed that the personal information of 2,501 Medicaid recipients has potentially been accessed and/or obtained in a data breach at its claims processor, Gainwell Technologies. An unauthorized individual obtained credentials that allowed access to the Gainwell portal, which in turn allowed access to information such as names, ID numbers, billing codes, and treatment information.

The breach was discovered on May 12, 2023, and following an investigation and review, affected individuals were notified on June 9, 2023. Credit monitoring and identity theft protection services have been offered to affected individuals.

Utah Department of Health and Human Services Notifies 5,800 Health Plan Members About Mailing Error

The Utah Department of Health and Human Services (DHHS) has confirmed that the protected health information of 5,800 Medicaid recipients has been impermissibly disclosed due to a mailing error. As a result of the error, benefit letters were accidentally grouped together and sent to incorrect individuals. The error was discovered on May 8, 2023, and the mailing process was halted to prevent further impermissible disclosures.

The letters included Medicaid benefit information, although only around 200 of the 5,800 individuals affected had either their Medicare health insurance claim number (HICN) or Social Security number disclosed. Those individuals have been offered complimentary credit monitoring services. The DHHS said it has worked with its business associate, Client Network Services (CNSI), to ensure the error is corrected and system testing and quality protocols have been enhanced.

The post Great Valley Cardiology Notifies 181,700+ Individuals About PHI Exposure appeared first on HIPAA Journal.