HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems

A critical vulnerability affecting multiple Oracle products is being exploited in the wild. The vulnerability was dubbed The Miracle Exploit by the security researchers who discovered it, due to its severity and the number of products it affected: all products based on Oracle Fusion Middleware and Oracle online systems. The vulnerability is one of a pair of related vulnerabilities that were discovered two years apart. The vulnerabilities can be chained, and both can lead to remote code execution.

The Oracle Fusion Middleware products are used to build web interfaces for Java EE applications, and any website developed with the ADF Faces framework is affected. The vulnerabilities also affect Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The vulnerabilities are tracked as CVE-2022-21445 (CVSS 9.8) and CVE-2022-21497 (CVSS 8.1) and can be exploited easily by an unauthenticated attacker with network access via HTTP to take over the application. Successful exploitation can lead to a full system compromise and lateral movement within a network. The vulnerabilities could be exploited to steal sensitive data and could be leveraged by ransomware groups in the future.

CVE-2022-21445 is a deserialization of untrusted data vulnerability and CVE-2022-21497 is a server-side request forgery (SSRF) vulnerability. The first vulnerability allows remote code execution, and the second could be exploited for lateral movement to other Oracle systems and can also lead to remote code execution. Oracle released patches to fix the vulnerabilities in April 2022, six months after the CVE-2022-21445 vulnerability was discovered. In September, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-21445 Miracle Exploit vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. No information was released about the extent to which the vulnerability has been exploited, and there have been no public reports of exploitation, although CISA does receive some reports privately.
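Patching is the fix for CVE-2022-21445 itself, but the underlying weakness class (deserializing Java objects from an untrusted HTTP request) also has a generic defensive control in Java 9 and later: a JEP 290 deserialization filter that allowlists the classes a stream may contain and rejects everything else before any class's deserialization logic runs. The following is an added illustration written for this article, not code from Oracle or from the researchers who reported the vulnerability. The `ViewState` class and the filter pattern are assumptions standing in for an application's own legitimate types; in an Oracle product the equivalent allowlist would be configured at the JVM level (`jdk.serialFilter`) rather than per stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Hypothetical application object standing in for a legitimate
    // serialized view-state type that the server expects from clients.
    public static final class ViewState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String page;
        ViewState(String page) { this.page = page; }
    }

    // Allowlist filter (JEP 290 pattern syntax): only ViewState and java.lang.String
    // may be deserialized; the trailing "!*" rejects every other class. The depth and
    // array limits blunt resource-exhaustion payloads that use only allowed classes.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxarray=1000;"
        + DeserializationFilterDemo.class.getName() + "$ViewState;"
        + "java.lang.String;!*");

    // Helper used only to construct sample input for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with the allowlist applied. Returns the object when every class
    // in the stream is permitted, or null when the filter rejected the stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        } catch (InvalidClassException e) {
            // A filter rejection surfaces as InvalidClassException ("filter status: REJECTED").
            // Log it: an unexpected class in client-supplied state is worth an alert.
            System.err.println("rejected serialized input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: the expected type, and an unexpected JDK type
        // of the kind a gadget chain would need to be present in the stream.
        byte[] expected = serialize(new ViewState("/home"));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("ViewState accepted: " + (readFiltered(expected) != null));   // true
        System.out.println("HashMap accepted:   " + (readFiltered(unexpected) != null)); // false
    }
}
```

The filter is evaluated for each class encountered while reading, so a payload that wraps a disallowed class inside an allowed one is still rejected. Setting the same pattern globally with `-Djdk.serialFilter=...` covers every `ObjectInputStream` in the process, including ones inside third-party middleware that the application does not construct itself, which is the form most useful for the middleware deployments this article describes.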

Due to the severity of the vulnerabilities and their impact, the Health Sector Cybersecurity Coordination Center has recently released an analyst note warning the healthcare and public health sector about the risk of exploitation. Healthcare organizations could be vulnerable if they use Oracle Fusion products that rely on the ADF Faces framework. HC3 warns that if the vulnerable Oracle middleware components are integrated into their software for managing electronic medical records or other critical systems, exploitation of the vulnerabilities could result in data breaches, operational disruptions, and potentially regulatory penalties.

HC3 recommends applying the latest patch for Oracle JDeveloper, segmenting networks so that environments that use JDeveloper are isolated from production systems, limiting access to JDeveloper environments to trusted users only, and enforcing strong authentication mechanisms.

The post HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems appeared first on The HIPAA Journal.

Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment

The New York multi-site medical practice, Albany ENT & Allergy Services, has agreed to pay a $500,000 financial penalty to the state of New York and will invest $2.25 million to strengthen its information security practices after suffering two ransomware attacks that saw threat actors gain access to the medical records of more than 213,000 New York patients. Under the agreement, a further $500,000 in penalties must be paid if Albany ENT & Allergy Services fails to invest the required $2.25 million in upgrades and maintenance of its information security program over the next 5 years.

An investigation was launched by the Office of the New York Attorney General (OAG) following an intrusion of Albany ENT & Allergy Services’ network by two different threat actors between March 23, 2023, and April 4, 2023. The first intrusion involved ransomware and was discovered on March 27, 2023, when files were encrypted. Systems and data were restored by the healthcare provider’s IT vendor; however, the source of the intrusion was not identified before the restoration of external network access.

A different threat actor conducted a second ransomware attack 10 days later, on April 2, 2023. A digital forensics firm was engaged to conduct a thorough investigation and remediate any vulnerabilities before the restoration process began. The compromised systems contained the records of 213,935 patients, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, diagnoses, test results, and treatment information. Both threat actors provided evidence of data exfiltration when attempting to extort Albany ENT & Allergy Services; however, ransoms were not paid. The file review was completed in May 2023 and the affected individuals were notified and offered complimentary credit monitoring services.

The failure to identify the initial access vector was due to insufficient server logs. While server logs were created, they were not retained for a reasonable period, and there were no security programs in place to monitor and analyze server traffic. The company that conducted the forensic investigation after the second attack concluded that the initial access vector was likely the exploitation of an unpatched vulnerability in a Cisco VPN firewall.

The OAG investigation revealed that the breach involved the protected health information of around 80,000 more individuals than the 120,000 stated in the initial breach report. The additional affected individuals had their driver’s license numbers posted online by the threat actors when the ransom was not paid. OAG also determined that the threat actors gained access to six devices that hosted unencrypted personal information, and some of those devices continued to store unencrypted personal information for months after the ransomware attacks. While an encryption policy had been implemented for laptop computers, it did not apply to personal information stored on other systems. Multi-factor authentication (MFA) had been implemented, but not consistently, with some remote access systems not protected by MFA.

Albany ENT & Allergy Services did not have an in-house information technology team and outsourced those functions to two third-party vendors. Outsourcing IT functions is acceptable under state law; however, a single Albany ENT & Allergy Services employee was responsible for liaising with those vendors and ensuring appropriate policies and procedures were followed and recommended practices were implemented. That employee did not have any IT or InfoSec experience or training. The lack of effective oversight meant critical security updates were not implemented in a timely manner, logs of activity in information systems were not retained for sufficiently long, MFA was not consistently implemented, and a reasonable information security program was not maintained. The security failures were determined to violate New York Business and Executive Law.

Under the agreement, Albany ENT & Allergy Services is required to implement a range of security measures including establishing a comprehensive information security program and ensuring effective oversight of its information security vendors. “Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider,” said Attorney General Letitia James. “I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data.”

The post Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment appeared first on The HIPAA Journal.