Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Flaws

The Five Eyes Cybersecurity Agencies have issued a warning that previously disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways are being actively exploited by multiple threat actors and have been since early December 2023.

The flaws – CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 – affect all supported versions (9.x and 22.x) and can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. According to the alert, Ivanti’s internal and previous external Integrity Checker Tool (ICT) failed to detect malicious activity associated with exploitation. CISA demonstrated in a test environment that the ICT is not sufficient to detect compromise and that it is possible to gain root-level persistence despite issuing factory resets.

Alphabet’s Mandiant has been investigating the exploitation of the zero-day vulnerabilities and said the exploitation had likely impacted thousands of devices across multiple industry verticals. Some of those attacks were linked with a suspected Chinese cyber espionage group it tracks as UNC5325. The threat actor used living-off-the-land techniques and novel malware to achieve persistence. Mandiant said the patches released by Ivanti are effective at preventing exploitation, provided UNC5325 did not exploit the vulnerability before the patches were applied. Mandiant said UNC5325 has maintained access even after customers have initiated factory resets, patching, and applying the recommended security updates.

The Five Eyes agencies recommend that network defenders assume that user and service account credentials stored in affected Ivanti VPN appliances are likely compromised, hunt for malicious activity using the detection mechanisms and IoCs detailed in the alert, and run the latest version of Ivanti’s external ICT. If the vulnerabilities have yet to be patched, network defenders should ensure the patches are applied as soon as possible and should follow the recommendations detailed in the latest Ivanti security advisory. Mandiant also recommends following the guidance provided in its updated Ivanti Connect Secure Hardening Guide.

The post Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Flaws appeared first on HIPAA Journal.

High Severity Vulnerabilities Identified in MicroDicom DICOM Viewer

Two high-severity vulnerabilities have been identified in the free-to-use MicroDicom DICOM Viewer, which is used to view and manipulate DICOM images. Successful exploitation of the vulnerabilities could lead to remote code execution and memory corruption.

The first is a heap-based buffer overflow vulnerability tracked as CVE-2024-22100. It can be exploited in a low-complexity attack by tricking a user into opening a malicious DCM file, which would allow a remote attacker to execute arbitrary code on vulnerable versions of the DICOM Viewer.

The second vulnerability is an out-of-bounds write issue due to a lack of proper validation of user-supplied data. Successful exploitation of the flaw could result in memory corruption within the application. The vulnerability is tracked as CVE-2024-25578.

The vulnerabilities affect MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior versions and have been fixed in version 2024.1. Users have been advised to update to the latest version as soon as possible. There are currently no indications that the vulnerabilities have been exploited in attacks.

The post High Severity Vulnerabilities Identified in MicroDicom DICOM Viewer appeared first on HIPAA Journal.

How to Write an HHS OIG Complaint

The best way to write an HHS OIG complaint to increase the chances of the complaint being investigated is to prepare a narrative explaining the nature, scope, and time frame of the activity being complained about, and how you came to learn about the activity. When you submit the complaint, the chances of the complaint being investigated are further improved if you can provide supporting evidence and the contact information of a third party who can corroborate the narrative.

Each year, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) receives thousands of complaints, tips, and reports of alleged fraud, waste, and abuse in Federal healthcare programs. HHS OIG does not have the resources to investigate every one, so it prioritizes complaints according to the type of activity and the evidence submitted to support the complaint.

In addition, HHS OIG only has the authority to investigate complaints relating to certain activities, and many complaints can be rejected after being reviewed for relevance. The activities HHS OIG has the authority to investigate include:

  • Whistleblower complaints about fraud, waste, and abuse in HHS programs.
  • False or fraudulent (overpriced) claims submitted to Medicare or Medicaid.
  • Kickbacks or inducements for referrals by Medicare or Medicaid providers.
  • Medical identity theft involving Medicare and/or Medicaid beneficiaries.
  • The failure of a hospital to evaluate and stabilize an emergency patient.
  • Patient abuse or neglect in nursing homes and long-term care facilities.
  • Human trafficking by HHS employees, grantees, and contractors.
  • Crimes, gross misconduct, or conflicts of interest involving HHS employees, recipients of HHS grants, or HHS contractors.

Complaints relating to Medicare policies, coverage, claims, and payment decisions, Social Security fraud, identity theft unrelated to HHS programs, and discrimination within HHS departments are not investigated by HHS OIG. Complaints of this nature will be rejected on review without the complainant being notified of the decision. Therefore it is important that when you write an HHS OIG complaint, the nature of the activity is one that HHS OIG has the authority to investigate.

How to Submit an HHS OIG Complaint

There are various ways to submit an HHS OIG complaint. The most effective is the online OIG HHS Hotline because this method of submitting an HHS OIG complaint allows complainants to upload documents in support of the complaint electronically. Alternative methods such as mail and fax are not so easy to use, and if you use mail, you are advised not to send original documents, digital media, or physical devices because these will not be returned even if the complaint is rejected.

When you submit an HHS OIG complaint online, you also have the option of requesting confidentiality, in which case your identity is known only to HHS OIG investigators (unless a disclosure is required by law). You may also submit complaints anonymously, but this course of action precludes HHS OIG from investigating a complaint as a whistleblower retaliation complaint, and may hinder the initial review and/or the subsequent investigation into your complaint.

If your complaint is investigated and upheld, there are several potential outcomes depending on the nature of the activity. Most upheld fraud, waste, and abuse complaints and violations of the HHS OIG anti-kickback regulations are resolved by a civil monetary penalty and/or a Corporate Integrity Agreement. However, more serious complaints, criminal complaints, and the failure of a hospital to evaluate and stabilize an emergency patient are likely to result in exclusion from HHS programs.

Individuals concerned about the potential consequences of submitting an HHS OIG complaint – or who need help to write an HHS OIG complaint – are advised to speak with an HHS OIG advisor on 1-800-477-8477 (1-800-HHS-TIPS). Alternatively, if you would prefer independent advice before speaking with an HHS OIG advisor, it is recommended you speak with a legal professional who has experience in healthcare regulatory compliance.

The post How to Write an HHS OIG Complaint appeared first on HIPAA Journal.