OCR Settles Multiple HIPAA Right of Access Complaints With Optum Medical Care – TechTarget
Is Marketo HIPAA Compliant? – HIPAA Journal
HHS Reveals Strategy for Addressing Healthcare Sector Cybersecurity – JD Supra
CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published healthcare sector-specific guidance on enhancing cyber resilience. The guidance is based on the findings from a two-week risk and vulnerability assessment that was performed in January 2023 at the request of a large healthcare organization that was looking to identify vulnerabilities and potential security improvements.
CISA spent the first week conducting external penetration tests to identify weaknesses that could be exploited, and a week analyzing the internal network, with its assessments including web applications, databases, wireless access points, penetration tests, and phishing testing. The unnamed organization was found to have secured its network sufficiently to prevent external attacks. CISA was unable to find any vulnerabilities that could be easily exploited by malicious actors and was unable to gain access through phishing; however, several weaknesses were identified during internal penetration tests. CISA was able to exploit misconfigurations, weak passwords, and other security issues through multiple attack paths and compromise the organization’s domain.
The penetration and web application testing uncovered no vulnerabilities that could easily be exploited and payloads used in the phishing tests were blocked by a combination of browser controls, security policies, and antivirus software. While some of the payloads were downloaded to disk, they were immediately neutralized by the antivirus software when executed, and while some payloads appeared to have evaded internal protections, they failed to make a connection with their C2 servers.
Phishing tests were also performed on end users in an attempt to harvest credentials. 12 individuals responded to the phishing attempts and disclosed their credentials, but they could not be used as those individuals only had limited access to external-facing resources, and multi-factor authentication had been implemented for cloud accounts. CISA notes that its assessments did not include adversary-in-the-middle attacks using phishing kits such as Evilginx, which can bypass multifactor authentication. CISA recommends using phishing-resistant multifactor authentication to block attacks involving these advanced phishing kits.
The internal penetration tests started with a connection to the network without a valid domain account and attempted to gain domain user access and then escalate privileges until the domain was compromised. The organization’s domain was compromised using four attack paths, and in the fifth attack path, CISA was able to access sensitive information. CISA was able to obtain 55 password hashes, one of which was for a service account that had a weak password that was easily cracked to obtain access to the organization’s domain.
The web application tests identified default credentials in multiple web applications that had not been changed, as well as default printer credentials, along with misconfigurations that allowed CISA to authenticate to the domain controller and validate administrator privileges. CISA used the CrackMapExec tool to spray easily guessable passwords, obtained two sets of valid credentials for standard domain user accounts, and demonstrated a path leading to domain compromise. CISA also found that several systems on the network did not enforce SMB signing, and exploited that misconfiguration to obtain credentials for two additional domain administrator accounts, which were validated, confirming a domain compromise.
The fifth attack path involved vulnerability scanning, which identified an unpatched EternalBlue vulnerability in SMB version 1. CISA used a well-known exploit for the vulnerability to establish a shell on the server which allowed commands to be executed in the context of the local SYSTEM account. CISA also identified multiple instances of password reuse, which allowed access to be gained to several resources that contained sensitive information.
The methods and tools used by CISA in its assessments are commonly used by hackers for post-compromise activities. Had initial access been gained, the internal vulnerabilities could have been exploited to achieve a full domain compromise. The key findings of the assessments have been published in a cybersecurity advisory – Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment – along with recommended mitigations for addressing the vulnerabilities, which are likely to exist in many healthcare organizations. The guidance can also be applied by software companies and organizations in other critical infrastructure sectors.
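Two of the weaknesses described above, SMB signing not being enforced and an unpatched SMB version 1 service (the protocol EternalBlue targets), are host configuration issues a defender can audit directly. The following PowerShell script is an added example and is not code from the CISA advisory or from the HIPAA Journal article; it uses the built-in SmbShare and DISM cmdlets to report those settings on a Windows host and, when run with the hypothetical -Remediate switch, applies the fixes.

```powershell
# Added example (not from the CISA advisory or this article): audit a Windows host for
# SMBv1 being enabled and SMB signing not being required, the two SMB misconfigurations
# the assessment describes. Run in an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate   # assumed switch name; applies the fixes instead of only reporting
)

function Get-SmbHardeningFindings {
    $server   = Get-SmbServerConfiguration
    $client   = Get-SmbClientConfiguration
    $findings = @()

    if ($server.EnableSMB1Protocol) {
        $findings += [pscustomobject]@{
            Check    = 'SMBv1 server protocol enabled'
            Severity = 'High'
            Fix      = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
        }
    }
    if (-not $server.RequireSecuritySignature) {
        $findings += [pscustomobject]@{
            Check    = 'SMB server does not require signing'
            Severity = 'High'
            Fix      = 'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
        }
    }
    if (-not $client.RequireSecuritySignature) {
        $findings += [pscustomobject]@{
            Check    = 'SMB client does not require signing'
            Severity = 'Medium'
            Fix      = 'Set-SmbClientConfiguration -RequireSecuritySignature $true -Force'
        }
    }
    # The SMB1 Windows feature can stay installed even when the server protocol is
    # switched off; removing the feature is the cleaner end state.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings += [pscustomobject]@{
            Check    = 'SMB1Protocol Windows feature installed'
            Severity = 'High'
            Fix      = 'Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart'
        }
    }
    return $findings
}

$findings = @(Get-SmbHardeningFindings)
if ($findings.Count -eq 0) {
    Write-Host "No SMBv1 or SMB signing weaknesses found on $env:COMPUTERNAME"
}
else {
    $findings | Format-Table -AutoSize
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        Write-Host "Remediation applied on $env:COMPUTERNAME; a reboot may be needed to remove SMBv1."
    }
}
```

To cover a whole estate rather than one host, run the audit portion through Invoke-Command against a list of computers and collect the findings centrally. For a lasting fix, set "Microsoft network server: Digitally sign communications (always)" (and the matching client policy) through Group Policy so that signing is enforced domain-wide and cannot be silently reverted on individual hosts, which also closes the credential relay path the assessment used.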
The post CISA Publishes Healthcare-Specific Guidance for Improving Cyber Resilience appeared first on HIPAA Journal.
Delta Dental of California Data Breach: 7 Million Individuals Affected
Delta Dental of California Says 6,928,932 Individuals Affected by MOVEit Hack
Delta Dental of California has recently confirmed that it was one of the victims of Clop hacking group’s mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Delta Dental of California, part of the Delta Dental Plans Association, provides dental insurance to 45 million people. According to the breach notification sent to the Maine Attorney General, the information of almost 7 million individuals was stolen in the attack, including members of Delta Dental of California plans and those of its affiliates.
Delta Dental discovered on June 1, 2023, that the SQL injection vulnerability – CVE-2023-34362 – in the MOVEit Transfer solution had been exploited. Progress Software had released an emergency patch to fix the flaw on May 31, 2023; however, the Russia-linked Clop group exploited the flaw between May 27 and May 30, 2023, before the patch was applied, and exfiltrated data from Delta Dental’s MOVEit server.
On July 6, 2023, Delta Dental confirmed that plan members’ data had been accessed and acquired without authorization, and third-party computer forensics experts were engaged to help with analytics and data mining to determine exactly what data had been stolen. Due to the extent of the data involved, the analysis has only just been completed, with the final list of the affected individuals and types of data involved finalized on November 27, 2023. Notification letters started to be sent to those individuals on December 14, 2023.
Delta Dental said the stolen data includes names in combination with one or more of the following: address, Social Security number, driver’s license number, other state identification number, passport number, financial account information, tax identification number, individual health insurance policy number, and/or health information. The affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services.
Delta Dental stressed in its notification letters that this was a mass exploitation incident that affected thousands of companies; however, the Delta Dental of California data breach stands out due to the number of individuals affected. With 6,928,932 dental plan members affected, this is the third largest healthcare MOVEit-related breach to have been reported, behind Maximus Inc. (11 million) and Welltok (8.5 million).
The HIPAA Breach Notification Rule requires notification letters to be issued within 60 days of the discovery of a breach. The Delta Dental of California data breach was reported to the HHS’ Office for Civil Rights on September 6, 2023, within 60 days of discovering that PHI was involved. It was unclear at the time how many individuals were affected so an interim figure of 501 was used. “The delay between detecting the incident, responding to it, and identifying what data has been accessed and by whom, along with which individuals are impacted is not surprising. To determine this typically relies on specialist digital forensic and incident response providers who need to forensically comb through logs and individual data objects using a combination of forensic tools and deep cybersecurity expertise to piece together what happened down to the individual data objects,” Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, told The HIPAA Journal. “Modern data security tools can speed up the identification of what data is impacted, particularly at scale, so hopefully we will see these timeframes reduce as these tools get adopted. However, it will still take time to map those data objects to the individuals impacted at scale with forensic quality that can stand up in court.”
The post Delta Dental of California Data Breach: 7 Million Individuals Affected appeared first on HIPAA Journal.