HC3 Warns HPH Sector About Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat
The Health Sector Cybersecurity Coordination Center (HC3) has warned healthcare organizations that use Fortinet’s FortiSIEM platform to patch a critical vulnerability that is likely to be targeted by malicious actors and has issued a threat brief on Emotet malware.
FortiSIEM Command Injection Vulnerability – CVE-2023-36553
A critical vulnerability has been identified by Fortinet in its FortiSIEM platform. The vulnerability has been assigned a CVSS v3.1 severity score of 9.8 out of 10 and can be exploited remotely by malicious actors to execute arbitrary commands. The flaw is related to a bug discovered and patched by Fortinet in October 2023 – CVE-2023-34992. While there have been no known instances of the vulnerability being exploited in attacks, Fortinet vulnerabilities are actively targeted by malicious actors and exploitation of the flaw is likely.
“An improper neutralization of special elements used in an OS command vulnerability in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” said Fortinet in a recent security advisory.
The vulnerability affects the following FortiSIEM versions: 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4. Users should upgrade to a fixed version as soon as possible. The vulnerability has been fixed in versions: 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.
Emotet Malware – A Persistent Threat to the HPH Sector
Emotet malware was first identified in 2014 and started life as a banking Trojan; however, the malware has evolved over the years and is now commonly used as a first-stage malware for delivering other malware payloads such as banking Trojans, multi-purpose malware, information stealers, and ransomware, including the infamous TrickBot Trojan. Devices infected with Emotet are added to a botnet under the control of the operator of the malware, a group tracked as Mummy Spider, also known as TA542, GOLD CABIN, and Mealybug, which is believed to operate out of Ukraine.
At its height, Emotet was called the world’s most dangerous malware by Europol, and Check Point data suggests one in every five organizations worldwide has been infected with Emotet. Emotet activity follows a rhythm of around 2-3 months of attacks followed by a period of little to no activity, which can last between 3 and 12 months. In January 2021, an international law enforcement operation took control of the botnet’s infrastructure, and an update was pushed out that uninstalled the malware from all infected devices. Ten months later, the botnet had been rebuilt.
While activity did not recover to the levels at the height of its success, the botnet continues to grow and still poses a significant threat. There were activity spikes in late spring 2022 before activity dropped off, and activity spiked again in spring 2022. According to Check Point, the botnet now consists of around 130,000 unique devices in 179 countries, and Emotet was the most prolific malware variant in February 2023. Emotet is used to gain initial access to networks; it can elevate privileges, evade defenses, steal credentials, move laterally, exfiltrate data, and download other malware payloads, and it has been, and still is, one of the most potent weapons used against the health sector. Recent activity includes the delivery of ransomware variants such as Quantum and BlackCat.
Emotet malware is most commonly delivered via phishing emails containing malicious URLs that link to a document containing a malicious macro that downloads the Emotet payload. The malware achieves persistence through Windows registry keys which ensure the malware executes on each reboot. The malware may also achieve persistence via the Windows Startup folder or via scheduled tasks and can also run as a Windows service that is executed automatically. HC3’s Emotet Threat Brief includes recommendations for healthcare and public health sector organizations on defense and mitigations.
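The four persistence locations named above (Run registry keys, the Startup folder, scheduled tasks, and auto-start services) are where a defender should look first when checking a host. The script below is an added example, not from HC3's brief or HIPAA Journal; it assumes an elevated PowerShell session on the Windows host being reviewed and simply lists entries from each location for an analyst to triage.

```powershell
# Added example: enumerate the persistence locations the HC3 brief names.
# Assumes an elevated PowerShell session on the host under review.
$findings = @()

# 1. Registry Run/RunOnce keys (per-machine and per-user)
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      # Skip the PS* metadata properties the provider adds to every item
      if ($p.Name -notlike 'PS*') {
        $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
      }
    }
  }
}

# 2. Startup folders (current user and all users)
$startupDirs = @(
  [Environment]::GetFolderPath('Startup'),
  [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
  Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
  }
}

# 3. Scheduled tasks whose action executes from a user-writable path
Get-ScheduledTask | ForEach-Object {
  foreach ($a in $_.Actions) {
    if ($a.Execute -match 'AppData|Temp|ProgramData|Users') {
      $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
    }
  }
}

# 4. Auto-start services whose binary lives outside the Windows directory
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
  Where-Object { $_.PathName -notmatch '\\Windows\\' } | ForEach-Object {
    $findings += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
  }

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

The path filters in steps 3 and 4 are heuristics to shorten the list for review, not indicators on their own; compare the output against a known-good baseline for the same build.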
The post HC3 Warns HPH Sector About Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat appeared first on HIPAA Journal.