Atlassian Confluence Data Center and Server Vulnerability Actively Exploited by Chinese APT Actor
Microsoft has issued a security alert warning that a Chinese Advanced Persistent Threat (APT) Group has been exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server products.
The vulnerability, CVE-2023-22515, is a critical privilege escalation flaw caused by broken access controls. It has the maximum CVSS severity score of 10 and can be exploited by any device with a network connection to a vulnerable application. Successful exploitation allows unauthorized individuals to create Confluence administrator accounts and access Confluence instances.
Atlassian issued a security advisory about the vulnerability on October 4, 2023, and released patches to fix the flaw. Fixed versions are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. The vulnerability does not affect Atlassian Cloud sites. Microsoft said it has observed the Chinese APT group Storm-0062 (aka DarkShadow/Oro0lxy) exploiting the flaw since September 14, 2023, and identified four malicious IP addresses sending exploit traffic: 192.69.90[.]31, 104.128.89[.]92, 23.105.208[.]154, and 199.193.127[.]231. The extent to which the vulnerability has been exploited has not been disclosed, although Atlassian said earlier this month that a handful of customers had been targeted.
Atlassian and Microsoft say urgent action is required to prevent the vulnerability from being exploited and warn that publicly accessible Confluence Data Center and Server instances are at critical risk. Customers should ensure they upgrade their instances to a fixed version and should conduct comprehensive threat detection. After updating their instances, customers should search for unexpected members of the confluence-administrators group, unexpected newly created user accounts, requests to /setup/*.action in network access logs, and look for the presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.
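The post-patch checks listed above can be scripted. The following is an added example written for this page, not code from Atlassian, Microsoft or HIPAA Journal: it scans a constructed access-log excerpt for requests to /setup/*.action, a constructed atlassian-confluence-security.log excerpt for exception messages naming /setup/setupadministrator.action, and constructed directory snapshots for unexpected confluence-administrators members and accounts created since the September 14, 2023 start of observed exploitation. The log line layouts, the sample IPs and the user names are assumptions; only the paths, group name and dates come from the article.

```python
"""Added example: post-patch indicator checks for CVE-2023-22515.

Not Atlassian's or Microsoft's code. Log formats below are assumed (a
combined access-log layout and a timestamped security-log layout); adapt
the regexes to the layout your proxy and Confluence actually write.
"""
import re
from datetime import date

# Constructed access-log sample (format assumed). Only the /setup/ path is
# taken from the advisory guidance; the IPs are documentation ranges.
ACCESS_LOG = """\
10.0.0.5 - - [02/Oct/2023:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5123
192.0.2.10 - - [02/Oct/2023:10:02:30 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 3301
192.0.2.10 - - [02/Oct/2023:10:02:31 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
10.0.0.7 - - [02/Oct/2023:10:03:00 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9981
"""

# Constructed atlassian-confluence-security.log excerpt (line layout assumed).
SECURITY_LOG = """\
2023-10-01 09:00:00,000 INFO  [main] Confluence security subsystem started
2023-10-02 10:02:31,014 WARN  [http-nio-8090-exec-7] Exception while handling request to /setup/setupadministrator.action after setup was already complete
"""

# Constructed directory snapshots: who is approved, who is in the group now,
# and when each account was created.
APPROVED_ADMINS = {"admin", "j.doe"}
CURRENT_ADMINS = ["admin", "j.doe", "sysadmin2"]
USERS = [("admin", date(2020, 1, 15)), ("j.doe", date(2021, 6, 1)),
         ("sysadmin2", date(2023, 10, 2))]
EXPLOITATION_OBSERVED_SINCE = date(2023, 9, 14)  # from the Microsoft report

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SETUP_PATH_RE = re.compile(r'^/setup/[^/?]+\.action')


def setup_requests(access_log):
    """Return (ip, method, path, status) for every request to /setup/*.action."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_RE.match(line)
        if m and SETUP_PATH_RE.match(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


def setup_exceptions(security_log):
    """Return security-log lines whose exception message names the setup action."""
    return [l for l in security_log.splitlines()
            if "/setup/setupadministrator.action" in l]


def unexpected_admins(current_members, approved_members):
    """Members of confluence-administrators that are not on the approved list."""
    return sorted(set(current_members) - set(approved_members))


def accounts_created_since(users, since):
    """Usernames created on or after the given date (exploitation window)."""
    return sorted(name for name, created in users if created >= since)


def run_checks():
    """Collect every finding into one dict so it can be reviewed or asserted on."""
    return {
        "setup_requests": setup_requests(ACCESS_LOG),
        "setup_exceptions": setup_exceptions(SECURITY_LOG),
        "unexpected_admins": unexpected_admins(CURRENT_ADMINS, APPROVED_ADMINS),
        "new_accounts": accounts_created_since(USERS, EXPLOITATION_OBSERVED_SINCE),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings if findings else 'nothing found'}")
```

A hit in any of the four checks is a reason to treat the instance as compromised rather than merely vulnerable, since the article notes that successful exploitation creates administrator accounts; patching alone does not remove an account an attacker already created.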
The post Atlassian Confluence Data Center and Server Vulnerability Actively Exploited by Chinese APT Actor appeared first on HIPAA Journal.
66% of Healthcare Organizations Say Patient Care was Disrupted by a Cyberattack
More than 700 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and 2022, and 2023 is on track to become the third successive year with 700+ large healthcare data breaches. Malicious actors continue to target healthcare organizations as they store large amounts of easily monetized data, which can be held to ransom or sold. Cyberattacks on healthcare organizations have financial and human costs. Healthcare organizations are having to pay millions in breach costs and the attacks often cause disruption to patient care, which increases the risk of complications, affects patient outcomes, and causes an increase in patient mortality rates.
A recent survey of 653 healthcare IT and security professionals has confirmed the impact of these attacks on healthcare organizations. The survey was conducted by the Ponemon Institute on behalf of the cybersecurity firm Proofpoint for its Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023 report. The survey confirmed the extent to which healthcare organizations are being attacked. 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months, with the attacks costing an average of $4.99 million per incident, which is a 13% increase from the previous year.
The four most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC), all of which were found to result in disruption to patient care. Two-thirds (66%) of organizations that experienced one or more of these common attacks said they disrupted patient care, 50% reported an increase in medical procedure complications, and 23% said the attacks increased patient mortality rates. The findings are similar to the previous year, indicating healthcare organizations have not made much progress in improving patient safety and well-being following cyberattacks.
Out of the four most common types of attacks, supply chain attacks were the most likely to negatively affect patient care. Supply chain attacks were experienced by 64% of surveyed organizations in the past 2 years and 77% of those organizations said the attacks caused disruption to patient care, up from 70% in 2022. All 653 surveyed organizations said they had experienced at least one incident that involved the loss or exfiltration of sensitive data in the past 2 years, and on average, 19 such incidents occurred at each organization. 43% of respondents said these incidents impacted patient care, 46% of those organizations experienced an increase in patient mortality rates, and 38% saw increased complications from medical procedures.
BEC attacks were most likely to result in poor outcomes due to delayed procedures (71%). BEC attacks also resulted in an increase in medical procedure complications (56%) and longer lengths of stay (55%). 59% of organizations that suffered a ransomware attack said it resulted in poorer outcomes due to delayed procedures, and 68% said a ransomware attack caused disruption to patient care.
Ransomware attacks have increased in 2023. 54% of surveyed organizations said they experienced an attack in the past 12 months, up from 41% in 2022; however, fewer healthcare organizations are paying ransoms to obtain the keys to decrypt files and/or prevent the release of stolen data. 40% of organizations that suffered a ransomware attack paid the ransom, compared to 51% in 2022. Threat actors have responded to the falling ransom payments by increasing their ransom demands. The average total cost for the highest ransom payment spiked 29% to $995,450 in 2023.
When healthcare IT professionals were asked about their biggest concerns about cyberattacks, cloud compromise (74%) was the biggest worry followed by supply chain attacks (63%), BEC (62%), and ransomware (48%). The two biggest cybersecurity challenges were both related to staffing. 58% of respondents said a lack of in-house cybersecurity expertise was keeping their organization’s cybersecurity posture from being fully effective, and 50% said insufficient staffing was a major challenge.
“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”
First Lawsuit Filed Over 23andMe Data Breach
On Friday, October 6, 2023, 23andMe, a direct-to-consumer genetic testing company that offers ancestry and health reports, confirmed that it was investigating a cyberattack that resulted in unauthorized individuals gaining access to certain customer accounts. The announcement about the 23andMe data breach came a few days after stolen data started to be listed for sale on a dark net marketplace.
In the website announcement, 23andMe said it had launched an investigation, had engaged third-party forensics experts to assist, and that the investigation is ongoing. The preliminary results suggest there has not been a breach of its systems, although 23andMe said in the breach notice that an unauthorized third party obtained certain information from users’ accounts. The website notice did not mention that stolen data had been listed for sale, but 23andMe confirmed to certain media outlets that it is in the process of validating the listed data. The stolen data included names, sex, date of birth, genetic ancestry results, profile photos, and geographical location that had been gathered from the DNA Relatives feature, but does not appear to have included any raw genetic data. The hacker claims to have obtained millions of data profiles that are being offered for sale. The listings were first identified by a researcher on October 4, 2023.
“While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” explained 23andMe in its website notice. “We believe the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.”
23andMe explained that it monitors accounts for unauthorized access and investigates suspicious activity, that its security measures exceed industry data protection standards, that it has attained multiple ISO certifications, and that it has offered users of the service multifactor authentication since 2019. The website notice was updated on October 9, 2023: “We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).”
On Monday, October 9, 2023, a lawsuit – Santana v. 23andMe Inc. – was filed in the U.S. District Court for the Northern District of California on behalf of plaintiffs Monica Santana and Paula Kleynburd who allege negligence, invasion of privacy, unjust enrichment, and breach of implied contract. The plaintiffs are represented by the law firm, Edelsberg Law PA.
According to the lawsuit, “23andMe attempts to redirect the blame on to the criminal actors that gained access to Defendant’s customer accounts, in violation of their Terms of Service, while avoiding mention that their safeguards were inadequate,” and also alleges “23andME fails to state if they were able to contain or end the cybersecurity threat, leaving victims to fear whether the PII that 23andMe continues to maintain is secure and 23andMe fails to state how the breach itself occurred.”
The lawsuit alleges 23andMe was negligent for failing to implement reasonable and appropriate safeguards to protect sensitive user data, that it maintained users’ personally identifiable information in a reckless manner, did not protect its systems against unauthorized intrusions, did not take reasonable steps to prevent data breaches, did not provide adequate training to its staff, and despite publishing a notice on its website two days after a breach was known to have occurred, failed to provide timely notice of the data breach.
The lawsuit alleges the plaintiff and class members “suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, loss of value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of, and diminution in, value of their PII.” The lawsuit seeks class action certification, a jury trial, actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest.
The data breach highlights the risks of reusing passwords for multiple accounts. If there is a data breach on one platform, the stolen usernames and passwords can be used to access all other accounts where the same login credentials have been used. These attacks are termed credential stuffing attacks; they are common and are one of the easiest ways for hackers to gain access to sensitive data. If a unique password is used for each account, these attacks can be prevented. Multifactor authentication adds an extra layer of security against these types of attacks, as an additional authentication factor must be provided in addition to a username and password before access to the account is granted.
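The pattern described above leaves a recognizable trace in authentication logs: one source trying many different usernames, each with a password that is either right or wrong on the first attempt, and a low overall success rate. The following is an added example written for this page, not code from 23andMe or HIPAA Journal, showing a defender-side heuristic over a constructed list of login events. The thresholds, field layout, IP addresses and usernames are all assumptions; real detection would also consider time windows and known proxy ranges.

```python
"""Added example: a simple credential-stuffing heuristic over login events.

Not 23andMe's code. Events are constructed tuples of
(timestamp, source_ip, username, success); thresholds are assumed.
"""
from collections import defaultdict

# Constructed login events. 10.0.0.5 and 198.51.100.4 are ordinary users;
# 203.0.113.9 tries eight different accounts and gets into two of them.
EVENTS = [
    ("2023-10-01T08:00:00", "10.0.0.5", "alice", True),
    ("2023-10-01T08:05:10", "198.51.100.4", "dave", False),   # typo, then success
    ("2023-10-01T08:05:40", "198.51.100.4", "dave", True),
    ("2023-10-01T09:00:00", "203.0.113.9", "alice", False),
    ("2023-10-01T09:00:01", "203.0.113.9", "bob", True),
    ("2023-10-01T09:00:02", "203.0.113.9", "carol", False),
    ("2023-10-01T09:00:03", "203.0.113.9", "dave", False),
    ("2023-10-01T09:00:04", "203.0.113.9", "erin", True),
    ("2023-10-01T09:00:05", "203.0.113.9", "frank", False),
    ("2023-10-01T09:00:06", "203.0.113.9", "grace", False),
    ("2023-10-01T09:00:07", "203.0.113.9", "heidi", False),
]


def stuffing_suspects(events, min_distinct_users=5, max_success_ratio=0.3):
    """Flag source IPs that try many distinct usernames with mostly failures.

    A legitimate user who mistypes a password retries the same account, so
    the distinct-user count stays at one; a stuffing run spreads attempts
    across many accounts and succeeds only where a reused password matches.
    Returns {ip: {"distinct_users": n, "attempts": n, "successes": n}}.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)

    suspects = {}
    for ip, stats in per_ip.items():
        ratio = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            suspects[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
            }
    return suspects


def accounts_to_reset(events, suspects):
    """Usernames that a flagged source logged into successfully.

    These are the accounts whose reused password is now known to be exposed;
    the response 23andMe took (forced reset, MFA) applies to exactly this set.
    """
    return sorted({user for _ts, ip, user, ok in events if ok and ip in suspects})


if __name__ == "__main__":
    found = stuffing_suspects(EVENTS)
    for ip, stats in found.items():
        print(f"{ip}: {stats}")
    print("force reset + MFA for:", accounts_to_reset(EVENTS, found))
```

With MFA enforced, the two "successes" from the flagged source would have stopped at the second factor, which is why the article treats unique passwords and MFA as complementary rather than alternative controls.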
Setting strong and unique passwords and implementing multifactor authentication are the first two of the four cybersecurity measures being promoted this Cybersecurity Awareness Month. The 23andMe data breach clearly demonstrates why these two cybersecurity measures are so important.