Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability

A critical vulnerability in Fortinet’s FortiOS and FortiProxy SSL VPN may already have been exploited by malicious actors. The vulnerability, tracked as CVE-2023-27997, is a heap-based buffer overflow in the FortiOS and FortiProxy SSL-VPN component that a remote, unauthenticated attacker can exploit to execute arbitrary code by sending specially crafted requests to a vulnerable device. Because the flaw is triggered before authentication, it can be exploited even if multifactor authentication has been enabled.

Fortinet firewalls and VPNs are widely used, and vulnerabilities in them are actively sought by malicious actors and have been rapidly exploited in the past. A search on the Shodan search engine indicates around 250,000 Fortinet firewalls are accessible over the Internet, and the majority of those are thought to be vulnerable. Fortinet said the vulnerability was identified during a code audit conducted in response to a series of attacks exploiting a separate zero-day vulnerability – CVE-2022-42475 – in the FortiOS SSL VPN, which was disclosed in December 2022 and analyzed in detail by Fortinet in January 2023. Those attacks were linked to the Chinese state-sponsored threat group Volt Typhoon, which has been active since mid-2021 and has previously targeted critical infrastructure entities in the United States. Fortinet has not linked exploitation of the newly disclosed vulnerability to Volt Typhoon, but said that threat actor and other groups will likely target it, and that there may already have been a limited number of attacks against government, manufacturing, and critical infrastructure organizations.

Fortinet issued a security advisory on June 12 about the vulnerability, which affects virtually all supported versions of FortiOS and FortiProxy. Patches have been released and customers have been urged to update their firmware to the latest version. Fortinet said the vulnerability is mitigated if SSL-VPN is not enabled on the device; however, all users have been recommended to update to the latest firmware version regardless.

While exploitation of the flaw is so far believed to have been limited, now that patches have been released threat actors will compare the new firmware with previous versions to work out what has changed, and are likely to rapidly develop working exploits for the vulnerability, so immediate patching is strongly recommended. All users should ensure they have updated to the following firewall and VPN versions:

FortiOS-6K7K

  • FortiOS-6K7K version 7.0.12 or above
  • FortiOS-6K7K version 6.4.13 or above
  • FortiOS-6K7K version 6.2.15 or above
  • FortiOS-6K7K version 6.0.17 or above

FortiOS

  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.5 or above
  • FortiOS version 7.0.12 or above
  • FortiOS version 6.4.13 or above
  • FortiOS version 6.2.14 or above
  • FortiOS version 6.0.17 or above

FortiProxy

  • FortiProxy version 7.2.4 or above
  • FortiProxy version 7.0.10 or above
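To turn the version list above into a quick triage check, the following script is an added example (it is not code from the HIPAA Journal post or from Fortinet). It parses the `Version:` line printed by the FortiOS CLI command `get system status`, works out which firmware train the device belongs to, and compares the running version against the lowest fixed release for that branch as listed above. The assumption that FortiGate 6000 and 7000 series model names identify the FortiOS-6K7K train, the model names, and the build numbers and hostnames in the sample status output are constructed for this example.

```python
"""Check a FortiOS/FortiProxy device version against the CVE-2023-27997 fixed releases.

Added example, not Fortinet's or HIPAA Journal's code. The fixed-version table is
transcribed from the post above; the sample `get system status` output is constructed.
"""
import re

# Lowest fixed release per branch ("major.minor"), per the post above.
FIXED_RELEASES = {
    "FortiOS-6K7K": {"7.0": (7, 0, 12), "6.4": (6, 4, 13), "6.2": (6, 2, 15), "6.0": (6, 0, 17)},
    "FortiOS": {"7.4": (7, 4, 0), "7.2": (7, 2, 5), "7.0": (7, 0, 12),
                "6.4": (6, 4, 13), "6.2": (6, 2, 14), "6.0": (6, 0, 17)},
    "FortiProxy": {"7.2": (7, 2, 4), "7.0": (7, 0, 10)},
}

# `get system status` prints a line of the form
#   Version: <model> v<major>.<minor>.<patch>,build<n>,<date> (GA...)
# Only the model token and the vX.Y.Z version are used here.
VERSION_LINE = re.compile(r"^Version:\s+(?P<model>[\w-]+)\s+v(?P<ver>\d+\.\d+\.\d+)", re.MULTILINE)


def parse_status(status_text: str):
    """Return (model, (major, minor, patch)) from `get system status` output."""
    m = VERSION_LINE.search(status_text)
    if m is None:
        raise ValueError("no 'Version:' line found in status output")
    version = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("model"), version


def firmware_train(model: str) -> str:
    """Map a model name to the firmware train used in the fixed-version list.

    Assumption for this example: FortiGate 6000/7000 series chassis (model names
    such as FortiGate-6300F or FortiGate-7060E) run the separate FortiOS-6K7K train.
    """
    if model.startswith("FortiProxy"):
        return "FortiProxy"
    if re.match(r"FortiGate-[67]\d{3}", model):
        return "FortiOS-6K7K"
    return "FortiOS"


def assess(status_text: str) -> dict:
    """Compare the running version with the lowest fixed release for its branch."""
    model, version = parse_status(status_text)
    train = firmware_train(model)
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_RELEASES[train].get(branch)
    if fixed is None:
        # Branch not in the table (e.g. FortiProxy 2.0.x): the post lists no fixed
        # release for it, so it needs a manual check against Fortinet's advisory.
        verdict = "no fixed release listed for this branch - check the advisory"
    elif version >= fixed:          # tuple comparison handles 7.0.12 > 7.0.9 correctly
        verdict = "patched"
    else:
        verdict = "vulnerable"
    return {
        "model": model,
        "train": train,
        "version": ".".join(map(str, version)),
        "fixed": ".".join(map(str, fixed)) if fixed else None,
        "verdict": verdict,
    }


# Constructed sample outputs; build numbers, dates and hostnames are placeholders.
SAMPLES = {
    "edge-fw": "Version: FortiGate-100F v7.0.11,build0000,000000 (GA.F)\nHostname: fw-edge-1\n",
    "chassis": "Version: FortiGate-6300F v6.2.14,build0000,000000 (GA)\nHostname: fw-core-1\n",
    "proxy": "Version: FortiProxy-VM64 v7.2.4,build0000,000000 (GA)\nHostname: proxy-1\n",
    "old-proxy": "Version: FortiProxy-VM64 v2.0.12,build0000,000000 (GA)\nHostname: proxy-2\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = assess(text)
        print(f"{name:10} {result['model']:18} {result['version']:8} -> {result['verdict']}")
```

The "chassis" sample shows why the train matters: 6.2.14 is a fixed release on standard FortiOS but still vulnerable on the FortiOS-6K7K train, where the fix is 6.2.15. Paste the real status output into `assess()` to check a device; a branch with no entry in the table is reported rather than silently treated as patched.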

The post Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability appeared first on HIPAA Journal.

Ransomware Attack Triggers Multiple Lawsuits Against Harvard Pilgrim Healthcare & Point32Health

Harvard Pilgrim Health Care and its parent company, Point32Health, are facing multiple class action lawsuits after hackers gained access to the protected health information (PHI) of more than 2.5 million individuals in an April 2023 ransomware attack.

Point32Health is the second largest insurer in Massachusetts and serves more than 2.4 million customers. Point32Health was formed following the merger of Harvard Pilgrim Health Care and Tufts Health Plan in 2021. According to Point32Health, hackers gained access to Harvard Pilgrim’s systems on March 28, 2023, and maintained access to those systems until April 17, 2023, when the intrusion was detected and blocked. The attack was detected when ransomware was used to encrypt and prevent access to files. The forensic investigation confirmed the affected systems contained PHI such as names, addresses, phone numbers, birthdates, health insurance account information, Social Security numbers, provider taxpayer ID numbers, and clinical information and that information was in the files exfiltrated from its systems. Credit monitoring and identity theft protection services have been offered to affected individuals at no cost for 2 years. Progress has been made in recovering from the attack over the past 7 weeks; however, the IT systems that support the Harvard Pilgrim Health Care commercial and Medicare Advantage Stride health plans have yet to be brought back online and Point32Health expects the recovery process to take a few more weeks.

At least 4 lawsuits have now been filed in the U.S. District Court for the District of Massachusetts in response to the attack, each claiming the Massachusetts health insurer failed to implement reasonable cybersecurity measures to ensure the confidentiality of members’ information. One of the lawsuits – Salerno Gonzalez v. Harvard Pilgrim Health Care Inc. et al – was filed on behalf of Harvard Pilgrim Health Care member Valeria Salerno Gonzalez. The 4-count lawsuit alleges the defendants “intentionally, willfully, recklessly, or negligently” maintained the sensitive data of customers and that, as a result of the defendants’ grossly negligent actions, hackers were able to gain access to and steal the sensitive data of plan members. The lawsuit alleges the plaintiff and class members have been placed at imminent risk of harm and face an ongoing risk of identity theft and fraud. The causes of action are negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment.

Another lawsuit – Tracie Wilson v. Harvard Pilgrim Health Care, Inc. and Point32Health, Inc. – was filed on behalf of Harvard Pilgrim Health Care plan member Tracie Wilson. The 4-count lawsuit makes similar claims and alleges violations of the HIPAA Security Rule. The lawsuit also takes issue with the time it took the defendants to detect and report the breach: the delay in detection and notification meant the plaintiff and class members were unaware that their sensitive data had been stolen and that they needed to take action to protect against identity theft and fraud. The plaintiff claims to have experienced an increase in spam texts and phone calls following the data breach and says she has spent, and will continue to spend, considerable time and effort monitoring her accounts to protect against identity theft. She also claims she has experienced anxiety, sleep disruption, stress, fear, and frustration due to the data breach.

The lawsuits seek class action status, a jury trial, damages, declaratory and other equitable relief, and injunctive relief, and call for an order from the courts to prevent the defendants from engaging in further deceptive practices and to require them to implement reasonable security measures and adhere to FTC guidelines.

The post Ransomware Attack Triggers Multiple Lawsuits Against Harvard Pilgrim Healthcare & Point32Health appeared first on HIPAA Journal.