HC3 Warns Healthcare Sector Regarding Risk of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued an alert to the healthcare and public health sector regarding a surge in financially motivated zero-day attacks, setting out mitigation techniques that should be followed to reduce the risk to a low and acceptable level.

A zero-day attack exploits a vulnerability for which no patch yet exists. Such vulnerabilities are called zero-day because the developer has not yet released a patch to resolve the flaw.

Zero-day attacks are attacks that a threat actor launches using a weaponized exploit for a zero-day vulnerability. Zero-day vulnerabilities are used in attacks across all industry sectors and are not just a challenge for the healthcare sector. For example, in 2010, exploits were created for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to destroy themselves and interrupted Iran’s nuclear program.

More recently, in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. Although a user would normally need to take further action after opening a malicious email attachment before malware is downloaded, by including an exploit for a zero-day vulnerability the cybercriminals were able to install the Dridex banking Trojan as soon as a user merely opened the infected attachment.

The very nature of zero-day vulnerabilities means the risk cannot be eliminated entirely, since software developers must still create patches to correct the flaws; however, techniques can be used to minimize the opportunity for zero-day vulnerabilities to be exploited.

The number of identified zero-day vulnerability exploits more than doubled between 2019 and 2021. This is partly because of the high price of exploits for zero-day vulnerabilities. The price paid for working exploits increased by over 1,150% from 2018 to 2021. Although the market for zero-day exploits was once limited to a few well-funded groups, there are now many threat actors with substantial resources who are willing to pay because they know they can recoup their money several times over by using the exploits in attacks. Today, a zero-day vulnerability exploit can be worth over $1 million.

Zero-day attacks specifically targeting the healthcare sector are entirely plausible. In August this year, a zero-day vulnerability called PwnedPiper was discovered in the pneumatic tube systems used in hospitals to transfer biological samples and medicines. The vulnerability was found in the control panel, which permits unsigned firmware updates to be applied. An attacker could exploit the vulnerability to seize control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were found that compromised OpenClinic patients’ test results. Unauthenticated attackers could obtain sensitive files from the medical test directory, which includes medical test data.

The best protection against zero-day vulnerabilities is to apply the patch immediately; however, patching is frequently slow, particularly in healthcare. A 2019 survey conducted by the Ponemon Institute found that it took an average of 97 days to apply, test, and deploy a patch for a zero-day vulnerability after the patch was released.

HC3’s recommendation is to “patch quickly, patch regularly, patch totally.” HC3 provides up-to-date information on actively exploited zero-days and the available patches that correct them. HC3 also recommends deploying a web application firewall to inspect incoming traffic and filter out malicious input, since this can stop threat actors from reaching vulnerable systems. It is likewise recommended to use runtime application self-protection (RASP) agents, which run inside an application’s runtime and can detect anomalous behavior. Network segmentation is also highly recommended.

The TLP: WHITE Zero-Day Threat Brief may be downloaded here.

13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities Identified in Medical Devices

Thirteen vulnerabilities have been discovered in the Siemens Nucleus RTOS TCP/IP stack that threat actors could potentially exploit remotely to achieve arbitrary code execution, cause a denial of service, and obtain sensitive data.

The vulnerabilities, referred to as NUCLEUS:13, affect the TCP/IP stack and the associated FTP and TFTP services of Nucleus NET, the networking component of the Nucleus Real-Time Operating System (RTOS). This component is used in numerous safety-critical devices. In the healthcare sector, medical devices that use Nucleus include patient monitors and anesthesia machines.

One critical vulnerability, with a CVSS v3 severity score of 9.8 out of 10, could permit remote code execution. Ten high-severity vulnerabilities have CVSS scores between 7.1 and 8.8, and two medium-severity vulnerabilities have CVSS scores of 5.3 and 6.5.

The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance from researchers at Medigate.

These Nucleus RTOS products are affected by the vulnerabilities:

  • Nucleus NET: All versions
  • Capital VSTAR: All versions
  • Nucleus Source Code: All versions
  • Nucleus ReadyStart v4: All versions before v4.1.1
  • Nucleus ReadyStart v3: All versions before v2017.02.4

Determining where the vulnerable code is used is difficult. The researchers attempted to estimate the impact of the vulnerabilities using data gathered from the official Nucleus website, the Forescout Device Cloud, and the Shodan search engine. Healthcare is the most severely affected sector, with 2,233 vulnerable healthcare devices identified. There were also 1,066 government devices, 348 retail devices, 326 financial devices, and 317 manufacturing devices identified as vulnerable, and 1,176 vulnerable devices were found in other industry sectors. By use, the vulnerable devices break down as follows: 76% building automation, 13% operational technology, 5% IoT, 4% networking, and 2% computers running Nucleus.

The vulnerabilities were reported to Siemens in line with responsible disclosure guidelines. Siemens has already released patches correcting all of the vulnerabilities that were discovered. Siemens stated that a number of the vulnerabilities had been discovered and resolved in earlier releases, although no CVEs had been assigned at the time.

Applying patches to correct the vulnerabilities can be difficult, particularly for embedded devices and mission-critical devices such as those used in healthcare.

Where it is not possible to apply the patches, Forescout and Siemens recommend mitigating measures to minimize the opportunity for exploitation of the vulnerabilities. Siemens advises protecting network access to vulnerable devices with appropriate mechanisms and ensuring the devices are operated in protected IT environments configured according to Siemens’ operational guidelines.

Forescout has released an open-source script that uses active fingerprinting to identify devices running Nucleus, for discovery and inventory purposes. Once the devices have been located, Forescout recommends implementing segmentation controls and practicing proper network hygiene, such as restricting external communication paths and isolating or containing vulnerable devices in a dedicated zone until they can be patched.

Additionally, incremental patches released by the vendors of affected devices should be monitored, and all network traffic should be inspected for malicious activity. A remediation plan should be created for all vulnerable assets that balances business continuity requirements with risk.

Philips MRI Solutions Found With 3 Medium Severity Vulnerabilities

Three medium-severity vulnerabilities have been found in Philips MRI products, which an unauthorized person could exploit to run the software, alter device settings, access and modify files, and export information, including protected health information (PHI), to an untrusted location.

The vulnerabilities are inadequate access controls that fail to restrict access by unauthorized persons (CVE-2021-3083), assignment of an owner outside the intended control sphere (CVE-2021-3085), and exposure of sensitive information to persons who should not have access (CVE-2021-3084). All three vulnerabilities have been assigned a CVSS v3 base score of 6.2 out of 10.

The vulnerabilities were identified by Michael Aguilar, a consultant with the Secureworks Adversary Group. They affect Philips MRI 3T: Version 5.x.x and Philips MRI 1.5T: Version 5.x.x. Aguilar reported the vulnerabilities to Philips, which has scheduled a patch for release in October 2022. In the meantime, Philips advises implementing mitigating measures to prevent exploitation of the vulnerabilities.

The mitigations consist of operating the Philips MRI machines only under authorized conditions, ensuring that physical and logical controls are applied. Only authorized individuals should be permitted to access the location of the MRI machines, and all of the operating instructions supplied by Philips should be followed.

Philips has received no reports of exploitation of the vulnerabilities, nor any reports of clinical incidents involving the products in connection with the three vulnerabilities.

Microsoft Warns of Continuing Attacks by SolarWinds Hackers on Downstream Businesses and Service Providers

The advanced persistent threat (APT) actor Nobelium (also known as Cozy Bear or APT29), which was responsible for the 2020 SolarWinds supply chain attack, is attacking managed service providers (MSPs), cloud service providers (CSPs), and other IT service providers, according to the latest advisory from Microsoft.

Instead of attacking many companies and institutions individually, Nobelium is opting for a compromise-one-to-compromise-many strategy. This works because service providers are frequently granted administrative access to customers’ networks in order to deliver IT services. Nobelium is seeking to exploit that privileged access to attack downstream organizations, and has been conducting these attacks since May 2021.

Nobelium uses a number of techniques to compromise service providers’ systems, including token theft, phishing and spear-phishing attacks, malware, API abuse, supply chain attacks, and password spraying attacks against accounts using commonly used passwords and passwords compromised in past data breaches.

Once access to a service provider’s network is obtained, Nobelium moves laterally within the cloud environment and then uses the trusted access to attack downstream organizations via trusted channels, such as externally facing VPNs or the specialized tools service providers use to access customer sites.

Some of the attacks carried out by Nobelium were highly sophisticated and required chaining together artifacts and access across several service providers to reach their ultimate target.

The Microsoft Threat Intelligence Center (MSTIC) has published guidance for service providers and downstream businesses to assist with remediation and mitigation.

MSPs and CSPs that rely on elevated privileges to deliver services to their clients are advised to verify and maintain compliance with Microsoft Partner Center security requirements, which include enabling multifactor authentication and enforcing conditional access policies, using the Secure Application Model framework, reviewing activity logs and monitoring user activity, and removing delegated administrative privileges that are no longer used.

All downstream organizations that rely on service providers having administrative access are advised to evaluate, review, and reduce access privileges and delegated permissions, including hardening and monitoring all tenant administrator accounts and reviewing service provider permissions and access from local and B2B accounts. They should also confirm that MFA is enabled and conditional access policies are enforced, and routinely review audit logs and configurations.

Microsoft has published full details of Nobelium’s tactics, techniques, and procedures (TTPs) in its advisory to help IT security teams prevent, detect, investigate, and mitigate attacks.

Notification Issued Regarding Ongoing BlackMatter Ransomware Attacks

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert about continuing BlackMatter ransomware attacks.

The group has been conducting attacks in the U.S. since July 2021. It has attacked critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained linking the gang to the DarkSide ransomware group, which conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline; BlackMatter is possibly a rebrand of the DarkSide operation.

Investigations into the attacks have given the agencies important information about the group’s tactics, techniques, and procedures (TTPs), and a sample of the ransomware has been analyzed in a sandbox environment.

The ransomware gang is known to use previously compromised credentials to gain access to victims’ networks, then leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) to access Active Directory (AD) and discover all hosts on the network. The BlackMatter gang deploys the ransomware and then remotely encrypts hosts and shared drives as they are found. The group is known to exfiltrate data and typically demands ransom payments of between $80,000 and $15 million in Monero or Bitcoin.

In the joint advisory, the NSA, FBI, and CISA describe the TTPs, provide Snort signatures that can be used to detect network activity associated with BlackMatter ransomware attacks, and list a number of mitigations to reduce the threat of an attack by the gang.

Mitigations consist of:

  1. Employing detection signatures to recognize and obstruct attacks in progress
  2. Utilizing strong passwords resilient to brute force attacks
  3. Using multi-factor authentication to prevent the employment of stolen credentials
  4. Patching and updating systems immediately
  5. Restricting access to resources over networks
  6. Using network segmentation and traversal monitoring
  7. Employing admin disabling tools to support identity and privileged access control
  8. Applying and enforcing backup and restoration guidelines and procedures

CISA and FBI Alert Regarding Increasing Conti Ransomware Attacks

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory about increasing Conti ransomware attacks. CISA and the FBI have observed Conti ransomware being used in more than 400 cyberattacks in the United States and around the world.

Like many ransomware groups, the group exfiltrates data from victims’ networks before deploying the Conti ransomware. A ransom demand is then issued along with a threat to publish the stolen data if the victim does not pay. The creators of Conti ransomware run a ransomware-as-a-service operation and recruit affiliates to carry out attacks. Under this model, affiliates typically receive a share of the ransoms they help generate. Conti appears to operate somewhat differently: its affiliates are paid a salary to carry out attacks.

Various techniques are used to gain access to victims’ systems. A common one is spear-phishing emails with malicious attachments, such as Word documents with embedded scripts that act as malware droppers. Typically, a malware variant such as IcedID or TrickBot is downloaded, giving the attackers access to the victim’s systems. The attackers then move laterally within the breached network, locate data of interest, and exfiltrate it before deploying the Conti ransomware payload.

Other methods include brute-force attacks to guess weak Remote Desktop Protocol (RDP) credentials, exploitation of vulnerabilities in unpatched systems, and search engine poisoning to make malicious websites offering fake software appear in search engine listings. Malware distribution networks such as Zloader are also used, and attacks have been carried out after credentials were obtained through vishing (telephone calls).

CISA and the FBI have observed legitimate penetration testing tools being used to identify cameras, routers, and network-attached storage devices with web interfaces that can be brute-forced. They have also observed legitimate remote monitoring and management software and remote desktop software being used as backdoors to maintain persistence on victims’ networks. The attackers use tools such as Windows Sysinternals and Mimikatz to escalate privileges and move laterally.

Vulnerabilities known to have been exploited include PrintNightmare (CVE-2021-34527), ZeroLogon (CVE-2020-1472), and the Microsoft Windows Server Message Block vulnerabilities that were exploited in the 2017 WannaCry ransomware attacks.

Because a variety of tactics, techniques, and procedures are used to gain access to victims’ networks, no single mitigation can prevent attacks. CISA and the FBI recommend the following mitigations to strengthen defenses against Conti ransomware attacks:

  • Employ multi-factor authentication
  • Segment network and filter traffic
  • Check for vulnerabilities and update software
  • Get rid of unnecessary software and implement controls
  • Use endpoint detection and response solutions
  • Restrict resource access over the network, particularly by limiting RDP
  • Make user accounts secure
  • Back up critical data, store backups offline, and test backups to ensure file recovery is possible

Researchers Find Easy-to-Exploit Vulnerabilities in Drug Infusion Pumps

Researchers at McAfee Advanced Threat Research (ATR), working with the medical device cybersecurity company Culinda, have found five previously unreported vulnerabilities in two popular B. Braun drug infusion pump models.

The devices are used in hospitals worldwide to treat adult and pediatric patients and automate the delivery of medicines and nutrients. They are particularly useful for ensuring a controlled supply of critical medication doses.

An unauthenticated attacker could exploit the vulnerabilities in the B. Braun infusion pumps to alter the pumps’ settings while they are in standby mode, which could result in an unexpected dose of medication being delivered when the device is next used, potentially harming a patient.

McAfee notified B. Braun about the vulnerabilities in the B. Braun SpaceStation and the B. Braun Infusomat Space Large Volume Pump on January 11, 2021, and recommended safety measures that should be put in place to prevent exploitation. In May 2021, B. Braun released information for customers and informed the Health Information Sharing & Analysis Center (H-ISAC) about the vulnerabilities and proposed mitigations. The vulnerabilities affect infusion pumps running older B. Braun software versions; nevertheless, the researchers noted that “vulnerable versions of software program remain extensively used throughout medical facilities and stay in danger of exploitation.”

Safety measures are built into the infusion pumps to prevent attackers from altering dosages while the pumps are operating, so an attacker cannot change a dose while it is being delivered. The vulnerabilities can nevertheless be exploited while the pumps are on standby or idle, so changes can be made to the device’s behavior between infusions.

There have been no documented cases of the vulnerabilities in these or other drug infusion pumps being exploited in the wild; however, this is a credible attack scenario and one that could very easily be exploited to harm patients. The latest B. Braun software version blocks the initial network vector of the attack chain, but the vulnerabilities have not been fully addressed. An attacker could find another way to gain access to the system the devices connect to and exploit the vulnerabilities. Given the number of ransomware attacks reported in recent months, gaining access to healthcare systems has not proven to be a major obstacle for many threat actors.

Until a comprehensive set of patches is produced and effectively applied by B. Braun customers, medical facilities should give these threats particular attention and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in its coordinated vulnerability disclosure documents.

The researchers believe that many other medical devices may have vulnerabilities that could be exploited to harm patients. Medical devices are designed to ensure patient safety, and safety measures are enforced so that patient safety is not put at risk; nevertheless, cybersecurity protections are commonly given less attention during the design phase. Moreover, when security vulnerabilities are identified in medical devices, patching is expensive. The devices are tightly regulated, so it is not simply a matter of issuing a patch and immediately updating the devices, as would happen with a web browser, for example. Patches must be thoroughly reviewed, the devices must be taken out of service while updates are applied, and the patches and updates must be fully tested. Many devices therefore continue to run older software and firmware versions.

For the moment, ransomware attacks are the bigger problem in the medical field, but at some point these environments will be secured against that type of attack and malicious threat actors will look for other low-hanging fruit, the researchers noted. Given the long service life of medical devices and the difficulties involved in upgrading them, it is essential to start planning today for tomorrow’s threats. The researchers hope this research will raise awareness of an area that has been neglected for a long time.

CISA Gives an Alert About Blackberry’s QNX Vulnerability Impacting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory concerning a vulnerability affecting BlackBerry’s QNX Real-Time Operating System (RTOS), which is widely used by critical infrastructure companies and is present in many consumer, healthcare, and manufacturing systems.

The vulnerability is one of the 25 vulnerabilities collectively known as BadAlloc, which affect many IoT and OT systems. The vulnerabilities are integer overflow or wraparound flaws in the memory allocation functions used in embedded software development kits (SDKs), real-time operating systems (RTOS), and C standard library (libc) implementations.

On August 17, 2021, BlackBerry reported that CVE-2021-22156, one of the BadAlloc vulnerabilities, affected its QNX products. A remote attacker could exploit the vulnerability to cause a denial of service or potentially achieve remote code execution, the latter potentially enabling an attacker to take control of highly sensitive systems.

The vulnerability affects the C runtime library’s calloc() function in several BlackBerry QNX products. According to CISA, an attacker could exploit this vulnerability if they control the arguments to a calloc() call and can control how the memory is used after allocation. An attacker with network access could exploit this vulnerability remotely when the vulnerable product is running and the affected device is reachable from the internet.
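To make the BadAlloc bug class concrete, here is an added illustration (written for this page; it is not BlackBerry’s QNX code) of how a calloc() whose nmemb × size product wraps around hands back a buffer far smaller than requested, alongside the overflow check that a hardened allocator applies. The example input is constructed so that the product wraps on both 32-bit and 64-bit size_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration of the BadAlloc bug class (added example, not BlackBerry's
 * code). calloc(nmemb, size) must allocate nmemb * size bytes, but that
 * product is computed in size_t and can wrap past SIZE_MAX. A naive
 * implementation then returns a tiny buffer while the caller believes it
 * owns a large, zeroed one, so the caller's later writes overflow the heap. */

/* Byte count exactly as a naive allocator computes it: wraps silently. */
size_t naive_calloc_bytes(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* True when nmemb * size does not fit in size_t. Dividing instead of
 * multiplying cannot itself overflow, so this check is portable C. */
bool calloc_args_overflow(size_t nmemb, size_t size) {
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Hardened calloc: fail closed on overflow instead of under-allocating.
 * This is the shape of the fix vendors apply for BadAlloc-class bugs. */
void *checked_calloc(size_t nmemb, size_t size) {
    if (calloc_args_overflow(nmemb, size))
        return NULL;               /* refuse rather than return a short buffer */
    size_t total = nmemb * size;   /* cannot wrap after the check above */
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* Verification helper: allocate through the hardened path, confirm every
 * byte is zero, and release. Returns false when the request was refused. */
bool checked_calloc_is_zeroed(size_t nmemb, size_t size) {
    unsigned char *p = checked_calloc(nmemb, size);
    if (p == NULL)
        return false;
    bool zeroed = true;
    for (size_t i = 0; i < nmemb * size; i++)
        if (p[i] != 0)
            zeroed = false;
    free(p);
    return zeroed;
}

/* Constructed example input: SIZE_MAX/4 + 2 elements of 4 bytes. The true
 * size exceeds the address space, but the product wraps to just 4 bytes. */
int main(void) {
    size_t nmemb = SIZE_MAX / 4 + 2;
    size_t size = 4;
    printf("requested %zu elements of %zu bytes\n", nmemb, size);
    printf("naive byte count after wraparound: %zu\n",
           naive_calloc_bytes(nmemb, size));
    void *p = checked_calloc(nmemb, size);
    printf("checked_calloc: %s\n", p != NULL ? "allocated (BUG)" : "refused");
    free(p);
    return 0;
}
```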

The vulnerability affects all BlackBerry applications that depend on the C runtime library, including medical devices that incorporate BlackBerry QNX software.

CISA strongly urges all critical infrastructure organizations and other businesses that develop, maintain, support, or use the affected QNX-based systems to apply the patch immediately to prevent exploitation of the vulnerability. CISA notes that installing software updates for an RTOS may often require taking the device to a support facility or off-site location for physical replacement of integrated memory.

The following products and versions of BlackBerry’s QNX Real-Time Operating System (RTOS) are vulnerable:

  • Model QNX SDP version 6.5.0SP1, 6.5.0, 6.4.1, 6.4.0
  • Model QNX Momentics version 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0
  • Model QNX Momentics Development Suite version 6.3.2
  • Model QNX Realtime Platform version 6.1.0a, 6.1.0, 6.0.0a, 6.0.0
  • Model QNX Development Kit (Self-hosted) version 6.0.0, 6.1.0
  • Model QNX Cross Development Kit version 6.0.0, 6.1.0
  • Model QNX Neutrino RTOS Safe Kernel version 1.0
  • Model QNX Neutrino RTOS for Medical Devices version 1.0, 1.1
  • Model QNX Neutrino RTOS Certified Plus version 1.0
  • Model QNX CAR Development Platform version 2.0RR
  • Model QNX OS for Automotive Safety version 1.0
  • Model QNX OS for Safety version 1.0, 1.0.1
  • Model QNX Neutrino Secure Kernel version 6.4.0, 6.5.0

CISA recommends the following mitigations:

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers of products who develop their own RTOS software versions should contact BlackBerry to obtain the patch code. Note: in some cases, manufacturers may need to develop and test the software patches themselves.
  • End users of safety-critical systems should contact the manufacturer of their product to obtain a patch. If no patch is available, users should apply the manufacturer’s recommended mitigations until a patch becomes available.
  • If the patch cannot be applied, or is not yet available, CISA recommends ensuring that only the ports and protocols used by RTOS applications are reachable and that all others are blocked.

CISA Issues Guidance for MSPs and SMBs on Strengthening Security Defenses

Cybercriminals frequently target Managed Service Providers (MSPs) because MSPs have privileged access to their clients’ systems. A single attack on one MSP can therefore give the attacker access to the systems of several, if not all, of that MSP’s clients.

The recent Kaseya supply chain attack demonstrated just how serious this kind of attack can be. A REvil ransomware affiliate gained access to Kaseya’s systems and, through them, accessed the systems of approximately 60 of its customers (mostly MSPs) and encrypted their data. Through those MSP clients, the ransomware affected around 1,500 downstream companies.

Small- and mid-sized businesses (SMBs) often lack the staff to manage their own IT systems, or the expertise or hardware to store sensitive data and run sensitive operations. Many use MSPs to provide that expertise. It is usually more economical for SMBs to scale and manage their networks through MSPs than to manage those resources themselves.

Outsourcing IT or security functions to an MSP introduces risks that SMBs must mitigate. MSPs, in turn, must have safeguards in place to block unauthorized access to their networks and to limit the harm to their clients should their perimeter defenses be breached.

On July 14, 2021, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help MSPs and SMBs strengthen their defenses, improve resilience to cyberattacks, and limit the damage caused should an attack succeed.

The CISA Insights report provides mitigations and hardening advice for MSPs and SMBs, highlighting key steps to secure MSP network resources and those of their clients in order to reduce the risk of successful attacks.

The CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses guidance document can be downloaded on this page.

Critical Vulnerabilities Identified in MesaLabs Lab Temperature Monitoring System

Stephen Yackey of Securifera has identified five vulnerabilities in the MesaLabs AmegaView continuous monitoring system, which is used in hospital laboratories, forensics labs, and biotech companies. Two critical command injection vulnerabilities have been assigned CVSS severity scores of 9.9 and 10 out of 10. All of the vulnerabilities affect AmegaView Version 3.0 and prior versions.

The vulnerabilities are as follows:

Vulnerability CVE-2021-27447 has a CVSS score of 10/10. It is caused by improper neutralization of special elements used in a command and could allow an attacker to execute arbitrary code.

Vulnerability CVE-2021-27449 has a CVSS score of 9.9/10. It is caused by improper neutralization of special elements used in a command and could allow an attacker to execute commands on the web server.

Vulnerability CVE-2021-27445 has a CVSS score of 7.8/10. It results from insecure file permissions that could allow an attacker to escalate privileges on the device.

Vulnerability CVE-2021-27451 has a CVSS score of 7.3/10. It results from improper authentication: passcodes are generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.

Vulnerability CVE-2021-27453 has a CVSS score of 7.3/10. It is an authentication bypass issue that could allow an attacker to gain access to the web application.

There are currently no public exploits specifically targeting these vulnerabilities. Because AmegaView reaches end-of-life this year, MesaLabs has decided not to produce patches for the vulnerabilities. Instead, all customers using the vulnerable devices are advised to obtain the current Viewpoint software, which is compatible with AmegaView systems.

Whether or not that is possible, it is recommended to ensure vulnerable products are protected by firewalls, isolated from the business network, and not accessible from the internet. If remote access is required, Virtual Private Networks (VPNs) should be used, and the VPNs should be kept updated to the latest version.

Before implementing any new security measures, an impact and risk analysis should be performed.

Active Exploitation of Critical VMware vCenter Software Vulnerability

Cyber actors are actively exploiting a critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation to gain full control of unpatched systems. VMware disclosed the vulnerability, CVE-2021-21985, in late May and released a patch for it on May 25, 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for cyber attackers and that exploitation is highly likely. A reliable proof-of-concept exploit for the vulnerability is already publicly available.

Thousands of vulnerable, internet-accessible vCenter servers are exposed to attack. Several security researchers are conducting mass scans for VMware vSphere hosts susceptible to RCE and have observed vulnerability scanning against honeypots set up with unpatched versions of VMware vCenter Server.

Recently, the Department of Health and Human Services’ Office for Civil Rights published a cyber alert reiterating the importance of applying the patches for the vulnerability, noting that CISA had identified a number of organizations that have not yet applied the patch and remain exposed to attack.

VMware explained that a malicious actor with network access to port 443 could exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Security researcher Kevin Beaumont reported that his honeypot was infected with a web shell following exploitation of the vulnerability. “vCenter, which is a virtualization management software program, can be hacked to control the virtualization layer (e.g., VMware ESXi), allowing access prior to the OS layer (as well as security controls). This is a critical vulnerability, therefore businesses need to patch or limit the vCenter server access to authorized administrators only.”

If the patches cannot be applied right away, there are workarounds that can be implemented to lower the likelihood of exploitation. These workarounds should be applied without delay.

Threat Actor Actively Exploiting Pulse Connect Secure Vulnerabilities Including New Zero-Day Vulnerability

A recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) stated that at least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products. Although there has been no official attribution, a number of security researchers have linked the threat actor to China. Targets of the attacks have included government, defense, financial, and critical infrastructure organizations.

FireEye has been monitoring the malicious activity and states that about 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks involved harvesting credentials to permit lateral movement inside victim networks, and using scripts and replacing files to gain persistence.

A number of entities have already confirmed that they suffered attacks after detecting malicious activity with the Pulse Connect Secure Integrity Tool. Access to Pulse Connect Secure appliances was gained by exploiting four vulnerabilities: three disclosed in 2019 and 2020 and one recently discovered zero-day. Patches have been available for several months for the first three vulnerabilities – CVE-2020-8260, CVE-2019-11510, and CVE-2020-8243; however, no patch is yet available for the recently disclosed zero-day vulnerability, CVE-2021-22893.

The CVE-2021-22893 authentication bypass vulnerability has been assigned the maximum CVSS severity score of 10/10. Ivanti released a security advisory regarding the new vulnerability on April 20, 2021. An unauthenticated attacker exploiting the vulnerability can remotely execute arbitrary code on the Pulse Connect Secure Gateway. The vulnerability is thought to be exploitable by sending a specially crafted HTTP request to an unpatched device, though this has not yet been confirmed by Ivanti. The vulnerability affects Pulse Connect Secure 9.0R3 and later versions.

One threat group is exploiting the vulnerabilities to place web shells on vulnerable Pulse Secure VPN appliances. The web shells allow the threat group to bypass authentication controls, including multi-factor authentication and login passwords, and to maintain persistent access to the appliance even after patches have been applied.

Ivanti and CISA strongly recommend that all users of vulnerable Pulse Connect Secure devices apply the available patches immediately to prevent exploitation, and implement the mitigations recently released by Ivanti to reduce the risk of exploitation of CVE-2021-22893 until a patch is released. The workaround involves disabling two Pulse Connect Secure features – Windows File Share Browser and Pulse Secure Collaboration – which can be achieved by importing the workaround-2104.xml file. A patch for CVE-2021-22893 is expected to be released in May 2021.

Because patching cannot remove access that was already gained if the vulnerabilities have been exploited, CISA strongly recommends running the Pulse Connect Secure Integrity Tool to determine whether the vulnerabilities have already been exploited.

CISA has issued an emergency directive requiring all federal agencies to enumerate all instances of Pulse Connect Secure virtual and hardware appliances, deploy and run the Pulse Connect Secure Integrity Tool to find malicious activity, and implement the mitigation for CVE-2021-22893. These actions must be completed by 5 pm Eastern Daylight Time on April 23, 2021.

COVID-19 Vaccine Cold Chain Still Targeted by Threat Groups

A new IBM Security X-Force report reveals that advanced persistent threat groups are still targeting the COVID-19 vaccine cold chain around the world. X-Force analysts published a report in December 2020 warning about a campaign against the COVID-19 cold chain aimed at obtaining access to vaccine data. There remains a significant risk to the supply and storage of the COVID-19 vaccine.

There are currently around 350 logistics partners active in the cold chain ensuring that vaccines are distributed and stored at the required low temperatures. Since the initial report on cold chain phishing attacks, the IBM X-Force researchers have found a further 50 email files associated with spear-phishing campaigns and identified 44 targeted organizations in 14 countries across Africa, Asia, the Americas, and Europe.

The targeted organizations provide services such as the transport, warehousing, storage, and delivery of COVID-19 vaccines. The majority of the targeted organizations are in the healthcare, transport, IT, and electronics sectors, including companies in biomedical research and medical manufacturing, and pharmaceutical and hygiene suppliers.

The threat actors, believed to be nation-state backed, have expanded their campaigns and are using spear-phishing emails to steal the account credentials of CEOs, global sales representatives, purchasing managers, Human Resources officials, plant engineering administrators, and others. The aim is to obtain privileged information on national Advance Market Commitment (AMC) negotiations for the purchase of vaccines, delivery schedules, information on the transit of vaccines through countries and territories, World Trade Organization (WTO) trade facilitation agreements, export rules and international property rights, technical vaccine information, and other sensitive data.

The threat group responsible for this campaign appears to have a thorough understanding of the vaccine cold chain. The emails used in the spear-phishing campaign appear to come from an account manager at Haier Biomedical, a Chinese biomedical company that is the leading cold chain provider worldwide.

The emails request price quotations for service contracts related to the Cold Chain Equipment Optimization Platform (CCEOP) program and reference Haier Biomedical products such as an ice-lined refrigerator and a solar-powered vaccine refrigerator. The emails also target firms linked to petrochemical production and solar panel manufacturing, which fits with those products, and the language used in the messages is consistent with the educational background claimed in the spoofed signature.

The emails carry malicious HTML attachments that open locally and prompt the user to enter their login credentials. Any credentials entered are captured and sent to the attacker’s command and control server.

The researchers stated that although prior reporting revealed direct targeting of supranational organizations and of the energy and IT sectors in six countries, the expansion is believed to follow the identified attack pattern, and the campaign remains a deliberate and calculated threat.

Given vaccine nationalism and the global competition for vaccine access, attacks on the cold chain were inevitable. Although the researchers did not attribute the campaign to any particular group, there is a good chance that the operation is nation-state sponsored.

If the cold chain is disrupted, it could slow the movement of vaccines or affect the conditions required to safely transport and store them, which could render the vaccines unsafe or ineffective. IBM has published Indicators of Compromise in its report to help organizations protect the COVID-19 cold chain against attacks.

FBI Issues Advisory Regarding Mamba Ransomware

A spike in cyberattacks using Mamba ransomware has prompted the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) to issue a flash alert warning organizations and companies in several sectors about the risks posed by the ransomware.

Unlike many ransomware variants that have their own encryption routines, Mamba ransomware weaponizes the open-source full disk encryption software DiskCryptor. DiskCryptor is a legitimate, non-malicious encryption tool and is therefore unlikely to be flagged as malicious by security solutions.

The FBI has not yet disclosed the extent to which the ransomware has been used in attacks, which to date have primarily targeted government institutions and transportation, legal, technology, commercial, industrial, manufacturing, and construction firms.

A number of techniques are used to gain access to systems in order to deploy the ransomware, including exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other insecure means of remote access.

Rather than searching for particular file extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, rendering all affected devices unusable. After encryption, a ransom note is displayed telling the victim that their drive has been attacked. It provides a contact email address, the victim’s ID and hostname, and a field for entering the decryption key to recover the drive.

The Mamba ransomware package bundles DiskCryptor, which is unpacked and installed. The system is rebooted after about two minutes to complete the installation, and then the encryption routine begins. A second restart occurs approximately two hours later, which completes the encryption process and displays the ransom note.

An attack in progress can be stopped at any point before the second restart. The encryption key and the shutdown time variable are stored in the myConfig.txt file, which can be read up until the second restart. After the second restart, myConfig.txt can no longer be accessed and the decryption key is required to access the files. This gives network defenders a brief window to halt an attack and recover without paying the ransom. The advisory lists the DiskCryptor files to help network defenders identify attacks in progress. These files should be blacklisted wherever DiskCryptor is not legitimately used.

The FBI TLP:WHITE alert also provides mitigations that will help prevent attacks from succeeding, limit the impact of a successful attack, and ensure that systems can be restored without paying the ransom.

Recommended mitigations consist of:

  • Backing up data and keeping the backups on an air-gapped device.
  • Segmenting networks.
  • Configuring systems to permit only administrators to install software.
  • Patching operating systems, software, and firmware promptly.
  • Using multifactor authentication.
  • Practicing good password hygiene.
  • Disabling unused remote access/RDP ports and monitoring access logs.
  • Using only secure networks and using a VPN for remote access.

FBI Gives Warning of Increase in Business Email Compromise Attacks on Local and State Governments

In its March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) warned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. BEC attacks on SLTT government entities increased between 2018 and 2020, with losses from these attacks ranging from $10,000 to $4 million.

BEC attacks involve gaining access to an email account and sending messages impersonating the account holder in order to convince the target to make a fraudulent transaction. The compromised account is frequently used to send messages to the payroll department to change employee direct deposit details, or to individuals authorized to perform wire transfers, requesting changes to bank account details or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 BEC complaints with losses of approximately $1.9 billion. The following are examples of BEC scams:

In July 2019, a small city government lost $3 million after being scammed by a spoofed email that appeared to come from a contractor requesting a change to their payment method.

In December 2019, the email account of a financial supervisor at a government agency of a US territory was compromised and used to send 146 messages to government agencies with instructions regarding financial transactions. Many of these requests were made via email, and the attacker intercepted and replied to those messages. In total, $4 million was sent to the scammer’s account.

In addition to the financial losses, the attacks disrupt the operations of SLTT government organizations, cause reputational damage, and can result in the loss of sensitive information such as PII, banking details, and employment information.

BEC scammers can easily research targets and can obtain SLTT operating data and information about vendors, suppliers, and contractors from public sources. Gaining access to email accounts is straightforward, as the target’s email address can be quickly located and phishing kits for harvesting credentials are available cheaply on the darknet.

Once an email account is compromised, the attacker mimics the writing style of the account owner and often hijacks existing message threads. The scam can span several messages, with the target convinced they are conversing with the real account holder when they are actually communicating with the scammer.

The FBI states that BEC scammers usually target SLTT government entities with insufficient cybersecurity practices and take advantage of entities that are unable to provide adequate training to their workers. The shift to remote working because of the pandemic has made things even easier for the scammers.

In 2020, CISA performed phishing simulations involving SLTT government entities. Across 152 campaigns with about 40,000 messages, there were approximately 5,500 unique clicks on simulated malicious links. A click rate of 13.6% indicates that security awareness training alone is not teaching employees about the danger of email-based attacks, and highlights the need for “defense in depth mitigations.”

The FBI recommends ensuring that all workers receive security awareness training, are aware of BEC attacks, and know how to identify phishing and spoofed emails. Employees should be instructed to carefully verify email requests for advance payments, changes to bank account details, or sensitive information. Policies and procedures must be implemented that require any bank account change or transaction request to be verified by telephone using a known, verified number, not contact details provided in the email.

Additional measures that should be considered include multi-factor authentication on email accounts, phishing simulations, blocking automated email forwarding, monitoring Exchange servers for configuration changes, adding banners to emails from external sources, and using email filtering services.

Further measures that can be implemented to prevent and detect BEC attacks are described in the FBI alert.

CISA/FBI Give Joint Advisory Regarding Spear Phishing Attacks Spreading TrickBot Malware

The Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have released a joint security advisory concerning TrickBot malware. TrickBot was first discovered in 2016 and began as a banking Trojan; it has since gained many new capabilities and is widely used as a malware loader for delivering other malware, such as Ryuk and Conti ransomware.

The CISA/FBI alert states that TrickBot has become a highly modular, multi-stage malware that provides its operators with a full suite of tools for conducting a variety of criminal cyber activities.

In late 2019, TrickBot survived an effort by Microsoft and its partners to disrupt its infrastructure; the spam campaigns distributing the malware resumed shortly afterwards, and TrickBot activity has recently spiked. At the beginning of March, Check Point researchers warned of increasing TrickBot infections following the takedown of the Emotet botnet. In 2020, TrickBot was the 4th most prevalent malware variant and rose to 3rd in January 2021. With the Emotet botnet disrupted, TrickBot became the most widely distributed malware variant and topped Check Point’s malware index for the first time.

The ransomware attack on Universal Health Services (UHS) involved TrickBot, and systems were shut down for several weeks. TrickBot was used to gain access to UHS systems and to identify and collect information, after which the malware delivered the Ryuk ransomware payload. The ransomware attack cost UHS $67 million in losses in 2020.

TrickBot is mainly distributed through spear-phishing emails that are tailored to the targeted company. The emails use a mix of malicious file attachments and links to web pages hosting the malware. In February, the TrickBot gang ran a large phishing campaign targeting the legal and insurance industries that used a .zip file attachment containing malicious JavaScript to deliver the malware.

The most recent phishing campaigns use fake traffic violation notices as the lure, urging recipients to click to view “photo proof” of the violation. When the photo is clicked, a JavaScript file is launched that connects to the gang’s command and control (C2) server, and the TrickBot malware is then installed on the victim’s system.

TrickBot can move laterally via the Server Message Block (SMB) protocol, copies sensitive information from breached systems, and can perform crypto mining and host enumeration. According to CISA/FBI, TrickBot operators possess a set of tools that spans the whole of the MITRE ATT&CK framework, from passively or actively collecting data that can support targeting to attempting to manipulate, disrupt, or destroy systems and information.

CISA has created a Snort signature for detecting network activity associated with TrickBot malware. The CISA/FBI advisory also specifies cybersecurity best practices that make it harder for TrickBot to be installed and help harden systems against its propagation.

CISA Gives Warning on Active Exploitation of Vulnerabilities in Accellion File Transfer Appliance

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Singapore, New Zealand, Australia, and the United Kingdom have issued a notification for Accellion File Transfer Appliance (FTA) users regarding four vulnerabilities that threat actors are actively exploiting to gain access to sensitive information.

The Accellion FTA is a legacy file transfer appliance used for sharing large files. Accellion discovered a zero-day vulnerability in the FTA in mid-December 2020 and released a patch to address it. However, further vulnerabilities have been identified since.

The vulnerabilities being tracked are:

  1. CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  2. CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  3. CVE-2021-27103 – Server-side request forgery via a crafted POST request
  4. CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27101) enables an unauthenticated attacker to execute remote commands on vulnerable devices. An exploit for the vulnerability was paired with a webshell, which was used to receive commands from the attacker, exfiltrate information, and clean up logs. Because the logs are cleaned up, the attacker evades detection and forensic examination of the attack is hampered.

Having exfiltrated sensitive information, the attackers attempt to extort money from the victim by threatening to publish the stolen information on a ransomware data leak site if no ransom is paid. FireEye/Mandiant have linked the attacks to the FIN11 and CL0P ransomware operations, although the attackers do not deploy ransomware.

Accellion became aware of the attacks exploiting the vulnerabilities in January 2021. Fewer than 100 customers have reported being affected, with about two dozen of them reportedly suffering substantial data theft. Kroger recently announced that a number of pharmacy and Little Clinic customers were affected, and Centene also experienced a data breach through exploitation of the vulnerabilities. Other reported victims of the attacks include:

  • Transport for New South Wales in Australia
  • Canadian Aircraft maker Bombardier
  • Reserve Bank of New Zealand
  • Australian financial regulator ASIC
  • Office of the Washington State Auditor
  • The University of Colorado

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity advisory (AA21-055A) which Accellion customers can use to determine whether the vulnerabilities have been exploited and to be alerted when malicious activity is detected.

In addition to analyzing whether the vulnerabilities have been exploited, CISA recommends isolating systems hosting the software from the internet and upgrading Accellion FTA to version FTA_9_12_432 or later. Accellion and CISA also recommend migrating from this legacy product to a more secure file sharing platform. The Accellion FTA reaches end-of-life on April 30, 2021. Accellion recommends its Kiteworks file sharing platform, which has improved security features.

100% of Analyzed mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of hundreds of thousands of people is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a new study released by cybersecurity company Approov.

Ethical hacker and researcher Alissa Knight performed the study to find out how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health information. One condition of the study was that she would not be permitted to identify any of the apps if vulnerabilities were found. She evaluated 30 of the top mHealth apps and found that all were vulnerable to API attacks that could allow unauthorized individuals to access full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating that the security problems are systemic.

mHealth apps have been very helpful throughout the COVID-19 pandemic and are increasingly used by hospitals and healthcare organizations. According to Pew Research, mHealth apps now generate more user activity than other mobile applications such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth applications analyzed for the study are used by around 23 million individuals, with each app downloaded an average of 772,619 times from app stores. These applications hold a wealth of sensitive information, from vital sign records to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps command a high price on darknet marketplaces and are frequently targeted by cybercriminals. The vulnerabilities identified in the mHealth apps make it easy for cybercriminals to access that data.

There will generally be vulnerabilities in any code base. What is surprising is that every app reviewed contained hard-coded keys and tokens, and every API had broken object level authorization (BOLA) vulnerabilities that allow access to patient reports, pathology information, X-rays, and full PHI in the backend database.

BOLA vulnerabilities allow a threat actor to substitute the ID of one resource with another. If the object ID can be called directly in the URI, the endpoint is open to ID enumeration, which allows an adversary to read objects that do not belong to them. Exposed references to internal implementation objects could point to nearly anything: a file, a directory, a database record, or a key. In the case of mHealth apps, that could give a threat actor the ability to download complete medical records and personal data that can be used for identity theft.
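The following is an added example, not code from the Approov study or from any of the apps it tested: a minimal record-lookup handler in a BOLA-vulnerable form (it trusts the record ID from the URI) beside a hardened form that enforces object-level authorization on every access. The users, records, and roles are constructed sample data.

```python
# Added example, not code from the Approov study or any real mHealth app.
# A minimal record-lookup handler in two versions: one with the BOLA flaw
# (trusts the record ID taken from the URI) and one that enforces
# object-level authorization. All users and records are constructed.
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for missing records; also reused for unauthorized access so the
    API does not reveal which IDs exist (blunts ID enumeration)."""


@dataclass
class User:
    user_id: str
    role: str                                       # "patient" or "clinician"
    care_team_of: set = field(default_factory=set)  # patient IDs a clinician treats


@dataclass
class Record:
    record_id: int
    patient_id: str
    body: str


# Constructed sample data: two patients and one clinician.
USERS = {
    "p-alice": User("p-alice", "patient"),
    "p-bob": User("p-bob", "patient"),
    "dr-chen": User("dr-chen", "clinician", care_team_of={"p-alice"}),
}
RECORDS = {
    101: Record(101, "p-alice", "allergy: penicillin; rx: metformin"),
    102: Record(102, "p-bob", "x-ray: left wrist fracture"),
}


def get_record_vulnerable(session_user: User, record_id: int) -> str:
    """BOLA-vulnerable handler: the caller is authenticated (session_user) but
    the handler never checks that the requested object belongs to them, so any
    logged-in user can read any record by changing the ID in the request."""
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record.body


def may_read(user: User, record: Record) -> bool:
    """Object-level authorization rule: patients read only their own records,
    clinicians only those of patients on their care team."""
    if user.role == "patient":
        return record.patient_id == user.user_id
    if user.role == "clinician":
        return record.patient_id in user.care_team_of
    return False


def get_record_hardened(session_user: User, record_id: int) -> str:
    """Hardened handler: the ownership check runs on every object access, and a
    foreign ID produces the same NotFound as a missing one."""
    record = RECORDS.get(record_id)
    if record is None or not may_read(session_user, record):
        raise NotFound(record_id)
    return record.body


def access_outcome(handler, user_id: str, record_id: int) -> str:
    """Compare the two handlers: the record body if access is permitted,
    otherwise the string "denied"."""
    try:
        return handler(USERS[user_id], record_id)
    except NotFound:
        return "denied"


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_record_vulnerable),
                          ("hardened", get_record_hardened)):
        print(f"{name}: alice requests record 102 ->",
              access_outcome(handler, "p-alice", 102))
```

The same check belongs on every endpoint that takes an object ID, including list and update endpoints, since BOLA testing typically finds the gap on the one route that was overlooked.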

APIs define how applications communicate with other programs and systems and are used for sharing information. Of the 30 mHealth applications examined, 77% contained hard-coded API keys, making them susceptible to attacks that would allow an attacker to intercept data in transit. In some cases, those keys never expire, and 7% of the API keys belonged to third-party payment processors that advise against hard-coding private keys in plain text; nevertheless, usernames and passwords were hard-coded.

None of the apps implemented certificate pinning, which is needed to prevent interception attacks. This flaw can be exploited to allow sensitive health and personal information to be intercepted and modified. Half of the tested apps did not authenticate requests using tokens, and 27% had no code obfuscation protections, leaving them exposed to reverse engineering.

Knight was able to access highly sensitive data throughout the study. 50% of the records included names, addresses, dates of birth, Social Security numbers, allergies, prescribed medications, and other sensitive health information. Knight also discovered that once access was gained to one patient’s records, other patient records could be accessed at will. 50% of all APIs allowed medical professionals to view the pathology, X-ray, and clinical data of other patients, and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not associated with her clinical account. Knight also discovered replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and hijack other users’ sessions.

A further problem is that mHealth applications do not have security built in. Instead of building security into the apps at the design phase, the apps are created first and security measures are bolted on afterwards. That can easily result in vulnerabilities not being fully addressed.

David Stewart, founder and CEO of Approov, said that leading developers and their enterprise customers consistently fail to recognize that APIs serving remote clients such as mobile applications need a new and focused security paradigm. Because so few organizations deploy protections that ensure only genuine mobile app instances can connect to backend servers, threat actors exploit these APIs and create real problems for vulnerable companies and their patients.

CISA Alert Concerning Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert concerning the exploitation of poor cyber hygiene by threat actors to gain access to business cloud environments. The alert follows a spike observed by CISA in attacks on companies that have switched to a mostly remote workforce because of the pandemic.

Although the hackers behind the SolarWinds Orion supply chain attack used some of the techniques described in the report, the techniques are not tied to any particular threat group. Several threat actors are using them to gain access to cloud environments and steal sensitive information.

According to the alert, threat actors are using a range of tactics, techniques, and procedures to attack cloud environments, including phishing, brute force attacks to guess weak passwords, exploitation of unpatched vulnerabilities, and exploitation of weaknesses in cloud security practices.

Phishing is frequently used to obtain credentials for remote access to cloud resources and applications. Phishing emails usually contain links to malicious web pages where credentials are harvested. Where multi-factor authentication is not in place, the attackers can use those credentials to access online resources. The phishing emails typically appear to be benign messages containing links to seemingly legitimate file hosting services. The compromised email accounts are then used to send further phishing emails to other employees within the organization; these internally sent phishing emails usually link to files within what appears to be the company’s own file hosting service.

In some instances, auto-forwarding rules were created in the compromised email accounts to collect sensitive emails, or search rules were set up to identify and gather sensitive information. “Besides changing current user email rules, the threat actors made new mailbox rules that sent a number of messages obtained by the users (particularly, messages with a number of keywords related to phishing) to the legit users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder to try to prevent legitimate users from seeing the warnings.”
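As an added example (not code from the CISA alert or from the FBI BEC notice above), the following audits mailbox rules for the two patterns both advisories describe: automatic forwarding to addresses outside the organization, and rules that route security warnings into the RSS Feeds or RSS Subscriptions folders so the owner never sees them. The rule format, the folder and keyword lists, and ORG_DOMAIN are assumptions; the rules are constructed samples.

```python
# Added example, not code from the CISA alert or the FBI BEC notice.
# Audits mailbox rules for external auto-forwarding and for rules that hide
# security warnings in folders the user never reads. Rule format, folder and
# keyword lists, and ORG_DOMAIN are assumptions; rules are constructed samples.
from typing import Dict, List, Tuple

ORG_DOMAIN = "example-health.org"   # assumed: the defender's own mail domain
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items"}
WARNING_KEYWORDS = {"phishing", "hacked", "suspicious", "password", "security", "fraud"}

# Constructed sample rules in a simplified dictionary form. In practice these
# would be exported from the mail platform's rule inventory.
SAMPLE_RULES: List[Dict] = [
    {"mailbox": "cfo@example-health.org", "name": "Invoices",
     "conditions": {"subject_contains": ["invoice"]},
     "actions": {"move_to": "Finance"}},
    {"mailbox": "cfo@example-health.org", "name": ".",
     "conditions": {"body_contains": ["phishing", "hacked", "password"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
    {"mailbox": "payroll@example-health.org", "name": "sync",
     "conditions": {},
     "actions": {"forward_to": ["payroll.backup@webmail.example"]}},
    {"mailbox": "payroll@example-health.org", "name": "Team copy",
     "conditions": {"from_contains": ["vendor"]},
     "actions": {"forward_to": ["ap@example-health.org"]}},
]


def rule_findings(rule: Dict) -> List[str]:
    """Return a human-readable finding for each suspicious trait of one rule."""
    findings: List[str] = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # Pattern 1: any forward or redirect to a mailbox outside the organization.
    for addr in actions.get("forward_to", []) + actions.get("redirect_to", []):
        if not addr.lower().endswith("@" + ORG_DOMAIN):
            findings.append(f"forwards mail to external address {addr}")

    # Pattern 2: messages matching warning-related keywords are moved to a
    # folder the user never reads (or deleted), hiding security alerts.
    keywords = {k.lower() for field in ("subject_contains", "body_contains")
                for k in conditions.get(field, [])}
    hidden = sorted(keywords & WARNING_KEYWORDS)
    folder = actions.get("move_to", "")
    if hidden and (folder.lower() in HIDING_FOLDERS or actions.get("delete")):
        where = f"'{folder}'" if folder else "deletion"
        findings.append(f"hides messages mentioning {hidden} via {where}")
    return findings


def audit_rules(rules: List[Dict]) -> List[Tuple[str, str, str]]:
    """Flatten findings across all rules as (mailbox, rule name, finding)."""
    return [(r["mailbox"], r["name"], f) for r in rules for f in rule_findings(r)]


if __name__ == "__main__":
    for mailbox, name, finding in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: {finding}")
```

Running this periodically against the full rule inventory, rather than only at incident time, catches rules created long before the fraudulent request is ever sent.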

In addition to using phishing emails to obtain credentials, brute force techniques are used to guess weak passwords. In many cases, brute force and phishing attacks succeeded in obtaining credentials but were foiled by multi-factor authentication, which prevented the stolen credentials from being used; however, CISA identified one attack in which the attacker bypassed multi-factor authentication to access cloud resources using a ‘pass-the-cookie’ technique. A pass-the-cookie attack involves using a stolen cookie from a previously authenticated session to sign in to online services or web applications. These attacks can succeed even when a company has properly implemented multi-factor authentication.
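The following is an added example, not code from the CISA report: detection logic for the pass-the-cookie pattern just described, in which a session cookie minted after an MFA login is later presented from a different client context, together with the server-side check that rejects such a cookie. The log format, the fields used in the client fingerprint, and the log lines themselves are constructed assumptions.

```python
# Added example, not code from the CISA report. Detection for pass-the-cookie:
# a session cookie issued after an MFA login that is later presented from a
# different client context, or that appears with no MFA issuance at all.
# The log format, fingerprint fields and log lines are constructed assumptions.
import hashlib
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Constructed web-app access log: timestamp, session cookie id, user, source
# IP, user agent, and whether the request completed MFA (cookie issuance).
SAMPLE_LOG = """\
2021-01-13T08:02:11Z sid=9f3a user=jdoe ip=203.0.113.10 ua="Chrome/87 Windows" mfa=ok
2021-01-13T08:05:40Z sid=9f3a user=jdoe ip=203.0.113.10 ua="Chrome/87 Windows" mfa=-
2021-01-13T09:41:02Z sid=9f3a user=jdoe ip=198.51.100.77 ua="curl/7.68" mfa=-
2021-01-13T09:50:19Z sid=c1d2 user=asmith ip=192.0.2.44 ua="Safari/14 macOS" mfa=ok
2021-01-13T10:12:03Z sid=c1d2 user=asmith ip=192.0.2.44 ua="Safari/14 macOS" mfa=-
2021-01-13T10:30:00Z sid=77aa user=asmith ip=198.51.100.77 ua="curl/7.68" mfa=-
"""


@dataclass
class Event:
    ts: str
    sid: str
    user: str
    ip: str
    ua: str
    mfa: bool   # True on the request that completed MFA and minted the cookie


def parse_line(line: str) -> Event:
    """Parse one constructed log line (shlex keeps the quoted user agent whole)."""
    ts, *fields = shlex.split(line)
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["sid"], kv["user"], kv["ip"], kv["ua"], kv["mfa"] == "ok")


def client_fingerprint(ip: str, ua: str) -> str:
    """Context the cookie is bound to at issuance, hashed so it can be stored
    next to the session without keeping raw client details."""
    return hashlib.sha256(f"{ip}|{ua}".encode()).hexdigest()[:16]


def detect_cookie_reuse(log: str) -> List[Dict[str, str]]:
    """Flag cookies used from a context other than the one seen at MFA time,
    and cookies with no MFA issuance in the log (a cookie stolen elsewhere
    and replayed). Returns one alert per offending event."""
    issued: Dict[str, str] = {}
    alerts: List[Dict[str, str]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        fp = client_fingerprint(ev.ip, ev.ua)
        if ev.mfa:
            issued[ev.sid] = fp          # bind the cookie to the MFA-time context
            continue
        if ev.sid not in issued:
            reason = "cookie presented with no MFA issuance on record"
        elif issued[ev.sid] != fp:
            reason = "cookie presented from a different client context"
        else:
            continue
        alerts.append({"ts": ev.ts, "sid": ev.sid, "user": ev.user,
                       "ip": ev.ip, "ua": ev.ua, "reason": reason})
    return alerts


def session_is_valid(issued_fp: str, ip: str, ua: str) -> bool:
    """Server-side mitigation counterpart: reject a cookie whose presenting
    context no longer matches the fingerprint stored when MFA succeeded."""
    return client_fingerprint(ip, ua) == issued_fp


if __name__ == "__main__":
    for alert in detect_cookie_reuse(SAMPLE_LOG):
        print(alert)
```

Source IPs change legitimately for mobile and roaming users, so in production the fingerprint is usually built from coarser signals (network ASN, device identifier) and combined with short session lifetimes rather than an exact IP match.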

Threat actors are targeting remote workers who use personally owned or company-issued devices to connect to their company’s cloud resources. Although companies have deployed security solutions to block these attacks, many attacks have succeeded because of poor cyber hygiene practices.

In the alert, CISA lists the following best practices for improving cyber hygiene and strengthening cloud security configurations to prevent attacks on cloud services.

  • Implement conditional access
  • Review Active Directory logs and unified audit logs for suspicious activity
  • Enforce MFA for all users
  • Review email forwarding guidelines on a regular basis
  • Adhere to guidance on protecting privileged access
  • Resolve client site requests internal to the network
  • IT teams must follow a zero-trust mindset

Specific recommendations were also provided to help organizations secure their M365 environments.

Enterprises can read the Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services Analysis Report on this page and implement the recommendations.

Hidden Backdoor Discovered in 100,000 Zyxel Devices

A vulnerability was discovered in Zyxel products, including firewalls, access point (AP) controllers, and VPN gateways, that hackers could exploit to obtain remote administrative access to the devices. By exploiting the vulnerability, attackers could change firewall settings, permit or block traffic, intercept traffic, create new VPN accounts, expose internal services to the public, and gain access to the internal systems behind the Zyxel products. About 100,000 Zyxel units worldwide have the vulnerability.

Zyxel’s networking equipment and devices are popular with small and medium-sized organizations and are also used by large businesses and government institutions.

Niels Teusink of the Dutch cybersecurity firm EYE found the vulnerability, tracked as CVE-2020-29583, when he discovered a hidden user account in the latest version of the Zyxel firmware (4.60 patch 0). The hidden account, zyfwp, has a hardcoded plaintext password stored in one of the product binaries. This hardcoded administrative password was introduced in the latest version of the software.

Teusink used the credentials to log in to vulnerable equipment over SSH and the web interface. Because the password is hardcoded, device owners cannot change it. An attacker can use the credentials to log in remotely and exploit a vulnerable Zyxel unit. Since SSL VPN on these products runs on the same port as the web interface, many users have port 443 of these devices exposed to the internet.

Zyxel has released a patch to resolve the vulnerability. Zyxel said that the account was included to allow the company to deliver automatic firewall updates to connected access points via FTP.

The vulnerability affects a number of Zyxel products, including the Zyxel Advanced Threat Protection (ATP) firewall, VPN version 4.60, Unified Security Gateway (USG), USG FLEX, and the Zyxel AP controllers NXC2500 and NXC5500 version 6.10.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a notification regarding the vulnerability. The vulnerability was rated as medium risk for small government entities and small businesses, and high risk for large and medium-sized government agencies and large and medium-sized businesses.

All users of the vulnerable products were told to apply the patch without delay to protect against exploitation. Although there are no documented instances of the vulnerability being exploited so far, exploitation is probable.

Patches for the following vulnerable firewall products were made available in December 2020.

  • USG series using firmware ZLD V4.60
  • ATP series using firmware ZLD V4.60
  • USG FLEX series using firmware ZLD V4.60
  • VPN series using firmware ZLD V4.60

Patches for the following affected AP controllers will be available on January 8, 2021.

  • NXC2500 using firmware V6.00 through V6.10
  • NXC5500 using firmware V6.00 through V6.10

To mitigate the threat, MS-ISAC recommends the following actions:

  • Apply the updates provided by Zyxel to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or click links provided by unknown or untrusted sources.
  • Inform and educate users about the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.