Five Eyes Intelligence Alliance Warns of Increasing Cyberattacks on Managed Service Providers

The Five Eyes intelligence alliance, which brings together the cybersecurity agencies of the U.K., U.S.A., New Zealand, Canada, and Australia, has released a joint advisory warning of the growing number of cyberattacks directed at managed service providers (MSPs).

MSPs are attractive targets for cybercriminals and nation-state threat actors. Many companies depend on MSPs for information and communication technology (ICT) and IT infrastructure services, since outsourcing is usually simpler and cheaper than building those capabilities in-house.

To deliver those services, MSPs require reliable connectivity and privileged access to their customers' systems. Cyber threat actors attack vulnerable MSPs and use them as the initial access vector into the networks of every firm and organization they support. It is far easier to compromise one vulnerable MSP and gain access to several businesses than to target each of those organizations directly.

If MSP systems are compromised, it may take months before the intrusion is detected. During that time, attackers can conduct cyber espionage on the MSP and its clients or prepare for follow-on activity such as ransomware attacks.

The Five Eyes agencies set out baseline security measures that MSPs and their clients should implement, and additionally recommend that customers review their agreements with MSPs to make sure the contracts require MSPs to implement the recommended procedures and controls.

Steps must be taken to strengthen defenses against the initial compromise. Cyber threat actors typically exploit vulnerable devices and Internet-facing services and conduct phishing and brute force attacks to gain a foothold in MSP systems. The Five Eyes agencies encourage MSPs and their customers to:

  • Enhance the security of vulnerable devices
  • Secure internet-facing solutions
  • Protect against brute force and password spraying
  • Protect against phishing
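The advisory names brute force and password spraying as initial-access techniques but does not say how to spot them in logs. The following is an added example, not code from the advisory: a small detector run over constructed authentication log lines. The line format (`timestamp login user=... src=... result=...`), the five-minute window and the thresholds are assumptions standing in for whatever your VPN, identity provider or RDP gateway actually emits; adapt the regex and tune the thresholds to your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from the advisory). The
# "timestamp login user=... src=... result=..." layout is an assumption.
SAMPLE_LOG = """\
2022-05-11T09:00:01 login user=alice src=203.0.113.5 result=FAIL
2022-05-11T09:00:03 login user=bob src=203.0.113.5 result=FAIL
2022-05-11T09:00:05 login user=carol src=203.0.113.5 result=FAIL
2022-05-11T09:00:07 login user=dave src=203.0.113.5 result=FAIL
2022-05-11T09:00:09 login user=erin src=203.0.113.5 result=FAIL
2022-05-11T09:00:11 login user=frank src=203.0.113.5 result=FAIL
2022-05-11T09:00:12 login user=frank src=203.0.113.5 result=OK
2022-05-11T09:05:00 login user=alice src=192.0.2.44 result=FAIL
2022-05-11T09:05:30 login user=alice src=192.0.2.44 result=OK
""" + "".join(
    # twelve failures against one account from one source, three seconds apart
    f"2022-05-11T09:01:{3 * i:02d} login user=admin src=198.51.100.7 result=FAIL\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Parse log lines into (timestamp, user, src, result) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return sorted(events)


def peak_distinct(items, window):
    """items: (timestamp, value) pairs sorted by time. Return the largest number
    of distinct values that fall inside any time window of the given length."""
    counts = defaultdict(int)
    start = peak = 0
    for ts, value in items:
        counts[value] += 1
        while items[start][0] < ts - window:  # drop events that aged out of the window
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        peak = max(peak, len(counts))
    return peak


def detect(lines, window=timedelta(minutes=5), spray_users=5, brute_attempts=10):
    """Spraying: one source fails against many accounts. Brute force: one source
    hammers one account. Thresholds are illustrative; tune them to your baseline."""
    events = parse(lines)
    failures = [e for e in events if e[3] == "FAIL"]
    successes = {(src, user) for _, user, src, result in events if result == "OK"}
    by_src, by_src_user = defaultdict(list), defaultdict(list)
    for seq, (ts, user, src, _) in enumerate(failures):
        by_src[src].append((ts, user))               # distinct users per source
        by_src_user[(src, user)].append((ts, seq))   # seq is unique, so distinct == count
    alerts = []
    for src, items in by_src.items():
        n = peak_distinct(items, window)
        if n >= spray_users:
            alerts.append({"type": "password_spray", "src": src, "distinct_users": n,
                           # accounts that logged in OK from the spraying source: triage first
                           "successes_from_src": sorted(u for s, u in successes if s == src)})
    for (src, user), items in by_src_user.items():
        n = peak_distinct(items, window)
        if n >= brute_attempts:
            alerts.append({"type": "brute_force", "src": src, "user": user, "attempts": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two behaviours need different keys: spraying is "many distinct accounts per source", brute force is "many attempts per (source, account)", so a single failure counter would miss one or the other. A successful login from a source that was just spraying is the alert to work first.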

It is essential to enable or strengthen monitoring and logging so that intrusions can be discovered quickly. Because attackers may remain in compromised environments for months, all companies should retain their most important logs for about six months. The advisory recommends implementing and maintaining a segregated logging regime, whether via a comprehensive security information and event management (SIEM) solution or discrete logging tools, to identify threats.

It is essential to secure remote access applications, enforce multi-factor authentication wherever possible, and ensure MFA is applied to all accounts that allow access to customer environments. MSP clients should make certain their contracts state that MFA must be used on the accounts used to access their systems.

The Five Eyes agencies additionally advise:

  • Managing internal architecture risks and segregating internal networks
  • Deprecating obsolete accounts and infrastructure
  • Applying the principle of least privilege
  • Applying software updates and patches promptly
  • Developing and exercising incident response and recovery plans
  • Backing up systems and data regularly and testing the backups
  • Understanding and proactively managing supply chain risk
  • Managing account authentication and authorization
  • Promoting transparency

MSPs and their customers will have unique environments, so the advice should be applied as appropriate to their particular security needs and regulations.

HC3 Reveals Trends in Ransomware Attacks on the HPH Sector

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are continually evolving to evade detection and allow the groups to carry out more successful attacks. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has analyzed and shared the TTPs used in the first quarter of 2022.

In Q1 of 2022, most ransomware attacks on the Healthcare and Public Health (HPH) Sector were carried out by five ransomware-as-a-service groups. The LockBit 2.0 and Conti ransomware groups were responsible for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat, and Hive (11% each). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities to ransomware operations, with FIN7 working with ALPHV and FIN12 heavily involved in attacks on the HPH sector. FIN12’s participation has reduced the time taken to carry out attacks from 5 days to 2 days.

Ransomware gangs frequently work with initial access brokers (IABs), who specialize in gaining access to companies’ networks and then sell that access to the ransomware groups. Using IABs lets ransomware gangs concentrate on developing their ransomware variants and running their RaaS campaigns, which allows them to refine their TTPs and conduct successful attacks. HC3 did not observe any change in the number of IABs working with ransomware groups in Q1 of 2022, with the same numbers observed throughout 2022.

IABs were most often found advertising generic VPN/RDP access to the systems of HPH entities on cybercrime forums, accounting for more than 50 percent of forum advertisements, and about 25% of ads offered compromised Citrix/VPN appliances. Organizations widely deployed remote access solutions to support a remote workforce during the COVID-19 pandemic, but the rush to deploy meant standard security features were not implemented, and vulnerabilities were extensively exploited.

Ransomware gangs are increasingly making use of living-off-the-land (LOTL) techniques in their attacks, using legitimate tools that are already available in large enterprise environments, such as Task Scheduler, CMD.exe, PowerShell, Sysinternals, and MSHTA. The use of these tools makes the gangs’ malicious activity harder to detect.

Tactics include using:

  • remote access tools such as Atera, AnyDesk, Windows Safe Mode, ManageEngine, and ScreenConnect
  • encryption tools such as DiskCryptor and BitLocker
  • file transfer tools such as FileZilla FTP
  • Microsoft Sysinternals tools such as Procdump, Dumpert, and PsExec
  • open-source tools such as Cobalt Strike, Mimikatz, Process Hacker, AdFind, and MegaSync

Although the malicious use of these tools is hard for security teams to detect, there are detection opportunities. HC3 suggests a behavior-based approach to detection, for example using a Security Information and Event Management (SIEM) tool, which can identify malicious use of LOTL tools that signature-based detection tools cannot.
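What "behavior-based" means in practice is rules on process-creation telemetry that key on parent/child relationships and command-line shape rather than on file hashes. The block below is an added example, not HC3's material or any SIEM vendor's rule set: a handful of such rules applied to constructed process events whose fields are a Sysmon-style subset (event id, parent image, image, command line). The rule names, the sample paths and the placeholder encoded string are assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed Sysmon/EDR field subset)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# -e / -enc / -EncodedCommand followed by whitespace, or -w / -WindowStyle hidden
ENCODED_OR_HIDDEN = re.compile(
    r"(?i)(?:^|\s)-(?:e(?:nc(?:odedcommand)?)?\s|w(?:indowstyle)?\s+hidden)"
)


def exe(path):
    """Normalise a Windows image path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# (rule name, predicate). Each encodes a behaviour, not a hash: the same legitimate
# binary is benign or suspicious depending on who launched it and with what.
RULES = [
    ("office_spawns_script_host",
     lambda e: exe(e.parent_image) in OFFICE_APPS and exe(e.image) in SCRIPT_HOSTS),
    ("powershell_encoded_or_hidden",
     lambda e: exe(e.image) == "powershell.exe" and bool(ENCODED_OR_HIDDEN.search(e.command_line))),
    ("mshta_remote_content",
     lambda e: exe(e.image) == "mshta.exe" and bool(re.search(r"(?i)https?://", e.command_line))),
    ("psexec_service_started",
     lambda e: exe(e.image) == "psexesvc.exe"),
    ("procdump_targets_lsass",
     lambda e: exe(e.image).startswith("procdump") and "lsass" in e.command_line.lower()),
]


def evaluate(events):
    """Return (rule_name, event_id) hits, in event order; one event may hit several rules."""
    return [(name, e.event_id) for e in events for name, pred in RULES if pred(e)]


# Constructed sample telemetry; the base64 string is a placeholder ("ABC"), not a payload.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"WINWORD.EXE /n invoice.docx"),
    ProcessEvent(2, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -w hidden -enc QQBCAEMA"),
    ProcessEvent(3, r"C:\Windows\System32\services.exe",
                 r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent(4, r"C:\Windows\System32\cmd.exe",
                 r"C:\Tools\procdump64.exe", r"procdump64.exe -ma lsass.exe out.dmp"),
    ProcessEvent(5, r"C:\Windows\explorer.exe",                       # benign admin script
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcessEvent(6, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\mshta.exe", r"mshta.exe https://example.invalid/update.hta"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Event 5 runs the same PowerShell binary as event 2 and is not flagged: the rules look at the launching parent and the command-line shape, which is exactly the distinction a signature on `powershell.exe` cannot make.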

The HC3 Ransomware Trends in the HPH Sector Report can be read on this page. It provides comprehensive information on the TTPs used by each ransomware operation, including the most commonly abused LOTL tools, the relevant ATT&CK techniques, and a long list of mitigations that can be implemented to prevent, detect, respond to, and recover from ransomware attacks.

CISA Releases Guidance on Sharing Cyber Event Facts

The Cybersecurity and Infrastructure Security Agency (CISA) has recently released a fact sheet on cyber threat information sharing to help organizations report cyberattacks, which will enable the agency to reduce current and emerging cybersecurity threats to critical infrastructure in the U.S.

Following the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a rulemaking process will begin to implement its statutory requirements; in the meantime, the fact sheet serves as an interim measure to guide companies on the voluntary sharing of information about cyber-related events.

Sharing cyber threat information is an important component of collective defense against cyber threats and serves to strengthen U.S. cyber defenses. Rapid sharing of threat information with CISA enables it to issue timely alerts and offer assistance to other companies and entities, which can help them avoid falling victim to the same attacks. With access to threat data, CISA can identify attack patterns that will guide future initiatives to secure the nation’s critical infrastructure.

The fact sheet details how companies can help and the types of action and information that should be provided. Organizations should monitor for attacks, take action to mitigate the threat, and then submit a threat report to CISA. CISA has requested threat information from critical infrastructure owners and operators and from federal, state, territorial, local, and tribal government partners.

CISA would like to receive cyber threat information relating to unauthorized system access, DoS attacks lasting more than 12 hours, the discovery of malicious code on systems, targeted and repeated scans of systems, repeated attempts by unauthorized persons to access systems, email or mobile communications associated with phishing attempts or successful phishing attacks, and ransomware attacks on critical infrastructure companies.

CISA said the information provided will enable it to fill critical information gaps, deploy resources, analyze trends, issue alerts, and build a common understanding of how attackers are targeting U.S. systems and critical infrastructure sectors.

BD Reveals 2 Vulnerabilities in its Pyxis, Viper LT, and Rowa Products

Becton, Dickinson and Company (BD) has reported two vulnerabilities in its BD Pyxis automated medication dispensing systems, BD Viper LT automated molecular testing systems, and BD Rowa pouch packaging systems.

Both vulnerabilities stem from the use of hard-coded credentials. If exploited, they could allow an unauthorized person to access, modify, and delete sensitive information, which may include electronic protected health information (ePHI).

The more serious vulnerability, tracked as CVE-2022-22765, affects all BD Viper LT system versions from 2.0 onward. The vulnerability has been assigned a CVSS severity score of 8.0 out of 10.

BD is currently working on a fix, which will be included in the forthcoming release of BD Viper LT system software version 4.80. In the meantime, BD recommends compensating controls, such as ensuring physical access controls are in place, allowing only authorized personnel to access the system, not connecting the system to the network wherever possible, and, where removing the system from the network is not feasible, applying industry-standard network security guidelines and practices.

The second vulnerability, tracked as CVE-2022-22766, affects the BD Pyxis range of products and the BD Rowa Pouch Packaging Systems. It has been assigned a CVSS severity score of 7.0 out of 10. If exploited, an attacker could gain access to the file system and use software files to decrypt application credentials or gain access to ePHI.

Credentials are managed by BD, and customers cannot view or use them to access or operate BD Pyxis devices. To exploit the vulnerability, a threat actor would need to obtain the hard-coded credentials, compromise a facility’s network, and gain access to each device.

BD said it is strengthening credential management features in BD Pyxis devices. In the meantime, compensating controls can be applied to the affected products. These include restricting physical access to authorized personnel, tightly controlling the BD Pyxis system credentials issued to authorized users, isolating the products in a secure VLAN or behind firewalls, and monitoring and logging network traffic. The Pyxis Security Module for automated patching and management of virus definitions is provided to all accounts. Customers should work with their BD support team to ensure that all patches and virus definitions are kept up to date.

BD is committed to transparency with its customers and makes product security information, including vulnerability disclosures, available via the BD Cybersecurity Trust Center. As part of this commitment, BD published product security notices on the use of hard-coded credentials. Customers and end-users do not use the hard-coded credentials directly to access these systems.

There have been no reports of the vulnerabilities being exploited in clinical environments. BD reported the vulnerabilities to the ISAOs, the FDA, and CISA to raise awareness.

HHS Warns of Potential Threats to the Healthcare Industry

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued an advisory to the U.S. health sector about potential cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare providers.

HC3 said the HHS is not aware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities, and there are concerns that the conflict could lead to cyberattacks on the HPH sector.

HC3 has warned that threats could come from three sources: threat actors linked to the Russian government, threat actors linked to the Belarusian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal gangs to become involved in the conflict or to take advantage of it to conduct unrelated cyberattacks.

Russia has for decades been one of the world’s leading cyber powers. Going back to the Moonlight Maze attacks on the US Department of Defense in the 1990s, Russian state-sponsored actors have been thought responsible for some of the most sophisticated cyberattacks ever publicly disclosed. In particular, they are known to attack adversaries’ critical infrastructure to further their geopolitical goals.

There are also highly capable cybercriminal groups that operate out of Russia or have voiced support for Russia, including the group behind Conti ransomware. The Conti ransomware gang, which is widely believed to have also operated Ryuk ransomware, has extensively targeted the U.S. healthcare industry. The group engages in big game hunting and multi-stage attacks, and targets managed service providers (MSPs) and their downstream customers. It practices double and triple extortion, exfiltrating data before encryption and then threatening to publish the data and notify partners and shareholders if no ransom is paid.

HC3 believes the Conti ransomware group and/or other cybercriminal groups may either take part in the conflict or exploit it for financial gain. The threat group known as UNC1151 is believed to be linked to the Belarusian military and reportedly ran phishing campaigns targeting Ukrainian troops in January, and the WhisperGate wiper, used in cyberattacks in Ukraine, has been linked to Belarus.

WhisperGate is one of three wiper malware variants recently identified. These wipers use ransomware as a lure and drop ransom notes claiming files have been encrypted; however, the master boot record is destroyed rather than encrypted, and there is no way to recover it.

Another wiper, HermeticWiper, was used in attacks in Ukraine beginning February 24, 2022, and several variants have since been discovered. ESET has recently discovered a further wiper, which the company has named IsaacWiper, and is currently investigating it.

Although attacks using these malware variants are currently confined to Ukraine, in 2017 the NotPetya wiper was used in targeted attacks in Ukraine, delivered via compromised tax software, yet the malware spread worldwide and affected multiple healthcare companies in the United States.

All companies in the HPH sector are strongly urged to adopt a heightened state of vigilance, take action to strengthen their defenses, and review CISA guidance on mitigations and improving resilience to cyberattacks.

HHS Increases Awareness of Threats to Electronic Health Record Systems

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has issued a threat brief warning about the threats to electronic health record (EHR) systems, which are commonly targeted by cyber threat actors.

Cyberattacks on EHRs can be highly rewarding for cyber threat actors. EHRs typically contain all the data needed for many types of fraud, including names, dates of birth, addresses, government and state ID numbers, Social Security numbers, health information, and health insurance details. No other database holds such a wide range of data. The information in these systems commands a high price on the black market and can easily be bought by cybercriminals who specialize in identity theft and tax and insurance fraud. Malware, and ransomware in particular, poses a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, which disrupts medical services and creates patient safety issues, increasing the likelihood of the ransom being paid. Phishing attacks to obtain the credentials needed to access EHRs are also common.

A cybersecurity strategy should be developed to defend against malware and ransomware attacks. Malware and ransomware attacks frequently start with phishing emails, so email security solutions should be deployed, and end-users should receive training to help them identify phishing emails and other email threats. Regular security awareness training for the workforce can increase resilience to attacks that target employees, who are weak links in the security chain. Attacks on Remote Desktop Protocol (RDP) are also common; consider using a VPN solution to avoid exposing RDP. Threat actors commonly exploit unpatched vulnerabilities, so it is important to patch promptly and to prioritize patching to address critical vulnerabilities first, especially those known to have been exploited in cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog that IT and security teams can use to prioritize patching.

Many healthcare companies encrypt EHR data. Encryption protects data while it is transferred between on-site users and external cloud applications; however, there can be blind spots in encryption that threat actors can use to avoid detection while carrying out their attacks. Cloud services are now commonly used by healthcare institutions, including cloud-hosted EHRs. All information sent to cloud services must be adequately protected to comply with HIPAA. Cloud access security broker solutions can help with this.

Steps should be taken to prevent attacks by external cyber threat actors; however, there are also internal threats to EHR records. Healthcare personnel are given access to EHRs and could easily abuse that access to view or steal patient information. Staff should receive training on internal policies on EHR use and data access and on how HIPAA prohibits unauthorized access to information. The sanctions policy should be explained, along with the potential for criminal charges for unauthorized access to medical data. Administrative controls should be implemented to make it difficult for staff to access information without authorization, and EHR policies must be enforced.

Physical and system access should be monitored, audits should be conducted regularly to identify unauthorized access, and device and media controls should be put in place to prevent unauthorized copying of EHR data. An endpoint hardening strategy should also be established that applies multiple layers of security to all endpoints. That strategy should also ensure that any breach is detected and contained before attackers can gain access to EHRs and patient files.

Healthcare companies should engage in threat hunting to find threat actors who have bypassed perimeter defenses and gained access to endpoints. Penetration testers should be used for Red Team exercises that apply the tradecraft of hackers to discover and exploit vulnerabilities. Cybersecurity experts should also be involved in the Blue Team, which is responsible for advising the IT security team on improvements to prevent sophisticated cyberattacks.

EHRs deliver significant benefits, but the risks to the data must be properly managed. The HHS advises healthcare leaders to shift their focus from prevention to the development of a proactive preparedness plan to fully understand the vulnerabilities in their EHRs, and then to adopt a framework that is effective at identifying and preventing attacks.

Prompt Patching Required to Fix Critical SAP Vulnerabilities

The German business software firm SAP has released patches to correct a set of critical vulnerabilities affecting SAP applications that use the SAP Internet Communication Manager (ICM). Researchers at Onapsis Research Labs identified the vulnerabilities, which they named ICMAD (Internet Communication Manager Advanced Desync). All three vulnerabilities can be exploited for remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications.

The vulnerabilities affect the following SAP software:

  • SAP NetWeaver AS ABAP
  • SAP Web Dispatcher
  • SAP Content Server 7.53
  • ABAP Platform
  • SAP NetWeaver AS Java

The vulnerabilities can be exploited to hijack victim sessions and steal credentials in plain text, alter application behavior, obtain PHI and sensitive business data, and cause denial-of-service. CVE-2022-22536 is the most severe of the three and has been assigned the maximum CVSS severity score of 10/10. Onapsis said an unauthenticated attacker could easily exploit the vulnerability on SAP applications in the default configuration by sending a request via the commonly exposed HTTP(S) service.

Wherever business applications allow HTTP(S) access, the most common configuration has an HTTP(S) proxy sitting between clients and the backend SAP system, and this setup allows the vulnerability to be exploited. The second vulnerability, tracked as CVE-2022-22532 (CVSS 8.1), can also be exploited in this configuration, and also in the absence of proxies. The third vulnerability, tracked as CVE-2022-22533 (no CVSS score yet), could likewise lead to remote code execution.

The vulnerabilities were discovered while researching HTTP request smuggling techniques, which the researchers found can be leveraged using requests that closely resemble legitimate HTTP requests. These attacks will therefore be hard for security teams to detect. Moreover, the vulnerabilities are easy to exploit.
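Request smuggling and desync attacks work because a proxy and the backend behind it can disagree about where one HTTP request ends and the next begins, and a request that is ambiguous in that way still looks legitimate. The block below is an added example, not Onapsis's research or a check for the specific SAP ICM flaw: a generic edge-side check that parses a raw HTTP/1.1 request head and reports the framing ambiguities (Content-Length together with Transfer-Encoding, conflicting Content-Length values, malformed header names or values) that a front-end proxy should refuse to forward. The sample requests and the `backend.example` host are constructed.

```python
CRLF = b"\r\n"


def split_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, [(raw_name, value)], body).
    Header names are kept un-normalised so the caller can see oddities."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(CRLF)
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return request_line, headers, body


def framing_issues(raw: bytes):
    """Return reasons why this request's body length is ambiguous. An empty list
    means a proxy and a backend following RFC 7230 should agree on the framing."""
    _, headers, _ = split_head(raw)
    issues, cl, te = [], [], []
    for raw_name, value in headers:
        if raw_name != raw_name.strip():
            # "Transfer-Encoding : chunked": some parsers honour it, others ignore it
            issues.append(f"whitespace around header name {raw_name!r}")
        name = raw_name.strip().lower()
        if name == "content-length":
            cl.append(value)
        elif name == "transfer-encoding":
            te.append(value)
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        issues.append(f"conflicting Content-Length values {cl}")
    for v in cl:
        if not v.isdigit():
            issues.append(f"non-numeric Content-Length {v!r}")
    for v in te:
        if v.lower() != "chunked":
            issues.append(f"unusual Transfer-Encoding {v!r}")
    return issues


def should_forward(raw: bytes) -> bool:
    """Edge policy: only forward requests whose framing is unambiguous."""
    return not framing_issues(raw)


# Constructed sample requests (host name and bodies are placeholders).
CLEAN = (b"POST /api HTTP/1.1\r\nHost: backend.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /api HTTP/1.1\r\nHost: backend.example\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SPACED = (b"POST /api HTTP/1.1\r\nHost: backend.example\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
DOUBLE_CL = (b"POST /api HTTP/1.1\r\nHost: backend.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE),
                       ("spaced", SPACED), ("double-cl", DOUBLE_CL)]:
        print(label, framing_issues(req) or "ok")
```

Rejecting at the edge with a 400 is the safe default: the RFC says Transfer-Encoding wins when both headers are present, but a desync only needs one hop in the chain to disagree, so normalising or refusing ambiguous requests before they reach the application removes the disagreement rather than betting on every parser behaving the same.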

SAP applications are widely used by businesses, including in the healthcare sector. When vulnerabilities are discovered, hackers can quickly exploit them to gain access to applications to steal data or cripple business systems. Often, the first exploits of SAP vulnerabilities occur within 72 hours of patches being released.

SAP applications are used to manage business processes, and in healthcare the applications frequently hold protected health information (PHI). Vulnerabilities in SAP software could therefore be exploited to steal patient data.

SAP and Onapsis have urged all companies running vulnerable SAP applications to apply the patches immediately to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert about the vulnerabilities urging prompt patching. Firms should prioritize patching affected systems exposed to untrusted networks such as the Internet. Onapsis has released a free, open-source scanning tool that businesses can use to determine whether they are vulnerable to ICMAD exploits.

Healthcare Cybersecurity Risks in 2022

The healthcare industry continues to face a wide range of threats. Ransomware attacks and data breaches remain rampant. In 2021, healthcare data breaches were reported at a rate of around 2 per day, and although there were fewer ransomware attacks than in 2020, ransomware remains a significant threat, with a number of ransomware gangs actively targeting the healthcare industry.

In its Q4 2021 Healthcare Cybersecurity Bulletin, published on January 21, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of a number of ongoing cyberattack trends that are likely to continue in Q1 2022.

Ransomware

Law enforcement agencies in the United States and Europe have stepped up their efforts to bring the operators of ransomware operations and their affiliates to justice, with those campaigns resulting in the arrests of key members of several ransomware groups. This year, in an unusual act of cooperation between the U.S. and Russia, 14 suspected members of the notorious REvil ransomware gang were arrested. The increased pressure on ransomware groups has helped to curb attacks; however, many ransomware gangs remain in operation, many of which have been actively attacking the healthcare industry.

Emsisoft logged 68 ransomware attacks on healthcare providers in 2021, down from the 80 healthcare companies attacked in 2020; however, there were also a number of attacks on business associates that affected several healthcare companies. According to a recent FinCEN report, there are at least 68 active ransomware operations, and the 10 leading ransomware groups in 2021 made over $5.2 billion in ransom payments. Ransomware will remain a problem for the healthcare sector in 2022, so it is essential to follow industry best practices to prepare for, prevent, and recover from ransomware attacks to ensure patient safety.

Apache Log4J

The vulnerabilities discovered in the Apache Log4j logging library, first disclosed publicly in late November 2021, continue to create problems for healthcare institutions. A proof-of-concept exploit was released in December 2021, and a number of threat actors have been exploiting the vulnerabilities. HC3 issued a threat brief on January 20, 2021, warning of the risk of exploitation of the 6 vulnerabilities and recommending mitigations that should be implemented immediately to reduce the risk of exploitation.

Emotet Botnet

Emotet malware first appeared in 2014 and was widely used in attacks on healthcare companies. Devices infected with the Emotet Trojan are added to the botnet, and access to those devices is sold to other threat groups, frequently resulting in ransomware attacks. The botnet was taken down in January 2021, which is part of the reason for the decline in ransomware attacks; however, the botnet is now being rebuilt with greater resilience to takedown efforts and has several new capabilities. Emotet is likely to pose a significant threat to the healthcare sector in 2022, so it is crucial to take steps to strengthen defenses. Emotet is mainly distributed via phishing emails, so healthcare institutions should implement robust email security measures and ensure they provide security awareness training to employees.

Vulnerabilities

Vulnerabilities in information systems can be exploited to gain access to healthcare networks and sensitive data. It is crucial for healthcare providers to stay on top of patching and to apply software updates promptly. Patching should be prioritized, with the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog addressed first, along with any critical vulnerabilities in software applications, operating systems, and firmware.
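Both this paragraph and the EHR brief above say to patch KEV-listed vulnerabilities first, then other critical ones. The block below is an added example, not CISA's tooling, of turning that into an ordering over a vulnerability-scan export. The KEV entries are a constructed subset in the shape of the catalog's JSON (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` are the catalog's real field names; the CVE IDs are ones discussed on this page, but the dates here are illustrative placeholders, not the catalog's values), and the asset inventory, CVSS scores and exposure flags are constructed.

```python
from datetime import date

# Constructed subset in the shape of CISA KEV JSON entries. Dates are placeholders.
KEV_SAMPLE = [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2022-22536", "vendorProject": "SAP",
     "product": "Internet Communication Manager",
     "dateAdded": "2022-02-15", "dueDate": "2022-03-01"},
    {"cveID": "CVE-2021-20038", "vendorProject": "SonicWall", "product": "SMA 100 Series",
     "dateAdded": "2021-12-01", "dueDate": "2021-12-15"},
]

# Constructed scan findings: asset, CVE, CVSS base score, reachable from the Internet?
FINDINGS = [
    {"asset": "erp-web-01", "cve": "CVE-2022-22536", "cvss": 10.0, "internet_exposed": True},
    {"asset": "log-agg-03", "cve": "CVE-2021-44228", "cvss": 10.0, "internet_exposed": False},
    {"asset": "vpn-gw-01",  "cve": "CVE-2021-20038", "cvss": 9.8,  "internet_exposed": True},
    {"asset": "vpn-gw-01",  "cve": "CVE-2021-20041", "cvss": 7.5,  "internet_exposed": True},
    {"asset": "app-log-07", "cve": "CVE-2021-45105", "cvss": 7.5,  "internet_exposed": False},
]


def prioritize(findings, kev, today):
    """Order findings for patching: KEV-listed first, then Internet-exposed, then by
    CVSS. Returns (asset, cve, reason) tuples; KEV reasons carry the catalog due date."""
    kev_by_id = {entry["cveID"]: entry for entry in kev}

    def rank(f):
        in_kev = f["cve"] in kev_by_id
        return (0 if in_kev else 1, 0 if f["internet_exposed"] else 1, -f["cvss"], f["asset"])

    ordered = []
    for f in sorted(findings, key=rank):
        entry = kev_by_id.get(f["cve"])
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            state = "OVERDUE" if due < today else "open"
            reason = f"in KEV (due {due.isoformat()}, {state})"
        elif f["cvss"] >= 9.0:
            reason = "critical CVSS, not in KEV"
        elif f["cvss"] >= 7.0:
            reason = "high CVSS, not in KEV"
        else:
            reason = "routine patch cycle"
        ordered.append((f["asset"], f["cve"], reason))
    return ordered


def overdue_kev(findings, kev, today):
    """The subset that is KEV-listed and already past its catalog due date."""
    return [item for item in prioritize(findings, kev, today) if "OVERDUE" in item[2]]


if __name__ == "__main__":
    for asset, cve, reason in prioritize(FINDINGS, KEV_SAMPLE, date(2022, 3, 15)):
        print(f"{asset:12} {cve:16} {reason}")
```

The sort key makes the policy explicit: an internal host with a KEV-listed CVSS 10 flaw still ranks above an Internet-facing host whose flaw is high-severity but not known to be exploited, because evidence of exploitation in the wild is weighted above the theoretical score. Swap the live catalog JSON in for `KEV_SAMPLE` and a scanner export for `FINDINGS` to use it for real.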

Log4j Version Three Released to Resolve High Severity DoS Vulnerability

The original vulnerability identified in Log4j (CVE-2021-44228), which shocked the world because of its severity, ease of exploitation, and the extent to which it affects software and cloud solutions, is not the only vulnerability in the Java-based logging utility.

Following the release of version 2.15.0 to correct that vulnerability, it was confirmed that version 2.15.0 remained vulnerable in certain non-default configurations because of an incomplete fix. The newer vulnerability is tracked as CVE-2021-45046 and was resolved in Log4j version 2.16.0. It was initially rated low severity with a CVSS score of 3.7, but the score has since been raised to critical (CVSS 9.0): although it was originally documented as a denial-of-service bug, it was later established that it can be exploited for data exfiltration and remote code execution.

As per Apache, “If the logging configuration utilizes a non-default Pattern Layout having a Context Lookup (for instance, $${ctx:loginId}), attackers that can control the Thread Context Map (MDC) input information could create malicious input data that consists of a recursive lookup, leading to a StackOverflowError that may shut down the process.”

Apache strongly recommended that companies upgrade again, to version 2.16.0, to prevent exploitation of that vulnerability; however, yet another vulnerability has since been discovered, tracked as CVE-2021-45105. The new vulnerability is a DoS bug with a CVSS score of 7.5 (high severity) and affects all Log4j versions from 2.0-beta9 to 2.16.0.

According to the Apache Software Foundation (ASF), Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. If the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers who can control Thread Context Map input data can craft malicious input containing a recursive lookup, causing a StackOverflowError that will terminate the process.
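The mechanism is easier to see in a toy model than in prose. The block below is an added example, not Log4j's code: a Python stand-in for a Context Lookup that expands `${ctx:KEY}` from a thread-context map and re-scans each substituted value, the way the layout's lookup does. The `$$` in the configuration is unescaped to `${` when the configuration is loaded, so the model works on the runtime pattern. It adds the one thing the vulnerable versions lacked, a depth cap, so a self-referential MDC value raises a bounded error instead of overflowing the stack, and it includes a guard that rejects untrusted values carrying lookup syntax before they reach the MDC. The depth limit, function names and sample context values are assumptions; the actual fix is the 2.17.0 upgrade the article describes, and the guard only narrows exposure.

```python
import re

# Innermost ${...} with no nested braces; nested lookups are reached by re-scanning.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")


class LookupRecursionError(RuntimeError):
    """Raised when expansion would recurse past the depth limit."""


def resolve(text, ctx, max_depth=16):
    """Toy model of a Context Lookup (not Log4j's implementation): expand ${ctx:KEY}
    from the thread-context map `ctx`, re-scanning each substituted value. The depth
    cap is what turns an unbounded self-reference into a catchable error."""

    def expand(s, depth):
        if depth > max_depth:
            raise LookupRecursionError(f"lookup nesting exceeded {max_depth}")

        def substitute(match):
            key = match.group(1)
            if key.startswith("ctx:"):
                # the substituted value is itself scanned: this is the recursion
                return expand(ctx.get(key[4:], ""), depth + 1)
            return match.group(0)  # other lookup types are left untouched here

        return LOOKUP.sub(substitute, s)

    return expand(text, 0)


def safe_to_log(pattern, ctx):
    """True when the pattern expands under the depth cap, False when the context
    values would make it recurse without bound (the CVE-2021-45105 condition)."""
    try:
        resolve(pattern, ctx)
        return True
    except LookupRecursionError:
        return False


def contains_lookup(value):
    """Guard for untrusted data before it is put into the MDC: any '${' is suspect.
    Assumed policy; it narrows exposure but does not replace upgrading Log4j."""
    return "${" in value


if __name__ == "__main__":
    # constructed sample: a layout pattern with a context lookup, as the advisory describes
    pattern = "user=${ctx:loginId} msg=%m"
    print(resolve(pattern, {"loginId": "alice"}))
    print(safe_to_log(pattern, {"loginId": "${ctx:loginId}"}))   # self-referential value
    print(contains_lookup("${ctx:loginId}"), contains_lookup("alice"))
```

Run with `loginId` set to `${ctx:loginId}`, the resolver substitutes the value, rescans it, finds the same lookup, and repeats; without the cap that loop is the StackOverflowError the advisory describes, and the only input the attacker needed to control was a single MDC field.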

CVE-2021-45105 has been resolved in version 2.17.0, the third Log4j release in 10 days. More details on the Log4j vulnerabilities and the latest updates are available on this page.

SonicWall Urges Prompt Software Upgrade to Resolve Critical Vulnerabilities in SMA 100 Series Appliances

SonicWall has released new software for its Secure Mobile Access (SMA) 100 series remote access appliances that resolves 8 vulnerabilities, including two critical and four high-severity vulnerabilities.

Threat actors have exploited vulnerabilities in SonicWall appliances in the past in ransomware attacks. Although there are no known cases of the latest batch of vulnerabilities being exploited in the wild at this time, there is a high risk of exploitation if the firmware is not updated promptly. The SMA 100 series appliances affected by the vulnerabilities include the SonicWall SMA 210, 200, 410, 400, and 500v secure access gateway products.

The most serious vulnerabilities are buffer overflow flaws that an unauthenticated attacker could exploit remotely to execute code on unpatched devices. These are:

  • CVE-2021-20045 has a CVSS score of 9.4. It covers a number of unauthenticated file explorer heap-based and stack-based buffer overflow issues.
  • CVE-2021-20038 has a CVSS score of 9.8. It is an unauthenticated stack-based buffer overflow vulnerability.

The four high-severity vulnerabilities are:

  • CVE-2021-20041 (CVSS 7.5): an unauthenticated CPU exhaustion vulnerability.
  • CVE-2021-20043 (CVSS 8.8): a heap-based buffer overflow that allows remote code execution but requires authentication.
  • CVE-2021-20044 (CVSS 7.2): a post-authentication remote code execution vulnerability.
  • CVE-2021-20039 (CVSS 7.2): an authenticated command injection vulnerability.

Two medium-severity vulnerabilities were also fixed:

  • CVE-2021-20042 (CVSS 6.3): an unauthenticated 'confused deputy' vulnerability.
  • CVE-2021-20040 (CVSS 6.5): an unauthenticated file upload path traversal vulnerability.

The firmware update is available from MySonicWall.com and should be applied without delay to prevent exploitation. SonicWall states that there are no temporary mitigations that can be applied to block exploitation of these vulnerabilities.

HC3 Warns Healthcare Sector About the Risk of Zero-Day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued an alert to the healthcare and public health sector about a surge in financially motivated zero-day attacks, setting out mitigations that should be followed to reduce risk to a low and acceptable level.

A zero-day attack exploits a vulnerability for which no patch is yet available. Such vulnerabilities are called zero-day because the developer has not yet released a patch to correct the flaw.

Zero-day attacks are attacks in which a threat actor uses a weaponized exploit for a zero-day vulnerability. Zero-day vulnerabilities are exploited in attacks across all industry sectors and are not just a problem for healthcare. For example, in 2010 the Stuxnet attack on the Iranian nuclear program used exploits for four zero-day vulnerabilities and caused Iranian centrifuges to destroy themselves, disrupting the program.

More recently, in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. Normally a user would have to take further actions after opening a malicious email attachment before malware is downloaded, but by including a zero-day exploit the cybercriminals were able to install Dridex as soon as the user opened the infected attachment.

The very nature of zero-day vulnerabilities means that the risk cannot be eliminated entirely, since software developers must first develop patches to correct the flaws; however, techniques can be used to reduce the opportunities for zero-day vulnerabilities to be exploited.

The number of identified zero-day exploits more than doubled between 2019 and 2021. This is partly due to the high prices paid for zero-day exploits: the amount paid for working exploits increased by more than 1,150% from 2018 to 2021. Whereas the zero-day exploit market was once limited to a few well-funded groups, there are now many well-resourced threat actors willing to pay because they know they can recoup the cost many times over by using the exploits in attacks. A zero-day exploit can now be worth more than $1 million.

Zero-day attacks targeting the healthcare sector specifically are entirely plausible. In August this year, a zero-day vulnerability dubbed PwnedPiper was disclosed in the pneumatic tube systems used in hospitals to transport biological samples and medications. The flaw was in the control panel, which allowed unsigned firmware updates to be applied. An attacker could exploit it to take control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were found in OpenClinic that exposed patients’ test results. Unauthenticated attackers could retrieve files containing sensitive data, including medical test results, from the medical test directory.

The best protection against zero-day vulnerabilities is to apply the patch as soon as it is released; however, patching is often slow, particularly in healthcare. A 2019 survey by the Ponemon Institute found that it took an average of 97 days to apply, test, and deploy a patch for a zero-day vulnerability after the patch was released.

HC3’s recommendation is to “patch quickly, patch regularly, patch totally.” HC3 provides up-to-date information on actively exploited zero-days and the patches available to correct them. HC3 also recommends deploying a web application firewall to inspect incoming traffic and filter out malicious input, since this can prevent threat actors from reaching vulnerable systems. Runtime application self-protection (RASP) agents, which run inside an application’s runtime and can detect anomalous behavior, are also recommended, as is network segmentation.

The TLP:WHITE Zero-Day Threat Brief can be downloaded here.

13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities Identified That Affect Medical Devices

Thirteen vulnerabilities have been discovered in the Siemens Nucleus RTOS TCP/IP stack that threat actors could potentially exploit remotely to achieve arbitrary code execution, cause a denial of service, and obtain sensitive data.

The vulnerabilities, collectively named NUCLEUS:13, affect the TCP/IP stack (Nucleus NET) and the related FTP and TFTP services of the Nucleus Real-Time Operating System (RTOS). This networking component is used in many safety-critical devices, including medical devices such as patient monitors and anesthesia machines.

One critical vulnerability, with a CVSS v3 score of 9.8 out of 10, could allow remote code execution. Ten high-severity vulnerabilities have CVSS scores between 7.1 and 8.8, and two medium-severity vulnerabilities have scores of 5.3 and 6.5.

The vulnerabilities were identified by Forescout Research Labs, with assistance from researchers at Medigate.

The following Nucleus RTOS products are affected:

  • Nucleus NET: All versions
  • Capital VSTAR: All versions
  • Nucleus Source Code: All versions
  • Nucleus ReadyStart v4: All versions before v4.1.1
  • Nucleus ReadyStart v3: All versions before v2017.02.4

Determining where vulnerable code is in use is a challenge. The researchers estimated the impact of the vulnerabilities using data gathered from the official Nucleus website, the Forescout Device Cloud, and the Shodan search engine. Healthcare is the most heavily affected sector, with 2,233 vulnerable devices identified, followed by government (1,066), retail (348), financial services (326), and manufacturing (317); a further 1,176 vulnerable devices were found in other sectors. By device type, 76% were building automation devices, 13% operational technology, 5% IoT, 4% networking equipment, and 2% computers running Nucleus.

The vulnerabilities were reported to Siemens under responsible disclosure guidelines, and Siemens has released patches for all of them. Siemens noted that several of the vulnerabilities had already been found and fixed in earlier releases, but no CVEs had been assigned at the time.

Applying patches can be difficult, particularly for embedded devices and for mission-critical devices such as those used in healthcare.

Where patching is not possible, Forescout and Siemens recommend mitigating measures to reduce the opportunity for exploitation. Siemens advises restricting network access to vulnerable devices with appropriate mechanisms and ensuring the devices operate within protected IT environments configured according to Siemens’ operational guidelines.

Forescout has released an open-source script that uses active fingerprinting to identify devices running Nucleus, for discovery and inventory purposes. Once the devices are located, Forescout recommends enforcing segmentation controls and good network hygiene, such as restricting external communication paths and isolating or containing vulnerable devices in their own zone until they can be patched.

Progressive patches released by the vendors of affected devices should also be monitored, and all network traffic should be inspected for malicious packets. A remediation plan should be developed for all vulnerable assets that balances business continuity requirements with risk.

Three Medium-Severity Vulnerabilities Found in Philips MRI Solutions

Three medium-severity vulnerabilities have been found in Philips MRI products, which an unauthorized person could exploit to run the software, change device settings, access and modify files, and export data, including protected health information (PHI), to an untrusted location.

Secureworks Adversary Group consultant Michael Aguilar identified the vulnerabilities: improper access controls that do not restrict access by unauthorized persons (CVE-2021-3083), software that assigns an owner outside the intended control sphere (CVE-2021-3085), and exposure of sensitive information to persons who should not have access (CVE-2021-3084). All three have a CVSS v3 base score of 6.2 out of 10.

The vulnerabilities affect Philips MRI 3T version 5.x.x and Philips MRI 1.5T version 5.x.x. Aguilar reported the vulnerabilities to Philips, which has scheduled a patch for release in October 2022. In the meantime, Philips recommends mitigating measures to prevent exploitation.

The mitigations include operating the Philips MRI machines only according to authorized specifications and ensuring that physical and logical controls are in place. Only authorized personnel should be allowed access to the location of the MRI machines, and all of Philips’ instructions for using the machines should be followed.

Philips has received no reports of exploitation of the vulnerabilities, nor any reports of clinical incidents involving the products in connection with them.

Microsoft Warns of Continuing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses

The advanced persistent threat (APT) actor Nobelium (also known as Cozy Bear and APT29), which was responsible for the 2020 SolarWinds supply chain attack, is attacking managed service providers (MSPs), cloud service providers (CSPs), and other IT service providers, according to a new advisory from Microsoft.

Rather than attacking many organizations individually, Nobelium has adopted a compromise-one-to-compromise-many strategy. This works because service providers are often granted administrative access to customer networks in order to deliver IT services. Nobelium seeks to abuse that privileged access to attack downstream organizations and has been conducting these attacks since May 2021.

Nobelium uses a range of techniques to compromise service providers, including token theft, phishing and spear phishing, malware, API abuse, supply chain attacks, and password spraying against accounts using commonly chosen passwords and passwords exposed in previous data breaches.

Once access to a service provider’s network is obtained, Nobelium moves laterally in the cloud and then uses the trusted access to attack downstream organizations through trusted channels, such as externally facing VPNs or the specialized tools service providers use to reach customer environments.

Some of the attacks were highly sophisticated and required chaining together artifacts and access across several service providers to reach the intended target.

The Microsoft Threat Intelligence Center (MSTIC) has published guidance for service providers and downstream organizations to assist with remediation and mitigation.

MSPs and CSPs that rely on elevated privileges to deliver services to their clients were advised to verify and monitor compliance with Microsoft Partner Center security requirements, which include enabling multifactor authentication and enforcing conditional access policies, adopting the Secure Application Model framework, reviewing activity logs and monitoring user activity, and removing delegated administrative privileges that are no longer used.

Downstream organizations that rely on service providers with administrative access were advised to review, audit, and minimize access privileges and delegated permissions, including hardening and monitoring all tenant administrator accounts and reviewing service provider permissions from local and B2B accounts. They should also verify that MFA is enabled and conditional access policies are enforced, and regularly review audit logs and settings.

Microsoft has published full details of Nobelium’s tactics, techniques, and procedures (TTPs) in its advisory to help security teams prevent, detect, investigate, and mitigate attacks.

Alert Issued Regarding Ongoing BlackMatter Ransomware Attacks

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert about ongoing BlackMatter ransomware attacks.

The group has been conducting attacks in the U.S. since July 2021, including attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence links the gang to the DarkSide ransomware group, which carried out attacks between September 2020 and May 2021, including the attack on Colonial Pipeline; BlackMatter is possibly a rebrand of the DarkSide operation.

Investigations into the attacks have given the agencies important information about the group’s tactics, techniques, and procedures (TTPs), and a sample of the ransomware has been analyzed in a sandbox environment.

The gang is known to use previously compromised credentials to gain access to victims’ networks, then uses the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to reach Active Directory (AD) and discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found. The group exfiltrates data and typically demands ransom payments of between $80,000 and $15 million in Monero or Bitcoin.

In the joint alert, the NSA, FBI, and CISA describe the TTPs, provide Snort signatures that can be used to detect network activity associated with BlackMatter ransomware attacks, and list mitigations to reduce the risk of an attack by the gang.

The mitigations include:

  1. Using detection signatures to identify and block attacks in progress
  2. Using strong passwords that are resilient to brute-force attacks
  3. Using multi-factor authentication to prevent the use of stolen credentials
  4. Patching and updating systems promptly
  5. Limiting access to resources over the network
  6. Using network segmentation and traversal monitoring
  7. Using admin disabling tools to support identity and privileged access management
  8. Implementing and enforcing backup and restoration policies and procedures

CISA and FBI Alert Regarding Increasing Conti Ransomware Attacks

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory about increasing Conti ransomware attacks. CISA and the FBI have observed Conti ransomware used in more than 400 attacks on U.S. and international organizations.

Like many ransomware groups, the Conti gang exfiltrates data from victims’ networks before deploying the ransomware, and the ransom demand is accompanied by a threat to publish the stolen data if the victim does not pay. Conti’s developers run a ransomware-as-a-service operation and recruit affiliates to conduct attacks. Under this model, affiliates typically receive a share of the ransoms they generate, but Conti appears to operate somewhat differently: its affiliates are paid a salary to conduct attacks.

Various techniques are used to gain access to victims’ systems. A common one is spear phishing emails with malicious attachments, such as Word documents containing embedded scripts that act as malware droppers. Typically a malware variant such as IcedID or TrickBot is downloaded, giving the attackers access to the victims’ systems. The attackers then move laterally within the breached network, locate data of interest, and exfiltrate it before deploying the Conti ransomware payload.

Other access methods include brute-force attacks against weak Remote Desktop Protocol (RDP) credentials, exploitation of vulnerabilities in unpatched systems, and search engine poisoning to push malicious websites offering fake software into search results. Malware distribution networks such as ZLoader are also used, and attacks have been conducted after obtaining credentials through vishing (voice phishing) calls.

CISA and the FBI have observed legitimate penetration testing tools being used to identify cameras, routers, and network-attached storage devices with web interfaces that can be brute-forced. They have also seen legitimate remote monitoring and management (RMM) software and remote desktop software used as backdoors to maintain persistence on victims’ networks. The attackers use tools such as Windows Sysinternals and Mimikatz to escalate privileges and move laterally.

Vulnerabilities known to be exploited include PrintNightmare (CVE-2021-34527), Zerologon (CVE-2020-1472), and the Microsoft Windows Server Message Block vulnerabilities that were exploited in the 2017 WannaCry attacks.

Since a wide range of tactics, techniques, and procedures are used to gain access to victims’ networks, no single mitigation can prevent attacks. CISA and the FBI recommend the following mitigations to strengthen defenses against Conti ransomware attacks:

  • Use multi-factor authentication
  • Segment the network and filter traffic
  • Scan for vulnerabilities and keep software updated
  • Remove unnecessary applications and apply controls
  • Use endpoint detection and response (EDR) solutions
  • Limit access to resources over the network, especially by restricting RDP
  • Secure user accounts
  • Back up critical data, store backups offline, and test them to confirm that files can be recovered
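Both the Nobelium advisory (password spraying against service-provider accounts) and the Conti advisory (brute forcing of weak RDP credentials) describe credential attacks that leave a recognizable shape in authentication-failure logs: a spray is one source making one or two guesses against many accounts, a brute-force run is one source making many guesses against one or two accounts. The following is an added example, not code from either advisory, that separates the two patterns over constructed log lines. The line format, the IP addresses, the user names and the thresholds are assumptions for the example; in practice the equivalent fields come from Windows event 4625 or a VPN or IdP sign-in log.

```python
import re
from collections import defaultdict

# Added example, not from the CISA/FBI or Microsoft advisories: classify
# sources of authentication failures as password spraying or brute force.
# Log format, addresses, user names and thresholds are constructed.

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"logon=(?P<logon>\w+) result=(?P<result>\w+)$"
)

# Constructed sample log: one source tries six accounts once each (and
# lands one), one source hammers a single account, one is a user typo.
SAMPLE_LOG = "\n".join(
    [
        "2021-09-01T10:00:01Z src=10.0.0.5 user=alice logon=RDP result=FAIL",
        "2021-09-01T10:00:03Z src=10.0.0.5 user=bob logon=RDP result=FAIL",
        "2021-09-01T10:00:05Z src=10.0.0.5 user=carol logon=RDP result=FAIL",
        "2021-09-01T10:00:07Z src=10.0.0.5 user=dave logon=RDP result=FAIL",
        "2021-09-01T10:00:09Z src=10.0.0.5 user=erin logon=RDP result=FAIL",
        "2021-09-01T10:00:11Z src=10.0.0.5 user=frank logon=RDP result=SUCCESS",
    ]
    + [
        f"2021-09-01T10:01:{i:02d}Z src=10.0.0.9 user=administrator "
        "logon=RDP result=FAIL"
        for i in range(8)
    ]
    + [
        "2021-09-01T10:02:00Z src=10.0.0.2 user=carol logon=RDP result=FAIL",
        "2021-09-01T10:02:05Z src=10.0.0.2 user=carol logon=RDP result=SUCCESS",
    ]
)


def parse(log_text):
    """Parse matching lines into dicts; silently skip lines of other shapes."""
    return [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]


def classify_sources(events, spray_min_users=5, spray_max_per_user=2,
                     brute_min_failures=8, brute_max_users=2):
    """Group failures by source address and label each source.

    password_spray: failures spread across many accounts, few per account.
    brute_force:    many failures concentrated on one or two accounts.
    Successful logons from a flagged source are reported as well, since
    those are the accounts that now need a password reset and a review.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded": []})
    for e in events:
        s = stats[e["src"]]
        if e["result"] == "FAIL":
            s["failures"] += 1
            s["users"].add(e["user"])
        elif e["result"] == "SUCCESS":
            s["succeeded"].append(e["user"])

    findings = {}
    for src, s in stats.items():
        n_users = len(s["users"])
        if n_users == 0:
            continue
        if n_users >= spray_min_users and s["failures"] / n_users <= spray_max_per_user:
            kind = "password_spray"
        elif s["failures"] >= brute_min_failures and n_users <= brute_max_users:
            kind = "brute_force"
        else:
            continue
        findings[src] = {"type": kind, "failures": s["failures"],
                         "accounts": sorted(s["users"]),
                         "succeeded": s["succeeded"]}
    return findings


def detect(log_text=SAMPLE_LOG):
    return classify_sources(parse(log_text))


if __name__ == "__main__":
    for src, f in detect().items():
        print(src, f)
```

The per-user ratio is what keeps a spray from hiding below a per-account lockout threshold: the classic spray stays at one or two attempts per account precisely to avoid lockouts, so counting failures per source across accounts, rather than per account, is the check that catches it. The thresholds are starting points to be tuned against a baseline of normal failure rates.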

Researchers Find Easily Exploitable Vulnerabilities in Drug Infusion Pumps

Researchers at McAfee Advanced Threat Research (ATR), together with the medical device cybersecurity company Culinda, have found five previously unreported vulnerabilities in two popular B. Braun drug infusion pump models.

The devices are used in hospitals worldwide to treat adult and pediatric patients and automate the delivery of medications and nutrients. They are particularly useful for ensuring a controlled supply of critical medication doses.

An unauthenticated attacker could exploit the vulnerabilities to alter an infusion pump’s settings while it is in standby, which could result in an unexpected dose of medication being delivered when the device is next used, potentially harming a patient.

McAfee notified B. Braun of the vulnerabilities in the B. Braun SpaceStation and the B. Braun Infusomat Space Large Volume Pump on January 11, 2021, and recommended safeguards to prevent exploitation. In May 2021, B. Braun released information for customers and notified the Health Information Sharing & Analysis Center (H-ISAC) about the vulnerabilities and proposed mitigations. The vulnerabilities affect infusion pumps running older B. Braun software versions; however, the researchers noted that “vulnerable versions of the software remain extensively used throughout medical facilities and stay in danger of exploitation.”

Safeguards are built into the infusion pumps to prevent attackers from altering dosages while the pumps are operating, so an attacker cannot change a dose while it is being administered. The vulnerabilities can, however, be exploited while the pumps are on standby or idle, so changes can be made to the device’s behavior between infusions.

There have been no documented cases of these or other drug infusion pump vulnerabilities being exploited in the wild, but this is a credible attack scenario and one that could easily be exploited to harm patients. The latest B. Braun software version blocks the initial network vector of the attack chain, but the vulnerabilities have not been fully addressed: an attacker could find another way to reach the system the devices connect to and exploit them. Given the number of ransomware attacks reported in recent months, gaining access to healthcare systems is evidently not a major obstacle for many threat actors.

Until a comprehensive set of patches is produced and effectively applied by B. Braun customers, medical facilities should give these threats particular attention and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in its coordinated vulnerability disclosure documents.

The researchers believe that many other medical devices have vulnerabilities that could be exploited to harm patients. Medical devices are designed with patient safety in mind, and safeguards are built in to ensure patient safety is not compromised; however, cybersecurity protections are often given lower priority during the design phase. Moreover, when security vulnerabilities are found in medical devices, patching is expensive. The devices are tightly regulated, so it is not simply a matter of issuing a patch or promptly updating the devices as would be done with, say, a web browser. Patches must be thoroughly tested, the devices must be taken out of service while updates are applied, and the patches and updates must then be fully validated. Many devices continue to run older versions of software and firmware.

For now, ransomware attacks are a bigger problem for the medical sector, but eventually these environments will be hardened against that type of attack and malicious actors will look for other low-hanging fruit, the researchers noted. Given the lifetime of medical devices and the difficulty of upgrading them, it is essential to start planning today for tomorrow’s threats. The researchers hope their work raises awareness of an area that has long been neglected.

CISA Issues Alert About BlackBerry QNX Vulnerability Affecting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory about a vulnerability in BlackBerry’s QNX Real-Time Operating System (RTOS), which is widely used by critical infrastructure organizations and is embedded in many consumer, medical, and manufacturing systems.

The vulnerability is one of the 25 vulnerabilities collectively known as BadAlloc, which affect many IoT and OT systems. They are integer overflow or wraparound flaws in the memory allocation functions of embedded software development kits (SDKs), real-time operating systems, and C standard library (libc) implementations.

On August 17, 2021, BlackBerry reported that CVE-2021-22156, one of the BadAlloc vulnerabilities, affects its QNX products. A remote attacker could exploit the vulnerability to cause a denial of service or potentially achieve remote code execution, the latter of which could allow an attacker to take control of highly sensitive systems.

The vulnerability is in the calloc() function of the C runtime library in several BlackBerry QNX products. According to CISA, an attacker could exploit it if they control the parameters passed to a calloc() call and can control what memory is accessed after the allocation. An attacker with network access could exploit the vulnerability remotely if the vulnerable product is running and the affected device is exposed to the internet.

The vulnerability affects all BlackBerry programs that depend on the C runtime library, including medical devices that incorporate BlackBerry QNX software.
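The two conditions CISA names, control over the calloc() parameters and control over how the returned memory is used, are the two halves of the BadAlloc pattern: the allocator multiplies nmemb by size in fixed-width arithmetic, the product wraps to a small number, a small block is returned, and the caller then writes the full amount it asked for into it. The following is an added example, not BlackBerry or QNX code: a Python model of that class with a naive and an overflow-checked size computation side by side. The 32-bit width, the toy heap layout, the chosen request of 0x40000001 elements of 4 bytes, and the function names are assumptions for the example.

```python
# Added example, not BlackBerry/QNX code: a model of the integer wraparound
# class behind BadAlloc in a calloc()-style allocator. Word width, toy heap
# layout, request sizes and function names are assumptions.

WORD_BITS = 32
SIZE_MAX = (1 << WORD_BITS) - 1


def naive_calloc_size(nmemb, size):
    """Unchecked C-style product truncated to size_t width.
    0x40000001 * 4 = 0x100000004, which wraps to 4: a request for just over
    4 GiB is satisfied with a 4-byte block."""
    return (nmemb * size) & SIZE_MAX


def checked_calloc_size(nmemb, size):
    """Overflow-safe product: refuse when the true product does not fit in
    size_t. This is the usual fix (if nmemb != 0 and size > SIZE_MAX / nmemb,
    return NULL with errno set to ENOMEM); None models the NULL return."""
    if nmemb == 0 or size == 0:
        return 0
    if size > SIZE_MAX // nmemb:
        return None
    return nmemb * size


class ToyHeap:
    """Bump allocator over a bytearray. Chunks are adjacent, so a write past
    the end of one chunk lands in the next one, as it would on a real heap."""

    def __init__(self, capacity=64):
        self.mem = bytearray(capacity)
        self.top = 0

    def alloc(self, nbytes):
        if nbytes is None or self.top + nbytes > len(self.mem):
            return None                     # allocation refused
        offset = self.top
        self.top += nbytes
        return offset

    def write(self, offset, data):
        self.mem[offset:offset + len(data)] = data

    def read(self, offset, length):
        return bytes(self.mem[offset:offset + length])


def demo(size_fn, nmemb=0x40000001, size=4):
    """Allocate with the given size computation, place an 8-byte 'secret'
    chunk right after it, then let the caller fill what it believes is a
    huge buffer (16 bytes stands in for the start of that fill). Returns
    whether the allocation went through and what the secret looks like
    afterwards."""
    heap = ToyHeap()
    chunk = heap.alloc(size_fn(nmemb, size))
    secret = heap.alloc(8)
    heap.write(secret, b"SECRET!!")
    if chunk is None:
        return {"allocated": False, "secret": heap.read(secret, 8)}
    heap.write(chunk, b"A" * 16)            # overruns the 4-byte block
    return {"allocated": True, "secret": heap.read(secret, 8)}


if __name__ == "__main__":
    print("naive:  ", demo(naive_calloc_size))
    print("checked:", demo(checked_calloc_size))
```

The point for a reviewer of embedded C is that the check belongs inside the allocator, not at the call site: every caller that computes a count from network input (packet length fields, element counts in a parsed message) reaches calloc() with attacker-chosen arguments, and only a check on the product itself prevents the wraparound.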

CISA strongly urges all critical infrastructure organizations and other organizations that develop, maintain, support, or use affected QNX-based systems to apply the patch promptly to prevent exploitation. CISA notes that installing software updates for an RTOS often requires taking the device to a support facility or an off-site location for physical replacement of integrated memory.

The following BlackBerry QNX Real-Time Operating System (RTOS) products and versions are vulnerable:

  • Model QNX SDP version 6.5.0SP1, 6.5.0, 6.4.1, 6.4.0
  • Model QNX Momentics version 6.3.0SP3, 6.3.0SP2, 6.3.0SP1, 6.3.0, 6.2.1b, 6.2.1, 6.2.1A, 6.2.0
  • Model QNX Momentics Development Suite version 6.3.2
  • Model QNX Realtime Platform version 6.1.0a, 6.1.0, 6.0.0a, 6.0.0
  • Model QNX Development Kit (Self-hosted) version 6.0.0, 6.1.0
  • Model QNX Cross Development Kit version 6.0.0, 6.1.0
  • Model QNX Neutrino RTOS Safe Kernel version 1.0
  • Model QNX Neutrino RTOS for Medical Devices version 1.0, 1.1
  • Model QNX Neutrino RTOS Certified Plus version 1.0
  • Model QNX CAR Development Platform version 2.0RR
  • Model QNX OS for Automotive Safety version 1.0
  • Model QNX OS for Safety version 1.0, 1.0.1
  • Model QNX Neutrino Secure Kernel version 6.4.0, 6.5.0

CISA recommends the following mitigations:

  • Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch.
  • Manufacturers that build their own RTOS software versions should contact BlackBerry to obtain the patch code. Note that in some cases manufacturers may need to develop and test the software patches themselves.
  • End users of safety-critical systems should contact their product manufacturer to obtain a patch. If no patch is available, they should apply the manufacturer’s recommended mitigations until one is released.
  • If the patch cannot be applied or is not yet available, CISA recommends ensuring that only the ports and protocols used by RTOS applications are reachable and that all others are blocked.

CISA Issues Guidance for MSPs and SMBs on Strengthening Security Defenses

Cybercriminals often target managed service providers (MSPs) because MSPs have privileged access to their clients’ systems. A single successful attack on one MSP can therefore give the attacker access to the systems of many, if not all, of that MSP’s clients.

The recent Kaseya supply chain attack showed how serious this type of attack can be. A REvil ransomware affiliate gained access to Kaseya’s systems and, through them, to the systems of around 60 of its customers (mostly MSPs), encrypting their data. Through those MSP clients, the ransomware affected approximately 1,500 downstream companies.

Small and mid-sized businesses (SMBs) often lack the staff to manage their own IT systems, or the expertise and hardware to store sensitive data and run sensitive operations. Many use MSPs to supply that expertise. It is usually more economical for SMBs to scale and manage their networks through an MSP than to handle those resources themselves.

Outsourcing IT or security functions to an MSP introduces risks that SMBs must mitigate. MSPs, in turn, must have safeguards to block unauthorized access to their networks and to limit the harm to their clients if their perimeter defenses are breached.

On July 14, 2021, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help MSPs and SMBs strengthen their defenses, improve resilience to cyberattacks, and limit the damage if an attack succeeds.

The CISA Insights report provides mitigations and hardening advice for MSPs and SMBs, highlighting the key steps needed to secure MSP network assets and those of their clients and to reduce the risk of successful attacks.

The CISA Insights: Guidance for Managed Service Providers (MSPs) and Small- and Mid-sized Businesses guidance document can be downloaded on this page.

Critical Vulnerabilities Identified in MesaLabs Lab Temperature Monitoring System

Stephen Yackey of Securifera identified five vulnerabilities in the MesaLabs AmegaView continuous monitoring system, which is used in hospital laboratories, forensics labs, and biotech companies. Two critical command injection vulnerabilities have CVSS severity scores of 9.9 and 10 out of 10. The vulnerabilities affect AmegaView versions 3.0 and earlier.

The vulnerabilities include the following:

  • CVE-2021-27447 (CVSS 10.0): improper neutralization of special elements used in a command (command injection) that could allow an attacker to execute arbitrary code.
  • CVE-2021-27449 (CVSS 9.9): improper neutralization of special elements used in a command that could allow an attacker to execute commands on the web server.
  • CVE-2021-27445 (CVSS 7.8): insecure file permissions that could allow an attacker to escalate privileges on the device.
  • CVE-2021-27451 (CVSS 7.3): improper authentication, as passcodes are generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
  • CVE-2021-27453 (CVSS 7.3): an authentication bypass that could allow an attacker to gain access to the web application.

There are currently no known public exploits targeting these vulnerabilities. Because AmegaView is reaching end-of-life this year, MesaLabs has decided not to release patches for them. Instead, customers using the vulnerable devices are advised to obtain the current Viewpoint software, which is compatible with AmegaView systems.

If this is not possible, or until it is done, it is recommended to place vulnerable products behind firewalls, isolate them from the business network, and ensure they are not accessible from the internet. If remote access is required, a virtual private network (VPN) should be used, and the VPN software should be kept at the latest version.

Before implementing any new security measures, an impact and risk analysis should be performed.