HC3 Reveals Information on BlackCat and Royal Ransomware Campaigns

The Health Sector Cybersecurity Coordination Center (HC3) has provided threat information on two advanced and aggressive ransomware groups, the Blackcat and Royal. Both present a considerable risk to the healthcare and public health (HPH) sector.

From 2021 to the beginning of 2022, the Conti ransomware-as-a-service (RaaS) operation dominated the ransomware threat landscape; nevertheless, the operation was shut down in 2022. Although the Conti RaaS does not operate using that name now, the group members remain active although are scattered throughout a number of smaller semi-independent and independent ransomware groups. These small ransomware operations are more flexible, more difficult to monitor and get less attention from the police authorities.

The BlackCat ransomware group, also called AlphaV, was initially discovered in November 2021 and is thought to be the replacement to Darkside/BlackMatter ransomware. The BlackCat admin is thought to be a previous member of the well-known REvil threat gang. The BlackCat RaaS operation uses triple extortion, engaging in data theft, encryption of files, and denial of service (DDoS) attacks. The group exposes the stolen data on its data leak website and launches DDoS attacks if it does not receive ransom payments. The group mainly attacks companies in the United States.

In contrast to a number of ransomware operations that encourage attacking the healthcare industry, BlackCat’s operating rules forbid affiliates to attacks hospitals, medical organizations, and ambulance providers, though pharmaceutical firms and private clinics aren’t restricted. HC3 has cautioned that although there are operating guidelines, they aren’t absolute, and ransomware groups that have equally forbidden attacks on healthcare companies have not done so in past times. Although the operation is considerably smaller compared to Conti, the group has performed a lot of attacks, including on 60 companies in the initial 4 months of its operation.

Royal is a new ransomware group that was first seen executing attacks in the beginning of 2022. The group is likewise thought to involve ex – Conti members. At first, Royal utilized an encryptor similar to BlackCat’s, then used its own encryptor on September 2022. Royal is currently the ransomware operation that is most active, having overtaken Lockbit. Royal uses double extortion strategies including stealing data, encrypting files and threatening to post stolen information when no ransom is paid. Just like Conti, Royal is regarded to perform callback phishing attacks to acquire preliminary access to systems. Callback phishing begins with a harmless email that contains a phone number, and social engineering techniques are employed to persuade the victim to contact the supplied number and give access to their device. The Royal group is likewise identified to carry out attacks utilizing an encryptor that disguises as healthcare patient information software stored on legit-looking software download websites. As opposed to BlackCat, the healthcare sector is not restricted, and a number of attacks were done on healthcare companies. As a result, Royal presents a considerable threat to the HPH industry

HC3 provided comprehensive data for system defenders on the tactics, techniques, and procedures employed by the two operations, together with Indicators of Compromise (IoCs), Yara regulations, and proposed mitigations.

Healthcare Providers Cannot Evaluate and Mitigate Supply Chain Risks

Healthcare providers could have numerous cybersecurity procedures ready to protect their systems and stop direct attacks by threat actors. However, substantial challenges are encountered when protecting the supply chain. Healthcare providers employ vendors to deliver services that can’t be managed in-house, and although they deliver essential services they likewise generate risks that must be efficiently handled. Vendors frequently need privileged access to systems to execute their work, meaning an attack on a vendor could enable a threat actor to acquire access to a healthcare provider’s system via the backdoor.

Cybercriminals are more and more attacking healthcare vendors considering that they are a significantly vulnerable part of the supply chain. In 2022, a lot of the biggest healthcare data breaches documented had vendors involved.

  • Shields Health Care Group, a medical imaging services provider to over 50 healthcare centers, encountered a breach involving over 2 million records,
  • Professional Finance Company, a debt collection service provider to healthcare providers, encountered a breach impacting a lot of its clients and compromised the information of 1.91 million individuals.
  • Eye Care Leaders, an electronic medical record vendor, suffered an attack that impacted around 41 eye care companies and over 3.6 million patients.
  • Though efforts must keep going to protect healthcare systems from direct attacks, prompt action is necessary to protect the supply chain.

A new survey carried out by the Ponemon Institute for the Healthcare and Public Health Sector Coordinating Councils (HSCC) looked into the present status of supply chain risk in medical care and affirmed that quite a lot must be completed, with numerous healthcare providers discovered to experience substantial difficulties in acquiring their supply chains. The survey was performed on 400 U.S. healthcare companies, affirmed that there is still substantial potential and budget breaks between big and modest healthcare companies with regards to managing and lowering supply chain threat, yet companies of different sizes are faltering at the essentials of supply chain risk supervision.

To correctly measure and deal with risks, healthcare companies need to have a complete listing of all vendors that they utilize. The survey showed that just 20% of the 400 surveyed companies had a complete listing of all of their vendors, with smaller healthcare companies being three times more likely to be without inventory whatsoever. One popular strategy undertaken by healthcare companies is to concentrate their supply chain risk administration plans on new vendors while they are onboarded, yet they are unsuccessful in evaluating and handling risk for their present vendors, which was the scenario for nearly half (46%) of surveyed companies. 35% of surveyed companies weren’t considering supplier risks associated with patient results, with smaller healthcare companies 2 times as likely to have this difference than bigger companies. Only 41% of companies had incorporated their cyber risk plans with their purchasing and contracting teams. Smaller healthcare companies lack budgetary resources to correctly handle supply chain danger, with 57% of smaller companies having supply chain risk management funds of $500,000 or much less, as opposed to 5% of big companies that got supply chain risk management finances of around $1 million to $5 million.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) comprises supply chain risk management procedures that could – and ought to – be followed – yet doing this can be a problem for small- and medium-sized healthcare companies. To make supply chain risk management easier, the HSCC has customized this reference and created a free toolkit (HICSCRiM), particularly for small to medium-sized healthcare companies which normally have more minimal resources for taking care of supply chain danger.

Ed Gaudet, CEO, and Founder of Censinet as well as HSCC Supply Chain Cybersecurity Task Group member said the healthcare supply chain group is under a growing amount of pressure to move immediately while dealing with a lot of risks throughout the purchase process. Because cyberattacks just like ransomware come to be more advanced, this survey emphasizes the immediate requirement for automation and useful risk ideas to help supply chain frontrunners efficiently handle inventory, fraudulence, cyber risk, and supplier redundancy.

HPH Sector Cautioned Regarding Clop Ransomware-as-a-Service Operation

The Health Sector Cybersecurity Coordination Center (HC3) has provided details about the Clop (Cl0p) ransomware-as-a-service operation. The affiliates of this group are identified to be performing attacks on the healthcare and public health (HPH) sector.

Clop ransomware was initially discovered in February 2019 and it replaced the CryptoMix ransomware. The group is very active and was seemingly not affected when six operators of the ransomware were arrested in 2021. Their activity proceeded regardless of the arrests. The Clop ransomware group was active all through 2022. There was one month wherein the group carried out attacks on 21 companies. The group usually attacks organizations with a yearly income above $10 million. It had demanded large ransom payments even if the attacks were done on smaller healthcare providers like doctors’ and dentists’ practices with earnings above $5 million.

The group employs double extortion strategies and steals sensitive information before file encryption and demands a ransom payment to stop publishing the stolen information and to get the keys for file decryption. Some attacks associated with the group just involved stealing of data and extortion. The group pushes through with its threats to post stolen information if it doesn’t receive the ransom payment, just like the attack on the pharmaceutical company ExecuPharm. The group’s leak site published the stolen emails, financial information, documents, and database files of the company.

The group works together with some other cybercriminal groups, which include the financially-driven threat group monitored as FIN11. A threat group connected to the Clop ransomware group was responsible for a string of attacks that took advantage of a vulnerability in the Accellion File Transfer Appliance (FTA) last December 2020. A number of healthcare providers were impacted and had their sensitive information exposed.

The tactics, techniques, and procedures employed by the Clop ransomware group affiliates are extremely diverse and are continuously changing. First access was initially acquired to victims’ systems by means of phishing, credential abuse, remote desktop compromise, and the exploitation of unpatched vulnerabilities. At the end of 2022, a number of attacks were carried out utilizing TrueBot malware to acquire preliminary access to systems.

The group knows healthcare IT systems and workflows very well which has aided the threat actor in successfully launching attacks on the HPH sector many times. In 2022, the group purportedly began having issues getting ransom payments which resulted in using different tactics. Intercepted communications among ransomware group members showed it had begun attacking medical practices that provide telehealth consultations. With these attacks, the affiliates sign up online as new patients and ask for telehealth services. They then send emails prior to their appointments and attach
files of medical images that have malicious code, hoping that the practices will open the files before the set appointments.

The Clop ransomware group is remarkably capable, well-financed, and prolific, and is known to present a considerable threat to the HPH industry.

Ransomware Groups Use New Strategies for Attacking Victims to Increase Odds of Payment

Ransomware is still one of the most critical threats faced by the healthcare sector. Attacks can be extremely expensive to deal with, they can bring about substantial disruption to business functions, and can endanger patient safety. Ransomware groups are continuously altering their tactics, techniques, and procedures to get preliminary access to systems, avert security options, and easily recover without paying the ransom, and with a lot more victims not paying the ransom demand, ransomware groups have began adopting more aggressive strategies to force victims into paying the ransom.

Targeting Telemedicine Providers

Various strategies are utilized to obtain access to healthcare systems, which include remote access technologies like Remote Desktop Protocol (RDP) and VPNs and taking advantage of unpatched vulnerabilities, along with phishing a top attack vector. One of the newest phishing strategies used is to attack healthcare companies that provide telemedicine solutions, particularly those providing consultation services to patients online. The threat actor impersonates a new patient and gives the healthcare company a decoy file that resembles the their health records. The ransomware group presumes that before the consultation, the physician is going to open the file to look at the patient’s information. Doing so will install malware and give the threat actor access to the device.

One of the major issues for ransomware groups is getting compensated. When ransomware use was just starting, recovery of encrypted files require payment. Organizations that adopted guidelines for data backups could restore their files without making ransom payments. To boost the likelihood of getting payment, ransomware groups engaged in double extortion strategies. Sensitive information is exfiltrated before encrypting files and the attacker issues threats to leak the information when the ransom demand is not paid. Even when there are backups, payment is usually given to stop the exposure of stolen information. Nevertheless, this strategy is not very successful now. According to Coveware’s report, fewer victims are giving ransom payments even if data is compromised.

Using Triple Extortion Tactics

A number of ransomware groups have began utilizing triple extortion tactics to increase pressure on victims to pay. This tactic had been used in a number of attacks on healthcare companies. Triple extortion has different types, for example, getting in touch with patients using the contact details in the stolen files to attempt to extort money from them. The REvil ransomware group, now presumed to be behind the BlackCat ransomware, began contacting the victims’ clients or the press, informing them about the attack. Several groups have likewise performed Distributed Denial of Service (DDoS) attacks on affected entities that won’t pay up. LockBit began demanding payment to give back the stolen information besides getting the decryptor and to avert the leak of data.

A recent report by Brian Krebs of Krebs on Security talks about another new tactic discovered by Alex Holden, founder of the cybersecurity company Hold Security. This tactic is being used by Clop and Venus, two ransomware operations that target healthcare companies.

The Clop ransomware group used a tactic for attacking healthcare companies, which sends malicious files masked as ultrasound photos to doctors and nurses. This gang is one of those that started targeting healthcare companies that provide online consultation services. One successful attack involved a patient with cirrhosis of the liver requesting for a web consultation. The attacker chose cirrhosis of the liver because it would be very likely that a physician would need an ultrasound scan and other medical tests to diagnose the condition and the records can be attached to the email.

Framing Executives for Insider Trading

Holden also described a new method tried by the Venus gang to compel victims to pay the ransom. They are trying to frame officers of public firms by modifying email inboxes to look like the officers were engaging in insider trading. One attack proved successful. The group inserted messages that talked about plans to buy and sell big volumes of the company’s stock depending on non-public data.

Holden cited one of the blackmail messages created by the Venus gang. The message to the CEO states that it imitated its correspondence with a trading insider who gives the financial reports of the firms by which its victim purportedly trades in the stock market. This practice is obviously a criminal offense as per the US federal legislation and violators could be sentenced to about 20 years imprisonment.

Holden mentioned that implanting communications into inboxes is hard however it is likely for a ransomware actor that has access to Outlook .pst files, which an attacker would probably have in case they breached the victims’ system. Holden stated the implanting of email messages may not withstand forensic evaluation, however, it may still be sufficient to result in a scandal and reputation loss, which might be sufficient to force the victim to pay the ransom.

HPH Sector Cautioned of Lorenz Ransomware Group

The healthcare and public health sector (HPH) is cautioned about the threat of ransomware attacks executed by the Lorenz threat group, which has carried out a number of attacks in the U.S. over the last two years, without any indication that attacks are lessening.

Lorenz ransomware is man-operated and is used after the attackers have acquired access to systems and have extracted data. As soon as access to the system is obtained, the group is well-known to personalize its executable code and customize it for every targeted company. The Lorenz actors keep persistent and carry out substantial reconnaissance over a lengthy time frame prior to implementing ransomware to encrypt files. The group does double extortion tactics, where sensitive information is exfiltrated before encrypting files and ransom demands are given to stop the selling or posting of that records, besides payment being demanded to acquire the keys for file decryption.

Numerous ransomware threat actors steal information and threaten to post the stolen records on a data leak webpage in case the ransom is not settled. The procedure utilized by Lorenz is fairly unique. In case after trying to demand the victim to pay the ransom and it is not actually coming, the group tries to peddle the stolen information to other threat actors and rivals. When the ransom stays unpaid, Lorenz posts password-protected archives that contain the stolen information on its data leak site. If the group is not able to profit from the stolen information, the passwords for the archives are then posted, which enables anybody to get access to and download the stolen information. There were instances where the group kept access to victims’ systems and offered that access to some different threat actors.

Lorenz does big game hunting, most often attacking big companies, with the ransom demands usually about $500,000 to $700,000. There were no identified attacks on non-business targets, and most victims are English-speaking. As opposed to the majority of other ransomware groups, fairly little is understood regarding this group. The group utilizes methods to obtain preliminary access to victims’ systems like phishing, breaching remote access technologies for instance RDP and VPNs, taking advantage of unpatched vulnerabilities in program and OS systems, and executing attacks on managed service providers (MSPs), and then switching to target MSP customers.

The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, Indicators of Compromise, and other resources that may be employed by system defenders to boost their security versus Lorenz ransomware attacks.

Feds Warns the HPH Sector Concerning Aggressive Hive Ransomware Group

The Hive ransomware-as-a-service (RaaS) operation initially appeared in June 2021 and has strongly attacked the health and public health sector (HPH) and do so until now. Between June 2021 and November 2022, the group executed attacks on over 1,300 institutions around the world, generating ransom payments of over $100 million.

Some of the affected organizations in the HPH sector are the public health system in Costa Rica, Lake Charles Memorial Health System, Memorial Health System, Partnership HealthPlan of California, Missouri Delta Medical Center, Hendry Regional Medical Center, and Southwell. The most recent attack this month, Lake Charles Memorial Health System, is still recovering. The attacks endanger patient safety and have compelled hospitals to reroute ambulances, postpone surgeries, delay consultations, and close urgent care facilities.

Last November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) published a joint advisory to the HPH sector telling about the danger of attacks and shared Indicators of Compromise (IoCs) and information on the tactics, techniques, and procedures (TTPs) utilized by the group, together with suggested mitigations for preventing, identifying, and mitigating attacks.

Hive has advanced capabilities, uses double extortion tactics, and publicly posts stolen information on its leak website when victims do not give ransom payment. The group is known to attack victims again if they attempted to bounce back without giving ransom payment. As a RaaS operation, the group recruits affiliates to carry out attacks for the group in exchange for a portion of the ransom payments they make. Affiliates are known to have the skills needed for getting access to victims’ systems.

The most popular methods utilized for preliminary access are taking advantage of Remote Desktop Protocol (RDP) vulnerabilities and other remote network connection systems, exploiting Virtual Private Networks (VPNs), performing phishing attacks using malicious attachments, and taking advantage of unpatched vulnerabilities, such as the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34523, CVE-2021-34473 and CVE-2020-12812 vulnerability to gain access to FortiOS servers.

As soon as access to systems has been acquired, the group determines operations associated with backups, antivirus/anti-spyware, and file extraction, and stops those procedures. Volume shadow copy services are halted and all current shadow copies are erased, and Windows event records are removed, especially the System, Security, and Application records. Before encryption, virus definitions are deleted and all parts of Windows Defender and other usual antivirus applications are deactivated in the system registry, and sensitive information is exfiltrated making use of Rclone and Mega.nz, the cloud storage service. The group runs live chat support to interact with victims and has likewise been recognized to get in touch with victims by telephone and email to talk about payment. Ransom demands could be sizeable, which range from thousands to millions of dollars.

Healthcare providers are advised to see the shared security advisory, keep track of their systems utilizing the given IoCs, solidify defenses versus the determined TTPs, and apply the suggested mitigations.

Increased Risks in Using Connected Devices in Healthcare

Hospitals use an increasing number of connected devices. Although connected devices can enhance performance, security, and patient results, they also considerably elevated the attack surface. A lot of these devices do not have the right security features or the correct configuration.

A new Microsoft-sponsored research study conducted by the Ponemon Institute regarding the present state of IoT/OT cybersecurity showed that 65% of companies have weak security in their IoT/OT devices and 50% have experienced more attacks involving their IoT/OT devices. 88% of the respondents mentioned that their IoT devices are accessible online, and 51% have OT gadgets accessible online. More cybercriminals are attacking these gadgets because they have a weak spot that can be exploited easily. Malicious actors use malware and ransomware to get initial access to targeted devices.

In 2020, Forescout reviewed the kinds of devices employed in enterprise systems to find out which present the greatest threat, and this November
released the latest version of the report. The majority of devices that were regarded as high risk stay on the updated listing, and consist of programmable logic controllers (PLCs), networking tools, VoIP, and IP cameras. Hypervisors and human-machine interfaces (HMIs) are included this year.

Nearly all of the riskiest gadgets are listed because they are often exposed online or crucial to business functions, and they all have vulnerabilities. All companies depend on a mix of IT, IoT, and OT. Healthcare companies likewise depend on IoMT devices. So virtually all companies face an increasing attack surface because they have at least one form of risky device hooked up to their network.

A lot of the devices are hard to patch and maintain, therefore vulnerabilities aren’t resolved immediately. IoMT devices are dangerous since they can give access to internal systems and can include important patient data, and attacks on these gadgets can impact healthcare delivery and patient security. There were attacks on hospitals that resulted in the deactivation of fetal monitors. In 2020, a number of attacks were executed on radiation information systems.

Medical imaging devices like DICOM workstations, imaging devices, nuclear medicine systems, and PACS can have highly sensitive patient information. They likewise frequently use legacy IT OS and have considerable network capacity for the quick sharing of medical imaging information, typically utilizing the DICOM standard for sharing data files. DICOM wasn’t created thinking about security, and although DICOM does allow encryption of transmitted data, encryption configuration depends on the individual healthcare organization. Encryption isn’t turned on in lots of hospitals, which suggests that medical images are sent in plain text and can quickly be intercepted and made to contain malware. Patient monitors are likewise one of the most unsecured IoMT devices because they typically converse utilizing unencrypted protocols, meaning communications can be quickly intercepted and meddled with. Tampering can block the receipt of alerts.

What is important to handling risk is to know how the attack surface is expanding and to perform a thorough risk evaluation to know where the vulnerabilities can be found. Those risks can subsequently be put through a risk management process and be minimized to a low and suitable level.

Patch to Fix Critical OpenSLL Vulnerability Will Be Available on November 1, 2022

There is an alert given to the healthcare and public health industry concerning a critical vulnerability identified in the OpenSSL software library. Most operating systems and apps use OpenSLL, an open-source cryptographic library, for employing Transport Layer Security for safe Web communications, which include linking to websites and web apps.

The OpenSSL project team states the vulnerability impacts OpenSSL versions 3.0 to 3.0.6, however, doesn’t impact LibreSSL or OpenSSL 1.1.1.
There is no disclosure concerning information about the actual nature of the vulnerability yet to control the chance of exploitation. More details regarding the vulnerability are likely to be available together with the patch, which is going to be used in OpenSLL version 3.0.7. Presently, there is no CVE code assigned yet.

Although the OpenSLL project team has announced the vulnerabilities previously, critical vulnerabilities are unusual. A critical vulnerability impacts typical configurations and is most likely to be exploited. In 2014, OpenSLL found a critical vulnerability referred to as Heartbleed, which can be exploited to acquire encryption keys or passwords. The vulnerability made it possible for anybody online to view the memory of systems that utilized unsecured OpenSLL versions. Threat actors quickly exploited the bug to spy on communications, steal information directly from services and end users, and double as services and end users. Since OpenSLL is so greatly utilized, the intensity of this kind of vulnerability is huge. Patching each case where OpenSSL was used can take a long time.

The Health Sector Cybersecurity Coordination Center (HC3) discussed in a cybersecurity warning the likely attempt of threat actors to greatly exploit the vulnerability and states that exploitation could start soon following the release of the patch. Cybercriminal and nation-state threat actors are likely to quickly commence reverse engineering the patch the moment it is introduced to find out the technical information of the vulnerability to enable the creation of an exploit.

HC3 is telling all HPH sector companies to look at this vulnerability as the top priority and make sure the patch is employed quickly. To ensure that happens, it is going to be required to find all cases where OpenSSL is employed. OpenSSL Project team states the patch is going to be available on November 1, 2022 from 13:00 to 1700 UTC.

On November 1, 2022, the OpenSSL Project affirmed that the two vulnerabilities are high-severity instead of critical, however quick patching is still highly recommended to go into remote code execution.

Government Warns Healthcare Providers Concerning Daixin Team Extortion and Ransomware Attacks

Daixin team is a fairly new data extortion and ransomware group. It is active in attacking U.S. healthcare providers. The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) issued a warning regarding the Daixin team.

Daixin Team initially came out in June 2022. The group mainly engaged in data extortion and ransomware attacks targeting companies in the health and public health sector (HPH). Because of its attacks, data were encrypted, electronic health records access were blocked, and provision of healthcare services were disrupted resulting in postposed appointments, diagnostics, and imaging. The #StopRansomware: Daixin Team alert shared the identified tactics, techniques, and procedures that the Daixin team uses, the indicators of Compromise (IoCs) and a number of recommended mitigations to prevent these attacks.

Daixin Team acquires access to medical systems, performs reconnaissance, and identifies and extracts data of interest, which it uses for extortion of money from victims. The group warns the victims not to communicate with ransomware remediation agencies. In case there’s no response within 5 days after the attack, the attacker threatens to expose the stolen information to the public.

It is known that Daixin Team acquire access to the systems of victims by taking advantage of vulnerabilities in VPN servers, usually utilizing compromised VPN information for accounts without an enabled multi-factor authentication. In a number of attacks, the group has acquired VPN information by means of phishing emails having malicious attachments. As soon as access is acquired, they proceed laterally inside networks utilizing Secure Shell (SSH) and Remote Desktop Protocol (RDP), elevate privileges by means of credential disposal and pass the hash, extract information – such as utilizing tools like Rclone and Ngrok – then set up their ransomware payload, that is considered to be dependent on publicly-introduced Babuk Locker ransomware code.

In certain cases, privileged accounts had been used to access the VMware vCenter Server, and reset passwords for ESXi server accounts. Then, SSH had been used to link to the ESXi servers, where the attackers deployed the ransomware.

The FBI, the HHS and CISA have provided the following mitigations to guide healthcare providers to be safe against Daixin Team attacks:

  • Patching immediately and updating software regularly
  • Using phishing-proof multi-factor authentication
  • Protecting or deactivating Remote Desktop Protocol
  • Disabling SSH and network device management interfaces including
  • Winbox, Telnet, and HTTP for wide area networks (WANs)
  • Encrypting passwords
  • Using and implementing multi-layer network segmentation
  • Restricting access to information via public key infrastructure and digital certificates to validate linking to devices
  • Using encryption to protect ePHI at collection points
  • Strict HIPAA Security Rule compliance with regard to ePHI

LifeBridge Health to Pay $9.5 Million to Settle 2016 Data Breach Claims

LifeBridge Health Inc. has decided to negotiate a class action lawsuit to settle claims of patients impacted by a data breach it discovered in 2018. The full value of the settlement deal is $9.475 million, including $800,000 in funding to pay for claims of class members.

In March 2018, LifeBridge Health found a malware infection that allowed unauthorized persons to get access to a server hosting its patient registration, electronic health records, and billing systems. Based on the breach investigation, the preliminary attack happened 18 months earlier in September 2016. LifeBridge Health exposed the breach in May 2018, and the healthcare company confirmed the potential compromise of 582,174 patients’ data. The compromised data included names, birth dates, addresses, diagnoses, prescribed medicines, clinical and treatment data, insurance information, and several Social Security numbers.

The law company Murphy, Falcon & Murphy, filed the legal action – Johnson, et al. v. LifeBridge Health, Inc. in the Circuit Court for Baltimore City, MD, on behalf of patients impacted by the occurrence. The two patients referred to in the lawsuit, Darlene Johnson and Jahima Scott, stated that their identities may have been compromised because of the breach, as the two claimed they were affected by credit card fraud soon after the occurrence of the data breach.

The lawsuit claimed class members were exposed to considerable harm and that their personal data and PHI were in the possession of identity thieves, placing them at an instant and continuing risk of identity theft and fraud. The plaintiffs claimed to have encountered monetary deficits, had financial transactions rejected, encountered problems with their email accounts, bogus accounts were generated under their names, and their identities were employed to submit fake claims for unemployment gains and COVID-19 catastrophe small business funding.

The lawsuit claimed LifeBridge Health was at fault for failing to stick to fundamental security procedures, which violated a number of privacy protection regulations in Maryland, which includes the Maryland Personal Data Protection Act, Maryland Social Security Number Privacy Act, and Maryland Consumer Protection Act.

LifeBridge Health didn’t acknowledge any wrongdoing and didn’t take responsibility for the attack, however, it opted to resolve the lawsuit to keep additional legal expenses minimal and the uncertainness of a court trial. Based on the conditions of the negotiation, LifeBridge Health has consented to produce $800,000 in funding to take care of claims from class members and will spend $7.9 million in extra security measures to avoid other data breaches, such as data encryption, network tracking, security awareness program, resource tracking, and multi-factor authentication. The remaining $775,000 of the overall settlement amount is going to take care of the legal expenses.

Class members are eligible to file claims for compensation of ordinary and incredible deficits, which include around 3 hours of lost time and $20 per hour, and an additional 2 hours if they experienced remarkable losses. Claims for regular losses of around $250 for every class member may be filed to pay for bank charges, credit tracking, credit freeze, communication, and other expenses, and a declaration may be filed for remarkable losses as much as $5,000.

A final approval hearing is set for October 26, 2022. Claims should be published by February 1, 2023.

Vulnerability Identified in BD Totalys MultiProcessor

The Cybersecurity and Infrastructure Security Agency (CISA) has released a medical alert concerning a recently identified vulnerability that impacts the BD Totalys MultiProcessor, which hospitals and laboratories use for testing clinical tissue samples.

The vulnerability is because of using hard-coded credentials, which may enable an attacker to have access to a vulnerable Totalys MultiProcessor to view, change, or erase sensitive information, which includes personally identifiable information (PII) and protected health information (PHI).

An attacker cannot exploit the vulnerability remotely. To be able to exploit the vulnerability, a malicious actor must have physical access to a BD Totalys MultiProcessor or system access. If there are extra security controls, these must be bypassed.

The vulnerability, monitored as CVE-2022-40263, impacts all BD Totalys MultiProcessor versions which include versions before v1.70, and was given a medium CVSS severity score of 6.6 out of 10.

BD discovered the vulnerability and reported it to CISA following its responsible disclosure policy. According to BD, the vulnerability will be fixed in the next v1.71 software launch, which is anticipated to be accessible to end users in Q4 of 2022. For the time being, BD has recommended mitigations to stop vulnerability exploitation.

End users must be sure there are physical access controls set up to restrict access to the BD Totalys MultiProcessor to authorized persons only. In case the device should be linked to a network, industry-standard security guidelines and procedures must be adopted.

During the release of the alert, there were no known cases of vulnerability exploitation or exploits in the wild.

Vulnerability Found in Medtronic MiniMed 600 Series Insulin Pumps

The Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released an alert in regards to a lately uncovered vulnerability that impacts a number of Medtronic insulin pumps. A malicious actor can exploit the vulnerability to change patients’ insulin dosages, causing excessive or inadequate insulin delivery.

The vulnerability impacts the Medtronic NGP 600 Series Insulin Pumps along with their accessory parts listed below:

  • MiniMed 620G: MMT-1710
  • MiniMed 640G: MMT-1711, MMT-1712, MMT-1751, MMT-1752
  • MiniMed 630G: MMT-1715, MMT-1754, MMT-1755
  • MiniMed 670G: MMT-1740, MMT-1741, MMT-1742, MMT-1760, MMT-1762, MMT-1762, MMT-1780, MMT-1781, MMT-1782

The vulnerability is present in the communication program utilized by the pump system to match with other system parts. A threat actor successfully exploiting the vulnerability could slow down or end insulin delivery or bring about an unintentional insulin bolus. A threat actor cannot exploit the vulnerability remotely yet could control it if close to the wireless signal accessibility to the patient and system. The medium severity vulnerability is monitored as CVE-2022-32537 and was given an assigned CVSS severity report of 4.8 out of 10.

Sophisticated technical expertise is necessary to manipulate the vulnerability. The vulnerability could be exploited if the pump is being matched with other system parts, and the attacker should be close to the pump, which restricts the possibilities for exploitation. The FDA states it does not know of any instances of exploiting the vulnerability.

Medtronic has released an immediate medical device correction alert concerning the vulnerability and has advised all end users of the impacted insulin pumps to do something to stop vulnerability exploitation. In their default settings, the vulnerability affects all of the Medtronic NGP 600 Series Insulin Pumps listed above.

To avoid exploitation, Medtronic asks all end users to deactivate the Remote Bolus function on the pump when switched on, and users must not

connect devices in public. End users are encouraged to maintain their pumps and related system parts under their control all the time, to be mindful of pump notices, alarms, and warnings, to remove the USB device from the computer whenever it isn’t being utilized to download pump information, and do not verify remote connection requests or any type of other distant actions except if they are individually started or were started by their care partner.

More details on mitigations are available in Medtronic’s important healthcare device correction notification.

FBI Alerts Healthcare Providers Regarding the Risks of Unpatched and Obsolete Medical Devices

The Federal Bureau of Investigation (FBI) has released a private sector notification regarding the increasing number of vulnerabilities in healthcare devices. In case medical devices aren’t quickly patched and are using outdated software, malicious actors can exploit vulnerabilities and obtain access to sensitive patient information or the systems the medical devices link to. With access to the system, threat actors may carry out attacks that negatively affect the operations of healthcare establishments. Medical devices are usually utilized to support patients with slight to serious health conditions. Attacks on those healthcare devices could result in severe hurt to patients and even cause the loss of life.

The FBI states that vulnerabilities in medical devices mainly originate from device hardware structure and device software administration. If healthcare devices are run in the standard settings, that usually gives threat actors a chance to take advantage of vulnerabilities. Devices with personalized software may be hard to patch, usually needing specialized processes, which could delay updates and vulnerabilities stay unaddressed for much longer, increasing the odds of taking advantage of the vulnerabilities.

Medical devices were created to carry out special functions, however, security was by no means a concern since the devices were not regarded as a security risk. These devices are vulnerable and in case exposed to the Web could give threat actors a fast way to acquire access to the devices, change their features, or utilize them as a springboard to start an attack on a company.

The FBI mentions new research that indicates 53% of network-linked medical devices and other IoT devices employed in hospitals possess identified critical vulnerabilities that were not resolved, with about 33% of healthcare IoT devices getting a critical vulnerability that can impact the technical functionality or operation of healthcare devices. These devices comprise pacemakers, mobile cardiac telemetry, insulin pumps, intrathecal pain pumps, and intracardiac defibrillators.

A study suggests medical devices have typically 6.2 vulnerabilities for each device. Over 40% of medical devices that hit their end-of-life do not get security patches and program updates to fix vulnerabilities, and frequently stay used in spite of the security risks

Unpatched and obsolete medical devices present cyberattack potentials, therefore it is essential that vulnerabilities are dealt with and risk is minimized to a low and acceptable degree. The FBI provides a number of suggestions for enhancing the safety of medical devices:

  • Make sure endpoint protection steps are enforced such as antivirus applications and endpoint detection and response (XDR) solutions.
  • Apply encryption for sensitive information
  • Modify all default passwords and use difficult, unique passwords, and restrict the number of sign-ins for every user
  • Make sure a detailed listing is kept of all devices, which includes the patching status, software program version, and any vendor-created software parts utilized by the devices
  • Create a plan for updating medical and IoT devices before their end-of-life
  • Make certain vulnerabilities are immediately patched on all medical devices
  • Perform scheduled vulnerability tests before adding any new device to the operating program
  • Teach employees to help offset human threats, such as teaching workers how to determine and report risks, the attacks that target staff members like social engineering and phishing attacks, and put banners to emails that come from external sources.

The FBI notification – Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities – and the complete suggestions for mitigating vulnerabilities are available on this page.
.

Information About Risks of IoT in Healthcare and Security Recommendations

The Health Sector Cybersecurity Coordination Center (HC3) has posted a security notification cautioning the healthcare and public health industry regarding the risks related to Internet of Things (IoT) devices as well as suggestions for strengthening IoT devices’ security.

The Internet of Things (IoT) pertains to physical gadgets that have the functionality to swap data or link to other gadgets online. Presently, there are approximately 7 billion gadgets that are linked via IoT. The use of IoT devices is likely to grow to 20 billion devices globally by 2025. These gadgets have sensors that gather data and connect online and consist of a broad range of “smart” appliances like TVs, washing machines, Amazon Echo devices, doorbell cameras, wearable devices, and voice controllers. IoT devices are employed in industrial fields and a lot of medical devices employ IoT. Although there were significant improvements in IoT technology nowadays to make the technology less expensive and readily available, the primary architectural levels have mostly stayed the same and there is increasing concern that the devices can give a quick access point into healthcare systems.

The Threat of Cyberattacks Taking Advantage of Weak IoT Security

There is increasing concern about the safety of IoT and the threat of cyberattacks taking advantage of IoT vulnerabilities. These attacks can be launched as distributed Denial of Service (DDoS) attacks, which send massive traffic to IoT networks to avert communications. Threat actors target IoT devices to include them to botnets for performing massive DDoS attacks on web apps.

Man-in-the-middle attacks may happen, where bad actors bug on legit communications and steal sensitive information or tinker with communications. As with software programs, bad actors may identify vulnerabilities that could be exploited to acquire unauthorized access to the gadgets. In the healthcare sector, IoT medical devices may be accessed, the capabilities of the devices altered to harm patients, or sensitive patient data can be stolen.

Although it is a common security practice to alter all devices’ default passwords, IoT devices usually keep factory configurations, which include default passwords. Therefore, devices become at risk of brute force attacks, which can allow threat actors to access the systems connected to the devices.

When IoT devices aren’t physically secured, they can be meddled with or installed with malware. The software on the devices could be hijacked by forcing updates and doctored software, malware, or malicious drivers will be downloaded.

How to Reduce Threat from IoT Devices in Healthcare

The high percentage of usage of IoT devices in healthcare has increased the attack surface significantly, providing threat actors a bigger selection of devices to attack to obtain access to healthcare systems. In case healthcare companies have a flat system, where IoT devices, standard IT devices, and operational technology (OT) are all on a similar network, getting access to an IoT device can enable a threat actor to move side to side and gain access to all devices linked to the network. This is a big security threat, particularly with the comparably insufficient security on IoT devices.

One important action to take to enhance security is to have network segmentation to lessen the attack surface. Network segmentation requires dividing the network into zones or subnetworks. This can minimize congestion and restrict failures. It also confines lateral movement. Whenever a compromise of an IoT device happens, it cannot be employed for accessing other areas of the network.

HC3 recommended the following actions to reduce the threat from IoT devices:

  • Modify default configurations – Default configurations on routers must be modified together with the privacy and security configurations on every IoT device.
  • Do not use Universal Plug and Play (UPnP) – UPnP can make office equipment susceptible to cyberattacks.
  • Use strong passwords – Default passwords ought to be modified, and a unique, strong password must be employed for every device to minimize the chance of brute force attacks.
  • All software programs and firmware must be updated. The most recent releases offer fixes for active exploits and vulnerabilities.
  • Follow zero trust – Follow the zero trust principle. This means nothing is inherently trustworthy, even when it is inside the network. Restrict access to resources to a few people who need access to carry out their job responsibilities.

HC3 Notification on Increasing Web Application Attacks on Healthcare Providers

The Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) has published data to help healthcare providers be secured from web application attacks.

Recently, web applications are well-accepted in health care and are used on electronic medical record systems, patient portals, booking systems, accessing test data, patient monitoring, inventory management, dental CAD systems, online pharmacies, etc. These applications are utilized using a regular internet browser, however, unlike most websites, the user must authenticate in order to utilize the application.

Financially motivated cyber threat actors and state-sponsored Advanced Persistent Threat (APT) actors perform web application attacks intended for various nefarious activities. More attacks exploit vulnerabilities in web applications. According to the 2022 Verizon Data Breach Investigations Report, web application attacks are presently the major healthcare attack vector.

Web application attacks usually aim for web-facing web servers and usually exploit stolen credentials to access the app or exploit vulnerabilities in the application or root structure. Web application attacks include path traversal, SQL injection (SQLi), cross-site request forgery (CSRF), cross-site scripting (XSS), XML external entity (XXE), and local file inclusion. Attackers, like those utilizing ransomware, could access sensitive data, access applications and systems for surveillance, or perform extortion. The Scripps Health ransomware attack in May 2021 involved a web app attack as the initial attack vector. Because of the attack, the EHR system and patient website were inaccessible for several weeks.

Distributed Denial of Service attacks on web applications could be conducted to deny app access. As per Comcast Business reports, the healthcare sector had the most web app DDoS attacks in 2021, with attacks rising due to the COVID-19 pandemic, supply of vaccines, and launching of schools. DDoS attacks are usually performed as a smokescreen. When IT teams try to resolve the DDoS attack, their distracted focus permits the use of malware on the system. DDoS attacks are also carried out by hacktivists. Boston Children’s Hospital experienced a serious DDoS attack in April 2014 in connection with a child custody issue. Because of the attack, the appointment booking system, fundraising site, and patient portal became inaccessible.

As in all software-based applications, web apps may have vulnerabilities that threat actors can exploit remotely to access the programs, the root system, or databases. When creating web apps, it is vital to follow web app security rules and create applications that function as needed when attacked, and steer clear of accessing resources with potential malicious agents. Safe development measures can help to prevent the inclusion of vulnerabilities. Safety precautions should be employed throughout the whole software development lifecycle to be sure design-level flaws and implementation-level problems are sorted out.

HC3 has recommended the following mitigations to ward off web app attacks and deal with the potential damage:

  • Use of firewalls to block malicious web traffic
  • Secure development testing
  • Automatic vulnerability tracking and security testing
  • CAPTCHA and login restrictions
  • Sign in log
  • Validation of compromised credentials
  • Multifactor authentication

Advisory Concerning the MedusaLocker Ransomware Issued by FinCEN, FBI, and CISA

The Federal Bureau of Investigation (FBI), Department of the Treasury, the Financial Crimes Enforcement Network (FinCEN), and Cybersecurity and Infrastructure Security Agency (CISA) have published a joint cybersecurity alert concerning the MedusaLocker ransomware.

The MedusaLocker threat group is found to run as a ransomware-as-a-service operation and utilizes affiliates to perform the attacks for around 55 – 60% of the ransom payments they bring in. MedusaLocker was earliest discovered in September 2019 and employed for attacking a vast array of targets in America.

Upon gaining access to victims’ networks, a batch file is utilized to implement a PowerShell script that distributes MedusaLocker all over the system. This is realized by modifying the EnableLinkedConnections value in the corrupted machine’s registry, which then permits the infected machine to identify linked hosts and networks through Internet Control Message Protocol (ICMP) and find shared storage using Server Message Block (SMB) Protocol.

MedusaLocker is going to stop the security, accounting, and forensic software program, reboot the machine using safe mode to keep the security application from sensing the ransomware, and then encrypt the data files. All files are encrypted besides those that are vital to the operation of the victims’ products. Typically, the ransomware also erases local backups and shadow copies and deactivates start-up recovery solutions.

Various vectors are utilized to get first access to systems, such as phishing and spam email strategies, with a few campaigns getting the ransomware payload directly connected to emails; nonetheless, definitely, the most typical way of attack is taking advantage of vulnerable Remote Desktop Protocol (RDP) controls.

Indicators of Compromise (IoCs) propagated as well as IP addresses, email addresses, Bitcoin wallet addresses, and TOR addresses are well-known to be employed by the group. Numerous mitigations were advised, the most crucial of which are to firstly remediate identified vulnerabilities, permit and utilize multifactor authentication, and offer training to personnel to guide them to identify and steer clear of attempts of phishing.

HC3 Cautions Healthcare Industry Concerning Increasing Threat from Emotet Malware

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released an alert to the healthcare industry concerning the risk from Emotet malware. Emotet was initially discovered in 2014 and was originally a banking Trojan; nonetheless, the malware is now updated and includes new features. Besides working as a banking Trojan, the malware has a dropper for sending other variants of malware and is provided to other cybercriminal organizations as an infrastructure-as-a-service (IaaS) model. Attackers use Emotet to send a selection of malware variants such as IcedID, Qbot, Trickbot, Azorult, and ransomware payloads like BitPaymer and Ryuk.

As per Europol, Emotet is the most threatening malware variant worldwide infecting one in five companies. Information from Malwarebytes shows that 80% of malware attacks at healthcare companies used Trojans, most commonly Emotet. Europol thinks that Emotet is the most harmful malware used today.

In late 2020, an international law enforcement operation targeted the MUMMY SPIDER threat group, which operates Emotet. Several cybersecurity organizations from Canada, the U.S., and Europe were successful in taking down the Emotet infrastructure in January 2021 and eradicating the disabled malware from affected systems in April 2021.

Although Emotet activity was halted, not long after the MUMMY SPIDER started restoring the botnet. Last November 2021, security experts identified new Emotet activity when the botnet was being rebuilt. As per HC3, the current command-and-control infrastructure of Emotet contains 246 systems (and increasing), and the updated malware has an improved dropper and different loader. The number of attacked devices is increasing at an unbelievable rate.

Emotet malware is mostly transported via email, in most cases through malicious Office attachments or links that go to unsecure websites where the payload is downloaded. Sometimes, Emotet is also delivered through brute force attacks and when exploiting vulnerabilities. According to Proofpoint, the tactics, techniques, and procedures (TTPs) were updated and new means of delivery are being tested, such as emails with links to OneDrive. These new strategies are being tested in small campaigns to check their success and may be used in bigger campaigns. Proofpoint additionally states that the threat group could have altered tactics and may keep on doing more restricted attacks on chosen targets.

Emotet can hijack email threats, self-propagate, and inserts a duplicate of itself into the emails that are mailed to contacts. This means of distribution is very useful, as the emails circulating the malware are from popular and trustworthy sources, which raises the odds of the attachments being viewed. In January, malware was discovered distributing Cobalt Strike onto attacked systems.

The best strategy to block attacks is to employ layered protection. HC3 has given an evaluation of the malware and the TTPs being used for sending the malware in the threat alert. There are also recommended consulting government resources and proposed mitigations.

Attackers Can Exploit Zero Day Microsoft Office Vulnerability with Macros Disabled

Microsoft has published a security notification and has presented a workaround to stop a zero-day vulnerability found in the Microsoft Windows Support Diagnostic Tool (MSDT) from being taken advantage of.

The vulnerability is being tracked as CVE-2022-30190 and has been referred to as Follina by security researchers. As reported by Microsoft, there is a remote code execution vulnerability when MSDT is called utilizing the URL protocol from a calling application like Word.

During the weekend, security researcher nao_sec discovered a Word document that was using remote templates to carry out PowerShell commands on selected systems via the MS-MSDT URL protocol system. In a new blog post, security expert Kevin Beaumont stated that Microsoft Defender does not see the documents as malicious, and detection using antivirus tools is poor because the documents used to exploit the vulnerability do not include any malicious code. Instead, they take advantage of remote templates to obtain an HTML file from a remote server, enabling an attacker to execute malicious PowerShell commands.

The majority of email attacks that utilize attachments for delivering malware require that macros are enabled; nonetheless, the vulnerability may be exploited although macros are disabled. The vulnerability is leveraged when the file attachment is opened. Beaumont additionally revealed that zero-click exploitation can be done whenever an RTF file is utilized, as the vulnerability could be exploited with no need to open the document through Explorer’s preview tab.

Microsoft mentioned when an attacker successfully exploits the vulnerability, malicious code may be implemented with the privileges of the calling program. It would enable an attacker to install programs, view, modify, remove data, or create new accounts in the context permitted by the user’s rights. The vulnerability could be exploited in all Office versions starting 2013, which include the current version of Office 365.

The vulnerability was at first reported to Microsoft in April and the vulnerability was given a high severity CVSS score of 7.8 out of 10 since Microsoft did not take into account the Follina vulnerability to be critical. Microsoft has already given a workaround and instruction 
that requires deactivating the MSDT URL Protocol until eventually, a patch is available. Quick action is needed to avoid the exploitation of the vulnerability. Vulnerabilities that may be taken advantage of using Office are quickly used by threat actors, particularly when they could be exploited with macros deactivated.

Various threat actors are identified to be exploiting the vulnerability, such as the Chinese threat actor TA413, as per Proofpoint. Palo Alto Networks Unit 42 team stated that according to the quantity of publicly available information, the simplicity of use, and the great effectiveness of this exploit, Palo Alto Networks highly proposes sticking to Microsoft’s guidance to safeguard your enterprise until a patch is released to correct the problem.

CISA Includes 75 Vulnerabilities in the Known Exploited Vulnerability Catalog

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) included 75 additional vulnerabilities in the Known Exploited Vulnerability Catalog. This catalog is a listing of vulnerabilities identified in software programs and operating systems that are found to have been taken advantage of in real-world attacks. The catalog currently contains 737 vulnerabilities.

The most recent inclusions were added in three groups: 21 on Tuesday, 20 on Wednesday, and 34 on Thursday. As per the Binding Operational Directive (BOD) 22-01, every Federal Civilian Executive Branch (FCEB) agency must search for the vulnerabilities and make certain to apply the patches or mitigate the vulnerabilities in a period of two weeks.

Almost all the vulnerabilities included in the list last week aren’t new vulnerabilities. In many instances, patches were launched to deal with the vulnerabilities a few years ago and in certain instances, the vulnerabilities were openly revealed 12 years back. A few of the vulnerabilities have an effect on items that have already reached their end-of-life, for instance, Virtual System/Server Administrator (VSA), Adobe Flash Player, InfoSphere BigInsights and Microsoft Silverlight. In case those solutions continue to be installed or used, the products must be removed or disconnected.

The latest vulnerabilities consist of CVE-2022-20821, a Cisco IOS XR open port vulnerability, and CVE-2021-30883, a memory corruption vulnerability identified in several Apple products, and two vulnerabilities found in the Android Kernel: CVE-2021-1048, a use-after-free vulnerability, and CVE-2021-0920, a race condition vulnerability.

The vulnerabilities have an effect on items from these companies: Adobe, Apple, Android, Artifex, Cisco, IBM, Google, Kaseya, Linux, Microsoft, Meta Platforms, Mozilla, QNAP, Oracle, Red Hat, and WebKitGTK.

Although BOD 22-01 is just applicable to FCEB agencies, CISA urges all companies to minimize their exposure to cyberattacks by making sure to remediate the vulnerabilities included in the Known Exploited Vulnerability Catalog in a prompt manner in accordance with their vulnerability management tactics.

CISA Gives Emergency Directive to Fix Vulnerable VMWare Products

The Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive to all federal bureaus, necessitating them to do something to deal with two vulnerabilities in selected VMware products that are potentially quickly taken advantage of in the wild, and two earlier vulnerabilities in VMWare that were unveiled in April which are being taken advantage of by several threat actors, such as the Advanced Persistent Threat (APT) actors.

The most recent vulnerabilities, monitored as CVE-2022-22973 (high severity) and CVE-2022-22972 (critical), and the two vulnerabilities identified in April impact five VMWare products:

  • VMware Workspace ONE Access (Access) Appliance
  • VMware vRealize Automation (vRA)
  • vRealize Suite Lifecycle Manager
  • VMware Identity Manager (vIDM) Appliance
  • VMware Cloud Foundation

CVE-2022-22972 is a vulnerability involving authentication bypass impacting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that has an effect on users of local domains. When a malicious actor gets network access to the UI, the vulnerability may be taken advantage of to acquire admin access with no authentication. The vulnerability was given a CVSS severity rating of 9.8 of 10.

CVE-2022-22973 is a vulnerability involving local privilege escalation in VMware Workspace ONE Access and Identity Manager having a CVSS severity rating of 7.8. When a malicious actor got local access, the vulnerability may be taken advantage of to elevate privileges to root. The two vulnerabilities likewise impact vRealize Suite Lifecycle Manager and VMware Cloud Foundation.

The two vulnerabilities identified to have been taken advantage of in the wild are monitored as CVE 2022-22960 (high severity) and CVE 2022-22954 (critical). CISA states the two vulnerabilities were taken advantage of in real-world attacks, independently and together, by several threat actors.

CVE 2022-22954 is a code injection vulnerability having a CVSS rating of 9.8 that impacts VMware Workspace ONE Access and Identity Manager products. Taking advantage of the vulnerability enables threat actors to activate server-side template injection that could result in remote code execution. CVE 2022-22960 involves an inappropriate privilege management problem having a CVSS rating of 7.8 that impacts VMware Workspace ONE Access, Identity Manager, and vRealize Automation products, and enables threat actors to elevate privileges to root.

In a single attack, a threat actor having system access to the web interface took advantage of CVE 2022-22954 to perform a shell command as a VMWare user, then took advantage of the second vulnerability to elevate privileges to root. Right after taking advantage of the two vulnerabilities, the threat actor can move sideways to other networks, elevate permissions, and erase records. In a different situation, a threat actor used the Dingo-J-spy web shell right after taking advantage of the vulnerabilities. The two April vulnerabilities’ exploits were created by reverse-engineering the patches launched by VMWare. At this time patches were launched to fix the most recent two vulnerabilities, in the same way, quick exploitation of the vulnerabilities in the wild may be needed.

Although the emergency directive is merely applicable to Federal bureaus, all companies that are utilizing vulnerable VMWare products ought to patch right away or carry out the advised mitigations. The due dates for Federal organizations to finish the needed activities are May 23 to 24, 2022.