Category: Cybersecurity News

The County Manager’s Office of Ramsey County, MN sent notifications to 8,700 clients of its Family Health Division about unauthorized persons that potentially accessed some of their personal information because of a ransomware attack on Netgain Technology LLC, one of its vendors.

Netgain Technology LLC located in St. Cloud is Ramsey County’s provider of technology solutions such as an application that the Family Health Division uses for documenting home sessions. Threat actors possibly viewed and downloaded data within the application prior to ransomware deployment. The information in the application included names, birth dates, addresses, dates of service, telephone numbers, account numbers, medical information, medical insurance details, and, the Social Security numbers of selected individuals.

It would seem that the motive behind the ransomware attack was to extort money from Netgain. There was no intention of getting access to personal information; nonetheless, the possibility of unauthorized access or data theft cannot be ruled out.

Ramsey County was advised regarding the ransomware attack on December 2, 2020 and immediately stopped using the services and program of Netgain and followed backup processes. The company had reported the ransomware attack to the respective authorities and implemented measures to fortify security to prevent other attacks.

Ransomware Attack at Crisp Regional Health Services

A January 27, 2020 ransomware attack on Crisp Regional Health Services in Cordele, GA led to the taking down of selected systems by the provider. The ransomware attack affected the hospital’s telephone system. Workers were forced to use radios to facilitate internal communications. Patients and their family members had to use social media to get in touch with each other during the time that the telephone system was unavailable.

Crisp Regional Health Services quickly took steps to secure the information and regulate the attack. Third-party cybersecurity professionals helped investigate the attack and find out the extent of the breach, as well as the likelihood that the attackers accessed or exfiltrated patient data.

Crisp Regional Health Services’ community relations and foundation Director Brooke Marshall mentioned that the attack did not jeopardize workflow, nor compromised patient care.

The investigation is still ongoing and more information will be announced when it is available.

Vaccine Scheduling Application Vulnerability Allowed People to Skip Queue and Get Vaccination Appointments

Michigan-based Beaumont Health experienced a breach last January 30/31 that affected its Epic COVID-19 vaccine scheduling system. An unauthorized person who exploited a vulnerability in the system publicly made known an unauthorized method of making a reservation. 2,700 people were able to book COVID-19 vaccination appointments using this unauthorized method.

Beaumont Health advised Epic concerning the breach on January 31, 2020 and together they dealt with the issue. The vaccination schedules of the 2,700 persons who made unauthorized reservations were canceled. People who fulfilled the eligibility requirements and made legit COVID-19 vaccination appointments were not affected.

Epic further made an announcement that the breach had not allowed any unauthorized person to access patient medical records.

All through 2020, the healthcare sector provided health care to patients battling with COVID-19, at the same time, it had to manage growing numbers of cyberattacks because cybercriminals increased their activities.

Lately, VMware Carbon Black carried out a retrospective evaluation of the status of healthcare cybersecurity in 2020 that showed the degree to which the healthcare sector was attacked by cybercriminals, how attacks succeeded, and what must be done by healthcare companies to avoid cyberattacks this 2021.

VMware Carbon Black examined information from attacks on its healthcare clients in 2020 and discovered 239.4 million cyberattack attempts in 2020, which translates to 816 cyberattack attempts per endpoint on average. That shows an increase of 9,851% from 2019.

With the pandemic, cyberattacks on healthcare companies increased. From January to February 2020, cyberattacks on healthcare clients were 51% higher and continued to go up all through the year, the peak was from September to October when attacks had an 87% month-over-month increase. The big surge in attacks happened in the fall because of greater ransomware activity as the Ryuk ransomware gang particularly increased attacks on the healthcare community.

Attacks were done to get access to healthcare information for identity theft and fraudulence. Stolen information was sold on darknet marketplaces, however, the greatest threat was from ransomware. The effect of ransomware was mainly assisted by affiliates. A lot of ransomware groups offer ransomware-as-a-service (RaaS), so ransomware deployment is easily accessible to many cybercriminals who formerly had no resources to execute the attacks. The huge potential rewards for doing attacks have attracted a lot of people into ransomware distribution. Cybercriminals are additionally hiring insiders that could give them access to networks in exchange for paying big amounts of money or a percentage of ransoms earned.

Double extortion strategies have likewise been broadly used by ransomware gangs to boost the probability of victims paying, so as to avert the publicity of the stolen information instead of just getting the keys to restoring encrypted files. A great deal of the stolen information is being sold on dark websites, particularly stolen protected health information (PHI) and COVID-19 test result information.

In 2020, numerous threat actors had partnered and shared resources and swap strategies, with access to systems being given to other threat groups to perform their own attacks. The venture between threat groups is growing and threat actors are finding new ways to gain access to systems in order to deploy their malicious payloads.

The increasing attacks throughout 2020 would likely not slow down in 2021. Actually, the attacks will likely keep on increasing.

VMWare Carbon Black gave three recommendations for CISOs to make sure that they remain one step in advance of attackers. The majority of AV solutions simply emphasize the delivery step. For greater protection healthcare companies must deploy next-generation antivirus software that safeguards against each stage of ransomware attacks, starting from delivery to distribution to encryption. Endpoint protection software must be selected that could be quickly scaled and deployed to secure new users, at the same time maintain data protection, compliance, and security procedures.

Finally, healthcare CISOs must be proactive and deal with vulnerabilities well prior to exploitation. This means IT tracking applications must be deployed that offer complete visibility into devices that link to the system. This is going to let CISOs to monitor configuration drift and immediately remediate problems and make sure all gadgets are patched and secured.

The National Security Agency (NSA) has published guidance to assist organizations in removing weak encryption protocols that threat actors are presently taking advantage of to decrypt sensitive information.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were designed to have safeguarded channels employing authentication and encryption to make sure the protection of sensitive data between a server and a consumer. The algorithms employed by these protocols to encrypt information have since been made current to enhance the power of encryption, nevertheless obsolete protocol settings remain utilized. Attackers are creating new attacks and actively employing them to take advantage of authentication and weak encryption protocols to decrypt and get access to sensitive data.

The NSA makes clear that many products using obsolete cipher suites, TLS versions, and key exchange methods were updated, however, implementations were not often followed and continued usage of these outdated TLS configurations pose a heightened risk of attack. Usage of obsolete protocols presents a wrong sense of protection, because even though data transmissions are secured, the degree of security given is not enough to avoid decryption of data by nation state actors and other threat actors.

The latest NSA guidance points out how to detect out-of-date TLS and SSL settings, exchange them with the newest, more risk-free versions, and prohibit out-of-date cipher suites, key exchange methods and TLS versions.

The guidance is largely focused on cybersecurity frontrunners in the Department of Defense (DoD), Defense Industrial Base (DIB), and National Security System (NSS), even so, it may be utilized by every network user and operator to be able to better safeguard sensitive data.

The NSA advises replacing SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and just employing TLS 1.2 or TLS 1.3. The guidance provided specific data on the applications, network signatures, and server settings needed to just enable strong encryption protocol settings.

Outdated configurations give attackers access to sensitive operational traffic via various methods, like passive decryption and changing of traffic via man-in-the-middle attacks. To assist system administrators in fixing the components of their network, NSA designed a number of server settings and network signatures to go along with the report that are offered on the NSA Cybersecurity Github.

Upgrading TLS configurations will make certain that government services and business establishments have more powerful encryption and authentication and can better safeguard sensitive data.

The Cybersecurity and Infrastructure Security Agency (CISA) gave a warning regarding the active exploitation of the SolarWinds Orion IT monitoring and management software by sophisticated hackers.

It is believed that the ongoing cyberattack is the work of a very sophisticated nation state hacking group. It’s the same group that created a Trojanized version of the Orion software used for downloading a backdoor known as SUNBURST into customers’ systems.

About 18,000 customers had been affected by the supply chain attack because of having downloaded the Trojanized version of the Orion software as well as the SUNBURST backdoor. Big public and private companies and government institutions are using SolarWinds Orion.

The U.S. military, State Department, the Pentagon, the National Security Agency and NASA are SolarWinds customers. 425 of the 500 biggest publicly traded U.S. companies use SolarWinds  products. There have been attacks on the US Treasury, the Department of Homeland Security, and the US National Telecommunications and Information Administration (NTIA).

The cybersecurity firm FireEye first detected the attacks. The attacks began in spring 2020 with the launching of the malicious versions of the Orion software. The malware is elusive so it’s been so long before a threat is detected. According to FireEye, the malware hides its network traffic in the Orion Improvement Program (OIP) protocol and keeps reconnaissance results in valid plugin configuration files so it could mix in with valid SolarWinds activity. After the installation of the backdoor, the attackers could move sideways and perform data theft.

President and CEO of SolarWinds Kevin Thompson said that the vulnerability is thought to be the work of a nation-state group attacking a very-sophisticated, targeted, and manual supply chain.

The hackers accessed SolarWinds’ software development set up and put in the backdoor code into the library of the SolarWinds Orion Platform software versions 2019.4 HF 5 up to 2020.2.1 HF 1, which were available in March 2020 to June 2020.

CISA’s Emergency Directive ordered all federal civilian bureaus to work quickly to prevent any ongoing attack by removing or disconnecting SolarWinds Orion products, versions 2019.4 up to 2020.2.1 HF1, from their systems. The bureaus likewise prevented the Windows host OS from linking to the enterprise domain.

All SolarWinds clients were instructed to upgrade their Orion software to Orion Platform version 2020.2.1 HF 1. And later use the available second hotfix,  2020.2.1 HF 2  to replace the compromised part and do other extra security improvements.

If immediate upgrade is impossible, SolarWinds provided guidelines for keeping the Orion Platform secure. Organizations must likewise check for any indication of compromise by means of the antivirus engines, where the signatures of the backdoor are added. Microsoft has stated that detection of the backdoor is now possible with all its antivirus products so users should run a full scan.

SolarWinds, FireEye, the FBI, and the intelligence community are working together to watch  the attacks. SolarWinds and Microsoft are also working to take out an attack vector that causes the compromise of Microsoft Office 365 productivity solutions.

It is still uncertain which group is doing the attack; but according to the Washington Post, the Russian nation state hacking group APT29 (Cozy Bear) is responsible for the attack. A Kremlin spokesperson said Russia is not involved with the attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) gave an alert regarding the active exploitation of SolarWinds Orion IT monitoring and management software by sophisticated hackers. It is believed that the group behind the cyberattack is the highly sophisticated, elusive, nation-state hacking group that created a Trojanized version of the Orion software. That software program was used to deploy a backdoor into the systems of customers known as SUNBURST.

The supply chain attack has affected about 18,000 customers, who have downloaded the Trojanized version of SolarWinds Orion as well as the SUNBURST backdoor. Big  public and private companies and government departments use SolarWinds Orion.

Among the users of SolarWinds are the five branches of the U.S. military, the State Department, the Pentagon, the National Security Agency and NASA. There are also about 425 big publicly traded U.S. firms that use its solutions. Organizations that have been under cyberattack include the US National Telecommunications and Information Administration (NTIA), the US Treasury, and Department of Homeland Security. The cybersecurity firm FireEye that first detected the cyberattack was also attacked.

The attacks began with the introduction of the first malicious versions of the Orion software last spring 2020. It is believed that the hackers were present in the breached  networks since then. It took so long to identify the threat because the malware is elusive. According to FireEye, the malware covers up its network traffic as the Orion Improvement Program (OIP) protocol and keeps reconnaissance results within legitimate plugin configuration files enabling it to merge with valid SolarWinds activity. As soon as the backdoor is installed, the attackers move laterally and perform data theft.

The hackers obtained access to the software development environment of SolarWinds and put the backdoor code in the library of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released from March 2020 up to June 2020.

CISA gave an Emergency Directive instructing all federal civilian agencies to block attacks by quickly disconnecting from networks or shutting down SolarWinds Orion software versions 2019.4 through 2020.2.1 HF1. The agencies were also told not to “(re)connect the Windows host OS to the company domain.

All clients need to make prompt upgrades of their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. The second hotfix – 2020.2.1 HF 2 – will be available soon to replace the vulnerable component and apply additional security improvements.

If unable to quickly upgrade, follow the guidelines provided by SolarWinds to protect the Orion Platform. Companies must monitor for indicators of compromise. Microsoft already added the signatures of the backdoor to its antivirus products (other antivirus software too) to enable detection of the backdoor. Running a full scan is highly recommended.

SolarWinds, FireEye, the FBI, and the intelligence community are working together to look into the attacks. SolarWinds and Microsoft are also trying to get rid of an attack vector that results in the breach of targeted Microsoft Office 365 productivity products.

It is still uncertain which group is really behind the attack; but the Washington Post reported that some sources stated the Russian nation-state hacking group APT29 (Cozy Bear) conducted the attack but a spokesperson for the Kremlin denied it.

GBMC HealthCare based in Towson, MD announced a ransomware attack that occurred on December 6, 2020 resulting in the shutdown of its computer systems. The healthcare organization now operates under EHR downtime procedures while it mitigates the attack. GBMC HealthCare had a plan for such a case and had processes set up to make sure that it could continue to provide patient care while minimizing disruption.

GBMC Healthcare continues to provide patients with safe and effective care. Its emergency section did not cease receiving patients; but, certain elective treatments scheduled for December 7 were postponed. GMBC is doing all it can to bring systems back online and recover the encrypted data. The incident is already reported to law enforcement who is looking into the attack. The Egregor ransomware gang has stated it is responsible for the attack.

Golden Gate Regional Center Ransomware Attack Impacts 11,315 Individuals

Golden Gate Regional Center in San Francisco, Marin, and San Mateo counties in California provides services to persons with developmental disabilities. On September 23, 2020, it noticed suspicious activity on its computer networks. The investigation showed that the attacker exfiltrated the protected health information (PHI) of 11,315 people from its systems before deploying the ransomware.

Information stolen in the attack only included names, service codes/descriptions, vendor/service provider names/numbers, GGRC client identification numbers, month or year of service, and cost data associated with the services given. No evidence was found that indicates the misuse of any stolen data. Affected persons received notification by mail in November. Breach victims received free identity theft protection services.

Stolen Data from Dyras Dental Dumped

Dyras Dental based in Lansing, MI has encountered a ransomware attack that used the Egregor ransomware. This attack is not yet verified by the dental service provider. Databreaches.net identified a dump of information stolen in the attack on September 24, 2020. It attempted to contact Dyras Dental, however, there was no response from the provider. Databreaches.net reported the incident to the Department of Health and Human Services’ Office for Civil Rights since it would seem that it was not yet reported and patients did not get any notification letter regarding the theft of their PHI.

As per Databreaches.net, the dumped information contained more than 100 files with data such as insurance billing details, voicemail recordings that contain PHI and employee W-2 statements.

Fairchild Medical Center based in Yreka, CA, began sending notifications to some patients about the potential access of some of their protected health information (PHI) by unauthorized individuals online.

In July 2020, a third-party security company informed Fairchild Medical Center regarding a misconfigured server, which made it accessible over the web. With the help of third-party computer specialists, the medical center learned that unauthorized people may have gotten access to patient information.

The server held medical images with patient names, birth dates, exam identification numbers, patient identification numbers, names of ordering provider, and dates of exam. The misconfiguration happened on December 16, 2015 and was only corrected on July 31, 2020. A third-party security firm verified the security of the server after making necessary changes.

A forensic investigation couldn’t ensure whether unauthorized persons accessed patient data when the server was accessible, but the possibility couldn’t be excluded.

Mismailing Incident Reported by Harvard Pilgrim Health Care

Harvard Pilgrim Health Care is sending a notification to 8,022 persons regarding a software error in its enrollment data management system. The error caused the association of a person’s mailing address with another address connected to the health plan of that person. Because of the error, a number of mailings were misdirected to the address of a subscriber of the individual’s health plan or to a previous address. Harvard Pilgrim Health Care traced back the problem to an error that happened in 2013.

The types of information that may have been breached varied from mailing to mailing and possibly included the name of the member, ID number, birth date, telephone number, provider names, service dates, treatment details, deductibles, charges for services, co-pay amount, and co-insurance data associated to healthcare coverage.

The problem has now been solved and the procedure of system updates has been evaluated and enhanced. Affected people were instructed to verify their Activity Summaries and to submit a report on any dubious entries to Harvard Pilgrim right away.

Indian Health Council Inc Encounters Ransomware Attack

A ransomware attack on Indian Health Council Inc. based in Valley Center, CA occurred in September 2020 resulting in file encryption that possibly impacted patients’ PHI. Indian Health Council knew about the cyberattack on September 22, 2020 and hired independent computer forensic professionals to assist with the investigation.

An evaluation of the files the attacker had access to revealed that some had patient data included like names, dates of birth, health data, and health insurance details and, for certain persons, data about medical conditions, treatment, or diagnosis details.

Following the ransomware attack, Indian Health Council Inc changed passwords and strengthened security to avoid other attacks. It also enforced additional measures or controls like remote access and multi-factor authentication.

All patients affected by the breach already received notification. The breach report filed with the Office for Civil Rights indicates that the attack potentially impacted 5,769 people.

A ransomware attack on US Fertility (USF) on September 14, 2020 impacted parts of its computer networks and included systems where sensitive protected health information (PHI) is located. US Fertility is the biggest network of fertility centers throughout the United States, operating 55 clinics in 10 states. About 50 percent of its clinics are identified to have been impacted by the attack.

US Fertility reacted promptly to the attack and confirmed the encryption of data on several of its servers and workstations linked to its website. Those systems were taken off the internet right away while investigating the attack. Third-party security and computer forensic professionals came in to help investigate the incident and retrieve data on the impacted workstations and servers. According to USF, it was able to fix all impacted devices and had them connected again to the system on September 20, 2020. USF has reported the attack to federal law enforcement and is helping with the continuing investigation.

After the completion of the forensic investigation, USF confirmed that the attackers stole data. On August 12, 2020, the attackers first acquired access to the network and continued to access it possibly until September 14, 2020 when USF discovered the attack. A review of the system to identify all the files the attackers had access to was concluded on November 13.

USF stated that the unidentified threat actors potentially accessed files that contain names, addresses, birth dates, Social Security numbers and
MPI numbers. The types of information compromised differed from one person to another. The majority of patients had not exposed their Social Security numbers.

Although USF confirmed that there was data theft, no report of PHI misuse was received. Nevertheless, USF notified the affected persons to keep an eye on their accounts and submit a report if they suspect any misuse of protected health information.

USF already took the following steps to strengthen security after the ransomware attack:

• strengthened its firewall
• improved tracking of networking activities
• provided additional training to employees regarding computer security
• data safety, and identifying phishing emails

Hendrick Health EHR Downtime As a Result of Ransomware Attack

The IT and EHR systems of Hendrick Health in Texas were taken offline to address the threat of a cyberattack. The ransomware attack on November 9, 2020 affected some Hendrick Health’s clinics and the main campus medical center. The ransomware attack did not impact Hendrick Health’s medical center in the South and Brownwood.

Hendrick Health reported that despite the cyberattack, patient care was not affected. The medical center continued to offer inpatient services; although, a few patients had to be diverted to other campuses to receive medical care. There were also some changes made to the schedule of outpatient services.

Hendrick Health is working round the clock to fix all its systems. In the meantime, medical center staff had to record patient data manually using pen and paper.

PHI of 28,000 Dental Patients Potentially Compromised

The protected health information (PHI) of 23,000 patients of First Impressions Orthodontics is potentially compromised due to a September 28, 2020 ransomware attack.

First Impressions Orthodontics creates data backups regularly and keeps it safe. So patient data may be brought back without having to pay the ransom. Aside from the 23,000 First Impressions Orthodontics patients, the breach also impacted 5,000 Kids First Dentistry & Orthodontics patients
who go to First Impressions Orthodontics to get their x-rays.

The types of data possibly breached included names, addresses, email addresses, phone numbers, Social Security numbers, dental files, dental x-rays, service charge amounts, dental insurance numbers, and payments made for services. Compromised x-ray images contained patients’ names, birth dates, and insurance details.

First Impressions Orthodontics sent notifications to the affected persons to comply with the requirement of the HIPAA breach notification rules. Though no evidence shows that data was accessed, stolen, or misused, as a safety measure, affected patients received complimentary two-years credit monitoring and identity theft protection services.

Before the 2019 Novel Coronavirus pandemic, a lot of companies granted their employees to work from home on some weeks. With COVID-19, the way people work dramatically changed. National lockdowns forced employers to speedily change working tactics and permitted practically all their employees to work from home.

Even when the lockdowns were removed, a lot of employees went on working from home. The new work from home setup is regarded by many people as the new normal now. Remote working has produced a lot of challenges, particularly for cybersecurity because it is more difficult for organizations to stop, identify, and restrict cyberattacks when most of the employees are doing remote work.

Ponemon Institute conducted a new survey on behalf of Keeper Security to examine the cybersecurity obstacles of teleworking and assess how organizations have taken cybersecurity strategies to tackle the threats of teleworking. 2,215 IT and IT security experts participated in the survey.

One of the important discoveries from the survey is a significant reduction in the effectiveness of an organization’s security posture because of remote working. 71% of the participants rated their security defenses as very or highly effective prior to the pandemic. Only 44% rated their defenses as highly effective during the COVID pandemic.

The survey revealed a number of reasons for the observed drop in the effectiveness of those security defenses. When people work on-site, there are physical security measures that prevent equipment and data theft. 47% of survey participants said that employees’ homes lack physical security.

71% of IT experts stated that remote employees were additional risks to the data breach of an organization. 57% stated that remote employees are a primary target for cybercriminals trying to take advantage of vulnerabilities.

Remote employees must use business-critical applications. 59% of the survey participants said that remote access to those apps is higher at this time of the pandemic. Normally, organizations have got 51 business-critical apps and employees remotely access 56% of those apps.

56% of respondents said that the response time to a cyberattack is longer during the pandemic. The problem is 42% of respondents claimed they lack understanding of the proper way to protect against cyberattacks with lots of remote employees.

A big increase in using personal devices is observed because of the pandemic, and BYOD systems have lowered the security posture of organizations. 67% of survey participants stated that during the pandemic, remote employees were utilizing personal devices like mobile phones, which are mostly vulnerable devices.

If intrusion detection systems were effective in an office-based setup, it’s less effective with teleworking. 51% of respondents claimed that their intrusion detection systems stopped an exploit or malware infection during the pandemic. 61% stated they suffered a cyberattack using phishing and social engineering tactics during the pandemic.

In spite of the threat of cyberattacks, 31% of companies said they have no multi-factor authentication in place for remote workers. Just 43% offer security awareness training to deal with the problems of remote working. Just 47% are keeping track of their systems 24/7. Below 50% of respondents safeguard company-owned devices with updated anti-virus, gadget encryption, and firewalls. When these security problems are not dealt with, organizations will be at a far higher risk of encountering a cyberattack that could end up with a costly data breach. The complete details of the survey are on this page.

Vulnerabilities in SpaceCom and Battery Pack SP with Wi-Fi

There were 11 vulnerabilities found in SpaceCom Patient Data Management System (in PC or USB memory stick} and Battery Pack with WiFi. These products are employed to hook up external devices for the purpose of documenting information.

The vulnerabilities were found in SpaceCom, software program Versions U61 and prior versions as well as Battery pack with Wi-Fi, software Versions U61 and prior versions.

An attacker can exploit the vulnerabilities and compromise the safety of SpaceCom devices. With elevated privileges, an attacker can view sensitive data, upload arbitrary data files, and wirelessly execute code. These are the 11 vulnerabilities:

1. CVE-2020-25158 (CVSS score of 7.6) – Mirrored cross-site scripting (XSS) vulnerability permitting injection of arbitrary HTML or web script into different areas.
2. CVE-2020-25150 (CVSS score of 7.6) -Relative path traversal attack vulnerability permitting an attacker having service user privileges to transfer arbitrary files and implement arbitrary codes.
3. CVE-2020-25162 (CVSS score of 7.5) – Path injection vulnerability enabling unauthenticated persons to view sensitive data and elevate privileges.
4. CVE-2020-25156 (CVSS score of 7.2) – Active debug code that allows attackers with cryptographic material to use the device as root.
5. CVE-2020-25160 (CVSS score of 6.8) -Incorrect access controls that permit extraction and modifying the device’s network settings.
6. CVE-2020-25166 (CVSS score of 6.8) -Incorrect validation of the cryptographic signature of software updates, which enables an attacker to create acceptable firmware updates having arbitrary material that may be utilized to tinker with devices.
7. CVE-2020-16238 (CVSS score of 6.7) – Inappropriate privilege management that allows attackers to control line access to the root Linux system, and to escalate privileges as root user.
8. CVE-2020-25152 (CVSS score of 6.5) -Session fixation vulnerability enabling web session hijacking and elevating privileges.
9. CVE-2020-25154 (CVSS score of 5.4) – Open redirect vulnerability enabling rerouting to malicious web pages.
10. CVE-2020-25164 (CVSS score of 5.1) – uses a one-way hash that permits the retrieval of user login information at the administrative interface.
11. CVE-2020-25168 (CVSS score of 3.3) – using hard-coded credentials to permit command-line access to get into the Wi-Fi module of the device.

Braun already launched updates to fix the vulnerabilities. Users need to acquire an update of the Battery Pack SP with Wi-Fi: Version U62 or more recent version and the SpaceCom: Version U62 or more recent version.

Braun additionally advises users not to make the devices directly accessible from the web and to set up a firewall and separate medical devices from the business connections.

The following persons were responsible for identifying the vulnerabilities: Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH; Julian Suleder, Birk Kauer and Nils Emmerich of ERNW Research GmbH.

Vulnerabilities Discovered in B. Braun OnlineSuite

There were three vulnerabilities found in B. Braun OnlineSuite, which is a clinical IT service for making and delivering drug libraries and handling infusion devices and various medical accessories. If an attacker exploits the vulnerability, it’s possible to increase privileges, upload and download arbitrary data files, and execute code wirelessly.

The most critical vulnerabilities with assigned CVSS v3 base scores of 8.4 to 8.6 out of 10 are the following two vulnerabilities:
1. Vulnerability CVE-2020-25174 is a remote code execution vulnerability that permits an attacker with local access to a vulnerable device to execute code like a high privileged user.
2. Vulnerability CVE-2020-25172 is a relative path traversal vulnerability that permits unauthenticated individuals to upload and downloads of files

The third vulnerability, CVE-2020-25170 is an Excel macro vulnerability found in the export feature and is attributable to the improper handling of multiple input fields, and has an assigned CVSS v3 base score of 6.9.

The abovementioned vulnerabilities are present in OnlineSuite AP 3.0 and prior versions. B.Braun has resolved the vulnerabilities in the OnlineSuite Field Service Information AIS06/20 update. Users are therefore urged to get the update without delay.

On September 30, 2020, the SEC (U.S. Securities and Exchange Commission) received the Form 8-K filed by Blackbaud to give more information about the ransomware attack that the company encountered in May 2020. Blackbaud explained that the investigation by the forensic team revealed the possibility that more information was compromised in the attack. The attackers may have viewed the unencrypted fields that were intended for bank account details, usernames, passwords, and Social Security numbers of some clients.

For most of the Blackbaud clients affected by the attack, the data mentioned above were not compromised. The attackers could not read the sensitive information thanks to encryption. Blackbaud mentioned that it had sent notifications to all clients whose sensitive data were potentially exposed and gave them further assistance.

Blackbaud reported in the SEC filing that it had stopped the attackers from completely encrypting some files, but the attackers were able to extract a part of the data from Blackbaud’s cloud before encryption.

Blackbaud previously gave a statement that it gave the attackers their ransom demand so that the stolen data would not be exposed to the public or offered for sale. The attackers confirmed the deletion of the stolen data after receiving the ransom payment. The SEC filing did not state how much Blackbaud paid.

Blackbaud is sure that there was no data posted publicly or further compromised; even so, the risk is typical to paying hackers who stole data and encrypted records. It’s possible that they would not do as they say and kept a copy of the stolen information. Blackbaud is enforcing safety procedures and had engaged a cybersecurity agency to keep an eye on the dark web and the hacking forums for any posting of the stolen data.

On July 16, Blackbaud published notices about the data breach in compliance with the breach notification rules of the HIPAA. Throughout August and September, the number of breaches published on the HHS’ Office for Civil Rights breach portal steadily increased. Approximately 58 US healthcare companies have reported that the breach impacted them and there are more than 3 dozen breaches currently listed on the OCR breach portal.

The worst affected company thus far is Trinity Health. There were 3,320,726 individuals whose protected health information (PHI) was exposed. The PHI of 1,045,270 Inova Health System’s clients and 657,392 Northern Light Health’s clients were likewise affected by the breach. Many other healthcare organizations have stated that the breach affected many of their clients. To date, nearly 10 million individuals were affected.

Blackbaud, the security firms, and the authorities are continually investigating the breach.

Universal Health Services has reported that its 250 hospitals within the United States are in business and trying to get an alleged person to be behind the attack that impacted its systems for 3 weeks. The attack began some time on September 27, 2020. On October 12, UHS has all its systems back online. A notice put up on its website stated the continuation of normal operations in the hospitals after the completion of the back-loading of information.

When systems were not available, physicians had to use pen and paper to be able to keep on offering treatment for patients and, in certain areas, patients had to be taken to substitute facilities to get treatment.

The health system revealed that a malware attack caused the security breach and the power down of its network; nevertheless, a number of insiders went to Reddit to speak up their concerns and said that this was a ransomware attack. Based on the information shared by those insiders, the attack looked like it involved Ryuk ransomware. The Ryuk ransomware gang are well-known to exfiltrate data files prior to deploying the ransomware; but, UHS said that there is no evidence found to show that the attackers accessed, copied or misused employee or patient data.

Sen. Mark Warner, D-VA sent a letter to the UHS Chairman and CEO Alan Miller to obtain responses to some questions regarding the attack and the security measures that were integrated to avoid and reduce the severity of a ransomware or malware attack. In his letter, Sen. Warner mentioned his major concerns regarding the security of the United Health Services’ digital medical data and breakdown of clinical healthcare functions whenever there is a cyber attack.

UHS, as one of the largest hospital operators in the United States, provides patient care to more than 3.5 million individuals each year throughout its 250 hospitals. Considering all the resources of a Fortune 500 organization that gets more than $11 billion in annual income, it is expected that the UHS’s cybersecurity posture is powerful enough to hinder major disruptions to health care treatments.

Sen. Warner asked if UHS had segmented its system to avert the horizontal movement of attackers so that a breach won’t spread to affect all facilities. Sen. Warner additionally inquired whether clinical medical equipment was separated from management systems and networks to make certain that those gadgets won’t be disrupted in the event of a cyberattack.

In light of the posts made by the UHS insiders, Sen. Warner questioned if there was any ransom payment made by UHS to decrypt files, whether any patient information became inaccessible because of the attack, and if the hackers downloaded any medical information from UHS managed facilities.

Sen. Warner is looking for answers to those and other issues concerning the UHS cybersecurity procedures in the next 2 weeks.

Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Legit Work Reason

Mayo Clinic began sending notifications to over 1,600 patients that a former staff accessed some of their protected health information (PHI) with no authorization.

Mayo Clinic announced on August 5, 2020 that a licensed medical professional had viewed the data files of patients even though there was no valid reason. The staff was finishing his/her employment with Mayo Clinic when the provider discovered the privacy breach. The person is not working at Mayo Clinic any longer.

It is not known what is the reason for viewing the healthcare data and Mayo Clinic didn’t reveal the time when the privacy breach happened. Mayo Clinic mentioned that the records access was of restricted length of time and there is no proof found that suggests the employee printed or retained any information.

The potentially exposed data included names, birth dates, demographic data, medical record numbers, medical images, and clinical notes. There was no financial information or Social Security numbers viewed by the staff. Mayo Clinic has filed a report of the unauthorized data access to the FBI and the Rochester Police Department. Investigation of the security breach is now ongoing.

Mayo Clinic stated that the delayed sending of notifications was due to the lengthy investigation into the privacy breach. Affected persons already received notifications, however, the nature of data exposed indicates there’s no action necessary associated with the breach.

Insider Breach at UMMA Community Clinic

The Los Angeles University Muslim Medical Association (UMMA) Community Clinic learned that an ex-employee transmitted a secured file with patients’ PHI to a private email account. UMMA discovered the incident on July 1, 2020, after two days the file was emailed.

UMMA has acquired written affirmation from the ex-employee that the file was properly deleted and UMMA doesn’t know of any other data exposures or misuse.

UMMA has put in place more policies and procedures to avoid the same privacy breaches later on. It is presently obvious how many people have been impacted or the types of protected health information included in the secured document.

Attempted Ransomware Attack at AAA Ambulance Service

AAA Ambulance Service in Mississippi is informing patients regarding an attempted ransomware attack that happened sometime on July 1, 2020. Immediate action was undertaken to stop data encryption. An internal investigation was started to find out the magnitude of the data breach. With the help of third-party computer forensics specialists, AAA Ambulance Service established on August 26, 2020 the potential access or exfiltration of patient data by the attackers before the ransomware deployment.

The types of information likely exposed include patients’ names along with at least one of these data: driver’s license number, Social Security number, birth date, financial account number, diagnosis data, treatment details, patient account number, medication details, medical record number and/or medical insurance details.

There is no evidence found that suggests the misuse of patient data. However, as a safety precaution, impacted persons were offered free credit monitoring services. AAA Ambulance Service is employing more safety measures to avoid the same breaches later on.

After a period of dormancy from February 2020 to July 2020, the Emotet botnet is now back and started spam runs sending the Emotet Trojan. From August 2020, attacks on local and state governments have gone up, compelling the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to give a cybersecurity warning for all industry fields.

The Emotet botnet started again its activity in July by using a huge phishing campaign sending messages along with malicious Word attachments and URLs. From then on, several spam runs were carried out which usually include over 500,000 emails. The Emotet Trojan is a harmful banking Trojan that is utilized as a downloader of other kinds of malware, remarkably the Qbot and TrickBot Trojans. The secondary payloads consequently send other malware payloads, such as Ryuk and Conti ransomware.

One infected device can quickly cause more infections throughout the network. Emotet infections of other devices happen in a worm-like manner, producing numerous copies of itself that are written to shared drives. Emotet likewise brute forces credentials and sends duplicates of itself through email. Emotet could hijack authentic email threads and put in malicious files. Considering that the emails seem like they were delivered by identified contacts in reply to earlier sent emails, there is a greater possibility of the email attachments being clicked to read.

The Trojan is constantly changing employing dynamic link libraries and frequently has new abilities included. The abilities of the Trojan make it hard to get rid of them from systems. The Trojan may be eliminated from infected systems, however, they could easily be reinfected with other infected units on the network.

The Multi-State Information Sharing & Analysis Center (MS-ISAC) and CISA were gathering information on Emotet attacks and loader downloads when botnet activity started again in July. The EINSTEIN Intrusion Detection System of CISA, which safeguards government, civilian executive branch networks, discovered about 16,000 warnings about Emotet activity beginning in July, which include potentially targeted Emoted attacks on state and local governments. Compromises were also documented in Italy, France, Canada, Japan, the Netherlands and New Zealand.

CISA looks at Emotet as among the most widespread continuing threats. The secondary malware payloads of TrickBot and Qbot are likewise considerable threats, like the ransomware payloads they transmit.

The phishing email messages employed to spread the Emotet loader are different and frequently change. COVID-19 related email messages were utilized this year together with numerous baits focused at companies. The email attachments are usually malicious Word files, though password protected zip files were used as well to avert anti-spam and anti-phishing tools. The email messages usually claim that attachments were produced on mobile gadgets and necessitate the user to allow content (and in that way enable macros) to access the files.

To avoid Emotet malware attacks, MS-ISAC and CISA suggest

• implementing cybersecurity guidelines such as
• implementing protocols to prohibit suspicious attachments and email attachments that can’t be checked by AV solutions for instance password-protected documents.
• using Antivirus software program on all units and configuring updates on auto-pilot
• suspicious IPs must be blacklisted
• use DMARC authentication and multi-factor authentication
• companies must stick to the principle of least privilege, by segmenting and isolating networks and turning off file and printer sharing services (when possible)

The complete list of suggested mitigations is given in the CISA advisory.

Company eResearchTechnology based in Philadelphia that is selling software for clinical trials, such as the clinical trials involving Covid-19 vaccines had a ransomware attack on September 20, 2020. The attack affected a number of its clients, which include at least an organization doing Covid-19 vaccine trials. Because of the attack, some clinical trial researchers had to use pen and paper to monitor their patients. Although there was no risk to patient safety, the attack had an impact on the clinical trials and slowed down the progress.

The attack affected IQVIA, the research institution performing AstraZeneca’s Covid-19 vaccine trial. But there is no certainty yet up to what severity the attack impacted its Covid-19 vaccine trial if any. The ransomware attack also affected Bristol Myers Squibb, the company that is leading the efforts to create a rapid test for the coronavirus. The two companies mentioned that the impact was minimal because they had backup copies that could be utilized to recover data files. IQVIA released an announcement that it wasn’t aware of any confidential information associated with the clinical trials being exfiltrated before the ransomware encrypted the files.

After the attack, eResearchTechnology shut down its computer systems. Third-party cybersecurity specialists helped with the breach investigation and data restoration. The Federal Bureau of Investigation (FBI) also received notification about the attack and is investigating it. Selected systems were offline for about two weeks and were only brought back online on October 2, 2020, reported by the New York Times. The company is expecting to bring back the rest of its systems online in the next couple of days.

There is no information regarding which threat group executed the attack, the ransomware variant used, and if the company paid the ransom demand to get the keys for file decryption.

eResearchTechnology’s software program is widely employed in clinical trials. In 2019, about 75% of all clinical trials that ended in drug approvals utilized the software of eResearchTechnology.

The attack was publicized several days after Universal Health Services encountered an alleged ransomware attack that impacted all of its U.S. zones and had to shut down its systems offline and bring patients to substitute healthcare providers. Statistics from Emsisoft indicate that so far healthcare providers in the USA had at least 53 ransomware attacks in 2020. Those attacks affected over 500 hospitals and clinics.

MU Health Care based in Missouri has encountered a phishing attack that resulted in the breach of a number of employee email accounts from May 4 to May 6, 2020. An investigation of the occurrence showed the compromised email accounts comprised patient data such as names, birth dates, account numbers, medical insurance details, driver’s license numbers and Social Security numbers.

MU Health Care has informed all impacted patients and has provided them free credit monitoring services. Thus far, there are no reports obtained that imply the misuse of any patient information.

The exposed email accounts held the protected health information (PHI) of 5,074 individuals.

Data Leaked After the University Hospital SunCrypt Ransomware Attack

University Hospital is a teaching hospital located in Newark, NJ that has suffered a ransomware attack. The attack in September 2020 involves the SunCrypt ransomware. Before deploying the ransomware, the attackers stole about 48,000 records, a few of which were posted on the attacker’s data leak website.

The number of patients affected by the attack is still uncertain at this point. However, the leaked information did consist of some patient records, such as names, Social Security numbers, dates of birth, driver’s license numbers, and some other information.

The attack seems to have began with a phishing email that led to the download of TrickBot Trojan and the. SunCrypt ransomware was downloaded as a secondary payload.

PHI of 4,806 Individuals Possibly Exposed in UCare Minnesota Phishing Attack

The not-for-profit health plan, UCare Minnesota, has encountered a phishing attack impacting the email accounts of a number of employees. A breach investigation was started upon discovery of suspicious network activity last April 2020. On May 4, 2020, UCare Minnesota established that an unauthorized person accessed selected email accounts. The email accounts were quickly secured and had an evaluation to know if the attackers accessed member data.

UCare Minnesota discovered on September 1, 2020 that the information in the email accounts included these personal records and PHI of 4,806 people: names, medical care provider names, diagnosis details, health insurance ID numbers, and dates of birth.

There is no evidence found that identify indicate the exfiltration or misuse of any data by the persons liable for the attack. UCare Minnesota has re-trained the workers regarding phishing attacks and has fortified email security.

Nebraska Medicine Experiences Cyberatack

Nebraska Medicine has reported that it has encountered a cyberattack that stopped accessibility to its computer networks. The cyberattack happened on September 25, 2020 and caused an outage that prompted substantial information technology system failures.

With no access to crucial IT systems, Nebraska Medicine was compelled to delay consultations for patients with elective operations or had other non-emergent medical concerns. Nebraska Medicine released an announcement on September 24 saying normal procedures would continue “in days”. The urgent room had messages and no ER patients were rerouted to elective techniques or had other non-important health concerns facilities.

It is not clear if patient records were viewed or stolen, however Nebraska Medicineconfirmed that no patient records had been deleted or destroyed and that all patient information could be reclaimed from backups.

 

The U.S. Department of Veteran Affairs (VA) has encountered a data breach that affected the personal data of about 46,000 veterans.

Hackers obtained access to a web application that the VA Financial Services Center (FSC) used and tried to reroute payments made to community care providers for the veterans’ health care. The attackers used social engineering tactics and exploited authentication protocols to get access to the application and alter bank account details.

When FSC discovered the breach, the payment processing program was taken offline to stop sending any further payments. It is not clear how many payments had been sent prior to the discovery of the cyberattack. It is also not clear if the attack was discovered just in time to stop the fraudulent transfers. The FSC stated the breached payment processing program will continue to be offline until the comprehensive security review of the Office of Information Technology is done.

The primary reason for the cyberattack seems to be the re-routing of payments; nevertheless, the attackers stole the personally identifiable information and Social Security numbers of approximately 46,000 veterans and may use the information for fraudulent activities.

FSC already notified by mail all veterans who had their information potentially exposed in the attack and offered them free credit monitoring services. The veterans also received instructions on what they need to do to monitor and take action against fraudulent use of their data.

The VA’s financial services system is presently having a big update. There were a number of delays, therefore, the undertaking will probably not be complete until 2030. The FTC just released a request for information in search of cybersecurity audit services. The cybersecurity audit is meant to deal with compliance, technique, and sustainment. The audit contractor needs to present a gap analysis on the cybersecurity solutions, processes and controls that the government must use and give recommendations regarding methods to enhance visibility and incident response time that adhere to VA’s best practices.

Utah Pathology Services reported the unauthorized access to an employee’s email account and the attempt of the person to reroute funds from Utah Pathology. The service provider detected the breach promptly and secured the compromised email account. The attempted fraud did not succeed and did not compromise any patient information.

Third-party IT and forensic experts helped with the investigation to determine the magnitude of the breach. The investigation is not yet over, but the investigators have confirmed that the compromised email account contained the personal and protected health information (PHI) of about 112,000 patients.

It seemed that the attacker’s purpose was to redirect funds to an account controlled by the attacker and not to steal patient information. Nevertheless, it cannot be completely certain there was no data theft. Utah Pathology Services is now notifying the affected individuals about the data breach.

Aside from patient names, the compromised email account contained the following information: Gender, birth date, email address, mailing address, telephone number, medical insurance data, internal record numbers, and diagnostic details associated with  pathology services. The Social Security number of some people were also exposed.

To date, there is no evidence found that suggests the misuse of patient data, however, as a safety precaution, Utah Pathology Services offered the affected persons free membership to Cyberscout’s identity monitoring service for 12 months.

The privacy policies of Utah Pathology Services are under review. Additional required security measures will be put in place to avert other breaches later on.

Ransomware Attack on Valley Health Systems

Valley Health Systems suffered a ransomware attack on or around August 22, 2020. This healthcare provider caters to around 75,000 patients living in southeastern Ohio, southern West Virginia, and eastern Kentucky.
In this manual ransomware attack, the attacker exfiltrated data files prior to the encryption and threatened the healthcare provider to pay the ransom, otherwise the data will be published online. Some of the stolen data was published on a leak site.

Valley Health Systems did not stop providing patients with medical services while restoring its systems. A number of systems are still being restored and will be accessible online. Third-party cybersecurity professionals are helping investigate the incident and fast track recovery.

Databreaches.net shared a statement from VHS which mentioned the unfortunate reality that the threat actor disclosed some stolen information. VHS is doing everything to determine which data is at risk to protect patient data. According to Databreaches.net, the attacker used Sodinikibi (REvil) ransomware.

VHS will take action after the complete forensic review. Affected patients will be notified accordingly. The provider already notified the FBI and is fully cooperating with the investigation of the incident.

The HHS’ Office for Civil Rights has not published the breach yet on its website. Hence, the number of affected individuals is still unclear.

Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000

Anna Zur, 39 years old of Franklin Park, IL was a former employee in a nursing home accused of identity theft. She used the accounts of many nursing home residents for paying her bills.

Zur worked in the business office of a nursing care facility and took advantage of her data access rights and sent the personal and financial information of residents to her personal email account. She was charged with identity theft and using the residents’  accounts for buying products and services and paying her bills.

It took the Palos Heights Police Department a year to investigate cases of identity theft and fraud. After which, a warrant was issued for Zur’s arrest. On August 26, 2020, she was taken into custody. Her charges include felony counts of wire fraud and engaging in  financial crimes enterprise. There were 35 cases of identity theft linked to Zur and she was charged with defrauding people in the amount of $25,000.

Patient Data Theft Due to a Ransomware Attack on Ventura Orthopedics

A manual ransomware attack on the healthcare company Ventura Orthopedics in California resulted in the theft of patient information that was published on the internet. Databreaches.net discovered the stolen data while investigating a new data leak site built by Conti-Ryuk ransomware operators. The stolen data was also discovered on a leak site run by the Maze ransomware operators.
The published information included the following patient information: names, birth dates, prescribed medicines, and laboratory test results. About 1,800 files were exposed online.

Ventura Orthopedics did not make any announcement about the ransomware attack as of this writing and the HHS’ Office for Civil Rights breach website has no published information yet. Hence, the number of affected persons is still uncertain at this time.

Magellan Health Ransomware Attack Impacted Comanche County Hospital Authority

Comanche County Hospital reported the compromise of the protected health information (PHI) of 1,112 persons due to a ransomware attack on Magellan Health, its pharmacy benefits vendor, last April 2020.

According to Magellan Health’s investigation, only some benefit plan members’ health data was compromised, which included names, addresses, medical insurance account details, payment, and treatment data. The Social Security numbers or financial data of plan members were not compromised.