HC3 Sector Alert / en Tue, 29 Apr 2025 03:13:24 -0500 Mon, 10 Jan 22 14:52:16 -0600 HC3: Monthly Cybersecurity Vulnerability Bulletin TLP White: December News of Interest to the Health Sector /hc3-sector-alert/2022-01-10-hc3-monthly-cybersecurity-vulnerability-bulletin-december-news-interest <div class="container row"> <div class="row"> <div class="col-md-8"> <p>Monthly Cybersecurity Vulnerability Bulletin highlighting news of interest to the health care sector. View the detailed report below. </p> </div> <div class="col-md-4"> <div> <p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p> <h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3> <h4>National Advisor for Cybersecurity and Risk, AHA</h4> <h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4> <h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div> </div> </div> </div> </div> Mon, 10 Jan 2022 14:52:16 -0600 HC3 Sector Alert HC3 TLP White Alert: Hillrom Welch Allyn Cardiology Products Vulnerability (CVE-2021-43935) December 13, 2021 /hc3-sector-alert/2021-12-13-hc3-tlp-white-alert-hillrom-welch-allyn-cardiology-products <div class="container row"> <div class="row"> <div class="col-md-8"> <h3 class="Default"><span><span><span>Executive Summary </span></span></span></h3> <p class="Default"><span><span><span><span><span>On December 9, 2021, the Cybersecurity and 
Infrastructure Security Agency (CISA) released an Industrial Control Systems Medical Advisory (ICSMA) detailing a vulnerability in multiple Hillrom Welch Allyn cardiology products. An attacker could exploit this vulnerability to take control of an affected system. </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>CISA encourages technicians and administrators to review the advisory for more information and recommended mitigations. </span></span></span></span></span></p> <h3 class="Default"><span><span><span>Report </span></span></span></h3> <p class="Default"><span><span><span><span><span>ICS Medical Advisory (ICSMA-21-343-01) Hillrom Welch Allyn Cardio Products </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span><span>https://www.cisa.gov/uscert/ics/advisories/icsma-21-343-01 </span></span></span></span></span></span></p> <h3 class="Default"><span><span><span>Impact to HPH Sector</span></span></span></h3> <p class="Default"><span><span><span><span><span>This high-severity vulnerability (CVSS v3 base score of 8.1) impacts organizations in the healthcare and public health (HPH) sector worldwide. The remotely exploitable vulnerability could enable an attacker to access privileged accounts without a password and seize control of the devices. 
</span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>The following Hillrom cardiology products, when configured to use SSO, are affected: </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>- Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1 </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>- Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1 </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>- Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0 </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>- Welch Allyn Vision Express: Versions 6.1.0 through 6.4.0 </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>- Welch Allyn H-Scribe Holter Analysis System: Versions 5.01 through 6.4.0 </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>- Welch Allyn R-Scribe Resting ECG System: Versions 5.01 through 7.0.0 </span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>- Welch Allyn Connex Cardio: Versions 1.0.0 through 1.1.1 </span></span></span></span></span></p> <h3 class="Default"><span><span><span>References </span></span></span></h3> <p class="Default"><span><span><span><span><span>High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products </span></span></span></span></span><span><span><span><span><span><span>https://www.hipaajournal.com/high-severity-authentication-bug-identified-in-hillrom-welch-allyn-cardio-products/ </span></span></span></span></span></span></p> <p class="Default"><span><span><span><span><span>Zero-day vulnerability in Hillrom cardiology devices could allow attackers full control 
</span></span></span></span></span><span><span><span><span><span><span>https://portswigger.net/daily-swig/zero-day-vulnerability-in-hillrom-cardiology-devices-could-allow-attackers-full-control </span></span></span></span></span></span></p> <h3 class="Default"><span><span><span>Contact Information </span></span></span></h3> <p><span><span><span><span><span><span>If you have any additional questions, please contact us at <span>HC3@hhs.gov</span>.</span></span></span></span></span></span></p> <p><span><span><span><span><span><span>View detailed report below. </span></span></span></span></span></span></p> </div> </div> </div> Mon, 13 Dec 2021 11:44:15 -0600 HC3 Sector Alert HC3 TLP White Sector Alert: Chinese Cyberespionage Campaign Targets Multiple Industries - November 12, 2021 /hc3-sector-alert/2021-11-12-hc3-tlp-white-sector-alert-chinese-cyberespionage-campaign-targets <h2>Executive Summary</h2> <p>Multiple cybersecurity organizations recently shared information regarding a suspected Chinese cyberespionage 
campaign targeting organizations in multiple industries, including healthcare, by exploiting a critical vulnerability in a common password management product. This activity began as early as September 17, 2021, and there are patches, mitigations, and workarounds available to detect and mitigate this threat.</p> <h3>Report</h3> <p>On November 7, 2021, researchers at Palo Alto Networks Unit 42 shared details of a targeted attack campaign beginning around September 17, 2021, with scans against vulnerable Zoho ManageEngine ADSelfService Plus servers. After gaining initial access, the attackers attempt to deliver multiple malware families, including Godzilla webshells, NGLite trojan, and the KdcSponge information stealer. ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. The researchers stated that the campaign has already resulted in the compromise of at least nine organizations worldwide from critical sectors including healthcare. Initial attribution analysis conducted by Unit 42 indicated that APT27 was behind this cyber espionage campaign which exploits a critical vulnerability (CVE-2021-40539) in ManageEngine. The researchers believe that the group targeted at least 370 Zoho ManageEngine servers in the United States alone and there are over 11,000 internet-exposed servers running the vulnerable Zoho software.</p> <p>APT27 is a Chinese threat group that is also known by various private cybersecurity industry partners as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse. APT27 engages in cyber operations where the goal is intellectual property theft, usually focusing on the data that make a particular organization competitive within its field. 
APT27 threat actors are not known for using original zero-day exploits, but they may leverage those exploits once they have been made public, as in this case, with exploitation attempts beginning about 10 days later.</p> <p>The next day, on November 8, 2021, the Microsoft Threat Intelligence Center (MSTIC) shared additional information related to this threat activity, attributing the campaign with high confidence to DEV-0322, the temporary designation for a threat group operating out of China, based on observed infrastructure, victimology, tactics, and procedures. MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network. View the entire report below. </p> Fri, 12 Nov 2021 17:11:45 -0600 HC3 Sector Alert HC3 TLP White Alert: Forescout Nucleus TCP/IP Stack Vulnerability Amplify Alert November 12, 2021 /hc3-sector-alert/2021-11-12-hc3-tlp-white-alert-forescout-nucleus-tcpip-stack-vulnerability-amplify <h2>Executive Summary</h2> <div class="container row"> <div class="row"> <div class="col-md-8"> <p>Cybersecurity researchers at Forescout have identified 13 vulnerabilities that impact millions of Internet-connected hospital devices. Several of these vulnerabilities have been categorized as high or critical. The research includes associated patches. 
HC3 recommends healthcare organizations analyze their infrastructure for vulnerable devices and apply patches in a timely manner.</p> <h3>Report</h3> <p>New Critical Vulnerabilities Found on Nucleus TCP/IP Stack<br /> <a href="https://www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/" target="_blank">https://www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/</a></p> <h3>Impact to HPH Sector</h3> <p>These 13 newly disclosed vulnerabilities in Nucleus Net TCP/IP stacks, dubbed Nucleus:13, could allow attackers to launch denial-of-service (DoS) attacks to disrupt medical equipment and patient monitors. Some of them allow for information leakage (both patient and technical data related to the operations of the vulnerable device) as well as remote code execution, which would allow an attacker to potentially take control of a compromised device. View the entire report below. </p> </div> </div> </div> Fri, 12 Nov 2021 16:54:37 -0600 HC3 Sector Alert HHS 
OCIO HC3 Nov 4 Cybersecurity Threat Briefing – Cobalt Strike vs the Health Sector - October 27, 2021 /hc3-sector-alert/2021-10-27-hhs-ocio-hc3-nov-4-cybersecurity-threat-briefing-cobalt-strike-vs <div class="container row"> <div class="row"> <div class="col-md-8"> <p class="MsoPlainText"><span><span>Greetings,</span></span></p> <p class="MsoPlainText"><span><span>The U.S. Department of Health and Human Services’ (HHS) Office of the Chief Information Officer (OCIO) Health Sector Cybersecurity Coordination Center (HC3) invites you to join us for the first of our bi-monthly cybersecurity threat briefings in November. The topic will be "Cobalt Strike vs the Health Sector".  This initiative will provide actionable information on health sector cybersecurity threats and mitigations. HC3 analysts will present relevant cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics. </span></span></p> <p class="MsoPlainText"><span><span>Follow the link below to quickly and easily register for the briefing.</span></span></p> <p class="MsoPlainText"><span><span> Briefing Topic: “Cobalt Strike vs the Health Sector”</span></span></p> <p class="MsoPlainText"><span><span> Time: 1PM Eastern Time</span></span></p> <p class="MsoPlainText"><span><span> Briefing Logistics:</span></span></p> <p class="MsoPlainText"><span><span>Briefings will be conducted via WebEx teleconference (see link below). 
Each briefing may last approximately 30-40 minutes depending on the topic, with time reserved for questions and discussion.</span></span></p> <p class="MsoPlainText"><span><span> Briefing Format</span></span></p> <ul> <li class="MsoPlainText"><span><span>Upon entry into the WebEx, a short questionnaire and other information will be shared (this will be displayed five minutes prior to the briefing start time)</span></span></li> <li class="MsoPlainText"><span><span>To ensure a smooth presentation, participant phone lines will be muted upon entering the meeting</span></span></li> <li class="MsoPlainText"><span><span>Questions from attendees will be held until the end of the briefing.</span></span></li> </ul> <p class="MsoPlainText"><span><span>Questions: For more information regarding the monthly briefings, or for general questions, please email HC3@hhs.gov.</span></span></p> <p class="MsoPlainText"><span><span>Webinar Information:</span></span></p> <p class="MsoPlainText"><span><span>Event address for attendees: <a href="https://hhs.webex.com/hhs/onstage/g.php?MTID=eaa3900113729b6eefba1fe1eec05539f">https://hhs.webex.com/hhs/onstage/g.php?MTID=eaa3900113729b6eefba1fe1eec05539f</a></span></span></p> <p class="MsoPlainText"><span><span>Audio Connection: </span></span></p> <p class="MsoPlainText"><span><span>To receive a call back, provide your phone number when you join the event, or call the number below and enter the access code.</span></span></p> <p class="MsoPlainText"><span><span>US Toll</span></span></p> <p class="MsoPlainText"><span><span>+1-415-527-5035</span></span></p> <p class="MsoPlainText"><span><span>Regards, </span></span></p> <p class="MsoPlainText"><span><span>The HHS OCIO HC3 Team</span></span></p> </div> </div> </div> Wed, 27 Oct 2021 15:46:32 -0500 HC3 Sector Alert HC3 TLP White: Healthcare Cybersecurity Bulletin - October 26, 2021 /hc3-sector-alert/2021-10-26-hc3-tlp-white-healthcare-cybersecurity-bulletin-october-26-2021 <div class="container row"> <div class="row"> <div class="col-md-8"> <h3>Executive Summary</h3> <p>In the third quarter of 2021, HC3 observed a continuation of ongoing trends with regard to cyber threats to the healthcare and public health community. Ransomware attacks were as prevalent as ever, and ransomware operators continued to evolve their techniques for increasing extortion pressure and maximizing their payday. This was reflected in a number of industry reports included in this bulletin, as well as in internal HC3 data. Data breaches continued to plague healthcare, often combined with ransomware attacks. Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open. 
View the entire report below.</p> </div> </div> </div> Tue, 26 Oct 2021 14:55:31 -0500 HC3 Sector Alert HHS OCIO HC3 TLP White Threat Briefing – Hive Ransomware – October 21, 2021 /hc3-sector-alert/2021-10-21-hhs-ocio-hc3-tlp-white-threat-briefing-hive-ransomware-october-21-2021 <div class="container row"> <div class="row"> <div class="col-md-8"> <h3>Agenda</h3> <ul> <li>Hive Ransomware Overview</li> <li>Legitimate Applications and Closed Source Code</li> <li>Hive Ransomware Attacks</li> <li>Hive Ransomware Activity Targeting the U.S. HPH</li> <li>Hive Tactics, Techniques, and Procedures (TTPs)</li> <li>Mitigations</li> </ul> <h3>Overview</h3> <ul> <li>First observed in June 2021</li> <li>According to the Federal Bureau of Investigation (FBI), it “likely operates as an affiliate-based ransomware”</li> <li>Double extortion ransomware</li> <li>Human-operated attacks</li> <li>Uses legitimate commercial applications</li> <li>Utilizes its own closed-source ransomware (compiled for both 32-bit and 64-bit machines)</li> <li>Possible Russian-speaking actors</li> </ul> <p>View the entire report below. </p> </div> </div> </div> Thu, 21 Oct 2021 09:34:28 -0500 HC3 Sector Alert TLP White HC3: Alert Joint CISA/NSA/FBI BlackMatter Ransomware Amplify Alert October 19, 2021 /hc3-sector-alert/2021-10-19-tlp-white-hc3-alert-joint-cisansafbi-blackmatter-ransomware-amplify <div class="container row"> <div class="row"> <div class="col-md-8"> <p><strong>Executive Summary</strong></p> <p>The Cybersecurity & Infrastructure Security Agency (part of the Department of Homeland Security) along 
with the National Security Agency and Federal Bureau of Investigation released a joint alert on BlackMatter ransomware. The alert acknowledged that the BlackMatter group is likely a rebranding of the DarkSide group, which, among other attacks, is known for the ransomware attack that temporarily shut down the Colonial Pipeline in May of 2021. The alert provides technical details, including indicators of compromise, as well as mitigation and defensive recommendations.</p> <p><strong>Report</strong></p> <p>Alert (AA21-291A) BlackMatter Ransomware<br /> <a href="https://us-cert.cisa.gov/ncas/alerts/aa21-291a" target="_blank">https://us-cert.cisa.gov/ncas/alerts/aa21-291a</a></p> <p><strong>Impact to HPH Sector</strong></p> <p>BlackMatter, like all ransomware operators, poses a significant threat to the healthcare and public health (HPH) sectors. Healthcare provides an enticing target both for extorting ransom payments and for stealing and selling protected health information (PHI) on the dark web. 
HC3 recommends health sector organizations take into consideration BlackMatter, as well as other ransomware threats, as they implement and maintain their risk management plans.</p> <p><strong>References</strong></p> <p>FBI, CISA, NSA shares defense tips for BlackMatter ransomware attacks<br /> <a href="https://www.bleepingcomputer.com/news/security/fbi-cisa-nsa-shares-defense-tips-for-blackmatter-ransomware-attacks/" target="_blank">https://www.bleepingcomputer.com/news/security/fbi-cisa-nsa-shares-defense-tips-for-blackmatter-ransomware-attacks/</a></p> <p>CISA, FBI, and NSA warn of BlackMatter attacks on agriculture and other critical infrastructure<br /> <a href="https://therecord.media/cisa-fbi-and-nsa-warn-of-blackmatter-attacks-on-agriculture-and-other-critical-infrastructure/" target="_blank">https://therecord.media/cisa-fbi-and-nsa-warn-of-blackmatter-attacks-on-agriculture-and-other-critical-infrastructure/</a></p> <p>NSA, FBI, CISA Issue Advisory on 'BlackMatter' Ransomware<br /> <a href="https://www.darkreading.com/threat-intelligence/feds-issue-advisory-on-blackmatter-ransomware" target="_blank">https://www.darkreading.com/threat-intelligence/feds-issue-advisory-on-blackmatter-ransomware</a></p> <p>A joint advisory officially associates the notorious ransomware-as-a-service group with the Colonial Pipeline attack.<br /> <a href="https://www.nextgov.com/cybersecurity/2021/10/feds-urge-action-against-blackmatter-ransomware-based-third-party-tip/186189/" target="_blank">https://www.nextgov.com/cybersecurity/2021/10/feds-urge-action-against-blackmatter-ransomware-based-third-party-tip/186189/</a></p> <p><strong>Contact Information</strong><br /> If you have any additional questions, please contact us at <a href="mailto:HC3@hhs.gov">HC3@hhs.gov</a>.</p> </div> </div> </div> Tue, 19 Oct 2021 11:12:18 -0500 HC3 Sector Alert TLP White HC3: Monthly Cybersecurity Vulnerability Bulletin: News of Interest to the Health Sector October 15, 2021 /hc3-sector-alert/2021-10-15-tlp-white-hc3-monthly-cybersecurity-vulnerability-bulletin-news <div class="container row"> <div class="row"> <div class="col-md-8"> <p><strong>BrakTooth</strong> - The <a href="https://isc.sans.edu/diary/BrakTooth%3A+Impacts%2C+Implications+and+Next+Steps/27802">BrakTooth</a> vulnerabilities were first made public on August 31, 2021, after being discovered by the ASSET Research Group. This new family of security vulnerabilities, found in commercial Bluetooth Classic (BR/EDR) stacks for various System-on-Chips (SoCs), affects millions of Bluetooth-enabled devices. BrakTooth vulnerabilities pose a threat to the Healthcare and Public Health (HPH) sector because the risk associated with this set of security flaws ranges from denial-of-service (DoS) by crashing the device firmware, or a deadlock condition in which Bluetooth communication is no longer possible, to arbitrary code execution. 
It is recommended that Healthcare Delivery Organizations (HDOs), healthcare professionals and manufacturers reach out to their ISAC/ISAOs for assistance with responding.</p> <p><strong>Conti Ransomware</strong> - Conti is a ransomware group that has aggressively targeted the healthcare industry, major corporations, and government agencies, particularly those in North America, since it was first observed in 2019. During this type of cyber-attack, the threat actor steals sensitive data from compromised networks, encrypts the targeted organizations’ servers and workstations, and threatens to publish the stolen data unless the target pays a ransom. According to the Joint Cybersecurity Advisory from CISA and the FBI, the agencies have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations, at least 16 of which have targeted US healthcare and related organizations. To secure systems against Conti ransomware, CISA, the NSA and the FBI recommend implementing the mitigations in the <a href="https://us-cert.cisa.gov/sites/default/files/publications/AA21-265A-Conti_Ransomware_TLP_WHITE.pdf">advisory</a>.</p> <p><strong>Hardening Remote Access VPN</strong> - The NSA and CISA issued a joint information sheet providing guidance on hardening Virtual Private Network (VPN) services, because remote access VPN servers are entry points into protected networks and have become targets for malicious actors. The healthcare industry uses VPN technologies for telehealth, telemedicine, patient access to records and appointments, as well as a variety of other applications. 
The NSA and CISA advise selecting standards-based VPNs from reputable vendors with a proven track record of quickly remediating vulnerabilities, and following best practices with regard to using strong authentication credentials.</p> <p>Compromise can lead to the disruption of healthcare operations and the leaking of sensitive information, including research-related intellectual property as well as protected employee and patient information, resulting in a leak of protected health information (PHI) and a potential HIPAA violation. HC3 recommends that healthcare organizations review the NSA/CISA <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/">joint information sheet</a> and take appropriate actions in accordance with their risk management strategy.</p> <p><strong>Medusa TangleBot </strong>– Medusa (also known as TangleBot) is malware that spreads via SMS and targets Android mobile users: COVID-19-related SMS messages carry a malicious link that tricks victims into installing <a href="https://www.cloudmark.com/en/blog/mobile/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" target="_blank">Medusa/TangleBot</a> onto their devices, after which it collects data and installs additional malware. Once the malware infects a device, it can use a multitude of data gathering capabilities, including accessing the victim’s internet, call logs, and GPS, and using the victim’s device to spread malware throughout the mobile network. This is concerning if a healthcare worker’s mobile work device is compromised, because once the malware is installed onto a device it can be difficult to detect and remove. Currently, warning messages from Android appear to be the best option available to protect mobile devices from infection. 
HC3 recommends ensuring that enterprise Android device users are made aware of this threat and that users only click links and download applications (apps) from reputable sources.</p> <p><strong>New Azure AD Brute Force</strong> - A newly discovered bug in <a href="https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/" target="_blank">Microsoft Azure's Active Directory</a> implementation enables single-factor brute-forcing of an Active Directory instance without authentication. Currently there is no available patch for this vulnerability. This vulnerability is expected to impact the health sector because Microsoft Active Directory technology is ubiquitous and, as such, heavily utilized. The nature of this vulnerability allows for compromise with minimal possibility of detection, and the lack of a patch makes it further challenging, leaving administrators and network defenders with minimal visibility into an attacker's actions. HC3 recommends healthcare organizations take mitigation actions in accordance with their unique risk posture and continue to monitor for patches or further recommendations.</p> <p>View the entire report below. 
</p> </div> </div> </div> Fri, 15 Oct 2021 13:24:04 -0500 HC3 Sector Alert HC3 TLP White Analyst Note Health Sector Ransomware Trends for Third Quarter October 13, 2021 /hc3-sector-alert/2021-10-13-hc3-tlp-white-analyst-note-health-sector-ransomware-trends-third <h2>Executive Summary</h2> <div class="container row"> <div class="row"> <div class="col-md-8"> <p>Ransomware remains a major threat to the health sector worldwide, with many healthcare organizations operating legacy technology with limited security resources. Health or medical clinics continue to be the sub-industry most frequently affected by ransomware, followed by healthcare industry services and hospitals. The HC3 CTI team assesses that these trends are likely to continue through 2021.</p> <h2>Report</h2> <p>The HC3 conducted a review of ransomware activity tracked for the third quarter (Q3) of 2021 (July 1 to September 30) and derived a few insights. The team was able to identify ten major ransomware groups affecting healthcare organizations, as well as the sub-industries within the healthcare sector impacted most by ransomware for Q3 2021. 
It is important to note that this data is based on a sample of ransomware incidents derived from a variety of sources (including media reports, ransomware blog leak sites, and information shared by federal partners) and that the findings may not encompass all ransomware incidents affecting healthcare entities, as many go unreported.</p> <p>In total, 68 ransomware incidents impacting healthcare organizations worldwide occurred during Q3. HC3 found that about 63% of these ransomware incidents impacted the U.S. health sector, while 37% impacted healthcare organizations outside the United States. The top countries impacted by these ransomware incidents in the health sector outside the U.S. included France, Brazil, Thailand, Australia, and Italy. In the United States, the states experiencing the most ransomware incidents included California, Florida, Illinois, Michigan, Texas, Arizona, Indiana, Maryland, New York, and Georgia. It is important to note that some states may experience more incidents due to their size and population. View the entire report below. </p> </div> </div> </div> Wed, 13 Oct 2021 15:45:29 -0500 HC3 Sector Alert