Cyberattacks Target Two Chicago Hospitals; Synergia: Interpol Operation Takes on Cybercrime; AnyDesk Forces Passwords Resets After Data Leak

Lurie Children’s doesn’t currently have an ETA for service restoration. They have implemented contingency plans to provide maximum service to patients, having set up a call center to handle questions and arrange services. Getting a call center to handle customers online quickly should be a priority activity in your BC/DR process, make sure you've got that process nailed down, don't assume any existing phone service will be operating. Keep in mind that despite guidelines from ransomware operators to not target hospitals, ransomware gangs are ignoring those and targeting healthcare organizations, the takeaway being to not depend on usage restrictions from attack service providers to stop the gangs from attacking anyway.

Lee Neely

With the decade old shift to electronic health records and interconnected systems, hospitals administrators now must prioritize cybersecurity. If not, they will continue to be targeted by cybercriminals and separately, held accountable for the data loss. In upcoming budgets, HHS likely will offer financial assistance to smaller hospitals that implement cybersecurity performance goals.

Curtis Dukes

High risk public network facing applications like phone and email should be isolated from mission critical systems like healthcare records.

William Hugh Murray

The operation ran from September through November, which is pretty quick for this broad of a takedown and shows what can be done with broad cooperation. The international cooperation included 60 law enforcement agencies as well as Interpol's gateway partner private sector groups such as Kaspersky, TrendMicro, Shadowserver, Team Cymru and Singapore-based Group-IB. The 30% of servers that weren't taken offline are still under active investigation for their involvement in cybercrime operations. The dismantled infrastructure was used for phishing, banking malware and ransomware attacks.

Lee Neely

Well done to all involved in this operation. Cyber criminals need to realise that the days of operating at low risk on the Internet are no longer around. As this operation demonstrates, law enforcement agencies are becoming more and more proficient and detecting, disrupting, and detaining criminals.

Brian Honan

It will always be a ‘cat-n-mouse’ game between law enforcement and cybercriminals. Expect cybercriminals to modify their TTPs because of the joint law enforcement action. Thankfully, law enforcement is being supported by members of the tech sector to better the odds of success.

Curtis Dukes

Cyber criminals continue to believe that cybercrime has a low risk of investigation, identification, and punishment. It may take many efforts like this over time to change this belief.

William Hugh Murray

AnyDesk could have provided some additional details in their notification. For example, lists of certificates compromised. Attackers may use these certificates later to sign malware. AnyDesk has also failed to provide additional details about which weaknesses the attacker exploited. This is always useful for others to learn. Maybe they will follow up with a better postmortem after their investigation concludes.

Johannes Ullrich

If your cybersecurity program is mature, it may be time to include lost certificates in your threat model. Include signed, malicious code in your offensive operations engagements.

Christopher Elgee

AnyDesk released their statement about this breach on Friday night (European time)/Friday afternoon US time. Communicating to your clients that you have suffered a security breach on a Friday afternoon/evening does not align with the phrase "The integrity and trust in our products is of paramount importance to us and we are taking this situation very seriously" I often say, "you won't be judged for being the victim of a cyber attack, but you will be judged on how you respond to it."

Brian Honan

AnyDesk is a popular target for threat actors as it provides remote control, VPN and file transfer capabilities, often leveraged in the fake Microsoft Support scam which offers to "clean" malware or other bugs off your system, even if you're on macOS. All users of my.anydesk.com need to change their passwords. Both the AnyDesk client and the portal support 2FA via TOTP, while you're rotating your portal password, make sure that you've enabled and configured 2FA. Then see if you can also enable it for your AnyDesk clients.

Lee Neely

The optimum time to reset a password is not after a breach but automatically after its first use. We call this a one-time password, OTP. It is a component of many systems of strong authentication. Strong authentication is an essential and efficient security mechanisms. Many such systems, e.g., Passkeys, are more convenient than passwords and do not rely upon the user to change them.

William Hugh Murray

If you're wondering how to approach a similar situation in your shop, the blog post lays out all things you should consider. From identifying the root cause, failure to rotate a compromised credential, understanding the possible access with those credentials as well as any accounts created, containment, eradication and post-event hardening and improvement. Consider your network architecture and how resistant it is to lateral movement. Consider how to reduce trust based on network, that systems are validating both the user and system are appropriate for the requested connection.

Lee Neely

CVE-2023-6941 has a CVSS score of 7.5; CVE-2023-6943 has a CVSS score of 9.8. While there are no patches, the Mitsubishi bulletin provides guidance on affected products and mitigations. In short, make sure these systems are properly isolated, don't expose them to the Internet, and make sure the system you're using to access them is itself secure (patched, EDR, etc.). Exploiting the flaw would allow the attacker to reprogram your PLCs as well as installing new utilities on your engineering workstations.

Lee Neely

Rust has been making great inroads in the Android space as one of the strongest tools to address memory safety and security issues. This funding should help increase the interoperability with legacy C++ codebases, resulting in both easier and more use in non-Android scenarios.

Lee Neely

Current claims are this is a DoS attack, and they are busy restoring services and forensicating the environment. If the DoS attack is a smoke-screen, this approach will reveal any additional attacks. As the capabilities to launch very disruptive DDoS attacks seems to be perpetually increasing, you may want to setup a regular check/update from your service providers on their protections/capabilities to make sure they are adapting to the evolving threat environment. Also, check-in with any services which didn't offer DDoS protections previously to see if that has changed. Don't forget to check your third-party and outsourced service providers.

Lee Neely

DDoS attacks are mostly a nuisance for organizations and not sustainable. What is concerning is the increase in attacks over the past year. It indicates that large numbers of devices aren’t practicing basic cyber hygiene and have been herded into botnets. Is it time to consider a cyber health check before allowing access to the Internet?

Curtis Dukes

Keep in mind that DoS attacks are used to distract from other more subtle attacks.

William Hugh Murray

The sanctions mean that all property and interests in property of these Iranian officials in the U.S., or that are in control of U.S. persons are blocked and must be reported to the Office of Foreign Assets Control (OFAC). Additionally, any entities with over 50 percent ownership by these officials are also blocked. In essence, all tractions within the U.S. with these assets or entities are prohibited. While this may make things difficult for the Iranian officials, the impact on the threat actors isn't clear, as such you still need to take steps to protect your critical infrastructure. Leverage the Water ISAC for threat intelligence as well as guidance for expertise you can leverage. Consider hiring a friendly assessor, rather than reacting to issues revealed by those threat actors.

Lee Neely

While important to demonstrate American resolve, it is highly unlikely that any of the individuals will be visiting the US or extradition friendly countries any time soon. What is more important is that vendors, where possible, apply ‘secure by design’ principles in future releases of their products.

Curtis Dukes

There really are consequences for unauthorized disclosure of classified information; it's nice to have a current example to reinforce this point. Schulte was able to perform his actions by obtaining admin privileges, as well as granting himself added access. While the role-granting should trigger an alert, this is where regular account and access control reviews are important in case those alerts are missed. Also verify you have active/rapid processes to restrict access when an account holder is sanctioned or otherwise in a questionable state.

Lee Neely