Change Healthcare Impacts Providers; More Fortinet Exploits and Ivanti Flaws

The attack is being felt nationwide. HHS has issued $2.5 billion in advance Medicaid and Medicare action payments, which providers will need to reconcile later, so providers can continue to operate. HHS is insisting insurance companies do the same for providers. The good news is that Change Healthcare is paying 95% of their insurance health insurance claims. Here is a clear example of third-party provider outage risk. Make sure you are capturing the risk of service interruptions from your third parties and options, if any, mitigate them, note you may need to accept more than you think.

The cyberattack on Change Healthcare continues to highlight 1) the dependency on 3rd party service providers; 2) the unintended consequences of vendor consolidation; and 3) its impact on healthcare operations. For one and three internal workarounds can be established. Unfortunately, to reduce vendor consolidation (via merger and acquisition), the government will have to weigh in.

Luckily, only few FortiClient EMS systems appear to be exposed to the internet. But with an exploit available, this vulnerability could also be used for lateral movement after a network is breached. Access to this software will allow attackers to reach managed systems and it will make it more difficult to evict an attacker.

No surprised looks, researchers released a POC exploit for CVE-2023-48788, SQL Injection flaw, last Thursday. You know that means is a race condition between your application of the update and successful exploitation. The vulnerability is being targeted to gain access to corporate networks to facilitate ransomware attacks and/or corporate espionage campaigns.

With tax filing in the US being almost entirely electronic, the cybercriminals are taking advantage of the weakest link in the chain: you. They target your identity, financial accounts and passwords in hopes of tricking you into giving them information and/or access needed to grab your refund. Your primary mitigations are phishing awareness training and enabling MFA on all your accounts. Don't forget to secure your state tax account if you have one.

While this report focuses on the US tax season, the adversary also builds campaigns for other important dates. The stats tell us that the average click rate for a phishing email is 18%; for targeted email, the number goes up to 53%. Why not focus on patch and configuration management vice trying to sus out malicious email?

Having used GitHub's Copilot as a coding aid, AutoFix looks like it may become a very useful tool to avoid many of the basic oversights that sneak in when coding. Looking forward to testing it.

Cross-site scripting is a huge target as making sure your code is sanitizing all inputs is hard, let alone going back and working all the code in your app, not just the part with an identified weakness. This tool looks at multiple files in your app to discover repeated issues, and you could, in theory, fix them consistently with one click. More importantly, IMO, this could dramatically cut the time it takes to do the needed security checks. I would start evaluating this sooner than later, assume attack tool counterpart is out, or nearly out.

Just before the March Microsoft Vulnerability Tuesday patch release, Microsoft released a progress update on the first four months of their “Secure Future Initiative.” The first two accomplishments said 86% of Azure code and over 1 billion lines of code overall were now being analyzed for vulnerabilities using the GitHub CodeQL tool. Microsoft has to move to faster than monthly patch release and bad updates are a major impediment to ever convinces CIOs to move forward with expecting all software to do what cloud software and browsers already do – patch critical vulnerabilities nearly continuously. I’d like to see Microsoft put out a lessons learned how this memory leak made into the released update.

If you've not applied the March security update to your DC's (KB5035857) to your DCs, hold off. This affects Windows Server 2022, 2019, 2016 and 2012 R2. Expect the updated patch in the next week. While you're waiting you can focus on browser and iOS/iPadOS updates.

Oddly, nobody is trying to claim this assumed ransomware attack as theirs. Radiant is currently deep in their forensics, response and restoration process. They state they don't expect this incident to materially impact the company's financial conditions.

Two phrases in the 8-K filing worth noting 1) …initial stages of a cybersecurity incident…; and 2) …as of the date of this filing, the incident has not had a material impact on the company’s overall operations. The words businesses use in cybersecurity disclosures matter. It’s been three months since the SEC cyber disclosure rules took effect, and we still have little additional insight into cyber incidents. For all the brouhaha about the rule changes, little has actually changed.