SANS NewsBites

Cyberattacks Disrupt Hospital Services; US Legislators Propose Healthcare Cybersecurity Bill

October 1, 2024  |  Volume XXVI - Issue #75

Top of the News


2024-09-30

Texas Hospital Forced to Divert Ambulances Following Ransomware Attack

The University Medical Center (UMC) Health System in Lubbock, Texas, has confirmed that they have been experiencing an IT outage due to a ransomware attack. While all UMC Health facilities are open, they are 'temporarily divert[ing] incoming emergency and non-emergency patients via ambulance to nearby health facilities until this issue is resolved.' UMC is a level 1 trauma center; the nearest level 1 trauma center is 400 miles away.

Editor's Note

It has been obvious since the Morris Worm that the rogues simply cannot know enough about the environment to predict the consequences of their activity. However, when they target healthcare it should be obvious that those consequences will threaten life and limb.

William Hugh Murray

While UMC isn't releasing a full-service restoration date, they are now diverting only a few patients. They are reaching out to patients with scheduled appointments to advise them on the modified procedures and what to expect. As if the stakes aren't already high enough, UMC Children's Hospital is a Pediatric Level 2 Trauma Center with the region's only verified burn center for children.

Lee Neely

2024-09-28

Kuwait Health Ministry Suffers Cyberattack

Kuwait's Health Ministry announced on Wednesday, September 25, that it had suffered a cyberattack. The incident disrupted services at several hospitals and also affected the Health Ministry's website and the country's Sahel healthcare app. Critical services, including the Kuwait Cancer Control Center and the systems that manage the national health insurance system and the expatriate check-up system, have been restored from backups.

Editor's Note

The actions taken by Kuwait are consistent with recovery from a ransomware attack as well as catching up on delinquent patching. At this point, the majority of systems are back on-line. One hopes they also took steps to prevent recurrence, which include more proactive application of security updates.

Lee Neely

2024-09-26

US Senate Healthcare Bill

Two US Senators have introduced legislation that would require hospitals and other organizations in the healthcare sector to implement minimum cybersecurity standards and undergo annual independent audits. The Health Infrastructure Security and Accountability Act would allocate $1.3 billion to the Department of Health and Human Services (HHS) to support these efforts and establish meaningful consequences for organizations that do not meet established standards.

Editor's Note

Hospitals have been a primary target for ransomware. These attacks have endangered lives, and affected the quality of care. Let's hope this effort will succeed where HIPAA did not.

Johannes Ullrich

With the ongoing plethora of healthcare ransomware attacks, the industry needs help raising the bar. One hopes the proposed funding to accompany this legislation will help seed those efforts. The bill applies to healthcare providers, health plans, clearinghouses and business associates. It adds stress tests and annual audits for accountability, as well as removing caps on fines HHS can dole out. If passed, the legislation will go into effect two years after enactment. Supporting regulations will be in place at most 18 months after enactment with supporting standards from NIST.

Lee Neely

While establishing a mandatory minimum baseline for cybersecurity is a good thing, extra baggage comes with this Senate bill. For starters there exist viable alternatives to the Healthcare Cyber Performance Goals (HPH CPGs). States have already enacted laws that reference NIST CSF, ISO 27001, CIS Critical Security Controls, and other regulatory frameworks as part of incentivizing implementation of a cybersecurity program; why not allow those to be included in the minimum baseline? Many in the healthcare sector have already implemented one of those frameworks and are actively measuring compliance. The bill also creates another 'cottage industry' to conduct the annual audit, an unnecessary cost to the organization. Why not include self assessment as part of the annual audit, like the revamped CMMC does? The 'C-suite' would be just as accountable with a self assessment should there be a cyber breach. Finally, what happens once the funding associated with this bill is exhausted?

Curtis Dukes

The Rest of the Week's News


2024-09-30

Microsoft Details Changes Made to Problematic Copilot+ Recall Feature

Microsoft has added some security and privacy features to the controversial Recall feature on Copilot+ machines. The initial version of Recall, announced in late May of this year, was on by default. It took screenshots of everything users did on the machines and stored that information, unencrypted, on disk. The revised version of Recall, announced on Friday, September 27, will be off by default (opt-in) and will include the option to delete the feature from the machine's operating system.

Editor's Note

The changes Microsoft made look solid and address most of the complaints people had with respect to the original implementation. Even better, the feature will be "opt-in" and uninstallable.

Johannes Ullrich

A responsible action by Microsoft given their recent security gaffes. Opt-in should always be the default: let the user decide what information is to be shared.

Curtis Dukes

Microsoft is attempting to recover and regroup with Recall, adding security, opt-in, and regular re-validation of opt-in status. Recall is now encrypting sensitive information using the system's TPM chip which is tied to the user's Windows Hello Enhanced Sign-In Identity and can only be accessed in a secure VBS Enclave which should prevent other users from accessing this information. Even so, read the Windows Blog on Recall security before enabling it.

Lee Neely

2024-09-25

US Legislators, Judges, and Agencies Circle AI Security Policy and Resources

The US Senate and House of Representatives are considering bills that would direct federal agencies to study and begin regulating AI in the interest of cybersecurity. Both bills primarily address the National Institute of Standards and Technology (NIST) and the National Vulnerability Database (NVD), calling for AI vulnerability tracking, as well as consultation with other agencies and industrial and civil organizations to set up standard definitions and reporting guidelines. At the same time, these bills sit alongside a US Supreme Court ruling that diminishes agencies' ability to interpret definitions and statutes in federal court; a dissenting Justice cited AI as a potential policy struggle for Congress without the authority of expert agencies. The 2023 Executive Order on 'Safe, Secure, and Trustworthy Artificial Intelligence' also leans on NIST, in collaboration with other agencies, to 'develop standards, tools, and tests to help ensure that AI systems are safe, secure, and trustworthy.' The House bill stipulates that its directives are 'subject to the availability of appropriations;' the introducing representatives are 'actively exploring solutions' to ensure NIST and NVD are adequately supported.

Editor's Note

Developing capabilities to identify flaws related to AI aligns with the directive of the 2023 Executive Order, and NIST is the right place to own the task. The tasking must come with adequate funding or we're going to wind up with another gap, much like what happened when they suspended enriching vulnerability information in February.

Lee Neely

Is it likely that AI products are going to be of higher quality or more vulnerability-free than other less complicated and more transparent IT products?

William Hugh Murray

2024-09-27

Meta Fined €91 Million for Plaintext Password Storage

An inquiry launched in 2019 by the Irish Data Protection Commission (DPC) has concluded that Meta must pay €91 million (approximately $101.3 million) for storing millions of user passwords in plaintext. The DPC found that Meta infringed four articles of the GDPR: failure to document the breach, failure to properly notify the DPC, failure to 'ensure appropriate security,' and failure to protect users with measures appropriate to the level of risk. Meta had reported that 'some user passwords' had been stored 'inadvertently' without encryption; a contemporaneous report by Brian Krebs estimated that "2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords," including credentials dating back to 2012.

Editor's Note

FB failed its cybersecurity 101 test - storing passwords in plaintext. What's surprising is the lack of cybersecurity culture where none of the thousands of software engineers thought it a problem storing passwords in plaintext. While I usually hate that companies are fined by government as it usually gets passed along to the consumer, in this case it's appropriate.

Curtis Dukes

If you're storing passwords, make sure that they are not in plain text. Ideally use a strong salted hash (Bcrypt, SHA512, PBKDF2, etc.), don't create your own. While Meta took action to notify users and correct passwords stored in the clear, if you've not changed your Meta (Facebook) password since before 2019, you should look into that, as well as enabling 2FA on that account.

Lee Neely
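
The note above recommends a strong salted hash and not rolling your own. The following is an added example (not code from the newsletter, its editors, or Meta) of what that looks like in practice using PBKDF2-HMAC-SHA256 from Python's standard library: a random per-user salt, a tunable work factor, a constant-time comparison, and an audit helper that flags legacy plaintext entries so they can be migrated or reset. The credential store, usernames and passwords are constructed sample data.

```python
# Added example (not newsletter or Meta code): salted, iterated password
# hashing with PBKDF2-HMAC-SHA256 from the Python standard library, plus an
# audit helper that flags legacy plaintext entries for forced migration.
import base64
import binascii
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
# Work factor. OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# tune it so one verification costs a few hundred milliseconds on your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<b64 salt>$<b64 hash>.

    A fresh random salt per password means two users with the same password get
    different records, which defeats precomputed tables and cross-user matching.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse_record(record: str):
    """Split and validate a stored record; return None for anything malformed
    (including a bare plaintext password)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except (ValueError, binascii.Error):
        return None
    if iterations <= 0 or not salt or not digest:
        return None
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parsed = _parse_record(record)
    if parsed is None:
        return False  # never accept a legacy/plaintext record, even if it "matches"
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(digest))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, digest)


def is_plaintext_record(record: str) -> bool:
    """True when a stored value is not a well-formed PBKDF2 record and so must be
    treated as plaintext: hash it on the user's next successful login or force a reset."""
    return _parse_record(record) is None


def audit_store(store: dict) -> list:
    """Return the usernames whose credentials need migration."""
    return sorted(user for user, record in store.items() if is_plaintext_record(record))


# Constructed sample credential store (not real data): one migrated user and one
# legacy entry of the kind the DPC finding concerned.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "hunter2",
}

if __name__ == "__main__":
    print("needs migration:", audit_store(SAMPLE_STORE))
    print("alice login ok:", verify_password("correct horse battery staple", SAMPLE_STORE["alice"]))
    print("bob plaintext accepted:", verify_password("hunter2", SAMPLE_STORE["bob"]))
```

The record carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed at next login. A plaintext value is never accepted as a credential, even when it matches; it is only ever a trigger for migration or a forced reset, which is the position the note's advice to change old Meta passwords reflects.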

2024-09-26

HPE Patches Critical Flaws in Aruba Access Points

Hewlett Packard Enterprise has released fixes to address three CVEs that affect HPE Aruba Access Points running AOS-8 and AOS-10. All three vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) are critical command injection issues. The current NVD descriptions of the flaws are identical: 'Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.' The vulnerabilities also affect certain end-of-life software versions; these are listed in the HPE advisory. Users are urged to update and/or upgrade to fixed versions.

Editor's Note

All three vulnerabilities have a CVSS score of 9.8. Make sure that you're running a supported/patched version of AOS-10 or Instant AOS-8. Then, for AOS-10, restrict access to UDP port 8211, and enable cluster-security if you're on Instant AOS-8.

Lee Neely
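
The mitigation in the note above is to restrict who can reach UDP/8211 on the APs. One way to verify that restriction holds is to sweep a firewall or flow export for PAPI traffic from outside the management networks. The script below is an added example, not HPE tooling or anything from the advisory: the key=value log format, the addresses and the management CIDRs are all constructed for illustration, and a real deployment would substitute its own export format and controller/admin ranges.

```python
# Added example (not HPE tooling): flag PAPI (UDP/8211) traffic that reached an
# access point from outside the management networks, using an exported flow /
# firewall log. Log format, addresses and CIDRs below are all constructed.
import ipaddress
import re

PAPI_UDP_PORT = 8211

# Hypothetical management networks (controllers, conductor, admin VLAN) that are
# allowed to talk PAPI to the APs. Everything else is a policy gap or a probe.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> dict:
    """Parse '<timestamp> key=value key=value ...' into a dict (constructed format)."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(_KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_management_source(src: str, nets=MANAGEMENT_NETS) -> bool:
    """True when the source address lies inside one of the allowed management CIDRs."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def find_papi_exposure(lines, nets=MANAGEMENT_NETS) -> list:
    """Return findings for UDP/8211 flows from non-management sources.

    'exposed': the packet was allowed through, so an unauthenticated sender could
               reach the vulnerable CLI service on the AP; tighten ACLs and patch.
    'probed' : the packet was dropped, but someone is looking for the port.
    """
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f.get("proto", "").lower() != "udp":
            continue
        try:
            if int(f.get("dport", "0")) != PAPI_UDP_PORT:
                continue
            src = f["src"]
        except (ValueError, KeyError):
            continue  # malformed line; skip it rather than abort the whole sweep
        if is_management_source(src, nets):
            continue
        severity = "exposed" if f.get("action", "").lower() == "allow" else "probed"
        findings.append({"ts": f["ts"], "src": src, "dst": f.get("dst"), "severity": severity})
    return findings


# Constructed sample log lines (not captured traffic): one legitimate controller
# flow, one allowed flow from the internet, one dropped probe, and two non-PAPI flows.
SAMPLE_LOG = [
    "2024-09-27T10:02:11Z proto=udp src=10.20.1.5 sport=8211 dst=10.20.30.7 dport=8211 action=allow",
    "2024-09-27T10:02:19Z proto=udp src=203.0.113.5 sport=40001 dst=10.20.30.7 dport=8211 action=allow",
    "2024-09-27T10:03:02Z proto=udp src=198.51.100.9 sport=53211 dst=10.20.30.8 dport=8211 action=deny",
    "2024-09-27T10:03:40Z proto=tcp src=203.0.113.5 sport=40002 dst=10.20.30.7 dport=8211 action=allow",
    "2024-09-27T10:04:05Z proto=udp src=203.0.113.7 sport=40003 dst=10.20.30.7 dport=53 action=allow",
]

if __name__ == "__main__":
    for finding in find_papi_exposure(SAMPLE_LOG):
        print(finding)
```

An 'exposed' finding means the ACL in front of the AP is not doing what the note asks, regardless of whether the packet was an exploit attempt; the sweep checks the control, not the attacker. Only UDP is matched because the advisory text ties the vulnerable service to the PAPI UDP port; the TCP line in the sample is deliberately ignored.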

2024-09-30

Threat Actors Breach Systems of German Defense Contractor

Cyber threat actors with ties to North Korea's government have allegedly broken into the network of German air defense system manufacturer Diehl Defence. According to Der Spiegel, the hackers gained access to Diehl's network through a spear phishing attack with a malicious PDF attachment that purported to be job offers from US defense contractors. Mandiant investigated the incident and found that the threat actors had conducted reconnaissance prior to the attack.

Editor's Note

The attack is attributed to the Kimsuky APT, aka APT43, Velvet Chollima, Emerald Street, TA406 and Black Banshee which focuses on intelligence gathering, including support for the North Korean Government's nuclear and strategic efforts. Spear phishing attacks with a jacked-up PDF, as was used here, are tricky to protect against. On top of that, the attackers leveraged a legitimate login server to capture credentials. The good news is we can do more than advising not to click. Make sure that you've got in-line attachment checking, MFA to help mitigate credential harvesting, and if possible protective DNS.

Lee Neely

2024-09-30

SEC Charges Individual With Stealing Data and Using it to Conduct Financial Trades

The US Securities and Exchange Commission (SEC) has filed civil charges against a UK citizen for allegedly breaking into computer networks at five US companies and stealing privileged corporate earnings information that he later used to his advantage when conducting financial trades. Robert B. Westbrook allegedly reset account passwords for senior executives at the targeted companies. Westbrook is charged with violating antifraud provisions of the Securities Exchange Act of 1934. The SEC is seeking civil penalties, the return of the ill-gotten gains with interest, and enjoining Westbrook from future violations of the law.

Editor's Note

Seriously, if you're a publicly traded company, this is a great example of why you want to implement strong MFA and possibly DLP types of measures to prevent misuse of proprietary information. The businesses appeared to get lucky in that he didn't leverage information obtained with their competitors or for extortion.

Lee Neely

A modern day take on the classic movie, 'Wall Street.' In the movie, Bud Fox and his mentor Gordon Gekko use illegally obtained insider information to manipulate the stock market and corporate world. As in the movie, greed eventually takes over and you trip up and get caught.

Curtis Dukes

2024-09-26

Texas City is Dealing with a Ransomware Attack

With the help of the FBI, the city of Richardson, Texas is managing the aftermath of a ransomware attack. On Wednesday, September 25, the city disclosed that 'an external party temporarily gained access to the City's servers and attempted to encrypt data files within the network.' While the damage was contained 'to a small number of files,' the city took the precautionary measure of shutting down internal access to their servers. Richardson is replacing affected equipment and restoring systems from backups.

Editor's Note

The city, which has 120,000 residents, is working to rapidly restore services first, and secondly working to determine what data were exfiltrated. Richardson continues to post status updates as well as providing a 24-hour response center backup number as the primary number was suffering intermittent outages. They have also engaged the FBI and notified DHS. They are progressing rapidly, and it may be worth taking a look to see if you can emulate their success.

Lee Neely

Internet Storm Center Tech Corner

CUPS Vulnerability

https://isc.sans.edu/diary/Patch+for+Critical+CUPS+vulnerability+Dont+Panic/31302

DNS And Big Chinese Firewall

https://www.assetnote.io/resources/research/insecurity-through-censorship-vulnerabilities-caused-by-the-great-firewall

https://isc.sans.edu/diary/Are+You+Piratebay+thepiratebayorg+Resolving+to+Various+Hosts/19175

Tool Update: mac-robber.py, le-hex-to-ip.py

https://isc.sans.edu/diary/Tool+update+macrobberpy+and+lehextoippy/31310

Singapore Class

https://jbu.me/singapore

Detecting Ransomware in Windows Event Logs

https://blogs.jpcert.or.jp/en/2024/09/windows.html

Ransomware Attacks Expanding to Hybrid Cloud Environments

https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/

Update on Recall Security and Privacy Architecture

https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/

Progress WhatsUp Gold Update

https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024?popup=true&overview

PHP Updates

https://www.php.net/ChangeLog-8.php#8.1.30

HPE Aruba Networking Vulnerabilities

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04712en_us&docLocale=en_US