More stories


    Ransomware attacks against hospitals are having some very grim consequences

    Ransomware attacks against hospitals are having direct consequences for patient care as a result of the reduced availability of systems and services when cyber criminals encrypt networks. According to a survey of healthcare organisations, ransomware attacks have resulted in patients being kept in hospital longer, delays in tests and procedures – and, most disturbingly of all, an increase in patient deaths. 


    The research into the impact ransomware has on hospitals and patient care was conducted by The Ponemon Institute think tank and cybersecurity company Censinet.

    Ransomware is a major cybersecurity issue for all industries, but attacks against healthcare have a huge impact because of the potential consequences for patient care. If a retailer or a supermarket is compromised with ransomware, customers can often go elsewhere for their products – but in the case of hospitals, that’s not really an option.

    It’s why targeting hospitals has become a lucrative business for criminal ransomware operations – the nature of healthcare and the requirement for constant access to systems means that, in many cases, the victim will give in and pay the ransom demand for a decryption key.

    The results of the survey, based on answers from 597 IT and IT security professionals working in healthcare, paint a picture of hospitals struggling to protect against and deal with the fallout from ransomware attacks – and all of this at a time when healthcare has been feeling the strain of the coronavirus pandemic.

    Just over a third (36%) of respondents at hospitals affected by a ransomware attack saw an increase in complications for patients following medical procedures, while seven in 10 saw delays in procedures and tests resulting in what’s described as “poor outcomes”. Seven in 10 patients also had a longer stay at the hospital due to the ongoing consequences of a ransomware attack.

    One in five respondents who worked at a hospital that had been hit by ransomware said the incident led to an increase in deaths. Official reporting that examines the direct impact of ransomware on patient mortality is opaque at best.

    In September last year, it was reported that a patient at a German hospital died after the facility was hit by a ransomware attack as they were being transferred to another hospital. Police launched an investigation into the death to determine if the cyber criminals who launched the ransomware attack were responsible for the patient death. However, they came to the conclusion that the patient was in such poor health condition that it was still likely they would have died.

    While healthcare is a tempting target for ransomware because of the critical nature of the industry, funding issues around cybersecurity don’t help. Hospital budgets are often stretched, meaning that investment in IT infrastructure and cybersecurity can end up low down the priority list.

    This can turn cybersecurity issues, such as failing to patch known vulnerabilities or to update operating systems to the latest version, into big problems, and both can be exploited by cyber criminals to launch ransomware attacks.

    Budgets are tight, but if healthcare organisations can invest in the technology and security staff required to help discover and fix vulnerabilities in endpoints and networks, it can go a long way to helping to keep hospitals – and patients – safe from the impact of cyberattacks.

    “Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers,” said Larry Ponemon, chairman and founder of the Ponemon Institute.


    Telegram bots are trying to steal your one-time passwords

    Telegram-powered bots are being utilized to steal the one-time passwords required in two-factor authentication (2FA) security. 

    On Wednesday, researchers from Intel 471 said that they have seen an “uptick” in the number of these services provided in the web’s underground, and over the past few months, it appears the variety of 2FA circumvention solutions is expanding — with bots becoming a firm favorite.

    Two-factor authentication (2FA) can take the form of one-time password (OTP) tokens, codes, links, biometric markers, or tapping a physical dongle to confirm an account owner’s identity. Most often, 2FA tokens are sent through a text message to a handset or an email address.

    While 2FA can improve upon the use of passwords alone to protect our accounts, threat actors were quick to develop methods to intercept OTP, such as through malware or social engineering.

    According to Intel 471, since June, a number of 2FA-circumventing services are abusing the Telegram messaging service. Telegram is either being used to create and manage bots or as a ‘customer support’ channel host for cybercriminals running these types of operations.

    “In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts,” the researchers say.

    The Telegram bots are being used to automatically call would-be victims in phishing attempts, to send messages claiming to be from a bank, and to otherwise try and lure victims into handing over OTP codes. Other bots are targeting social media users in phishing and SIM-swap attack attempts.

    In order to create a bot, there is a basic level of programming required — but nothing in comparison to developing custom malware, for example. What makes matters worse is that in the same way as traditional botnets, the Telegram bots can be leased out — and once the phone number of an intended victim is submitted, attacks can begin with only a few clicks.

    The researchers cited two particular bots of interest: SMSRanger and BloodOTPbot.

    SMSRanger’s interface and command setup are similar to the Slack collaboration platform and it can be used to target particular services including PayPal, Apple Pay, and Google Play. BloodOTPbot is an SMS-based bot that can also be used to generate automatic calls that impersonate bank staff.
    “The bots show that some forms of two-factor authentication can have their own security risks,” Intel 471 commented. “While SMS- and phone-call-based OTP services are better than nothing, criminals have found ways to socially engineer their way around the safeguards.”

    In April, Check Point Research disclosed the existence of a Remote Access Trojan (RAT) dubbed ToxicEye that abuses the Telegram platform, leveraging the communications service within its command-and-control (C2) infrastructure.


    Critical Infrastructure Bill should be split to swiftly give government step-in powers: PJCIS

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended that the Bill that would provide government with step-in powers whenever an organisation suffers from a cyber attack be swiftly passed.

    “The committee received compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally. Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” committee chair Senator James Paterson said.

    The Bill in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, as currently drafted seeks to provide government with powers to step in and provide “assistance” to entities in response to significant cyber attacks on Australian systems, create enhanced cybersecurity obligations for those entities most important to the nation, and introduce sector-specific positive security obligations (PSO) for critical infrastructure entities.

    The PJCIS noted in an advisory report [PDF], however, that only portions of the Bill that focus on government assistance mechanisms and mandatory notification requirements should be passed, with the “less urgent” aspects of the Bill to be introduced under a second, separate Bill following further consultation.

    The PJCIS believes this two-step approach would enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design a regulatory framework that provides long-term security for the country’s critical infrastructure.

    Along with this main recommendation, the advisory provided other recommendations detailing how the Bill should be split.

    The powers that the PJCIS wants to see passed immediately are the government assistance mechanisms, colloquially termed “last resort” powers, which entail giving government powers to direct an entity to gather information, undertake an action, or authorise the Australian Signals Directorate (ASD) to intervene against cyber attacks. This also includes the proposal for software to be installed that the Department of Home Affairs claims would aid providers in dealing with threats.

    It also wants one of the PSOs in the current Bill, which seeks to require organisations to formally notify government if they experienced a cyber attack, to be immediately passed.

    While the PJCIS supports the introduction of the “last resort” powers, tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with them, saying more clarity is needed regarding how and when those powers can be exercised.

    Meanwhile, Google believes the assistance mechanisms would only provide more problems.

    “I do not believe that there is a situation where installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems, and it’s not going to help the solution and it’s not going to help the problem at hand,” Google threat analysis group director Shane Huntley said in July.

    “The committee acknowledges that affected entities will still have reservations with the enablement of the assistance measures, especially within the technology sector. However, the committee recognises that the potential threat faced to critical infrastructure assets is too great to stall introduction of these essential measures for any longer,” the committee wrote in response to those concerns.

    Among the less urgent powers that the PJCIS would like to see introduced in a later Bill are the enhanced cybersecurity obligations and remaining PSOs in the current Bill. These PSOs are adopting and maintaining an all-hazards critical infrastructure risk management program, and providing ownership and operational information to the Register of Critical Infrastructure Asset.

    The PJCIS said this second Bill should be drafted through consultation with industry.

    Since the Bill’s introduction into Parliament at the end of last year, the Department of Home Affairs has repeatedly requested for it to be rushed through, saying the sector-specific rules could be nutted out later.


    Exploit released for VMware vulnerability after CISA warning

    A working exploit for CVE-2021-22005 — a vulnerability with VMware vCenter — has been released and is reportedly being used by threat actors, according to experts tracking the issue.

    Last week, VMware warned of a critical vulnerability in the analytics service of vCenter Server and urged users to update their systems as soon as possible. On September 21, VMware said that its vCenter Server is affected by an arbitrary file upload vulnerability in the Analytics service which would allow a malicious actor with network access to exploit this vulnerability to execute code on vCenter Servers.

    By September 24, VMware had confirmed reports that CVE-2021-22005 was being exploited in the wild and dozens of security researchers online reported mass scanning for vulnerable vCenter Servers and publicly available exploit codes.

    CISA followed up with its own warning on Friday, writing on Twitter that they expected “widespread exploitation of VMware vCenter Server CVE-2021-22005.” Like VMware, they urged users to upgrade to a fixed version as quickly as possible or apply the temporary workaround provided by VMware.

    That same day, cybersecurity company Censys released a report showing that there were around 3,264 hosts that are Internet-facing and potentially vulnerable. More than 430 had been patched and 1,369 are either unaffected versions or have the workaround applied.

    In a statement to ZDNet, VMware reiterated that it has released patches and mitigation guidance to address multiple vulnerabilities affecting VMware vCenter Server 6.5, 6.7 and 7.0. They have also issued a public security advisory.

    “Customer protection is VMware’s top priority, and we strongly recommend that affected customers patch immediately as indicated in the advisory. As a matter of best practice, VMware encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and deploy our products in a security hardened configuration,” the company said. “Customers should also sign-up for VMware’s Security-Announce mailing list to receive new and updated VMware Security Advisories.”

    Derek Abdine, CTO of Censys, confirmed to ZDNet that they have reliably proven that remote execution is possible and easy to do.

    “I can confirm in-the-wild exploitation now. It looks like it’s related to the second vulnerability that is part of CVE-2021-22005. I haven’t seen evidence of exploitation using the hyper/send endpoint (the other part of CVE-2021-22005), but that endpoint is slightly less viable because it has a prerequisite condition. The /datapp endpoint is more concerning as there are no prerequisites and it is thought to exist on more versions of vCenter,” Abdine explained.

    “Also, internal exposure is still a big deal. There are quite a number of these externally facing, but that should not be the norm. Many organizations have private VMware clusters, and this issue will still present a significant risk to them if an attacker is able to leverage the exploit internally.”

    Will Dormann, vulnerability analyst at the CERT/CC, also confirmed on Twitter that the exploit for CVE-2021-22005 is now fully public.

    A map of where all VMware vCenter hosts accessible via the Internet are located. Image: Censys
    Hosts from Hong Kong, Vietnam, the Netherlands, Japan, Singapore and other countries across the globe continue to scan for the vulnerability, according to Bad Packets.

    Abdine noted that while a patch has been available for days, there is a “patch saturation” phenomenon where patching never really reaches 100%.

    “For example, 5 days after the Atlassian Confluence blog post went out, we only saw a drop of 30% on total exposed vulnerable confluence services. When the Western Digital My Book Live issue came up recently, we observed the same thing even in the consumer space (versus enterprise software for Confluence/VMware),” Abdine said.

    “I think there are still plenty of hosts out there that are a concern. Greynoise.io and Bad Packets are both seeing opportunistic scanning that some are calling mass exploitation. However, from what I can tell so far, whoever is running these requests that are captured by Greynoise and Bad Packets are simply lifting URLs from community research (by Censys and @testanull on Twitter) and attempting to hit the URLs for those without full working knowledge of how to achieve execution.”

    Now that an exploit has been released, Abdine added that the “floodgates opened,” allowing any attacker with lower technical skills to perform mass exploitation.

    “So all in all, I don’t think we’re out of the woods yet — and again, it’s very common to run VMware clusters in internal datacenters that are only accessible via company VPNs. Virtual machines should continue to run. However, the operations and management you get with vCenter will absolutely be affected while the upgrade takes place, and may likely impact operations for organizations regularly using vCenter,” Abdine said.

    John Bambenek, principal threat hunter at Netenrich, told ZDNet that remote code execution as root on these types of devices is pretty significant. Almost every organization operates virtual machines and if a threat actor has root access, they could ransom every machine in that environment or steal the data on those virtual machines with relative ease, Bambenek said.

    Other experts, like Digital Shadows threat intelligence team lead Alec Alvarado, noted that threat actors follow the news as much as security researchers. Alvarado echoed what Abdine said, explaining that less sophisticated actors now have a chance to take advantage of the vulnerability thanks to the proof of concept.

    But for Bud Broomhead, CEO at Viakoo, the situation boiled down to patch management.

    “Managing patches manually leaves an organization at risk due to the slow (or non-existent) nature of the process, leaving an organization vulnerable,” Broomhead said.


    Bandwidth CEO confirms outages caused by DDoS attack

    Voice over Internet Protocol (VoIP) services company Bandwidth.com has confirmed that it was suffering from outages after reports emerged on Monday night that the service was dealing with a DDoS attack. Bandwidth CEO David Morken said in a statement that “a number of critical communications service providers have been targeted by a rolling DDoS attack.”


    “While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously,” Morken said.

    “We are working around the clock to support your teams and minimize the impact of this attack. Our account managers and support teams have been actively reaching out to customers individually to address any issues. We will not rest until we end this incident, and will continue to do all we can to protect against future ones.”

    In an earlier statement, the company told ZDNet that Bandwidth “has experienced intermittent impacts” to its services.

    “All our services are currently functioning normally. Our network operations and engineering teams are continuing to monitor the situation and we are actively working with our customers to address any issues. We will post updates to status.bandwidth.com as we have additional information to share,” the company said.

    Since that statement was shared, the company has updated the status showing partial outages for a number of inbound and outbound calling services.

    Bleeping Computer was the first to report on Monday evening that Bandwidth.com was facing issues because of a distributed denial of service attack, a type of attack that is routinely targeted at VoIP providers.

    The news outlet noted that other VoIP vendors like Accent, RingCentral, Twilio, DialPad and Phone.com were experiencing outages and telling customers that the problems were with an “upstream provider.”

    On its Cloud Service Status page, Accent said on Tuesday that the “upstream provider continues to acknowledge the DDoS attack has returned to their network however we are seeing a very limited impact to inbound calling for our services.”

    “Mitigation steps are being put in place to route inbound phone numbers around the upstream carrier the impact to service grows. We will continue to monitor the situation and update the status as appropriate,” Accent wrote.

    A source, who asked to have their name withheld, told ZDNet on Monday that their customers were having major problems with their ported phone numbers and that they could not make any changes like forwarding phones.

    The company is a downstream reseller of products hosted by Bandwidth and said they knew of a major telecommunications company that “was in emergency mode” due to the situation with Bandwidth.

    Just a few weeks ago, Canada-based VoIP provider VoIP.ms said it was still battling a week-long, massive ransom DDoS attack. The REvil ransomware group demanded a $4.5 million ransom to end the attack.

    Recent reports have said DDoS attacks are becoming more frequent, more disruptive and increasingly include ransom demands.

    Cloudflare said last month that its system managed to stop the largest reported DDoS attack in July, explaining in a blog post that the attack was 17.2 million requests-per-second, three times larger than any previous one they recorded.


    1Password partners with Fastmail for 'masked email' project allowing users to generate email aliases

    1Password and Fastmail have announced a new service designed to offer users a way to create email aliases and protect their real email addresses. The “Masked Email” service will allow 1Password users to create and manage secure, unique email aliases directly within the 1Password platform. The feature is designed to help users hide their email addresses from certain apps or services they need to use. 

    Fastmail COO Helen Horstmann-Allen said adding the email alias feature to 1Password lets customers protect their email identity in the same way they protect their passwords.

    “Together, we built a feature I’m really proud of, with a partner who shares our values for both customer privacy and open standards,” Horstmann-Allen said.

    By allowing users to generate a unique email address, 1Password customers can protect themselves from the kind of phishing emails that have become all too common. A recent report from Deloitte noted that 91% of all cyberattacks start with a phishing email.

    Andrew Beyer, browser experience lead at 1Password, said people’s email addresses are entry points to their digital lives, making it essential that they remain in control of how they are used and dispersed.

    “Working with Fastmail, we’ve developed a way to make creating and filling a unique email address through 1Password as easy as generating passwords are today,” Beyer said.

    Fastmail CEO Bron Gondwana noted that email addresses are effectively a person’s online identity, and if their information is compromised in a data breach, having a randomly generated email address adds a second line of defense “because it can’t be associated with your primary email address, and therefore, your identity.”

    The companies said the feature is ideal for when someone needs to register for a free Wi-Fi network or sign up for an email newsletter. The email addresses never expire unless you manually remove them, and users can manage their aliases from the Fastmail platform. Users can also pause receiving mail to their email aliases.

    Troy Hunt, strategic advisor at 1Password and founder of Have I Been Pwned, said it is now known empirically that data breaches happen many times every single day, and the full extent of the problem is larger than anyone can quantify.

    “My service is now tracking 5 billion email addresses, with each one appearing in an average of 2 data breaches. It’s more important than ever that we protect our privacy, and protecting the primary key to our digital lives — our email address — will have a really positive impact,” Hunt said.


    FinSpy surveillance malware is now spreading through UEFI bootkits

    The nefarious FinSpy spyware has now been upgraded for deployment within UEFI bootkits.

    FinSpy, also known as FinFisher/Wingbird, is surveillanceware that has been detected in the wild since 2011. The software’s Windows desktop-based implants were detected in 2011, and mobile implants were discovered a year later. In 2019, Kaspersky researchers found new, upgraded Android and iOS samples, as well as signs of ongoing infections in Myanmar. The Indonesian government was also connected to the spyware’s use.

    At Kaspersky’s Security Analyst Summit (SAS) on Tuesday, researchers Igor Kuznetsov and Georgy Kucherin said that detection rates for Windows FinSpy implants have declined steadily over the past three years. However, the software has now been upgraded with new PC infection vectors.

    According to Kaspersky, the malware has moved on from deployment purely through Trojanized installers — normally bundled with legitimate applications — including TeamViewer, VLC, and WinRAR. In 2014, its developers added Master Boot Record (MBR) bootkits, which aim to ensure malicious code is loaded at the earliest possible opportunity on an infected machine.

    The researchers say that now, Unified Extensible Firmware Interface (UEFI) bootkits have also been added to FinSpy’s arsenal. The malware will, however, check for the presence of a virtual machine (VM), and if found, only shellcode is delivered, likely in an attempt to avoid reverse engineering attempts.

    UEFI systems are critical to computer systems as they have a hand in loading operating systems. FinSpy is not the only malware to target this machine element, with LoJax and MosaicRegressor also being prime examples. Kucherin did say, however, that the FinSpy bootkit was “not the average we normally see” and all that was necessary to install it was administrator rights.

    A sample of a UEFI bootkit that loaded FinSpy provided the team with clues to its functionality. The Windows Boot Manager (bootmgfw.efi) was replaced with a malicious variant, and once loaded, two encrypted files were also triggered, a Winlogon Injector and the Trojan’s main loader. FinSpy’s payload is encrypted, and once a user logs on, the loader is injected into winlogon.exe, leading to the decryption and extraction of the Trojan.

    If a target machine is too old to support UEFI, this does not mean it is safe from infection. Instead, FinSpy will target the system via the MBR. It is possible for the malware to strike 32-bit machines.

    The spyware is capable of capturing and exfiltrating a wide variety of data from an infected PC, including locally stored media, OS information, browser and virtual private network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.

    On mobile, FinSpy will target contact lists, SMS messages, files in memory, email content, and GPS location coordinates. In addition, the malware can monitor Voice over IP (VoIP) communication and is able to rifle through content exchanged via apps including Facebook Messenger, Signal, Skype, WhatsApp, and WeChat.

    The macOS version of FinSpy contains only one installer — and the same applies to the Linux version. However, in the latter case, the infection vector used to deliver FinSpy is currently unknown, although it is suspected that physical access may be required.

    The latest investigation into FinSpy took eight months. According to Kuznetsov, it is likely the operators “will keep upgrading their infrastructure all of the time” in what will be a “never-ending story.”


    A cloud company asked security researchers to look over its systems. Here's what they found

    While cloud computing services are often touted as more secure than building applications and hosting them in-house, that doesn’t mean those cloud services are without their own flaws. And with hackers increasingly looking to deploy their attacks through the software supply chain, cloud security is back in the spotlight.

    Cybersecurity researchers found vulnerabilities in the infrastructure of a large software-as-a-service provider which, if exploited by an attacker, could’ve been used by cyber criminals as part of a cloud-based supply chain attack. The unspecified SaaS provider invited cybersecurity researchers at Palo Alto Networks to conduct a red team exercise on their development software pipeline in order to identify vulnerabilities in the supply chain.

    “In just three days, a single Unit 42 researcher discovered critical software development flaws that left the customer vulnerable to an attack similar to those on SolarWinds and Kaseya VSA,” the security company said.

    At a time when so many businesses are reliant on cloud services, it demonstrates how misconfigurations and vulnerabilities can have a huge impact if not managed properly because of the hundreds or even thousands of companies which are reliant on the infrastructure.

    Initially provided with the limited developer access a contractor would have, the researchers managed to elevate privileges to the extent they were able to gain administrator rights to the wider continuous integration (CI) cloud environment.

    Using this access, researchers examined all of the environment they could and were able to locate and gain access to 26 Identity and Access Management (IAM) keys. Some of these contained hard-coded credentials which provided unauthorised access to additional areas of the cloud environment, which could be exploited to gain administrator access – allowing what should have been an account with limited access to gain privileges which open up the whole environment.

    While the company which had requested penetration testing was able to detect some of the activity researchers engaged in, it was only after administrator access had been gained that this was the case – in the event of a real attack, this would’ve been too late and attackers would have compromised the system.

    After the exercise, the researchers worked with the organization’s security operations center, DevOps, and red and blue teams to develop a plan of action to tighten up security with a focus on the early identification of suspicious or malicious operations within their software development pipeline.

    The researchers knew what they were looking for so were able to easily identify misconfigurations and vulnerabilities to exploit. While this might involve advanced knowledge of these environments and how to exploit them, it’s the sort of thing that specialised attack operations like ransomware gangs or nation-state backed Advanced Persistent Threat Groups (APTs) would also be familiar with – and will actively exploit if they can, as demonstrated by recent incidents.

    “Successful supply chain attacks are particularly devastating due to the widespread fallout of the attacks, for example potentially thousands of downstream customer environments being compromised. The risk of fallout conditions should mandate the increase of security mechanisms and procedures used to protect the supply chain,” Nathaniel Quist, principal researcher at Unit 42 at Palo Alto Networks, told ZDNet.
    Part of the reason these environments can be exploited is because they’re complex and can be difficult to secure – it’s understandably not a simple task and vulnerabilities and misconfigurations can snowball to the extent that with patience and the right skills, attackers could exploit access to service providers and leave customers vulnerable to attacks.

    There are a number of things which can be done to help protect cloud environments from unauthorised access, including providing access to systems and services on a role-based basis. If developer staff don’t need access to access management keys, then there’s no reason they should be able to gain hold of them.

    “Role-Based Access Controls (RBAC) within the developer roles would have prevented the Unit 42 researchers from accessing all of the developer repositories. Had the client limited developer user accounts to only the repositories required to perform their job, it would have prevented the red team from identifying all of the 26 hardcoded IAM keys,” said Quist.

    Organisations should also implement security checks and barriers as part of the development lifecycle. If this is implemented properly, it might be possible to determine that there’s been unauthorised access to systems, something which could prevent an attack from being sent down the line to customers.

    In this scenario, there’s still a security issue to deal with, but dealing with it before hundreds or thousands of customers have been affected is a much better way to deal with it.