More stories

  • Optus wants clarification in TSSR regime after having significant effect from it

    Image: Asha Barbaschow/ZDNet
    Optus is looking for a cleaner delineation on when it needs to send a notice under Australia’s Telecommunications Sector Security Reforms (TSSR) after noting it accounted for half the notices sent so far under the regime.
    Under the TSSR, carriers need to “do their best” to protect their networks from unauthorised access or interference for the purpose of security, with carriers to notify the government of any changes to their services, systems, or equipment that could have a “material adverse effect” on their ability to comply with this duty.
    In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which is reviewing the TSSR, Optus noted that over the two-year period to June 30, the Critical Infrastructure Centre received 66 notifications in total, which meant Optus itself accounted for half the notices.
    “Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said.
    “The time for the resolution of these notifications has varied between 30 days to eight months.”
    The telco said this meant the regime was not operating as intended, because telcos were each coming up with their own notification thresholds and interpretations. Consequently, the TSSR is simultaneously at risk of under-notification and over-notification.
    “This uncertainty means that it is highly unlikely that providers are implementing the rules in the same way within their organisations, creating an unequal playing field for providers,” it said.

    “Due to the confidential nature of the TSSR notifications, it is difficult for providers to engage in detailed industry discussions on this topic to ensure a consistent application of the rules.
    “If the TSSR notification provisions are retained, Optus recommends that a clearer notification threshold be developed and adopted to remove ambiguity, limit compliance risk, and create an easy ‘bright line’ to guide decision-making for providers.”
    Optus said the TSSR has created “substantial uncertainty and regulatory risk” for its investments over the past two years, as well as adding time, cost, and complexity. This is despite the telco shifting notification to different points in the lifecycle of projects, which, instead of resolving the risks, merely exchanged one type of risk for another.
    “It is unclear if security outcomes have been improved commensurately,” the telco said.
    The telco added that the government’s recent critical infrastructure Bill, new legislation that introduces a positive security obligation and cybersecurity requirements such as mandatory incident reporting and vulnerability testing for operators of critical infrastructure, could overlap with TSSR obligations. It has therefore asked for companies deemed to run critical telco infrastructure to be exempt from TSSR notifications.
    The main result of the TSSR thus far has been the banning of Huawei from 5G deployments in Australia. It was a decision that Optus said changed its market position, investment strategy, customer outcomes, and network design and capability.
    “Decisions made by government and the Critical Infrastructure Centre under the regime have had a significant effect on Optus,” it said.
    Also providing a submission to the PJCIS was the subject of the ban, Huawei, which repeated many of the arguments the vendor has previously made.
    “The politicisation of the TSSR legislation has isolated Australia from the world’s best technology and innovation, it will delay the rollout of future networks and curb competition forcing price hikes of 20-40% for operators and Australian consumers,” Huawei said.
    “This extra 5G deployment cost has already been confirmed by comments from executives at TPG, Vodafone and Optus.
    “One Australian carrier has advised Huawei it now costs 50% more to build out a mobile base station site, forcing them to scale back their 5G targets.”
    Much of the submission questioned why Huawei was banned due to being a Chinese vendor, while Ericsson and Nokia were left untouched despite having manufacturing capacity in the Middle Kingdom.
    “If the ‘risk’ is China, then how is it that Ericsson and Nokia can still manufacture, compile software, and work in partnership with the Chinese government for building 5G technology and then deliver those products into the Australian 5G networks with no independent testing?” it said.
    “In fact the TSSR legislation permits Telstra and Optus to install 5G equipment made in China by the Ericsson/Panda Electronics joint venture, while the US Department of Defense has listed Panda Electronics as a company that is either owned by or controlled by the People’s Liberation Army.”
    Huawei said the Australian government either did not know its competitors were manufacturing in China, or it did not believe they were subject to requests from Beijing, even though the communist government ran the factories.
    “Nokia co-owns its Chinese subsidiary, Nokia Shanghai Bell, together with a Chinese state-owned enterprise, China Huaxin, which holds just over 49% of the venture and has the right to nominate its CEO,” Huawei said.
    “From 2002 to 2017, the unit’s chairman also acted as the Secretary of the Chinese Communist Party committee within the company (every company of a certain size that does business in China is required to have a Party committee).”
    Huawei did not mention its own party committee secretary.
    The company also said the Australian ban on it has led to 900 direct job losses, over 1500 subcontractor job losses, and the forgoing of AU$100 million in research.
    Elsewhere on Wednesday, China continued to crack down on Australian trade, this time increasing bans on local timber and meat. Beijing previously clamped down on Australian wine by spiking tariffs and putting import bans on lobsters.
    On Tuesday, The Washington Post reported Huawei was testing automated “Uyghur alarms” that send alerts to Chinese authorities when Uyghurs are detected via its camera systems.
    The Washington Post said a document it saw from Huawei’s website was removed by the company after comment was sought. Huawei reportedly said it was “simply a test” and not a product.
    Last week, The Wall Street Journal reported the US was discussing a deal with Huawei to allow its CFO Meng Wanzhou to leave Canada and return to China if she admitted to wrongdoing.
    The Canadian ambassador to China reportedly said on Tuesday that two Canadians imprisoned by Beijing soon after Meng was detained in Vancouver were showing resilience.
    Last week, Huawei continued to end its sponsorship of Australasian sporting teams, parting ways with the Wellington Phoenix.

  • Four sentenced to prison for planting malware on 20 million Gionee smartphones

    Image: Gionee
    Four Chinese nationals were sentenced last week to prison sentences for participating in a scheme that planted malware on devices sold by Chinese smartphone maker Gionee.
    The scheme involved Xu Li, the legal representative of Shenzhen Zhipu Technology, a Gionee subsidiary tasked with selling the company’s phones, and the trio of Zhu Ying, Jia Zhengqiang, and Pan Qi, respectively the deputy general manager and software engineers at software firm Beijing Baice Technology.
    According to court documents published last week by Chinese authorities, the two companies entered into a hidden agreement in late 2018 to create a powerful software development kit (SDK) that would allow the two parties to take control of Gionee smartphones after they were sold to customers.
    The SDK was inserted on Gionee smartphones by Shenzhen Zhipu Technology in the form of an update to Story Lock Screen, a screen-locker app that came preinstalled with Gionee devices.
    But Chinese officials said the SDK acted like a trojan horse and converted infected devices into bots, allowing the two companies to control customers’ phones.
    The two companies used the SDK to deliver ads through a so-called “live pulling” function.
    The two companies made $4.26 million from ads
    Court documents say that between December 2018 and October 2019, more than 20 million Gionee devices across the world received more than 2.88 billion “pull functions” (ads), generating more than 27.85 million Chinese yuan ($4.26 million) in profit for the two companies.

    The entire scheme appears to have come crashing down after a suspected bug started blocking access to some Gionee phone screens. This led the parent company’s support staff to start an investigation, which in turn led to an official complaint to Chinese authorities.
    The four suspects were arrested in November 2019. According to reports from local media, the four didn’t dispute the investigators’ findings and pleaded guilty in exchange for reduced sentences.
    The quartet received prison sentences ranging from 3 to 3.5 years and fines of 200,000 Chinese yuan ($30,500) each.
    Shenzhen Zhipu Technology also received a separate fine of 400,000 Chinese yuan ($61,000).
    A Gionee spokesperson did not return emails or phone calls seeking comment on the countries where the malware-laced smartphones were sold.

  • NZ adopts Google/Apple COVID-19 exposure notification tech for contact tracing

    The New Zealand government has done what the Australian government should have by implementing the COVID-19 contact tracing framework developed by Apple and Google instead of pushing forward with a problem-riddled app.
    From Thursday, the NZ COVID Tracer app will see the addition of Bluetooth tracing, which adopts the Apple/Google Exposure Notification Framework.
    “Kiwis deserve a summer break more than ever this year but we cannot take our eye off the ball. The prospect of another outbreak should serve as a rock under our beach towels. That’s no bad thing,” Minister for COVID-19 Response Chris Hipkins said.
    When an app user tests positive for COVID-19, they can choose to alert other app users who may have been exposed to the virus. Other app users will then receive an alert if they have been near that app user who tested positive for COVID-19.
    The Ministry of Health will not know an individual has received an alert unless that individual chooses to get in touch for information and advice.
    “But it’s vitally important that New Zealanders see Bluetooth as an additional tool that will help to speed up contact tracing,” Hipkins said. “We need to continue to scan QR codes wherever we go, and businesses, services, and public transport providers must keep displaying their QR code posters at all alert levels.
    “QR codes allow us to create a private record of the places we’ve been, while Bluetooth creates an anonymised record of the people we’ve been near.”

    Hipkins said that, combined, they complement the work done by public health units and the National Investigation and Tracing Centre to rapidly identify and isolate close contacts.
    “That continues to be the primary method for contact tracing in New Zealand,” he added.
    There are currently around 2.4 million registered users of the NZ COVID Tracer app, of which approximately 90% will have phones that are compatible with Bluetooth tracing. 
    Being mindful that many New Zealanders are without access to a compatible smartphone, Hipkins said that while no decisions have yet been made on any wider rollout of the proposed contact tracing cards, there is potential for the cards or other wearables to form part of a broader system of interoperable technologies.
    “The recent community trial of the cards with the Te Arawa COVID-19 Response Hub has highlighted that a partnership approach to any future rollout of cards or wearables will be essential to increasing community trust and participation with contact tracing technologies,” he said.
    The app has been endorsed by the Privacy Commissioner, and the Ministry of Health will release the source code on Friday.
    NZ COVID Tracer will update automatically and Bluetooth tracing will be turned off by default.
    As of Tuesday, the total number of active cases in New Zealand was 54. The total number of confirmed cases since the pandemic hit the country is 1,729.
    Six new cases were found on Tuesday, all of them returned travellers.

  • FireEye, one of the world’s largest security firms, discloses security breach

    FireEye, one of the world’s largest security firms, said today it was hacked and that a “highly sophisticated threat actor” accessed its internal network and stole hacking tools FireEye uses to test the networks of its customers.

    In a press release today, FireEye CEO Kevin Mandia said the threat actor also searched for information related to some of the company’s government customers.
    Mandia described the attacker as a “highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”
    “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said in a statement released after markets closed.
    “This attack is different from the tens of thousands of incidents we have responded to throughout the years,” the FireEye top exec added.
    “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus.
    “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
    Microsoft confirms nation-state attribution

    FireEye said its assessment was confirmed by Microsoft, which the company brought in to help investigate the breach.
    The Federal Bureau of Investigation was also notified and is currently assisting the company, a major government contractor.
    Because FireEye believes the attackers got their hands on its custom penetration testing tools, the company is now sharing indicators of compromise (IOC) on its GitHub account. These IOCs can help other companies detect if hackers used any of FireEye’s stolen tools to breach their networks.
    But despite the gloomy news, FireEye is not the first major security firm that got hacked by a nation-state group. Kaspersky disclosed a similar breach in 2015; RSA Security was also hacked in 2011 by a nation-state actor later linked to China; and Avast got hacked twice, the first time in 2017, and again in 2019.
    On Twitter, top executives from security firms CrowdStrike and Dragos showed their support for FireEye and Mandia.

    With the Fireeye breach news coming out, it’s important to remember that no one is immune to this. Many security companies have been successfully compromised over the years, including Symantec, Trend, Kaspersky, RSA and Bit9 1/
    — Dmitri Alperovitch (@DAlperovitch) December 8, 2020

    Going to be a lot of folks that dunk on FireEye for this but from my quick review they found it themselves and self disclosed. Everyone gets breached. Kudos to Kevin and the team for detecting and responding well. https://t.co/CxHM375Jbu
    — Robert M. Lee (@RobertMLee) December 8, 2020

  • Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities

    Microsoft has published today 58 security fixes across 10+ products and services, as part of the company’s monthly batch of security updates, known as Patch Tuesday. 

    There’s a smaller number of fixes this December compared with the 100+ fixes Microsoft regularly ships each month, but this doesn’t mean the bugs are less severe.
    More than a third of this month’s patches (22) are classified as remote code execution (RCE) vulnerabilities. These are the security bugs that need to be addressed right away, as they are more easily exploitable, with no user interaction, either via the internet or from across a local network.
    This month, we have RCEs in Microsoft products like Windows NTFS, Exchange Server, Microsoft Dynamics, Excel, PowerPoint, SharePoint, Visual Studio, and Hyper-V.
    The highest-rated of these bugs, and the ones most likely to come under exploitation, are the RCE bugs impacting Exchange Server (CVE-2020-17143, CVE-2020-17144, CVE-2020-17141, CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142) and SharePoint (CVE-2020-17118 and CVE-2020-17121).
    Patching these first is advised, as, by their nature, Exchange and SharePoint systems are regularly connected to the internet and, as a result, are more easily attacked.
    Another major bug fixed this month is in Hyper-V, Microsoft’s virtualization technology used to host virtual machines. Exploitable via a malicious SMB packet, this bug could allow remote attackers to compromise virtualized sandboxed environments, the very thing Hyper-V was designed to protect.

    Below are additional details about today’s Microsoft Patch Tuesday and security updates released by other tech companies:
    Microsoft’s official Security Update Guide portal lists all security updates in a filterable table.
    ZDNet has published this file listing all this month’s security advisories on one single page.
    Adobe’s security updates are detailed here.
    SAP security updates are available here.
    Intel security updates are available here.
    VMware security updates are available here.
    Chrome 87 security updates are detailed here.
    Android security updates are available here.
    Tag | CVE ID | CVE Title
    Microsoft Windows DNS | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver
    Azure DevOps | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
    Azure DevOps | CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability
    Azure SDK | CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability
    Azure SDK | CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability
    Azure Sphere | CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability
    Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability
    Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure
    Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
    Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
    Microsoft Edge | CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability
    Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability
    Microsoft Exchange Server | CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability
    Microsoft Exchange Server | CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Exchange Server | CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability
    Microsoft Graphics Component | CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability
    Microsoft Graphics Component | CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability
    Microsoft Office | CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office | CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability
    Microsoft Office | CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability
    Microsoft Office SharePoint | CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability
    Microsoft Office SharePoint | CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability
    Microsoft Office SharePoint | CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability
    Microsoft Windows | CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability
    Microsoft Windows | CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability
    Microsoft Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
    Microsoft Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
    Visual Studio | CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability
    Visual Studio | CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability
    Windows Backup Engine | CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Backup Engine | CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability
    Windows Error Reporting | CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability
    Windows Hyper-V | CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability
    Windows Lock Screen | CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability
    Windows Media | CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability
    Windows SMB | CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability
    Windows SMB | CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability
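    A defender’s triage of the advisory list above, as an added example (not ZDNet’s or Microsoft’s code): it parses the flattened Tag / CVE ID / CVE Title rows, classifies each entry by the impact named in its title, and orders the result the way the article recommends, RCEs on internet-facing Exchange and SharePoint first. The embedded input is a hand-copied excerpt of the table, and the set of internet-facing product tags is an assumption to adjust to your own estate.

```python
"""Triage a Patch Tuesday advisory list by impact class and exposure."""
import re
from dataclasses import dataclass

# Excerpt copied by hand from the flattened table on this page (3 lines per entry).
INPUT = """\
Microsoft Windows DNS
ADV200013
Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver
Microsoft Exchange Server
CVE-2020-17143
Microsoft Exchange Information Disclosure Vulnerability
Microsoft Exchange Server
CVE-2020-17144
Microsoft Exchange Remote Code Execution Vulnerability
Microsoft Office
CVE-2020-17128
Microsoft Excel Remote Code Execution Vulnerability
Microsoft Office SharePoint
CVE-2020-17118
Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft Office SharePoint
CVE-2020-17089
Microsoft SharePoint Elevation of Privilege Vulnerability
Microsoft Windows
CVE-2020-16996
Kerberos Security Feature Bypass Vulnerability
Windows Hyper-V
CVE-2020-17095
Hyper-V Remote Code Execution Vulnerability
Windows SMB
CVE-2020-17096
Windows NTFS Remote Code Execution Vulnerability
"""

# Impact classes, tested in order; the first keyword found in the title wins.
IMPACT_KEYWORDS = [
    ("RCE", "Remote Code Execution"),
    ("EoP", "Elevation of Privilege"),
    ("SFB", "Security Feature Bypass"),
    ("InfoDisclosure", "Information Disclosure"),
    ("Spoofing", "Spoofing"),
]
# Product tags the article singles out as regularly internet-exposed (assumption).
INTERNET_FACING = {"Microsoft Exchange Server", "Microsoft Office SharePoint"}
# Microsoft uses both CVE ids and ADV advisory ids in the same table.
ID_RE = re.compile(r"(CVE-\d{4}-\d{4,}|ADV\d{6})")


@dataclass(frozen=True)
class Advisory:
    tag: str
    ident: str
    title: str
    impact: str


def classify(title: str) -> str:
    """Map an advisory title to an impact class ('Other' if none matches)."""
    for name, keyword in IMPACT_KEYWORDS:
        if keyword.lower() in title.lower():
            return name
    return "Other"


def parse(text: str) -> list[Advisory]:
    """Parse the flattened table: consecutive triples of tag, id, title."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("table is not a whole number of tag/id/title triples")
    advisories = []
    for i in range(0, len(lines), 3):
        tag, ident, title = lines[i:i + 3]
        if not ID_RE.fullmatch(ident):
            raise ValueError(f"unexpected identifier {ident!r}")
        advisories.append(Advisory(tag, ident, title, classify(title)))
    return advisories


def priority(adv: Advisory) -> int:
    """0 = RCE on an internet-facing product, 1 = any other RCE, 2 = the rest."""
    if adv.impact != "RCE":
        return 2
    return 0 if adv.tag in INTERNET_FACING else 1


def count_by_impact(advs: list[Advisory]) -> dict[str, int]:
    """Tally entries per impact class (the article's '22 RCEs' style figure)."""
    counts: dict[str, int] = {}
    for adv in advs:
        counts[adv.impact] = counts.get(adv.impact, 0) + 1
    return counts


def triage(advs: list[Advisory]) -> list[tuple[int, str, str]]:
    """(priority, id, title) rows, most urgent first; ties broken by tag then id."""
    ordered = sorted(advs, key=lambda a: (priority(a), a.tag, a.ident))
    return [(priority(a), a.ident, a.title) for a in ordered]
```

    Running `triage(parse(INPUT))` puts the Exchange and SharePoint RCEs at the top, the remaining RCEs next, and everything else (including the Exchange information-disclosure bug) in the scheduled bucket.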

  • GitHub rolls out dependency review, vulnerability alerts for pull requests

    GitHub will roll out dependency review, a security assessment for pull requests, in the coming weeks to developers. 
    The open source development platform said on Tuesday at the GitHub Universe conference that dependency review is a system designed to help “reviewers and contributors understand dependency changes and their security impact at every pull request” and has been developed to try to prevent vulnerable code from being merged by accident along with new or updated dependencies.
    Added to the GitHub roadmap this year, the new tool will give developers an overview of which dependencies are added or removed from a project, when they were updated, how many other projects lean on a dependency, and any vulnerability information associated with them. 
    Dependency review is currently in beta and will become available to public repositories and Advanced Security customers on GitHub Enterprise Cloud, with a rollout expected in the “coming weeks.” The feature will be made available for free to public repositories. 

    Image: Example dependency review record (GitHub)
    GitHub’s current security offerings include a vulnerability advisory database, temporary private fork features to fix bugs before public disclosure, dependabot alerts, and automated pull requests for security updates. 
    In 2020, the platform logged 56 million developers and the creation of 60 million new repositories. Over 90% of projects utilize open source components and have almost 700 dependencies on average. 

    According to GitHub research, vulnerabilities can go undetected for up to four years in open source software. Although the majority of bugs are the result of human error rather than malice, vulnerabilities in components that could be extensively used by third-party vendors need to be dealt with as quickly as possible, and any means to prevent them from being added as dependencies is valuable.
    The organization also revealed a slew of other changes, including a new build of GitHub Enterprise Server, with release starting December 16. The new GHES 3.0 release candidate will include built-in CI/CD and automation features within GitHub Actions and Packages. 
    In addition, GHES 3.0 will allow enterprise customers to automate Advanced Security, including code and secret scanning (in beta), during server deployments. 
    GitHub also announced:
    • Dark mode: Available today under settings
    • Discussions: Now available for all public repositories
    • Auto-merge pull requests: Rolling out over the next few weeks, this opt-in setting allows developers to permit automatic pull request merges once checks have passed
    • Environments: Environments can be used with specific secrets to protect apps and packages, starting later this month
    • Workflow visualization: Action workflows can now be visualized in graphs
    • Mobile support: A beta version of mobile support for GitHub Enterprise Server is in development
    In addition, GitHub Sponsors has been expanded from individual funding to investment from businesses. According to the firm, GitHub Sponsors for companies will allow organizations to “invest in the open source developers and projects that they depend on” through GitHub billing. 
    Companies including AWS, American Express, Daimler, and Microsoft have already signed up to financially support open source projects. 

  • Accounts with default creds found in 100+ GE medical device models

    Image: Harlie Raethel, GE Healthcare
    More than 100 models of General Electric Healthcare medical devices come with hidden accounts that use the same default credentials and could be abused by hackers to gain access to medical equipment inside hospitals and clinics.

    Affected devices include the likes of CT scanners, X-Ray machines, and MRI imaging systems, according to CyberMDX, the security firm that discovered the hidden accounts earlier this year.
    The accounts, hidden from end-users, are included in the device firmware and are used by GE Healthcare servers to connect to on-premises devices and perform maintenance operations, run system health checks, obtain logs, run updates, and other actions.
    CyberMDX says the problem with these accounts is that they use the same default credentials, and that the credentials are public and can be found online by threat actors, who can then abuse them to gain access to hospital imaging systems and harvest patient personal data.
    GE’s effort to help customers
    In an email interview on Monday, GE told ZDNet that they are “not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation,” however, this doesn’t mean the issue won’t be abused in the future.
    To stay ahead of attackers and prevent future intrusions, GE has now embarked on a massive effort to help hospitals and other healthcare providers reconfigure all the devices where these accounts are present.
    In a security alert it plans to publish today, GE will advise customers to contact GE support staff to make an appointment and have GE personnel change the passwords for these hardcoded accounts.

    This step is necessary because the accounts are invisible to end-users, and only GE staff can change their credentials.
    “We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall,” a GE Healthcare spokesperson told ZDNet via email.
    “A patch is not required to solve this issue,” GE said.
    What’s vulnerable
    According to CyberMDX, the hidden accounts it discovered granted access to the following services and features:
    • FTP (port 21) – used by the modality to obtain executable files from the maintenance server.
    • SSH (port 22)
    • Telnet (port 23) – used by the maintenance server to run shell commands on the modality.
    • REXEC (port 512) – used by the maintenance server to run shell commands on the modality.
    The list of vulnerable devices where these accounts are present includes 104 GE Healthcare device models. The biggest and most well-known GE Healthcare product lines affected by this issue, which CyberMDX has been tracking under the codename MDHexRay, include:
    Exploiting MDHexRay requires access to a hospital’s network
    But according to CyberMDX, the good news is that exploiting any of these default credentials to gain access to a device requires that an attacker have access to a hospital’s internal network.
    “We haven’t found cases where the devices were left exposed online,” Elad Luz, Head of Research at CyberMDX, told ZDNet in an email interview.
    “Internal network access is required, […] something that unfortunately happens quite commonly, especially recently,” Luz said, referring to the growing number of security breaches and ransomware intrusions reported by healthcare organizations this year.

  • Lightning does strike twice: If you get hacked once, you’ll probably be attacked again within a year

    Businesses which suffer a successful cyber attack are extremely likely to be targeted by cyber criminals again – even if they’ve taken all the correct steps in the aftermath of the initial attack.
    The CrowdStrike Services Cyber Front Lines report uses analysis of real-world cases where the cybersecurity company has been brought in to help combat cyber attacks, and it reveals that in over two-thirds of cases where there were outside intrusions onto the network, cyber criminals will attempt to break into the same network again within one year.
    According to Crowdstrike, 68% of companies encountered another “sophisticated intrusion attempt” within 12 months – although in each of these cases, the second attack was prevented from compromising or otherwise gaining access to the network.
    While organisations might feel that if they’re hit by a cyber attack once – whether that’s malware, ransomware, business email compromise, phishing or something else – then they won’t be targeted again, if anything it’s the opposite that’s true.
    Cyber criminals probably come back because they are hoping that an organisation has not learned the lessons of the first attack and has perhaps even left in place the same vulnerabilities that allowed the initial attackers to breach the network.
    “It is tempting to think of intrusions as a lightning strike — a blinding flash that is unlikely to strike the same place twice. Unfortunately, intrusion attempts are rarely a one-time event,” said the report.

    “Organisations that do not take the opportunity to apply lessons learned and to better prepare for their next encounter with an adversary may well suffer attacks that result in additional data loss, ransom demands, extortion or other monetary losses requiring costly legal fees, response services and perhaps even future business interruption,” the paper added.
    It’s recommended that in the aftermath of a breach – once the network is secured with timely security updates, stronger passwords and multi-factor authentication – that organisations take the opportunity to learn from the incident and remain vigilant about what they can do to prevent future attacks and even plan how they’d react to another incident.
    One way of doing this is to regularly perform penetration testing to find out where the vulnerabilities are on the network and if defenders can detect the intrusions, particularly when it comes to new kinds of attack or vulnerability.
    “Holistic coordination and continued vigilance are key in detecting and stopping sophisticated intrusions,” said Shawn Henry, chief security officer and president of CrowdStrike Services.
    “Because of this, we’re seeing a necessary shift from one-off emergency engagements to continuous monitoring and response. This will better enable incident response teams to help customers drastically reduce the average time to detect, investigate and remediate,” he added.