TLP White: In this edition of Hacking Healthcare, we discuss the difficulty of implementing one-size-fits-all cybersecurity policy in Europe. We also break down the troubling re-occurrence of Triton malware on critical infrastructure. We then dive into the chaos caused by an irresponsible vulnerability disclosure. Finally, we explore the recent revelation of insecurity in enterprise VPN applications.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Uneven Implementation Stymies European One-size-fits-all Cybersecurity Approach.
In response to the European Commission’s inquiry into the potential application of a cyber resilience testing framework for European market participants and infrastructures, the financial European Supervisory Authorities (“ESAs”) EBA, EIOPA and ESMA relayed their hesitance in adopting such measures due to the significant differences found in cybersecurity maturity in the sector.
The ESAs noted that while there were clear benefits to the implementation of such policies, the differences in available resources and the varied starting positions of entities would complicate successful implementation in the short term. The ESAs did, however, recommend a push for a multi-stage process and for baseline cyber resilience across sectors depending on their needs and risk profile.[1]
The European Commission also pressed the ESAs to provide insight on improving information and communications technology risk management requirements. On this matter, the ESAs outlined the need to streamline incident reporting frameworks and suggested potentially reformulating how third party service providers are monitored.[2]
2. Safety System Targeting Malware Hits Second Critical Infrastructure Site.
In 2017, FireEye released a concerning report on a previously unseen malware that attacked an unnamed critical infrastructure operator’s safety system.[3] The report stated that, with moderate confidence, the developed malware was likely intended to cause physical damage to potentially shut down the facility and was “consistent with a nation state preparing for an attack.”[4]
Last week, FireEye confirmed that this unwelcome discovery has reappeared, this time infecting a different critical infrastructure facility. The malware known as Triton, notable for its sophistication and for its targeting of Triconex product safety systems, was found to have targeted the new site’s operational technology system.[5] While the FireEye report released last Wednesday lacks full details for security and privacy reasons, it asserted that the intruders “were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”[6]
The reappearance of this specialized and sophisticated malware is doubly concerning given FireEye’s statement that they “had never before encountered any of the actor’s custom tools, despite the fact that many of them date to several years before the initial compromise.”[7] This has led some to speculate that only a sophisticated nation state actor would be capable of such activities and that more critical infrastructure sites may unknowingly be infected.
3. Irresponsible Disclosure.
The past few weeks have been a boon to malicious actors wanting to take advantage of WordPress plugins, all thanks to an angry self-described security service provider. In an anonymous post, the security service provider Plugin Vulnerabilities publicly released detailed information on numerous WordPress plugin zero-day vulnerabilities with the apparent intent of causing widespread disruption.[8] It appears the author was unhappy with WordPress support forum moderators and the WordPress patching process generally.
This has resulted in the almost instantaneous exploitation of the vulnerabilities in the wild and the exposure of 160,000 websites to malicious attacks while patches were developed and rolled out.[9] Some of the attack code even seemed to be cut and pasted from the unnecessarily detailed public disclosure.[10]
4. Enterprise VPN Apps Insecure?
From our “Public Service Announcement” department, we highlight that popular enterprise VPN applications from well-known companies like Palo Alto Networks, Pulse Secure, Cisco, and F5 Networks are not secure according to CISA and CERT/CC.[11] In a Vulnerability Note posted last Thursday, CERT/CC stated that “Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.… If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”[12] CERT/CC also notes that users and operators should be aware that the configuration responsible for the insecurity is likely generic to other VPN applications.
At the time of writing, Palo Alto Networks has issued a patch for their GlobalProtect product, Cisco has not released a statement, PulseSecure has published an advisory and has made patches to its Pulse desktop client and Pulse Connect Secure available, and F5 has offered a mitigation measure.[13] Those interested in updates or more technical analysis should consult the CERT/CC Vulnerability Note linked in the endnotes.
Congress –
Tuesday, April 16th:
–No relevant hearings.
Wednesday, April 17th:
–No relevant hearings.
Thursday, April 18th:
–No relevant hearings.
International Hearings/Meetings –
EU –
Tuesday, April 16th:
–European Parliament – Environment, Public Health, and Food Safety Committee
Conferences, Webinars, and Summits –
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/
–Increasing OT Security for Life Sciences & Healthcare
<https://h-isac.org/hisacevents/navigator-deloitte-webinar/>
–Peer Sharing ICS Security Workshop – Singapore (4/24/2019)
<https://event.boozallen.com/ICSWorkshopSingapore>
–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)
<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>
–H-ISAC Medical Device Security Workshop – Burlington, VT (5/1/19)
<https://h-isac.org/hisacevents/h-isac-md-workshop-vt/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
<https://endeavor.swoogo.com/2019-Philadelphia-Health-IT-Summit>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019)
<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
<https://h-isac.org/hisacevents/workshop-london/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
<https://endeavor.swoogo.com/2019-LosAngeles-Health-IT-Summit>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
<https://endeavor.swoogo.com/2019-Dallas-Health-IT-Summit>
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
<https://endeavor.swoogo.com/2019-PacificNorthwest-HITSummit>
–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–Yahoo tries to settle 3-billion-account data breach with $118 million payout
<https://arstechnica.com/tech-policy/2019/04/yahoo-tries-to-settle-3-billion-account-data-breach-with-118-million-payout/>
–Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords
<https://arstechnica.com/information-technology/2019/04/serious-flaws-leave-wpa3-vulnerable-to-hacks-that-steal-wi-fi-passwords/>
–Two Thirds of Hotel Sites Leak Guest Booking Info to Third-Parties
<https://www.bleepingcomputer.com/news/security/two-thirds-of-hotel-sites-leak-guest-booking-info-to-third-parties/>
–Tax Fraud and ID Theft Services Getting Cheaper on the Dark Web
<https://www.bleepingcomputer.com/news/security/tax-fraud-and-id-theft-services-getting-cheaper-on-the-dark-web/>
—Why bug bounty firms want to be penetration testing companies
https://www.cyberscoop.com/bug-bounty-pen-testing-hackerone-synack-bugcrowd/
—Pregnancy club Bounty UK fined £400,000 by data protection regulator
<https://www.healthcareitnews.com/news/pregnancy-club-bounty-uk-fined-400000-data-protection-regulator>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1]https://eba.europa.eu/documents/10180/2551996/JC+2019+25+%28Joint+ESAs+Advice+on+a+coherent+cyber+resilience+testing+framework%29.pdf/d229589f-a855-45f2-ad5a-411792792e60
[2] https://www.finextra.com/newsarticle/33670/european-regulators-advise-against-one-size-fits-all-cybersecurity-policy
[3] https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
[4] ibid
[5] https://arstechnica.com/information-technology/2019/04/mysterious-safety-tampering-malware-infects-a-2nd-critical-infrastructure-site/
[6] https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
[7] ibid
[8] https://www.pluginvulnerabilities.com/
[9] https://arstechnica.com/information-technology/2019/04/a-security-researcher-with-a-grudge-is-dropping-web-0days-on-innocent-users/
[10] ibid
[11] https://www.us-cert.gov/ncas/current-activity/2019/04/12/Vulnerability-Multiple-VPN-Applications
[12] https://www.kb.cert.org/vuls/id/192371/
[13] https://www.bleepingcomputer.com/news/security/multiple-enterprise-vpn-apps-allow-attackers-to-bypass-authentication/