
Latest Cybersecurity News

ISA is committed to keeping the security community up to date with the latest cybersecurity news. 


Reminder to apply “Zerologon” patch

The urgency to patch Microsoft Windows Server vulnerability CVE-2020-1472 – dubbed “Zerologon” – has heightened, as the bug has now been exploited “in the wild”.

All current versions of Windows are exposed to this critical privilege-escalation bug in the Netlogon Remote Protocol remote procedure call (RPC) used by domain controllers. With a specially crafted payload (specifically, a strategically placed string of zeroes in Netlogon messages that can change the domain controller’s computer account password stored in Active Directory), attackers can seize control of the domain controller and spoof the identity of any computer account on the network. From there, the attackers can easily move laterally to take control of systems, pull data, or drop malware throughout the network. With the recent release of a proof-of-concept exploit for the bug, attackers wasted no time in crafting real-world attacks on unpatched systems. Exposure to potential ransomware and/or data exfiltration attacks is significant.

A rare “two-phase” patch was released for the bug back in August 2020. The first phase disabled the legacy RPC call that was being exploited, and started the enforcement of secure RPC on domain controllers, supported Windows systems and trust accounts. The next phase, tentatively scheduled for release in February 2021, will require all Windows and non-Windows devices to use secure RPC with the Netlogon secure channel (or allow access by explicitly adding a group policy exception for the non-compliant device as a workaround).
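A defender-side triage of the Netlogon events that the August 2020 update writes to a domain controller’s System log, added here as an example and not code from ISA or Microsoft. The event IDs are the ones Microsoft documented alongside the patch (5827/5828 denied, 5829 allowed during the initial deployment phase, 5830/5831 allowed by group policy exception); the exported log lines and account names are constructed.

```python
import re
from collections import Counter

# Netlogon event IDs added by the August 2020 update for CVE-2020-1472.
DENIED = {5827, 5828}            # vulnerable connection refused
ALLOWED_DEPLOYMENT = {5829}      # allowed only until the enforcement phase
ALLOWED_POLICY = {5830, 5831}    # allowed by an explicit group policy exception

# Constructed sample export: "EventID<TAB>Message", one event per line.
SAMPLE_LOG = """\
5829\tThe Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: LEGACY-NAS$ Domain: CORP
5827\tThe Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: OLD-PRINTER$ Domain: CORP
5830\tThe Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed by group policy. Machine SamAccountName: SCADA-HMI$ Domain: CORP
5829\tThe Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: LEGACY-NAS$ Domain: CORP
4624\tAn account was successfully logged on.
"""

ACCOUNT_RE = re.compile(r"SamAccountName:\s*(\S+)")

def parse_netlogon_events(text):
    """Yield (event_id, account) for the Zerologon-related events only."""
    for line in text.splitlines():
        eid_str, _, msg = line.partition("\t")
        if not eid_str.isdigit():
            continue                      # blank line or malformed export row
        eid = int(eid_str)
        if eid in DENIED | ALLOWED_DEPLOYMENT | ALLOWED_POLICY:
            m = ACCOUNT_RE.search(msg)
            yield eid, (m.group(1) if m else "<unknown>")

def triage(text):
    """Count accounts per outcome: denied, allowed (deployment), allowed (policy)."""
    report = {"denied": Counter(), "allowed_deployment": Counter(), "allowed_policy": Counter()}
    for eid, account in parse_netlogon_events(text):
        bucket = ("denied" if eid in DENIED else
                  "allowed_deployment" if eid in ALLOWED_DEPLOYMENT else "allowed_policy")
        report[bucket][account] += 1
    return report

def needs_action_before_enforcement(text):
    """Accounts still relying on the deployment-phase allowance: they will be
    refused once enforcement begins unless patched or granted a policy exception."""
    return sorted(triage(text)["allowed_deployment"])
```

Accounts that appear only under 5830/5831 are already covered by an explicit exception, so the list to act on before the enforcement phase is the 5829 set.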

The Canadian Centre for Cybersecurity issued an alert providing additional background, sample indicators of compromise (IOCs) and a call for all affected organizations to patch immediately. American, Australian, and Indian governmental cybersecurity authorities have followed suit, issuing mandatory orders for federal agencies to act right away. All companies using Windows domain controllers are strongly encouraged to assess their exposure to this bug and implement a patching or remediation strategy as soon as possible.

Universal Health Services suffers major cyber attack

Universal Health Services, a network of nearly 400 hospitals and healthcare facilities throughout the United States and the United Kingdom, has suffered a serious ransomware attack. According to their press release, UHS “experienced an information technology security incident in the early morning hours of September 27, 2020”. The incident appears to have started with systems in the company’s home state of Pennsylvania, but quickly spread to locations in California, Florida, and Arizona. Eventually, all 250 U.S.-based facilities operated by UHS were affected directly or indirectly by the attack.

Screenshots taken by anonymous UHS staff appear to confirm that the ransomware involved is called Ryuk, a ransomware variant that has been used in a number of other large-scale attacks on the healthcare sector in recent years. The UHS incident – one of the biggest-ever cyber attacks on healthcare – is just the latest.

UHS conceded that, “while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.” There is no indication that patient or staff data was accessed during the attack, according to the statement.

By all accounts, UHS appeared to have a credible incident response plan in place. Their statement to the media came only two days after the initial incident, and indicates that UHS is “working diligently with its security partners to restore its information technology operations as quickly as possible”. According to a staff member quoted on CNN, they proactively shut down some systems “to protect the network when they detected the attack and they’re working using these downtime protocols to maintain clinical operations in a safe way while they slowly bring systems back up online”. And they have implemented their business continuity plan, involving tracking charts and patient data by hand.

The health sector has always been a top target for cyber attack, but the COVID-19 pandemic has made hospitals, research labs, pharmaceutical companies, and healthcare providers even more of a target than ever before. Earlier in September, the Ashtabula County Medical Center (a large Cleveland, Ohio-based hospital) was knocked offline for over a week by a cyberattack, forcing it to postpone all elective procedures. Further, companies researching COVID-19 tests and vaccines suffered September attacks as well: eResearchTechnology (conducting vaccine trials), IQVIA (also involved in COVID-19 vaccine work) and Bristol Myers Squibb (the leader of an alliance working on a fast COVID-19 test) were each hit by ransomware demands. By some accounts, 53 significant U.S. health care providers or health care systems have now been affected by ransomware in the first nine months of 2020.

October is Cybersecurity Awareness Month

ISA has joined organizations around the world in celebrating and promoting National Cybersecurity Awareness Month. We’ve published an extensive catalogue of resources, activities, and events happening this month.
