Healthcare Cybersecurity Threats: August 2023

Vulnerabilities from two very different IT manufacturers and device types were notable threats in August. They serve as a reminder that continuous patch management and replacement of End of Life (EOL) technology is fundamental to cybersecurity.  

The severity of these vulnerabilities should not be underestimated, as both allow significant access to the network and enable threat actors to employ Living off the Land attacks. Let’s delve into the details of these threats and recommendations for mitigation. 

Dell’s hardcoded encryption key 

A default encryption password was discovered in Dell’s Compellent Integration Tools for VMware (CITV), allowing attackers to access and extract the vCenter administrator credentials used for integrations. The implications of this vulnerability could be severe, potentially compromising VMware environments and even entire hospital networks.  

Dell Compellent, an enterprise storage system line that reached its end of life in 2019, provides software support for integration with VMware vCenter. For successful integration, VMware vCenter credentials need to be stored in the encrypted configuration file of the Dell program. 

What heightens the concern is that the CITV uses a hardcoded AES encryption key to encrypt and decrypt CITV configuration files. These files contain vCenter administrator credentials, making them a prime target for threat actors who can decrypt them. 

Affected Products / Versions 

• Dell Compellent SC4020 
• Dell Storage SC8000
• Dell Compellent Series 40 
• Dell Storage SCv2000 
• Dell Storage SCv2020 
• Dell Storage SCv2080 
• Dell Storage SC5020
• Dell Storage SC5020F 
• Dell Storage SC7020 
• Dell Storage SC7020F 
• Dell Storage SC9000 
• Dell Storage SCv3000 
• Dell Storage SCv3020 

CVEs 

• CVE-2023-39250 

Recommendations 

• Change the default root password of all current appliances using Compellent DSITV and restart the system 
• Ensure the default root password of all new appliances using Compellent DSITV is changed 
• Add an organizational policy to remind users to change the default password on any new installs
  
  

Vulnerabilities in Barracuda’s ESG

On August 23rd, the FBI released a Flash Bulletin highlighting a security concern with Barracuda Network’s Email Security Gateway (ESG) appliance. Threat actors, believed to be affiliated with Chinese cyber groups, have exploited this vulnerability, delivering various harmful payloads to compromised systems. Notably, they’ve leveraged initial access to the ESG as a stepping stone to infiltrate broader network systems of their victims. 

Healthcare organizations, in particular, are at heightened risk due to this exploitation of Barracuda’s ESG appliances. Alarmingly, even patched systems remain vulnerable to malicious payload insertions. The vulnerability, CVE-2023-2868, is a remote command injection flaw affecting Barracuda ESG versions 5.1.3.001-9.2.0.006. It gives threat actors the ability to send uniquely structured TAR file attachments to an email address connected to an ESG appliance. Once received, the malicious file triggers a command injection into the ESG, leading to unauthorized system command execution within the system. 

Affected Products / Versions 

• Barracuda Email Security Gateway appliances 

CVEs 

• CVE-2023-2868 

Recommendations 

• Remove all ESG appliances and check for outgoing connections using the list of indicators provided by law enforcement 
• Review email logs to identify the initial point of exposure 
• Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise 
• Revoke and reissue all certificates that were on the ESG at the time of compromise 
• Monitor the entire network for the use of credentials that were on the ESG at the time of compromise 
• Review network logs for signs of data exfiltration and lateral movement 
• Capture a forensic image of the appliance and conduct a forensic analysis 

In addition to the recommendations above, CISA recently issued a malware analysis of Barracuda backdoors due to the attacks on its devices.  

Wake-up calls from August’s cyber threats

These vulnerabilities are not isolated incidents but symptoms of a bigger issue that healthcare IT professionals must address. Continuous patch management and the replacement of EOL technology are not just best practices; they are necessities in today’s threat environment.  

To learn more about what drives these attacks and how to mitigate them, check out our webinar, New Era in Healthcare Cybersecurity.