In July, cybercriminals increasingly targeted Linux systems and exploited new zero-day vulnerabilities in Citrix solutions. While threat actors never cease looking for new vulnerabilities to exploit, it’s worth noting that this surge in activity coincides with the industry’s habit of retiring software products in the Fall. Both Microsoft and Google have products nearing end-of-life (EoL) status, and the resulting gaps in patch coverage require prompt attention.
Crippling Attacks Targeting Linux Systems
A report from the Palo Alto Networks Unit 42™ research team reveals that from December 2022 to May 2023, there was a 50% increase in malicious files targeting Linux systems. High-profile groups like Cl0p, Hive, and Blackcat are producing ransomware and malware tailored for Linux, including REvil, Tycoon, QNAPcrypt, and Darkside.
While Linux’s proactive open-source community has traditionally patched flaws swiftly, earning the platform its reputation for security, the rise in Linux-targeted threats is testing that reputation. It’s vital to intensify patching and hardening efforts for Unix/Linux systems; neglecting their security could lead to severe consequences.
Impacts on healthcare organizations
Many vital systems, like those in hospitals, run on Linux. If hit with a ransomware attack, essential services necessary for patient care can be disrupted. And depending on the preparedness of the response team, recovery could take weeks or even months. Such attacks can tarnish the organization’s reputation, expose sensitive patient data, and lead to extortion attempts by the attackers.
Users of Linux-based operating systems are advised to:
- Scan *nix systems using credentialed scans – commonly provided in the form of SSH credentials
- Patch and upgrade Linux operating systems identified as vulnerable
- Check Linux/Unix system configurations for default or weak passwords, including the root account
- Disable booting from external sources
- Enable SELinux in the ‘/etc/selinux/config’ file
- Update repositories and applications
- Avoid using unencrypted protocols on any operating system
- Encrypt data transfers
- Disable root login and unwanted services, and assign complex passwords to root accounts
- Close unused ports
- Treat operating systems in the minority, such as Linux, with the same rigor as the majority platform, such as Microsoft Windows
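As an added example that is not part of the bulletin, the following Python script audits three of the checklist items above (SELinux mode, root login over SSH, and empty passwords) by parsing the relevant configuration files; the file contents are constructed samples and the function names are my own.

```python
import re

# Added example, not from the bulletin. Each function takes the text of a config
# file (/etc/selinux/config, /etc/ssh/sshd_config, /etc/shadow on a real host)
# so the checks run offline against the constructed samples at the bottom.

def selinux_mode(config_text: str) -> str:
    """Return the SELINUX= mode from /etc/selinux/config ('disabled' if absent)."""
    mode = "disabled"
    for line in config_text.splitlines():
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", line)   # commented lines start with '#'
        if m:
            mode = m.group(1).lower()
    return mode

def permit_root_login(sshd_text: str) -> str:
    """Effective PermitRootLogin value: sshd uses the first occurrence of a
    keyword, and the compiled-in default is 'prohibit-password'."""
    for line in sshd_text.splitlines():
        m = re.match(r"\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "prohibit-password"

def empty_password_accounts(shadow_text: str) -> list[str]:
    """Accounts in shadow(5) format whose password field is empty."""
    return [f[0] for f in (ln.split(":") for ln in shadow_text.splitlines())
            if len(f) > 1 and f[1] == ""]

def audit(selinux_cfg: str, sshd_cfg: str, shadow: str) -> list[str]:
    """One finding per checklist item that fails; an empty list means all passed."""
    findings = []
    if selinux_mode(selinux_cfg) != "enforcing":
        findings.append("SELinux is not enforcing")
    if permit_root_login(sshd_cfg) != "no":
        findings.append("root login over SSH is not disabled")
    if weak := empty_password_accounts(shadow):
        findings.append("accounts with empty passwords: " + ", ".join(weak))
    return findings

# Constructed sample files (not captured from any real system).
SAMPLE_SELINUX = "# This file controls the state of SELinux\nSELINUX=permissive\nSELINUXTYPE=targeted\n"
SAMPLE_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_SHADOW = ("root:$6$salt$fakehash:19500:0:99999:7:::\n"
                 "svcacct::19500:0:99999:7:::\n"
                 "nurse1:$6$salt$fakehash:19500:0:99999:7:::\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_SELINUX, SAMPLE_SSHD, SAMPLE_SHADOW):
        print("FAIL:", finding)
```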
Citrix ADC and Gateway Appliances Zero-days
On July 18, 2023, Citrix published a security bulletin announcing fixes for three new vulnerabilities. These are new vulnerabilities and should not be confused with the vulnerabilities in the same Citrix systems reported by Fortified in May 2023.
The new vulnerabilities allow for remote code execution, privilege escalation to root administrator, and cross-site scripting. Successful attacks could allow for data exfiltration or ransomware deployment, compromising Patient Health Information (PHI) and patient care or causing system downtime.
Cloud Software Group is urging customers to upgrade affected systems as soon as possible, as these vulnerabilities are being actively exploited by threat actors. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action, though confirmation with the vendor is recommended.
NetScaler ADC and NetScaler Gateway version 12.1 is now end-of-life (EoL) and remains vulnerable. Affected supported versions:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
- CVE-2023-3519: Unauthenticated remote code execution
- CVE-2023-3467: Allows for privilege escalation to root administrator (nsroot)
- CVE-2023-3466: Reflected XSS vulnerability
- CVE-2023-3519 is known to be actively exploited by threat actors
- Review all Citrix ADC and Gateways to ensure they are running the latest firmware versions
- Include Citrix appliances in routine VTM scanning efforts with proper credentials applied
- Review all accounts with access to Citrix resources and disable those accounts where access is not necessary
- Consider a policy that disables or restricts user accounts that have not used these resources for a set period (30-90 days is common)
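As an added example that is not part of the bulletin or of any Citrix tooling, this Python snippet maps the affected-version list above to the first fixed build of each branch and reports whether a given build is patched, vulnerable, or on the EoL 12.1 branch; the version strings and hostnames in the inventory are constructed, and the caller must say whether a FIPS or NDcPP image is installed.

```python
import re

# Added example, not from the bulletin or from Citrix. Maps the affected-version
# list above to the fixed build per branch and classifies a build string of the
# form 'release-build' (e.g. '13.1-49.13'); 'show version' output is not parsed.

FIXED_BUILDS = {                 # first fixed build per branch, from the bulletin
    "13.1": "13.1-49.13",
    "13.0": "13.0-91.13",
    "13.1-FIPS": "13.1-37.159",
    "12.1-FIPS": "12.1-55.297",
    "12.1-NDcPP": "12.1-55.297",
}
EOL_BRANCHES = {"12.1"}          # standard 12.1 is EoL: no fix, treat as vulnerable

def parse_build(version: str) -> tuple[int, ...]:
    """'13.1-49.13' -> (13, 1, 49, 13) so builds compare numerically, not as strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build: {version!r}")
    return tuple(int(x) for x in m.groups())

def assess(version: str, variant: str = "") -> str:
    """Return 'patched', 'vulnerable' or 'eol'. variant is '' for standard
    builds, or 'FIPS' / 'NDcPP' (the caller knows which image is installed)."""
    build = parse_build(version)
    branch = f"{build[0]}.{build[1]}" + (f"-{variant}" if variant else "")
    if branch in EOL_BRANCHES:
        return "eol"
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by the bulletin")
    return "patched" if build >= parse_build(FIXED_BUILDS[branch]) else "vulnerable"

if __name__ == "__main__":
    # Constructed inventory rows (hostname, build, variant); not real appliances.
    inventory = [("gw-01", "13.1-48.47", ""), ("gw-02", "13.1-49.13", ""),
                 ("adc-fips", "12.1-55.296", "FIPS"), ("adc-old", "12.1-65.35", "")]
    for host, build, variant in inventory:
        print(f"{host}: {build} {variant or 'standard'} -> {assess(build, variant)}")
```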
Google Chrome Sunsetting on Old Windows Systems
Google Chrome and Microsoft Edge are ending support for Windows 7, Windows 8/8.1, Windows Server 2012, and Windows Server 2012 R2. If left unmitigated, an unpatchable browser running on an out-of-date operating system widens the attack surface considerably. Many health systems still run those OSs in their environments, which could lead to security issues such as compromised data, compatibility problems, poor performance, and stolen passwords.
Google will require Windows 10 or later, or Windows Server 2016 or later to keep Google Chrome up to date. Due to this, Chrome 109 is the last version of Chrome that will support those older OSs. To ease customer transitions, Google will issue critical severity security fixes and fixes for bugs for Chrome 109 on these OSs until October 10, 2023.
This decision by Google also affects Chromium-based Edge. Microsoft Edge browser version 109 and WebView2 Runtime version 109 will be the last respective versions for the same listed OSs. Edge will receive critical security fixes and fixes for bugs known to be exploited until October 10, 2023.
Affected: Google Chrome and Microsoft Edge on the following operating systems
- Windows 7
- Windows 8/8.1
- Windows Server 2012
- Windows Server 2012 R2
It’s imperative to review the various applications used in the hospital as some may be dependent upon a browser version. These changes may also affect the functionality of those applications.
- Upgrade affected OSs
- Remove Chrome and Edge from affected OSs
- Install Firefox ESR on systems where Chrome has sunset
- Re-evaluate the need for browsers and general internet access on machines with EoL OSs
- Install Mozilla Firefox ESR on systems that cannot be upgraded, as Firefox ESR on Windows 7/8 will continue receiving updates until September 2024
Healthcare is the leading sector for ransomware incidents. If your health system is ever faced with a cyber incident, learn how to navigate it and better protect your network in our on-demand webinar, From crisis to recovery: Lessons learned from a hospital’s ransomware attack.