During the summer months, threat actors often escalate their activity, taking advantage of thinner IT staffing and leaving many organizations more susceptible to attack. That trend was evident last month. Throughout June, healthcare cybersecurity teams found themselves responding to critical network flaws and a run of actively exploited vulnerabilities that needed urgent patching, including MOVEit Transfer, Fortinet FortiOS, and the Barracuda Email Security Gateway.

MOVEit SQL Injection Zero-Day Vulnerability

In early June, an ongoing attack campaign revealed a structured query language (SQL) injection vulnerability in Progress Software’s MOVEit Transfer web application, and the investigation that followed turned up several more SQL injection flaws. A web shell uploaded during the attacks, human2.aspx, gave the attackers unauthorized access to the MOVEit database, let them enumerate and download any file stored in MOVEit, and let them create privileged accounts and sessions without valid credentials.

Mass exploitation of these vulnerabilities led to data theft, extortion, and the public naming of victims. After patching the original zero-day, MOVEit customers were told to apply a further patch for a third critical SQL injection vulnerability in the file transfer software. The first patch did not cover the later flaws, so customers who stopped after the initial fix remained exposed, and attackers continued to get into systems.

Users of MOVEit were also instructed to:

  • Delete any instances of the human2.aspx web shell and any .cmdline script files
  • Disable all HTTP and HTTPS traffic to the MOVEit Transfer environment until it is patched
  • Delete any unauthorized files and accounts
  • Reset the credentials of the MOVEit service account and of any service accounts on affected systems
  • Look for any newly created files in the C:\Windows\TEMP\[random] directory with a .cmdline extension, and any new files created in the C:\MOVEitTransfer\wwwroot directory
  • Apply patches or mitigations to MOVEit environments
  • Examine the C:\MOVEitTransfer\wwwroot folder for recently created suspicious files, such as human2.aspx or App_Web_[RANDOM].dll files with the same or similar timestamps
  • Retain a copy of all IIS logs and network data volume logs for the investigation
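The following is an added triage helper for the hunt steps above; it is not Progress Software's code. It does two of the things the list asks for: it finds the file indicators under the web root and the Windows TEMP tree, and it pulls requests to the human2.aspx web shell out of IIS W3C logs (the legitimate MOVEit page is human.aspx, which the shell name was chosen to resemble). The directory layout and the log lines below are constructed so the script runs offline; on a real server pass the actual paths and the contents of the IIS log files.

```python
"""Added triage helper for the MOVEit Transfer hunt steps above (not Progress
Software's code). hunt_files() looks for the advisory's file indicators under
the web root and Windows TEMP; shell_requests() pulls requests to human2.aspx
out of IIS W3C log text. demo() builds a constructed layout and log so the
script runs offline; on a real server point it at C:\\MOVEitTransfer\\wwwroot
and C:\\Windows\\TEMP and feed it the real log files.
"""
import re
import tempfile
from pathlib import Path

# File names called out by the advisory. App_Web_*.dll is what ASP.NET emits
# when it compiles a dropped .aspx page, so it appears with a matching timestamp.
KNOWN_BAD = re.compile(r"^(human2\.aspx|App_Web_[A-Za-z0-9_-]+\.dll)$", re.I)


def hunt_files(wwwroot: Path, temp_root: Path) -> list[str]:
    """Return files matching the advisory's indicators under the two roots."""
    hits = [str(p) for p in wwwroot.rglob("*") if p.is_file() and KNOWN_BAD.match(p.name)]
    # Advisory: C:\Windows\TEMP\[random]\*.cmdline, i.e. one directory level down.
    hits += [str(p) for p in temp_root.glob("*/*.cmdline") if p.is_file()]
    return sorted(hits)


def parse_iis(lines):
    """Yield one dict per request from W3C extended log text (#Fields: header required)."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def shell_requests(lines) -> list[dict]:
    """Requests whose path is the human2.aspx web shell (human.aspx is legitimate)."""
    return [r for r in parse_iis(lines)
            if r.get("cs-uri-stem", "").lower().endswith("/human2.aspx")]


def demo() -> tuple[list[str], list[dict]]:
    """Build a constructed layout and log, then run both checks over them."""
    base = Path(tempfile.mkdtemp())
    wwwroot, temp_root = base / "wwwroot", base / "TEMP"
    for rel in ("wwwroot/human.aspx", "wwwroot/human2.aspx",
                "wwwroot/App_Web_fgh3k9zq.dll", "TEMP/7f3a1c/u.cmdline",
                "TEMP/7f3a1c/notes.txt"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")
    # Constructed IIS lines; only the first one is the web shell being used.
    log = [
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
        "2023-06-01 03:12:45 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200",
        "2023-06-01 03:12:50 10.0.0.5 GET /human.aspx - 443 alice 203.0.113.9 Mozilla/5.0 200",
        "2023-06-01 03:13:01 10.0.0.5 GET /api/v1/token - 443 - 203.0.113.9 Mozilla/5.0 200",
    ]
    return hunt_files(wwwroot, temp_root), shell_requests(log)


if __name__ == "__main__":
    files, reqs = demo()
    print("file indicators:", *files, sep="\n  ")
    print("web shell requests:",
          *(f"{r['c-ip']} {r['cs-method']} {r['date']} {r['time']}" for r in reqs), sep="\n  ")
```

Every source IP that appears in the web shell output should be carried into the network log review, and any App_Web_*.dll hit should be checked against the timestamp of human2.aspx rather than deleted blindly, since the compiled DLL is evidence of when the shell was first executed.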

Affected products/versions

Progress’s initial advisory listed the fixed releases as 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1); every earlier release on those branches was affected.

Subsequent advisories found that all supported versions of MOVEit Transfer, as well as MOVEit Cloud, were affected by the newly discovered vulnerabilities and needed the later patches too.

Common Vulnerabilities and Exposures (CVEs) include:

  • CVE-2023-34362 (the SQL injection exploited as a zero-day)
  • CVE-2023-35036 (a second SQL injection found during the follow-up code review)
  • CVE-2023-35708 (the third SQL injection referred to above)

Patch update

MOVEit maker Progress Software published a further security bulletin earlier this month (July) with fixes for three newly discovered vulnerabilities in the file transfer application. At the time of writing there are no known reports of these new flaws being exploited, but given their severity and last month’s experience, Progress Software and security practitioners are urging all MOVEit users to install the patch right away.

Personal information at risk

Attackers have found they can obtain payouts as large as, or larger than, those from encrypting systems simply by threatening to release stolen private information. To date, more than 40 organizations worldwide have reported data losses from the MOVEit attacks, including large enterprises, government agencies, educational institutions, and airlines.

Individuals’ personal information has also been compromised in the MOVEit attacks. The data exposed varies from victim to victim and can have far-reaching effects on people’s lives. As the list of affected organizations grows, so does the chance of identity theft, scams, home invasions, or even complications with employment.

Here are some recommendations for protecting your personal information:

  • Limit the amount of personal information shared online, use a unique password for each account, and change any password that may have been exposed
  • Use a VPN on untrusted networks and keep your devices patched
  • Do not provide personal details in response to emails or social media posts
  • Regularly check credit card and billing statements for any unauthorized charges
  • Keep an eye on credit reports and verify that no unauthorized accounts have been opened with leaked information

Breaches like MOVEit will feed data leaks and follow-on fraud for years to come. Build or maintain good cyber habits to keep your information from becoming available to bad actors in future attacks.

Fortinet SSL VPN Firmware

A flaw in the SSL VPN component of FortiGate appliances lets a remote attacker reach the firewall and execute code without any user credentials. Fortinet reported that it may already have been exploited in a limited number of cases, and it is expected to be weaponized widely. Fixed firmware is available, so we recommend immediately upgrading all FortiGate devices that have SSL VPN enabled.

Most Fortinet deployments allow remote user access through the SSL VPN component of FortiGate. This pre-authentication vulnerability, a heap-based buffer overflow in the SSL VPN service, lets an attacker bypass authentication and execute arbitrary code on the device if the fixed firmware has not been installed.

FortiGate users can limit exposure by updating the firmware on vulnerable appliances as soon as possible. The only workaround is to disable SSL VPN until the upgrade is done. Fortinet appliances have been the subject of a steady stream of critical advisories over the last two to three years, something to consider when budgeting for upgrades or replacement appliances.

Affected products/versions

  • Fixed in FortiOS 7.2.5, 7.0.12, 6.4.13, 6.2.15 and 6.0.17; earlier releases on each of those branches are vulnerable
  • Any FortiGate with SSL VPN enabled, even when multi-factor authentication is enforced, because the flaw is triggered before authentication
  • CVE-2023-27997

Recommendations

  • Upgrade FortiGate devices as soon as possible
  • FortiGate users can check the running firmware version on the CLI with get system status and compare it to the fixed releases above; the command diagnose sys fortiguard-service status confirms the device can reach FortiGuard for the update
  • If the update does not appear in the device’s dashboard, a reboot may make it appear; if not, download and install the firmware manually
  • Review network configurations and firewall rules so that only authorized and trusted sources can reach the SSL VPN service on FortiGate devices
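For a fleet of firewalls, the version comparison above is worth scripting. The block below is an added example, not Fortinet tooling: it parses the version token out of CLI output and ranks an inventory by urgency, treating a branch that is not in the fixed-release list as "check" rather than guessing. The inventory lines are constructed in the shape of get system status output, which is an assumption about that format; on a real device paste in the actual output.

```python
"""Added example (not Fortinet's tooling): triage a FortiGate inventory against
the fixed FortiOS releases for CVE-2023-27997 listed above. The sample CLI text
is constructed in the shape of `get system status` output (an assumption about
that format, with made-up build numbers); copy real output in its place.
"""
import re

# First fixed release on each FortiOS branch, from the advisory list above.
FIXED = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 15),
    (6, 0): (6, 0, 17),
}


def parse_version(cli_text: str):
    """Return (major, minor, patch) from the first 'vX.Y.Z' token, else None."""
    m = re.search(r"\bv(\d+)\.(\d+)\.(\d+)\b", cli_text)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_upgrade(version):
    """True = below the fixed release, False = fixed, None = branch not in the table."""
    if version is None:
        return None
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None  # a branch the list above does not cover: verify by hand
    return version < fixed


def triage(inventory):
    """inventory: list of (hostname, ssl_vpn_enabled, cli_text).
    Returns one record per device with a status and reason, worst first."""
    rows = []
    for host, ssl_vpn, text in inventory:
        ver = parse_version(text)
        vuln = needs_upgrade(ver)
        if vuln is None:
            status, why = "CHECK", "version unknown or branch not in fixed list"
        elif not vuln:
            status, why = "OK", "running a fixed release"
        elif ssl_vpn:
            status, why = "URGENT", "vulnerable build with SSL VPN enabled (MFA does not help)"
        else:
            status, why = "UPGRADE", "vulnerable build; SSL VPN off reduces exposure, still patch"
        rows.append({"host": host, "version": ver, "status": status, "reason": why})
    order = {"URGENT": 0, "UPGRADE": 1, "CHECK": 2, "OK": 3}
    return sorted(rows, key=lambda r: order[r["status"]])


# Constructed inventory; the CLI lines imitate `get system status` output.
INVENTORY = [
    ("fw-edge-01", True, "Version: FortiGate-100F v7.0.11,build0001,230101 (GA.F)"),
    ("fw-edge-02", True, "Version: FortiGate-100F v7.2.5,build0002,230102 (GA.F)"),
    ("fw-lab-01", False, "Version: FortiGate-60F v6.4.12,build0003,230103 (GA.F)"),
    ("fw-new-01", True, "Version: FortiGate-200F v7.4.0,build0004,230104 (GA.F)"),
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"{r['status']:<8}{r['host']:<12}{r['version']}  {r['reason']}")
```

The ordering is deliberate: a vulnerable build with SSL VPN enabled is the one an attacker can reach from the internet today, while a device on a branch the table does not know about is flagged for manual verification instead of being silently marked safe.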

Barracuda

Customers contacted Barracuda, a provider of cloud-first security solutions, after noticing anomalous traffic coming from their Email Security Gateway (ESG) appliances. After engaging Mandiant, the company found a critical remote command injection vulnerability that had been exploited since October 2022.

The root cause is incomplete validation of user-supplied .tar files arriving as email attachments, specifically the filenames contained within the archive. A remote attacker can craft member names so that, when the appliance processes the archive, they are interpolated into a system command executed through Perl’s qx operator, giving the attacker arbitrary command execution with the privileges of the Email Security Gateway product.
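To make the bug class concrete, the following is an added example and not Barracuda's code: it builds a .tar in memory whose member name carries shell metacharacters, shows the command string an unsafe interpolation would hand to the shell (the Python equivalent of Perl's qx with a variable in the string), and then shows the validation step that rejects the archive before any command is built. The command template, the allowed-name pattern and the sample names are assumptions for illustration.

```python
"""Added example (not Barracuda's code) of the bug class behind CVE-2023-2868:
member names from an attacker-supplied .tar are interpolated into a shell
command, so a crafted name runs extra commands. build_tar() makes such an
archive in memory, vulnerable_command() returns the string the unsafe pattern
would hand to the shell (never executed here), and process_archive() is the
check that rejects the archive before anything runs. The command template,
allowed-name pattern and sample names are assumptions for illustration.
"""
import io
import re
import shlex
import tarfile

# Assumed allowlist: one path component, starts alphanumeric, no shell
# metacharacters and no '/', so '..' and nested paths are rejected as well.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def build_tar(names):
    """Build a tar archive in memory with one small file per member name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes):
    """Read the member names back out of the archive without extracting."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def vulnerable_command(name):
    """The unsafe pattern: the name is pasted into a command string, as in
    Perl's qx("/usr/bin/file /tmp/extract/$name"). The shell then sees ';'
    or backticks inside the name as new commands. Returned, never executed."""
    return f"/usr/bin/file /tmp/extract/{name}"


def hardened_command(name):
    """Argument-vector form: no shell parses the name, so metacharacters are inert."""
    return ["/usr/bin/file", f"/tmp/extract/{name}"]


def quoted_command(name):
    """If a shell string is unavoidable, quote the name so it stays one word."""
    return shlex.join(hardened_command(name))


def process_archive(tar_bytes):
    """Validate every member name before anything else. Returns (True, argv
    list) when all names pass, or (False, offending names) with no command built."""
    names = member_names(tar_bytes)
    bad = [n for n in names if not SAFE_NAME.match(n)]
    if bad:
        return False, bad
    return True, [hardened_command(n) for n in names]


if __name__ == "__main__":
    evil = build_tar(["invoice.pdf", "x; id #"])
    print("shell would see:", vulnerable_command("x; id #"))
    print("quoted form    :", quoted_command("x; id #"))
    print("validation     :", process_archive(evil))
    print("clean archive  :", process_archive(build_tar(["invoice.pdf"])))
```

The important ordering is that the allowlist runs over every name before the first command is constructed; checking names one at a time while already processing earlier members would still let a single bad entry fire.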

Barracuda released a patch on May 20th, which was pushed automatically to all affected devices, and deployed a containment script the following day to limit the incident’s impact.

Despite this, malware was later detected on a subset of Barracuda appliances, and the company revised its recommendation. Barracuda now urgently advises customers to replace affected appliances regardless of installed patch version, because the attackers’ backdoor persists on the devices. In some cases there was evidence of data exfiltration, and Barracuda concluded that compromised appliances cannot be reliably cleaned in place.

Impact on healthcare systems

The Barracuda vulnerability is a severe threat to health systems because a compromised ESG sits in the mail path: it can be used to extract patients’ electronic protected health information (ePHI) and gives threat actors a persistent foothold inside hospital networks.

Affected products/versions

  • ESG appliance versions 5.1.3.001 through 9.2.0.006
  • At this time, no other Barracuda products are known to be affected
  • CVE-2023-2868

Recommendations

  • Review network logs for Barracuda’s published IOCs and for any unrecognized IP addresses
  • Rotate any credentials connected to the ESG appliance:
    • Any connected LDAP/AD
    • Barracuda Cloud Control
    • FTP Server
    • SMB
    • Any private TLS certificates
  • Check logs for signs of compromise dating back to at least October 2022, using the network and endpoint indicators Barracuda has published
  • Discontinue using the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance
  • Barracuda’s investigation was limited to the ESG product, not the customer’s wider environment; impacted customers should therefore review their own environments and decide what additional actions to take

These vulnerabilities underscore the urgency of proactive patching to strengthen your overall healthcare cybersecurity posture and prevent a breach. If your health system is ever faced with a cyber incident, learn how to navigate it and better protect your network in our on-demand webinar, From crisis to recovery: Lessons learned from a hospital’s ransomware attack.