June was a high-stakes game on the cybersecurity chessboard for healthcare organizations. Major technology providers like Progress MOVEit and SolarWinds found themselves in check due to critical software vulnerabilities. Meanwhile, threat groups like Black Basta made bold moves, and new phishing schemes targeting Cisco Webex users emerged as unexpected gambits.

Read on to discover more about these threats and the strategic moves healthcare organizations must make to protect their sensitive data and maintain operational control.


New MOVEit flaws

Throughout June, multiple vulnerabilities in Progress MOVEit were exploited, causing significant security concerns for healthcare organizations. Threat actors have been exploiting two critical flaws—an SFTP vulnerability in MOVEit Gateway and an authentication bypass in MOVEit Transfer—resulting in unauthorized access and potential data exfiltration.

These vulnerabilities are particularly alarming for healthcare providers who rely on MOVEit for secure file transfers. With these flaws, attackers can manipulate data, steal Personally Identifiable Information (PII), deploy malware, and potentially disrupt lifesaving technology by taking control of network devices.

Security experts warn that these vulnerabilities are being widely targeted due to their ease of exploitation. To prevent compromise, all MOVEit Transfer and MOVEit Gateway users should update to the latest versions immediately.

For additional information and detailed remediation steps, please refer to our MOVEit threat bulletin.


SolarWinds Serv-U vulnerability

A high-severity vulnerability in SolarWinds Serv-U was actively exploited last month, putting healthcare systems at risk. Healthcare organizations are particularly vulnerable to such exploits due to the sensitivity of patient data and the critical need for data availability.

The flaw allows attackers to read files from the underlying operating system, bypassing security checks via a simple GET request to the root directory. This vulnerability can lead to unauthorized data access and lateral movement within the network, potentially compromising patient records and operational integrity.

Users should upgrade SolarWinds Serv-U to version 15.4.2 HF2 to reduce these risks.
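As an added illustration (not code from the bulletin or from SolarWinds), the Python below performs two defender-side checks for this section: it parses Serv-U version strings and flags hosts still below the fixed 15.4.2 HF2 build, and it scans web access logs for GET requests that carry path-traversal sequences. The host inventory and log lines are constructed samples, and the traversal pattern is an assumption about how such file-read requests look, since the bulletin describes only a GET request to the root directory.

```python
import re

# Fixed build named in the bulletin: 15.4.2 HF2 -> (major, minor, patch, hotfix)
FIXED_VERSION = (15, 4, 2, 2)

# Constructed sample inventory (host -> reported Serv-U version); not real hosts.
INVENTORY = {
    "sftp-01.example.internal": "15.4.2 HF2",
    "sftp-02.example.internal": "15.4.2 HF1",
    "sftp-03.example.internal": "15.4.1",
}

# Constructed access-log lines in common log format; the traversal request is
# an assumed shape of the attack, not a capture from a real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2024:10:01:05 +0000] "GET /..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 92',
    '198.51.100.3 - - [12/Jun/2024:10:02:00 +0000] "GET /Login HTTP/1.1" 200 2048',
]

VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*", re.I)
# Plain and URL-encoded "dot-dot-slash" variants (forward and back slash).
TRAVERSAL_RE = re.compile(r"(?:\.\.[\\/]|\.\.%2f|\.\.%5c|%2e%2e)", re.I)
REQUEST_RE = re.compile(r'(\S+) .*?"GET (\S+) HTTP')


def parse_servu_version(text: str) -> tuple:
    """Turn '15.4.2 HF2' or '15.4.1' into a comparable tuple; no HF suffix means hotfix 0."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Serv-U version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def needs_upgrade(version: str) -> bool:
    """True when the reported version is older than the fixed 15.4.2 HF2 build."""
    return parse_servu_version(version) < FIXED_VERSION


def hosts_needing_upgrade(inventory: dict) -> list:
    """Sorted list of hosts whose Serv-U version is below the fixed build."""
    return sorted(host for host, ver in inventory.items() if needs_upgrade(ver))


def suspicious_get_requests(log_lines) -> list:
    """(client, path) for each GET whose request path contains a traversal sequence."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and TRAVERSAL_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Feed `hosts_needing_upgrade` your real inventory export and `suspicious_get_requests` the Serv-U web access log to get a patch list and a first-pass list of requests worth investigating.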

For more insights and recommendations, reference our SolarWinds threat bulletin.


Cisco Webex malware attacks

In June, a new campaign emerged that targets Cisco Webex Meetings App users with HijackLoader malware. First identified in 2023, HijackLoader has since evolved with advanced features designed to bypass security measures such as Windows Defender antivirus.

This recent campaign tricks users into downloading trojanized versions of the app, which come in the form of a malicious .rar archive file disguised as a legitimate Cisco Webex installer. Healthcare organizations face significant risks from this malware. Once deployed, it can steal credentials, execute malicious code, establish persistent connections to command-and-control servers, compromise sensitive patient data, and disrupt critical services.

To keep your systems safe, it’s crucial to closely monitor endpoint detection and response (EDR) alerts and educate users about the risks of downloading unknown software.

For more insights and details, review our Cisco Webex threat bulletin.


vCenter Server vulnerabilities

Three new critical vulnerabilities were discovered in vCenter Server. They are particularly concerning for healthcare providers who rely on these servers to manage virtual machines.

By exploiting these flaws, attackers can take control of systems, access protected patient data, and compromise vital network functions, severely impacting patient care.

To mitigate your risk, check and quickly update the vCenter Server to a fixed version. However, it’s important to note that older vCenter versions 6.5 and 6.7 remain untested for vulnerabilities.

Find more information, including affected versions and remediation steps, in our vCenter Server threat bulletin.


Black Basta and CVE-2024-26169

While already on the radar of US agencies, the Black Basta group garnered even more attention in June when they confirmed their involvement in the high-profile Ascension ransomware attack. After the attack, Symantec researchers discovered that Black Basta exploited a critical Elevation of Privilege vulnerability (CVE-2024-26169) in the Windows Error Reporting Service.

Initially overlooked as a minor risk, this flaw has become a formidable threat, allowing attackers to gain system-level access and administrative control through shell interfaces. Capitalizing on this vulnerability, they launched widespread ransomware assaults, affecting over 500 organizations across the United States, Canada, Japan, the United Kingdom, Australia, and New Zealand.

A patch has been available since March 2024, and applying it has never been more critical to safeguard against this escalating threat. For additional details, check out the Black Basta threat bulletin.


Critical Check Point VPN exploit

A known vulnerability in Check Point’s Secure Gateway products caught the attention of both threat actors and CISA.

This flaw allows attackers to access sensitive information on Internet-connected Gateways with remote access VPN or mobile access enabled, potentially enabling hackers to gain administrative privileges and move laterally within the network.

With over 13,800 devices globally at risk, CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by June 20, 2024. A successful cyberattack could compromise patient care, lead to data theft, and pose other serious risks.

For further details and guidance on managing this threat, see our Check Point threat bulletin.


Staying ahead of cyber threats

In the complex game of cybersecurity, staying informed and taking immediate action to patch vulnerabilities are key moves that healthcare providers must make to protect sensitive data and maintain patient trust.

To stay several moves ahead of adversaries, watch our on-demand webinar on the three stages of healthcare SOC maturity and how to advance through them.