In November, new details emerged about the Okta incident, coinciding with the discovery of critical vulnerabilities in Orthanc software and Windows Defender SmartScreen.

These vulnerabilities pose significant risks to healthcare organizations, their networks, patients, and data. Read on to explore these threats in-depth and how to mitigate them.

Okta’s security breach update

On November 3rd, Okta issued a Root Cause Analysis (RCA) report, providing an update on its October security breach. The company determined that a threat actor had run and downloaded a report that contained the names and email addresses of all Okta customer support system users. This incident impacted all Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers, except those using Okta’s FedRamp High and DoD IL4 environments.

Based on Okta’s update, here are recommendations for how to enhance your security:

Strengthen your authentication
Activate MFA or 2-factor authentication (2FA) on Okta and across your network.

Reset and review credentials
Promptly reset all Okta admin credentials and terminate any active sessions.

Verify Identity Provider (IDP) configurations
 Ensure each IDP is recognized, confirm the integrity of SAML certificates (check fingerprints), verify the correctness of JWKS endpoints, and review settings for “Just in Time” (JIT) user creation.

Audit IDP routing configurations
Check for modifications in user inclusion groups, IP ranges, or device platforms.

Monitor new account creation
Review any new account creations via Admin API or Console, ensuring they have proper documentation.

Check API Key issuance
Investigate new API key issuances for both existing and new accounts.

Review delegated authentication settings
These settings should be off unless using an on-premises Active Directory or LDAP server.

Keep an eye out for impersonation events
Search for “user.session.impersonation.initiate” events in your Okta event log.

Implement access controls
Add policy controls in Okta to limit access to the admin console.

Adjust global session policy
Consider setting MFA challenges for every sign-on to prevent unauthorized access via stolen cookies.

Limit session duration
Reduce the window during which a stolen cookie can be used by shortening Okta session lengths.

Stay aware of policy limitations
Look into your Global Session Policy and the risk of session hijacking bypassing MFA.

Elevate requirements
Require robust hardware MFA for all Okta admins to prevent token hijacking.

Restrict privileged accounts
Limit the use of highly privileged accounts.

Enforce specific use policies
Evaluate administrative users and monitor for unusual activities.

Implement the least privilege principle
Adopt and enforce policies that grant the minimum necessary permissions.

 

Medical imaging risks posed by Orthanc vulnerability

Orthanc, an open-source DICOM server for healthcare and medical research, discovered a high severity vulnerability (CVE-2023-33466) in versions prior to 1.12. Threat actors with access to the Orthanc API have the ability to overwrite files and trigger Remote Code Execution (RCE). This vulnerability is deemed critical due to its potential to impact patient information and quality of care, and cause IT system outages.

Here’s a quick overview:

  • The vulnerability involves a REST API endpoint that allows arbitrary file overwrites. Attackers can use “polyglot files” (files that function in multiple formats) to exploit this flaw. For example, a file that is both a legitimate DICOM file and a malicious Orthanc JSON configuration.
  • This vulnerability is particularly alarming for the healthcare sector, with around 1700 exposed instances found on Shodan, otherwise known as the “search engine for hackers.”

Recommendations to safeguard against the Orthanc vulnerability:

  • Upgrade your Orthanc software immediately to version 1.12.0 or later
  • Strengthen your credentials by replacing default or weak credentials with ones that are strong and unique
  • When external access is enabled (“RemoteAccessAllow” set to “true”), activate “AuthenticationEnabled,” which grants access to users listed in RegisteredUsers exclusively
  • Enable HTTPS encryption to protect medical data and passwords, even within the Intranet
  • If your Orthanc server is accessible via the Internet, position it behind a reverse proxy
  • Keeping RestApiWriteToFileSystemEnabled set to its default false value will ensure that the REST API cannot write to the filesystem

For more detailed information, refer to the guide “Securing Orthanc 19.”

Critical update issued for Windows Defender SmartScreen

SmartScreen is a critical component in Windows 10, 11, and server operating systems. Microsoft’s Patch Tuesday released a critical update for Windows Defender SmartScreen in October addressing a previously exploited zero-day vulnerability. However, a significant number of systems remain unpatched, leaving them at risk.

Remote hackers can bypass SmartScreen’s protective measures without complex strategies or insider credentials, leading users to harmful sites or executing malicious code undetected. For healthcare IT leaders, exploitation of this vulnerability could result in data breaches and disruptions to essential services.

Despite the existence of a patch since November, the persistent exploitation of this vulnerability, compounded by the accessibility of a reverse-engineered Proof of Concept (PoC), underscores the urgent need for immediate action, including:

  • Following your organization’s patch-management policies
  • Updating systems
  • Exercising caution with hyperlinks (common avenue for malicious activities)
  • Verifying links before clicking
  • Implement Endpoint Detection and Response (EDR) coverage with minimal blind spots
  • Educating staff on identifying and handling email phishing attempts
  • An emergency response and business continuity plan are recommended

Here are the products and versions affected by the Windows Defender SmartScreen vulnerability:

Windows Operating Systems:

  • Windows 10
  • Windows 11

Windows Server Versions:

  • Windows Server 2008 (All 32-bit and 64-bit versions)
  • Windows Server 2012
  • Windows Server 2012 (Server Core Installation)
  • Windows Server 2012 R2
  • Windows 2012 R2 (Server Core Installation)
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2019 (Server Core Installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core Installation)
  • Windows Server 2022, 23H2 Edition (Server Core Installation)

CVE

  • CVE-2023-36025

KB articles:

  • 5032189, 5032190, 5032192, 5032196, 5032197, 5032198, 5032199, 5032202, 5032247, 5032248, 5032249, 5032250, 5032252, 5032254, 5032304

 

Rising phishing risks and building a cyber-smart culture

As the year draws to a close, phishing attempts tend to spike as threat actors try and capitalize on the increased email traffic and reduced staff presence during the holiday season. Recent events, such as the Okta incident, serve as a reminder that data breaches can fuel future phishing campaigns. By educating and empowering your staff to recognize and respond to phishing attacks, you’re taking a critical step to defending your healthcare organization and patient information.

For strategies and insights on how to build a strong cybersecurity culture, check out our on-demand webinar with healthcare vCISO, Don Kelly.