More than 87 million. That’s the estimated number of patient records that have been compromised as of the end of October 2023, according to data gathered from the Office for Civil Rights (OCR). That’s a 55 percent year-over-year increase from 2022. 

Throughout the month of October, threat actors increasingly exploited vulnerabilities and used nefarious tactics that put patient records at risk.

Threats to PHI data from Progress WS_FTP Server vulnerability

Progress Software, the maker of MOVEit, has disclosed vulnerabilities in its WS_FTP Server software. WS_FTP Server and MOVEit are file transfer products that move large images or batches of files within and across networks. When these programs are compromised, threat actors can gain access to large amounts of protected health information (PHI).

It’s worth noting that the most severe of the WS_FTP flaws carries a Common Vulnerability Scoring System (CVSS) rating of 10, the highest severity rating possible.

These vulnerabilities affect WS_FTP Server releases prior to 8.7.4 and 8.8.2.

CVEs 

  • CVE-2023-40044 
  • CVE-2023-42657 
  • CVE-2023-40045 
  • CVE-2023-40046 
  • CVE-2023-40047 
  • CVE-2023-40048 
  • CVE-2022-27665 
  • CVE-2023-40049 

Recommendations 

  • Upgrade to a patched release using the full installer (Note: there will be an outage to the system while the upgrade is running) 
  • Use this Huntress article to help you confirm the WS_FTP version in use 
  • Ensure upgrades are performed on all WS_FTP servers in the environment 
  • If you’re using the Ad Hoc Transfer module in the WS_FTP Server and are not able to update to a fixed version, consider disabling or removing the module 
  • Expand scope to departments responsible for large file transfers, possibly images 
  • Consider checking equipment not generally on your radar, such as critical devices, and investigate these areas for older versions of file transfer software 

Exploit in NetScaler ADC and Gateway impacts life-saving technology 

Citrix reported a vulnerability in NetScaler ADC and NetScaler Gateway that allows bad actors to hijack active sessions, bypass multi-factor authentication (MFA), plant backdoors, and steal credentials.

Depending on the permissions of the hijacked account, an attacker could obtain additional credentials and move laterally across the network, accessing further resources. They could also use that information to build further exploits that cause network instability and limit the use of life-saving technology.

Products and versions affected: 

This vulnerability affects NetScaler ADC and NetScaler Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50 
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19 
  • NetScaler ADC and NetScaler Gateway 12.1 (currently end-of-life) 
  • NetScaler ADC 13.1-FIPS before 13.1-37.164 
  • NetScaler ADC 12.1-FIPS before 12.1-55.300 
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300 

CVE 

  • CVE-2023-4966 

Recommendations 

  • Upgrade appliances to the newest version 
  • After upgrading, terminate all active and persistent sessions (per appliance) 
  • Restrict ingress IP addresses if unable to patch immediately 
  • Change credentials on any impacted devices 
  • If an appliance must be restored from a backup image, review the image’s configuration to ensure there is no evidence of backdoors
  • If web application firewalls or other platforms that capture URL requests are deployed in front of NetScaler device(s), review available logs for an abnormal amount of web requests originating from suspicious IP addresses 
  • NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and Citrix urges its customers to upgrade their appliances to one of the supported versions that address the vulnerabilities

Uncertainty and caution surround Okta’s customer support system breach 

On October 20th, Okta confirmed a security breach of its customer support system that impacted 184 customers. Organizations using Okta that did not receive a notification were most likely not impacted, but caution is still advised.

This announcement came after a discovery by BeyondTrust on October 2nd, when an attacker attempted to access BeyondTrust’s in-house Okta administrator account using a valid Okta session cookie. The attempt had already been reported to Okta, but the full extent of the intrusion was not immediately apparent.

Earlier signs of trouble included an incident at 1Password on October 18th, followed by Cloudflare reporting suspicious activity on its Okta instance two days later. Despite these warning signs, the official acknowledgment from Okta only arrived once BeyondTrust pursued its initial findings.

The cyber risk for Okta’s clients in the wake of this compromise remains uncertain. The incident raises concerns about the possibility of sophisticated social engineering attacks, particularly those involving multi-factor authentication (MFA) bypasses. Attackers who gain knowledge of the specific MFA tools a client uses can craft more convincing and targeted attacks. 

Specific versions have not been reported as impacted by this breach as it pertains to a compromise of Okta’s network. 

CVEs 

  • No specific CVEs are known at this time

Recommendations 

  • Enable MFA or 2-factor authentication on Okta and throughout the network 
  • Immediately reset all Okta admin credentials and terminate active sessions 
  • Check third-party IDP federation configurations: ensure each IDP is recognized, SAML certificates are intact (verify fingerprints), the JWKS endpoint is correct, and user JIT creation settings are unmodified
  • Check third-party IDP routing configurations and confirm there has been no modification to user inclusion groups, IP ranges, or device platforms
  • Check for any new accounts created via the Admin API or Console; for each new account, confirm that proper change management documentation is associated with it
  • Check for new API key issuance for both existing accounts and new accounts
  • Check delegated authentication settings; delegated authentication should remain off unless you use an on-premises Active Directory or LDAP server
  • Check your event log for Okta support impersonation events (event name “user.session.impersonation.initiate”)
  • Add policy controls in Okta to restrict access to the admin console 
  • Consider adjusting Okta’s global session policy to issue an MFA challenge at every sign-on, which will prevent attackers with a stolen cookie from accessing the main dashboard 
  • Limit the length of Okta sessions and take other steps to reduce the window during which a stolen cookie can be used 
  • Be aware that admin API actions authenticated via session cookie are only covered by the Global Session Policy, which is often less restrictive than other policies 
  • Require robust hardware MFA for all Okta admins to prevent token hijacking via attacker-in-the-middle phishing 
  • Restrict the use of highly privileged accounts 
  • Implement and enforce least privilege permissions 
  • Apply dedicated access policies for administrative users and monitor and investigate anomalous use of functions reserved for privileged users
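
As an added example (not from the original post and not Okta’s own tooling), the log review steps in the checklist above expressed as a triage script over constructed Okta System Log entries: it extracts successful impersonation, API token, account creation and privilege grant events and flags any source IP that appears in more than one of those categories. The impersonation event type is the one named above; the other three event types are standard Okta System Log event types, and the sample log entries are constructed.

```python
from collections import defaultdict

# Event types to review: the impersonation event name is the one given in the
# checklist; the other three are standard Okta System Log event types.
WATCHED_EVENT_TYPES = {
    "user.session.impersonation.initiate": "support_impersonation",
    "system.api_token.create": "api_token_issued",
    "user.lifecycle.create": "account_created",
    "user.account.privilege.grant": "admin_privilege_granted",
}

def _event(published, event_type, actor, ip, targets=(), result="SUCCESS"):
    """Build one entry in the shape the Okta System Log API returns (target type simplified)."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor, "type": "User"},
            "client": {"ipAddress": ip}, "outcome": {"result": result},
            "target": [{"alternateId": t, "type": "User"} for t in targets]}

# Constructed sample log (not real Okta data): a normal login, then a support
# impersonation from one IP that mints an API token and creates an account.
SAMPLE_LOG = [
    _event("2023-10-19T14:02:11Z", "user.session.start", "alice@example.com", "203.0.113.10"),
    _event("2023-10-19T14:05:42Z", "user.session.impersonation.initiate",
           "support@example.com", "198.51.100.7", ["alice@example.com"]),
    _event("2023-10-19T14:09:03Z", "system.api_token.create",
           "alice@example.com", "198.51.100.7", ["ci-token"]),
    _event("2023-10-19T14:12:30Z", "user.lifecycle.create",
           "alice@example.com", "198.51.100.7", ["svc-sync@example.com"]),
    # A failed attempt is not a finding, but is kept here to show it is filtered out.
    _event("2023-10-19T14:15:00Z", "user.lifecycle.create", "bob@example.com", "203.0.113.22", ["x@example.com"], result="FAILURE"),
]

def triage_okta_events(entries):
    """Group successful watched events as {category: [finding, ...]}, keeping actor,
    source IP, time and targets so each can be matched to a change ticket or support case."""
    findings = defaultdict(list)
    for entry in entries:
        category = WATCHED_EVENT_TYPES.get(entry.get("eventType"))
        if category is None or entry.get("outcome", {}).get("result") != "SUCCESS":
            continue
        findings[category].append({
            "when": entry["published"], "actor": entry["actor"]["alternateId"],
            "ip": entry.get("client", {}).get("ipAddress"),
            "targets": [t.get("alternateId") for t in entry.get("target", [])]})
    return dict(findings)

def ips_spanning_categories(findings, minimum=2):
    """Source IPs seen in at least `minimum` categories (impersonation, then tokens or accounts): escalate first."""
    seen = defaultdict(set)
    for category, items in findings.items():
        for item in items:
            seen[item["ip"]].add(category)
    return sorted(ip for ip, cats in seen.items() if len(cats) >= minimum)
```

Feed the output of a real System Log export (one JSON object per entry) into `triage_okta_events` in place of `SAMPLE_LOG`; each finding has the fields needed to compare against change management records.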

October’s cyber attacks emphasize hijacking risks 

The Okta and NetScaler incidents in particular highlight the risks associated with hijacking accounts and bypassing MFA. These attack methods can grant malicious actors broad, high-level access to a system, allowing them to move quickly throughout the network, steal data, create additional vulnerabilities, or leave malware behind.

These October incidents also underscore the importance of patching, proper user policy access, and penetration testing.  

To learn how to proactively identify vulnerabilities in your environment and use the findings to prevent future attacks, check out our on-demand webinar, Rethinking Penetration Testing in the Face of Rising Healthcare Breaches