Last month, three new cyber vulnerabilities emerged, posing a significant threat to healthcare organizations. Two were vulnerabilities from unpatched network technologies that, if exploited, could compromise both medical devices and patient care. The third was a new ransomware variant called “3AM” which poses a severe risk to healthcare organizations.
Continue reading to learn more about these emerging attacks and how to address them.
Weaknesses in Cisco Catalyst SD-WAN Manager
Five vulnerabilities were discovered in the Cisco Catalyst SD-WAN Manager, with the most severe offering system access to a remote unauthenticated attacker. Because many healthcare organizations use this technology for cloud and network services, an incident could negatively impact accessibility to life-saving technology and patient care.
In the most severe flaw, improper authentication checks in the SAML allow bad actors to send requests directly to the APIs. An authentication token will be created for application access if a hacker successfully exploits the flaw. The remaining four flaws include:
- An unauthorized configuration rollback
- Disclosure of sensitive information
- An authorization bypass exploit
- A Distributed Denial-of-Service (DDoS) vulnerability
None of these flaws have been reported as being actively exploited, but they should be addressed immediately. Currently, no workarounds are available; remediation by patching is the best action to remove these vulnerabilities.
These vulnerabilities affect all versions of Cisco Catalyst SD-WAN Manager prior to version 20.12, including:
- After testing, upgrade the Cisco Catalyst SD-WAN Manager to version 21.12
- Remove or deny access to unnecessary and potentially vulnerable software
- Use technical controls, such as application-allow listing, to ensure that only authorized software can execute or be accessed
- Consider using the Principle of Least Privilege on all systems and running all software as a non-privileged user
New VMware Aria vulnerabilities
Over the summer, multiple vulnerabilities were reported in the network monitoring tool Aria Operations. Then, on August 29th, two more vulnerabilities were reported, which allowed authentication to be bypassed and permitted hackers to use remote code execution. Once a bad actor accesses the underlying system, they can create ransomware incidents.
Individually, these flaws can potentially cause interruptions to Aria Operations for Networks. However, a hospital’s VMware system may fail if several of these vulnerabilities are exploited and launched simultaneously. Given the pervasive adoption of VMware technologies across healthcare entities, a system failure could critically impede a hospital’s network functionality and ability to deliver patient care.
Products and versions that were affected include:
- Be sure that VMware Aria Operations for Network appliances are using version 6.11
- Verify all VMware products are on a routine update schedule
“3AM” ransomware debuts a new malware family
The 3AM ransomware steals the data and then encrypts it, leaving a ransom note in its wake. The note is often a warning that the stolen information will be sold if the attacker is not paid. In more severe cases, multiple systems or entire networks can become encrypted and unusable, significantly impacting patient care.
Before encrypting files on the infected system, 3AM tries to disable various security and backup software services from companies like Veeam, Acronis, Ivanti, McAfee, or Symantec. The encrypted files have the “.THREEAMTIME” extension, and the ransomware also attempts to erase Volume Shadow copies that could help restore the data. Researchers say that before launching a 3AM ransomware attack, the attacker uses a “gpresult” command to get the policy settings of a specific user on the system.
Symantec’s Threat Hunter Team reports that 3AM is a new ransomware written in Rust that isn’t affiliated with any known malware family. While the discovery of new malware families is common, 3AM warrants amplified scrutiny as it was used by a LockBit affiliate. LockBit and other threat actors often target healthcare organizations, elevating the concern that it may lead to a broader attack.
Indicators of compromise include:
SHA256 file hashes
- 079b99f6601f0f6258f4220438de4e175eb4853649c2d34ada72cce6b1702e22 – LockBit
- 307a1217aac33c4b7a9cd923162439c19483e952c2ceb15aa82a98b46ff8942e – 3AM
- 680677e14e50f526cced739890ed02fc01da275f9db59482d96b96fbc092d2f4 – Cobalt Strike
- 991ee9548b55e5c815cc877af970542312cff79b3ba01a04a469b645c5d880af – Cobalt Strike
- ecbdb9cb442a2c712c6fb8aee0ae68758bc79fa064251bab53b62f9e7156febc – Cobalt Strike
Potential detection strategies
- SIEM – Outbound connections to the known network indicators
- SIEM – “Service stopped” threshold-based detection for known security tools
- SIEM/MDR – Detected use of gpresult command
- MDR – Blacklisting the hashed-known indicators
3AM ransom notes have included opening statements containing “3 am” or “threeam” in the dark web address
Products and versions affected include:
- Various operating systems
- No specific CVEs are associated with ransomware payloads. CVEs specifically refer to vulnerabilities that may be exploited to gain initial and persistent access to victim networks where ransomware like 3AM and others are deployed.
- Ensure adequate backups for critical systems such as servers, domain controllers, and workstations are available and tested
- If immediate backup solutions are infected, consider alternate/off-site backups are available
- Employ endpoint detection and response technologies to detect, prevent, and respond to signs of infection
- Drill incident response playbooks to cement the processes needed to combat such a threat
- Coordinate tabletop exercises to ensure essential incident response tasks, including incident responders’ and leadership’s roles and responsibilities, are thoroughly understood
- Open communication channels with enablers such as Incident Response (IR) firms, cyber insurance, and legal teams to establish relationships before an incident occurs
- Orchestrate and test IR notification and declaration procedures with internal and external IR enablers
Staying ahead of September’s cyber attacks
Threat actors continue to attack healthcare organizations at a record pace in 2023. As demonstrated by two threats this month, patching software and hardware is crucial. In addition to patching, preparing for an attack with your IT team and leadership is a critical step in minimizing the effects of an incident.
October is National Cybersecurity Awareness Month! Stay current on healthcare cybersecurity by checking out our blogs, events, and upcoming webinars.