2021 Weeks 32-40 Security Roundup


Summary

Let me apologize for the long delay right upfront.  First, we had a round of Covid in the household in a person who is immune-compromised.  Next, I started a new semester in college and the workload was far greater than I expected.  Lastly, this is the start of the budget year for us and I had several projects that have demanded almost every second of my work time.  I hope to get back to weekly updates by November.

Lots of news this time, covering health care, education, infrastructure, and SLTT (state, local, tribal, and territorial) governments around the world.  Since I am hitting the length limits of Blogger, I will simply invite you to read and get caught up yourself. 


News

UC San Diego Health sued over breach

In what is becoming a growing trend, UC San Diego Health is being sued for failing to have proper data protection protocols.  The suit cites breach of contract, negligence, and violations of California consumer and medical privacy laws.  Specifically, it alleges failure to adequately train employees on how to avoid phishing and failure to implement reasonable security practices.  


Swisslog Healthcare warns of security vulnerability

Swisslog Healthcare says more than 3,000 of its pneumatic tube systems run the Translogic PTS platform, which has nine vulnerabilities, some of which allow takeover of the system.  Swisslog has started patching these, and users of the system are encouraged to update and keep an eye out for future updates.

Olympus hit with a cyber attack

Medical technology company Olympus was forced to take down all systems in the Americas due to a cyber attack.  They are not giving any specifics.  It should be mentioned that Olympus's European, Middle East, and African operations were attacked in September.  

San Juan Regional Medical hacked

San Juan Regional Medical Center in Farmington, New Mexico announced a data breach of patient records.  The breach occurred on September 8, 2020.  The hospital is contacting patients whose data was accessed.

Fertility Clinic data breach

Quest Diagnostics has announced a data breach after an August ransomware attack.  Health and financial information of about 359,999 patients of ReproSource (a Quest-owned fertility clinic) was exposed.  ReproSource began notifying victims on September 24th.

Healthcare cybersecurity is growing as a discipline

HelpNetSecurity brings us a review of the current state of healthcare cybersecurity.  They point out that while there is no direct link to patient deaths due to breaches in the US, there have been situations where a breach was a contributing factor, and deaths have occurred in other countries.  I personally think this is going to be a large growth industry in the coming years around the world.

FDA gives guidance on cyber disclosure

The U.S. Food and Drug Administration (FDA) has issued a best practices guide for informing customers of medical devices about cybersecurity flaws.  The goal of this document is to help the industry give "clear, actionable communications" to promote public health.  This is guidance, not a requirement; it offers suggestions to help guide the conversation.


Port of Houston targeted by Nation-State hackers

Unnamed nation-state hackers attempted to breach the ManageEngine ADSelfService Plus instance used by the Port of Houston in order to gain access to critical systems.  It is believed that the attack was unsuccessful.  As yet, there is very little information about who was behind the attack or exactly what methods were used.

Siemens and Schneider Electric release patches

More and more entities are jumping on the patch Tuesday bandwagon.  Siemens and Schneider Electric released more than 50 patches the week of October 11th.  

Johnson Controls exacqVision vulnerable

Tenable announced that it discovered two security flaws in the exacqVision web service used in Exacq products.  In one attack, if the service is configured with passthrough accounts, an attacker can steal those credentials and reuse them on the server.  The other attack crashes the server with specially crafted data packets.  Both attacks can be launched from the internet.

Critical flaws in Honeywell Experion PKS and ACE controllers

CISA released an advisory on several security vulnerabilities in these controllers that could lead to denial of service or remote code execution.  The CVEs are:
  • CVE-2021-38397 (CVSS score: 10.0) - Unrestricted Upload of File with Dangerous Type
  • CVE-2021-38395 (CVSS score: 9.1) - Improper Neutralization of Special Elements in Output Used by a Downstream Component
  • CVE-2021-38399 (CVSS score: 7.5) - Relative Path Traversal
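As an added illustration of two of the weakness classes named in that list, relative path traversal and unrestricted upload of a dangerous file type, the Python below puts a naive upload-path handler beside a hardened one. This is generic example code written for this post, not Honeywell's firmware or anything from the CISA advisory; the upload root, the extension allow-list and the sample file names are assumptions.

```python
"""Vulnerable and hardened handling of a client-supplied upload file name.

Illustration only: the directory and allow-list below are hypothetical,
and none of this is Honeywell code.
"""
import posixpath

UPLOAD_ROOT = "/srv/app/uploads"             # hypothetical destination
ALLOWED_SUFFIXES = {".csv", ".txt", ".pdf"}  # hypothetical allow-list


def vulnerable_target(filename: str) -> str:
    """Joins the client-supplied name straight under the upload root.

    '../../../etc/cron.d/job' walks out of the root (relative path
    traversal) and 'payload.dll' is stored unchanged (unrestricted upload
    of a dangerous type).  Both classes live in this one line.
    """
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def hardened_target(filename: str) -> str:
    """Accepts a bare file name with an allow-listed extension, or raises."""
    # Reject rather than sanitize: a legitimate file name never carries a
    # path separator of either flavour, a NUL byte, or a leading dot.
    if (not filename
            or any(c in filename for c in "/\\\x00")
            or filename.startswith(".")):
        raise ValueError(f"rejected name: {filename!r}")
    # Allow-list the extension; compare case-insensitively so 'X.PDF' works
    # and 'report.csv.dll' is judged by its real last suffix.
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed file type: {filename!r}")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    # Defence in depth: the result must be a direct child of the root even
    # if an earlier check is ever weakened.
    if posixpath.dirname(target) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return target


def is_accepted(filename: str) -> bool:
    """True if the hardened handler would store this name."""
    try:
        hardened_target(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names exercising both weakness classes.
    for name in ["report.csv", "../../../etc/cron.d/job", "payload.dll",
                 "..\\..\\report.csv", ".htaccess", "report.csv\x00.dll"]:
        print(f"{name!r:32} naive -> {vulnerable_target(name)}")
        print(f"{'':32} hardened accepts: {is_accepted(name)}")
```

The extension allow-list is only the first half of "dangerous type": the stored file should also live outside any web-served or executable directory and be served back with a fixed content type, which the snippet leaves to the caller.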


US authorities warn of ongoing attacks against water systems

A joint advisory was released outlining the persistence of attacks against U.S. water infrastructure systems.  They point out that this is in line with the increase of attacks against all infrastructure computer systems seen in the US.  

Indian Government releases power cybersecurity guidelines

The Indian government has released guidelines for creating a secure cyber ecosystem for power providers.  Of note, it requires purchasing 'trusted products' from 'trusted sources', highlighting the growing concern about supply-chain attacks.

TSA to strengthen cyber regulations

The Transportation Security Administration will introduce regulations that compel rail and air operators to improve cybersecurity.  Some of those requirements include naming a chief cyber official, disclosing hacks to government agencies (I suspect CISA), and having recovery plans for attacks.  

Education cyber security report card

The education sector is seeing more attacks but seems to be lagging in its response rate to vulnerabilities.  It seems that threat actors have taken advantage of COVID and the remote learning environments it spawned to launch coordinated attacks.

Isle of Wight schools hit by a ransomware attack

As schools get back in session we will probably see more of this.  Threat actors have figured out that they can time attacks to increase ransom pressure before big events (like the start of the school year for schools, or the summer travel season for oil distribution companies).  In this case, the attack took down almost all educational institutions on the Isle of Wight.  

Allen ISD extortion

Allen ISD, a school district in Texas, did not pay the ransom, so now it is being extorted.  The attackers used the data they stole to send emails directly to the parents, employees, and students who were affected.  This has been a growing trend and underscores the value of encrypting data at rest, with one caveat: encryption only helps if the attackers cannot also obtain the keys or read the data through a compromised application that decrypts it for them.  An intruder who has taken over the file server or the database account usually sees the same plaintext the application does, so key separation and access controls matter as much as the encryption itself.

School hacked by former IT employee

One of the conversations I remember between my best friend's dad and me when I first got into computers in the late 70s was to always put in a back door as a method of job assurance.  Now that I am on the data protection side of the game, I admit this is one of my worst fears.  This fear was realized when a fired IT worker breached a school system's computers and, among other things, locked others out of the system.  It appears that he then went on to do the same thing to a company he was working at after this incident.  

Missouri governor tries to prosecute reporter of data leak 

A website run by the state of Missouri exposed the SSNs of state teachers in the plain-text HTML source of its pages.  The reporter in question discovered the issue and reported it to the state, and the paper he worked for agreed not to publish the information.  The state is nevertheless trying to prosecute the reporter and went so far as to label him a criminal hacker.
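Finding data like this is a matter of reading the page source, not of breaking in. As an added example (written for this post, not from the article or from the Missouri site), the Python below scans raw HTML for SSN-shaped values, including ones that sit in hidden form fields and inline scripts and never appear on the rendered page. The sample page, its names and the number 219-09-9999 are constructed placeholders, and the SSA structure rules used to cut false positives are the published ones (area not 000, 666 or 900-999; group not 00; serial not 0000).

```python
"""Scan raw HTML source for Social Security Number patterns."""
import re
from html import unescape

# Constructed sample page (not the real Missouri site).  The rendered page
# shows only the last four digits, but the raw source still carries the
# full number in a hidden input and an inline script.
SAMPLE_HTML = """<html><body>
<h1>Educator Certificate Lookup</h1>
<p>Name: Jane Example, SSN ending 9999</p>
<input type="hidden" name="ssn" value="219-09-9999">
<script>var record = {"cert":"12345","ssn":"219099999"};</script>
<p>Phone: 555-123-4567  Invoice: 123-45-6789x</p>
</body></html>"""

# SSA structure rules: area is not 000, 666 or 900-999; group is not 00;
# serial is not 0000.  Separators are optional so unformatted numbers are
# caught too.  The lookarounds refuse matches glued to other word
# characters or hyphens, which drops phone-number fragments and the tail
# of longer hyphenated identifiers.
SSN_RE = re.compile(
    r"(?<![\w-])(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})(?![\w-])"
)


def find_ssns(html: str) -> dict:
    """Map each SSN (9 digits, normalized) to the source snippets it appears in.

    Entities are decoded first so '&#50;19-09-9999' is not missed, and the
    scan runs over the raw source rather than the visible text on purpose.
    """
    source = unescape(html)
    hits = {}
    for m in SSN_RE.finditer(source):
        digits = "".join(m.groups())
        start = max(0, m.start() - 30)
        snippet = source[start:m.end() + 10].replace("\n", " ")
        hits.setdefault(digits, []).append(snippet)
    return hits


def mask(ssn_digits: str) -> str:
    """Report a finding without repeating the full number."""
    return "***-**-" + ssn_digits[-4:]


def summarize(html: str) -> dict:
    hits = find_ssns(html)
    return {"unique": len(hits),
            "occurrences": sum(len(v) for v in hits.values())}


if __name__ == "__main__":
    for ssn, snippets in find_ssns(SAMPLE_HTML).items():
        print(mask(ssn), "appears", len(snippets), "time(s) in the source")
        for s in snippets:
            print("   ...", s.strip(), "...")
    print(summarize(SAMPLE_HTML))
```

Run it against a saved copy of your own application's responses (view-source output, not the rendered text) before someone else does; a hit in a hidden field or a script block is exactly the kind of exposure this story describes.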

Several Oklahoma Sheriff web pages defaced

A single hacker seems to be behind the defacement of several websites managed by the company sheriffwebsites.com.  The attacker said they only wished to spread their religious ideology and by Wednesday evening had returned the websites to the hosting company.  They claim the attack was possible due to unpatched software used by the hosting service.

Legislative actions 

The U.S. Senate is working on cybersecurity legislation.  Right now no bills have made it out of committee, and few even exist in written form in the committees.  They are reaching out and talking with those on the front lines in an attempt to make the legislation more targeted (we can hope).  One of the subjects that is gaining traction is some sort of mandatory reporting for critical infrastructure operators.  

U.S. Senators introduced a bill to require reporting critical infrastructure cyber attacks within 72 hours.  In addition, any business with greater than 50 employees would be required to report any ransomware payments.  The bill requires covered entities to perform a review of options other than paying ransoms.  The agency that will collect these reports is the Cybersecurity and Infrastructure Security Agency (CISA).  




The Australian government has a new set of standalone criminal offenses for Ransomware.  Much like the United States, Australia has been slow to criminalize activities that utilize technology to deprive people and the government of their resources.  Governments around the world should take note and get caught up to the current criminal landscape.

A group of cybersecurity pros is seeking legal protection for reporting vulnerabilities.  As highlighted by the Missouri case above, hacking laws are often misused to silence the good guys who are trying to improve security.  Coroneos is launching a campaign to change the laws worldwide to ensure that researchers will not face prosecution.  I will applaud Oklahoma, which recently tweaked its legal wording to protect pen testers from the legal ramifications of doing their jobs.

The Netherlands has joined the US, the UK, and several EU nations in announcing that it will respond to cyber-attacks in the same manner as physical attacks.  This includes both cyber and armed military responses.
