H-ISAC: White Reports / en Sun, 15 Jun 2025 13:10:30 -0500 Fri, 06 Jun 25 15:15:37 -0500 H-ISAC TLP White: Hacking Healthcare - Weekly Blog - June 6, 2025 /h-isac-white-reports/2025-06-06-h-isac-tlp-white-hacking-healthcare-weekly-blog-june-6-2025 <div class="container row"><div class="row"><div class="col-md-8"><p>This week, Health-ISAC®'s Hacking Healthcare® examines where things stand several months into the Trump Administration's term regarding healthcare and cybersecurity. This edition of Hacking Healthcare will recap some of the significant developments from the beginning of Trump’s term to Thursday’s confirmation hearings, and then will assess what we might expect to see happen next.</p><p>View the detailed report below.</p></div><div class="col-md-4"><div><p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p><h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3><h4>National Advisor for Cybersecurity and Risk, AHA</h4><h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4><h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div><div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div></div></div></div></div> Fri, 06 Jun 2025 15:15:37 -0500 H-ISAC: White Reports H-ISAC TLP White: The Brazilian Critical Infrastructure Threat Landscape /h-isac-white-reports/2025-05-29-h-isac-tlp-white-brazilian-critical-infrastructure-threat-landscape <p>Monthly Geopolitical Deep Dive: 
<strong>May</strong> <strong>2025</strong></p><p>This report, published once a month, is an in-depth analysis of a geopolitical trend whose cascading consequences adversely impact the healthcare sector. This report is a joint endeavor between RANE and Health-ISAC. The guidance and insight within are designed to help members navigate particularly complex geopolitical developments with healthcare-specific analysis and mitigation strategies. </p><p>View the detailed reports below. </p> Thu, 29 May 2025 11:56:18 -0500 H-ISAC: White Reports The Brazilian Critical Infrastructure Threat Landscape and Implications for Healthcare Organizations /h-isac-white-reports/2025-05-29-brazilian-critical-infrastructure-threat-landscape-and-implications-healthcare-organizations <h2>Key Judgements </h2><ul><li>Fragmented care between rural and urban clinical environments has led to heightened risks of violence toward health sector employees. Brazilian centralized healthcare access requires large data stores, which threat actors have often targeted.</li><li>Nation-state actors and financially-motivated criminals pose espionage, data breach and extortion risks: Brazilian critical infrastructure organizations face a broad array of cyber threats, including sophisticated foreign state-sponsored threats, as well as growing nonstate cybercriminal (and hacktivist) campaigns, which elevate a range of monetary and operational risks, including for healthcare entities.</li><li>Petty criminals and organized criminal groups occasionally threaten critical services: Copper cable thefts are pervasive and sporadically result in blackouts or disruption to traffic light systems, while organized criminal groups damage or prevent maintenance of water stations and telecommunication antennas in low-income areas they control, posing operational risks to healthcare service providers in these regions.</li><li>Protest activity and labor action will likely pick up ahead of 2026 elections: Brazil’s polarized 
political and social environments will fuel recurring protests and strikes over the coming 18 months, opening the door to sporadic violent and/or disruptive incidents.</li><li>Terrorism risks will remain low, although isolated plots will persist: While Brazil has not recorded terrorist incidents in recent decades, police have thwarted multiple plots in recent years, highlighting underlying risks of religiously- or politically-motivated attacks.</li><li>Increasingly frequent extreme weather events threaten to disrupt transportation and utilities: Intense droughts have become more frequent and will threaten hydroelectric power generation and water transportation, while heavy rains will result in flash floods and landslides, causing significant damage to urban and road infrastructure.</li></ul><p>View the detailed report below.</p> Thu, 29 May 2025 11:39:07 -0500 H-ISAC: White Reports H-ISAC TLP Green Ransomware Data Leak Sites Report - May 7, 2025 <div class="container row"><div class="row"><div class="col-md-8"><p>The information provided in the report is pulled from threat actor data leak sites ‘as is,’ meaning it is shared as it has been posted by the threat group. They have been known to make mistakes, have typos, misname victims, or use other language aside from the victim name. The report shares the information ‘as is’ and neither the source of the report, nor our team, goes to the individual sites to verify the information, though it can be (and we sometimes do) cross-referenced with other reporting sources. Neither the originator of the report, nor our team, is in direct discussion with the threat actors. 
There are cyber threat intelligence firms that do engage in cybercrime forums and can provide additional perspectives of victims and ongoing discussions occurring in those forums.</p><p>View the detailed report below.</p></div></div></div> Wed, 07 May 2025 14:28:02 -0500 H-ISAC: White Reports H-ISAC TLP White Threat Bulletin Ivanti Connect Secure Vulnerability Actively Exploited By China-Nexus Group /2025-04-03-h-isac-tlp-white-threat-bulletin-ivanti-connect-secure-vulnerability-actively-exploited-china-nexus-group <div class="container row"><div class="row"><div class="col-md-8"><p>On April 3, 2025, Ivanti released a <a 
href="https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US" target="_blank">security advisory</a> regarding the active exploitation of a critical security flaw affecting vulnerable Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA gateway products.</p><p>The vulnerability, tracked as CVE-2025-22457, has a critical CVSS score of 9.0 and is a stack-based buffer overflow flaw impacting Ivanti Connect Secure (22.7R2.5 and prior), Pulse Connect Secure (9.1R18.9 and prior), which reached end-of-support as of December 31, 2024, Ivanti Policy Secure (22.7R1.3 and prior), and ZTA Gateways (22.8R2 and prior).</p><p>Successful exploitation of the security flaw allows remote unauthenticated threat actors to gain remote code execution capabilities on vulnerable instances.</p><p>View the detailed report below.</p></div></div></div> Thu, 03 Apr 2025 15:40:09 -0500 H-ISAC: White Reports H-ISAC TLP White Critical CrushFTP Flaw Actively Exploited, PoC Exploit Code Available /h-isac-white-reports/2025-04-01-h-isac-tlp-white-critical-crushftp-flaw-actively-exploited-poc-exploit-code-available <div class="container row"><div class="row"><div class="col-md-8"><p>A critical vulnerability, tracked as CVE-2025-2825, affecting CrushFTP is actively being exploited following the release of proof-of-concept exploit code.</p><p>The vulnerability is an authentication bypass flaw that allows remote threat actors to gain unauthenticated access to infrastructure running unpatched CrushFTP v10 or v11 software exposed on the Internet over HTTP(S).</p><p>According to the monitoring platform Shadowserver, targeted exploitation attempts against CrushFTP were observed approximately a week after the vulnerability was disclosed.</p><p>The discovery by Shadowserver, in which over 1,500 flawed instances were exposed online, highlights the speed at which threat actors begin exploitation attempts against vulnerable products or services. 
This is evident in how quickly the vulnerability was targeted after a write-up containing technical details about CVE-2025-2825 and proof-of-concept exploit code was <a href="https://projectdiscovery.io/blog/crushftp-authentication-bypass" target="_blank">released</a>.</p><p>Health-ISAC provides this information for situational awareness and encourages users to <a href="https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update" target="_blank">upgrade</a> affected CrushFTP versions immediately, as threat actors have exhibited high interest in exploiting vulnerable file transfer products.</p></div></div></div> Tue, 01 Apr 2025 15:00:21 -0500 H-ISAC: White Reports H-ISAC TLP White Threat Bulletin: Critical Authorization Bypass Vulnerability Announced For Next.js Middleware (CVE-2025-29927) /h-isac-white-reports/2025-03-26-h-isac-tlp-white-threat-bulletin-critical-authorization-bypass-vulnerability-announced-nextjs <div class="container row"><div class="row"><div class="col-md-8"><p>On March 23, 2025, a critical vulnerability in Next.js middleware was disclosed and tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-29927" target="_blank">CVE-2025-29927</a>. The vulnerability has a critical CVSS score of 9.1 and allows attackers to bypass authorization checks by adding a specially crafted request header to HTTP requests. 
</p><p>View the detailed bulletin below.</p></div></div></div> Wed, 26 Mar 2025 15:07:19 -0500 H-ISAC: White Reports H-ISAC TLP Green Announcements - March 2025: Health-ISAC Cyber Threat Level Maintained at Yellow (Elevated) <div class="container row"><div class="row"><div class="col-md-8"><p>On March 20, 2025, the Health-ISAC Threat Intelligence Committee (TIC) evaluated the current Cyber Threat Level and collectively decided to maintain the Cyber Threat Level at <strong>Yellow (Elevated)</strong>. </p><p>View the detailed reports below. 
</p></div></div></div> Mon, 24 Mar 2025 09:17:03 -0500 H-ISAC: White Reports H-ISAC TLP White: Hacking Healthcare - Weekly Blog - March 14, 2025 /h-isac-white-reports/2025-03-14-h-isac-tlp-green-hacking-healthcare-weekly-blog-march-14-2025 <div class="container row"><div class="row"><div class="col-md-8"><p>This week, Health-ISAC<sup>®</sup>'s Hacking Healthcare<sup>®</sup> examines a new report from the European Union Agency for Cybersecurity (ENISA) to assess what it says about the cybersecurity maturity and criticality of various sectors in the EU. We break down how the health sector measures up to other sectors and where ENISA thinks there is room for improvement. 
</p><p>View the detailed blog below.</p></div></div></div> Fri, 14 Mar 2025 13:50:44 -0500 H-ISAC: White Reports H-ISAC TLP White Vulnerability Bulletin Elastic Patches Critical Kibana Flaw CVE-2025-25015 /h-isac-white-reports/2025-03-07-h-isac-tlp-white-vulnerability-bulletin-elastic-patches-critical-kibana-flaw-cve-2025-25015 <div class="container row"><div class="row"><div class="col-md-8"><p>On March 5, 2025, Elastic <a href="https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441" target="_blank">released</a> a security update to fix a critical vulnerability in Kibana, data visualization dashboard software. 
The flaw, tracked as CVE-2025-25015, has a CVSS score of 9.9, highlighting its criticality.</p><p>Kibana is a data visualization tool for Elasticsearch. Elasticsearch is used in the health sector for medical record search, data management, insights, and threat detection.</p><p>The flaw, CVE-2025-25015, could allow threat actors to send specially crafted files and use specifically crafted HTTP requests to achieve arbitrary code execution. It exists due to prototype pollution and affects all Kibana versions from 8.15.0 to 8.17.3.</p><p>A prototype pollution flaw is a security issue in which threat actors can manipulate JavaScript objects and properties, potentially leading to various security issues, including remote code execution.</p></div></div></div> Thu, 06 Mar 2025 23:32:32 -0600 H-ISAC: White Reports