HC3 Analyst Note / en Thu, 01 May 2025 19:31:15 -0500 Thu, 20 Jan 22 15:18:11 -0600 HC3 TLP White Threat Briefing: Log4J Vulnerabilities and the Health Sector January 20, 2022 /hc3-analyst-note/2022-01-20-hc3-tlp-white-threat-briefing-log4j-vulnerabilities-and-health-sector <p><strong>Agenda</strong></p> <ul> <li>Introduction/Overview</li> <li>Logging Libraries/Frameworks</li> <li>Apache Log4J</li> <li>Timeline of Major Events</li> <li>Timeline of Exploitation</li> <li>Geographic Distribution of Exploitation</li> <li>Log4J Vulnerabilities</li> <li>Exploitation Details</li> <li>Patching and Remediation</li> <li>Conclusions</li> <li>References</li> </ul> Thu, 20 Jan 2022 15:18:11 -0600 HC3 Analyst Note HC3 TLP White: Analyst Note: Mespinoza/GoldBurlap/CYBORG SPIDER, January 6, 2022 /hc3-analyst-note/2022-01-06-hc3-tlp-white-analyst-note-mespinozagoldburlapcyborg-spider-january-6 <h3>Executive Summary</h3> <p>Mespinoza (also known as GOLD BURLAP and CYBORG SPIDER) is a cybercriminal group that operates PYSA ransomware, among other cyber weapons, and has been active since 2018. They have a history of targeting many industries, including healthcare, and continue to develop their capabilities and increase their targeting frequency.</p> <h3>Report</h3> <p>Mespinoza (also known as GOLD BURLAP and CYBORG SPIDER) is a financially motivated cybercriminal group <a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank">initially observed engaging in cyberattacks in October 2018</a>. They developed and operated their own ransomware variant (PYSA), which, after undergoing several updates, began encrypting victim files with the .pysa extension in December 2019. They also regularly use a number of other tools, including ADRecon, Advanced Port Scanner, DNSGo RAT, Mimikatz, PEASS and PowerShell Empire. 
By the end of 2020, Intel471 considered them to be a “rising power”, and as of November 2021 they are known to have accumulated at least 190 global victims via ransomware attacks alone. PYSA is cross-platform ransomware, with versions developed in both C++ and Python.</p> <p>Mespinoza operates a leak site called “Pysa’s Partners”, which it uses for “name and shame” tactics that apply additional pressure to compel victims to pay ransoms. Mespinoza is not known to operate as ransomware as a service (RaaS). The top five countries targeted by PYSA are the US, UK, Canada, Spain, and Brazil. Figure 1 depicts their total global targeting, with the color corresponding to the number of victims in each country (scale at bottom):</p> <p>View the detailed report below.</p> Thu, 06 Jan 2022 12:01:20 -0600 HC3 Analyst Note HC3 TLP White: Analyst Note: BrakTooth Vulnerabilities September 23, 2021 /h-isac-reports/2021-09-23-hc3-tlp-white-analyst-note-braktooth-vulnerabilities-september-23-2021 <div class="container row"> <div class="row"> <div class="col-md-8"> <h2>Executive Summary</h2> <p>The BrakTooth vulnerabilities came onto the radar on August 31, 2021, after being discovered by the ASSET (Automated Systems Security) Research Group at the Singapore University of Technology and Design (SUTD). BrakTooth is described as a new family of security vulnerabilities found in commercial Bluetooth Classic stacks for various System-on-Chips (SoC). 
BrakTooth affects the Bluetooth Classic (BR/EDR) protocol and millions of Bluetooth-enabled devices manufactured by Intel, Qualcomm, Texas Instruments, Infineon (Cypress), Zhuhai Jieli Technology, and Silicon Labs.<br /> This is a concern to the US healthcare industry because Bluetooth devices are used in various essential roles, and tampering with these devices could have adverse consequences.</p> <h2>Report</h2> <p>BrakTooth vulnerabilities pose a threat to the Healthcare and Public Health (HPH) sector because, according to the researchers, the risk associated with this set of security flaws ranges from denial-of-service (DoS), by crashing the device firmware or causing a deadlock condition in which Bluetooth communication is no longer possible, to arbitrary code execution. This is a new family of security vulnerabilities affecting Bluetooth stacks implemented on system-on-a-chip (SoC) circuits.</p> </div> <div class="col-md-4"> <div> <p><strong>For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:</strong></p> <h3><a href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf">John Riggi</a></h3> <h4>Senior Advisor for Cybersecurity and Risk, AHA</h4> <h4><a href="mailto:jriggi@aha.org?subject=Cybersecurity and Risk Advisory Services Query">jriggi@aha.org</a></h4> <h4>(O) <a href="tel:1-202-626-2272">+1 202 626 2272</a></h4> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/system/files/media/file/2020/11/AHA-Riggi-Senior-Advisor-for-Cyber-and-Risk-Bio-08102020.pdf" target="_blank">More on John Riggi</a></div> <div class="external-link spacer"><a class="btn btn-wide btn-primary" href="/guidesreports/2018-06-15-cybersecurity-and-risk-advisory-services" target="_blank">Learn more about AHA's Cybersecurity and Risk Advisory Services</a></div> </div> </div> </div> </div> Thu, 23 Sep 2021 16:28:59 -0500 HC3 Analyst Note HC3 TLP White: Analyst Note Ransomware Attack on 
COVID-19 Vaccination Registration Portal in Italy's Lazio Region /hc3-analyst-note/2021-08-06-hc3-tlp-white-analyst-note-ransomware-attack-covid-19-vaccination <div class="container row"> <div class="row"> <div class="col-md-8"> <h2>Executive Summary</h2> <p>On August 1, 2021, the Lazio region in Italy suffered a ransomware attack that impacted the region’s COVID-19 vaccination registration portal, halting new vaccination appointments for days. A new, temporary website came online on August 5, 2021, with the original site expected to relaunch on Monday, August 9, 2021. While most media outlets are reporting that RansomEXX ransomware was responsible for the attack, an Italian security researcher claimed to have evidence that LockBit 2.0 was also involved. A terrorism investigation has been opened in Italy as a result of the attack.</p> <h2>Report</h2> <p>Between Saturday night, July 31, 2021, and Sunday morning, August 1, 2021, the Lazio region in Italy suffered a RansomEXX ransomware attack that disabled the region's IT systems, including the COVID-19 vaccination registration portal. Furthermore, an Italian security researcher <a href="https://twitter.com/JAMESWT_MHT/status/1422652277467328517">claimed to have evidence</a> that the attack may have also involved LockBit 2.0 ransomware. While the tweet has since been deleted, a screenshot was obtained (see below). The systems were shut down during incident response to allow for internal verification following the attack and to avoid further infection. The LockBit 2.0 ransomware gang is <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/">actively recruiting corporate insiders</a> to help them breach and encrypt networks, according to BleepingComputer.</p> <p>The Lazio region of Italy is the second most populated region of Italy and includes the country's capital, Rome. 
The President of the Lazio Region, Nicola Zingaretti, said that a <a href="https://www.reuters.com/article/italy-hack/prosecutors-probe-terrorism-among-reasons-behind-italy-region-hacking-sources-idINL8N2PA5N7">terrorism investigation</a> had been opened as a result of the attack, stating that, while the perpetrators were still unidentified, the attack likely came from abroad.</p> <p>According to the Councilor for Health of Lazio, Alessio D’Amato, the attack <a href="https://www.punto-informatico.it/regione-lazio-attacco-ransomexx-lockbit-2-0/">likely began</a> after the administrator credentials of an employee of LazioCrea (the company that manages the region's computer network) were compromised and obtained by the threat actors, allowing the attackers to log on to the LazioCrea VPN and deploy ransomware on the regional CED network.</p> <p>Chuck Everette, director of cybersecurity advocacy at cybersecurity company Deep Instinct Ltd., <a href="https://siliconangle.com/2021/08/03/italian-vaccine-booking-site-taken-offline-ransomware-attack/">stated that</a> “the attack on Lazio’s vaccine portal appears to be part of a supply chain attack and is therefore not an isolated incident. As this attack is part of a wider campaign, it should be the cause of further concern for other government agencies and healthcare organizations across the world.”</p> <p>While the ransomware attack reportedly encrypted almost every file in the datacenter, officials stated that vaccinations would continue as normal for those who had already booked an appointment, with new vaccine bookings suspended for the few days following the incident. On August 3, 2021, the Lazio Region stated on Twitter that the services for booking vaccination appointments would be restored <a href="https://twitter.com/RegioneLazio/status/1422558361845964802">within 72 hours</a>, by Friday, August 6, 2021. 
On August 5, 2021, the president of the Lazio region stated that the vaccination appointments had <a href="https://www.thelocal.it/20210805/italys-lazio-region-resumes-covid-vaccine-bookings-after-hack/">resumed with a new website</a> at prenotavaccino-covid.regione.lazio.it, while a temporary version of the original site for vaccine appointments would reportedly launch on Monday, August 9, 2021.</p> <p>The RansomEXX ransomware-as-a-service (RaaS) operation, previously known as Defray777, has been active since 2018 but came to fame in 2020 after attacks on major organizations, including the Texas Department of Transportation. RansomEXX started as a Windows variant, but a Linux variant was discovered in January 2021. The ransomware is usually delivered as a secondary in-memory payload without ever touching the disk, which makes it harder to detect and highly evasive. In February 2021, RansomEXX ransomware hit the French health insurance company Mutuelle Nationale des Hospitaliers (MNH), severely disrupting the company's operations.</p> <p>View the entire report below. 
</p> </div> </div> </div> Fri, 06 Aug 2021 17:19:46 -0500 HC3 Analyst Note HC3 TLP White: Analyst Note Overview of Phobos Ransomware July 7, 2021 /hc3-analyst-note/2021-07-08-hc3-tlp-white-analyst-note-overview-phobos-ransomware-july-7-2021 <h2>Overview of Phobos Ransomware</h2> <div class="container row"> <div class="row"> <div class="col-md-8"> <h3>Executive Summary</h3> <p>Phobos ransomware first surfaced in late 2017, with many researchers quickly discovering links between Phobos and the Dharma and CrySiS ransomware variants. The Phobos ransomware operators are known to primarily target small- to medium-sized businesses (including healthcare entities such as hospitals) and typically demand lower ransom amounts compared to other ransomware families. Phobos proved to be one of the most prevalent ransomware families throughout 2019 and 2020. The capabilities of Phobos ransomware continue to evolve, with new variants that make the ransomware more difficult to detect identified as recently as April 2021. 
Basic mitigations include securing Remote Desktop Protocol (RDP), enforcing strong password and account lockout policies, enforcing multi-factor authentication, requiring virtual private networks, maintaining disaster recovery strategies, and keeping software updated.</p> <h3>Report</h3> <p>At its inception in 2017, Phobos was being distributed by the Dharma ransomware operators. Phobos likely served as an insurance policy for malicious campaigns, providing affiliates with a second option for conducting attacks should Dharma end up being decrypted, according to ZDNet. In 2019, researchers at Malwarebytes concluded that there were significant similarities between Phobos and Dharma ransomware, suggesting the same developers were responsible for their creation. Phobos also contains elements of CrySiS ransomware (which is also related to Dharma), with anti-virus software often detecting Phobos as CrySiS. Phobos has served as the foundation for later variants, including Eking, discovered in October 2020, and Fair, detected in March 2021. In this most recent variant, the developers added new fileless and evasive techniques.</p> <p>Given the considerable effort by the ransomware developers to add new defense evasion capabilities and footprint reduction in the <a href="https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware">recent Fair variant of Phobos ransomware</a>, researchers suggest that the operators behind Phobos are likely more focused on cyber espionage while attempting to increase their foothold in enterprise businesses. In one case, the threat actors maintained persistence in a company’s network for eight months while remaining undetected. One of the more significant recent updates to Phobos ransomware is a narrower scope of encryption: the Phobos developers removed the UAC requirement in order to remain at medium integrity. This means no encryption of privileged folders, which leads to a lower footprint. 
While there are fewer files to encrypt, Phobos’s developers did not want to compromise on files with open handles, which most likely will have a significant impact on victims. Additionally, in December 2020, <a href="https://www.trendmicro.com/vinfo/my/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware">researchers discovered</a> a variant of Agent Tesla (aka Negasteal) that used the paste site "hastebin[.]com" for the fileless delivery of the CrySiS ransomware. CrySiS and Dharma are both known to be related to Phobos ransomware. There is also a clear indication that Phobos ransomware targets servers rather than workstations, as some of the malware’s commands are only relevant to servers.</p> <p>Like Dharma's, Phobos ransom notes do not demand a specific amount, but rather instruct victims to email the Ransomware as a Service operators to discuss pricing. Sources differ on the average ransomware payment for Phobos, with Coveware placing it at approximately $38,100 as of May 2021, Unit 42 identifying it as $13,955 in 2020, and Advanced Intelligence claiming the average ransom is between $5,000 and $6,000 in Bitcoin. Advanced Intelligence also reports that the ransom amount is increased by $3,000 if the initial ransom demand is ignored. Additionally, the average amount of time from reporting to full data recovery of a Phobos ransomware incident was 16 days, compared to an average of 19 days for all ransomware variants, according to Coveware. 
The recovery period is usually quicker because most victims have small networks with just a few endpoints.</p> <p>Common infection vectors for Phobos ransomware include distribution via malicious attachments in phishing emails, open and poorly secured Remote Desktop Protocol (RDP) connections, brute force techniques to obtain RDP credentials, leveraging stolen or illegally purchased RDP credentials, common security misconfigurations, and insecure connections on ports 338 and 3389, which are legitimately used for remote access to servers.</p> <p>Palo Alto Networks has observed Phobos ransomware attacks on victims in various industries including healthcare, with the threat actors mainly targeting small- to medium-sized businesses. In September 2019, an attack by the Dharma/CrySiS ransomware on a hospital in Texas resulted in the encryption of many of the hospital's records containing patient information and medical data. In June 2019, at least four hospitals in Romania were hit by ransomware in attacks the Romanian Intelligence Service said it suspected were launched by Chinese hackers. A further investigation carried out by specialists from CERT-RO, Cyberint, and Bitdefender indicated that the hospitals were attacked with Maoloa and Phobos ransomware. View the entire report below. 
</p> </div> </div> </div> Thu, 08 Jul 2021 18:29:22 -0500 HC3 Analyst Note HC3-TLP White Analyst Note: Conti Ransomware May 25, 2021 /hc3-analyst-note/2021-05-25-hc3-tlp-white-analyst-note-conti-ransomware-may-25-2021 <h2>Executive Summary</h2> <div class="container row"> <div class="row"> <div class="col-md-8"> <p>Conti ransomware has recently been brought back into the spotlight due to its attack on Ireland’s national health system, the Health Service Executive (HSE). Conti leverages many of the tools and techniques common among major ransomware operators, such as encryption, double extortion via a leak site, ransomware-as-a-service partnerships, and many of the frequently successful infection vectors such as phishing and Remote Desktop Protocol (RDP) compromise, among others. 
One of several recommendations given by Sophos security researchers to protect networks from Conti is to keep regular backups of important and current data on an offline storage device.</p> <h2>Report</h2> <p>On May 14, 2021, Ireland’s HSE shut down “all national and local IT systems” in response to a Conti ransomware attack detected on their networks. The shutdown was an effort to contain the ransomware and “to protect [the systems] from encryption by attackers.” Additionally, all HSE employees were instructed to turn off their computers and not turn on computers that were already powered down.</p> <p>Conti ransomware is ransomware-as-a-service malware that targets victims primarily in North America and Western Europe. According to Sophos, the industries most frequently targeted by Conti are retail, manufacturing, construction, and the public sector, but any sector or industry can be targeted. Conti was found by Coveware to have one of the biggest market shares of all ransomware operators in the first quarter of 2021. Conti is generally considered a successor to the Ryuk ransomware; however, one significant distinction between the two malware families is that Conti ransomware uses the double-extortion technique.</p> <p>The double-extortion technique demands a ransom payment from the victim for the decryption key that will allow the victim to regain access to their encrypted files. If the ransom is not paid, the attackers will leak some or all of the victim’s stolen information on the Conti leaks website—where anyone can download the information. In other instances, the attackers will sell the stolen data to other criminals for their use to further exploit the victim. Conti is known to use the cloud storage provider Mega to store victims’ data.</p> <p>Conti gains access to their victims’ networks through various means, including vulnerable firewalls, exposed remote desktop protocol (RDP) services, and phishing user credentials via spam emails. 
After initial access, Conti uses a two-stage process to infect the victim’s network. The first stage uses a Cobalt Strike DLL “that allocates the memory space needed to decrypt and load meterpreter shellcode into system memory.” After contacting the command-and-control (C2) server, the second stage occurs when “another Cobalt Strike shellcode loader that contains the reflective DLL loader instructions” is sent to the victim. Conti’s manner of delivery makes it difficult for network defenders to identify it. As Sophos researchers explain, “[b]ecause the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer’s file system. . ..[t]here is no artifact of the ransomware left behind for even a diligent malware analyst to discover and study.”</p> <p>After infection, the ransomware can immediately begin to encrypt the victim’s files (Conti uses a unique AES-256 encryption key per file, which is then encrypted with an RSA-4096 encryption key) while, “at the same time, sequentially attempting to connect to other computers on the same network subnet, in order to spread to nearby machines, using the SMB port.” It can take attackers 15 minutes to move from server to server within a compromised network. Conti takes less than 20 minutes to set up communications with the C2, but even if those communications cannot be established, it can encrypt the victim’s files without C2 instructions. According to researchers at Sophos, because the encryption process can take hours, “most targeted ransomware attacks are launched in the middle of the night, over a weekend or on a holiday, when fewer people are watching.” View the entire report below. 
</p> </div> </div> </div> Tue, 25 May 2021 17:59:11 -0500 HC3 Analyst Note HC3 TLP White Analyst Note: Application Programming Interfaces and Healthcare Cybersecurity /hc3-analyst-note/2021-04-26-hc3-tlp-white-analyst-note-application-programming-interfaces-and <div class="container row"> <div class="row"> <div class="col-md-8"> <h2>Executive Summary</h2> <p>Application Programming Interfaces (APIs) are a critical component of modern health information technology infrastructures. Because of their role in passing information between resources, they are an enticing target for attackers, either for carrying out data breaches or as hop points for further compromise. Understanding how they fit into a healthcare enterprise environment, along with the security concerns they carry with them, is a necessary but not sufficient part of protecting against common threats to healthcare in cyberspace. 
They are common targets among many threat actors and, due to their versatility, are frequently targeted regardless of the attackers’ specific goal.</p> <h2>Background – What are APIs and how do they fit into an Enterprise Infrastructure?</h2> <p>Application Programming Interfaces are relatively small software components that serve as a seamless interface allowing two applications or resources to talk to each other. In modern implementations, they are often the intermediary process engine that sits between a user-facing application and a database, cloud, or other resource that provides information or a service. From a developer’s perspective, the API enables separate software platforms to be continuously developed without interruption to their interoperability. APIs are one example of an iterative development methodology which, along with others such as DevOps, DevSecOps and Agile, enables incremental upgrades of application components to be quickly deployed to consumers without first submitting to the longer quality assurance lifecycles of legacy technologies. 
APIs allow software applications to work well together even as they are upgraded over time.</p> </div> </div> </div> Mon, 26 Apr 2021 00:40:17 -0500 HC3 Analyst Note HC3 TLP White Analyst Note: Active Exploitation of Pulse Secure Zero-Day Vulnerabilities by Multiple Threat Actors /hc3-analyst-note/2021-04-21-hc3-tlp-white-analyst-note-active-exploitation-pulse-secure-zero-day <div class="container row"> <div class="row"> <div class="col-md-8"> <p>VPN provider Ivanti Pulse Secure has released mitigations for multiple actively exploited vulnerabilities affecting the Pulse Connect Secure (PCS) SSL VPN appliance, including a new vulnerability tracked as CVE-2021-22893. Because multiple state-sponsored threat actors have been observed exploiting this vulnerability in the wild, the newly discovered vulnerability has been assigned the highest possible severity rating (10/10). Pulse Secure has released mitigations and plans to release a security update in early May. 
Although Pulse Secure has stated that only a small number of customers were the subject of active exploitation of these vulnerabilities, both Pulse Secure and CISA recommend that customers use the recently released Ivanti Pulse Connect Secure Integrity Tool to determine if any systems are impacted. Currently, there is no evidence that these attacks have introduced any backdoors or supply chain compromise. While no Healthcare and Public Health (HPH) Sector entities have been publicly identified as victims, HPH organizations using PCS should act to mitigate these vulnerabilities.</p> </div> </div> </div> Wed, 21 Apr 2021 15:33:05 -0500 HC3 Analyst Note HC3-TLP white Analyst Note: New DNS Vulnerabilities Impacting Healthcare Organizations April 14, 2021 /hc3-analyst-note/2021-04-15-hc3-tlp-white-analyst-note-new-dns-vulnerabilities-impacting-healthcare <div class="container row"> <div class="row"> <div class="col-md-8"> <p>On 12 April 2021, security researchers disclosed a series of medium, high and critical severity DNS 
vulnerabilities impacting the TCP/IP stacks present in potentially millions of enterprise and consumer devices, with organizations in the healthcare and government sectors impacted most. The flaws could enable threat actors to take affected devices offline or gain control over them. While some patches have been released and mitigations are available, many organizations may encounter hurdles applying the patches where centralized vulnerability management is not an option, and many device owners may not even be aware that their devices contain these vulnerable TCP/IP stacks.</p> </div> </div> </div> Thu, 15 Apr 2021 16:58:36 -0500 HC3 Analyst Note HC3 TLP White Analyst Note: Vishing and Phishing Campaigns Targeting the HPH Sector April 13, 2021 /hc3-analyst-note/2021-04-13-hc3-tlp-white-analyst-note-vishing-and-phishing-campaigns-targeting-hph <div class="container row"> <div class="row"> <div class="col-md-8"> <p>In late March 2021, security researchers revealed details of a malicious campaign targeting the healthcare 
and public health (HPH) sector by leveraging call centers to distribute malware to its targets. Numerous campaigns in the past year have successfully leveraged voice-changing software, Voice over IP (VoIP) software, caller ID spoofing, and social engineering techniques to obtain sensitive information or install malware on targeted systems. HC3 assesses that these trends will continue due to previous successful exploitation.</p> </div> </div> </div> Tue, 13 Apr 2021 19:31:04 -0500 HC3 Analyst Note