A two-year-old vulnerability in Microsoft Outlook is being exploited by hackers in targeted attacks on U.S. government networks.

U.S. Cyber Command has issued a warning about vulnerability CVE-2017-1174, which is being actively exploited to install remote access Trojans and other forms of malware. U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation.

The flaw is a sandbox escape vulnerability that can be exploited if the attacker has the user’s Outlook credentials, which could be obtained via a phishing attack or other means. The attacker could then change the user’s Outlook home page to a page with embedded code that downloads and executes malware when Outlook is opened.
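The home-page abuse described above leaves a local trace a defender can audit. The following PowerShell is an added example, not code from the article or from U.S. Cyber Command, and it assumes the well-known location of Outlook's per-folder home-page setting under the current user's registry hive (HKCU:\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL); the version list and the "suspicious" heuristic are the example's own choices.

```powershell
# Added example: audit the current user's Outlook folder home-page URLs.
# Assumption: Outlook stores a folder home page at
#   HKCU:\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL
# where 14.0 = Outlook 2010, 15.0 = Outlook 2013, 16.0 = Outlook 2016/2019/365.
# A URL on a mailbox folder such as Inbox is unusual in most environments and,
# per the article, is how a remote page gets loaded each time Outlook starts.
$versions = '14.0', '15.0', '16.0'
$findings = @()

foreach ($v in $versions) {
    $webView = "HKCU:\Software\Microsoft\Office\$v\Outlook\WebView"
    if (-not (Test-Path $webView)) { continue }

    # Each subkey (Inbox, Calendar, Contacts, ...) may carry its own URL value.
    foreach ($folderKey in Get-ChildItem -Path $webView) {
        $props = Get-ItemProperty -Path $folderKey.PSPath -ErrorAction SilentlyContinue
        $url   = $props.URL
        if ([string]::IsNullOrWhiteSpace($url)) { continue }

        $findings += [pscustomobject]@{
            OfficeVersion = $v
            Folder        = $folderKey.PSChildName
            HomePageUrl   = $url
            # Heuristic (example's own): any http(s) or file:// home page on a
            # mailbox folder deserves a closer look by the incident responder.
            Suspicious    = [bool]($url -match '^(?i)(https?|file)://')
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Outlook folder home-page URLs are set for this user.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation once a hit is confirmed malicious: clear the value, e.g.
    #   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox' -Name URL
    # (shown as a comment; run it deliberately, not as part of the audit).
}
```

This registry audit only covers home pages set on the local client; because the setting can also be carried with the mailbox folder itself, it does not replace applying the patch the warning calls for.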

U.S. Cyber Command made no mention of the threat actors believed to be behind the attacks, although security researchers at Palo Alto Networks, FireEye, Chronicle, and others have linked the attacks to the Iran-backed cyberespionage group APT33.

APT33 has been exploiting this vulnerability for at least a year, but instead of using phishing, the group conducts brute force attacks using commonly used passwords. A typical attack will see multiple accounts targeted. When multiple passwords have been guessed, the Outlook vulnerability is exploited, and malware is downloaded on multiple devices on the network.

While there have been attacks on U.S. entities in the past, the group has been most active in the Middle East. The rise in attacks on American targets is believed to be linked to the escalating tensions between the two countries.

The U.S. Cyber Command warning on Twitter comes just a few days after the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, issued a warning on Twitter about Iran-backed threat groups conducting attacks using wiper malware. That warning was issued following an increase in cyberattacks on U.S. businesses and government entities by threat actors with links to Iran.

Symantec also issued a warning about an increase in attacks by the threat group APT33 in March this year, in which an exploit for a vulnerability in WinRAR was being used.

APT33, also known as Shamoon, was discovered to have links to Iran by FireEye researchers in 2017. The group is believed to have conducted a range of cyberattacks throughout the Middle East. The largest ever cyberattack in the Middle East, on oil firm Saudi Aramco in 2012, involved wiper malware called Shamoon. While the malware shares the name with the threat group, APT33 has not been confirmed as being involved in the attacks, although it is suspected by many.

Brandon Levene, head of applied intelligence at Chronicle, analyzed malware samples released by U.S. Cyber Command and found several similarities between the latest attacks and Shamoon malware campaigns in 2016. The latter leveraged a vulnerability and executed a PowerShell script to download the Pupy remote access Trojan, and there are code similarities in the downloaders used in the latest attacks.

Levene also analyzed three malicious tools that were used in the recent attacks. The tools had different purposes but would have allowed the attackers to interact with a server they have compromised and conduct a range of different malicious activities. APT33 has used similar tools in attacks in the past to remotely execute code on compromised devices. FireEye’s Andrew Thompson also attributed the latest attacks to the threat group APT33.

With the U.S. stepping up its cyber offensive against Iran and as tensions continue to rise, retaliatory attacks on U.S. targets are likely to continue.

The post U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability appeared first on HIPAA Journal.


Alive Hospice in Nashville, TN, a provider of end-of-life care, palliative care, bereavement support and community education in middle Tennessee, has announced that the email account of an employee was subjected to unauthorized access in May 2019.

Around May 6, 2019, suspicious activity was detected in an employee’s email account. The password for the account was immediately changed and an investigation was launched into the cause of the breach.

The investigation revealed the email account was compromised on May 4, 2019 and hackers had access to the email account for a period of two days. Only one email account was compromised. Unauthorized account access was confirmed, but no evidence was found to suggest any patient information was accessed or stolen.

The types of information in emails and email attachments varied from patient to patient and may have included the following types of PHI in addition to a patient’s name: Date of birth, Social Security number, driver’s license number, financial account number, medical history, treatment information, prescription information, treating or referring physician information, medical record number, health insurance information, Medicare or Medicaid number, username/email and password information.

Alive Hospice has conducted a review of its security protections and will be implementing additional safeguards to help prevent further attacks. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights but the incident has yet to appear on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Californian Medical Staffing Agency Victim of Phishing Attack

The Roseville, CA-based medical staffing agency Flexcare LLC has discovered it has been the victim of a phishing attack.

The email account of a single employee was temporarily compromised as a result of a response to a phishing email. The agency’s email security system detected unusual activity in the account shortly after the phishing email was received and the account was automatically shut down.

Computer forensic professionals were hired to help analyze the breach and determine whether the attacker gained access to the employee’s email account and whether any PHI had been viewed or copied.

Despite the prompt account shutdown, the investigation confirmed that the account had been subjected to unauthorized access. While no evidence of data access or data theft was found, the forensics investigators concluded that during the time that access was possible, patients’ PHI may have been viewed or copied.

A detailed analysis of emails in the compromised account revealed affected patients had their name exposed along with one or more of the following types of PHI: address, date of birth, driver’s license number, Social Security number, and medical information such as vaccination history, drug test results, and annual health questionnaire answers.

Flexcare will be providing employees with further training on email and network security and multi-factor authentication is being implemented. Affected individuals have been offered 12-month free membership to CyberScout credit monitoring and identity theft protection services.

The post Sensitive Data Potentially Compromised in Tennessee Hospice Phishing Attack appeared first on HIPAA Journal.


Akron, Ohio-based Summa Health has discovered an unauthorized individual has gained access to four employee email accounts containing patients’ protected health information (PHI).

Summa Health became aware of the breach on May 1, 2019 and launched an investigation that revealed two email accounts had been breached in August 2018, and a further two accounts between March 11, 2019 and March 29, 2019.

All four accounts were immediately secured and a third-party computer forensics firm was hired to determine whether any patient information had been accessed or stolen. The firm found no evidence of data theft or PHI access, although it was not possible to rule out the possibility that patient information was compromised in the breach.

An analysis of the compromised accounts revealed they contained the following types of PHI: Patient names, dates of birth, medical record numbers, patient account numbers, clinical information, and treatment information.

In total, 10,893 patients were affected. A small subset of those patients also had their Social Security numbers and/or driver’s license numbers exposed.

On June 28, 2019, Summa Health submitted two separate breach reports to OCR for the August and March attacks, one affecting 7,989 individuals and the other affecting 2,904 individuals.

Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number or driver’s license number was exposed.

Summa Health will be reinforcing employee training on privacy and security and additional security measures will be implemented to improve email security.

Community Physicians Group Phishing Attack Impacts 5,400 Patients

Siloam Springs, AR-based Community Physicians Group is alerting 5,400 patients that their PHI has been exposed as a result of a phishing attack.

The breach was detected on April 24, 2019 when suspicious activity was identified in an email account. An investigation revealed malicious software had been installed on February 19, 2019 which allowed access to be gained to the email account.

The email account contained PHI in email attachments. The exposed information was limited to names, medical record numbers, dates of service, and a brief description of the nature of the visit. No Social Security numbers, financial information, or other highly sensitive information were exposed.

The malware has now been removed and security has been improved with a new cloud-based anti-malware protection system.

Addison County Home Health & Hospice Email Breach Reported

758 patients of Addison County Home Health & Hospice in Vermont are being notified that some of their PHI has been exposed as a result of a recent email security breach.

The breach was discovered on April 26, 2019 and the investigation revealed unauthorized access to the account was first gained on February 19, 2019.

An analysis of the emails in the account revealed they contained names, clinical information, and for certain patients, medical record numbers and Social Security numbers.

A free 12-month membership to credit monitoring and identity protection services has been offered to individuals whose Social Security number was exposed.

The hospice will be augmenting its technical security controls and further training will be provided to employees to help them identify phishing emails.

The post PHI of 10,893 Summa Health Patients Potentially Compromised in Phishing Attack appeared first on HIPAA Journal.


A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students.

The student, who is identified as J.M.A. in the lawsuit, claims his X-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images.

The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A. to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool.

J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A.’s X-rays and how many of those individuals disclosed what they saw to others.

J.M.A. is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The Giatras Law Firm, and is seeking compensatory and punitive damages.

Three motions to dismiss the lawsuit have been submitted by the defendants Cabell Huntington Hospital; Marshall University Joan C. Edwards School of Medicine and Marshall University Board of Governors; and Radiology Inc.

They are seeking to have the case dismissed as it was not filed in the proper venue and because they say the plaintiff failed to state a claim on which relief can be granted.

PHI Exposed in Break-in at Pardee UNC Health Care

Pardee UNC Health Care is notifying certain patients that some of their PHI has potentially been compromised during a break in at its facility at 2029 Asheville Hwy, Hendersonville, NC. The break-in was discovered on May 9, 2019. Thieves gained entry to the basement of the building and stole electronic equipment.

No electronic protected health information was exposed as the computers did not have hard drives, but while searching the basement a stack of 590 Federal Drug Testing Custody and Control forms was found. The forms contained names, phone numbers, birth dates, Social Security numbers, employer names, driver’s license numbers, and results of the drug screening test, and dated from October 2003 to December 2004.

Officials at Pardee did not find any evidence to suggest information had been viewed or stolen, but the stack of files had been moved to a place where they would have been in full view of the thieves as they entered the basement, so there is a possibility that PHI has been compromised.

All files have now been removed from the basement and are in a secure storage facility. Pardee UNC had previously stored paperwork in several locations. The paperwork has now been retrieved and been moved to a single, secure storage facility.

“We are reviewing existing employee training and record retention protocols and policies and will reinforce and revise as needed,” said Jennifer Melia, Compliance & Privacy Officer for Pardee UNC Health Care.

UNC Health Care is offering 12 months of free credit monitoring protection services to affected individuals. It is unclear how many individuals have been affected.

The post Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool appeared first on HIPAA Journal.


A recent study of cybersecurity best practices adopted by large and small healthcare providers has revealed there is a growing gulf between the two. Larger providers are more likely to have mature, sophisticated cybersecurity defenses, while smaller providers are struggling to follow cybersecurity best practices.

For the study, KLAS and CHIME analyzed responses to the 2018 Healthcare’s Most Wanted survey given by around 600 healthcare providers and assessed each to determine whether they were adhering to healthcare cybersecurity best practices.

One of the requirements of the Cybersecurity Act of 2015 was for the Department of Health and Human Services (HHS) to form a task group to develop guidance for healthcare providers to help them manage and mitigate threats to patient data.

The 405(d) Task Group released the document – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) – which details 10 cybersecurity principles relevant to healthcare providers of all sizes. These principles must be addressed to ensure cybersecurity risks are reduced to a reasonable and acceptable level.

The principles are:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

KLAS and CHIME assessed the responses against these principles and found large healthcare organizations to be performing well, with mature and sophisticated cybersecurity defenses. Larger healthcare organizations were more proactive and were conducting regular vulnerability scans and application testing, whereas smaller providers were reliant on penetration tests to identify vulnerabilities.

Larger healthcare organizations were more likely to have a dedicated CISO, board-level committees and governance, risk management, compliance committees, and BYOD management, which were often found lacking at smaller organizations.

Smaller providers were less likely to use network segmentation and multi-factor authentication – two important measures for limiting damage in the event of credentials being compromised. While network access controls had been implemented at virtually all surveyed provider organizations, less than half of smaller providers had implemented network segmentation.

Network segmentation is important for preventing the spread of malware internally and to stop hackers from having full access to the entire network. Without it, a single compromised device could mean the entire network is compromised. Multi-factor authentication is similarly important. In the event of credentials being stolen, in a phishing attack for example, multi-factor authentication should prevent the account from being accessed. Only half of smaller providers had implemented MFA.

There were several positives in the report. Email and endpoint security systems had been implemented at most provider organizations which provide a reasonable level of protection against external threats. The threat from phishing was being addressed through security awareness training and phishing email simulations. 70% of all providers conducted phishing simulations at least every quarter.

Providers are concerned about medical device security and the potential for an attack to cause harm to patients. Most providers have included medical device security in their cybersecurity program, which is supported by strong cybersecurity practices in other areas. Data loss prevention solutions have also been widely adopted, although on-premises DLP solutions have slowed the transition to the cloud. Most organizations that use DLP solutions back up data physically rather than using cloud backup services.

Incident response plans have been developed by most providers and most have signed up with information sharing and analysis organizations to participate in threat sharing. It is essential to have a plan in place to ensure a smooth incident response, but that plan must be tested to make sure it works in practice. Only half of organizations conduct an exercise annually to test their incident response plan.

“Today’s security requirements are challenging historical asset management practices, making it increasingly necessary for organizations to establish clear policies that align their IT, information security, healthcare technology management, and procurement teams,” said Steven R. Cagle, CEO of Clearwater, sponsor of the report.

Making improvements to an organization’s cybersecurity posture can be a challenge with too little money and resources often available to address all issues. Consequently, it can be difficult to know where to start. Cagle suggests starting with a comprehensive risk analysis to identify and evaluate all risks. A risk management plan can then be developed to prioritize the most serious vulnerabilities.

Larger healthcare organizations are more likely to use risk management software to support this process and identify the highest risks and optimize deployment of security controls. The result is greater risk reduction for lower costs.

The findings of the KLAS-CHIME study were published in the white paper – How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?

The post Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices appeared first on HIPAA Journal.


Rob Williams grew up on the east coast in VA and NC. He served in the US Marine Corps as an Avionics technician. After leaving the military he began working in Chicago as a Field Engineer for a company that makes electronics manufacturing equipment. In that position he was primarily responsible for deploying IT systems to program and manage the manufacturing automation. He has traveled the world and worked with end users in many countries. After moving to Los Angeles in 2006, he took a position as an IT systems administrator for a shoe and accessory manufacturer. There he was responsible for setting up and maintaining networking, server systems and overseeing desktop help desk technicians. In that role he was able to make considerable changes and improvements to an outdated infrastructure.
When not at the keyboard, Rob enjoys weight lifting, hiking, surfing, snowboarding and radio-controlled aircraft.


In a world of Information Technology, I provide technical support on hardware or software. I have been supporting desktops, laptops and network devices for over a decade. I like working with computers and networking devices. I am a technical business resource provider, an engineer, an information technologist. I enjoy working with content management systems, CRMS, Web Portals and implementing SEO. From hands-on, remote or web, technology makes my world go round.
When I am not troubleshooting or doing web research, you can find me watching cartoon animation with my children and playing video games. I enjoy playing music and cooking for my family.
