Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
U.S. and U.K. cybersecurity agencies warn of top 12 security flaws targeted by Russian hackers
In new guidance jointly published by top cybersecurity agencies from the U.S. and the U.K., businesses are encouraged to prioritize the top 12 security flaws being actively targeted and exploited by Russian-backed threat actors.
The U.K. advisory from the NCSC, entitled “Further TTPs associated with SVR cyber actors”, outlines the tactics, techniques and procedures (TTPs) employed by the Russian Foreign Intelligence Service (SVR) in its recent cyber attack campaigns. Meanwhile in the U.S., CISA has released a fact sheet entitled “Russian SVR Activities Related to SolarWinds Compromise” that summarizes three key joint publications on SVR activities related to the SolarWinds Orion supply chain compromise disclosed in December 2020.
In the release, CISA “strongly encourages users and administrators to review the joint advisory as well as the other two advisories summarized on the fact sheet for mitigation strategies to aid organizations in securing their networks against Russian SVR activity.”
The SVR allegedly sponsors threat actors known variously by such colourful names as Advanced Persistent Threat 29 (APT29), The Dukes, Cozy Bear, and Yttrium. They target organizations that “align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time–bound targeting; for example COVID-19 vaccine targeting in 2020,” according to the NCSC bulletin.
The key dozen flaws under attack are highlighted below. Only two of the vulnerabilities are less than six months old: the fact that they are still prime targets for attack suggests that some organizations are still not placing the appropriate priority on keeping current with critical infrastructure patches and upgrades.
– CVE-2018-13379: Fortinet FortiGate VPN
– CVE-2019-9670: Synacor Zimbra Collaboration Suite (ZCS) (currently simply known as Zimbra Collaboration)
– CVE-2019-11510: Pulse Secure Pulse Connect Secure VPN
– CVE-2019-19781: Citrix Application Delivery Controller and Gateway
– CVE-2020-4006: VMware Workspace ONE Access
– CVE-2019-1653: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers
– CVE-2019-2725: Oracle WebLogic Server
– CVE-2019-7609: Kibana for Elasticsearch
– CVE-2020-5902: F5 BIG-IP
– CVE-2020-14882: Oracle WebLogic Server
– CVE-2021-21972: VMware vSphere
– CVE-2021-26855: Microsoft Exchange Server
San Diego’s Scripps Health network under suspected ransomware attack
Over a week after a suspected ransomware attack disrupted their facilities, the Scripps Health network website is still out of service, advising only that “Scripps.org will be back soon. The Scripps Health website is currently unavailable due to a network outage.”
The incident has forced the organization to switch to emergency procedures for patient care and to suspend many of its internal systems and its online patient services portal. Non-essential appointments are being postponed, and many cases are being re-routed to other facilities. According to several sources, the facility was not even able to provide radiation treatments to its cancer patients until the required equipment was returned to service on May 7.
Scripps is coming under increasing fire for its lack of communication around the incident. A week after the first service disruptions, there is still no official word on the type of attack, the motivation behind it, any potential data disclosures, what ransom (if any) is involved, and so on. Scripps has made no further statements since the onset of the incident, and its last post on its Facebook account was on May 2, although it has been encouraging patients with specific enquiries to “direct message” their concerns.
The California Department of Public Health, the regulator for healthcare in the state, has characterized the incident as multiple “ransomware attacks” in a statement to local news outlets. Despite the disruption, the CDPH appears to be satisfied that the hospital is adequately operational, observing that it would intervene if the facility were unable to “[care] for patients using appropriate emergency protocols in inpatient areas of the hospital.”
Channel 7, the local NBC affiliate in San Diego, is providing an extensive chronology focusing on the human impacts of the attack.
The $3.1–billion (USD), not-for-profit healthcare provider, in operation for nearly 100 years, operates four hospitals on five campuses (including four emergency rooms and three urgent care centres), with 15,000 employees, over 3,000 affiliated physicians, and more than 2,000 volunteers.
Belgium’s Internet Infrastructure Suffers DDoS Attack
Belnet, one of the largest and longest-established Internet service providers in Belgium, has restored its service after suffering a massive distributed denial of service (DDoS) attack on May 4. The attack affected all 200 institutions connected to the ISP, cutting off Internet access to Belgium’s Parliament and numerous government, public, scientific, educational, and law enforcement agencies.
In a statement on its French-language website, Belnet advised that it had brought the situation under control the same day; however, although service was restored to the Belnet network and website on May 4, the attack had ongoing consequences: some customers were unable to connect to their websites and online services as late as May 7.
The attack saturated the entire Belnet network, and appears to have been part of a widespread, coordinated assault on the Belgian infrastructure, as other Belgian ISPs were affected by the DDoS. As Belgium is the headquarters of the European Union, there is speculation that the attacks were politically motivated. However, Dirk Haex, Technical & co-General Director at Belnet, cautioned against jumping to conclusions: “We cannot expect to know tomorrow who is behind it. It is a very complex analysis that has to be done,” he advised, concluding that “it is far too early to make any statements about this”.
Haex reassured customers about individual impacts: “At this point there is no indication that cybercriminals have infiltrated the network of any of the institutions or organizations affected, as it appears the attack was aimed solely at saturating networks to disrupt traffic.”
Belnet is providing regular status updates and information on their online status page.
Incident Response 360 just days away
On Wednesday, May 12, ISA Cybersecurity is hosting Incident Response 360, a virtual panel discussion featuring an all-star lineup of experts that will provide a 360-degree view of incident response to a cybersecurity attack on a business. Register today to hear from legal, insurance, communications, and cybersecurity experts on the best practices and emerging trends in cyber attack management. A Q&A will follow the discussion, so come ready to engage and learn.
When: Wednesday, May 12, 11 a.m. to 12:30 p.m.
Who: Panelist bios https://marketing.isacybersecurity.com/meet-the-panelists-2021-05-12
Registration Page:
https://isacybersecurity.zoom.us/webinar/register/5416172158032/WN_W8QHj8ttRj-pZKh8zGoAHQ