Weekly CyberTip: Mitigating IoT and IoHT Risk
A new report from Forescout (discussed in more detail below) offers three top tips for reducing the risk of compromise of your IoT and IoHT devices, based on their observations in the field:
- the prevalence of legacy versions of Windows and critical vulnerabilities in many IoT and IoHT devices means that you should upgrade, replace, or isolate these devices to the greatest extent practical;
- ensure that all devices have endpoint protection in place, and that you have a way of preventing non-compliant devices from connecting to the network; and
- ensure that unnecessary or insecure protocols and services are turned off and devices are segmented on separate virtual networks.
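The three tips above translate naturally into an inventory audit. The following is an added example (not code from ISA Cybersecurity or Forescout) that scores a constructed device inventory against them: legacy OS, missing endpoint protection, exposed Telnet/SSH/RDP, and placement on a shared VLAN. The inventory, its field names (os, open_ports, endpoint_protection, vlan, category), the list of legacy OS prefixes and the set of "shared" VLANs are all assumptions; the port list is the one the Forescout report singles out.

```python
"""Audit a device inventory against the IoT/IoHT mitigation tips above.

Added example; the inventory and field names below are constructed assumptions.
"""
from collections import Counter

# Windows releases treated as legacy (assumption: matched as a prefix of the OS field)
LEGACY_OS_PREFIXES = ("Windows XP", "Windows 7", "Windows Server 2008", "Windows Embedded")

# Ports the report calls "dangerous" when left open on IoT/IoMT devices
RISKY_PORTS = {23: "Telnet", 22: "SSH", 3389: "RDP"}

# VLANs that IoT/IoMT devices should not share with users or servers (assumption)
SHARED_VLANS = {"corp-users", "servers"}

# Constructed sample inventory; category "user" marks ordinary staff endpoints
INVENTORY = [
    {"name": "dicom-ws-01", "category": "iomt", "os": "Windows 7 SP1",
     "open_ports": [3389, 104], "endpoint_protection": False, "vlan": "corp-users"},
    {"name": "cam-lobby-3", "category": "iot", "os": "Embedded Linux",
     "open_ports": [23, 80, 554], "endpoint_protection": False, "vlan": "corp-users"},
    {"name": "glucose-07", "category": "iomt", "os": "RTOS",
     "open_ports": [443], "endpoint_protection": False, "vlan": "iomt-monitors"},
    {"name": "print-hr-2", "category": "iot", "os": "Embedded Linux",
     "open_ports": [9100, 22], "endpoint_protection": False, "vlan": "iot-print"},
    {"name": "nurse-ws-12", "category": "user", "os": "Windows 11",
     "open_ports": [], "endpoint_protection": True, "vlan": "corp-users"},
]


def audit_device(dev):
    """Return a list of (tip, detail) findings for one device, in check order."""
    findings = []
    # Tip 1: legacy OS -> upgrade, replace or isolate
    if dev["os"].startswith(LEGACY_OS_PREFIXES):
        findings.append(("legacy-os", f"{dev['os']}: upgrade, replace or isolate"))
    # Tip 2: no endpoint protection -> treat as non-compliant, keep off the network
    if not dev["endpoint_protection"]:
        findings.append(("no-endpoint-protection",
                         "non-compliant: block from the network until protected"))
    # Tip 3a: insecure or unnecessary services exposed
    for port in dev["open_ports"]:
        if port in RISKY_PORTS:
            findings.append(("insecure-service", f"{RISKY_PORTS[port]} ({port}) open"))
    # Tip 3b: IoT/IoMT devices must sit on their own segment, not a shared VLAN
    if dev["category"] != "user" and dev["vlan"] in SHARED_VLANS:
        findings.append(("not-segmented", f"on shared VLAN {dev['vlan']}"))
    return findings


def audit_inventory(inventory):
    """Map device name -> findings for the whole inventory."""
    return {d["name"]: audit_device(d) for d in inventory}


def summarize(inventory):
    """Count how many findings of each kind exist across the fleet."""
    counts = Counter()
    for findings in audit_inventory(inventory).values():
        counts.update(tip for tip, _ in findings)
    return dict(counts)


def telnet_exposure_pct(inventory):
    """Share of devices with Telnet open, the metric the report quotes per vertical."""
    if not inventory:
        return 0.0
    exposed = sum(1 for d in inventory if 23 in d["open_ports"])
    return round(100 * exposed / len(inventory), 1)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "ok")
    print("summary:", summarize(INVENTORY))
    print(f"telnet exposure: {telnet_exposure_pct(INVENTORY)}%")
```

Devices with the most findings (here the Windows 7 DICOM workstation on the user VLAN with RDP open) are the ones to isolate first; the per-tip summary shows which control gap is most widespread across the fleet.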
Report: Forescout names the “Riskiest Connected Devices in 2023”
On July 13, security firm Forescout released a new report outlining “the riskiest devices in enterprise networks in 2023 that it has been tracking on organizations’ networks since 2020.”
The “Riskiest Connected Devices in 2023” report explains that healthcare is the industry with the greatest number of smart devices at risk, followed by the retail and manufacturing sectors. “Devices in healthcare are more likely to have dangerous ports, such as Telnet, SSH and RDP open. Almost 10% of devices in healthcare still have Telnet ports open, compared to 3-4% of devices in other verticals,” according to the report.
The report revealed that the riskiest IoMT devices are healthcare workstations, including DICOM workstations, specialized workstations for radiology, imaging devices, patient monitors, and blood glucose monitors.
The riskiest devices in the broader IoT category were found to be IP cameras, printers, VoIP components, network attached storage (NAS) devices, and out-of-band management (OOBM) appliances.
Patch Alert: SonicWall issues patches for GMS/Analytics products
On July 12, SonicWall issued an urgent security notice regarding 15 vulnerabilities in their GMS/Analytics product suite. The set of 15 security vulnerabilities “includes four (4) vulnerabilities with a CVSSv3 rating of CRITICAL, that allows an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor,” according to advisory SNWLID-2023-0010.
Researchers at SonicWall have advised that there are no known exploits of the vulnerabilities in the wild, but urge all customers to patch as soon as possible. Aside from patching, there are no available workarounds for the issues.
Patch alert: Fortinet issues patches for FortiOS and FortiProxy 7.x
On July 11, Fortinet issued a PSIRT advisory warning customers of a “stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy [that] may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.”
CISA published its own warning about the issue, directing users to the Fortinet resources.
The critical vulnerability affects the following releases:
- FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3
- FortiProxy version 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2
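Deciding which firewalls in a fleet need this patch (or the workaround) comes down to comparing build numbers against the ranges above, and a common mistake is to compare version strings lexically, which ranks "7.0.9" after "7.0.10". The following added example (not Fortinet's or CISA's code) encodes the advisory ranges as listed above and compares versions component by component; the fleet list and the way product and version are recorded are constructed assumptions.

```python
"""Check FortiOS / FortiProxy builds against the affected ranges listed above.

Added example; the ranges come from the advisory text above, the fleet below is constructed.
"""

# (first affected, last affected), inclusive, per product, as stated in the advisory
AFFECTED = {
    "FortiOS":    [("7.0.0", "7.0.10"), ("7.2.0", "7.2.3")],
    "FortiProxy": [("7.0.0", "7.0.9"),  ("7.2.0", "7.2.2")],
}


def parse_version(v):
    """'7.0.10' -> (7, 0, 10); tuple comparison orders 7.0.9 before 7.0.10."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product, version):
    """True if the build falls inside any affected range for that product."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))


def naive_is_affected(product, version):
    """The same check with raw string comparison: misses 7.0.2 .. 7.0.9 on FortiOS
    because '9' sorts after '1' in '7.0.10'. Kept here only to show the pitfall."""
    return any(lo <= version <= hi for lo, hi in AFFECTED.get(product, []))


def triage(fleet):
    """Names of devices that need the patch or the HTTP/2 workaround, in fleet order."""
    return [name for name, product, version in fleet if is_affected(product, version)]


# Constructed fleet: (hostname, product, running version)
FLEET = [
    ("fw-edge-1", "FortiOS", "7.0.10"),
    ("fw-edge-2", "FortiOS", "7.0.12"),
    ("fw-dc-1", "FortiOS", "6.4.12"),
    ("proxy-1", "FortiProxy", "7.2.2"),
    ("proxy-2", "FortiProxy", "7.2.3"),
]

if __name__ == "__main__":
    print("needs action:", triage(FLEET))
    print("7.0.9 affected (correct):", is_affected("FortiOS", "7.0.9"))
    print("7.0.9 affected (string compare):", naive_is_affected("FortiOS", "7.0.9"))
```

The 6.4 build is reported as unaffected, consistent with the advisory's statement that older releases are not affected; anything the check flags should be patched, or have HTTP/2 disabled on its SSL inspection profiles until it can be.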
According to the advisory, current production releases of FortiOS and FortiProxy already resolve the issue. Older versions of the operating systems are not affected.
If immediate patching is not possible, Fortinet has also documented a workaround, recommending that users “disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode.”
Municipality under cyber attack: NC town hit by ransomware
The Town of Cornelius, North Carolina has been hit by a suspected ransomware attack. In a July 11 press release, officials warned that “some services provided by the Town may be temporarily unavailable or delayed,” a situation that has run into the weekend. According to a local news report on July 14, “all on-site devices have been disconnected, including the landline, internet and servers. The Technology Operations Dept. is still in the process of scanning systems.”
A July 12 report in local broadcast media explained that the system shutdown “means town employees can’t access what’s essentially a ‘storage database,’ including critical data and documents to do their jobs. They also cannot access computers or landlines on site. However, the town did say they have backups and are able to work in different ways. The town’s website and emails are also still up and running.”
There has been no statement regarding ransom demands. The press release suggested that the initial exploit was “caused by ransomware located on a Town device,” but expressed optimism that the threat was detected early, containing the damage.
Colorado university joins list of MOVEit victims
Colorado State University (CSU) has revealed that they were victims of the global MOVEit third-party cyber attack. In a July 11 announcement, CSU advised that the school is still investigating the scope of the incident, but warned “that the data breach may involve data for some current employees and students, as well as former employees and students dating back to at least 2021.” The school has set up a dedicated web page to provide updates.
CSU, located in Fort Collins, Colorado (about an hour’s drive north of Denver), joins a growing list of MOVEit victims around the world, estimated at 340 as of July 15. Recently disclosed victims include Canadian gold miner Barrick Gold Corp., hotel chain Radisson, American financial institution 1st Source Bank, and Dutch GPS company TomTom.
On May 27, the Cl0p ransomware gang exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer software, stealing private and sensitive information from hundreds of customers who use MOVEit. The number of individuals affected around the world is believed to be in the multiple millions.