ISA is committed to keeping the security community up to date with the latest cybersecurity news.
Colorado Healthcare Facility Hit by Cyberattack
On Tuesday, April 21, Parkview Medical Center, an acute care facility serving Pueblo, Colorado and 14 surrounding counties, was hit by a cyberattack of unreported origin. Over a week after the attack, the medical center’s website is still advising of a network outage, though the website itself appears to be operational.
An official statement from the 370-bed facility was distributed by email to media on Saturday, April 25, and posted to the website a few days later. “Upon learning of the incident, Parkview immediately engaged leading third-party forensic experts to investigate and mitigation is well underway,” according to the release. “Our investigation is ongoing at this time and we will provide updates as more information is verified by the forensics team.”
The attack is another example of the heightened threat to healthcare facilities during the COVID-19 pandemic. The statement acknowledged the challenges at an already difficult time: “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible.”
While the nature and scope of the outage remain unclear, the medical center advised in their statement that the level and quality of patient care would not be affected by the attack. A spokesman for the medical center confirmed that the hospital is now using a paper-based patient recording system while the outage is being investigated. “As a regular course of business, Parkview Medical Center frequently trains and prepares for scenarios that result in IT system outages. We are well-prepared and our staff is trained to continue operations while we work to get our regular IT systems back online.”
A statement from Steve Shirley, Parkview’s long-time Vice President Information Technology & Chief Information Officer, will likely come once the situation has been resolved and services return to normal.
WordPress Plugin Vulnerability Affects up to 100,000 Users
WordPress security firm Wordfence has reported a “high severity” vulnerability in the Real-Time Find and Replace plugin, available through the WordPress portal. The plugin allows site designers to dynamically swap out any HTML content on a WordPress-based site with replacement content on a one-off basis. When used as intended, the plugin allows the designer to present a personalized experience to visitors navigating through the website. However, hackers could exploit the feature for more sinister purposes. According to the report, “This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email.”
The developer of the plugin reports over 370,000 all-time downloads, with an active user base of over 100,000. The cross-site scripting vulnerability was reported to the developer on Wednesday, April 22; the bug was confirmed and a security patch was issued the same day. However, according to the traffic reports on the WordPress portal, nearly 2/3 of the active users of the plugin have yet to download and install the latest version.
The flaw affected both the free and premium versions of the plugin. The current version of the plugin is reported as 4.0.2 as of April 30, 2020.
This incident serves as a reminder to monitor patches for your WordPress framework through the WordPress Updates page in the admin console. Also be sure to conduct a regular review of all plugins on your site through the WordPress Plugins page: a complete list of plugin names, versions and statuses is presented here. Consider removing unused or obsolete plugins: ensuring that only active, current plugins are installed can improve the performance of the website, and reduce administrative and support effort.
Recent “Microsoft Teams” Phishing Campaigns Affect up to 50,000 Users
Email security firm Abnormal Security has reported a pair of convincing phishing email campaigns targeting Microsoft Teams users. The emails appear to have been sent to at least 15,000 and up to 50,000 Office 365 users in late April.
According to the report, the first attack blended genuine content from Microsoft and a reputable email marketing firm. However, the real Microsoft Teams login graphic in the email actually linked the user to the hackers’ website, a landing page that spoofed the Microsoft Office login page. Unsuspecting users who clicked on the logo to log in ran the risk of having their user ID and password harvested by the hackers. The second attack took users to a YouTube video, then through two additional redirects before arriving on the spoofed login page. The report advised that, in one of the attacks, the sender’s email originated from the domain “sharepointonline-irs.com”, registered on April 14, 2020, and “which is not associated to either Microsoft or the IRS.” It is unclear whether the attacks, launched in separately timed campaigns, came from the same hackers.
The report goes on to warn that the potential exposure extends beyond Microsoft Teams: once credentials are entered on the spoofed site, the hackers could gain access to any Microsoft Office 365 assets associated with the user.
This incident is a reminder of the importance of staying vigilant when receiving unexpected email messages, and making every effort to validate the sender and the destination of any links in the message before clicking. With more people working from home and using sometimes unfamiliar technology due to the COVID-19 pandemic, the risk of falling victim to this type of phishing attack is heightened. Make sure to provide training for staff, and supply reliable support contact information in case questions arise.
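The sender and link checks described above can be automated as a first-pass triage step. The following is an added example, not code from Abnormal Security's report or from ISA: it flags a sender domain that borrows a Microsoft brand name and any link whose visible label or image alt text names the brand while its destination host is outside an assumed allowlist. The allowlist, the brand tokens, the function names and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains a genuine Microsoft sign-in link or sender would use.
TRUSTED = {"microsoft.com", "office.com", "office365.com",
           "microsoftonline.com", "sharepoint.com", "live.com"}
BRANDS = ("microsoft", "office", "sharepoint", "teams")

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None   # [href, visible label] pairs
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = [a["href"], ""]
        elif tag == "img" and self._open is not None:
            self._open[1] += " " + (a.get("alt") or "")
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += " " + data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def review_email(sender, html):
    findings = []
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    # Sender domain borrows a brand name but is not a trusted domain.
    if not is_trusted(domain) and any(b in domain for b in BRANDS):
        findings.append(("lookalike-sender", domain))
    parser = LinkCollector()
    parser.feed(html)
    for href, label in parser.links:
        host = urlsplit(href).hostname
        # Link presents itself as the brand but points somewhere else.
        if any(b in label.lower() for b in BRANDS) and not is_trusted(host):
            findings.append(("brand-link-mismatch", host))
    return findings

# Constructed sample; login.example.net is a placeholder host.
SAMPLE_SENDER = "Teams <notify@sharepointonline-irs.com>"
SAMPLE_HTML = ('<a href="https://login.example.net/teams"><img alt="Open Microsoft Teams"></a>'
               '<a href="https://www.microsoft.com/privacy">Microsoft privacy</a>')
```

A static check like this only sees the first hop of a link, so a chain that starts on a legitimate site and redirects onward, as in the second campaign, still needs the destination resolved by the mail gateway or a sandbox.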
Need Help?
ISA can help. With almost three decades of experience, we are Canada’s leading cybersecurity-focused organization. We are proud to serve clients both large and small across a diverse range of industries. We provide our clients with comprehensive counsel on complex, evolving, and multi-faceted issues related to information security and data breaches. Each of our Subject Matter Experts brings a wealth of experience to every engagement, and every member of our team of certified cybersecurity professionals uses a deep understanding of information security to anticipate and satisfy our clients’ needs.
ISA has deep expertise across enterprise-grade security architecture, engineering, advisory and managed services. ISA partners with our valued customers to deliver excellent outcomes by providing subject matter expertise across network security, application security, endpoint security, cloud security, identity & access management, GRC advisory and a range of security assessment services.