Latest Cybersecurity News 2021-05-10 Edition

Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news

U.S. and U.K. cybersecurity warn of top 12 security flaws targeted by Russian hackers 

In new guidance jointly published by top cybersecurity agencies from the U.S. and the U.K., businesses are encouraged to prioritize the top 12 security flaws being actively targeted and exploited by Russian-backed threat actors 

The U.K. advisory from the NCSC entitled “Further TTPs associated with SVR cyber actors”  outlines the tactics, techniques and procedures (TTPs) employed by the Russian Foreign Intelligence Service (SVR) in their recent cyber attack campaigns. Meanwhile in the U.S., the CISA has released a fact sheet entitled “Russian SVR Activities Related to SolarWinds Compromise” that provides summaries of three key joint publications that focus on SVR activities related to the SolarWinds Orion supply chain compromise in December 2020. 

CISA “strongly encourages users and administrators to review the joint advisory as well as the other two advisories summarized on the fact sheet for mitigation strategies to aid organizations in securing their networks against Russian SVR activity,” in the release. 

The SVR allegedly sponsors threat actors known variously by such colourful names as Advanced Persistent Threat 29 (APT29), The Dukes, Cozy Bear, and Yttrium. They target organizations that “align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more timebound targeting; for example COVID-19 vaccine targeting in 2020,” according the NCSC bulletin. 

The key dozen flaws under attack are highlighted below. Only two of the vulnerabilities are less than six months old: the fact that they are still prime targets for attack suggests that some  organizations are still not placing the appropriate priority on keeping current with critical infrastructure patches and upgrades.  

CVE-2018-13379: Fortinet FortiGate VPN 

CVE-2019-9670: Synacor Zimbra Collaboration Suite (ZCS) (currently simply known as Zimbra Collaboration) 

CVE-2019-11510: Pulse Secure Pulse Connect Secure VPN 

CVE-2019-19781: Citrix Application Delivery Controller and Gateway 

CVE-2020-4006: VMware Workspace ONE Access 

CVE-2019-1653: Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers 

CVE-2019-2725: Oracle WebLogic Server 

CVE-2019-7609: Kibana for Elasticsearch 

CVE-2020-5902: F5 BIG-IP 

CVE-2020-14882: Oracle WebLogic Server 

CVE-2021-21972: VMware vSphere 

CVE-2021-26855: Microsoft Exchange Server

hand going to push update button on screen

San Diego’s Scripps Health network under suspected  ransomware attack 

Over a week after a suspected ransomware attack disrupted their facilities, the Scripps Health network website is still out of service, advising only that “Scripps.org will be back soonThe Scripps Health website is currently unavailable due to a network outage. 

The incident has forced the organization to switch to emergency methods for providing patient care operations, and suspend operation of many of its internal systems and its online patient services portalNon-essential appointments are being postponed; many cases are being re-routed to other facilities. According to several sources, the facility was not even able to provide radiation treatments to its cancer patients until the required equipment was returned to service on May 7. 

Scripps is coming under increasing fire for their lack of communications around the incident. A week after the first service disruptions, there is still no official word on the type of attack, the motivation behind it, any potential data disclosures, what – if any – ransom is involved, etc. Scripps has made no further statements since the onset of the incident, and their last statement on their Facebook account was on May 2; although they have been encouraging patients with specific enquiries to “direct message” their concerns. 

The California Department of Public Health, the regulator for healthcare in the state, has characterized the incident as multiple “ransomware attacks” in a statement to local news outletsDespite the disruption, the CDPH appears to be satisfied that the hospital is adequately operational, observing that they would intervene if the facility was unable to “[care] for patients using appropriate emergency protocols in inpatient areas of the hospital.” 

Channel 7, the local NBC affiliate in the San Diego, is providing an extensive chronology focusing on the human impacts of the attack.  

The $3.1billion (USD), not-for-profit healthcare provider, in operation for nearly 100 years, operates four hospitals on five campuses (including four emergency rooms and three urgent care centres), with 15,000 employees, over 3,000 affiliated physicians, and more than 2,000 volunteers. 

person typing on laptop with stethoscope on table beside it

Belgium’s Internet Infrastructure Suffers DDoS Attack 

Belnet, one of the largest and longest-established Internet service providers in Belgium has restored its service after suffering a massive distributed denial of service (DDoS) attack on May 4. The attack affected all 200 institutions connected to the ISP, cutting off Internet access to Belgium’s Parliament, and numerous government, public, scientific educational, and law enforcement agencies. 

In a statement on their French language website, Belnet advised that they had brought the situation under control the same day; however, though service was restored to the Belnet network and website on May 4, the attack had ongoing consequences: some customers were unable to connect to their websites and online services as late as May 7. 

The attack saturated the entire Belnet network, and appears to have been part of a widespread, coordinated assault on the Belgian infrastructure, as other Belgian ISPs were affected by the DDoSAs Belgium is the headquarters of the European Union, there is speculation that the attacks were politically motivated. However, Dirk HaexTechnical & co-General Director at Belnet, cautioned against jumping to conclusions: “We cannot expect to know tomorrow who is behind it. It is a very complex analysis that has to be done,” he advised, concluding that “it is far too early to make any statements about this”. 

Haex reassured customers about individual impacts: At this point there is no indication that cybercriminals have infiltrated the network of any of the institutions or organizations affected, as it appears the attack was aimed solely at saturating networks to disrupt traffic. 

Belnet is providing regular status updates and information on their online status page. 

hooded person staring at tablet and background has the words "DoS attack"

Incident Response 360 just days away 

On Wednesday, May 12, ISA Cybersecurity is hosting Incident Response 360, a virtual panel discussion featuring an all-star lineup of experts that will provide a 360-degree view of incident response to a cybersecurity attack on a business. Register today to hear from legal, insurance, communications, and cybersecurity experts on the best practices and emerging trends in cyber attack management. A Q&A will follow the discussion, so come ready to engage and learn. 

When: Wednesday, May 12, 11 a.m. to 12:30 p.m. 

Who: Panelist bios https://marketing.isacybersecurity.com/meet-the-panelists-2021-05-12  

Registration Page:
https://isacybersecurity.zoom.us/webinar/register/5416172158032/WN_W8QHj8ttRj-pZKh8zGoAHQ  

NEWSLETTER

Get exclusively curated cyber insights and news in your inbox

Related Posts

Contact Us Today

SUBSCRIBE

Get monthly proprietary, curated updates on the latest cyber news.

SUBSCRIBE

Get monthly proprietary, curated updates on the latest cyber news.