Weekly CyberTip: Enable automatic patching where possible
Threat actors watch critical patch releases closely: by comparing the patched and unpatched versions they can reverse-engineer the fixed vulnerability into a working exploit, then scan for systems that have not yet been updated. To reduce your exposure, enable automatic software updates wherever possible, so that fixes are applied as soon as they are available. If you must patch manually, download fixes only from the vendor’s own website or update channel, and verify the download against the vendor’s published signature or checksum, so that you are getting the genuine, latest version of the software.
Patch alert: Critical VMware authentication bypass bug reported
VMware has released security updates for a critical authentication bypass vulnerability that affects several of its products.
Tracked as CVE-2022-22972, the bug affects versions of Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation. “The ramifications of this vulnerability are serious. Given the severity of the vulnerability, we strongly recommend immediate action,” according to VMware. Where immediate patching is not possible, VMware has published interim workarounds for vulnerable systems, which disable all users except a single provisioned administrator account.
Proof-of-concept exploit code has been posted online that demonstrates how an attacker can gain administrator privileges on an unpatched system. The proof-of-concept was published by security researchers from Horizon3 early last week. “CVE-2022-22972 is a relatively simple ‘Host’ header manipulation vulnerability. Motivated attackers would not have a hard time developing an exploit for this vulnerability,” according to their report.
The same patches also address a local privilege escalation vulnerability, tracked as CVE-2022-22973.
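Horizon3 describes CVE-2022-22972 as a Host header manipulation bug, and the newsletter does not go into the mechanics. The following is an added illustration of the general hardening pattern for any service that turns the incoming Host header into redirect, callback or password-reset URLs; it is not VMware’s patch or workaround, and every hostname and header value in it is constructed. The pattern is to accept only a bare host[:port], compare it against an explicit allowlist, and build outgoing absolute URLs from a configured canonical host rather than from the request.

```python
"""Host header allowlisting for services that build absolute URLs from the request.

Added illustration of a generic hardening pattern; it is not VMware's patch or workaround
for CVE-2022-22972.  An application that turns the incoming Host header into redirect,
callback or password-reset URLs must validate it against an explicit allowlist and,
better, build those URLs from its configured canonical host.  All hostnames and header
values below are constructed.
"""
import re
from urllib.parse import urlsplit

# RFC 1123 label: 1-63 alphanumerics or hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_host_header(raw):
    """Normalize a Host header to (hostname, port), or return None if it is malformed.

    Only a bare host[:port] is accepted.  Userinfo, path, query, fragment and
    control/whitespace characters are the usual tools for smuggling a second host
    past a naive substring or prefix check, so they are rejected outright.
    """
    if raw is None:
        return None
    value = raw.strip().lower()
    if not value or len(value) > 253:
        return None
    if any(ch.isspace() or ord(ch) < 0x20 or ch in "@/\\?#%" for ch in value):
        return None
    try:
        # Reuse urlsplit's authority parsing so IPv6 literals and ports behave
        # consistently; .port raises ValueError for non-numeric or out-of-range ports.
        parts = urlsplit("//" + value)
        hostname, port = parts.hostname, parts.port
    except ValueError:
        return None
    if not hostname:
        return None
    if hostname.endswith("."):            # "example.com." is the same name in absolute form
        hostname = hostname[:-1]
    if not parts.netloc.startswith("["):  # label rules do not apply to IPv6 literals
        if not all(LABEL_RE.match(label) for label in hostname.split(".")):
            return None
    return hostname, port


def host_allowed(raw_host, allowed_hosts, allowed_ports=(None, 443)):
    """True only if Host names one of this service's hostnames on an expected port."""
    parsed = parse_host_header(raw_host)
    if parsed is None:
        return False
    hostname, port = parsed
    return hostname in allowed_hosts and port in allowed_ports


def absolute_url(canonical_host, path):
    """Build outgoing URLs from configuration, never from the request's Host header."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    return f"https://{canonical_host}{path}"


CANONICAL_HOST = "idm.corp.example"                     # constructed hostname
ALLOWED_HOSTS = {CANONICAL_HOST, "login.corp.example"}  # every name clients may legitimately use

# Constructed Host header values a reverse proxy or application might receive.
SAMPLE_HOST_HEADERS = [
    "idm.corp.example",
    "IDM.CORP.EXAMPLE:443",
    "idm.corp.example.",
    "attacker.example",
    "idm.corp.example@attacker.example",
    "idm.corp.example:8443",
    "idm.corp.example\r\nx-injected: 1",
    "",
]


def triage(headers=SAMPLE_HOST_HEADERS):
    """Map each candidate Host value to the allow/reject decision."""
    return {h: host_allowed(h, ALLOWED_HOSTS) for h in headers}


if __name__ == "__main__":
    for header, ok in triage().items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {header!r}")
    print(absolute_url(CANONICAL_HOST, "/auth/callback"))
```

The port is part of the decision on purpose: a URL built from `idm.corp.example:8443` is a different origin from the one the service is configured for, so it is rejected even though the hostname matches. If the application sits behind a proxy that rewrites Host, the same check belongs at the proxy, and X-Forwarded-Host should only be honoured when the proxy is known to set it.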
Verizon report: Employees responsible for 39% of healthcare breaches in 2021
Verizon’s annual Data Breach Investigations Report finds that healthcare has the highest share of breaches involving its own employees of any sector analyzed: 39% of healthcare breaches involved internal actors, against an average of just 18% across all industries.
The report notes that user error, rather than malicious intent, is behind the majority of these healthcare incidents, with employees over 2½ times more likely to make an error than to facilitate a breach deliberately. Misdelivery of data and loss of devices or documents are the most common employee errors in healthcare, according to the report.
The study found that healthcare breaches reached another all-time high in 2021, with a record volume of patient and staff data compromised. The key concerns it highlights for 2022 are the lack of funding, the potential for nation-state attacks, and the rise of new, aggressive ransomware groups.
According to the report, web application attacks accounted for about 30% of healthcare breaches last year, incidents involving malware or hacking for about 26%, and unintentional actions that compromised data security rounded out the top three causes at about 21%.
Verizon’s 2022 Data Breach Investigations Report is based on data collected from organizations that were victims of cyber incidents from November 2020 through October 2021.
Canadian government announces investment in energy sector cyber response playbook
On May 25, the Honourable Jonathan Wilkinson, Canada’s Minister of Natural Resources, announced a C$156,514 investment in a cyber attack response playbook widely used by organizations in the energy sector.
“Created by the Canadian consulting engineering firm BBA, the Industrial Automation and Control Systems (IACS) Cyber Security Incident Response Playbook relies on best-industry practices to provide for strong cyber security responses to ensure organizations are prepared to react systematically during times of emergency,” according to the press release.
“Our government is working diligently to ensure the long-term security of critical infrastructure, which includes dealing with current and emerging risks presented by cyber attacks. By applying industry’s knowledge, such as BBA’S IACS playbook, we are supporting the energy sector’s efforts to respond and recover from cyber threats, while protecting Canada’s energy security,” said Wilkinson.
First presented to industry in March 2022, the playbook was designed to advance the standards and best practices that protect critical energy infrastructure and to help the sector defend against, and recover from, cyber attacks. The latest version of the playbook is available for free download from BBA’s website.
Microsoft to roll out security defaults to 60 million Azure Active Directory users
On May 25, Microsoft announced a rollout expected to triple the number of customers using security defaults in Azure Active Directory (Azure AD). Security defaults are already used by about 30 million customers, and “the rollout will protect an additional 60 million accounts from the most common identity attacks,” according to Alex Weinert, Director of Identity Security at Microsoft.
Security defaults have been applied to tenants created since October 2019, “but tenants created before October 2019 were not included in security defaults and were vulnerable unless they explicitly enabled features like Conditional Access, Identity Protection, and MFA. Many organizations aren’t even aware of these capabilities – or the increasingly dangerous wave of attacks they prevent,” explained the blog post.
Microsoft plans to start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients. Global administrators of eligible tenants will be notified by email, and starting in late June they will see a prompt to enable security defaults. Once enabled, all users in the tenant will be prompted to register for MFA, ideally using the Microsoft Authenticator app.
Organizations using security defaults “experience 80 percent less compromise than the overall tenant population,” according to the blog. “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing, and password reuse,” Weinert added.
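The eligibility criteria above (security defaults not yet enabled, no active legacy authentication clients) are things an administrator can check ahead of the prompt, because security defaults block legacy authentication and anything still using it will break. The following is an added example, not Microsoft’s code: it reads the tenant’s security-defaults policy and recent sign-ins through the documented Microsoft Graph v1.0 endpoints and reports which principals still sign in with legacy clients. The bearer token and its permissions are assumed to come from elsewhere (Policy.Read.All for the policy; AuditLog.Read.All and Directory.Read.All, plus an Azure AD P1/P2 licence, for sign-in logs), and the sample records are constructed in the shape Graph returns.

```python
"""Is this tenant ready for Azure AD security defaults?  Two Microsoft Graph checks.

Added example, not Microsoft's code.  Before the prompt to enable security defaults
arrives, an admin wants to know (1) whether they are already on and (2) who still
signs in with legacy authentication, which security defaults will block.  Only
documented Graph v1.0 endpoints are used; obtaining the bearer token (assumed
permissions: Policy.Read.All, AuditLog.Read.All, Directory.Read.All) is out of scope.
The sample policy and sign-in records at the bottom are constructed.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# clientAppUsed values Azure AD reports for modern authentication.  Everything else
# (IMAP4, POP3, Exchange ActiveSync, Authenticated SMTP, "Other clients", ...) is
# legacy authentication and will stop working once security defaults are enforced.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def graph_get(token, path, params=None):
    """GET a Graph resource or collection, following @odata.nextLink paging."""
    url = GRAPH + path + ("?" + urllib.parse.urlencode(params) if params else "")
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        if "value" not in body:          # single resource, e.g. the policy object
            return body
        items.extend(body["value"])
        url = body.get("@odata.nextLink")
    return items


def security_defaults_enabled(policy):
    """policy is the body of GET /policies/identitySecurityDefaultsEnforcementPolicy."""
    return bool(policy.get("isEnabled", False))


def legacy_auth_usage(signins):
    """Count successful legacy-auth sign-ins per (user, client) from /auditLogs/signIns."""
    usage = {}
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue                     # a failed attempt is not evidence of a dependency
        client = s.get("clientAppUsed") or "Unknown"
        if client in MODERN_CLIENTS:
            continue
        key = (s.get("userPrincipalName", "?"), client)
        usage[key] = usage.get(key, 0) + 1
    return usage


def readiness_report(policy, signins):
    """Combine both checks into the decision the admin has to make."""
    legacy = legacy_auth_usage(signins)
    return {
        "security_defaults_enabled": security_defaults_enabled(policy),
        "legacy_auth_principals": sorted({upn for upn, _ in legacy}),
        "legacy_auth_by_client": {f"{upn} via {client}": n for (upn, client), n in legacy.items()},
        "safe_to_enable": not legacy,
    }


def fetch_and_report(token, since_iso):
    """Live version.  Graph filters sign-ins on createdDateTime; client type is filtered here."""
    policy = graph_get(token, "/policies/identitySecurityDefaultsEnforcementPolicy")
    signins = graph_get(token, "/auditLogs/signIns",
                        {"$filter": f"createdDateTime ge {since_iso}"})
    return readiness_report(policy, signins)


# Constructed sample data in the shape Graph returns (users and tenant are fictitious).
SAMPLE_POLICY = {"isEnabled": False}
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 50126}},    # bad password (AADSTS50126): not a working dependency
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    print(json.dumps(readiness_report(SAMPLE_POLICY, SAMPLE_SIGNINS), indent=2))
```

Only successful sign-ins count, because a failing IMAP login is a password-spray symptom rather than a workflow that enabling security defaults would break. In the constructed sample, the report names the mailbox user and the SMTP-relaying scanner as the two principals to migrate or exempt before turning security defaults on; `fetch_and_report` runs the same logic against the live tenant.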