Drupal Vulnerability, Hack Speed, Supply Chain Attacks, MHR and DNS
TLP White: In this edition of Hacking Healthcare, we draw your attention, in the unlikely event you missed it, to a new Drupal vulnerability. We then break down Crowdstrike’s revelation on just how quick Russian hackers are. Next, we summarize worrying growth in supply chain attacks. We then discuss Australia’s contentious opt-out legislation and its impact on their “My Health Records” system. Finally, we discuss the implications of and lessons learned from the recent widespread DNS hijacking attacks.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. New Drupal Vulnerability Rated Highly Critical.
Sites making use of Drupal, an open source content management platform, should be aware of a newly discovered vulnerability that may allow malicious actors to remotely execute code. The vulnerability, listed as CVE-2019-6340, should be addressed immediately through the application of security updates and version upgrades.[1] Drupal is estimated to run 3-4% of the world’s websites, which would mean tens of millions of websites could potentially be exposed to the vulnerability.[2]
This represents the second time in as many years that Drupal has experienced a critical vulnerability threatening its users. In 2018, the content management system was hit by a hacking campaign that turned hundreds of websites using Drupal into cryptocurrency mining platforms that targeted the sites’ visitors. The attack, known as “Drupalgeddon2,” was notable in that the flaw was still being exploited six weeks after a patch was released.[3]
While there is currently no known case of this vulnerability being exploited in the wild, the slow patching seen in last year’s response to Drupalgeddon2 raises concern that malicious actors will again have ample time to find unpatched sites and exploit them.
2. Blink and You’ll Miss It: Russian Hackers Set the Bar High.
An analysis of cyber threat actors released by Crowdstrike last week details just how efficient the Russians are when it comes to targeted attacks. Analyzing tens of thousands of incidents across its customer base, Crowdstrike determined that Russian “breakout time,” the time from an initial compromise to the start of lateral movement across the victim’s environment, topped the global rankings by a considerable margin. While cyber criminals took nine hours and forty minutes on average to “break out,” and Chinese groups averaged just over four hours, Russian groups managed to average an astonishing eighteen minutes.[4]
While this data is interesting, Crowdstrike itself noted the limitations of these metrics in its initial release and cautioned against jumping to conclusions. Crowdstrike disclosed important caveats to its findings, stating that its methodology did not take into account the volume of attacks and noting the imperfect attribution of some attacks counted in its study. Furthermore, Crowdstrike acknowledged that aggregating attacks into groups masks particular actors that may have extreme skill and sophistication when they are grouped with large numbers of less effective actors. However, Crowdstrike hopes to release more granular data in the future that could shed light on some of these more nuanced insights.
Regardless of the limitations in Crowdstrike’s analysis, the detailed report provides a glimpse of just how difficult the job of a network defender is when up against the concerted power of highly sophisticated groups.[5] On the brighter side, Crowdstrike notes that breakout time across all actors actually increased substantially from last year, with the average time of all breakouts rising from just short of two hours to just over four and a half hours.[6] While it’s impossible to determine how much of that increase is due to better cybersecurity products and policies, releasing comprehensive data like this will help set useful benchmarks for future analysis.
3. Supply Chain Attacks on the Rise.
According to a new Symantec report, malicious hackers are increasingly looking to supply chain attacks to reach their targets. Symantec’s report shows a remarkable 78% increase in supply chain attacks in 2018.[7] Symantec noted that supply chain attacks, which use third-party services and software as the vector into the intended target, represent a growing and increasingly sophisticated threat, especially in eCommerce. Symantec further elaborated on the difficulty of combating malicious activity emanating from trusted sources, saying that “effectively identifying and blocking these attacks requires the use of advanced detection methods such as analytics and machine learning.”[8]
The rise of supply chain attacks this past year comes as ransomware infections declined 20%, while phishing declined for the fourth year in a row overall, down 7% from last year.[9] While a one-year spike in supply chain attacks does not make a trend, this change in attack vector warrants monitoring. If supply chain attacks become a mainstream method of infiltrating protected systems, companies will need to respond with innovations in cyber defenses to counter these efforts.
4. Australians Opt Out.
A new report has shocked some in government by revealing that roughly one in ten Australians have opted out of using the My Health Record online system (“MHR”).[10] This represents a dramatic increase from last year, which hovered around 3%. This shift appears to coincide with newly passed legislation that allows Australians to opt out of MHR at any time and have their data deleted from the system.
Tim Kelsey, the Chief Executive of the Australian Digital Health Agency (“ADHA”), defended the MHR project as a serious effort to ensure that doctors have access to the most up-to-date records available for their patients, and said that the MHR system will help crack down on misdiagnoses.[11] He further pointed to the adoption of MHR by the majority of pharmacies in Australia as proof that industry is getting on board.[12]
The significant increase in patient opt-outs has also roiled some members of parliament. The Labor party has criticized the inclusion of opt-out legislation as negatively impacting the implementation of a program that would have health benefits. They have called for an independent privacy commissioner to review the MHR system.[13]
5. Recent DNS Hijacking Campaign Highlights Internet’s Structural Vulnerability.
The recent and widespread Domain Name System (“DNS”) hijacking attacks, which appear to have primarily targeted Middle Eastern and North African state government agencies and prompted the U.S. Department of Homeland Security to direct federal agencies to secure the login credentials for their internet domain records, emphasize how vulnerable the system is to hijacking.[14] The attacks, widely attributed to Iran or a pro-Iran entity, were complex and required a sophisticated actor to compromise DNS records and divert targets’ internet traffic to attacker-controlled servers.[15] The attacks are notable because of who was targeted, how easily the DNS was apparently hijacked and its protections circumvented, and how important cybersecurity basics like multi-factor authentication and avoiding public Wi-Fi really are.
Congress –
Tuesday, February 26th:
–Hearing on protecting consumer privacy in the era of big data (House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce).[16]
–Hearing on securing U.S. surface transportation from cyber attacks (House Committee on Homeland Security Subcommittee on Transportation and Maritime Security and Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation).[17]
Wednesday, February 27th:
–Hearing to examine policy principles for a Federal data privacy framework in the United States (Senate Committee on Commerce, Science, and Transportation).[18]
–Hearing on “Securing our Nation’s Chemical Facilities: Building on the Progress of the CFATS Program” (House Committee on Homeland Security).[19]
Thursday, February 28th:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–H-ISAC Member Meet-Up at RSA Conference – TBD (3/6/19)
–H-ISAC Radio Show DMARC discussion – Reg link in Member Portal (3/18/19 Noon EST)
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
<https://nhisac.org/events/nhisac-events/first-symposium-2019/>
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>
–InfoSec World 2019 – Lake Buena Vista, FL (4/1/19-4/3/19)
<https://infosecworld.misti.com/>
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19– 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>
–H-ISAC Israel Showcase & Innovation – Tel Aviv, Israel (4/8/19-4/13/19)
<https://www.regonline.com/registration/Checkin.aspx?EventID=2551847>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)
<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)
<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19)
<https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
–2019 NH-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
<https://www.loewshotels.com/coronado-bay-resort>
Sundries –
–Complex court battle for Methbot, 3ve cybercrime suspects only is getting started
<https://www.cyberscoop.com/methbot-3ve-timchenko-zhukov-court/>
–As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks
<https://www.cyberscoop.com/european-think-tanks-hack-microsoft-fancy-bear-russia/>
–Researchers paint different portraits of hackers behind Ryuk ransomware
<https://www.cyberscoop.com/researchers-paint-different-portraits-hackers-behind-ryuk-ransomware/>
–Password manager report gets researcher booted from Bugcrowd
<https://www.cyberscoop.com/bugcrowd-adrian-bednarek-lastpass/>
–Can you guess which face is real, and which is computer generated?
<https://techcrunch.com/2019/02/20/can-you-guess-which-face-is-real-and-which-is-computer-generated/>
–Google says Nest’s secret microphone was ‘never intended to be a secret’
<https://techcrunch.com/2019/02/20/nest-secret-microphone/>
–Nasty code-execution bug in WinRAR threatened millions of users for 14 years
–Hard-to-detect credential-theft malware has infected 1,200 and is still going
–Groups hit Facebook with another FTC complaint
–A ‘Smart Wall’ Could Spark a New Kind of Border Crisis
<https://www.wired.com/story/border-smart-wall-privacy-surveillance/>
–Android Users: Check This Facebook Location Privacy Setting ASAP
<https://www.wired.com/story/android-facebook-location-privacy-setting/>
Contact us: follow @HealthISAC, and email at contact
[1] https://arstechnica.com/information-technology/2019/02/millions-of-websites-threatened-by-highly-critical-code-execution-bug-in-drupal/
[2] Ibid
[3] https://arstechnica.com/information-technology/2018/05/hundreds-of-big-name-sites-hacked-converted-into-drive-by-currency-miners/
[4] https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
[5] https://www.wired.com/story/russian-hackers-speed-intrusion-breach/
[6] https://searchsecurity.techtarget.com/news/252458156/CrowdStrike-report-says-breakout-time-for-threat-actors-is-increasing
[7] https://www.symantec.com/security-center/threat-report?om_ext_cid=biz_vnty_istr-24_multi_v10195
[8] Ibid
[9] https://www.nextgov.com/cybersecurity/2019/02/supply-chain-attacks-spiked-78-percent-2018-cyber-researchers-found/154996/
[10] https://www.zdnet.com/article/more-than-2-5-million-australians-have-opted-out-of-my-health-record/
[11] https://www.healthcareitnews.com/news/one-ten-australians-opt-out-my-health-record-system-adha-says
[12] Ibid
[13] Ibid
[14] https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/
[15] https://www.cyberscoop.com/fireeye-dns-hijacking-record-manipulation-iran/
[16] https://energycommerce.house.gov/committee-activity/hearings/hearing-on-protecting-consumer-privacy-in-the-era-of-big-data
[17] https://homeland.house.gov/hearings-and-markups/hearings/securing-us-surface-transportation-cyber-attacks
[18] https://www.commerce.senate.gov/public/index.cfm/hearings?ID=CBA2CD07-4CC7-4474-8B6E-513FED77073D
[19] https://homeland.house.gov/hearings-and-markups/hearings/securing-our-nation-s-chemical-facilities-building-progress-cfats