TLP White HC3: Monthly Cybersecurity Vulnerability Bulletin: News of Interest to the Health Sector October 15, 2021

BrakTooth - The BrakTooth vulnerabilities were first made public on August 31, 2021, after being discovered by the ASSET Research Group. This new family of security vulnerabilities, found in commercial Bluetooth Classic stacks for various System-on-Chips (SoCs), affects the Bluetooth Classic (BR/EDR) protocol and millions of Bluetooth-enabled devices. BrakTooth vulnerabilities pose a threat to the Healthcare and Public Health (HPH) sector because the risk associated with this set of security flaws ranges from denial-of-service (DoS), by crashing the device firmware or causing a deadlock condition in which Bluetooth communication is no longer possible, to arbitrary code execution. It is recommended that Healthcare Delivery Organizations (HDOs), healthcare professionals and manufacturers reach out to the ISAC/ISAOs for assistance with responding.

Conti Ransomware - Conti is a ransomware group that has aggressively targeted the healthcare industry, major corporations, and government agencies, particularly those in North America, since it was first observed in 2019. During this type of cyber-attack, the threat actor steals sensitive data from compromised networks, encrypts the targeted organizations' servers and workstations, and threatens to publish the stolen data unless the target pays a ransom. According to the Joint Cybersecurity Advisory from CISA and the FBI, the agencies have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations, at least 16 of which have targeted U.S. healthcare and related organizations. To secure systems against Conti ransomware, CISA, the NSA and the FBI recommend implementing the mitigations listed in the advisory.

Hardening Remote Access VPN - The NSA and CISA issued a joint information sheet providing guidance on hardening Virtual Private Network (VPN) services, because remote access VPN servers are entry points into protected networks and have become targets of malicious actors. The healthcare industry uses VPN technologies for telehealth, telemedicine, patient access to records and appointments, as well as a variety of other applications. The NSA and CISA advise selecting standards-based VPNs from reputable vendors with a proven track record of quickly remediating vulnerabilities, and following best practices for strong authentication credentials.

Compromise can lead to the disruption of healthcare operations and the leaking of sensitive information, including research-related intellectual property and protected employee and patient information; exposure of protected health information (PHI) is a potential HIPAA violation. HC3 recommends that healthcare organizations review the NSA/CISA joint information sheet and take appropriate actions in accordance with their risk management strategy.

Medusa TangleBot - Medusa (also known as TangleBot) is malware spreading via SMS that targets Android mobile users: it sends COVID-19-related SMS messages containing a malicious link to trick victims into installing Medusa/TangleBot on their devices, after which it collects data and installs additional malware. Once the malware infects a device, it can use a multitude of data-gathering capabilities, including accessing the victim's internet activity, call logs and GPS, and it can use the victim's device to spread malware throughout the mobile network. This is concerning if a healthcare worker's mobile work device is compromised, because once the malware is installed on a device it can be difficult to detect and remove. Currently, warning messages from Android appear to be the best option available to protect mobile devices from infection. HC3 recommends ensuring enterprise Android device users are made aware of this threat and that they only open links and download applications (apps) from reputable sources.

New Azure AD Brute Force - A newly discovered bug in Microsoft Azure's Active Directory implementation enables single-factor brute-forcing of an Active Directory instance without authentication. Currently there is no available patch for this vulnerability. This vulnerability is expected to impact the health sector because Microsoft Active Directory technology is ubiquitous and, as such, is heavily utilized. The nature of this vulnerability allows for compromise with minimal possibility of detection, and the lack of a patch makes it more challenging still, leaving administrators and network defenders with minimal visibility into an attacker's actions. HC3 recommends healthcare organizations take mitigation actions in accordance with their unique risk posture and continue to monitor for patches or further recommendations.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

(E) jriggi@aha.org
(O) +1 202 626 2272