Urgent Notice: Patch Microsoft Zerologon Exploits ASAP
Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urgently recommend applying the patches for CVE-2020-1472 that were released in August 2020.
The vulnerability, known as Zerologon, allows authentication bypass in Microsoft’s Netlogon Remote Protocol, and in Samba’s implementation of it.
This flaw puts domain controllers at risk, and federal organizations had until September 21 to patch their systems. Microsoft notes that it is tracking new threat actor activity that seeks to exploit this vulnerability.
To check which systems are vulnerable (and to check other Microsoft products for vulnerabilities), please visit the Microsoft Security Update Guide.
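A defender-side check for the notice above, added here as an example and not taken from the original article or from Microsoft's own tooling: it assumes it is run elevated on a domain controller that already has the August 2020 update installed, and it relies on the Netlogon event IDs 5827-5831 and the FullSecureChannelProtection registry value from Microsoft's published CVE-2020-1472 guidance (the 7-day look-back window is an assumption).

```powershell
# Added example (not from the original article): run on each domain controller
# after the August 2020 CVE-2020-1472 update is installed. It reads the
# Netlogon event IDs 5827-5831 that the update adds to the System log and the
# FullSecureChannelProtection registry value that turns on enforcement mode.
# Event IDs and registry value follow Microsoft's published CVE-2020-1472
# guidance; the look-back window is an assumption.
$lookBackDays = 7
$since = (Get-Date).AddDays(-$lookBackDays)

# Meaning of the event IDs written by the patched Netlogon service:
#   5827 / 5828  vulnerable secure-channel connection denied (machine / trust account)
#   5829         vulnerable connection still allowed (initial deployment phase)
#   5830 / 5831  vulnerable connection allowed by Group Policy exception
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827..5831
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Netlogon events 5827-5831 in the last $lookBackDays days."
    Write-Output "Either no vulnerable clients connected, or the August 2020 update is missing."
}
else {
    # Count per event ID to show how much vulnerable Netlogon traffic the DC still sees
    $events | Group-Object Id | Sort-Object Name |
        ForEach-Object { "{0,5} x Event ID {1}" -f $_.Count, $_.Name }

    # 5829-5831 identify accounts that still negotiate the vulnerable channel;
    # these need fixing or isolating before enforcement mode is switched on
    $allowed = $events | Where-Object { $_.Id -in 5829, 5830, 5831 }
    if ($allowed) {
        Write-Output "`nAccounts still using a vulnerable Netlogon secure channel:"
        $allowed | Select-Object -ExpandProperty Message -Unique
    }
}

# Enforcement mode: FullSecureChannelProtection = 1 makes the DC refuse the
# vulnerable connections that 5829-5831 only report.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mode = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
            -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($mode -eq 1) {
    Write-Output "`nEnforcement mode ON (FullSecureChannelProtection = 1)."
}
else {
    Write-Output "`nEnforcement mode OFF: vulnerable connections are logged but still allowed."
}
```

Any account listed under 5829-5831 is a client that would break once enforcement is turned on, so it is the list to work through before the reboot window the article describes.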
*Clients of Ideal Integrations’ managed services will already have had this issue addressed. If you need support, complete the form at the bottom of this article.
Healthcare Breach Attack Amplifiers
When it comes to vulnerabilities such as the Zerologon exploit, all companies need to be concerned.
However, between the health of their patients and the threat of additional HIPAA sanctions, healthcare providers have extra motivation.
Unfortunately, many healthcare providers also face additional barriers to deployment. Beyond the typical issues of staffing shortages and a long-standing list of priority tasks, hospitals, clinics, pharmacies, and other healthcare entities suffer more severe consequences when something goes wrong.
Downtime may cause issues with treating patients, so they cannot afford to apply untested patches that may cause connected systems to fail. Even the process of applying the patch and rebooting the systems must be done with the goal of minimizing downtime for an environment operating 24/7/365.
Worst Nightmare Realized
On Sept. 10, 2020, a cyberattack exploiting a known Citrix VPN vulnerability targeted Heinrich Heine University.
The attack took down the admission and patient record systems of the Duesseldorf University Clinic. As a result, on Sept. 17, a patient in critical condition died in transit while being rerouted to a different hospital.
The fatality is the first to be associated with a ransomware attack.
German authorities are investigating whether the attackers can be charged with manslaughter. However, it will be difficult to prove that the ransomware contributed to the death and that the patient would have survived with more immediate treatment.
What’s worse? The Citrix VPN vulnerability has been known since 2019 and the first patches became available in January 2020.
If the patient had died in the United States, how much liability would the hospital bear for allowing the vulnerability to go unpatched for over half a year?
Check Point’s 2020 Mid-Year Report on Cyber Attack Trends noted that 20% of ransomware attacks observed in the first half of 2020 involved vulnerabilities at least seven years old. Additionally, 80% of the attacks used vulnerabilities that had been reported in 2017 or earlier.
In other words, only 1 out of 5 attacks involved a vulnerability detected in 2018 or later.
Often, legitimate reasons exist to delay patches. But if you leave known vulnerabilities unpatched, you need to isolate the affected systems more thoroughly.
No one wants to be the first organization found criminally negligent because they intentionally did not patch their systems.
Negligence & Large Settlements
During a cyber attack, the stress involved is crippling.
From trying to counter the attack to keeping it from going public, everyone within the organization experiences some form of pain. For some, the pain becomes magnified by million-dollar fines.
On Sept. 22, the Athens Orthopedic Clinic agreed to pay a $1.5 million HIPAA settlement resulting from a 2016 data breach. A few days later, Tennessee-based CHS Community Health Systems agreed to pay a $2.3 million settlement related to a breach from 2014.
In both cases, the government found the healthcare provider to be negligent.
CHS Community Health Systems took five months to stop the exfiltration of data after the FBI had notified it that the attack was in progress. Investigators later determined that the hospital had tolerated longstanding, systemic noncompliance with HIPAA requirements.
The government likewise determined that Athens Orthopedic exhibited a systemic failure to implement reasonable risk-based security.
The government pursued large settlements to penalize both organizations for a lack of fundamental policies and procedures, forgoing basic safeguards, and a failure to perform security risk assessments.
Getting Supplemental Assistance
All too often, IT departments leave patching undone because they are working on more pressing matters.
However, once an attack occurs, everything changes abruptly.
Does your team need assistance catching up with patching, isolating systems, or implementing safeguards? Perhaps your team simply needs help monitoring for potential attacks?
We’re here to help! Our teams at Ideal Integrations and Blue Bastion Cyber Security provide comprehensive monitoring options. We also provide red-team engagements to test existing systems, as required by HIPAA regulations.
Let’s work together to keep your organization safe and secure! Ready to get started? Just complete the form below or call us at 412-349-6680.