{"id":7591,"date":"2020-10-15T21:31:26","date_gmt":"2020-10-16T04:31:26","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7591"},"modified":"2023-04-05T12:42:49","modified_gmt":"2023-04-05T19:42:49","slug":"cyber-hygiene-ransomware-is-causing-critical-care-disruption-in-hospitals","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/cyber-hygiene-ransomware-is-causing-critical-care-disruption-in-hospitals\/","title":{"rendered":"Cyber Hygiene: Ransomware is Causing Critical Care Disruption in Hospitals"},"content":{"rendered":"<blockquote><p><span style=\"font-size: 18px;\"><strong><span style=\"font-family: verdana,geneva,sans-serif;\">We analyzed three ransomware incidents (Ryuk, Revil &amp; AKO) and found 16 CVEs associated with them. Incidentally, CSW warned about four of these CVEs in our cyber risk series way back in March 2020!<\/span><\/strong><\/span><\/p><\/blockquote>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><img decoding=\"async\" style=\"width: 550px; height: 453px; float: right;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/hospital-ransomware-image1-corrected.png\" alt=\"\" \/>Hospitals all over the world, stringently follow infection management protocols such as hand washing, sterilization of gowns, face masks &amp; shields, continuous sterilization of equipment and devices to ensure proper protection for patients and doctors alike.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">If only health care workers, doctors, nurses and hospital employees could extend the same principles to cyber hygiene, we wouldn\u2019t be seeing a spate of Ransomware attacks sweeping all over the world.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Last week, Universal Health Services was attacked by Ryuk Ransomware, leading to a shutdown of the network in over 250 hospitals all over the US.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Investigations revealed that Ryuk ransomware has infected their systems. Ryuk attackers trick users into opening malicious links and they use vulnerable Internet Explorer browsers to exploit and deliver malware.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Ryuk exploits the following vulnerabilities &#8211;<\/span><\/span><\/p>\n<ul>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2013-2618\" target=\"_blank\" rel=\"noopener\">CVE-2013-2618<\/a> (Network Weathermap HTML Injection Vulnerability),<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-6884\" target=\"_blank\" rel=\"noopener\">CVE-2017-6884<\/a> (Zyxel EMG2926 home router OS Command Injection Vulnerability)<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-8389\" target=\"_blank\" rel=\"noopener\">CVE-2018-8389<\/a> (Internet Explorer Remote Code Execution Vulnerability)<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-12808\" target=\"_blank\" rel=\"noopener\">CVE-2018-12808<\/a> (Adobe Acrobat and Reader Arbitrary Code Execution Vulnerability)<\/span><\/span><\/li>\n<\/ul>\n<blockquote><p><strong><span style=\"font-family: verdana,geneva,sans-serif;\"><span style=\"font-size: 18px;\">It\u2019s high time that hospitals and health care centers take cyber hygiene seriously because a ransomware attack is not a pesky technical problem anymore. It can take lives. It already has.<\/span><\/span><\/strong><\/p><\/blockquote>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Last month, D\u00fcsseldorf University Hospital (Germany) was attacked by Revil through Citrix\u2019s VPN server vulnerability <a href=\"http:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2013-2618\" target=\"_blank\" rel=\"noopener\">CVE-2019-19781<\/a>.\u00a0<\/span><\/span><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">This ransomware attack led to the death of a patient &#8211; making this incident first recorded fatality caused by a ransomware.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Revil exploits vulnerabilities such as &#8211;<\/span><\/span><\/p>\n<ul>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/www.mcafee.com\/enterprise\/en-hk\/threat-center\/threat-landscape-dashboard\/vulnerabilities-details.cve-2019-2725.html\" target=\"_blank\" rel=\"noopener\">CVE-2019-2725<\/a> (Oracle Weblogic Vulnerability)<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"http:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2013-2618\" target=\"_blank\" rel=\"noopener\">CVE-2019-19781<\/a> (Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution)<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-8453\" target=\"_blank\" rel=\"noopener\">CVE-2018-8453<\/a> (Window 10 and Windows Server vulnerability)<\/span><\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Earlier last month, the AKO ransomware attack on Children\u2019s Minnesota and Allina Health hospitals led to the exposure of over 160,000 patients\u2019 records through a cloud computing company called Blackbaud that manages the hospital&#8217;s database.\u00a0 AKO ransomware uses Citrix vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2013-2618\" target=\"_blank\" rel=\"noopener\">CVE-2019-19781<\/a>\u00a0to deliver ransomware.<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Cyber hygiene and a lack of awareness about cyber security is being exploited by these malicious actors who don\u2019t think twice before attacking a hospital during pandemic times.<\/span><\/span><\/p>\n<blockquote><p><strong><span style=\"font-size: 18px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Our research has revealed that there are many state-sponsored groups that are using Ryuk and Revil to take down health care centers and hospitals in Europe, UK, US etc. <\/span><\/span><\/strong><\/p><\/blockquote>\n<table style=\"width: 500px;\" border=\"1\" cellspacing=\"1\" cellpadding=\"1\" align=\"center\">\n<caption>\n<h3><\/h3>\n<\/caption>\n<thead>\n<tr>\n<th style=\"background-color: #ffffff;\" scope=\"col\">Ransomware<\/th>\n<th style=\"background-color: #ffffff;\" scope=\"col\">CVEs<\/th>\n<th style=\"background-color: #ffffff;\" scope=\"col\">APT Groups<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"background-color: #ffffff;\" colspan=\"1\" rowspan=\"3\">Ryuk<\/td>\n<td style=\"background-color: #ffffff;\">CVE-2017-0143<\/td>\n<td style=\"background-color: #ffffff;\">Calypso<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #ffffff;\">CVE-2017-0144<\/td>\n<td style=\"background-color: #ffffff;\">Shadow Brokers<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #ffffff;\">CVE-2017-0145<\/td>\n<td style=\"background-color: #ffffff;\">APT3 (Chinese Group)<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #ffffff;\" colspan=\"1\" rowspan=\"3\">Revil<\/td>\n<td style=\"background-color: #ffffff;\">CVE-2019-2725<\/td>\n<td style=\"background-color: #ffffff;\" colspan=\"1\" rowspan=\"3\">GOLD SOUTHFIELD threat group<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #ffffff;\">CVE-2019-19781<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #ffffff;\">CVE-2018-8453<\/td>\n<\/tr>\n<tr>\n<td style=\"background-color: #ffffff;\">AKO<\/td>\n<td style=\"background-color: #ffffff;\">CVE-2019-19781<\/td>\n<td style=\"background-color: #ffffff;\">APT41 (Chinese Actor)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"display: none;\">\u00a0<\/span><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">We urge hospitals and health centers to patch these CVEs without further delay.<\/span><\/span><\/p>\n<p>&nbsp;<\/p>\n<p><iframe class=\"airtable-embed\" style=\"background: transparent; border: 1px solid #ccc;\" src=\"https:\/\/airtable.com\/embed\/shrqClOVyTY98KZk9?backgroundColor=blue&amp;viewControls=on\" width=\"100%\" height=\"533\" frameborder=\"0\"><\/iframe><\/p>\n<p><span style=\"font-size: 11px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><strong>Table 1<\/strong>: Download information about\u00a016 CVEs, known exploits, APT Groups, Ransomware &amp; Patches<\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">These incidents could have been avoided. We warned about five CVEs in our <a href=\"https:\/\/cybersecurityworks.com\/cyber-risk-series\/\" target=\"_blank\" rel=\"noopener\">Cyber Risk Series<\/a> (published in 2020) as\u00a0potential vulnerabilities that could be exploited by ransomware and sadly our prediction came true.<\/span><\/span><\/p>\n<ol>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">CVE-2019-6109\u00a0<\/span><\/span>(<a href=\"https:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-enterprise-data-storage.html\" target=\"_blank\" rel=\"noopener\">Cyber Risk in Enterprise Data Storage<\/a>)<\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">CVE-2019-6110\u00a0<\/span><\/span>(<a href=\"https:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-enterprise-data-storage.html\" target=\"_blank\" rel=\"noopener\">Cyber Risk in Enterprise Data Storage<\/a>)<\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">CVE-2018-20685\u00a0<\/span><\/span>(<a href=\"https:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-enterprise-data-storage.html\" target=\"_blank\" rel=\"noopener\">Cyber Risk in Enterprise Data Storage<\/a>)<\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">CVE-2019-19781\u00a0<\/span><\/span>(<a href=\"https:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-remote-desktop.html\" target=\"_blank\" rel=\"noopener\">Cyber Risk in Remote Desktop<\/a>)<\/li>\n<\/ol>\n<p><img decoding=\"async\" style=\"width: 550px; height: 182px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/img3(10).png\" alt=\"\" \/><\/p>\n<p style=\"text-align: center;\"><span style=\"font-size: 11px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><strong>Cyber Risk Report: An extract from Cyber Risk in\u00a0<a href=\"https:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-enterprise-data-storage.html\" target=\"_blank\" rel=\"noopener\">Enterprise Data Storage<\/a><\/strong><\/span><\/span><\/p>\n<p><img decoding=\"async\" style=\"width: 550px; height: 239px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/img4(6).png\" alt=\"\" \/><\/p>\n<p style=\"text-align: center;\"><span style=\"font-size: 11px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><strong>Cyber Risk: <a href=\"https:\/\/cybersecurityworks.com\/resources\/cyber-risk-series\/cyber-risk-in-working-remotely.html\" target=\"_blank\" rel=\"noopener\">Cyber Risk in Working Remotely<\/a><\/strong><\/span><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><img decoding=\"async\" style=\"width: 1000px; height: 527px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/hospital-ransomware-image-2.png\" alt=\"\" \/><\/span><\/span><\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\"><strong>The way forward<\/strong><\/span><\/p>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Hospitals need to protect themselves from Ransomware attacks especially now when we need them functioning to help people cope with a pandemic.<\/span><\/span><\/p>\n<ol>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Protect your network against trending ransomware attacks by applying patches and updates.<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Avoid misconfigurations<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Initiate a continuous vulnerability management process.<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Backing up your data is critical.<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Integrating Ransomware detection tools in your infrastructure is essential.<\/span><\/span><\/li>\n<li><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Frequent pentesting and enhancing your defenses is crucial<\/span><\/span><\/li>\n<\/ol>\n<p><span style=\"font-size: 14px;\"><span style=\"font-family: verdana,geneva,sans-serif;\">Lastly, awareness about cyber security is low among hospital staff another reason why phishing and email scams are so successful. Most hospitals do not have a budget for cyber security and nor do they have dedicated security teams to manage vulnerabilities or educate employees.<\/span><\/span><\/p>\n<hr \/>\n<h4><span style=\"font-family: verdana,geneva,sans-serif;\"><strong>Definition<\/strong><\/span><\/h4>\n<p><span style=\"font-size: 12px;\"><span style=\"font-family: verdana,geneva,sans-serif;\"><strong>Ransomware<\/strong>: Ransomware is a malicious software (malware) that encrypts\u00a0computers. Once encrypted, you cannot access your files or see the content. After encrypting, the attacker will demand a ransom from you if wish to get access back to your files. Once the ransom is paid (which can range from thousands or hundreds of dollars\/bitcoins), you will recieve instructions about the decryptiion key that will restore your files back to you.\u00a0<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We analyzed three ransomware incidents (Ryuk, Revil &#038; AKO) and found 16 CVEs associated with them. Incidentally, CSW warned about five of these CVEs in our cyber risk series way back in March 2020!<\/p>\n","protected":false},"author":1,"featured_media":7592,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[82,80,81,117],"tags":[356,119,91,355,350,139],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7591"}],"collection":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/comments?post=7591"}],"version-history":[{"count":4,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7591\/revisions"}],"predecessor-version":[{"id":12234,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/posts\/7591\/revisions\/12234"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media\/7592"}],"wp:attachment":[{"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/media?parent=7591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/categories?post=7591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.securin.xyz\/wp-json\/wp\/v2\/tags?post=7591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}