Change Healthcare Impacts Providers; More Fortinet Exploits and Ivanti Flaws

The attack is being felt nationwide. HHS has issued $2.5 billion in advance Medicaid and Medicare action payments, which providers will need to reconcile later, so providers can continue to operate. HHS is insisting insurance companies do the same for providers. The good news is that Change Healthcare is paying 95% of their insurance health insurance claims. Here is a clear example of third-party provider outage risk. Make sure you are capturing the risk of service interruptions from your third parties and options, if any, mitigate them, note you may need to accept more than you think.

Lee Neely

The cyberattack on Change Healthcare continues to highlight 1) the dependency on 3rd party service providers; 2) the unintended consequences of vendor consolidation; and 3) its impact on healthcare operations. For one and three internal workarounds can be established. Unfortunately, to reduce vendor consolidation (via merger and acquisition), the government will have to weigh in.

Curtis Dukes

Luckily, only few FortiClient EMS systems appear to be exposed to the internet. But with an exploit available, this vulnerability could also be used for lateral movement after a network is breached. Access to this software will allow attackers to reach managed systems and it will make it more difficult to evict an attacker.

Johannes Ullrich

No surprised looks, researchers released a POC exploit for CVE-2023-48788, SQL Injection flaw, last Thursday. You know that means is a race condition between your application of the update and successful exploitation. The vulnerability is being targeted to gain access to corporate networks to facilitate ransomware attacks and/or corporate espionage campaigns.

Lee Neely

CVE-2023-41724, unauthenticated user RCE flaw, CVSS score 9.6; and CVE-2023-46808, authenticated user remote file write issue, CVSS score 9.9; were identified in late 2023, but not publicized as they were not being exploited and Ivanti didn't have a patch yet. As there are no mitigations other than applying the update, which may require you to update to a supported release as well, you're going to want to get ahead of this one.

Lee Neely

With tax filing in the US being almost entirely electronic, the cybercriminals are taking advantage of the weakest link in the chain: you. They target your identity, financial accounts and passwords in hopes of tricking you into giving them information and/or access needed to grab your refund. Your primary mitigations are phishing awareness training and enabling MFA on all your accounts. Don't forget to secure your state tax account if you have one.

Lee Neely

While this report focuses on the US tax season, the adversary also builds campaigns for other important dates. The stats tell us that the average click rate for a phishing email is 18%; for targeted email, the number goes up to 53%. Why not focus on patch and configuration management vice trying to sus out malicious email?

Curtis Dukes

Seven of the Chrome flaws were reported by security researchers; Google paid a total of $22,000 in bug bounty rewards to them. While your systems are downloading updates to Chrome and its Chromium based cousins, remember Thunderbird and Firefox ESR 115.9 also dropped addressing ten vulnerabilities, nine of which are addressed in Firefox 124. The tenth is CVE-2024-2614, a memory safety bug which could be used to execute arbitrary code.

Lee Neely

Having used GitHub's Copilot as a coding aid, AutoFix looks like it may become a very useful tool to avoid many of the basic oversights that sneak in when coding. Looking forward to testing it.

Johannes Ullrich

Cross-site scripting is a huge target as making sure your code is sanitizing all inputs is hard, let alone going back and working all the code in your app, not just the part with an identified weakness. This tool looks at multiple files in your app to discover repeated issues, and you could, in theory, fix them consistently with one click. More importantly, IMO, this could dramatically cut the time it takes to do the needed security checks. I would start evaluating this sooner than later, assume attack tool counterpart is out, or nearly out.

Lee Neely

Just before the March Microsoft Vulnerability Tuesday patch release, Microsoft released a progress update on the first four months of their “Secure Future Initiative.” The first two accomplishments said 86% of Azure code and over 1 billion lines of code overall were now being analyzed for vulnerabilities using the GitHub CodeQL tool. Microsoft has to move to faster than monthly patch release and bad updates are a major impediment to ever convinces CIOs to move forward with expecting all software to do what cloud software and browsers already do – patch critical vulnerabilities nearly continuously. I’d like to see Microsoft put out a lessons learned how this memory leak made into the released update.

John Pescatore

If you've not applied the March security update to your DC's (KB5035857) to your DCs, hold off. This affects Windows Server 2022, 2019, 2016 and 2012 R2. Expect the updated patch in the next week. While you're waiting you can focus on browser and iOS/iPadOS updates.

Lee Neely

The attack started with exploiting the Chattr AI based hiring system, which has been fixed. That lead researchers to the discovery of other flawed applications on 842 websites. Attempts to contact the owners of these sites resulted in an 85% email success rate, 25% of the sites addressing the issue, and 1% emailing back. Only two of these sites offered a bug bounty. If you're hosting or using a Firebase application, and you're relying on their security rules to keep data safe, you may want to introduce additional security protections and monitoring as those rules continue to be found problematic.

Lee Neely

Oddly, nobody is trying to claim this assumed ransomware attack as theirs. Radiant is currently deep in their forensics, response and restoration process. They state they don't expect this incident to materially impact the company's financial conditions.

Lee Neely

Two phrases in the 8-K filing worth noting 1) …initial stages of a cybersecurity incident…; and 2) …as of the date of this filing, the incident has not had a material impact on the company’s overall operations. The words businesses use in cybersecurity disclosures matter. It’s been three months since the SEC cyber disclosure rules took effect, and we still have little additional insight into cyber incidents. For all the brouhaha about the rule changes, little has actually changed.

Curtis Dukes

Both AWS and Microsoft took steps to mitigate the risk in response to Tenable's claims. Google elected not to take action after determining the flaw is not severe enough to be tracked as a security issue. If you've been running the current version of MWAA since September, you're not impacted. While exploitation requires social engineering, it's still a good idea to make sure that you're on the most current MWAA to mitigate the risk.

Lee Neely