The Healthcare Cybersecurity and Communications Integration Center (HCCIC) released a statement warning healthcare organizations about further Microsoft vulnerabilities related to how WannaCry spread late last month, potentially impacting health IT security.
The statement specified vulnerabilities in the Windows operating system, and a threat the Department of Homeland Security (DHS) called “Hidden Cobra.”
The report warned that the wide range of vulnerabilities from “Hidden Cobra” cannot be fully prevented by simply installing Microsoft patches. DHS stated that healthcare and public health sector systems and devices are possible targets for this cyber-attack.
“These vulnerabilities allow an attacker to remotely run programs or attacks on systems,” HCCIC stated. “This could allow an attacker to perform a wide range of actions including exfiltrating documents or data, or gain access to other internal systems via the local network once initial access is gained.”
“Hidden Cobra” has been active since 2009 and has targeted a variety of systems, with attacks resulting in denial-of-service (DoS) conditions and data loss. “Hidden Cobra” cyberattacks can cause temporary or permanent loss of data, disruption of regular operations, financial losses when files or systems need to be restored, and harm to an organization’s reputation.
“If users or administrators detect the custom tools indicative of ‘Hidden Cobra’, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,” DHS stated.
“This alert identifies IP addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the malware and associated malware signatures,” the agency continued. “DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network. FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation.”
“Hidden Cobra” is known to use vulnerabilities affecting various applications. These vulnerabilities include:
- CVE-2015-6585: Hangul Word Processor Vulnerability
- CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
- CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
- CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
- CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability
DHS recommended that organizations upgrade each of these applications to their latest version and make sure that all patches are up to date. They added that any of the listed applications that are no longer used should be removed immediately.
DHS also advised that organizations should:
- Patch applications and operating systems
- Use application whitelisting
- Restrict administration privileges
- Segment networks and segregate them into security zones
- Validate input
- Use stringent file reputation settings
- Understand firewalls
Microsoft released additional critical security updates last week in response to these vulnerabilities for current and older platforms. Last month in response to WannaCry, Microsoft released patches for legacy platforms and OSes so the organizations running them could protect their network infrastructure against the malware attack.
“Our security teams actively monitor for emerging threats to help us prioritize and take appropriate action,” Microsoft stated. “We are committed to ensuring our customers are protected against these potential attacks and we recommend those on older platforms, such as Windows XP, prioritize downloading and applying these critical updates, which can be found in the Download Center (or alternatively in the Update Catalog).”
Microsoft systems need to be patched to protect IT infrastructure against the Server Message Block (SMB) vulnerabilities that were exploited in the WannaCry attack. Unpatched systems are also vulnerable to malicious code delivered via shared drives, where malware is disguised as common icons and shortcuts; the malware executes without the user clicking on the link file.
Affected Microsoft systems included: Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows 8.1 RT, Windows Server 2012 R2, Windows 10, Windows Server 2016, Windows XP, Windows Vista, Windows 8, Windows Server 2003, and Windows Server 2003 R2.
Healthcare organizations continue to be threatened by malware and need to ensure that all applications and programs are patched and up-to-date. Cyberattacks often come through unpatched vulnerabilities, and it is well within an organization’s power to prevent many of these attacks.