Clearwater delivers a monthly Cyber Briefing to leaders across the healthcare ecosystem—this live information session features a threat intel update and a deeper dive into topics affecting healthcare organizations, like managing vendor risk, improving board engagement, hybrid resiliency, and much more.
The Clearwater team keeps a constant pulse on new and emerging threats, patches, and cyber-related news—we asked Clearwater’s CISO, Steve Akers, to share some helpful resources for leaders and summarize his reaction to the cyber resources, news, and updates from the last few weeks; here are Steve’s notes for June 2023.
To sum up the reactions to the last two weeks of cyber news that lingered with me, they would be ‘a welcomed resource,’ ‘of course another hot target gets exploited,’ and, for the last one, utter ‘surprise.’
I’m referring to the following items:
CISA Guide to Securing Remote Access Software – A Welcomed Resource
This is a comprehensive guide that covers all sizes of organizations and addresses the Information Technology (IT) and Operational Technology (OT) need for remote access and monitoring software. Remote access software and tools offer a diverse range of capabilities that empower organizations to maintain and enhance their IT infrastructure, operational technology, and industrial control systems. By enabling remote oversight of networks, computers, and other devices, these solutions provide a proactive and flexible approach to managing and optimizing organizational resources. In this blog post, we delve into the world of remote access software, including remote administration solutions and remote monitoring and management (RMM), to understand their potential to revolutionize the way managed service providers (MSPs), software-as-a-service (SaaS) providers, IT help desks, and network administrators operate. In other words, there must be a greater focus on the security and use of these tools.
Legitimate remote monitoring and management (RMM) software is also being leveraged by adversaries. Cisco Talos IR Q4 2022 report noted:
Adversaries increasingly rely on the Syncro remote management and monitoring (RMM) tool used in nearly 30 percent of engagements, a significant increase compared to previous quarters. Syncro is a commercially available RMM solution that advertises remote desktop access, remote registry editor, remote event viewer, and more.
This guide does a good job of detailing what is needed to prevent this legitimate software from being used in unauthorized ways. That includes the self-contained portable executables a phishing campaign could deploy, which run without needing system admin privileges. The guidance draws on this earlier event:
Hackers don’t need a key to get past your defenses if they can essentially teleport using RMMs, warn CISA and the NSA.
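As an added illustration of the guide's point (example code, not Clearwater's or CISA's), here is a small allowlist check over constructed process-creation events that flags an RMM tool running as a portable copy from a user-writable path, an RMM tool that was never approved, or an approved agent launched by a mail client or browser; the tool names, install paths and parent-process names are assumptions, not vendor defaults.

```python
# Added example (not Clearwater's or CISA's code): flag RMM executables running outside
# their sanctioned footprint. Tool names, paths, parents and events are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed allowlist: approved RMM agents and the directory the managed
# install is expected to live in (assumed paths, not vendor defaults).
APPROVED_RMM = {
    "syncro.exe": r"C:\Program Files\RepairTech\Syncro",
    "screenconnect.client.exe": r"C:\Program Files (x86)\ScreenConnect Client",
}
# Remote-access tools worth a finding whether or not they are approved (constructed).
KNOWN_RMM = set(APPROVED_RMM) | {"anydesk.exe", "atera.exe", "teamviewer.exe"}
# Path fragments typical of a portable copy dropped by a user or a phishing lure.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
MAIL_OR_BROWSER = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class ProcEvent:
    host: str
    image: str    # full path of the started executable
    parent: str   # image name of the parent process

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for an RMM-related event, or None if it looks benign."""
    path = PureWindowsPath(ev.image)
    name = path.name.lower()
    if name not in KNOWN_RMM:
        return None
    if name not in APPROVED_RMM:
        return "unapproved-rmm"
    if PureWindowsPath(APPROVED_RMM[name]) in path.parents:
        # Managed install; still worth a look if a mail client or browser launched it.
        return "approved-rmm-from-mail-or-browser" if ev.parent.lower() in MAIL_OR_BROWSER else None
    if any(frag in str(path).lower() for frag in USER_WRITABLE):
        return "approved-rmm-portable-copy"   # self-contained binary, never installed
    return "approved-rmm-unexpected-path"

# Constructed sample process-creation events, not real telemetry.
SAMPLE = [
    ProcEvent("ws01", r"C:\Program Files\RepairTech\Syncro\Syncro.exe", "services.exe"),
    ProcEvent("ws02", r"C:\Users\asmith\Downloads\Syncro.exe", "outlook.exe"),
    ProcEvent("ws03", r"C:\Users\bkim\AppData\Local\Temp\AnyDesk.exe", "chrome.exe"),
    ProcEvent("ws04", r"C:\Windows\System32\svchost.exe", "services.exe"),
]

def findings(events=SAMPLE) -> List[Tuple[str, str]]:
    return [(ev.host, label) for ev in events if (label := classify(ev))]
```

The same check answers the later question about whether security orchestration can spot anomalous use of legitimate software: feed it the endpoint's process-creation telemetry and alert on any non-empty result.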
HC3 Sector Alert on MOVEit Transfer Software – Of Course, Another Hot Target Gets Exploited
The nature of the exploitation bears similarities to previous incidents, such as the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the exploitation of Accellion FTA servers in December 2020. And the largest was in 2020 when over 18,000 SolarWinds customers installed the malicious updates, with the malware spreading undetected.
This current incident involved unauthorized access to and data exfiltration from MOVEit managed file transfer platforms, which the Clop ransomware gang subsequently exploited for data theft and extortion.
Analysis has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular flaw in April 2022 and as far back as July 2021.
Barracuda ESG Replacement Guidance – Utter Surprise
What happens when you have been prepared to patch, maintain, and monitor your security tools, like the Barracuda Email Security Gateway (ESG), but the vendor now recommends a full replacement? This is a real concern when organizations rely on these tools to function and to protect the organization, then out of the blue are told to abandon them.
Based on these notes, there are some fundamental questions all organizations should be asking:
- Do I have a business impact plan for when or if my security tools themselves need to be patched, paused until a patch is available, or, worse, immediately replaced?
- Is my security orchestration able to detect anomalous activity, traffic, or data loads associated with legitimate software in my environment?
- Does the organization have a way to collate alerts and security notifications from the critical vendors utilized in their organization?
- Do I have access to industry-specific critical warnings and have the resources to act upon them in a timely manner?
If any of these answers concern you, the Clearwater team is ready to help you address continuous threat chaos. vCISO services, Managed Security Services, and our ClearAdvantage managed services program are designed to help you enable the right security, compliance, and resiliency that fits your needs. Contact us if you would like to review how to address any of these threats or others that are targeting your organization.