CyberWeekly 05' Oct | Issue #8
Texas Hospital ransomware attack, Ivanti Endpoint Manager vulnerability, Zimbra flaw, CUPS DDoS, US Healthcare Cybersecurity Bill, CVE-2024-29824, CVE-2024-45519, CISA

Texas Hospital Forced to Divert Ambulances Following Ransomware Attack
The University Medical Center (UMC) Health System in Lubbock, Texas, experienced a ransomware attack, causing a significant IT outage that disrupted hospital operations.
UMC is a Level 1 trauma center, which provides the highest level of trauma care in the region. Due to the outage, UMC has had to temporarily divert incoming emergency and non-emergency patients to nearby health facilities.
The diversion is critical because the nearest Level 1 trauma center is approximately 400 miles away, which could result in longer response times for severe trauma cases.
UMC stated that they are currently diverting only a few patients and have been reaching out to patients with scheduled appointments to update them on modified procedures. The attack also affected UMC Children’s Hospital, a Pediatric Level 2 Trauma Center, which hosts the region’s only verified burn center for children.
No ransomware gang has taken credit for the incident as of Monday afternoon, but several groups have announced attacks against other hospitals across the U.S., including Weiser Memorial Hospital, which last week reported significant technology outages due to what it called a “computer network event.”
US Senate Introduces Healthcare Cybersecurity Bill
Two US Senators introduced the Health Infrastructure Security and Accountability Act, which mandates that hospitals and healthcare organizations implement minimum cybersecurity standards.
The bill would require organizations to undergo annual independent audits and allocate $1.3 billion to the Department of Health and Human Services (HHS) to support these efforts. The funding aims to strengthen the cybersecurity posture of the healthcare sector, which has been heavily targeted by ransomware attacks.
The legislation applies to healthcare providers, health plans, clearinghouses, and business associates. It introduces new requirements, including mandatory stress tests and annual accountability audits. It also removes caps on fines that HHS can impose for non-compliance.
Establishing a mandatory cybersecurity baseline is a positive step, but existing frameworks such as NIST CSF, ISO 27001, and the CIS Critical Security Controls already define such a baseline and could be adopted instead of a new one. Many healthcare organizations have already implemented these frameworks and measure their compliance against them regularly.
Additionally, the creation of a separate ‘cottage industry’ for conducting annual audits could impose unnecessary costs. Allowing self-assessments, similar to the CMMC model, would keep organizations accountable without the need for external audits.
Ivanti: Known Endpoint Manager Vulnerability is Being Actively Exploited
Ivanti has updated a previously issued advisory to highlight that a critical SQL-injection vulnerability (CVE-2024-29824) in its Endpoint Manager is currently being actively exploited by attackers.
The vulnerability was initially disclosed in May 2024, and its active exploitation has been confirmed as of October 2024. The flaw allows attackers to manipulate SQL queries and access the backend database, potentially leading to unauthorized data exposure or further system compromise.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-29824 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are expected to address this vulnerability by October 23, 2024. This inclusion in the KEV catalog typically signals a high-priority patch requirement, urging organizations to act swiftly to secure their systems.
The vulnerability, affecting Ivanti Endpoint Manager up to 2022 SU5, has a CVSS score of 9.6, reflecting its severity. The issue arises from improper input sanitization in SQL commands, allowing attackers to inject their own SQL into queries run by vulnerable systems. Ivanti recommends updating to the latest version of Endpoint Manager to mitigate the flaw.
Organizations shouldn’t wait for active exploitation reports to take action. If a vulnerability is categorized as critical, like CVE-2024-29824, it should be patched immediately, regardless of whether exploitation is confirmed. The current situation is a race against time—don’t lose to a determined adversary.
Critical Zimbra Flaw in Postjournal is Being Actively Exploited
Zimbra has issued an urgent update for a critical remote code execution (RCE) vulnerability (CVE-2024-45519) in its postjournal service. The flaw is due to inadequate user input sanitization, which allows unauthenticated attackers to execute arbitrary commands on vulnerable installations.
The vulnerability is being actively exploited in the wild, prompting warnings from Computer Emergency Response Teams (CERTs) in Italy and Latvia, as well as from multiple threat researchers globally.
CVE-2024-45519 has a maximum CVSS score of 10.0, indicating its critical nature. The fix involves updating the postjournal service to the latest version or disabling it entirely if it’s not in use.
Additionally, organizations should ensure that the “mynetworks” setting is restricted to trusted hosts and networks, so that it does not grant relay or submission privileges to arbitrary sources, and apply all available Zimbra updates.
Zimbra administrators should not only patch this vulnerability but also verify that no unauthorized changes have occurred in the system as a result of the ongoing exploitation.
While the update or mitigation helps secure the environment, a thorough review of the system logs and configurations is recommended to ensure no backdoors or malicious modifications have been introduced.
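A small checker for the “mynetworks” review recommended above, added here as an example and not part of the original newsletter or of Zimbra's own tooling. It parses a Postfix-style mynetworks value (comma or space separated, IPv6 in Postfix's bracket form) and flags entries that trust the whole address space or any range outside loopback, link-local and RFC 1918 / ULA space; the sample values are constructed.

```python
import ipaddress

# Ranges a mail relay's mynetworks is normally expected to stay within
# (loopback, link-local, RFC 1918 and IPv6 ULA). Anything outside is flagged.
ALLOWED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_mynetworks(value):
    """Split a mynetworks value into ip_network objects.

    Accepts comma- or space-separated entries, bare hosts, CIDR blocks and
    Postfix's '[addr]/prefix' IPv6 form. Lookup-table references such as
    'hash:/etc/postfix/networks' cannot be resolved here and are returned
    separately so the operator knows they were not checked.
    """
    nets, unparsed = [], []
    for tok in value.replace(",", " ").split():
        if tok.startswith("["):                      # Postfix IPv6 syntax
            addr, _, prefix = tok.partition("]")
            tok = addr[1:] + prefix
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            unparsed.append(tok)
    return nets, unparsed


def is_internal(net):
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED)


def risky_entries(value):
    """Return (entry, reason) pairs for every entry that is too permissive."""
    findings = []
    nets, unparsed = parse_mynetworks(value)
    for net in nets:
        if net.prefixlen == 0:
            findings.append((str(net), "matches every address: trusts the whole internet"))
        elif not is_internal(net):
            findings.append((str(net), "outside loopback/private space"))
    for tok in unparsed:
        findings.append((tok, "lookup table or unparsable entry, review manually"))
    return findings


if __name__ == "__main__":
    # Constructed sample: 198.51.100.0/24 is a documentation range standing
    # in for a public block an admin might have pasted in by mistake.
    for entry, why in risky_entries("127.0.0.0/8 [::1]/128 0.0.0.0/0 198.51.100.0/24"):
        print(f"{entry:20} {why}")
```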
Akamai Researchers Find that CUPS Vulnerabilities Can be Exploited to Launch DDoS Attacks
Akamai researchers have discovered that multiple vulnerabilities in the Common UNIX Printing System (CUPS) can be chained together to launch distributed denial-of-service (DDoS) attacks. A single packet sent to a vulnerable CUPS service exposed to the internet is enough to trigger the chain, potentially disrupting printing services and degrading system performance.
Organizations using CUPS are advised to update their installations to the latest patched versions. If CUPS is not in use, it should be uninstalled to completely remove any vulnerable code from the system. For those actively using CUPS, careful consideration should be given to how TCP and UDP Port 631 (Internet Printing Protocol) is exposed and configured.
The CUPS vulnerability disclosure is not new. Security researcher Simone Margaritelli has been trying for months to get the CUPS developers to acknowledge the risks associated with these vulnerabilities.
Simply disabling CUPS is not enough if you are not actively using it. Uninstalling the service will ensure that the vulnerable code is removed and attackers cannot exploit it in any way. If CUPS is necessary, limiting its exposure to the internet and ensuring only authorized devices can access the service will mitigate many potential risks.
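To support the port 631 exposure review recommended above, here is an added example (not from the newsletter or the CUPS project) that classifies the Listen and Port directives in a cupsd.conf: a Unix socket or loopback bind is local-only, while Port N, Listen *:N, or a bind to a routable address exposes the service. The cupsd.conf fragment is a constructed sample.

```python
SAMPLE_CUPSD_CONF = """\
# constructed sample cupsd.conf fragment
LogLevel warn
Listen localhost:631
Listen /run/cups/cups.sock
Listen *:631
Port 631
Listen [::1]:631
Listen 192.0.2.10:631
Browsing On
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def classify_listen(value):
    """Map a Listen argument to 'socket', 'loopback', 'all-interfaces' or 'address:<host>'."""
    if value.startswith("/"):                 # Unix domain socket, local only
        return "socket"
    if value.startswith("["):                 # [ipv6]:port
        host = value[1:value.index("]")]
    else:                                     # host:port or bare host
        host = value.rsplit(":", 1)[0] if ":" in value else value
    if host in ("*", "0.0.0.0", "::", ""):
        return "all-interfaces"
    if host in LOOPBACK_HOSTS:
        return "loopback"
    return f"address:{host}"


def listen_exposure(conf_text):
    """Return (directive, exposure) for every Listen/Port directive in cupsd.conf."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "port":                     # Port N binds every interface
            findings.append((line, "all-interfaces"))
        elif key == "listen":
            findings.append((line, classify_listen(value)))
    return findings


def exposed_directives(conf_text):
    """Directives that make cupsd reachable beyond the local host."""
    return [d for d, e in listen_exposure(conf_text) if e not in ("socket", "loopback")]
```

Run it against the live file with `exposed_directives(open("/etc/cups/cupsd.conf").read())`; any result other than an empty list deserves a firewall rule or a loopback-only Listen.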
Sponsored
Introduction to Bug Hunting in Games: Our adventure with FreeDroid RPG began when we were perusing the National Vulnerability Database (NVD) for video game-related bugs and discovered two CVEs from 2020 related to this game: CVE-2020-14938 and CVE-2020-14939. Both CVEs involved ways to maliciously manipulate the save game data—each fascinating in their own right. As we looked into the technical details of this original research from LogicalTrust, we noticed anomalies in the patches that were meant to address these vulnerabilities, sparking a deeper investigation. Link: https://guidedhacking.com/threads/bug-hunting-in-video-games.20472/
Without our sponsors and partners, hacklido wouldn't be where it is now, so we would like to thank them.
Sponsors:
Community Partners:
Would you like to sponsor or partner with hacklido and benefit from it? Reach out to us via email@hacklido.com to discuss it with us!