At a glance.
- Email platform bug allows for theft of clear-text credentials.
- Update on the Kaiser Permanente breach.
- Arizona hospital suffers ransomware attack.
Email platform bug allows for theft of clear-text credentials.
The researchers at SonarSource detail a newly detected vulnerability in the enterprise-level email solution Zimbra that could allow an attacker to steal user login credentials. Similar to Microsoft Exchange, Zimbra is used by the employees of 200,000 businesses, universities, financial firms, and government institutions to send and receive emails. If exploited, this Memcache Injection bug would allow an unauthenticated intruder to steal cleartext credentials from a Zimbra instance without any user interaction. One technique would require the attacker to know the email address of the victim, which is not difficult given that many companies rely on a basic pattern using the employee’s name or initials. The second strategy would require the attacker to exploit “Response Smuggling,” the act of transferring HTTP responses from a server to a client through an intermediary HTTP device, to bypass the restriction imposed by the first strategy.
Erich Kron, security awareness advocate at KnowBe4, wrote to put the risk in the larger context of business email compromise:
“In a time when Business Email Compromise (a.k.a. CEO Fraud) attacks have become a multi-billion dollar industry, any vulnerability that can provide access to an email account and associated credentials is worth being concerned about. A compromised legitimate email account can be used to spread malware throughout an organization much more effectively than a spoofed account can, by bypassing external filters, and even gives the attackers access to previous conversations that can be used to lure victims into a false sense of trust.
"In addition to the risk posed by sending attacks through a compromised account, email is the mechanism that we use to reset passwords for many of our other web services and accounts, making it an easy way to take over those accounts as well.
"To add to the concerns of a compromised account, it is common knowledge that people often reuse the same passwords in multiple places, giving the attackers an opportunity to take over accounts that are not related to the email, by simply trying the stolen credentials on other websites.
"To protect against this, organizations should consider requiring Multi-Factor Authentication (MFA) on all sensitive accounts and should ensure that employees are educated about the dangers of password reuse and of using simple passwords.”
Update on the Kaiser Permanente breach.
As we noted yesterday, US managed care consortium Kaiser Permanente disclosed an April employee email breach that exposed the personal medical information of nearly 70,000 of its patients. It is still unclear exactly how an unauthorized party gained access to the emails, but Gizmodo reports that Kaiser’s filing with the Department of Health and Human Services categorizes the breach as a “Hacking/IT Incident.” Kaiser, the largest hospital system in the state of California, stated in an email to customers, “We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.”
Arizona hospital suffers ransomware attack.
In other healthcare data breach news, Yuma Regional Medical Center (YRMC), a non-profit hospital facility in the US state of Arizona, has begun informing patients that the center experienced a ransomware attack. JDSupra explains that the breach was first detected when employees noticed some of the center’s systems were not functioning properly. YRMC responded by taking the systems offline and arranging an investigation with a third-party forensics firm. The acute care facility sent approximately 700,000 notification letters to impacted parties, informing them that the hospital will continue assisting patients through “established back-up processes and other downtime procedures” while it works to get the systems back online.
Several industry experts wrote to share their reactions to the incident in Arizona. Tim Prendergast, CEO of strongDM, noted the importance of access to successful crime. "Virtually every major security challenge from ransomware to insider threats requires one core element: access. While much has been done to address physical security and application access, there is one glaring vulnerability: infrastructure access. This gap is critical, as getting access to infrastructure is the equivalent of getting the keys to the kingdom - as the ransomware incident at Yuma Regional Medical Center illustrates. With no centralized approach to managing access across databases, servers, cloud service providers, or even newer tools like Kubernetes, CISOs will need to evaluate how they can ensure high standards of security, while not impacting existing access management processes that are already overbearing for these technologies."
Neil Jones, director of cybersecurity evangelism at Egnyte, took the occasion as an opportunity to argue for redoubled security. "The recent data breach at Yuma Regional Medical Center in Arizona spotlights the need for comprehensive ransomware detection, data security and suspicious log-in capabilities," he wrote. "According to published reports, the organization took effective action upon detection, which indicates that a meaningful incident response plan was in place. However, the affected files included sensitive information, in particular Social Security numbers. The recent convergence of Personally Identifiable Information (PII) and Protected Health Information (PHI) has made it even more important for companies to put additional safeguards in place for highly-confidential data like worker’s compensation reports, employees' and patients' health records and confidential test results, such as COVID-19 notifications.”
Danny Lopez, CEO of Glasswall, found the incident troubling. "Organisations need to adopt robust processes for protecting sensitive information. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach," he wrote. "Attacks like these caused by illegal access demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside."
Arti Raman, CEO and Founder of Titaniam, sees a lesson on the importance of encryption. “In the recent ransomware database attack on Yuma Regional Medical Center, bad actors were able to access and steal over 700,000 patients' personally identifiable information. To minimize the risk of potential extortion and minimize lost clear text data, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is recommended," she wrote. "Utilizing data-in-use encryption technology provides unmatched immunity. Should adversaries break through perimeter security infrastructure and access measures, data-in-use encryption keeps the PII encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”