A Month In Breaches: May

Cyber breaches and attacks are discovered in the month of May.

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends. We see an array of attacks launched globally for the month of May.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening on the expansive and scary internet.

The Biggest Cyberattack in New Zealand’s History   

Another month, another story of a devastating ransomware campaign. This month New Zealand, Ireland and Canada have all had their health sector targeted with many other countries including Australia likely to join them soon.

New Zealand’s Waikato district health board (DHB) has been attacked with ransomware in an event that is being called one of the “biggest cyberattack[s] in New Zealand’s history”. Twenty per cent of elective surgeries and outpatient clinic appointments have likely been cancelled in a single week as the DHB continues to struggle for multiple weeks to recover from the incident. Staff were forced to work from hard copy documents to continue to serve their patients, while the systems around them, including payroll, continued to fail.

The most concerning issue for many patients however is the possibility of their personal information being exposed. New Zealand reporters have claimed to have been contacted by an attacker claiming responsibility for the incident, who provided intimate details on exposed records as proof. At the time of writing this summary, however, patients’ fear has not been quelled with the head of the health board Kevin Snee stating “there’s a real threat some people’s personal information may have been breached as a result of the cyberattack”. No official statement with specific details has been provided at this time.

Every month there is another major story about a successful, devastating ransomware campaign and the reason for this is because it only takes a couple of small mistakes to become the next victim. The good news is that proactive steps can be taken to significantly reduce the risk of being attacked. These include:

  • Ensuring that all employees are up to date in the latest phishing and vishing awareness training.
  • Developing controls around the permissibility of employees installing unknown executables and applications onto their devices.
  • Meticulously backing up all mission-critical systems, including the creation of regular hot and cold backups.
  • Regularly and promptly updating all systems in the organization when a new patch is released by all vendors.
  • Maintaining strong network security practices, including network segmentation and restricting the external endpoints to the absolute minimum amount required.

In the case of a successful attack, do not panic. Isolate the affected system from the network to prevent further infection and keep the device running. Then contact the appropriate authorities (including CTRL Group) for further analysis and triage. If backups have been properly maintained and cold storage is adequately protected, a business can promptly recover from a devastating incident.

 

VMWare Patched a 9.8 Severity Bug (CVE-2021-21985) 

VMware patched a critical bug impacting its vCenter Server platform with a severity rating of 9.8 out of 10. The company said the flaw could allow a remote attacker to exploit its products and take control of a company’s affected system. In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why VMWare strongly recommend patching as soon as possible.

The vulnerability impacts vCenter Server platforms, which is in widespread use and used to administer VMware’s vSphere and ESXi host products. All an attacker would need to do is be able to access the vCenter Server over port 443. Even if an organisation has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network.

Many organisations use VMWare products for their virtual environment and CTRL Group’s clients are no exception. With every vulnerability, the most important step is to patch the systems as soon as they are made available. CTRL Group highly recommends mitigating the risk around this bug by updating to the latest security patch.

 

More Ransomware Attacks Involved Threat to Leak Exfiltrated Data 

Hewlett Packard Enterprise (HPE) has fixed a critical zero-day remote code execution (RCE) flaw in its HPE Systems Insight Manager (SIM) software for Windows that it originally disclosed in December. HPE SIM is a tool that allows remote support automation solutions for multiple HPE solutions, including servers, storage, and networking products.

The vulnerability is tracked as CVE-2020-7200 and it affects HPE Systems Insight Manager (SIM) 7.6.x and rated as a critical severity 9.8 out of 10 security flaw that allows attackers without privileges to exploit it as part of low complexity attacks that don’t require user interaction. The lack of proper validation of user-supplied data can lead to the deserialization of untrusted data, enabling attackers to execute code on servers running vulnerable SIM software.

HPE has released a software update to resolve the vulnerability.

  • Hotfix Update Kit for HPE Systems Insight Manager 7.6
    • Version:1 (rev.1) – 16 December 2020 Initial release
    • Version:2 (rev.2) – 21 January 2021 Update corrected CVSS v2 score to reflect Authentication as none for CVSS v2, CVSS v3 is unchanged
    • Version:3 (rev.3) – 26 May 2021 HPE SIM released with fix for remote code execution

For those who can’t immediately deploy the CVE-2020-7200 security update on vulnerable systems, there is a workaround. However, HPE SIM users will no longer be able to use the federated search feature after using the workaround.

  1. Stop HPE SIM Service
  2. Delete <C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war> file from sim installed path del /Q /F C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\simsearch.war
  3. Restart the HPE SIM Service
  4. Wait for HPE SIM web page “https://sim_ip:50000/” to be accessible and execute the following command-from-command prompt: mxtool -r -f tools\multi-cms-search.xml 1>nul 2>nul

 

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS,  Jae, Jake & Manharsh.