Iranian Threat Actors Use Password Spraying And MFA Push-Bombing To Hack Organizations In Critical Sectors

October 17, 2024October 22, 2024 Wyatt Cyber Security and Cyber Crime, Data Privacy & Security Brute Force Credential Access, CISA Cybersecurity Advisory, Cyber Security, cybersecurity, Iranian Cyber Threat Actors, MFA, MFA fatigue, password spraying MFA push-bombing, security, technology

Written by: Kathie McDonald-McClure

On October 16, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”) and the National Security Agency (“NSA”) issued a Joint Cybersecurity Advisory warning that threat actors from Iran are using “password spraying” and Multi-Factor Authentication (MFA) “push-bombing” (also called “MFA fatigue”) to gain access to organization networks and web-based applications in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

With password spraying, the threat actor creates a list of usernames and then tries to login to each account with a single commonly used password. If the attempt fails, the attacker moves on to a different common password and tries again until they get a hit. Even with MFA, using a strong password in the first instance can impede a threat actor’s further attempts to gain access via MFA push-bombing.

With MFA push-bombing, the threat actor sends a legitimate user’s smartphone a large number of MFA push-notifications, hoping that the user will click on one to stop the barrage. Once the threat actor gains access to an account, they frequently register their devices with MFA to enable persistent access to the environment via a valid account.

The use of MFA push-notifications to a smartphone in the absence of a second form of authentication (e.g., entering a code in an Authenticator app) is particularly vulnerable to the use of brute force and credential access. Does your network or any of your web-based applications rely solely on a push notification to gain access? Specifically, if access to your network or a web-based application can be gained by a mere click on a link in a SMS or email message, or by answering a call to a mobile device and there is no second method of authentication before permitting access, talk to your IT team or the vendor of the web-based application about strengthening the authentication method.

Regularly review your password policy to ensure it is up-to-date with best practices. Ensure users in your organization are educated on the password policy. Also, educate permitted users on the network and web-based applications on the techniques used by threat actors to gain access via weak and reused passwords. Ensure users understand the criticality of denying MFA push-notification requests that they did not generate.

Talk to your IT team today regarding the Joint Cybersecurity Advisory on the threats to weak passwords and MFA methods. As recommended in the Advisory, implement exercises, tests and validate your organization’s security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the Advisory (e.g., Modify Authentication Process: MFA and MFA Request Generation).

We regularly work with clients to assist in preparing or updating applicable IT information security policies and procedures. Learn more about Wyatt’s data privacy and cyber security practice by visiting the Wyatt Data Privacy & Cyber Security webpage.

CMS Issues Updated Guidance on Texting Patient Orders

February 22, 2024June 11, 2024 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology, HIPAA, Privacy & Security computerized provider order entry, Cyber Security, data security, EHR, Health IT, healthcare, HHS CMS, HIPAA, Joint Commission, Medicare CoPs, technology

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information.

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.

HHS and American Hospital Association Alert Providers to Act Now on “Citrix Bleed” Vulnerability

December 7, 2023December 11, 2023 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Health Information Technology Citrix Bleed, critical infrastructure, cyber threats, cybersecurity, hacking, healthcare sector, HIPAA Security Rule, ransomware, technology

The United States Health & Human Services Department (HHS) Health Sector Cybersecurity Coordination Center (HH3) issued an HH3 Sector Alert for a software vulnerability dubbed the “Citrix Bleed“. The HH3 Alert advises on a Citrix security advisory regarding a zero-day vulnerability that impacts the NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (fomerly Citrix Gateway). The HH3 Alert, issued on November 30, 2023, urges healthcare organizations to upgrade their devices to prevent damage to the health sector from cyber attacks, including ransomware.

Per the HH3 Alert, even if the patch that Citrix released for this vulnerability was implemented, Citrix warns that compromised sessions will still be active after the patch is implemented. Organizations should follow the Citrix guidance to upgrade devices and remove any active or persistent sessions with the commands listed in the Alert.

On December 1, 2023, the American Hospital Association (AHA) similarly alerted its members about the Citrix Bleed issuing its own alert titled, “Urgent: Hospital Action Needed to Protect Against ‘Citrix Bleed’ Threat.” AHA also published the following article the same day: “HHS-HC3 calls for immediate hospital action to protect against ‘Citrix Bleed’ vulnerability and ransomware threat.”

In its weekly Medicare MLN Connects news on December 7, 2023, the Centers for Medicare and Medicaid Services (CMS) asks providers to make sure their IT department reads the information and takes necessary action. Providers also should share the HH3 Alert with their network clearinghouse and vendors.

Relatedly, on December 6, 2023, CNN reported that HHS shared exclusively with CNN a plan focused on getting more money and training to small and rural health care providers who lack dedicated cybersecurity staff. CNN reported that Biden administration officials “have long been concerned that software providers continue to sell insecure products that hackers are too easily able to exploit.” Click here to read the full CNN article, titled “US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances,” by Sean Lyngass.

Looking for assistance with your organization’s data security policies? We work with clients and their IT team in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threats environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Right and FTC. Information security policies also aide organizations in meeting other legal requirements and expections, e.g., contractual, cyber insurance underwriting, consumer, and other third-parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526

FTC Enforcement Action Against Company and CEO Provides Roadmap for Reasonable Data Security Measures

November 8, 2022November 9, 2022 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement account credentials, consumer privacy and security, FTC Act Section 5, FTC enforcement action, multi-factor authentication, passwords

Company’s Security Failures Exposed Data of 2.5 Million Consumers

By Kathie McDonald-McClure

On October 24, 2022, the Federal Trade Commission (FTC) announced enforcement action against Drizly, an online alcohol marketplace and subsidiary of Uber, and the Drizly CEO, over allegations that Drizly and the CEO failed to implement safeguards to prevent unauthorized access to consumer data stored on the Amazon Relational Database Service (Amazon RDS) that Drizly used to host its online marketplace platform. The FTC said that Drizly and its CEO were alerted to a security issue two years before the breach yet failed to take appropriate responsive action to secure personal information of consumers stored on Drizly’s Amazon RDS.

Employee posted company account login information on GitHub contributing to 2018 and 2020 security breaches. In 2018, a Drizly employee posted company cloud computing account login information on GitHub. GitHub is a free, online software development and hosting platform used for storing, tracking and collaborating on software projects. Drizly uses GitHub not only to manage and support its e-commerce website, but also to store spreadsheets, data sets, and repositories of past company data and projects.

The GitHub repositories included the AWS credentials used to access Drizly’s production environment. This security lapse allowed hackers to use Drizly’s servers to mine cryptocurrency in 2018. Upon discovering this, Drizly changed the login information for its cloud computing account and publicly claimed that it used adequate data security protections. Its website privacy policy stated: “We use standard security practices such as encryption and firewalls to protect the information we collect from you.”

Company employee is allowed access to GitHub repositories for a hackathon, using compromised credentials. According to the FTC complaint, in 2020 the company granted a company executive access to the GitHub repositories in order to participate in a one-day hackathon. The company failed to terminate the executive’s access after the event was over. At the time of granting such access, Drizly had not required unique and complex passwords nor multifactor authentication for access to the GitHub repositories. As a result, the executive had used a seven-character, alphanumeric password that he had used for other personal accounts and that was the subject of an unrelated data breach. The hacker used the executive’s compromised password to gain access to his GitHub account and to then access the company’s AWS and database credentials stored in the repositories. Ultimately, the hacker located the customer information stored on the company databases and put the information up for sale on two publicly available websites on the dark web.

Large volume of nonpublic, personal information was accessed by hacker. The FTC said Drizly’s security failures led to a breach of the personal information of about 2.5 million consumers. The personal information includes data collected from consumers who visited or placed e-commerce orders on the platform, such as name, age, email address, postal address, phone numbers, unique device identifiers, order histories, partial payment information, geolocation information, as well as personal information automatically collected from consumer computers and mobile devices by the website’s data collection tools.

In addition, the personal information included consumer data that Drizly purchased from third parties such as income level, marital status, gender, ethnicity, existence of children, and home value. The Drizly databases also contained consumer account passwords that were hashed using MD5 which the FTC said is “cryptographically broken and widely considered insecure.”

The FTC complaint provides a roadmap for minimum reasonable data security measures. The FTC complaint alleges that Drizly failed to implement “reasonable information security practices” to protect consumers’ personal information. These reasonable security practices include:

Continue reading →

CISA Discourages Use of App-Based, SMS and Voice MFAs and Encourages Phishing-Resistant MFAs

November 3, 2022November 4, 2022 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security CISA, IT data security policies, MFA, MFA fatigue and push bombing, multi-factor authentication, phishing, SIM swapping, SS7 protocol vulnerabily

Cyber Threat Actors Are Breaking the Security of Commonly Used MFAs

By: Kathie McDonald-McClure

A best practice in securing sensitive data is to deploy Multi-Factor Authentication (MFA) to prevent access by unauthorized users to internet-connected sources for such data. MFA requires authorized users to present a combination of two or more different authenticators (something you know, you have, or you are) to verify identity prior to access. MFA makes it more difficult for unauthorized users to gain access to servers and applications. For example, if one factor, such as a PIN, becomes compromised, the unauthorized user cannot gain access if they do not have the second factor, such as a mobile token or fingerprint.

Cyber security experts recommend MFA for all internet-facing applications with access to sensitive information. Such applications include remote desktop, Virtual Private Networks (VPNs), email accounts, financial and accounting software, file sharing and document management platforms, CRM, just to name a few.

Demonstrated compromises in commonly used MFAs prompts CISA to issue guidance. On October 31, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication. The CISA Guidance includes two Fact Sheets. One Fact Sheet, Implementing Phishing-Resistant MFA, describes the methods cyber threat actors are using to gain access to MFA credentials. These methods include phishing emails and malicious websites, MFA fatigue, exploitation of SS7 protocol vulnerabilities, and SIM swapping. This CISA Fact Sheet identifies App-Based MFA and SMS or Voice MFA as being particularly vulnerable to these methods of stealing MFA credentials.

CISA strongly encourages organizations currently using App-Based, SMS or Voice MFA to migrate to a Phishing-Resistant MFA for as many applications as is feasible. CISA indicates that the currently available Phishing-Resistant MFA options are limited to FIDO/WebAuthn (included in most major browsers) and the PKI-based MFA (smart cards used with SSO technologies). App-Based MFAs verify the identity of users either by generating a one-time password (OTP) or sending a “push” pop-up notification to the mobile application. SMS and Voice MFAs send a code to the user’s phone or email. The user then retrieves this second factor code from their text or email to use for login authentication. CISA says that SMS and Voice MFA should only be used as a last resort.

CISA acknowledges there are several stumbling blocks to the deployment of Phishing-Resistant MFAs. These include the lack of support for it in the organization’s existing systems and products, difficulty in deploying it to all staff members at once, and upper management concerns that users will resist the migration. Nevertheless, CISA recommends that the organization’s IT leadership prioritize the migration to Phishing-Resistant MFA in logical phases focusing on the technologies at highest risk, such as email systems, file servers, and remote access systems, and the users who are high-value targets, such as system administrators, attorneys, HR staff, and others with access to sensitive data.

What if your organization uses mobile push-notification based MFA and migration to Phishing-Resistant MFA is not feasible? CISA recommends using “number matching” in the MFA application to mitigate MFA fatigue. CISA says, “MFA fatigue, also known as ‘push bombing,’ occurs when a cyber threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications.” Refer to the CISA Fact Sheet titled, Implementing Number Matching in MFA Applications, for guidance on how to enable “number matching” on MFA configurations to prevent MFA fatigue.

So why is a lawyer writing this technical piece? We assist clients proactively to prevent security breaches and reactively after a security incident in the preparation or revision of IT data security policies and procedures necessary to meet regulatory, contractual, cyber insurance underwriting, and other third-party expectations. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and security practice, visit Data Privacy and Cyber Security.

If you need additional information, please contact:

Kathie McDonald-McClure

Phone: 502.562.7526

Email: kmcclure@wyattfirm.com