Welcome to the January 2025 MEDITECH Customer Security Newsletter, where we provide you with information and resources to give you insight on security challenges facing your organization and the healthcare community as a whole. Here we endeavor to provide some good information to help you improve your organization's security posture. This data has been gleaned from the review of public records on file with CISA, H-ISAC and Health Sector Cybersecurity Coordination Center (HC3) alerts. Please note the Talk To Us section, as we would like to tailor future editions of the newsletter to address specific concerns.
Known Exploited Vulnerabilities
From November 1, 2024 until the writing of this bulletin, thirty-six known exploited vulnerabilities have been added to CISA's list. They are CVE-2014-2120, CVE-2018-14933, CVE-2019-11001, CVE-2019-16278, CVE-2021-26086, CVE-2021-40407, CVE-2021-41277, CVE-2021-44207, CVE-2022-23227, CVE-2023-45727, CVE-2024-0012, CVE-2024-1212, CVE-2024-5910, CVE-2024-8956, CVE-2024-8957, CVE-2024-9463, CVE-2024-9465, CVE-2024-9474, CVE-2024-11667, CVE-2024-11680, CVE-2024-12356, CVE-2024-20767, CVE-2024-21287, CVE-2023-28461, CVE-2024-35250, CVE-2024-38812, CVE-2024-38813, CVE-2024-43093, CVE-2024-43451, CVE-2024-44308, CVE-2024-44309, CVE-2024-49039, CVE-2024-49138, CVE-2024-51378, CVE-2024-51567, and CVE-2024-55956.
All of these additions are based on evidence of active exploitation. Vulnerabilities of this kind are a frequent attack vector for malicious cyber actors and pose significant risk. In the catalog, the CVEs are listed most-recently-added first by default, and the list can be sorted and filtered using the provided controls. This list was most recently reviewed on December 30, 2024.
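Reviewing the catalog by hand each month does not scale, and the useful question for a hospital is not "what was added" but "what was added that we actually run, and is its remediation date already past". The script below is an added example, not MEDITECH's or CISA's code: it takes a catalog in the shape of CISA's downloadable KEV JSON feed, keeps the entries added in a date window, matches them against a vendor/product asset inventory, and flags the matches whose due date has passed. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are assumed from the feed's published format; the catalog and inventory embedded here are constructed samples, and the dates attached to the CVE IDs are made up for illustration rather than the real catalog dates.

```python
"""Triage a CISA KEV-style catalog against a local asset inventory (added example)."""
import json
from datetime import date

# Constructed sample catalog in the shape of the CISA KEV JSON feed. Field names are
# assumed from the feed's published format; every value is made up for illustration
# and does not record the real dateAdded/dueDate of these entries.
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample catalog",
  "vulnerabilities": [
    {"cveID": "CVE-2024-38812", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2024-11-20", "dueDate": "2024-12-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-49138", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2024-12-10", "dueDate": "2024-12-31", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-11680", "vendorProject": "ProjectSend", "product": "ProjectSend",
     "dateAdded": "2024-12-03", "dueDate": "2024-12-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dateAdded": "2024-09-15", "dueDate": "2024-10-06", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed asset inventory: (vendor, product) pairs the organization runs.
INVENTORY = {("VMware", "vCenter Server"), ("Microsoft", "Windows")}


def parse_catalog(text):
    """Return the list of vulnerability entries from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def added_between(entries, start, end):
    """Entries whose dateAdded falls within [start, end], newest first (the catalog's default order)."""
    kept = [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]
    return sorted(kept, key=lambda e: e["dateAdded"], reverse=True)


def match_inventory(entries, inventory):
    """Keep only entries whose vendor/product pair appears in the local inventory."""
    return [e for e in entries if (e["vendorProject"], e["product"]) in inventory]


def overdue(entries, today):
    """CVE IDs whose KEV dueDate is strictly before today."""
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today]


def triage(catalog_text, start_iso, end_iso, today_iso, inventory=INVENTORY):
    """Summarize what was added in the window, what of it we run, and what is past due."""
    start, end, today = (date.fromisoformat(s) for s in (start_iso, end_iso, today_iso))
    recent = added_between(parse_catalog(catalog_text), start, end)
    hits = match_inventory(recent, inventory)
    return {
        "recent_ids": [e["cveID"] for e in recent],
        "in_inventory": [e["cveID"] for e in hits],
        "ransomware_linked": [e["cveID"] for e in hits if e["knownRansomwareCampaignUse"] == "Known"],
        "past_due": overdue(hits, today),
    }


if __name__ == "__main__":
    # Window used by this newsletter: November 1, 2024 through the December 30, 2024 review.
    print(json.dumps(triage(SAMPLE_KEV_JSON, "2024-11-01", "2024-12-30", "2024-12-30"), indent=2))
```

Against the real feed you would replace SAMPLE_KEV_JSON with the downloaded catalog and INVENTORY with an export from your CMDB or vulnerability scanner; the vendor and product strings in the feed are free text, so expect to maintain a small alias table for products your inventory names differently.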
Vulnerabilities for Hospitals to Watch Out For
These significant vulnerabilities were weaponized in November and December 2024. Intelligence indicates that hospital infrastructure should treat them with a high degree of caution.
- CVE-2024-11680 (CRITICAL): This critical vulnerability allows attackers to bypass authentication and gain unauthorized access to ProjectSend. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
- CVE-2024-49138 (High): Successful exploitation of this privilege escalation flaw in the Windows Common Log File System (CLFS) Driver allows attackers to gain SYSTEM privileges, providing complete control over the targeted system.
- CVE-2024-44308 (High) and CVE-2024-44309 (Medium): These zero-day vulnerabilities in Apple's macOS allow remote code execution and cross-site scripting (XSS) attacks.
- CVE-2024-38812 (CRITICAL) and CVE-2024-38813 (CRITICAL): These critical vulnerabilities in VMware vCenter Server enable remote code execution and privilege escalation.
- CVE-2024-42057 (High): This command injection vulnerability allows unauthenticated attackers to execute OS commands on vulnerable Zyxel devices. It has been linked to the Helldown ransomware group, which uses it for network infiltration.
- CVE-2024-10914 (CRITICAL): This critical command injection vulnerability affects legacy D-Link NAS devices. Attackers can exploit it to gain unauthorized access and control of the device.
News
CISA Updates Toolkit with Seven New Resources to Promote Public Safety Communications and Cyber Resiliency
On December 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) highlighted its Public Safety Communications and Cyber Resiliency Toolkit, which aims to identify and address emergent trends and issues, consolidate resources, educate stakeholders at all levels of government, and propose mitigations that enable resilient public safety communications. Read more here...
Feds Warn That Connected Devices Are Prey for Cyberattackers
On December 20, H-ISAC linked to a news article at healthcareinfosecurity.com wherein the U.S. Department of Health and Human Services urged healthcare entities to beef up their connected device defenses. Read more here...
Crowdstrike Outage
On July 19, 2024, CrowdStrike distributed a defective update to its Falcon sensor program, which resulted in many hospitals and other facilities losing services. CrowdStrike has since released an Executive Summary and a Root Cause Analysis. Please refer to the link below for updates and the provided remediation guidance.
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/ (Remediation and Guidance Hub)
Change Health Care
Change Healthcare is experiencing an extended outage resulting from a cyber incident. We encourage all customers of Change Healthcare to follow the links below for updates on the incident and the resulting outages.
https://status.changehealthcare.com/ (Page Listing Product Availability)
https://status.changehealthcare.com/incidents/hqpjz25fn3n7 (Page Offering Updates On The Incident)
Additional Resources
- HHS 405(d) Aligning Health Care Industry Security Approaches - The 405(d) Program and Task Group is a collaborative effort between industry and the federal government, which aims to raise awareness, provide vetted cybersecurity practices, and move healthcare organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. Their website provides the latest resources and information as well as an opportunity for involvement.
- Helpful resources CISA has provided can be found on the following pages:
Talk to us!
We at MEDITECH would love to hear your feedback about this newsletter and we’d like to know what is on your mind. Is there something you would like us to address?
We also have a question for you that is important to us. What are your largest concerns or security hopes for 2024?
Please let us know by contacting us!
Until next time, stay alert out there!