In October 2020 and April 2021, the U.S. National Security Administration posted advisories regarding known vulnerabilities that Chinese and Russian hackers use to breach U.S. and other networks.
Our Observations:
- Many of the vulnerabilities are in Virtual Private Network (VPN) software solutions specifically designed to prevent hacking.
- It is interesting to note, in light of the U.S. Administration’s newly announced sanctions against Russia, that China has exploited many more vulnerabilities than Russia, according to the U.S. National Security Administration’s published vulnerabilities list (see below).
- In healthcare, HIPAA Covered Entities should review the material and contact their vendors for additional guidance, although vendor guidance alone may be inadequate.
- For example, some of the vendors with impacted systems and vulnerabilities have opportunistically reported vulnerabilities in other vendors’ systems, but not in their own.
- Specifically, Fortinet reports vulnerabilities that its “Lab” detects but has not reported a vulnerability in its own Fortinet FortiGate VPN. As of April 15, 2021, there are no 2020 or 2021 updates on Fortinet’s searchable vulnerabilities list pertaining to its own FortiGate VPN. (See https://www.fortiguard.com/ )
- For the sectors of the healthcare industry that use or disclose protected health information (PHI) and that are HIPAA Covered Entities, there are specific Administrative Safeguards designed to encourage cyclical review and revision of policies to protect against hacking and breaches of PHI. See Administrative Safeguards in this article.
I. Administrative Safeguards (See §164.308(a)(1))
The first standard under the Administrative Safeguards section is the Security Management Process. This standard requires covered entities to: “Implement policies and procedures to prevent, detect, contain and correct security violations.” The purpose of this standard is to establish the administrative processes and procedures that a covered entity will use to implement the security program in its environment.
There are four implementation specifications in the Security Management Process standard. Here are the first two:
Risk Analysis (Required)
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity,” as provided for in § 164.308(a)(1)(ii)(A).
A Covered Entity’s Risk Analysis is implemented through its policies and policy review as well as through its security infrastructure. Known vulnerabilities should be identified in the infrastructure, policies should be revised, and technology updates or replacements should be performed to mitigate risks.
Risk Management (Required)
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
A Covered Entity’s Risk Management should likewise be implemented through its policies and policy review, as well as in its security infrastructure.
II. Russian hacking-associated vulnerabilities
On April 15, 2021, the U.S. National Security Administration published known vulnerabilities that impact U.S. and Allied networks.
NSA states that users of these products should mitigate the following known vulnerabilities, two of which are in VPN products:
- CVE-2018-13379 Fortinet FortiGate VPN.
- CVE-2019-9670 Synacor Zimbra Collaboration Suite.
- CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN.
- CVE-2019-19781 Citrix Application Delivery Controller and Gateway.
III. Chinese hacking-associated vulnerabilities
Works Cited
See https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
See https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/
See also
- “SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure® / Pulse Policy Secure 0RX.” PulseSecure®, 07 August 2020. [Online] Available: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 [Accessed 22 September 2020]
- “K52145254: TMUI RCE vulnerability CVE-2020-5902.” F5, 22 July 2020. [Online] Available at: https://support.f5.com/csp/article/K52145254 [Accessed 22 September 2020]
- “Citrix® | Support Knowledge Center: CTX267027 CVE-2019-19781 – Vulnerability in Citrix® Application Delivery Controller, Citrix® Gateway, and Citrix SD-WAN WANOP appliance.” Citrix®, 24 Jan 2020. [Online] Available at: https://support.citrix.com/article/CTX267027 [Accessed 21 September 2020]
- “Citrix® | Support Knowledge Center: CTX276688 Citrix® Application Delivery Controller, Citrix® Gateway, and Citrix® SDWAN WANOP appliance Security Update.” Citrix, 17 Aug 2020. [Online] Available at: https://support.citrix.com/article/CTX276688 [Accessed 21 September 2020]
- “MobileIron® Security Updates Available.” MobileIron®, 01 July 2020. [Online] Available: https://www.mobileiron.com/en/blog/mobileiron-security-updates-available [Accessed 22 September 2020]
- “Stop using LAN Manager and NTLMv1.” Microsoft®, 7 Nov 2017. [Online] Available at: https://blogs.technet.microsoft.com/miriamxyra/2017/11/07/stop-using-lan-manager-and-ntlmv1 [Accessed 22 September 2020]
- “Network security: Restrict NTLM: Audit NTLM authentication in this domain.” Microsoft®, 19 Apr 2017. [Online] Available at: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain [Accessed 22 September 2020]
- “CVE Details: Vulnerability Details: CVE-2018-6789.” CVE Details, 26 Oct [Online] Available at: https://www.cvedetails.com/cve/CVE-2018-6789/ [Accessed 18 September 2020]
- “CVE-2020-0688 | Microsoft Exchange® Validation Key Remote Code Execution Vulnerability.” Microsoft®, 11 Feb. 2020. [Online] Available at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 [Accessed 18 September 2020]
- “Adobe® Security Bulletin: Security updates available for Cold Fusion® | APSB18-14.” Adobe, 10 Apr 2018. [Online] Available at: https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html [Accessed 18 September 2020]
- “Oracle® Security Alert for CVE-2015-4852.” Oracle®, 12 Nov 2015. [Online] Available at: https://www.oracle.com/security-alerts/alert-cve-2015-4852.html [Accessed 23 September 2020]
- “Confluence® Security Advisory – 2019-03-20: March 2019 Confluence® Server Advisory – WebDAV and Widget Connector.” Atlassian®, 20 Mar 2019. [Online] Available at: https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html [Accessed 18 September 2020]
- “Crowd Security Advisory 2019-05-22: Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580).” Atlassian® 23 May 2019. [Online] Available at: https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22- html [Accessed 21 September 2020]
- “ManageEngine® Desktop Central remote code execution vulnerability (CVE-2020-10189).” ManageEngine®. [Online] Available at: https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html [Accessed 21 September 2020]
- “Tenable®: https://www.tenable.com/cve/CVE-2019-18935.” Tenable®, 16 Jan 2020. [Online] Available at: https://www.tenable.com/cve/CVE-2019-18935 [Accessed 23 September 2020]
- “Symantec® Messaging Gateway RCE and CSRF.” Broadcom®, 05 March 2020. [Online database entry] Available at: https://support.broadcom.com/security-advisory/content/0/0/SYMSA1411 [Accessed 22 September 2020]
- “Cisco IOS® XR Software Discovery Protocol Format String Vulnerability.” Cisco®, 05 February 2020. [Online] Available at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa20200205-iosxr-cdp-rce [Accessed 22 September 2020]
- “Vigor3900® / Vigor2960® / Vigor300B® Router Web Management Page Vulnerability (CVE-2020-8515).” DrayTek®, 10 February 2020. [Online] Available: https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/vigor300b-router- web-management-page-vulnerability-(cve-2020-8515)
Disclaimer of Endorsement
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of NSA’s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense, and Defense Industrial Base information systems, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.