"Operation Doppelganger" has convincingly masqueraded as multiple news sites with elaborate fake stories containing real bylines of journalists, blasting them out on social media platforms.

It wasn’t long ago that medical devices were isolated and unconnected, but the rise of IoT has brought real computing power to the network edge. Today, medical devices are transforming into interconnected, smart assistants with decision-making capabilities.

Any device in a medical setting must be designed with one core priority in mind: delivering patient care. Medical professionals need instant access to data from devices with minimal friction so they can focus on what they do best. But at the same time, any device holding sensitive medical records must be secure.

To balance these needs, security software for medical devices must be lightweight enough to maximize the performance of the device without overloading the processor, taxing battery life, or putting the user through cumbersome processes. It must be high-performing and reliable with great battery life, so the device is always ready and works every time it’s needed.  

Recently, Microsoft and global technology services firm HCL Technologies teamed up to help solve the security challenge with a high-performance solution for medical devices. The result is a new reference architecture and platform for building secure medical devices and services based on HCL’s Connected Assets in Regulated Environment (CARE), Microsoft Defender for IoT, and Azure IoT.

By freeing medical device manufacturers from the need to build security solutions and cloud services, this new platform will enable them to focus on their own core mission and strengths, which are healthcare-related innovation and patient care, even as they build new, better, and more secure medical devices.

Combining HCL’s CARE and Microsoft Defender for IoT

As a long-time Microsoft partner, HCL brings deep expertise in applications, systems integration, network engineering, and managed services.

Built on Microsoft Azure, HCL’s CARE Platform has been designed and developed with security best practices and standards in mind. The platform provides the foundation and platform that medical device manufacturers need to develop innovative high-performance healthcare services and devices while ensuring an integrated security approach from the cloud to the network edge.

By including Microsoft Defender for IoT in the device itself, device builders are able to create secure-by-design, managed IoT devices. Defender for IoT offers continuous asset discovery, vulnerability management, and threat detection—continually reducing risk with real-time security posture monitoring across the device’s operating system and applications.

Partner Director of Enterprise and OS Security for Azure Edge and Platform at Microsoft, David Weston, highlighted the value of this collaboration saying, “By partnering with HCL to incorporate Defender for IoT into HCL’s CARE, we see a bright future for medical device manufacturers to build secured medical devices, with minimal effort.” Sunil Aggarwal, Senior Vice President at HCL and Client Partner for Microsoft, added, “HCL’s CARE enables medical original design manufactures (ODMs) and original equipment manufacturers (OEMs) to quickly develop new devices and solutions focused on patients’ needs. By including Defender for IoT, those devices benefit from Microsoft’s deep security expertise, thousands of security professionals, and trillions of security signals captured each day.”

The combined Microsoft and HCL solution for healthcare IoT provides the high-performance security needed to protect the sensitive data on the medical device—in transit and in the cloud. By using a combination of endpoint and network security signals, the system can monitor what’s happening on the network, in the operating system, and at the application layer while keeping a pulse on the integrity of the device. This combination of external and internal security signals yields advanced security not often found on medical devices, which are typically monitored using only network data.   

Advanced threat detection with Defender for IoT

CARE’s use of Defender for IoT offers the best possible security using Defender’s agent-based monitoring. This means security is built directly into IoT devices with the Microsoft Defender for IoT security agent, which supports a wide range of operating systems including popular Linux distributions. With an agent, richer asset inventory, vulnerability management, and threat detection and response is possible.  

Figure 1. Devices are monitored and assessed for vulnerabilities and security recommendations. The combination of network and endpoint signals enables a deeper assessment and a broader range of detections.

Defender for IoT security monitors the security of the device and enables the following scenarios for medical device manufacturers using HCL’s CARE with Defender for IoT:

• Asset inventory: Gain visibility to all your IoT devices so operators can manage a complete inventory of their entire healthcare IoT fleet.
• Posture management: Identify and prioritize misconfigurations based on industry benchmarks and software vulnerabilities or anomalies in the software bill of materials (SBOM) that may arise from supply chain attacks and use integrated workflows to bring devices into a more secure state.
• Threat detection and response: Leverage behavioral analytics, machine learning, and threat intelligence based on trillions of signals to detect attacks through anomalous or unauthorized activity.  
• Microsoft Security integration: Defender for IoT is part of the Microsoft security information and event management (SIEM) and extended detection and response (XDR) offering, enabling quick detection and response capabilities for multistage attacks that may move across network boundaries.
• Third-party integration: Integrates with third-party tools you’re already using, including SIEM, ticketing, configuration management database (CMDB), firewall, and other tools.

Powerful automated services for detection and response

HCL’s CARE Gateway and CARE Device Agent complement Defender for IoT’s security and can help capture application-level security events and send them into Defender for IoT analytics services, such as an attempt to connect an unknown device, use of invalid provisioning credentials, attempts to run unauthorized commands remotely, short-and-lengthy remote access sessions, anomalies related to data transfer rate, event sequence anomalies, and more.

Figure 2. Medical devices send security and other types of events to HCL’s CARE Gateway which forwards data to the Azure IoT hub. Security events are forwarded to the Defender for IoT cloud services while non-security-related events are sent to HCL’s CARE Core and business app.

Integrating HCL’s CARE with Defender for IoT can protect and monitor connected medical devices and gateways too. The CARE Platform integrated with Defender for IoT provides a powerful solution to secure healthcare devices:

• CARE Cloud runs in Azure, utilizing Azure cloud security services to ensure that customers’ health data is secure and accessible only to authorized persons.

• CARE Device Gateway keeps devices isolated from the public internet.

• The Defender for IoT micro agent can help to capture events at the system level and push them to Defender for IoT analytics services, along with the service level events captured by gateway itself.

• Device Agent connects to Device Gateway to get events out. It can also capture device software level events and push them to Defender for IoT analytics services through the Device Gateway.

• CARE Cloud can make critical events captured at Defender for IoT analytics services actionable, such as gracefully isolating medical devices from the network and alerting device owners.

• CARE Reusable Modules and design guidelines make the application and connected device secure by enabling secure design, development, and deployment. This includes static and dynamic application security testing and software composition analysis.

• CARE can also act on critical events by alerting the device owners’ IT security, and sending commands to devices for network isolation, graceful shutdown, and other preconfigured actions.

Find out more

Both Microsoft and HCL are excited to bring this new platform and security technologies to the medical device industry, and we invite you to learn more about how HCL’s CARE and Defender for IoT deliver the security that medical device manufacturers need. Using these technologies, manufacturers can focus more on medical and patient innovation and the quicker delivery of new solutions to the marketplace.

These new security capabilities are available today. Medical device manufacturers and OEMs should check out HCL’s CARE, Microsoft Defender for IoT, and Microsoft’s recently announced Edge Secured-core preview.  

If you are an IoT solution builder, reach out to the Azure Certified Device team. We are ready to work with you!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Secure your healthcare devices with Microsoft Defender for IoT and HCL’s CARE appeared first on Microsoft Security Blog.

Also: A report out today warns ransomware criminals are becoming more politically motivated.

On Friday March 3, the Cybersecurity and Infrastructure Security Agency (CISA) added a whopping number of 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog.

This catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.

But even if your organization isn’t a FCEB agency that needs to follow the Binding Operation Directive 22-01, the CISA list can act as a good guide for your patch management strategy.

95 new ones?

CISA normally sends out a mail every few days in which it details a few important vulnerabilities it’s added to the Catalog. However, on March 3 it didn’t even enumerate the list. Instead, it just emailed a link to the Catalog and included instructions on how to find the most recently added vulnerabilities. If you’re looking yourself, you need to click on the arrow on the of the “Date Added to Catalog” column, which will sort by descending dates.

Not so new

The first thing that jumped out at me is that these vulnerabilities were not all very new at all. The oldest vulnerability on that list is CVE-2002-0367, an almost 20 year old vulnerability in Windows NT and Windows 2000. In fact, only 5 vulnerabilities were patched in 2022. All these applied to Cisco’s Small Business RV160, RV260, RV340, and RV345 series routers by the way.

This brings me to the next thing that is remarkable. 38 of the 95 added vulnerabilities are for Cisco products. Other products include those by Microsoft (27), Adobe (16), and Oracle(7).

Of the Adobe vulnerabilities, nine were found in Flash Player. Adobe Flash Player reached End of Life (EOL)  on December 31, 2020, after being first announced in 2017. Since Adobe no longer supports Flash Player, on January 12, 2021,  the company started blocking Flash content from running. In fact, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.

Possible reasons

Pondering the reason for CISA to suddenly add 95 vulnerabilities to their list, I came up with the following options:

• It suddenly became aware of several old vulnerabilities that were nonetheless still being exploited.
• It suddenly decided to list vulnerabilities in software that has long reached EOL but could still be used a lot.
• The nature of actively exploited vulnerabilities has changed.

Some examples

Personally, I suspect that the nature of the actively exploited vulnerabilities has changed. Last year, you would typically see exploited vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold. This allows attackers to exfiltrate data, plant ransomware, and other criminal activities that could lead to financial gain.

However, looking at some of the vulnerabilities that were included in this list of 95, I noticed that many could lead to Denial-of-Service (DoS) attacks.

Examples:

• A vulnerability in Siemens SIMATIC CP 1543-1 versions before 2.0.28 allows remotely authenticated users to cause a denial of service by modifying SNMP variables.
• Multiple Cisco vulnerabilities on this list which could result in a DoS condition or cause an affected system to reload.

Other vulnerabilities could allow attackers to run arbitrary code or cause a denial of service. For example, a PowerPoint vulnerability that has been around since 2015 and was found to be used by the Russian state-sponsored team APT28 (aka Fancy Bear) in 2018.

Some Flash Player vulnerabilities were found to be used in targeted attacks. The suspect in this case was APT37, also known as the North Korean “Lazarus” group.

A vulnerability in older Windows versions (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1) would allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document. The use of this exploit was attributed to the Russian “SANDWORM” operation.

I also found an Elevation of Privilege (EoP) vulnerability in a Windows Installer on the CISA list that would allow an attacker to delete targeted files on a system. However, they would NOT gain privileges to view or modify file contents.

Other interesting items on the list are some IoT vulnerabilities that got some fame in 2020 under the name Ripple20.  Successful exploitation of these vulnerabilities could result in denial of service, information disclosure or remote code execution.

So, is it just me or is there a trend here that shows vulnerabilities that were previously hard to exploit for financial gain, but are perfectly usable to disrupt operations? Could it be that, no surprise, the war in Ukraine has changed the nature of the actively exploited vulnerabilities?

According to Adam Kujawa, Security Evangelist and Director of Malwarebytes’ Threat Intel team:

“In 2007, we observed Russian sympathizers online utilizing hacking tools to launch disruption attacks against Georgian news networks and government networks, to prevent information from flowing to the public while Russia had troops roll in. Similar events have happened in Estonia, and Russian sponsored hackers are known to utilize Ukrainian networks as a kind of “playground” for their attacks, shutting off power grids and other critical infrastructure, launching massive supply chain attacks against them (as in the case of NotPetya). And those are just some of the attacks we know about.

With that in mind, I believe that while many of these vulnerabilities are useless against actual intrusion and espionage, the exploits developed from them will be used to disrupt and degrade rather than collect.

I am not sure how many of these have been used in the wild, and while it is great to see CISA be proactive in spreading this information, I must wonder how much of the information will get to those protecting networks in Ukraine?  Could it be that CISA may have just handed over the knowledge about various disruptive exploits that will work on unpatched systems, to be used against those who don’t have endpoint patching as their top priority?”

Mitigation

Given the varied nature of the list, the most actionable advice is to keep an eye on the known exploited vulnerabilities catalog. To make things easier, you can subscribe to receive the updates. Besides the usual security advice, now seems to be a good time to invest in clever patch management, and ditch that software which has reached EOL and no longer receives security updates.

Stay safe, everyone!

The post CISA list of 95 new known exploited vulnerabilities raises questions appeared first on Malwarebytes Labs.

Misconfigured Database Leaks Info on 150K E-commerce Buyers

The days of superstars stealing the limelight may be numbered, even in team sports, as it's becoming clearer that "collective functioning" is how modern sports teams succeed. Building a franchise around a single player like Messi or Ronaldo is short-sighted.