
H-ISAC Hacking Healthcare 4-21-2020

TLP White

 

In this edition of Hacking Healthcare, we explore how COVID-19 is impacting coordinated vulnerability disclosure and why the healthcare sector may be significantly affected. Next, we highlight the newest example of a nation-state using COVID-19 to further geopolitical goals, and we discuss how those efforts may be undermining COVID-19 response efforts. Lastly, we break down insights a group of experts at Oxford may have on the viability and effectiveness of contact tracing apps.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

 

Welcome back to Hacking Healthcare.

 

1.  COVID-19 Impacts Patching and Coordinated Vulnerability Disclosure.

COVID-19 continues to force organizations to adapt their business operations. Last week, ZDNet reported on ways this reality is affecting the process of coordinated vulnerability disclosure. The report, which focuses on some of Cisco’s internet protocol phones, overlaps with the healthcare sector due to the product’s heavy usage by healthcare professionals and staff.[1]

The vulnerability, CVE-2020-3161, stems from “[a] vulnerability in the web server for Cisco IP Phones [that] could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone.”[2] It was discovered by the security company Tenable and disclosed to Cisco on January 23rd.[3] Initially, the vulnerability was on track for Cisco’s 90-day disclosure window, but the advent of COVID-19 led them to request an extension to that timeline in late March. Ultimately, Cisco did end up disclosing the vulnerability within the 90-day window that is set forth in their existing policy, as they could not “prevent the fix from going ahead on April 15.”[4]

While this particular vulnerability, with its potential to directly impact the healthcare sector at a critical moment, ended as successfully as could be hoped for, it draws attention to ways COVID-19 is affecting day-to-day cybersecurity processes. As producers of products and services see their efficiency and capabilities decline as their workforces adapt to telework and confront health concerns, their ability to successfully meet established disclosure and patching timelines is being tested.

 

2. Foreign Powers See Cyber Opportunities in COVID-19 Chaos.

Although they have garnered much attention, criminal actors looking for profit aren’t the only ones taking advantage of COVID-19 to further their goals. Nation-state actors have been reportedly stepping up their efforts as COVID-19 weakens security organizations and creates new avenues of attack. The Syrian government appears to be the latest example of a state creating or redirecting their cyber campaigns to implement COVID-19 themes.

Last week, mobile security firm Lookout published their findings of a “long-running surveillance campaign tied to Syrian nation-state actors.”[5] The campaign appears to target Arabic speakers in Syria and adjacent territories, and it includes at least 71 malicious Android applications.[6] While the campaign itself predates the outbreak of COVID-19, a number of new applications, such as a fake body temperature app, appear to have been created in March specifically to take advantage of COVID-19 confusion and fear.[7] The applications deliver malware capable of accessing cameras, exfiltrating call logs, and recording audio.[8]

Syria is far from the only nation-state taking advantage of COVID-19. It has already been well documented that groups associated with the governments of China, Russia, and North Korea have adapted their cyber tactics to COVID-19.[9], [10] It may surprise few to see those nation-states listed, but many other governments with sophisticated cyber capabilities are likely also engaged in the practice. These attacks are sometimes made even more successful by the inclusion of legitimate medical information and advice.

 

3.  University of Oxford’s Experts Weigh in on NHS’s Contact Tracing Effort.

As we touched on last week, the buzz around contact tracing applications has been building for the past few weeks. In Europe, the U.K. appears close to implementing their own contact tracing effort through the National Health Service (NHS) with some help from experts at Oxford.

In part, these experts have focused on the creation of a model to simulate the potential effect a contact tracing app could have on stemming the spread of COVID-19. Their model, which simulates a city of 1 million inhabitants, has given them several insights into how the NHS effort may help, and where it may struggle.

According to the team at Oxford, 56% of the population would have to use the app as intended in order to “halt the outbreak.”[11] This translates into roughly 80% of the total smartphone users within the U.K.[12] How viable that number is remains an open question. Singapore, one of the earliest adopters of a voluntary contact tracing application, reportedly only managed adoption of around 12% of the population from the deployment in late March.[13]

Further complicating that target is the number of active smartphones in the U.K. market that do not possess Bluetooth technology. Bluetooth, a wireless technology that allows short range data exchange, is the technology that will underpin many of these contact tracing efforts. Estimates for U.K. Bluetooth compatibility range from roughly 66% to 88%, which will present an additional barrier to workable contact tracing applications.[14] This is especially worrisome as older individuals, the population most at risk from COVID-19, are the ones most likely to continue to use devices old enough to predate the needed Bluetooth technology.[15]

 

Congress

 

Tuesday, April 21st:

– No relevant hearings

 

Wednesday, April 22nd:

– No relevant hearings

 

Thursday, April 23rd:

– No relevant hearings

 

 

International Hearings/Meetings

 

– No relevant hearings

 

 

EU – No relevant hearings/meetings

 

– No relevant hearings

 

 

Conferences, Webinars, and Summits

–H-ISAC Monthly Member Threat Briefing – Webinar (4/28/2020)

https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-7/

–Leverage SecurityScorecard’s Self-Monitoring and Vendor Risk Management Solution for H-ISAC Members (TLP GREEN) – Webinar (4/30/2020)

https://h-isac.org/hisacevents/leverage-securityscorecards-self-monitoring-and-vendor-risk-management-solution-for-h-isac-members-tlp-green/

–H-ISAC Monthly Member Threat Briefing – Webinar (5/26/2020)

https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-8/

–H-ISAC Security Workshop – Frederick, MD (6/9/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-frederick-md/

–AAMI Exchange – New Orleans, LA (6/12/2020-6/15/2020)

https://h-isac.org/hisacevents/aami-exchange/

–H-ISAC Security Workshop – Lisbon, Portugal (6/17/2020) (POSTPONED)

https://h-isac.org/hisacevents/h-isac-security-workshop-lisbon-portugal/

–H-ISAC Security Workshop – Buffalo, NY (6/23/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-buffalo-ny-2/

–H-ISAC 2020 Spring Summit – Singapore (6/23/2020-6/25/2020)

/summits/

–H-ISAC Monthly Member Threat Briefing – Webinar (6/30/2020)

https://h-isac.org/hisacevents/h-isac-monthly-member-threat-briefing-9/

–Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (7/17/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426497

–Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426499

–Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/426517

–H-ISAC Security Workshop – Greenwood Village, CO (9/16/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-greenwood-villiage-co/

–Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/427126

–H-ISAC Cyber Threat Intel Training – Titusville, FL (9/22/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-titusville-fl/

–H-ISAC Security Workshop – Forchheim, Germany

https://h-isac.org/hisacevents/h-isac-security-workshop-forchheim-germany/

–Summit on Security & Third Party Risk – National Harbor, MD (9/28/2020-9/30/2020)

GRF Summit on Security & Third Party Risk Digital Series

–Healthcare Cybersecurity Forum – Texas – Houston, TX (10/8/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428840

–CYSEC 2020 – Dubrovnik, Croatia (10/27/2020 – 10/28/2020)

https://h-isac.org/hisacevents/cysec-2020-croatia/

–H-ISAC Security Workshop – Mounds View, MN (10/27/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-buffalo-ny/

–Healthcare Cybersecurity Forum – Pacific Northwest – Seattle, WA (10/28/2020)

https://endeavor.swoogo.com/2020_healthcare_innovation_cybersecurity_forums/428886

–H-ISAC Security Workshop – Seattle, WA – (10/29/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-seattle-wa-2/

–Healthcare Cybersecurity Forum – California – Los Angeles, CA (11/12/2020)

–H-ISAC Security Workshop – Paris, France (11/18/2020)

https://h-isac.org/hisacevents/h-isac-security-workshop-paris-france/

 

 

Sundries –

 

–Google Blocks 18M Daily COVID-19-Related Phishing Emails

https://healthitsecurity.com/news/google-blocks-18m-daily-covid-19-related-phishing-emails

 

–Microsoft delays end of support for older Windows, software versions

https://www.bleepingcomputer.com/news/microsoft/microsoft-delays-end-of-support-for-older-windows-software-versions/

 

–VA and DOD Now Default to Sharing Patient Data with Private-Sector Providers

https://www.nextgov.com/it-modernization/2020/04/va-and-dod-now-default-sharing-patient-data-private-sector-providers/164752/

 

 

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://www.zdnet.com/article/coronavirus-cisco-wanted-to-delay-patch-for-critical-flaw-in-phone-used-by-doctors/#ftag=CAD-03-10abf5f

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3161

[3] https://www.zdnet.com/article/coronavirus-cisco-wanted-to-delay-patch-for-critical-flaw-in-phone-used-by-doctors/#ftag=CAD-03-10abf5f

[4] https://www.zdnet.com/article/coronavirus-cisco-wanted-to-delay-patch-for-critical-flaw-in-phone-used-by-doctors/#ftag=CAD-03-10abf5f

[5] https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures

[6] https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures

[7] https://www.cyberscoop.com/coronavirus-syria-surveillance-apps-lookout/

[8] https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures

[9] https://securityaffairs.co/wordpress/99552/apt/apt-coronavirus-themed-attacks.html

[10] https://www.technologyreview.com/2020/03/12/916670/chinese-hackers-and-others-are-exploiting-coronavirus-fears-for-cyberespionage/

[11] https://www.bbc.com/news/technology-52294896

[12] https://www.bbc.com/news/technology-52294896

[13] https://www.bbc.com/news/technology-52294896

[14] https://arstechnica.com/tech-policy/2020/04/2-billion-phones-cannot-use-google-and-apple-contract-tracing-tech/

[15] https://arstechnica.com/tech-policy/2020/04/2-billion-phones-cannot-use-google-and-apple-contract-tracing-tech/
