
HHS HC3: Healthcare Sector Remains at Risk for Log4j Attacks

'No Major Compromises' in Sector - So Far, Says Agency

Although there have been no major compromises in the healthcare and public health sector to date involving Apache Log4j flaws, the health sector remains highly vulnerable, as do other industries, federal regulators warn.


"Health sector adversaries are actively leveraging these vulnerabilities," says the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a threat report issued on Thursday.

"Updating can be a time-consuming and tedious process. Further vulnerabilities may continue to be identified soon," HC3 says.

"There are both short- and long-term steps to take in order to remain secure. Vulnerabilities in ubiquitous apps will present similar issues in the future," the report says.

Foreign Exploitation

Foreign actors from several nation-states, including China and Iran, are believed to be leveraging Log4Shell, according to HC3. It says that:

  • In China, Microsoft reports that the cyberthreat actor known as Hafnium has been leveraging the vulnerability to attack virtualization infrastructure, using DNS to conduct fingerprinting.
  • Also in China, CrowdStrike reports that Aquatic Panda has used a modified version of Log4Shell to harvest credentials and memory dumps.
  • In Iran, according to Microsoft, the cyberthreat actor known as Phosphorus has used a modified version of Log4Shell to deploy ransomware.
  • Also in Iran, according to Check Point, the APT35 group has been conducting aggressive scanning for systems vulnerable to Log4Shell.
  • In Turkey and North Korea, according to Microsoft, threat actors have been leveraging Log4Shell.

In addition, "SecurityScorecard has reported seeing reconnaissance activity related to Log4Shell originating from Chinese and Russian state-sponsored actors. Mandiant reported having observed Chinese and Iranian state-sponsored actors leveraging Log4Shell," HC3 writes.

Nonstate cybercriminal groups, specifically ransomware operators, are also leveraging Log4Shell. They include the Muhstik and Mirai botnets. And HC3 says Conti is a "prolific threat to the health sector," adding that, "Per Advanced Intelligence, Conti is one of the first sophisticated cybercriminal groups to leverage Log4Shell."

Taking Action

HC3's analysis report on Thursday follows an alert the HHS unit issued on Dec. 10 advising healthcare and public health organizations to survey their infrastructure to ensure they are not running vulnerable versions of Log4j (see: Log4j Flaw: Healthcare Sector Warned to Take Action).

"Any vulnerable systems should be upgraded, and a full investigation of the enterprise network should commence to identify possible exploitation if a vulnerable version is identified," that advisory said.
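The survey step in that advisory is an inventory problem: find every copy of log4j-core on a host and compare its version against the fixed releases. The script below is an added example written for this article, not code from HC3 or the Log4j project. It assumes the Maven `pom.properties` that the log4j-core build embeds in each jar, treats any 2.x build older than 2.17.1 as needing an upgrade (except the 2.12.4+ and 2.3.2+ backport branches for Java 7 and 6), and flags all 2.0 pre-releases conservatively even though only beta9 onward is affected.

```python
import os
import re
import tempfile
import zipfile

# Path Maven writes into each log4j-core jar; it carries the exact version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); a pre-release such as '2.0-beta9' gets a trailing
    0 so it sorts below the matching final release."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1)

def is_vulnerable(version):
    """True for 2.x older than 2.17.1, except the 2.12.4+ and 2.3.2+ backport lines."""
    v = parse_version(version)
    if v[0] != 2:
        return False  # 1.x has no JNDI lookup and is out of scope for Log4Shell
    if v >= (2, 17, 1, 1):
        return False
    if (2, 12, 4, 1) <= v < (2, 13, 0, 0) or (2, 3, 2, 1) <= v < (2, 4, 0, 0):
        return False
    return True

def jar_version(path):
    """Version recorded inside the jar (survives renamed files); filename as fallback."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a jar at all; fall through to the filename check
    m = re.search(r"log4j-core-(\d[\w.\-]*)\.jar$", os.path.basename(path))
    return m.group(1) if m else None

def scan(root):
    """Walk a tree; return (path, version, vulnerable) for each jar embedding log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                if version is not None:
                    findings.append((path, version, is_vulnerable(version)))
    return sorted(findings)

def demo():
    """Constructed sample: two minimal jars that carry only pom.properties."""
    root = tempfile.mkdtemp()
    for version in ("2.14.1", "2.17.1"):
        with zipfile.ZipFile(os.path.join(root, "app-%s.jar" % version), "w") as zf:
            zf.writestr(POM_PROPS, "version=%s\n" % version)
    return [(os.path.basename(p), v, vuln) for p, v, vuln in scan(root)]
```

The scan reads only top-level jars; log4j-core nested inside a war or ear, or relocated by a shading plugin without its pom.properties, needs the archive unpacked first.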

HC3 in its analysis report Thursday notes that healthcare sector entities, among other steps, should stay abreast of a repository of affected vendor platforms that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is maintaining, as well as CISA mitigation guidance.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
