CISA and HC3 have issued critical warnings on emerging cybersecurity threats. CISA emphasizes five new vulnerabilities and a list of ransomware-related misconfigurations. HC3 alerts healthcare organizations about “NoEscape” ransomware with unique shared encryption, evolving from the defunct Avaddon group. They urge vigilance, as almost 25% of attacks target U.S. entities. CISA enhances its resources to combat ransomware, allowing the sorting of exploited vulnerabilities and publishing a list of common weaknesses. Additionally, they flag vulnerabilities in Microsoft, Adobe, and Cisco systems. CISA also highlights the potential impact of DDoS attacks via CVE-2023-44487 (Rapid Reset) and the ongoing Israeli-Hamas conflict.
In recent cybersecurity developments, both the Cybersecurity and Infrastructure Security Agency (CISA) and the Health Sector Cybersecurity Coordination Center (HC3) have issued important warnings regarding emerging threats. Here’s a breakdown of the key information:
CISA’s Ransomware Alert:
CISA has raised concerns by adding five newly discovered vulnerabilities to its KEV catalog. Additionally, it has compiled a fresh list of misconfigurations and weaknesses that are known to be exploited in ransomware campaigns. The agency has given federal organizations until the end of the month to address these specific vulnerabilities, which were disclosed on Patch Tuesday.
HC3’s NoEscape Ransomware Warning:
HC3, the Health Sector Cybersecurity Coordination Center, has sounded the alarm about a recently discovered ransomware variant known as “NoEscape.” This ransomware has garnered attention due to its unique shared encryption feature, designed to lure victims with the promise of easier data recovery. NoEscape ransomware-as-a-service first emerged in May 2023. It is believed to be a rebrand of the defunct Avaddon ransomware group, which ceased operation in 2021. The developers behind NoEscape claim to have created the malware from scratch.
HC3’s alert provides a comprehensive overview of the threat group, an analysis of NoEscape’s ransomware attacks, details on MITRE ATT&CK techniques used, recommended defense and mitigation strategies, and more. Notably, nearly 25% of NoEscape attacks have targeted U.S. entities, with only a minimal number of healthcare organizations among the known victims.
NoEscape is written in C++ and is capable of encrypting data on Windows NT 10.0 operating systems, Linux machines, and VMware ESXi. What sets it apart is its shared encryption feature, seemingly designed to expedite decryption if a ransom is paid. Victims of NoEscape ransomware will discover files labeled “HOW_TO_RECOVER_FILES.TXT” in each folder containing encrypted files.
CISA’s Ransomware Resources:
The prevalence of ransomware attacks has led CISA to enhance its resources. They now allow their known exploited vulnerabilities catalog to be sorted by vulnerabilities “known to be used in ransomware campaigns.” Additionally, they have published a list of commonly exploited misconfigurations and weaknesses, which includes non-CVE-based information.
CISA has also highlighted specific vulnerabilities that organizations should prioritize patching or discontinuing. These include Microsoft Skype for Business’s CVE-2023-41763, an unspecified vulnerability allowing privilege escalation, and WordPad’s CVE-2023-36563, an unspecified vulnerability allowing information disclosure, which is of particular concern for HIPAA-covered entities.
Another highlighted vulnerability, CVE-2023-21608 in Adobe Acrobat and Reader, is a use-after-free that enables code execution in the context of the current user. CVE-2023-20109 in Cisco IOS and IOS XE Group Encrypted Transport VPN is an out-of-bounds write that could allow an authenticated remote attacker with administrative control to execute malicious code or crash a device.
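As an added example (not code from the article or from CISA), the following script shows how a defender can consume a KEV-format catalog offline to do the two things the resources section describes: pull out the entries flagged as used in ransomware campaigns, and list the CVEs whose remediation due date falls on or before a deadline such as the end of the month. It assumes the field names of the public KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse); the sample entries are constructed, and their flags and due dates are illustrative rather than real KEV data.

```python
"""Filter a CISA KEV-format catalog for ransomware-flagged and due entries.

Added example, not from the article or CISA. Field names are assumed to match
the public KEV JSON feed; the entries below are constructed for illustration.
"""
from datetime import date
import json

# Constructed sample in KEV-feed shape. Only the CVE ids, vendors and products
# of the first four entries come from the article; every flag and due date is
# illustrative. The last entry is an obvious placeholder, not a real CVE.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-41763", "vendorProject": "Microsoft",
         "product": "Skype for Business", "dueDate": "2023-10-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-36563", "vendorProject": "Microsoft",
         "product": "WordPad", "dueDate": "2023-10-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21608", "vendorProject": "Adobe",
         "product": "Acrobat and Reader", "dueDate": "2023-10-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-20109", "vendorProject": "Cisco",
         "product": "IOS and IOS XE", "dueDate": "2023-10-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-YYYY-NNNNN", "vendorProject": "ExampleVendor",
         "product": "placeholder", "dueDate": "2023-11-15",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_kev(raw: str) -> list[dict]:
    """Parse a KEV-format document; tolerate a missing 'vulnerabilities' key."""
    return json.loads(raw).get("vulnerabilities", [])


def ransomware_flagged(entries: list[dict]) -> list[str]:
    """CVE ids whose flag is exactly 'Known' (assumed Known/Unknown values)."""
    return sorted(e["cveID"] for e in entries
                  if e.get("knownRansomwareCampaignUse") == "Known")


def due_by(entries: list[dict], deadline_iso: str) -> dict[str, list[str]]:
    """Group CVE ids by vendor for entries due on or before the ISO deadline."""
    deadline = date.fromisoformat(deadline_iso)
    out: dict[str, list[str]] = {}
    for e in entries:
        if date.fromisoformat(e["dueDate"]) <= deadline:
            out.setdefault(e["vendorProject"], []).append(e["cveID"])
    return {v: sorted(c) for v, c in sorted(out.items())}


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    print("ransomware-flagged:", ransomware_flagged(entries))
    print("due by 2023-10-31:", due_by(entries, "2023-10-31"))
```

Point load_kev at the downloaded feed instead of SAMPLE_KEV_JSON to run it against the live catalog.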
DDoS Threat via Rapid Reset:
Apart from ransomware, DDoS threats have been a growing concern. CISA’s October 10 alert draws attention to CVE-2023-44487, affecting HTTP/2 and known as Rapid Reset. This vulnerability, exploited since August, has facilitated some of the largest distributed denial-of-service attacks recorded.
The ongoing Israeli-Hamas conflict, which began on October 7, has accelerated DDoS attacks, potentially impacting the U.S. healthcare sector. Denise Anderson, President of the Health Information Sharing and Analysis Center (H-ISAC), has raised awareness of this threat and alerted H-ISAC members to CISA’s warning. Notably, DDoS attacks on healthcare targets increased by 13% in 2016, as reported for Healthcare IT News by Neustar.
While efforts have been made to reach out to international and Israeli-based vendors in the Health Information Technology (HIT) space for comments on risks to U.S. healthcare organizations, no comments have been received at this time.