Cyber Intelligence Weekly (Oct 3, 2021): Our Take on Three Things You Need to Know
Welcome to our weekly post where I will be sharing some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
You can also Subscribe to receive Cyber Intelligence Weekly in your inbox each week.
Away we go!
1. Infant Death in Alabama Blamed on Ransomware
This week’s CIW leads off with a very somber story. According to legal documents filed by her lawyers, Teiranni Kidd of Mobile, Alabama is accusing Springhill Memorial Hospital, doctors, and other staff of and fraudulent non-disclosure and negligence surrounding a recent ransomware attack. The suit claims that ransomware left technology and critical healthcare services inoperable, and led to her daughter’s death. The deceased infant’s name is Nicko Silar.
This is both a heartbreaking and groundbreaking case, whereby, if proved successful, would mark the first death caused by a ransomware attack on record. Some may recall a story out of Germany last year where a patient had to be moved due to a ransomware incident and died in the process. After months of investigation the authorities concluded that the death was not due to circumstances from the ransomware attack but from the underlying conditions alone.
The Alabama lawsuit alleges that Ms. Kidd was not informed of the ransomware attack upon her admission to the hospital, nor was she made aware of the decrease in technology and medical services available to the hospital staff. Ms. Kidd notes that she would have made the choice to be cared for elsewhere had she known about the ransomware event. The hospital refused to pay the ransom when it was first struck by ransomware on July 8, 2019 and instead shut down all systems to prevent the spread in a containment effort and reverted to manual workarounds, normally used for brief outages, for three weeks. Ms. Kidd’s daughter Nicko was born on July 17, 2019, right in the midst of these events.
New details surrounding the lawsuit have recently been reported on by the Wall Street Journal ($). Ms. Kidd’s baby, Nicko, was born with an umbilical cord wrapped around her neck and was unresponsive at birth, requiring resuscitation. Baby Nicko had brain damage because of this and eventually succumbed to her injuries nine months later. Normally, these events cause heart activity to rise and they would be spotted on the heart monitor. If the condition would have been spotted much sooner, doctors would typically perform an emergency c-section.
However, the lawsuit alleges that, due to the ransomware attack, the heart monitor readouts that would typically occur at the nursing station were not there and the baby’s issue went unreported. Due to this, the attending obstetrician, Katelyn Parnell was not notified of the condition which ultimately led to the baby’s death, alleges the lawsuit. The WSJ article also unveils screenshots of texts between Springhill obstetrician Katelyn Parnell and the nurse manager, and between Dr. Parnell and another colleague, which were submitted as evidence in the lawsuit. In these text messages Dr. Parnell says, “100% would have sectioned this patient. I need u to help me understand why I was not notified,” referring to the fact that she had not seen the heart rate monitor results and if she would have, she would have performed a c-section. In a text string with another colleague, Dr. Parnell notes, “It just sucks, totally preventable. I know bad things happen and sometimes you can’t control it but this was preventable.”
The hospital is arguing in a motion that Dr. Parnell held the responsibility to inform Ms. Kidd of the ransomware attack. Mind you, the hospital released public statements during and after the ransomware attacks that mention that “patient safety is top priority” and they would “never allow our staff to operate in an unsafe environment.”
In my personal view, first and foremost, this is a terrible tragedy no matter who is to blame. My heart goes out to Ms. Kidd and her family for their loss. I cannot fathom the pain that they must feel. Also, whether proved in court or not, there is no denying that ransomware is a uniquely destructive and disruptive cyber attack that can cause very adverse events to occur.
Based on the facts surrounding this case, it seems that there was enough of a degradation in key hospital systems and therefore services and communication that led to safety issues. For me personally, I am motivated to help our clients prevent these types of situations from ever occurring in the first place, and this is further motivation for me to keep helping our clients do the right thing. Even if prevention isn’t an option, was the right decision made to shut down IT systems and continue to serve patients for three weeks? Hindsight is always 20/20, but my gut is telling me that patient health and safety was not at the top of the priority list when making this decision. And finally, let’s not forget the real criminals here, and where the blame ultimately should go, the threat actors who carried out the attack
2. MFA Meets its Match?
Multi-factor authentication (MFA) has long been a widely recommended cybersecurity control due to its ability to keep threat actors from authenticating to services from anywhere easily over the internet.
MFA has been and remains to be a strong security control because it requires two of the following three items for a user to log into their account:
- Something you know (e.g., a password)
- Something you have (e.g., a token or mobile device)
- Something you are (e.g., biometrics, fingerprints, etc.)
A recent article from Brian Krebs has highlighted some new and emerging services that farm for one-time passcodes from users on a mass basis. The so-called OTP interception services will call or text a user posing as a legitimate source and ask for the OTP credentials that were just sent to them. The threat actors that use these services typically already have the other authentication credentials needed to access the user’s account, they are at the final step where they need to bypass the MFA in place.
The research notes that these services are springing up because they are successful and profitable. This is yet another social engineering vector that organizations must be aware of when training their staff to be on the lookout. While most social engineering training focusing on phishing, these OTP harvesters present a new challenge that we must be aware of and educate people on.
3. VMware vCenter Server Critical Vulnerability Exploited in the Wild
Last week the US Cybersecurity & Infrastructure Security Agency (CISA) warned organizations to expect "widespread exploitation" of a VMware vCenter Server flaw because of publicly available exploit code confirmed to be exploited in the wild. Anyone running vCenter Server 6.5, 6.7, and 7.0 is affected.
vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. It pretty much is the central hub for all VMware services for clients.
The VMware advisory classifies the vulnerability as a CVSS 9.8, a critical level, and recommends updating to the “Fixed Version” of 7.0 U2c. The advisory also recommends that if the update isn’t able to be made immediately, there is a workaround that may be applied in the meantime.
As most week’s remind us, patching and staying up on vendor advisories as part of your vulnerability management process should be of the utmost importance.