Zero-Day Attacks


LEADERSHIP FOR IT SECURITY & PRIVACY ACROSS HHS
HHS CYBERSECURITY PROGRAM
OFFICE OF INFORMATION SECURITY

Zero-Day Attacks
11/18/2021
TLP: WHITE, ID# 202111181300

Agenda

- What are Zero-Day Attacks?
- Famous Attacks Leveraging Zero-Days
- Zero-Day Trends
- Bug Bounty Programs
- Impact on the HPH sector
- Mitigations

Slides Key:
Non-Technical: Managerial, strategic and high-level (general audience)
Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)

What We Mean When We Say “Zero-Day”

- Zero-Day Attack: Threat actors leverage their zero-day exploit in a cyberattack
- Zero-Day Exploit: A method that weaponizes a discovered vulnerability, often involves malware
- Zero-Day Vulnerability: An unknown flaw in a software program

Zero-Days

Collectively, a zero-day attack is a vulnerability that is exploited by threat actors before a patch is developed and applied. Because no time exists between when the vulnerability is discovered by developers and when it is exploited by threat actors, these vulnerabilities are called “zero-days”.

Timeline:
1. Vulnerability exists during software development
2. Threat actor discovers the vulnerability
3. Vulnerability is exploited
4. Vulnerability is discovered internally (by developers) or externally (outside researchers)
5. Vulnerability is patched

Famous Zero-Day Attacks

- 2010 Stuxnet attack on Iranian nuclear program
    o Four zero-days
    o Successfully caused Iranian centrifuges to self-destruct, damaging Iran’s nuclear program
- 2017 Dridex Trojan
    o Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document and led to installation of the Dridex botnet on devices
    o Avoided common malware-blocking mitigations and did not require user interaction beyond opening the document
    o Patched on April 11, 2017
- 2021 SonicWall zero-day ransomware attack
    o UNC2447 used vulnerability in SonicWall SMA 100 Series VPN to deploy FiveHands ransomware
        - FiveHands, HelloKitty, and DeathRansom ransomwares are in the same family
    o Later exploited indiscriminately in the wild
    o SonicWall released mitigations in February 2021

HAFNIUM

- January 2021 HAFNIUM attack on Microsoft Exchange servers
    o Collection of four zero-days
        - Threat actors look for internet-accessible Microsoft Exchange servers using Outlook Web Access (OWA), then create a web shell to gain remote control of the compromised server
        - Once compromised, threat actors can steal an organization’s data, gain unauthorized access to critical systems, elevate privileges, and move laterally to other systems and environments
    o Originally accomplished by Chinese state-sponsored group
        - Expanded to at least ten APT groups by mid-March, including six groups exploiting the vulnerability before a patch was created
        - Possible convergent discovery, more likely purposeful distribution
    o Affected over 100,000 mail servers
        - Targeted organizations included biotechnology, pharmaceutical, and healthcare entities
    o Patched in March 2021
        - Patch prevents new organizations from being compromised, does not solve existing infiltration
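The HAFNIUM slide describes attackers planting a web shell on the compromised server. The following is an added example, not from the HC3 deck or from Microsoft: a baseline-and-diff check that flags server-side script files which appear in, change in, or vanish from a web root between a known-good snapshot (taken right after a trusted deployment) and a later one. The web root path, file names, contents and the extension list are constructed for the example, and an in-memory tree stands in for walking a real directory.

```python
import hashlib
from typing import Dict, List, Tuple

# Extensions the web server executes. A file with one of these names that is new
# or changed outside a planned deployment is worth an alert. The list is an
# assumption for the example, not taken from the deck.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")


def _is_script(path: str) -> bool:
    return path.lower().endswith(SCRIPT_EXTENSIONS)


def snapshot(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map path -> SHA-256 hex digest for every script file in an in-memory
    directory tree. In production the tree would come from walking the web root."""
    return {path: hashlib.sha256(content).hexdigest()
            for path, content in tree.items() if _is_script(path)}


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare a known-good snapshot with a fresh one and return sorted
    (finding, path) pairs for scripts that are new, altered, or removed."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append(("new_script", path))
        elif baseline[path] != digest:
            findings.append(("modified_script", path))
    for path in baseline:
        if path not in current:
            findings.append(("removed_script", path))
    return sorted(findings)


# Constructed web root as it looked right after a trusted deployment.
WEBROOT = "/var/www/app"   # constructed path
DEPLOYED_TREE = {
    f"{WEBROOT}/default.aspx": b"<% 'constructed legitimate page' %>",
    f"{WEBROOT}/auth/logon.aspx": b"<% 'constructed logon page' %>",
    f"{WEBROOT}/css/site.css": b"body { margin: 0 }",
}

# Constructed later state: one script altered, one unknown script added, and one
# stylesheet changed (not a script, so it is not reported).
LATER_TREE = dict(DEPLOYED_TREE)
LATER_TREE[f"{WEBROOT}/auth/logon.aspx"] = b"<% 'constructed altered logon page' %>"
LATER_TREE[f"{WEBROOT}/auth/new-page.aspx"] = b"<% 'constructed unexpected new script' %>"
LATER_TREE[f"{WEBROOT}/css/site.css"] = b"body { margin: 1px }"


def scan_webroot_example() -> List[Tuple[str, str]]:
    """Run the check over the constructed trees and return the findings."""
    return diff_snapshots(snapshot(DEPLOYED_TREE), snapshot(LATER_TREE))


if __name__ == "__main__":
    for finding, path in scan_webroot_example():
        print(f"ALERT {finding}: {path}")
```

The baseline must be taken from a state you trust (immediately after deployment) and stored where the web server account cannot rewrite it; otherwise an intruder who already holds the server can refresh the baseline along with the shell. Patching closes the door the slide describes, but a check like this is what tells you whether someone walked through it before the patch landed.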

Ponemon Research

Surveyed approximately 400 IT and IT security practitioners located in the United States in 2019.

- 100%: The amount that new or unknown zero-day attacks were expected to increase from 2019 to 2020
- 80%: The percentage of successful breaches that are new or unknown zero-days
    o These attacks either involved the exploitation of undisclosed vulnerabilities, or the use of new malware variants that detection solutions do not recognize
- 97 Days: The average time to apply, test and fully deploy patches

MIT Research Identifies Zero-Day Trends

What’s Driving This Trend?

- More Zero-Days Used
- More Zero-Days Identified

More Zero-Days Used vs. Identified

More Used:
- Zero-day exploits are incredibly valuable
    o 1 million on open market
    o Zerodium’s public zero-day prices show as much as a 1,150% rise in the cost of the highest-end hacks from 2018-2021
- Market for zero-days is opening up
    o Previously limited to groups with deep pockets
    o “If you can’t develop your own zero-days, store bought is fine”
- “Financially motivated actors are more sophisticated than ever. One-third of the zero-days we’ve tracked recently can be traced directly back to financially motivated actors.” – Jared Semrau, Director of Vulnerability and Exploitation at FireEye Mandiant
    o Zero-days can be leveraged into lucrative attacks, such as ransomware
- A single vulnerability can put millions of customers at risk

More Identified:
- Consensus of security researchers is that increased rate of detection is driving at least part of this trend
    o “Defenders have clearly gone from being able to catch only relatively simple attacks to detecting more complex hacks.” – Mark Dowd, founder of Azimuth Security.
- Increase in quality and availability of detection tools
- Private sector groups devote massive resources to the problem
    o Google’s Threat Analysis Group (TAG)
    o Kaspersky’s Global Research & Analysis Team (GReAT)
    o Microsoft’s Threat Intelligence Center (MSTIC)
- Bug bounty programs provide financial rewards for turning in vulnerabilities rather than exploiting them

Bug Bounty Programs

- Vendors may reward hackers directly for flaws with their products
    o In October 2021, blockchain technology company Polygon paid 2 million USD to an ethical hacker for his discovery of a flaw that would have allowed a hacker to make repeated double-withdrawals from their network
- Third parties may act as intermediaries between hackers and software companies
    o Examples: Zerodium and Zero Day Initiative
    o Can preserve security researcher anonymity and privacy
    o Acquiring company owns the rights to the zero-day exploit and any intellectual property
    o Resells information to affected vendors

Recent HPH Sector Zero-Days

- August 2021 discovery of zero-day vulnerability “PwnedPiper” affecting the pneumatic tube systems used by hospitals to transport medication, bloodwork, and test samples
    o Attackers could exploit flaws in the control panel software
        - Control panel allowed unsigned, as well as unauthenticated and unencrypted, firmware updates
        - Hard coded credentials could allow attackers access
        - Required physical access to the panel
    o “The Nexus Control Panel powers the stations on-premises. Once you compromise a station, without [needing] credentials, you can harvest any employee credentials to access these systems.” – Ben Seri, Vice President of Research at Armis
    o Network segmentation can mitigate this vulnerability
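The PwnedPiper slide faults a control panel that accepted unsigned, unauthenticated firmware updates and shipped hard-coded credentials. The following is an added example, not from the HC3 deck, Armis, or the vendor: the permissive parser that accepts any well-formed image, beside a validator that refuses images whose authentication tag does not verify or whose version would roll the device back. The package layout (magic, version, length, payload, tag) and the device key are constructed; HMAC-SHA256 from the Python standard library stands in for the vendor signature that a real device would check with an embedded public key.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed package layout: header (magic, version, payload length), payload,
# then a 32-byte tag over header||payload. Not any real vendor's format.
MAGIC = b"PTS1"
HEADER = struct.Struct(">4sII")     # big-endian: 4-byte magic, u32 version, u32 length
TAG_LEN = hashlib.sha256().digest_size

# Assumption: the verification key is provisioned per device at manufacture and
# kept in protected storage, rather than compiled into the firmware image the way
# the deck's hard-coded credentials were.
DEVICE_KEY = b"constructed-per-device-key"


def build_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor/tooling side: wrap a payload with a header and authentication tag."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unverified_apply(installed_version: int, package: bytes) -> Optional[Tuple[int, bytes]]:
    """The permissive behaviour: anything with a well-formed header is accepted.
    No origin check, no integrity check, no version check."""
    if len(package) < HEADER.size:
        return None
    magic, version, length = HEADER.unpack_from(package)
    if magic != MAGIC:
        return None
    return version, package[HEADER.size:HEADER.size + length]


def verified_apply(key: bytes, installed_version: int, package: bytes) -> Optional[Tuple[int, bytes]]:
    """Hardened acceptance: parse, compare the tag in constant time, and refuse any
    image that is not strictly newer than what is installed (anti-rollback)."""
    if len(package) < HEADER.size + TAG_LEN:
        return None
    magic, version, length = HEADER.unpack_from(package)
    if magic != MAGIC or len(package) != HEADER.size + length + TAG_LEN:
        return None
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # tampered, corrupted, or built with another key
    if version <= installed_version:
        return None                      # rollback to a version with known flaws
    return version, package[HEADER.size:HEADER.size + length]


def demo() -> dict:
    """Exercise both paths with constructed images and return the outcomes."""
    good = build_update(DEVICE_KEY, 2, b"constructed firmware v2")
    tampered = good[:HEADER.size] + b"X" + good[HEADER.size + 1:]   # flip one payload byte
    foreign = build_update(b"some-other-key", 3, b"constructed firmware v3")
    old = build_update(DEVICE_KEY, 1, b"constructed firmware v1")
    return {
        "good_verified": verified_apply(DEVICE_KEY, 1, good),
        "tampered_unverified": unverified_apply(1, tampered),
        "tampered_verified": verified_apply(DEVICE_KEY, 1, tampered),
        "foreign_verified": verified_apply(DEVICE_KEY, 1, foreign),
        "rollback_verified": verified_apply(DEVICE_KEY, 2, old),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The shared-key MAC is used here only because it ships with the standard library; it has the weakness that any device holding the key can forge images for its peers, which is why production update paths verify an asymmetric signature with a public key and keep the signing key off the device entirely. The rollback check matters on its own: without it, an authentic but older image re-opens every flaw the newer release fixed.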

Impact on HPH Sector

- Zero-day attacks can be used both to target specific, high value targets or affect wide swathes of organizations through commonly used software
    o Both pose substantial dangers to the HPH sector
- The most effective mitigation for zero-day attacks is patching, which can be difficult on medical IoT or legacy systems
- August 2020: Zero-day vulnerabilities in healthcare records application OpenClinic exposed patients’ test results
    o Developers were unresponsive to reports of four zero-days
    o Due to lack of developer action, users were urged to stop using the open-source program
    o Unauthenticated attackers could successfully request files containing sensitive documents from the medical test directory, including medical test results
        - Files must be requested by name

Mitigations

- Mitigating zero-day attacks completely is not possible – by nature, they are novel and unexpected attack vectors
- Patch early, patch often, patch completely
    o Security resources like HC3 can provide insight into active zero-days and available patches
- Implementing a web-application firewall to review incoming traffic and filter out malicious input can prevent threat actors from reaching security vulnerabilities
    o Analyzes traffic to and from applications, but not activity within applications
    o Requires considerable effort to monitor and “tune” to correctly identify malicious and non-malicious inputs
- Runtime application self-protection (RASP) agents sit inside applications’ runtime
    o RASP’s ability to detect anomalous behavior can prevent threat actors from executing zero-days
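The OpenClinic slide above says unauthenticated clients could fetch files from the medical test directory simply by naming them, and the mitigations slide notes that a web-application firewall sees traffic to and from an application but not activity within it, while RASP runs inside the runtime. The following is an added example, not from the HC3 deck, OpenClinic, or any WAF or RASP product: a file handler with the described flaw, a rule-based edge filter, and the same handler with the checks only in-application code can make. Paths, file contents, session tokens and filter rules are all constructed.

```python
import os
import re
from typing import Optional

# Constructed document root (assumption: the application's medical test directory).
DOC_ROOT = "/srv/clinic/medical_tests"

# Constructed in-memory file store, keyed by normalized absolute path, so the
# example runs offline without touching the real filesystem.
FILES = {
    os.path.join(DOC_ROOT, "patient-1234-bloodwork.pdf"): b"%PDF constructed test result",
    os.path.join(DOC_ROOT, "patient-5678-panel..v2.pdf"): b"%PDF constructed test result v2",
    "/srv/clinic/config/db.ini": b"password=constructed",
}

# Constructed session table: token -> authenticated user.
SESSIONS = {"sess-abc": "dr.alice"}


def _resolve(name: str) -> str:
    """Lexically normalize DOC_ROOT/name (collapses '.' and '..' components)."""
    return os.path.normpath(os.path.join(DOC_ROOT, name))


def vulnerable_get_file(name: str) -> Optional[bytes]:
    """The flaw the deck describes: anyone who knows a file name receives the file.
    No session is required, so the request is never tied to an authenticated user."""
    return FILES.get(_resolve(name))


# --- WAF-style edge filter: it sees raw request text and nothing else ----------
WAF_RULES = [re.compile(r"\.\."), re.compile(r"(?i)union\s+select")]   # constructed rules


def waf_allows(raw_request: str) -> bool:
    """True when no rule matches. The filter cannot distinguish an authorized
    download from an unauthenticated one: both are 'GET /file?name=...' on the
    wire. Its '..' rule also trips on a legitimate file name that merely contains
    two dots, which is the tuning effort the deck warns about."""
    return not any(rule.search(raw_request) for rule in WAF_RULES)


# --- RASP-style in-app check: runs with the application's own context ---------
def hardened_get_file(name: str, session_token: Optional[str]) -> Optional[bytes]:
    """Same handler with two checks only code inside the application can make:
    1. the caller must hold a valid session, and
    2. the normalized path must remain inside DOC_ROOT."""
    if session_token not in SESSIONS:
        return None                      # unauthenticated: refuse before any lookup
    target = _resolve(name)
    if os.path.commonpath([DOC_ROOT, target]) != DOC_ROOT:
        return None                      # path left the medical test directory
    return FILES.get(target)


if __name__ == "__main__":
    request = "GET /file?name=patient-1234-bloodwork.pdf HTTP/1.1"
    print("edge filter allows the unauthenticated request:", waf_allows(request))
    print("vulnerable handler serves it without a session:",
          vulnerable_get_file("patient-1234-bloodwork.pdf") is not None)
    print("hardened handler serves it without a session:",
          hardened_get_file("patient-1234-bloodwork.pdf", None) is not None)
```

A request for a real file name looks entirely benign on the wire, so the edge filter passes it and the vulnerable handler serves it with no session at all; only the check inside the application, which knows whether the caller is authenticated and where the path lands, refuses it. The same filter rejects a legitimate file name that happens to contain two dots, which is the kind of false positive that has to be tuned out before a WAF can be left in blocking mode.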

Reference Materials

References

- “What is a Zero-Day Exploit?” FireEye. October 28, 2021. …ero-day-exploit.html
- “Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day,” Proofpoint. April 11, 2017. …osoft-zero-day
- Gatlin, Sergiu. “New ransomware group uses SonicWall zero-day to breach networks,” Bleeping Computer. April 29, 2021. …-networks/
- Abrams, Lawrence. “SonicWall SMA 100 zero-day exploit actively used in the wild,” Bleeping Computer. February 1, 2021. …e-wild/
- Deuby, Sean. “Timeline of a Hafnium Attack,” Security Boulevard. May 5, …e-of-a-hafnium-attack/
- Flesher, Michael. “Healthcare's Microsoft Exchange Critical Exposure,” Meditology Services. March 15, 2021. …rosoft-exchange-critical-exposure/
- Ponemon, Larry. “The state of endpoint security risk: it’s skyrocketing,” Ponemon Institute. May 2020. https://ponemonsullivanreport.com/2020/05/
- Ponemon Institute. “The Third Annual Study on the State of Endpoint Security Risk,” Morphisec. January 2020. …20Endpoint%20Security%20Final.pdf

References

- O'Neill, Patrick. “2021 has broken the record for zero-day hacking attacks,” MIT Technology Review. September 23, 2021. …0/2021-record-zero-day-hacksreasons/
- O'Neill, Patrick. “This US company sold iPhone hacking tools to UAE spies,” MIT Technology Review. September 15, 2021. …3/us-sold-iphone-exploit-uae/
- Haworth, Jessica. “Bug Bounty Radar // The latest bug bounty programs for November 2021,” PortSwigger. November 1, 2021. …r-the-latest-bug-bounty-programs-fornovember-2021
- “What Is Runtime Application Self-Protection (RASP)?” Check Point Security. November 1, …-rasp/
- “Zero-day (0day) exploit,” Imperva. November 1, 2021. …zero-day-exploit/
- Goodin, Dan. “There’s a vexing mystery surrounding the 0-day attacks on Exchange servers,” Ars Technica. March 11, 2021. …pts/
- Bannister, Adam. “Zero-day vulnerabilities in healthcare records application OpenClinic could expose patients’ test results,” PortSwigger. December 2, 2020.
- Jackson Higgins, Kelly. “Multiple Zero-Day Flaws Discovered in Popular Hospital Pneumatic Tube System,” Dark Reading. August 2, 2021. …ospital-pneumatic-tube-system/d/d-id/1341584

Questions

Upcoming Briefs
- 12/2 – FIN12 as a Threat to Healthcare

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products are highly encouraged to provide feedback. If you wish to provide feedback, please complete the HC3 Customer Feedback Survey.

Requests for Information
Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@HHS.GOV.

Disclaimer
These recommendations are advisory and are not to be considered as Federal directives or standards. Representatives should review and apply the guidance based on their own requirements and discretion. HHS does not endorse any specific person, entity, product, service, or enterprise.

About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.

Products

Sector & Victim Notifications
Direct communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, as well as general notifications to the HPH about current impacting threats via the HHS OIG.

White Papers
Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar
Briefing presentations that provide actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic, or want to join our Listserv? Send your request for information (RFI) to HC3@HHS.GOV, or visit us at www.HHS.Gov/HC3.

Contact
www.HHS.GOV/HC3
HC3@HHS.GOV
