Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack
https://www.indiavpn.org/2024/04/16/widely-used-putty-ssh-client-found-vulnerable-to-key-recovery-attack/

Apr 16, 2024 | Newsroom | Encryption / Network Security

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys.

The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum.

“The effect of the vulnerability is to compromise the private key,” the PuTTY project said in an advisory.

“An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for.”

However, to obtain the signatures, an attacker would have to compromise a server that the key is used to authenticate to.

In a message posted on the Open Source Software Security (oss-sec) mailing list, Bäumer described the flaw as stemming from the generation of biased ECDSA cryptographic nonces, which could enable the recovery of the private key.

“The first 9 bits of each ECDSA nonce are zero,” Bäumer explained. “This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques.”

“These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents.”

Besides PuTTY, the flaw also affects other products that incorporate a vulnerable version of the software:

  • FileZilla (3.24.1 – 3.66.5)
  • WinSCP (5.9.5 – 6.3.2)
  • TortoiseGit (2.4.0.2 – 2.15.0)
  • TortoiseSVN (1.10.0 – 1.14.6)

Following responsible disclosure, the issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are recommended to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch becomes available.

Specifically, it has been resolved by switching to the RFC 6979 technique for all DSA and ECDSA key types, abandoning its earlier method of deriving the nonce using a deterministic approach that, while avoiding the need for a source of high-quality randomness, was susceptible to biased nonces when using P-521.

On top of that, ECDSA NIST-P521 keys used with any of the vulnerable components should be considered compromised and consequently revoked by removing them from authorized_keys files and their equivalents in other SSH servers.
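To support the revocation step above, here is an added example (not code from the article or from the PuTTY project) that lists the ecdsa-sha2-nistp521 entries in authorized_keys content, skipping any leading options field and confirming the key type against the name stored inside the base64 blob. The function names and the sample lines are constructed for illustration; the check only identifies candidate keys and cannot tell which client they were used with.

```python
import base64
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"  # key type named in the advisory

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values in one field."""
    fields, cur, in_quote, escaped = [], [], False, False
    for ch in line.strip():
        if ch in " \t" and not in_quote:
            if cur:
                fields.append("".join(cur))
                cur = []
            continue
        cur.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    if cur:
        fields.append("".join(cur))
    return fields

def blob_key_type(b64_text):
    """Return the algorithm name stored at the start of an SSH key blob, or None."""
    try:
        blob = base64.b64decode(b64_text, validate=True)
        (name_len,) = struct.unpack(">I", blob[:4])
        if not 0 < name_len <= len(blob) - 4:
            return None
        return blob[4:4 + name_len].decode("ascii")
    except (ValueError, struct.error):  # bad base64, short blob, non-ASCII name
        return None

def find_p521_keys(text):
    """Return (line_number, comment) for every P-521 entry in authorized_keys text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = split_fields(line)
        # The key type is the first field whose successor decodes to a blob
        # naming the same type; anything before it is the options field.
        for i in range(len(fields) - 1):
            if blob_key_type(fields[i + 1]) == fields[i]:
                if fields[i] == AFFECTED_TYPE:
                    findings.append((lineno, " ".join(fields[i + 2:])))
                break
    return findings

def constructed_blob(key_type):
    """Build a placeholder blob: real type header, dummy key material."""
    name = key_type.encode("ascii")
    return base64.b64encode(struct.pack(">I", len(name)) + name + b"\x00" * 32).decode()

# Constructed sample input, not taken from any real system.
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-ed25519 " + constructed_blob("ssh-ed25519") + " alice@laptop",
    'command="/usr/bin/backup --label \\"nightly run\\"",no-pty ecdsa-sha2-nistp521 '
    + constructed_blob(AFFECTED_TYPE) + " backup@winscp-host",
    "ecdsa-sha2-nistp256 " + constructed_blob("ecdsa-sha2-nistp256") + " bob@desk",
    "ecdsa-sha2-nistp521 not-base64!! broken@entry",
])

if __name__ == "__main__":
    for lineno, comment in find_p521_keys(SAMPLE):
        print(f"line {lineno}: {AFFECTED_TYPE} key ({comment}) - review for revocation")
```

Entries whose blob does not decode, such as the last sample line, are not reported and should be reviewed by hand.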

Cybersecurity for Healthcare—Diagnosing the Threat Landscape and Prescribing Solutions for Recovery
Wed, 21 Feb 2024
https://www.indiavpn.org/2024/02/21/cybersecurity-for-healthcare-diagnosing-the-threat-landscape-and-prescribing-solutions-for-recovery/

On Thanksgiving Day 2023, while many Americans were celebrating, hospitals across the U.S. were doing quite the opposite. Systems were failing. Ambulances were diverted. Care was impaired. Hospitals in three states were hit by a ransomware attack, and in that moment, the real-world repercussions came to light—it wasn’t just computer networks that were brought to a halt, but actual patient care itself.

Cybercriminals are more brazen than ever, targeting smaller healthcare organizations for big payouts. Sure, it would be nice to believe thieves once lived by a code of conduct, but if one ever existed, it’s been torn to shreds and tossed into the wind. Sophisticated hacker groups are now more than happy to launch cyberattacks on medical clinics, nursing homes, and other health service providers. Small- to mid-sized healthcare organizations have, unfortunately, become vulnerable targets from which cybercriminals can easily steal sensitive data, extort heavy ransoms, and, worst of all, diminish critical patient care.

Ransomware and Phishing Attacks are Spreading at an Unhealthy Rate

If you work in healthcare, everything you do is important. That’s why the frequency with which healthcare organizations now come under attack is so concerning. According to the U.S. Department of Health and Human Services (HHS), there’s been a 93% increase in large breaches from 2018 to 2022. In that same period, there’s been a 278% increase in breaches involving ransomware.

Ransomware doesn’t just hold your pocketbook hostage, but also your patients’ safety. At best, you’re locked out of your systems for a moment. At worst, patient care is radically compromised. This is especially alarming if you service smaller communities, where the local population relies on your clinic, cancer center, or physician’s office as the first and last lines of critical care.

Your patients are obviously your top priority, but you also have to consider the dollars at stake. The HIPAA Journal notes that in 2021, the average ransomware payment in the healthcare industry was $197,000. And that’s an increase of 33% from the prior year!

Phishing—fraudulent emails disguised as legitimate sources attempting to solicit personal information—is now the most popular means of attack. In fact, The HIPAA Journal cites that more than 90% of cyberattacks on healthcare organizations are phishing scams. That means carelessly clicking on one email can have dire consequences for your staff, your patients, and your operation.

Aside from the potential financial burden inflicted by cybercriminals, Health Insurance Portability and Accountability Act (HIPAA) fines can also be debilitating. If you fall prey to data breaches, you can potentially be fined tens of thousands of dollars per violation. Case in point, a medical group in Louisiana recently paid a staggering fine of $480,000, settling the first-ever cyberattack investigation conducted by HHS’ Office for Civil Rights. This was all the result of a basic phishing scam where a cybercriminal gained access to the medical group’s Microsoft 365 environment, the storage point for their patients’ protected health information (PHI).

More Endpoints and Fewer Resources Make Healthcare Easier Targets

Simply put, effective cybersecurity needs both advanced technology and human expertise. However, according to the report, The State of Cybersecurity for Mid-Sized Businesses in 2023, Huntress discovered over 60% of respondents didn’t have any dedicated cybersecurity experts on staff. That’s because many small- and mid-sized businesses (SMBs) are constrained, struggling to attain just one of these core components. Due to a variety of economic factors, SMBs—both within and beyond healthcare—have had to reduce budgets, which means foregoing much-needed investments in cybersecurity products and people.

According to the Healthcare Information and Management Systems Society (HIMSS), healthcare organizations typically spend less than 6% of their overall IT budgets on cybersecurity. Making matters worse, there’s a profound shortage of cybersecurity talent, so filling internal roles with qualified candidates has become a rising challenge. And with top talent being few and far between, the best candidates are commanding top-level salaries, which at times are out of reach for smaller healthcare organizations.

Aging tech isn’t helping matters either. Outdated equipment and legacy operating systems have become easy points of access for cybercriminals. Therefore, smaller healthcare organizations are ideal targets due to weaker defenses. With limited budgets and less manpower, your IT team may be stretched thin or may not possess the cybersecurity expertise to manage evolving cyber threats.

Adding to the chaos, there are more endpoints to protect than ever before. Over the past decade, most notably throughout COVID, remote work and telehealth have grown significantly. The good news is patients can now receive care from the comfort of their own homes, and providers like you can monitor and assist them from off-site. However, this level of care demands more avenues to access data, specifically via tablets, laptops, and mobile devices. This also means there are now more attack surfaces for unscrupulous actors to access your data.

The Threat Landscape is Evolving, for the Worse

One reason threats are becoming more frequent is because cybercriminals are becoming more organized. And more ruthless. It’s no longer a mischievous loner in a dark basement, hunched over a monitor, hiding behind a black hoodie. These are sophisticated criminal entities that can carry out carefully choreographed heists. Imagine Ocean’s Eleven, but with less style and far less remorse.

U.S. intelligence has even uncovered hacking groups tied to hostile nations. Also known as advanced persistent threats (APTs), these state-sponsored cybercriminals have the means to debilitate everything from water-treatment plants to natural gas pipelines to electric grids. If these groups have grown powerful enough to take out military and civilian infrastructure, your small- to mid-sized healthcare organization is no challenge. For them, you’re just a drive-by ATM.

In the Huntress report, The State of Cybersecurity for Mid-Sized Businesses in 2023, it was revealed that nearly 25% of SMBs have either suffered a cyberattack or didn’t even realize they had suffered one in the past year.

Cybercriminals are now hiding in plain sight. They’ve advanced beyond the point of standard ransomware tactics, and they’re “blending into” your normal IT operations to exploit built-in system functionalities. This makes it easier for them to gain control over legitimate applications, such as remote monitoring and management (RMM), to manipulate your systems. For instance, cybercriminals can use living-off-the-land binaries (LOLBins)—trusted executables pre-installed on your operating systems—and exploit them for malicious intent. If these threat actors are no longer just relying on custom malware, then your standard spam filters or anti-malware solutions just aren’t enough. Therefore, you need visibility into your entire security system.

You Can Take Action Now with a Few Solutions

When it comes to healthcare cybersecurity, there’s a lot on the line—including lives—so it’s important that organizations like yours are vigilant and proactive. Because no single layer of your security is completely safe anymore, you must adopt a defense-in-depth approach.

This entails creating layers to your defenses with solutions such as intrusion prevention, data encryption, threat detection, patch management, and more. So if a threat bypasses one of these countermeasures, there’s another layer to stop it from slipping through the cracks. A layered approach, however, likely requires ongoing monitoring and fine-tuning. If you happen to lack the in-house resources and expertise to manage your cybersecurity, rest assured there are a variety of simple solutions you can still implement to achieve effective protection, with one of the most potent being a managed EDR.

Security Awareness Training (SAT)

Introduce SAT to educate your staff on cybersecurity best practices. These programs can include phishing simulations and relevant cyber threat lessons that can guide them to make smarter decisions to keep your organization and your patients safe. When it comes to SAT programs, it’s advised you introduce engaging, story-driven lessons, as those are proven to be more effective for knowledge retention.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of protection by requiring your staff to use a second verification factor, such as a personal phone or a security token, to gain access to an account. You’ve likely seen MFA used when logging into your banking app or even your go-to streaming service. The benefit of MFA is it goes beyond usernames and passwords, which can easily be lost, forgotten, or stolen.

Managed EDR

This can be the most powerful and cost-effective solution for your healthcare organization. By coupling advanced technology with human-led analysis, a managed EDR performs critical cybersecurity tasks on your behalf, namely:

  • Monitoring and collecting endpoint data
  • Detecting and investigating threats
  • Triaging alerts
  • Providing actionable remediation steps, including one-click solutions

Easy to deploy, Huntress Managed EDR is fully managed and monitored by a 24/7 Security Operations Center. These cybersecurity experts have your back from the first signs of suspicious activity all the way to remediation.

Huntress Safeguards Healthcare’s Cybersecurity Needs

As healthcare organizations sit in the crosshairs of cybercriminals, it’s absolutely vital you keep your defenses up. This is especially important in a world marked by ever-expanding threats and shrinking budgets.

Cybercriminals are now smarter, more coordinated, and definitely more unforgiving. They don’t care who they hurt, just so long as they can turn a quick profit. Therefore, it’s critical you bolster your cybersecurity in order to protect your organization, your staff, and your patients.

Building a thorough defense infrastructure, however, requires sizable capital, resources, and expertise. While smaller healthcare organizations can find it difficult to prioritize these, there are solutions. Evaluate potential risks. Educate your staff on cyber threats. And adopt a managed EDR. Just like in medicine, even the most basic preventive measures can stop the spread of something far more harmful.

Schedule a Trial Today

Huntress can help healthcare organizations like yours remain secure from ever-evolving cybersecurity threats. Schedule your free trial today.

Attending HIMSS 2024?

In Orlando, from March 11 to 15, you can visit Huntress in Booth 1616. Come learn more about how Huntress can help your healthcare organization thwart cyberattacks.

This article is a contributed piece from one of our valued partners.

Backup and Recovery Strategies for Exchange Server Administrators
Fri, 19 Jan 2024
https://www.indiavpn.org/2024/01/19/backup-and-recovery-strategies-for-exchange-server-administrators/

In the current digital landscape, data has emerged as a crucial asset for organizations, akin to currency. It’s the lifeblood of any organization in today’s interconnected and digital world. Thus, safeguarding the data is of paramount importance. Its importance is magnified in on-premises Exchange Server environments where vital business communication and emails are stored and managed.

In this article, you will learn about the evolving threats of data loss, the shift in responsibilities of administrators, and key backup and recovery strategies for preventing data loss in the Exchange Server environment.

Data Loss Scenarios in Exchange Servers

Data loss in on-premises Exchange Server environments has become increasingly common. Cybersecurity threats, like ransomware attacks, have emerged as a significant cause of data loss in recent years, with many financially motivated threat actors increasingly targeting the vulnerabilities in Exchange Servers. These attackers try to exploit vulnerabilities, such as ProxyLogon, to gain unauthorized access to the server or users’ email accounts.

Besides vulnerabilities in the system, hardware failure and human errors can also cause data loss in on-premises Exchange Servers. According to a study by Gartner, it is estimated that 30% of organizations will experience an incident involving data loss caused by a negligent employee by 2025.

Evolving Role of Exchange Server Administrators

The role of Exchange Server administrators has significantly evolved in recent years due to increasing malware/ransomware attacks, forcing them to quickly adapt and act as guardians to protect the organizations’ data and reputation.

However, the complexity of managing huge volumes of data in modern on-premises Exchange Server environments has also increased substantially. Today, administrators need to navigate the complexity of the Exchange Server environment, which is primarily driven by factors such as requirements for enhanced security measures to fight against sophisticated cybercriminals and newer threats.

Understanding the Stakes

The consequences of data loss in Exchange Server environments are profound.

1. Financial Losses

Financial losses are one of the most common consequences of data loss. The operations of an organization are supported by data. If the data is lost, it means the organization loses not only its ability to generate income but also its ways of operating. In addition, when data is lost, a considerable amount of resources are channeled towards data recovery.

2. Reputational Damage

Building trust takes time. However, losing it takes only one bad decision. A data breach or ransomware attack can severely tarnish an organization’s reputation in the market, breaking customers’ or clients’ trust. Nobody wants to end up in the headlines of the media for all the wrong reasons.

3. Downtime and Lack of Business Continuity

Email communication is essential for daily operations. Loss of critical data can disrupt workflow and hamper productivity, which can have severe implications on the organization.

A report by IDC states that the average cost of downtime due to data loss in a mid-sized organization is approximately $1.25 million per year.

4. Business Closure

Data loss can potentially lead to an organization’s bankruptcy or closure. According to the University of Texas, 94% of companies that suffer from catastrophic data loss do not survive. Out of these, 43% never reopened, and 51% closed within two years.

5. Regulatory and Legal Fines

Businesses are obliged to comply with data protection laws, rules, regulations, and industry standards. Failing to do so can have severe implications, such as hefty fines. Legal actions can also undermine your organization’s reputation.

Prevent Data Loss – Develop a Thoughtful Backup Strategy

The most common reason for data loss in Exchange Servers is database corruption or damage. To safeguard against data loss, administrators need a comprehensive backup strategy tailored to their Exchange Server environments.

Below are some Exchange Server backup methods and strategies that administrators can follow to prevent permanent data loss.

1. Utilize VSS-Based Backup

Exchange Server supports Volume Shadow Copy Service (VSS)-based backups. You can use the Exchange-aware Windows Server Backup application with a VSS plug-in to back up active and passive Exchange database copies and restore the backed-up database copies.

2. Backup Combination

Exchange administrators should ideally use a combination of full and incremental backups. Full backups capture the entire Exchange Server database, while Exchange Server incremental backups capture and store the changes since the last full backup.

In addition, there are differential backups that record changes since the last full backup without truncating transaction logs. However, these are used less frequently due to their complexity.

3. Transaction Log Management

Transaction logs play a crucial role in maintaining database consistency. They are also critical for database recovery on Exchange Servers. When you perform a full backup, it automatically truncates the transaction logs to save disk storage. Thus, always back up the transaction logs before performing a full backup.

4. Circular Logging

Circular logging is disabled in Exchange Server by default. However, administrators can enable it to truncate the database logs automatically. You can use this when the transaction logs are not purging automatically after a full backup.

5. Follow the 3-2-1 Backup Rule

Follow the 3-2-1 backup strategy to protect your Exchange Server data from permanent loss. The strategy simply states that you must have the following:

  • At least three copies of your data on different media, such as disks and tape.
  • One copy is stored off-site or in a remote location to ensure that natural, man-made, or geographical disasters cannot damage all the backup copies (disaster recovery).

Proactive Measures for Data Protection

A proactive approach is fundamental to preventing data loss. Therefore, administrators should consider the following best practices for data protection:

  • Robust Security Measures: Implement robust security protocols, regularly update security software, and install Exchange Server and Windows updates to protect against threats.
  • Continuous Learning: Continuous learning and training about email security and cyber-attacks among administrators, employees, and customers is critical to stay informed about emerging threats and vulnerabilities.
  • Access Control: Restrict access to sensitive data and implement strong authentication mechanisms. Make sure to use role-based access control (RBAC) to restrict access in Windows and Exchange Server environments.

Exchange Server Recovery Strategies

Exchange administrators also need to be ready when it comes to the recovery of corrupt or dismounted databases in case something happens. Here are some strategies that can help in the quick recovery of the database in case of an issue or incident.

1. Recovery Databases

Recovery databases (RDBs) are special Exchange Server databases that allow administrators to mount and extract data from the restored mailbox database. RDBs help in restoring data without impacting the live environment.

2. Use Exchange Native Data Protection

Exchange Server 2016 and 2019 have capabilities to safeguard data without relying solely on traditional backups.

3. Dial Tone Portability

Administrators can use Dial Tone Portability or Dial Tone Recovery. In this, an empty Exchange database with the same database name and schema version is created that allows users to continue to send and receive new emails while the administrators restore and recover the failed databases. This method provides continuity during disaster recovery.

4. Exchange Recovery Tools

In case of a server crash, or when the Exchange database backup is unavailable or obsolete, an Exchange recovery tool, such as Stellar Repair for Exchange, can help Exchange administrators extract mailboxes from severely corrupt or damaged Exchange databases. The tool also assists in the dial tone recovery method. It allows the extraction and export of recovered mailboxes from damaged EDB files to the dial tone database or any existing healthy database on the same Exchange Server. This helps restore users’ mailboxes and their Outlook connectivity, minimizing downtime and disruption.

Conclusion

Exchange Server administrators play a critical role in protecting crucial business data in an increasingly challenging landscape. The risks associated with data loss are substantial and range from financial repercussions to damage to the organization’s reputation. To mitigate these risks, administrators must develop thoughtful backup strategies, adopt proactive security measures, and have robust recovery plans in place.

To mitigate data loss risks, organizations should prioritize backup and recovery strategies. Regularly backing up Exchange Server data and having a well-defined recovery plan can significantly reduce the impact of data loss incidents.
