HHS HC3: Healthcare Sector Remains at Risk for Log4j Attacks
'No Major Compromises' in Sector - So Far, Says Agency
Although there have been no major compromises in the healthcare and public health sector to date involving Apache Log4j flaws, the health sector remains highly vulnerable, as do other industries, federal regulators warn.
"Health sector adversaries are actively leveraging these vulnerabilities," says the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a threat report issued on Thursday.
"Updating can be a time-consuming and tedious process. Further vulnerabilities may continue to be identified soon," HC3 says.
"There are both short- and long-term steps to take in order to remain secure. Vulnerabilities in ubiquitous apps will present similar issues in the future," the report says.
State-sponsored actors in several countries, including China and Iran, are believed to be leveraging Log4Shell, according to HC3. It says that:
- In China, Microsoft reports that the cyberthreat actor known as Hafnium has been leveraging the vulnerability to attack virtualization infrastructure, using DNS to conduct fingerprinting.
- Also in China, CrowdStrike reports that Aquatic Panda has used a modified Log4Shell exploit to harvest credentials and memory dumps.
- In Iran, according to Microsoft, the cyberthreat actor known as Phosphorus has used a modified Log4Shell exploit to deploy ransomware.
- Also in Iran, according to Check Point, the APT35 group has been conducting aggressive scanning for systems vulnerable to Log4Shell.
- In Turkey and North Korea, according to Microsoft, threat actors have been leveraging Log4Shell.
In addition, "SecurityScorecard has reported seeing reconnaissance activity related to Log4Shell originating from Chinese and Russian state-sponsored actors. Mandiant reported having observed Chinese and Iranian state-sponsored actors leveraging Log4Shell," HC3 writes.
Nonstate cybercriminals, including ransomware operators, are also leveraging Log4Shell, and the Muhstik and Mirai botnets have added it to their exploit toolkits. HC3 calls Conti a "prolific threat to the health sector," adding: "Per Advanced Intelligence, Conti is one of the first sophisticated cybercriminal groups to leverage Log4Shell."
HC3's analysis report on Thursday follows an alert the HHS unit issued on Dec. 10 advising healthcare and public health organizations to survey their infrastructure to ensure they are not running vulnerable versions of Log4j (see: Log4j Flaw: Healthcare Sector Warned to Take Action).
"Any vulnerable systems should be upgraded, and a full investigation of the enterprise network should commence to identify possible exploitation if a vulnerable version is identified," that advisory said.
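The survey the Dec. 10 advisory calls for is, in practice, a sweep of every host for Log4j 2 core archives, including ones bundled inside WARs, EARs and shaded JARs where package inventories do not see them. The script below is an added example written for this article, not code from HC3 or CISA; it walks a directory tree, reads each archive's `pom.properties` for the log4j-core version, checks whether `JndiLookup.class` is still present (the class whose deletion was the interim mitigation), recurses into nested archives, and classifies each hit. The fixed-version floors (2.17.1 mainline, 2.12.4 for the Java 7 branch, 2.3.2 for the Java 6 branch) are the releases that closed the December 2021 CVE series. The sample archives it scans are constructed inline with empty class bodies so the example runs offline; they are not real Log4j binaries.

```python
"""Added example: sweep a filesystem for vulnerable log4j-core archives.

Not HC3/CISA code. Fixture archives below are constructed for the demo."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Class that makes unpatched log4j-core exploitable via JNDI lookups; its removal
# from the JAR was the published interim mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Lowest fixed release on each maintained branch (2.3.x Java 6, 2.12.x Java 7, mainline).
FIXED_FLOORS = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_MAINLINE = (2, 17, 1)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str                      # path, with "!/" marking nested archives
    version: Optional[Tuple[int, ...]]
    has_jndi_lookup: bool

    @property
    def status(self) -> str:
        if not self.has_jndi_lookup:
            return "mitigated"         # class deleted: not exploitable, but still an old build
        if self.version is None:
            return "review"            # JndiLookup present but no version metadata
        floor = FIXED_FLOORS.get(self.version[:2], FIXED_MAINLINE)
        return "vulnerable" if self.version < floor else "patched"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g) for g in m.groups() if g is not None) if m else None


def scan_archive(zf: zipfile.ZipFile, location: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    base = os.path.basename(location)
    has_jndi = JNDI_LOOKUP in names
    version = None
    if POM_PROPS in names:
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = parse_version(m.group(1)) if m else None
    if version is None and "log4j-core" in base:
        version = parse_version(base)  # fall back to the conventional file name
    if has_jndi or POM_PROPS in names or "log4j-core" in base:
        findings.append(Finding(location, version, has_jndi))
    # Recurse into bundled archives (WEB-INF/lib in WARs, nested EARs, shaded JARs).
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{location}!/{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_fixture(root: str) -> None:
    """Constructed sample archives (empty class bodies), not real Log4j binaries."""
    def make(path: str, version: Optional[str], keep_jndi: bool, extra: Optional[Dict[str, bytes]] = None) -> None:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if version:
                zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
            if keep_jndi:
                zf.writestr(JNDI_LOOKUP, b"")
            for name, data in (extra or {}).items():
                zf.writestr(name, data)
    make(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)   # unpatched
    make(os.path.join(root, "app1", "lib", "commons-text.jar"), None, False, {"org/x/Y.class": b""})
    make(os.path.join(root, "app2", "lib", "log4j-core-2.17.1.jar"), "2.17.1", True)   # fixed release
    make(os.path.join(root, "app3", "lib", "log4j-core-2.14.1.jar"), "2.14.1", False)  # class deleted
    nested = io.BytesIO()                                                              # old core hidden in a WAR
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.12.1\n")
        zf.writestr(JNDI_LOOKUP, b"")
    make(os.path.join(root, "app4", "portal.war"), None, False,
         {"WEB-INF/lib/log4j-core-2.12.1.jar": nested.getvalue()})


def demo() -> Dict[str, str]:
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {os.path.relpath(f.location, root).replace(os.sep, "/"): f.status
                for f in scan_tree(root)}


if __name__ == "__main__":
    for loc, status in sorted(demo().items()):
        print(f"{status:10s} {loc}")
```

Two caveats a practitioner should keep in mind: a "patched" result only says the JAR is at or above the fix floor for this CVE series, and a "mitigated" result means someone deleted the class from an old build, which still deserves the upgrade and the follow-up investigation the advisory asks for. The sweep also sees only archives on disk; Log4j pulled in at runtime, or vendor appliances that do not expose a filesystem, have to be reconciled against the CISA affected-products list instead.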
HC3 in its analysis report Thursday notes that healthcare sector entities should, among other steps, stay abreast of the repository of affected vendor products that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is maintaining, as well as CISA's mitigation guidance.