Medic! Uncle Sam warns hospitals not to use outdated IPnet freely on their networks

Meanwhile ransomware forces Alabama doctors to turn away non-urgent patients

The US Food and Drug Administration is warning hospital IT admins to keep a close eye on their networks following the discovery of security vulnerabilities in a relatively obscure and dated TCP/IP stack – IPnet – used in embedded devices.

The flaws, mostly buffer overflows and other memory-corruption bugs in various components of IPnet, can potentially be exploited by miscreants to remotely take control of equipment – in this case, medical implants and the base stations that manage them.

IPnet was developed by Interpeak, which Wind River gobbled up in 2006, though the stack had already been licensed to loads of other vendors. As such, the wonky code is present in some editions of Wind River's VxWorks, Microsoft's ThreadX, ENEA's Operating System Embedded (OSE), Green Hills' INTEGRITY, TRON's ITRON, and IP Infusion's ZebOS, all of which are used in medical systems among other specialist gear.

While the vulnerabilities, known collectively as Urgent/11, have been public since July, when Wind River issued a bulletin about IPnet, security researchers have since found that the flaws are more widespread than first believed, and could be present in any device that uses the stack for networking.

"Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support," the US FDA explains.

"Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today."

Obviously, the risk from these flaws would depend on the use case, but few medical implants, if any, would be directly vulnerable. Rather, the communications between controller base stations and home servers or the hospital's own LAN would be more likely to be exposed.

The FDA is advising IT admins to keep a close eye on their networks for signs of exploitation of Urgent/11 holes, and make sure to lock down their firewalls and VPN setups. Manufacturers, meanwhile, are being advised to take a close look at their products and patch or replace anything that uses the dated IPnet stack.
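As an added illustration of the compensating controls described above (lock down the network boundary, then watch it), and not code from the FDA, Wind River or this article: a POSIX shell script that generates an nftables ruleset confining a VLAN of embedded devices that cannot be patched quickly to a single base-station or management server, logging everything else that crosses the boundary, plus a helper that tallies the logged inbound drops per source host. The interface name, addresses, port and log lines are constructed assumptions. The page gives no Urgent/11 exploit signature, so the summary only surfaces unexpected hosts trying to reach the device VLAN, which is something to investigate rather than proof of exploitation.

```shell
#!/bin/sh
# Added example (not from the original article): compensating controls for
# embedded devices that cannot be patched quickly. The interface, addresses,
# port and log lines below are constructed assumptions for illustration.

# Emit an nftables ruleset that confines the device VLAN ($1) to one
# base-station/management server ($2) on one TCP port ($3). Everything else
# crossing the VLAN boundary is logged with a prefix and dropped, so the
# firewall log becomes the place to watch for probing of the device stack.
gen_segmentation_rules() {
  dev_if="$1"; mgmt_ip="$2"; mgmt_port="$3"
  cat <<EOF
table inet medseg {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    # devices may only open connections to the management server
    iifname "$dev_if" ip daddr $mgmt_ip tcp dport $mgmt_port ct state new accept
    iifname "$dev_if" log prefix "medseg-drop-out " drop
    # only the management server may open connections to the devices
    oifname "$dev_if" ip saddr $mgmt_ip ct state new accept
    oifname "$dev_if" log prefix "medseg-drop-in " drop
  }
}
EOF
}

# Load the generated ruleset into the kernel (requires root and nft).
apply_segmentation_rules() {
  gen_segmentation_rules "$@" | nft -f -
}

# Count logged inbound drops per source address so unexpected hosts that
# try to reach the device VLAN stand out. Reads kernel log lines on stdin
# and prints "count source", most active source first.
summarize_drops() {
  awk '/medseg-drop-in/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
       }
       END { for (src in hits) print hits[src], src }' | sort -rn
}

# Constructed log lines in the shape that the nftables "log prefix" action
# produces via the kernel log (fields trimmed for brevity).
SAMPLE_LOG='Oct  2 09:14:01 fw kernel: medseg-drop-in IN=eth0 OUT=vlan40 SRC=10.1.2.3 DST=10.40.0.7 PROTO=TCP SPT=44321 DPT=80
Oct  2 09:14:02 fw kernel: medseg-drop-in IN=eth0 OUT=vlan40 SRC=10.1.2.3 DST=10.40.0.8 PROTO=TCP SPT=44322 DPT=80
Oct  2 09:14:03 fw kernel: medseg-drop-in IN=eth0 OUT=vlan40 SRC=10.1.2.3 DST=10.40.0.9 PROTO=TCP SPT=44323 DPT=80
Oct  2 09:15:10 fw kernel: medseg-drop-out IN=vlan40 OUT=eth0 SRC=10.40.0.7 DST=8.8.8.8 PROTO=UDP SPT=5000 DPT=53
Oct  2 09:16:00 fw kernel: medseg-drop-in IN=eth0 OUT=vlan40 SRC=10.1.9.9 DST=10.40.0.7 PROTO=TCP SPT=50000 DPT=23'

# Run with "demo" to print the ruleset and the drop summary for the sample log.
if [ "${1:-}" = "demo" ]; then
  gen_segmentation_rules vlan40 10.20.0.5 443
  printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

The ruleset deliberately puts the device VLAN behind a default-drop forward policy rather than trying to match known-bad traffic: with a vulnerable TCP/IP stack, any host that can open a connection to the device is a risk, so the useful control is to shrink who can, and the useful signal is who tried.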

Ransomware attack leaves patients out in the cold

Of more immediate worry for patients and doctors is the report out of Alabama that three hospitals in the state are shutting down some of their operations in the midst of an ongoing ransomware attack.

DCH Health System says its hospitals in Tuscaloosa, Northport, and Fayette will be turning away non-critical patients for the foreseeable future as it works to clean up after the attack.

"While the attack has impacted DCH’s ability to accept new patients, we are still able to provide critical medical services to those who need it," the hospital chain said.

"Patients who have non-emergency medical needs are encouraged to seek assistance from other providers while DCH works to restore its systems."

No estimate was given for when the hospital might be back online and taking in new patients. ®

Unpatched Exchange server, stolen RDP logins... How miscreants get BlackCat ransomware on your network

Microsoft details this ransomware-as-a-service

Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-a-service (RaaS) offering.

The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.

In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims told to either pay the ransom or risk seeing their sensitive data leaked.

We're now truly in the era of ransomware as pure extortion without the encryption

Why screw around with cryptography and keys when just stealing the info is good enough

Feature US and European cops, prosecutors, and NGOs recently convened a two-day workshop in the Hague to discuss how to respond to the growing scourge of ransomware.

"Only by working together with key law enforcement and prosecutorial partners in the EU can we effectively combat the threat that ransomware poses to our society," said US assistant attorney general Kenneth Polite, Jr, in a canned statement.

Earlier this month, at the annual RSA Conference, this same topic was on cybersecurity professionals' minds – and lips.

HelloXD ransomware bulked up with better encryption, nastier payload

Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

The new capabilities make the ransomware, first detected in November 2021, and the developer behind it even more dangerous, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages, and that it is working to track down the author.

"While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

DeadBolt ransomware takes another shot at QNAP storage

Keep boxes updated and protected to avoid a NAS-ty shock

QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

The previous attacks occurred in January, March, and May.

This startup says it can glue all your networks together in the cloud

Or some approximation of that

Multi-cloud networking startup Alkira has decided it wants to be a network-as-a-service (NaaS) provider with the launch of its cloud area networking platform this week.

The upstart, founded in 2018, claims this platform lets customers automatically stitch together multiple on-prem datacenters, branches, and cloud workloads at the press of a button.

The subscription is the latest evolution of Alkira’s multi-cloud platform introduced back in 2020. The service integrates with all major public cloud providers – Amazon Web Services, Google Cloud, Microsoft Azure, and Oracle Cloud – and automates the provisioning and management of their network services.

Beijing-backed attackers use ransomware as a decoy while they conduct espionage

They're not lying when they say 'We stole your data' – the lie is about which data they lifted

A state-sponsored Chinese threat actor has used ransomware as a distraction to help it conduct electronic espionage, according to security software vendor Secureworks.

The China-backed group, which Secureworks labels Bronze Starlight, has been active since mid-2021. It uses the HUI Loader to install ransomware such as LockFile, AtomSilo, Rook, Night Sky and Pandora, but Secureworks asserts that the ransomware is probably just a distraction from the true intent: cyber espionage.

"The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the company argues.

$6b mega contract electronics vendor Sanmina jumps into zero trust

Company was an early adopter of Google Cloud, which led to a search for a new security architecture

Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.

Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.

With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.

Zscaler bulks up AI, cloud, IoT in its zero-trust systems

Focus emerges on workload security during its Zenith 2022 shindig

Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.

Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.

In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.

Cisco execs pledge simpler, more integrated networks

Is this the end of Switchzilla's dashboard creep?

Cisco Live In his first in-person Cisco Live keynote in two years, CEO Chuck Robbins didn't make any lofty claims about how AI is taking over the network or how the company's latest products would turn networking on its head. Instead, the presentation was all about working with customers to make their lives easier.

"We need to simplify the things that we do with you. If I think back to eight or ten years ago, I think we've made progress, but we still have more to do," he said, promising to address customers' biggest complaints with the networking giant's various platforms.

"Everything we find that is inhibiting your experience from being the best that it can be, we're going to tackle," he declared, appealing to customers to share their pain points at the show.

Cloudflare explains how it managed to break the internet

'Network engineers walked over each other's changes'

A large chunk of the web (including your own Vulture Central) fell off the internet this morning as content delivery network Cloudflare suffered a self-inflicted outage.

The incident began at 0627 UTC (2327 Pacific Time) and it took until 0742 UTC (0042 Pacific) before the company managed to bring all its datacenters back online and verify they were working correctly. During this time a variety of sites and services relying on Cloudflare went dark while engineers frantically worked to undo the damage they had wrought short hours previously.

"The outage," explained Cloudflare, "was caused by a change that was part of a long-running project to increase resilience in our busiest locations."

Now Windows Follina zero-day exploited to infect PCs with Qbot

Data-stealing malware also paired with Black Basta ransomware gang

Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

If you didn't store valuable data, ransomware would become impotent

Start by pondering if customers could store their own info and provide access

Column Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil".

Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of endless bounty, its intrinsic value remains difficult to define.

That's a problem, because what cannot be valued cannot be insured. A decade ago, insurers started looking at offering policies to insure data against loss. But in the absence of any methodology for valuing that data, the idea quickly landed in the "too hard" basket.
