At ONYPHE, we are very concerned about cyber-criminals taking advantage of the current worldwide coronavirus crisis. At our scale, we want to give a hand to hospitals by giving them free information about vulnerabilities we have discovered on their Internet borders. We are willing to share this data with hospitals or any state agency that could deliver information to them. In fact, we already provided some data to a few of them. But it is far from enough in regards to our results.
We already know many hospitals were compromised, before the crisis or even during it. Specific critical vulnerabilities were exploited and ransomware was deployed to extort those hospitals. We are checking those vulnerabilities too. Hospitals are already under pressure because they are (or will be) overwhelmed by sick people who need medication and care; they don't need a cyber-security crisis added on top.
This blog post describes what we check, how we check, and which kind of information we currently have. We also describe what we need to cooperate with hospitals and state agencies. But make no mistake, cyber-criminals probably already have the same information at their disposal, so we must take quick action.
Critical vulnerabilities we are currently checking
This week, we worked on writing check code to detect, in a non-intrusive manner, critical vulnerabilities we know are exploited against hospitals worldwide. Those vulnerabilities are exploited to deploy ransomware. They may have names (or not), but in all cases they allow intrusion and you must fix them as soon as possible. Here is our current list:
- CVE-2020-1938: Apache Tomcat AJP Connector RCE, known as #Ghostcat
- CVE-2018-13379: Fortinet FortiGate SSL VPN RCE
- CVE-2019-19781: Citrix Gateway RCE, known as #shitrix
- CVE-2019-11510: PulseSecure Pulse Connect Secure RCE
We currently have 74,166 unique IP addresses vulnerable to one of these 4 critical vulnerabilities. Fortunately, they are not all hospitals.
Around 63% are about CVE-2020-1938, 20% about CVE-2018-13379, 14% about CVE-2019-19781 and finally 3% for CVE-2019-11510.
How do we check these vulnerabilities?
Exploit code is available for all of these critical vulnerabilities. We developed our own checking methodology based on that information. We verify the existence (or absence) of each vulnerability by connecting to an innocuous URL and examining the response. We do not rely solely on versions discovered by banner grabbing for these specific vulnerabilities.
What do we need from hospitals or state agencies?
If you are a hospital, or a state agency in search of vulnerable hospitals in your country, we are willing to give you free information on impacted devices. To do so, what we need from you is the list of domain names or host names for your country's hospitals. With this list, we are able to correlate against our vulnscan data and extract the needed information.
For instance, we did that for hospitals in some countries. We were provided a CSV file with a list of domain names. We won't communicate any results or numbers because we don't want to help cyber-criminals. We communicated our results to some state agencies and hospitals (we won't communicate their names either). We hate saying that, but trust us, we have to take action.
How do we correlate data?
We feed our tool with a CSV file as input. Each line is the domain name or host name of a hospital. For instance:
$ cat hospital-domains.csv
domain
hospital1.com
hospital2.com
Then we simply launch our tool (publicly available, but an Eagle View subscription is required for querying) as follows to get full JSON information as output (example JSON output can be found in this blog post):
onyphe -export 'category:vulnscan -exists:cve -weekago:0 | whitelist hospital-domains.csv'
This query scrolls through every piece of information we have in the vulnscan category that carries a CVE field, restricted to the current week's results. Each week, we scan for the described vulnerabilities on a list of potentially vulnerable devices that we build by continuously scouting the Internet and applying pattern matching to identify devices and known brands.
For instance, we are able to list all Fortinet FortiGate products connected on the Internet by entering the following query:
category:datascan device.productvendor:Fortinet device.product:FortiGate
Note: this request requires an Enterprise subscription.
During the execution of this scrolled query, we apply the whitelisting by taking the values from the CSV file and comparing them against each result we find. For each line in the CSV, the tool checks whether the vulnerable entry has a field named "domain" whose value matches that line; entries without a matching domain are dropped.
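The whitelisting step described above, as an added Python example that is not ONYPHE's own tool code: it loads the CSV format shown earlier and filters constructed JSON-lines results on their "domain" field. The result field names "ip", "domain" and "cve" are assumed for illustration.

```python
import csv
import io
import json

# Constructed sample in the CSV format the post describes: a "domain" header,
# then one domain or host name per line.
HOSPITAL_CSV = """domain
hospital1.com
hospital2.com
"""

# Constructed sample of JSON-lines results. The field names "ip", "domain" and
# "cve" are assumed for illustration, not taken from ONYPHE's real schema.
VULNSCAN_JSONL = """\
{"ip": "192.0.2.10", "domain": "hospital1.com", "cve": "CVE-2019-19781"}
{"ip": "192.0.2.11", "domain": "example.net", "cve": "CVE-2020-1938"}
{"ip": "192.0.2.12", "cve": "CVE-2018-13379"}
{"ip": "192.0.2.13", "domain": "hospital2.com", "cve": "CVE-2019-11510"}
"""

def load_whitelist(csv_text):
    """Read the 'domain' column of the CSV into a set of lowercased names."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"].strip().lower() for row in reader if row.get("domain")}

def whitelist_results(jsonl_text, allowed):
    """Keep only results whose 'domain' field is present and whitelisted."""
    kept = []
    for line in filter(str.strip, jsonl_text.splitlines()):
        result = json.loads(line)
        domain = result.get("domain")
        # A result with no "domain" field cannot be correlated, so it is dropped.
        if domain is not None and domain.lower() in allowed:
            kept.append(result)
    return kept

def count_by_cve(results):
    """Tally matched results per CVE so a hospital sees what to fix first."""
    counts = {}
    for result in results:
        counts[result["cve"]] = counts.get(result["cve"], 0) + 1
    return counts

if __name__ == "__main__":
    matched = whitelist_results(VULNSCAN_JSONL, load_whitelist(HOSPITAL_CSV))
    print(json.dumps({"matched": matched, "by_cve": count_by_cve(matched)}, indent=1))
```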
We are willing to help. We do monitor the Internet to discover vulnerabilities and weaknesses so our customers can act before cyber-criminals exploit them.
We want to share this information freely with hospitals and state agencies worldwide. You may contact us by sending an email to contact at onyphe dot com so we can help you.