Threat Feed

23.12.24 Threat Report

Written by Craig Pepper | Jan 22, 2025 12:00:13 PM
Medway IT Systems Still Unrestored Following Cybersecurity Incident

The IT systems at Medway Community Healthcare remain non-operational after a suspected cyberattack.

On 2 December 2024, Medway disclosed that it had detected "suspicious activity" and disconnected its IT systems to "protect patient and staff data". An investigation into the incident is ongoing.

As of 17 December, Medway confirmed its systems are not yet fully functional but stated it is "working methodically and carefully to restore them".

An update published on 13 December expressed gratitude to patients for their understanding and commended staff for maintaining services during the disruption. Medway acknowledged delays and disruptions caused by the outage, reiterating its commitment to patient safety while undergoing a thorough investigation overseen by NHS England.

The statement clarified that no evidence of unauthorised access to patient data was found during the investigation. As a result, Medway has begun the cautious reconnection of priority systems. However, it noted that the restoration process would be gradual and limited initially. Patients requiring blood tests will continue using paper forms in the interim.

Wider Context of NHS Cyber Incidents

This incident follows a cyberattack on Alder Hey Children’s NHS Foundation Trust on 28 November 2024, which also affected Liverpool Heart and Chest Hospital and Royal Liverpool University Hospital. Additionally, Wirral University Teaching Hospital NHS Foundation Trust declared a major incident for "cyber security reasons" on 25 November 2024.

In an update on 4 December, Wirral reported that the incident had been downgraded to a business continuity issue, with efforts underway to reinstate its main clinical systems.

Call for Increased Vigilance

Richard Horne, the recently appointed head of the National Cyber Security Centre (NCSC), emphasised the importance of ongoing vigilance in a speech on 3 December. Highlighting the June 2024 ransomware attack on pathology provider Synnovis, Horne noted:

"In the past year, we have seen crippling attacks against institutions that have brought home the true price tag of cyber incidents. The attack against Synnovis showed us how dependent we are on technology for accessing our health services."

These incidents underscore the growing necessity for robust cybersecurity measures across healthcare organisations to safeguard critical services and sensitive data.

Sophos Releases Hotfixes for Critical Firewall Vulnerabilities

Sophos has issued hotfixes to address three security vulnerabilities in its firewall products that could allow remote code execution and privileged system access under certain conditions. Two of these vulnerabilities are classified as Critical. There is no evidence of exploitation in the wild at this time.

Details of Vulnerabilities

  • CVE-2024-12727 (CVSS Score: 9.8)
    A pre-auth SQL injection vulnerability in the email protection feature. Exploitation is possible if Secure PDF Exchange (SPX) is enabled alongside High Availability (HA) mode, potentially leading to remote code execution.
  • CVE-2024-12728 (CVSS Score: 9.8)
    A weak credentials flaw involving a non-random SSH login passphrase for HA cluster initialisation. This passphrase remains active even after HA setup, exposing an account with privileged access if SSH is enabled.
  • CVE-2024-12729 (CVSS Score: 8.8)
    A post-authentication code injection vulnerability in the User Portal that allows authenticated users to achieve remote code execution.

Sophos disclosed that CVE-2024-12727 affects 0.05% of devices, while CVE-2024-12728 impacts approximately 0.5%.

Affected Versions

The vulnerabilities affect Sophos Firewall versions 21.0 GA (21.0.0) and older. The following versions include fixes:

  • CVE-2024-12727: v21 MR1 and newer (Hotfixes available for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
  • CVE-2024-12728: v20 MR3, v21 MR1 and newer (Hotfixes for earlier versions as listed above)
  • CVE-2024-12729: v21 MR1 and newer (Hotfixes for earlier versions as listed above)

Verification of Hotfix Installation

Users are encouraged to verify that the hotfixes have been applied:

  • CVE-2024-12727:
    Access the Sophos Firewall console, launch Device Management > Advanced Shell, and run the command:

cat /conf/nest_hotfix_status  

(Hotfix applied if the value is 320 or above).

  • CVE-2024-12728 and CVE-2024-12729:
    Access the console, launch Device Console, and run the command:

system diagnostic show version-info  

(Hotfix applied if the value is HF120424.1 or later).
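The two checks above are easy to get wrong when scripted across a fleet, because the second one is a version comparison rather than an equality test. The following Python is an added example (not Sophos code and not from the original report) that interprets the output of both commands. It assumes a hotfix id has the shape HF + six digits + "." + revision and that the six digits encode a date; the date layout is not stated on the page, so it is a parameter (MMDDYY by default) rather than a fact. The exact layout of the version-info output is also assumed, which is why the code searches for the id anywhere in the text.

```python
import re
from datetime import datetime

# Assumption (not from the advisory): hotfix ids look like HF<6 digits>.<revision>
# and the six digits encode a date. The date layout is passed in by the caller.
HOTFIX_RE = re.compile(r"\bHF(\d{6})\.(\d+)\b")


def nest_hotfix_applied(output: str, minimum: int = 320) -> bool:
    """Interpret the output of `cat /conf/nest_hotfix_status`.

    The advisory says the CVE-2024-12727 hotfix is present when the value is
    320 or above. Anything non-numeric is treated as 'not verified'.
    """
    value = output.strip()
    if not value.isdigit():
        return False
    return int(value) >= minimum


def parse_hotfix_id(text: str, date_fmt: str = "%m%d%y"):
    """Find a hotfix id in `text` and return (date, revision) so ids can be ordered.

    Returns None when no id is present or the digits do not form a valid date
    under the assumed layout.
    """
    m = HOTFIX_RE.search(text)
    if not m:
        return None
    try:
        date = datetime.strptime(m.group(1), date_fmt).date()
    except ValueError:
        return None
    return (date, int(m.group(2)))


def hotfix_at_least(version_info_output: str, required: str = "HF120424.1",
                    date_fmt: str = "%m%d%y") -> bool:
    """Interpret `system diagnostic show version-info` output.

    Succeeds when the id found in the output is `required` or a later one.
    A plain string comparison would be wrong here: 'HF010125.1' sorts before
    'HF120424.1' lexically even though January 2025 is later than December 2024.
    """
    found = parse_hotfix_id(version_info_output, date_fmt)
    needed = parse_hotfix_id(required, date_fmt)
    if found is None or needed is None:
        return False
    return found >= needed


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real device.
    print(nest_hotfix_applied("320\n"))                 # True
    print(nest_hotfix_applied("319\n"))                 # False
    print(hotfix_at_least("Hotfix: HF120424.1\n"))      # True
    print(hotfix_at_least("Hotfix: HF010125.1\n"))      # True (later date)
    print(hotfix_at_least("Hotfix: HF110824.2\n"))      # False (earlier date)
```

If a fleet uses a different date layout in its hotfix ids, pass that layout as `date_fmt`; an id that does not parse under the chosen layout is reported as "not verified" rather than silently accepted.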

Temporary Workarounds

Until the updates can be applied, Sophos advises the following measures:

  • Restrict SSH access to a dedicated, physically separate HA link.
  • Reconfigure HA using a sufficiently long, random passphrase.
  • Disable WAN access via SSH.
  • Ensure that User Portal and Web admin are not exposed to WAN.

This announcement comes shortly after the U.S. government unsealed charges against Guan Tianfeng, a Chinese national, accused of exploiting a zero-day vulnerability (CVE-2020-12271, CVSS score: 9.8) in Sophos firewalls. This attack reportedly compromised 81,000 devices globally.

Sophos firewall users are strongly advised to apply the necessary updates immediately to prevent potential exploitation and to follow recommended security practices for additional protection.

Critical Vulnerabilities in IBM Cognos Analytics

IBM has released an urgent security update for its Cognos Analytics software, addressing two critical vulnerabilities, CVE-2023-42017 and CVE-2024-51466, which could enable malicious file uploads and Expression Language (EL) injection attacks. Organisations are strongly advised to apply the updates immediately to safeguard sensitive data and system functionality.

CVE-2023-42017: Malicious File Upload Vulnerability

  • Description: This vulnerability arises from inadequate validation of files uploaded via the web interface. Privileged users could exploit this weakness to upload malicious executable files, potentially leading to system compromise if the files are executed by unsuspecting users.
  • Classification: CWE-434 (Unrestricted Upload of File with Dangerous Type).
  • Severity: CVSS v3.0 base score of 8.0 (High).
  • Impact: Exploitation could compromise confidentiality, integrity, and availability. The attack is remote, requires minimal effort, and poses significant risks.
  • Mitigation: No workarounds are available. Upgrading to fixed versions is critical.
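CWE-434 is, at root, a validation problem: the application trusts something the client sent (a file name, a declared content type) instead of the bytes themselves. The Python below is an added example written for this report; it is not IBM code and says nothing about how Cognos Analytics actually handles uploads. It contrasts the kind of name-only check the CWE describes as insufficient with a hardened validator that allowlists the final extension, checks leading bytes for types that carry a signature, strips directory components, and stores the file under a server-generated name. The allowlist and the size limit are constructed for the example.

```python
import os
import secrets
from pathlib import Path

# Constructed allowlist for this example: final extension -> accepted leading bytes.
# None means a text format with no signature, checked for binary content instead.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".csv": None,
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller returns an error to the client."""


def weak_filename_check(filename: str) -> bool:
    """The insufficient style of check: it looks only at the client-supplied name.

    'report.pdf.exe' passes because the name contains '.pdf', and the file
    content is never examined. Kept here only to show what the hardened
    validator fixes.
    """
    lowered = filename.lower()
    return any(ext in lowered for ext in ALLOWED_TYPES)


def validate_upload(client_filename: str, data: bytes, max_bytes: int = 5_000_000) -> str:
    """Hardened validation. Returns the server-chosen name the file will be stored under.

    Checks, in order: size; that the *last* extension is allowlisted; that the
    leading bytes match the declared type (where the type has a signature);
    and that text uploads contain no NUL bytes. The client name never reaches
    the filesystem, so traversal sequences or odd characters in it are moot.
    """
    if len(data) == 0 or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    # Drop any directory components the client may have sent.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    signatures = ALLOWED_TYPES[ext]
    if signatures is not None:
        if not any(data.startswith(sig) for sig in signatures):
            raise UploadRejected("content does not match declared type")
    elif b"\x00" in data:
        raise UploadRejected("binary content in a text upload")
    # Random server-side name: no user-controlled characters in the stored path.
    return secrets.token_hex(16) + ext


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes the hardened validator."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return False
    return True


def store_upload(client_filename: str, data: bytes, upload_dir: str) -> str:
    """Write a validated upload into `upload_dir`, which must not be served as executable content."""
    safe_name = validate_upload(client_filename, data)
    target = Path(upload_dir) / safe_name
    target.write_bytes(data)
    return str(target)


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    print(weak_filename_check("report.pdf.exe"))              # True: name-only check is fooled
    print(is_accepted("report.pdf.exe", b"%PDF-1.7\n"))       # False: last extension is .exe
    print(is_accepted("../../etc/report.pdf", b"%PDF-1.7\n"))  # True, stored under a random name
    print(is_accepted("image.png", b"%PDF-1.7\n"))             # False: signature mismatch
```

The storage directory matters as much as the validator: even a file that passes every check should land somewhere the web server will not execute it, which is why `store_upload` takes the directory as an explicit argument rather than deriving it from the request.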

CVE-2024-51466: Expression Language Injection Vulnerability

  • Description: This flaw allows remote attackers to embed malicious EL statements, leading to potential data exposure, resource exhaustion, or server crashes.
  • Classification: CWE-917 (Improper Neutralisation of Special Elements Used in an Expression Language Statement).
  • Severity: CVSS v3.1 base score of 9.0 (Critical).
  • Impact: The vulnerability is exploitable over the network and requires no user interaction.
  • Mitigation: No direct mitigations exist; users must apply the fixes provided by IBM.

Affected Versions

The following versions of IBM Cognos Analytics are vulnerable to both flaws:

  • Versions 12.0.0 to 12.0.4
  • Versions 11.2.0 to 11.2.4 FP4

Available Fixes

  • Users of Version 12.0.4 should install Interim Fix 1.
  • Users of Version 11.2.4 FP4 should upgrade to FP5.

Recommendations

  • Apply Updates Immediately: Ensure affected systems are upgraded to the fixed versions without delay to prevent exploitation.
  • Audit System Configurations: Regularly review user privileges and restrict unnecessary access.
  • Monitor for Indicators of Compromise: Be vigilant for unusual activity, particularly in web interfaces or server logs.
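The third recommendation, watching web interface logs, is concrete enough to script. The Python below is an added example for this report (not IBM code, and not based on any Cognos log format): it scans constructed access-log lines for request targets that contain an Expression Language marker (`${...}` or `#{...}`) after undoing percent-encoding, so that single- and double-encoded forms are caught. The log lines, IP addresses and paths are made up for the example; a hit is a lead for an analyst to review, not proof of compromise.

```python
import re
from urllib.parse import unquote

# EL expressions open with ${ or #{. Matched after URL-decoding the request target.
EL_MARKER = re.compile(r"[$#]\{[^}]*\}")
# Combined-format request field: method, target, protocol. Only the target is needed.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) ([^ "]+) HTTP/[\d.]+"')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding, bounded so a hostile input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_el_markers(log_lines):
    """Return (line_number, client_ip, decoded_target, matches) for each suspicious line."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = decode_fully(m.group(1))
        found = EL_MARKER.findall(target)
        if found:
            client_ip = line.split(" ", 1)[0]
            hits.append((n, client_ip, target, found))
    return hits


# Constructed sample log lines (combined format); not from a real server.
SAMPLE_LOG = [
    '203.0.113.10 - - [22/Jan/2025:12:00:13 +0000] "GET /reports/view?page=home HTTP/1.1" 200 5120',
    '203.0.113.10 - - [22/Jan/2025:12:00:14 +0000] "GET /reports/view?page=%24%7Bprobe%7D HTTP/1.1" 500 310',
    '198.51.100.7 - - [22/Jan/2025:12:00:15 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [22/Jan/2025:12:00:16 +0000] "GET /reports/export?name=%2523%257Bprobe%257D HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    for line_no, ip, target, matches in find_el_markers(SAMPLE_LOG):
        print(f"line {line_no}: {ip} requested {target!r}; EL markers {matches}")
```

Two details worth keeping when adapting this: decode before matching (the fourth sample line is double-encoded and only becomes `#{probe}` after two rounds), and treat a non-2xx status on a flagged line as a secondary signal rather than a filter, since a successful injection may return 200.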

The discovery of CVE-2023-42017 and CVE-2024-51466 underscores the necessity of proactive cybersecurity measures. Organisations using IBM Cognos Analytics should prioritise these updates to prevent exploitation, mitigate risks, and ensure the continued protection of sensitive information.