company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

By Role

Government

CISO/CTO

DevSecOps

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Threat Feeds

Threat Research

White Paper

SB Blogs

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

Our Story

Our Team

Careers

Press & Media

Contact Us
loading..
loading..
loading..
Loading...

Appsec

Cloud

Hack

loading..
loading..
loading..

TSA No-Fly List Hack: 1.5 Million Names Exposed in Development Server

Uncover the shocking truth behind the TSA No-Fly List snafu and the risks of using sensitive data in development environments.

27-Jan-2023
3 min read

Related Articles

loading..

PHI

DICOM

Healthcare

A 10-year-old bug in DICOM has leaked 59 million Patients personal data & medica...

Digital Imaging and Communications in Medicine (DICOM), the internationally accepted standard for medical images and related information protocol, encounters what is known to be the most critical healthcare data leak of 2023. Aplite security researchers identified a decade-old critical vulnerability present in DICOM protocol, exposing millions of critical patient personal and medical records globally. The dichotomy of DICOM's viable role in healthcare and its susceptibility to data leaks, which has now become a globally recognized source of data leaks, according to Aplite, is setting the stage for a healthcare cybersecurity crisis on a new level. ## **Key Findings** Aplite's extensive analysis for the past 6 months thoroughly reveals staggering statistics turning out to be one of the biggest healthcare data leaks before 2024. Over 3,800 DICOM accessible servers across 111 countries exposed 1,159 of these servers leaking over 59 million patients' personal and medical records, including names, addresses, phone numbers, and even Social Security numbers, in some cases highlighting the precarious state of millions of patient records. The analysis also reveals that over 73% of these servers are hosted on the Cloud or exposed via DSL, signifying a shift towards cloudification in the healthcare industry. Meanwhile, it was also found that India took a critical spotlight with over 9.6 million records at risk, making it a focal point of concern, unlike attacks on [SAFDARJUNG Hospital](https://www.secureblink.com/cyber-security-news/another-indian-hospital-servers-down-for-24-hours-following-hack) & [AIIMS](https://www.secureblink.com/cyber-security-news/200-cr-ransom-demanded-from-aiims-after-hitting-nearly-3-4-cr-patients). Following closely, the United States hosts over 8 million records, and South Africa adds to the urgency with 7.3 million at stake. ## **Root Cause: Modernization Meets Legacy** The healthcare industry's pivotal transition to cloudification, catalyzed by major players like Amazon AWS and Microsoft Azure, inadvertently exposes underlying vulnerabilities as legacy protocols like DICOM persist, housing 73% of their exposed servers, as mentioned above. A clash between modernization and dated infrastructure ensues, leaving a staggering 39.3 million health records at the risk of getting tempered anyway. ## **DICOM's Security Measures** DICOM's legacy clashes with modern security demands and the standard organization's efforts fall short. Aplite's research reveals that less than 1% of internet-accessible DICOM servers have effective authorization, which translates to nearly 128, with over 85% vulnerable to dictionary attacks due to weak authorization out of 23% of the servers having authorization enabled. ## **Patient Data at the Mercy of Hackers** The sheer magnitude of exposed personally identifiable information (PII) and protected health information (PHI) now open on the internet makes things even more alarming than ever. A staggering 16.1 million PII and 43.5 million PHI records are open to being exploited by hackers, leading to identity theft, social engineering, and potential blackmail. ## **Tampering with Integrity** Hackers now pose a severe threat by systematically disrupting medical images or injecting false signs of illnesses using the [DICOM store service](https://dicom.nema.org/dicom/2013/output/chtml/part07/sect_9.3.html). Aplite's [findings](https://aplite.de/2023/12/06/millions-of-patient-records-at-risk-118/) indicate a vulnerability in DICOM's inability to close a series after storing via a modality, allowing hackers to inject new images at will. This poses a direct risk to those 39.3 million health records, as mentioned already. ## **Mitigation Strategies** To address this critical issue, a multi-faceted approach is imperative. The [DICOM standard](https://en.m.wikipedia.org/wiki/DICOM) organization must enforce mandatory security measures, while medical institutions, vendors, and country CERTs should collaborate for immediate mitigation. ##### **Medical Institutions: Prioritized Actions** 1. **Exposure Control:** - Prevent public internet access. - Secure connections using IPSec. - Regularly scan TCP ports for potential exposures. 2. **Segmentation:** - Create a dedicated DICOM segment. - Restrict access to modalities via DICOM protocol. - Deploy Web Application Firewall (WAF) for TLS protection. 3. **Access Control:** - Authorize only modalities' IP addresses. - Implement strong [AET](https://www.dicomstandard.org/news/supplements/view/dicom-conformance-statement) authorization. - Integrate DICOMweb with Identity and Access Management (IAM). ##### **Vendors: Enhanced Security Measures** 1. **Authorization Implementation:** - Implement AET authorization. - Disallow new images for an existing series after a set time. - Conduct regular security tests, including fuzzing and penetration tests. ##### **Country CERTs: Collaborative Efforts** 1. **Regular Scanning:** - Scan a country's IP ranges to identify DICOM servers. - Assist in hardening DICOM setups for identified IP owners. ## **Persistent Legacy Problems** Despite previous [warnings and reports](https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/), the persistent issue with DICOM security remains. Aplite's findings indicate an escalating issue with an increasing number of leaked records each day. The disclosed attack vector allowing data tampering within existing medical images adds a new layer of urgency to address DICOM's inherent security flaws. ## **Dilemma of Security vs. Legacy Compatibility** While DICOM has security measures, their non-mandatory nature poses a challenge. Enforcing these measures could disrupt many legacy products and systems, creating a dilemma for the Medical Imaging & Technology Alliance, overseer of the DICOM standard.

loading..   06-Dec-2023
loading..   5 min read
loading..

BLUFFS

Bluetooth

AitM

Discover BLUFFS Bluetooth attack: a critical threat exposing devices to Adversar...

Security researchers from EURECOM discovered a series of critical vulnerabilities in Bluetooth Classic, affecting versions 4.2 through 5.4. Termed BLUFFS (Bluetooth Forward and Future Secrecy) attacks, these exploits challenge the forward secrecy and future secrecy guarantees of Bluetooth Classic, paving the way for Adversary-in-the-Middle (AitM) scenarios between connected peers. They are tracked under the identifier [CVE-2023-24023](https://nvd.nist.gov/vuln/detail/CVE-2023-24023)(CVSS score: 6.8) and were responsibly disclosed in October 2022. ## Disclosing BLUFFS Attack Daniele Antonioli, a researcher at EURECOM, drew attention to six novel BLUFFS attacks capable of compromising a wide array of devices, including laptops, smartphones, headsets, and speakers. Targeting major chip vendors like Intel, Broadcom, Apple, Samsung, and Qualcomm, these attacks operate at an architectural level, making them particularly impactful. The [attacks](https://github.com/francozappa/bluffs) hinge on exploiting flaws in the Bluetooth standard's session key derivation mechanism. Antonioli's study revealed two critical vulnerabilities allowing the derivation of the same key across sessions, thereby enabling device impersonation and machine-in-the-middle attacks. ## Understanding the Vulnerabilities 1. **Forward Secrecy Undermined:** The BLUFFS attack challenges the fundamental principle of forward secrecy in key-agreement cryptographic protocols. While forward secrecy protects past sessions against future compromises, the attack compromises this assurance by deriving a weak session key through architectural vulnerabilities. 2. **Architectural Weaknesses Exploited:** The AitM attacker leverages four architectural vulnerabilities, including the flaws in the session key derivation mechanism. This enables the derivation of a weak session key, subsequently used to spoof arbitrary victims, facilitating live injection attacks on traffic between vulnerable peers. 3. **Session Key Brute-Force:** The attacker, in proximity to two vulnerable Bluetooth devices, initiates a pairing procedure and captures Bluetooth packets. The attack involves brute-forcing the encryption key in real-time, potentially leading to live injection attacks on traffic between affected peers. ## Mitigations and Recommendations To mitigate the BLUFFS vulnerability, Bluetooth SIG recommends several measures: - **Key Strength Requirements:** Implementations should reject service-level connections on an encrypted baseband link with key strengths below 7 octets, with a higher threshold for Security Mode 4 Level 4. - **Secure Connections Only Mode:** Devices should operate in "Secure Connections Only Mode" to ensure sufficient key strength, reducing the risk of session key compromises. - **Enhanced Key Derivation Function:** Researchers have developed and tested an enhanced key derivation function to counter BLUFFS attacks. Implementing this function can add an extra layer of security to Bluetooth-enabled devices. ## Bluetooth SIG's Response Bluetooth SIG [acknowledges](https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/bluffs-vulnerability/) the severity of the BLUFFS vulnerability and issues a statement outlining the potential impact on devices supporting Secure Connections pairing and Secure Simple Pairing. The statement emphasizes the need for rejecting service-level connections with weak keys and underscores the importance of Secure Connections mode for sufficient key strength. ## Real-World Implications The success of BLUFFS attacks relies on the attacker being within the wireless range of two vulnerable Bluetooth devices during the encryption procedure. The ability to capture Bluetooth packets in plaintext and ciphertext, known as the victim's Bluetooth address, is crucial for executing these attacks. The researchers' toolkit, designed to automate and assess the effectiveness of BLUFFS attacks, adds a layer of urgency for vendors to address these vulnerabilities promptly. The real-world implications extend to potential live injection attacks and the need for immediate mitigations. ## Vendors' Response and User Recommendations Acknowledging the seriousness of the BLUFFS vulnerability, vendors are advised to implement solutions that reject service-level connections with weak keys. EURECOM researchers provide a low-cost toolkit for patching Bluetooth firmware, offering a temporary solution until vendors implement comprehensive fixes. Users are left with limited options for securing connections, as the vulnerability resides at the protocol level. Vigilance is crucial, with users encouraged to stay informed about firmware updates and implement patches as soon as they become available. ## Bluetooth SIG's Path Forward Bluetooth SIG expresses gratitude for the responsible disclosure of [BLUFFS](https://francozappa.github.io/post/2023/bluffs-ccs23/) vulnerabilities by EURECOM researchers. The organization emphasizes ongoing efforts to enhance Bluetooth security and urges vendors to implement recommended mitigations promptly.

loading..   05-Dec-2023
loading..   4 min read
loading..

Data Breach

Uncover the fallout of the 23andMe breach affecting 14,000 users. Hackers stole ...

*In a startling disclosure, 23andMe revealed a data breach impacting 0.1% of its vast customer base of 14 million users. This exposé dissects the intricacies of the breach, scrutinizes the aftermath, and delves into the broader implications for the security landscape of genetic testing.* ## **Breach Exposed & Credentials Compromise** In an [SEC filing](https://www.sec.gov/ix?doc=/Archives/edgar/data/1804591/000119312523287449/d242666d8ka.htm), 23andMe confirmed that hackers leveraged the standard technique of "credential stuffing," accessed 0.1% of their customer base. The breach, however, extended beyond mere account access. The hackers were able to delve into a significant number of files containing profile information linked to the [DNA Relatives feature](https://www.secureblink.com/cyber-security-news/23and-me-s-dna-relatives-feature-temporarily-disabled-following-data-breach) which has been temporarily disabled. ## Ancestral Data at Risk For the initial 14,000 users affected, the stolen data included ancestry information and, for a subset, health-related information based on genetics. The company, however, didn't specify the extent of the impact on the _"other users"_ connected to these accounts. ## **DNA Relatives Feature Exploited: Unraveling the Domino Effect** 23andMe's DNA Relatives feature allowed hackers to navigate beyond a single victim's account, opening a Pandora's box of interconnected genetic profiles. The far-reaching consequences of this exploit underscore the need for robust security architecture in features that share sensitive genetic information. ## **Advertisements and Dark Web Activities** The breach came to public attention when hackers advertised the alleged data of specific user groups on a well-known hacking forum. Subsequent advertisements revealed a broader scope, with another hacker claiming possession of 300 terabytes of stolen 23andMe user data months before the public revelation. ## **23andMe's Response Strategy** The [Threatfeed](https://www.secureblink.com/cyber-security-nees) critically evaluates 23andMe's response, from immediate password resets to the subsequent mandate of two-step verification. Questions arise about the efficacy of these measures and the timing of their implementation, raising concerns about the adequacy of cybersecurity strategies in the genetic testing domain. ## Response Measures In response to the breach, 23andMe took decisive actions. On October 10, users were compelled to reset passwords, with the company strongly encouraging the adoption of multi-factor authentication. By November 6, two-step verification became mandatory for all users. ## **Our Forensic Analysis: Tracing the Genetic Data Footprint** Secure Blink's threat researchers conducted a forensic analysis of the stolen data. Despite variations in formatting, a disconcerting alignment with publicly available genealogy records is revealed. This section meticulously breaks down the findings, emphasizing the technical nuances of the analysis. ## **Underground Market Dynamics: Monetizing Genetic Data** Beyond the initial breach, hackers capitalized on the [stolen genetic data](https://www.secureblink.com/cyber-security-news/4-million-new-23and-me-genetic-profiles-leaked-amidst-ashkenazi-lawsuits), creating a lucrative market on the dark web. The article navigates the underground dynamics, spotlighting the commodification of personal and intimate genetic information. ## **Timeline of Shadows: Unraveling Advertisements and Motivations** The breach evolved in stages, with hackers strategically advertising subsets of stolen data. This section provides a chronological timeline, dissecting the motivations behind each wave of advertisements and the evolving tactics employed by the threat actors. ## **Industry-wide Impact: Ancestry and MyHeritage Mandate 2FA** Ancestry and MyHeritage's proactive move to mandate two-factor authentication (2FA) industry-wide is explored. The implications for over 100 million users highlight a collective recognition of the urgent need to fortify security measures in the genetic testing domain. ## **Industry History Repeats: Lessons from Previous Breaches** Drawing parallels with previous breaches in the genetic testing industry, the article analyzes the recurring vulnerabilities. GEDmatch in 2020 and Veritas Genetics in 2019 serve as cautionary tales, urging the industry to learn from past lapses in security. ## **Code, Scripts, and Vulnerabilities: Decrypting the Underlying Threats** A focused data breach analysis reveals the importance of scrutinizing codebases and scripts. Integrating relevant code snippets and examples emphasizes the technical intricacies, magnifying the vulnerabilities that resulted in the breach. To grasp the severity of the breach, it's essential to delve into the potential vulnerabilities in 23andMe's security architecture. Analyzing code snippets associated with authentication processes could reveal insights into the exploitable areas that led to this breach. ```python # Sample authentication code (simplified) def authenticate_user(username, password): # Check if the provided username and password match the stored credentials if validate_credentials(username, password): # Grant access return "Access granted" else: # Deny access return "Access denied" ``` Here, a hypothetical authentication function illustrates the simplified process. A vulnerability in the `validate_credentials` function could be exploited through credential stuffing. ## Dark Web Transactions The advertisements on hacking forums highlight the thriving dark web trade in stolen data. The asking price for individual victim data, ranging from $1 to $10, underscores the monetization potential for cybercriminals.

loading..   04-Dec-2023
loading..   4 min read