GREYCORTEX is actively responding to the reported high severity vulnerability (CVE-2021 – 44228) that was found in the Apache Log4j library. All Mendel installations deployed in the last few years are vulnerable to this vulnerability. The new version, 3.8.0, which will be released in the upcoming days, is not affected and current versions 3.7.x and 3.6.x have now been covered with security updates.

Background

A high severity vulnerability (CVE-2021 – 44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project’s GitHub on December 9, 2021. The vulnerability impacts Apache Log4j 2 versions 2.0 to 2.14.1.

Log4j is used as a component of our GREYCORTEX Mendel product. More information on the vulnerability can be found in the links below.

CVE-2021 – 44228 Detail (NIST)

CVE-2021 – 44228 vulnerability in Apache Log4j library (SecureList)

Is my Mendel deployment vulnerable? 

All Mendel installations deployed in the last few years are affected by this vulnerability but the vulnerable part of the Mendel deployment is NOT exposed to a direct Internet connection.

What can I do to mitigate and resolve this issue?

GREYCORTEX has actively responded to the reported remote code execution vulnerability in the Apache Log4j 2 Java library, dubbed Log4Shell (or LogJam). We have investigated and taken action regarding our product GREYCORTEX Mendel. The new version 3.8.0, which will be released in the upcoming days, is not affected and current versions 3.7.x and 3.6.x are now covered with security updates, which are automatically distributed through the update server.

Older systems will not be patched, customers who are using older versions are strongly advised to upgrade.

Mitigations: if you are not able to upgrade to the newer version or your Mendel instance does not have access to the update server, then please restrict access to Mendel via your firewall settings. It is recommended to restrict access only to a trustworthy IP address range, also for normal operations.

How can I find out if my Mendel system or other systems of our customers have been compromised?

Mendel includes a set of detection rules that can detect whether a vulnerability in the Apache Log4j logging framework has been exploited to attack the Mendel system itself or other systems in your infrastructure. These rules are automatically available through the GREYCORTEX update server. If your Mendel instance or your customer instance is online, these signatures will be added to it automatically.

There is a simple reason why hospitals are the frequent targets of cybercriminals. Hospital networks contain patients’ and research data that is highly valued on the black market. And their infrastructure specifics make protecting it difficult.

In 2020, all 16 Czech key hospitals covered that year by the Cybersecurity Act reported a cyber incident. But also smaller healthcare facilities were being attacked and protecting them was no less complicated.

There are a few complications that make hospital cybersecurity challenging: the complex architecture of hospital networks, the frequent obsolescence of operating systems and also the insufficient number of qualified security personnel.

In addition, legislative requirements place high demands on security, including:

• GDPR
• Your National eHealth Center’s methodological guidelines (if you have one)
• International standards that summarize security recommendations for the use of healthcare systems and best practices (ENISA – Cyber security and resilience for Smart Hospitals, MDISS – Medical Device Innovation, Safety & Security Consortium)

Last, but not least, every organization usually has its own internal security regulations. These are based on risk analyses or the internal recommendations and requirements of the hospital’s governing board for the operation of IT in the hospital.

The Most Common Targets of Attackers

In the first stages, attackers aim usually at hospital employees’ login credentials, through which attackers try to gain access to VPNs, internal or health information systems. All these systems contain high-value data through which the attacker can hold the hospital to ransom.

Another source of income for attackers is research data that can be effectively monetized, but patient data is an especially big gain. The price for this information (data about a person and their health status) is from tens to hundreds of dollars per record on the black market. By contrast, mere contact details (for example, from a hacked e-shop) are only worth units of dollars.

And, of course, there are attacks whose primary goal is to take a hospital out of operation. In the case of compromised information systems, hospitals are unable to retrieve medical records or determine the availability of drugs and supplies. In the worst case scenario, the attack affects the operational infrastructure.

In short: the hospital cannot provide the healthcare function essential for its patients.

The Specifics of Internal Hospital Networks

Hospital internal networks have a specific and rather complicated architecture. They are the combination of not only IT elements but also include the operational technology of specialized medical departments as well as devices such as air conditioning, heating or blind controls.

There are many different types of IT networks in hospitals, for example:

• Medical networks, in which doctors and nurses access medical records, inventories and other medical information
• Patient networks, which are used by patients and visitors to the hospital
• Private physician networks, which lease connectivity from the hospital and also have access to the internal network of information systems

All of this is often complicated by the frequent use of outdated systems and insufficient staff capacity to ensure the organization’s cybersecurity.

We should view these characteristics as specifics that cannot be immediately addressed but need to be kept in mind when securing health facilities. For example, some modalities (diagnostic equipment such as X-ray machines, ultrasound, etc.) were purchased by hospitals 10 to 15 years ago and their level of security corresponds to their age. Often, the manufacturer does not even provide necessary updates, so there are devices with an un-updated operating system in the network. We have seen devices running on Windows XP. Even DOS and old versions of Linux are not rare as without these operating systems, it is not possible to use these devices.

Our experience, coming from dozens of hospitals in the European Union and Asia, has shown us that there are many hospitals with a high level of cyber protection. Unfortunately, there are also those with a large number of security shortcomings that need to be solved. Fortunately, GREYCORTEX Mendel can help them all.

There is a simple reason why hospitals are the frequent targets of cybercriminals. Hospital networks contain patients’ and research data that is highly valued on the black market. And their infrastructure specifics make protecting it difficult.

In 2020, all 16 Czech key hospitals covered that year by the Cybersecurity Act reported a cyber incident. But also smaller healthcare facilities were being attacked and protecting them was no less complicated.

There are a few complications that make hospital cybersecurity challenging: the complex architecture of hospital networks, the frequent obsolescence of operating systems and also the insufficient number of qualified security personnel.

In addition, legislative requirements place high demands on security, including:

• GDPR
• Your National eHealth Center’s methodological guidelines (if you have one)
• International standards that summarize security recommendations for the use of healthcare systems and best practices (ENISA – Cyber security and resilience for Smart Hospitals, MDISS – Medical Device Innovation, Safety & Security Consortium)

Last, but not least, every organization usually has its own internal security regulations. These are based on risk analyses or the internal recommendations and requirements of the hospital’s governing board for the operation of IT in the hospital.

The Most Common Targets of Attackers

In the first stages, attackers aim usually at hospital employees’ login credentials, through which attackers try to gain access to VPNs, internal or health information systems. All these systems contain high-value data through which the attacker can hold the hospital to ransom.

Another source of income for attackers is research data that can be effectively monetized, but patient data is an especially big gain. The price for this information (data about a person and their health status) is from tens to hundreds of dollars per record on the black market. By contrast, mere contact details (for example, from a hacked e‑shop) are only worth units of dollars.

And, of course, there are attacks whose primary goal is to take a hospital out of operation. In the case of compromised information systems, hospitals are unable to retrieve medical records or determine the availability of drugs and supplies. In the worst case scenario, the attack affects the operational infrastructure.

In short: the hospital cannot provide the healthcare function essential for its patients.

The Specifics of Internal Hospital Networks

Hospital internal networks have a specific and rather complicated architecture. They are the combination of not only IT elements but also include the operational technology of specialized medical departments as well as devices such as air conditioning, heating or blind controls.

There are many different types of IT networks in hospitals, for example:

• Medical networks, in which doctors and nurses access medical records, inventories and other medical information
• Patient networks, which are used by patients and visitors to the hospital
• Private physician networks, which lease connectivity from the hospital and also have access to the internal network of information systems

All of this is often complicated by the frequent use of outdated systems and insufficient staff capacity to ensure the organization’s cybersecurity.

We should view these characteristics as specifics that cannot be immediately addressed but need to be kept in mind when securing health facilities. For example, some modalities (diagnostic equipment such as X‑ray machines, ultrasound, etc.) were purchased by hospitals 10 to 15 years ago and their level of security corresponds to their age. Often, the manufacturer does not even provide necessary updates, so there are devices with an un-updated operating system in the network. We have seen devices running on Windows XP. Even DOS and old versions of Linux are not rare as without these operating systems, it is not possible to use these devices.

Our experience, coming from dozens of hospitals in the European Union and Asia, has shown us that there are many hospitals with a high level of cyber protection. Unfortunately, there are also those with a large number of security shortcomings that need to be solved. Fortunately, GREYCORTEX Mendel can help them all.

There are several basic tools for securing network infrastructure that should not be missing from any organization. Let’s take a look at the role of GREYCORTEX Mendel in all those products protecting the data and network in your company.

Antivirus software, firewalls and intrusion prevention systems (IPS) should be an integral part of any organization’s cybersecurity solution. Nowadays, however, they are often not enough. That’s where Mendel steps in.

GREYCORTEX Mendel stands on several levels:

• It is a unique tool that sees, visualizes and analyzes everything in your network – devices, access and all communications.
• It is a great extension to the functionality of standard cybersecurity tools: antivirus, firewalls and network performance monitoring. They are crucial, but there are some threats that even they cannot detect. The reason is simple: attackers are often ready for these standard systems.

Mendel Sees and Visualizes in the Context of Time and Events

Imagine a tool that sees all the devices in your network, how they are communicating together, what protocols they are using and where your data is going. With Mendel, you can see all of that. You can also view the details of a specific device, its communication and where it is connected to at the moment, and also yesterday or a year ago.

With this unique analysis, you can uncover a sophisticated attack on your infrastructure before it really happens. That’s because you can relate current events to events that happened before, even in the more distant past.

Let’s take a look at an example of an attack that may go unnoticed by a standard detection mechanism: Advanced malware is not detected on the end device, but that device shows behavior that could endanger the network – for example, trying to access somewhere it has not accessed before. It could be spyware or an APT in your internal domains that is gradually spreading across your network through a domain, while the infected machines start accessing unusual devices and data sources and performing lateral movement. Mendel can identify and notify you of such unusual behavior.

More Reliable End-Point Security

Because end-points are an easy target, often provide valuable data and are an entry point for gaining deeper access to your network, they are the frequent initial targets of cyber-attacks.

Commonly known end-point attacks include:

• network mapping
• data exfiltration (sending data in non-standard or encrypted channels, communication with control devices)
• Dictionary attacks, password data breaches
• Data mining (reading important information, mining data from a database, mining users from information systems or from a domain controller)

Mendel flags such attacks as dangerous behavior and recognizes the threat that might not have been recognized by endpoint security or that is well hidden by the attacker. Even if antivirus software is deployed, Mendel monitors the communication of your devices and reveals any anomalies in it. All of that using a broad database specializing in network cyber threats that include not only known threats but also signatures of unusual behavior.

A Smarter Firewall

We can understand a few things that fall under the term firewall: standard firewalls and smart solutions known as an IPS.

Traditional firewalls stand first in the line of defense and secure broad traffic filtering. They adjust network transitions and the availability of network services and are mostly used on the external perimeter – in some cases within the internal network. They are often open or insufficiently configured.

In such cases, Mendel plays the role of an auditing tool – controlling the function of the firewall itself and checking its configuration. You can use this feature for verifying and controlling the communication matrix in your internal network and critical systems. It helps you understand who is connecting where, who is using what and who is behaving differently than they should.

Smart solutions such as IPS see more deeply into your network, can detect known threats and block them. Also here, Mendel provides you a double-check by monitoring the operation of web proxies and email gateways. This means no potential threat can pass. Even in this case, Mendel’s advantage is its extensive database of threats, consisting of multiple sources and signatures that verify not only known attacks but also security policies and potentially dangerous access to data sources, such as administrative sharing. This approach is much more effective for the detection of vulnerabilities than just a database of known threats from one vendor.

This way, Mendel shows much more – not only what needs to be blocked but also unwanted or insecure applications and access to risky services. You’ll get a much better overview of what is going on and what is going through your network and how.

The Danger of Unknown Threats

In all mentioned cases, Mendel not only deals better with detecting known threats, its strength lies in also detecting unknown threats. How? Mendel recognizes different types of actions using behavioral analysis.

Right after anomalous behavior or an unknown threat is detected, the system notifies you, for example, by email. It’s then your choice. You can either take the necessary steps or you can connect Mendel to the firewall API and it will block the unwanted communication automatically for you.

A Huge Help for Monitoring Network Performance

At the next level, there are tools for internal system monitoring. In this case, Mendel shows a clear overview of the network – how it is loaded and used, who is accessing it, what services are operating and what the performance of applications and transmission lines is.

Imagine seeing just how loaded your information system, domain controller, Wi-Fi network or data center are!

GREYCORTEX Mendel helps you increase the reliability of your network. Even industrial control systems can get the right amount of control, so any attack or even a major network failure has no catastrophic consequences.

Antivirus software shows you current threats. A firewall displays the current settings and whether it is leaking something or not. But nothing will clearly show you events in your network an hour, a week or a year ago. In a nutshell, Mendel sees, visualizes and (thanks to data storage of up to the last several years) also analyzes current as well as past events.