
Ensuring cybersecurity: Horizon3.ai’s Rapid Response Service in action

How Horizon3.ai’s rapid response identified and fixed a critical vulnerability in Mirth Connect

An important consideration in cybersecurity is determining whether a known software vulnerability is actually exploitable. This often depends on how and where the vulnerable software is deployed in your environment. To address the need to find exploitable vulnerabilities, Horizon3.ai developed and recently introduced its Rapid Response service.

This service proactively notifies our customers of potentially exploitable vulnerabilities in their environments. They can then use NodeZero to test the exploitability of zero-day and n-day vulnerabilities. Once remediation is in place, they can use NodeZero to verify that the issues have been resolved.

Let’s look at an example of Rapid Response in action, in the context of a Mirth Connect remote code execution (RCE) vulnerability that our research team discovered last year.

Mirth Connect Vulnerability Timeline: CVE-2023-43208

As part of our Rapid Response service, Horizon3.ai’s attack team conducts expert research on popular software applications, in this case Mirth Connect from NextGen HealthCare. Mirth Connect is an open source data integration platform widely used by healthcare organizations.

Last August, our attack team tracked a vulnerability in Mirth (CVE-2023-37679) that was supposedly patched in Mirth Connect 4.4.0, released on August 2, 2023. In the release notes for 4.4.0, our research team found it odd that this vulnerability only affected Mirth Connect versions running Java 8. They felt that further investigation was needed. According to Shodan, several thousand instances of Mirth Connect were available on the Internet at the time.

Shodan Search for Mirth Connect

On September 8, 2023, based on a closer look at the Mirth patch and the above-mentioned CVE, the attack team privately disclosed a new unauthenticated remote code execution (RCE) vulnerability they discovered in Mirth Connect 4.4.0, which was the result of an incomplete patch for CVE-2023-37679.

On October 2nd, after we confidentially disclosed our discovery of the RCE vulnerability in Mirth, our researchers developed an exploit capable of taking full advantage of vulnerable versions of Mirth. The exploit was added to NodeZero at that time. After we added the exploit to NodeZero, our customers were able to launch a Rapid Response test for the Mirth vulnerability we discovered to quickly confirm whether their Mirth instances were exploitable. In fact, many of them were exploitable.

Through our Rapid Response Test for Mirth, our customers had a 15-day window to test the exploitability of Mirth before a patch for the RCE vulnerability was even available from NextGen. The Rapid Response Zero-Day Test allowed our customers to take action to protect their exploitable Mirth implementations while waiting for a patch from NextGen.

On October 17, after working closely with our researchers and providing them with a test build to validate, NextGen released a patched version that addresses the vulnerability our researchers discovered. More information about our public disclosure can be found here.

On October 26, the vulnerability (CVE-2023-43208) discovered by our researchers was officially published in the NVD (National Vulnerability Database). According to our disclosure, “Mirth Connect is an interesting application for us at Horizon3.ai because many of our customers are in the healthcare space and use this application. Healthcare companies are often the target of ransomware threat actors, and this application has a good presence on the internet.”

After giving healthcare workers sufficient time to update all vulnerable Mirth instances, our researchers released an exploit for the Mirth vulnerability on January 12, 2024. According to our public announcement, “We strongly advise you to update to patch version 4.4.1 or later if you are using Mirth Connect and have not yet installed a patch. This is an easily exploitable vulnerability that our own pentesting product NodeZero has successfully exploited on a number of healthcare organizations (customers).”

As part of our Rapid Response service, all Horizon3.ai customers who were previously running NodeZero in their environments were already informed that their Mirth Connect implementations were likely vulnerable. We also recommended that they run the Mirth zero-day test to identify all systems running the vulnerable version of Mirth. Since Mirth is an open source platform, other systems using Mirth could also be vulnerable.

On February 29, Bayer Radiology Solutions released an important update for Mirth Connect. This update revealed that other healthcare systems could also be vulnerable. Here is an excerpt from this update: “Bayer has performed an initial assessment of the recently disclosed remote code execution vulnerabilities affecting Mirth Connect versions prior to 4.4.1 (CVE-2023-37679 and CVE-2023-43208).

After a thorough analysis, we found that the following Bayer devices contain a vulnerable version of Mirth Connect:

  • MEDRAD® Stellant FLEX CT Injection System
  • MEDRAD® Stellant CT Injection System with Certegra® Workstation
  • MEDRAD® MRXperion MR Injection System”

Then, on March 7, our researchers learned through a discussion on GitHub that attackers were actively attempting to exploit the vulnerability. At that time, NodeZero was updated with information about the vulnerability being exploited in the wild to further alert organizations of the urgent need to update to Mirth 4.4.1.

On April 19, Microsoft Threat Intelligence on X (formerly Twitter) announced that they were tracking multiple ransomware threat actors exploiting both CVE-2023-37679 and CVE-2023-43208.

On May 20, CISA added CVE-2023-43208 to the CISA Catalog of Known Exploited Vulnerabilities (KEV), meaning the vulnerability was reported as widely exploited seven months after NextGen issued a patch on October 17, 2023.

Why a quick response is important in the context of exploitability

Even before a patch was available from NextGen, our customers tested their environments with the NodeZero Rapid Response test to determine if their Mirth Connect instances were vulnerable – many of them were. After a patch was issued, our customers patched their Mirth instances and re-ran the NodeZero Rapid Response test to confirm that the patch was effective and their systems were no longer vulnerable.

More importantly, our customers who ran the Mirth Rapid Response test and found their instances to be exploitable spent nearly nine months patching all Mirth instances before the vulnerability was added to the CISA KEV.
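The two practical steps described above, identifying every system running a vulnerable Mirth Connect build and then confirming after patching that each one sits at or above the fixed release, can be started from an ordinary asset inventory before any exploitability test is run. The following is an added example written for this page; it is not Horizon3.ai, NodeZero or NextGen code. It assumes only what the post states, that 4.4.1 is the fixed release, and that each inventory entry carries the version string the instance reports. The hostnames and versions in `SAMPLE_INVENTORY` are constructed, and the `unknown` status is deliberate: a build that cannot be parsed (or a device that embeds Mirth without exposing a version, as in the Bayer advisory) needs manual review rather than a silent pass.

```python
"""Version-based triage of a Mirth Connect inventory against the CVE-2023-43208 fix line.

Added example, not Horizon3.ai or NextGen code. Assumes the fixed release is 4.4.1
(as stated in the post) and that each inventory entry carries a version string.
The inventory below is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed release per the public disclosure: 4.4.1 or later is not affected.
FIXED_VERSION = "4.4.1"

# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("mirth-prod-01.example.internal", "4.3.0"),
    ("mirth-prod-02.example.internal", "4.4.0"),
    ("mirth-test.example.internal", "4.4.1"),
    ("mirth-new.example.internal", "4.10.0"),   # 4.10 must sort after 4.4, not before it
    ("device-gateway.example.internal", "3.12.0"),
    ("unknown-host.example.internal", "n/a"),   # unparseable: needs manual review
]


@dataclass(frozen=True)
class TriageResult:
    host: str
    version: str
    status: str  # "affected", "fixed", or "unknown"


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '4.4.1' into (4, 4, 1). Numeric tuples compare correctly; strings do not."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool | None:
    """True if version >= fixed, False if it is older, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    target = parse_version(fixed)
    assert target is not None
    # Pad the shorter tuple with zeros so (4, 4) compares as (4, 4, 0).
    width = max(len(parsed), len(target))
    parsed += (0,) * (width - len(parsed))
    target += (0,) * (width - len(target))
    return parsed >= target


def triage(inventory) -> list[TriageResult]:
    """Classify every inventory entry against the fix line."""
    results = []
    for host, version in inventory:
        fixed = is_fixed(version)
        if fixed is None:
            status = "unknown"
        elif fixed:
            status = "fixed"
        else:
            status = "affected"
        results.append(TriageResult(host, version, status))
    return results


def affected_hosts(inventory) -> list[str]:
    """Hosts still below the fix line: the patch list to work through."""
    return [r.host for r in triage(inventory) if r.status == "affected"]


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r.status:9} {r.host:35} {r.version}")
```

Run it once before patching to build the work list and again afterwards, when `affected_hosts()` should come back empty. A version check is a prerequisite, not a substitute, for the exploitability test the post describes: as the opening paragraph notes, whether an instance is actually reachable and exploitable depends on how and where it is deployed, which a version string cannot tell you.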

(Here is a screenshot of the NextGen Mirth Connect test on NodeZero with information about the CVE, links to resources to learn more about the issue, and a corresponding timeline of key events.)

NodeZero Rapid Response Test for NextGen Mirth Connect CVE-2023-43208

More about Rapid Response

With the latest enhancements to NodeZero, both new and existing customers now have a dedicated center for all rapid response activities, including self-service testing, threat details, and alerts from Horizon3.ai about the exploitability of specific assets in their environments.

In today’s dynamic threat landscape, speed is king, closely followed by prioritizing business impact. By emphasizing speed and providing tailored, actionable threat intelligence, Horizon3.ai’s Rapid Response service uses offensive security principles to inform defenders of the targets that matter most when protecting critical infrastructure.

Learn more about Rapid Response. Download our Rapid Response white paper today.

***This is a Horizon3.ai blog by Stephen Gates, syndicated by the Security Bloggers Network. Read the original post at: https://www.horizon3.ai/insights/blogs/ensuring-cybersecurity-horizon3-ais-rapid-response-service-in-action/