
CISA: NextGen Healthcare Flaw Still Exploited After 7 Months

Attackers Are Targeting the Widely Used Mirth Connect Data Integration Platform

Attackers are actively exploiting a vulnerability in NextGen Healthcare's Mirth Connect product, a widely used, open-source data integration platform - seven months after the vulnerability was publicly disclosed and months after a patch was first made available, according to a CISA alert Monday.


The federal agency added the vulnerability, CVE-2023-43208 - a NextGen Healthcare Mirth Connect "deserialization of untrusted data vulnerability" - to its Known Exploited Vulnerabilities Catalog, based on "evidence of active exploitation." CISA did not provide examples of the type of exploitation being reported.

The NextGen vulnerability was first reported in October - and then updated in January - by researchers at security firm Horizon3.ai.

"NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. This vulnerability is caused by the incomplete patch of CVE-2023-37679," NIST said in its latest description of the issue.

Horizon3.ai in Oct. 2023 released an advisory for CVE-2023-43208 in which the firm described the problem as "a pre-authenticated remote code execution vulnerability" affecting NextGen Mirth Connect.

"If you're a user of Mirth Connect and haven't patched yet, we strongly encourage you to upgrade to the 4.4.1 patch release or later. This is an easily exploitable vulnerability that our own pentesting product, NodeZero, has exploited successfully against a number of healthcare organizations," Horizon3.ai said in January.

It's an unauthenticated remote code execution vulnerability, meaning that attackers can exploit it without any prior credentials and fully compromise the Mirth Connect server, Horizon3.ai said.

"Given that Mirth Connect is widely adopted among healthcare entities, it is very likely that healthcare entities have been attacked using this vulnerability," Naveen Sunkavally, a researcher and chief architect at Horizon3.ai, told Information Security Media Group on Tuesday.

"We don't have the details right now about the specific entities that were impacted. Back in April, Microsoft threat intelligence reported that China-based threat actor Storm-1175 exploited CVE-2023-43208 for initial access," Sunkavally told ISMG.

"This vulnerability can be used for initial access to breach healthcare entities, as reported by Microsoft threat intelligence. It can also be used for lateral movement within internal networks, leading to access to sensitive healthcare data," he said.

The vulnerability was fixed in Mirth Connect 4.4.1, but it might be tricky for some entities to simply upgrade to that version, Sunkavally said. "We've seen reports that upgrading to the latest version might break existing integrations, and some entities may be applying custom patches. In addition, as it is an open-source solution, Mirth Connect may be embedded in other products in the environment," he said.

"The best way to check if you're really patched is to try to exploit the vulnerability in your environment to see if it's still exploitable."

Organizations that expose Mirth Connect to the internet should patch this vulnerability on an emergency basis or disconnect it from the internet altogether, Sunkavally said. "In internal networks, this vulnerability should be high on the list of things to fix. It really depends on how Mirth Connect is being used in your environment and what kind of sensitive data is exposed through it."
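The triage advice above (identify Mirth Connect instances, check whether they run a version before 4.4.1, and treat internet-exposed ones as emergencies) can be turned into a small inventory check. The script below is an added example written for this article; it is not code from NextGen, Horizon3.ai or CISA. The fixed-version threshold (4.4.1) comes from the article. Everything else is an assumption: the `/api/server/version` path and the `X-Requested-With` header are taken from Mirth Connect's public REST API documentation and may be blocked, proxied or disabled in a given deployment, and the inventory entries are constructed sample data, not real hosts.

```python
"""Inventory triage for CVE-2023-43208 (NextGen Mirth Connect < 4.4.1).

Added example for this article, not NextGen, Horizon3.ai or CISA code.
Assumptions not taken from the article:
  * GET /api/server/version on a Mirth Connect server returns the version
    as plain text (path and X-Requested-With header from the public API
    docs; your deployment may block or proxy it).
  * SAMPLE_INVENTORY below is constructed data, not real hosts.
"""
from __future__ import annotations

import re
import ssl
import urllib.request
from dataclasses import dataclass

# Per the article, the vulnerability was fixed in Mirth Connect 4.4.1.
FIXED_VERSION = (4, 4, 1)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '4.3.0', '4.4', ' 3.12.0\\n' or '4.4.1-SNAPSHOT' into an int tuple.

    Missing minor/patch components are treated as 0 so '4.4' sorts as 4.4.0.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the reported version is older than the 4.4.1 fix."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Host:
    name: str
    version: str           # version string as reported by the server
    internet_exposed: bool  # reachable from the internet?


def priority(host: Host) -> str:
    """Map a host to the remediation urgency the article describes:
    patched -> nothing to do; affected + internet-exposed -> emergency
    (patch now or disconnect); affected + internal-only -> high.
    """
    if not is_affected(host.version):
        return "patched"
    return "emergency" if host.internet_exposed else "high"


def triage(hosts: list[Host]) -> dict[str, str]:
    """Return {host name: priority} for a whole inventory."""
    return {h.name: priority(h) for h in hosts}


def fetch_version(base_url: str, verify_tls: bool = True, timeout: float = 5.0) -> str:
    """Ask a live Mirth Connect server for its version (ASSUMED endpoint).

    Mirth's API rejects requests without an X-Requested-With header (CSRF
    guard), so one is added. verify_tls=False is only for lab instances
    running the default self-signed certificate.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/server/version",
        headers={"X-Requested-With": "OpenAPI", "Accept": "text/plain"},
    )
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace").strip()


# Constructed sample inventory: version strings as a server would report them.
SAMPLE_INVENTORY = [
    Host("mirth-dmz-01", "4.3.0", internet_exposed=True),
    Host("mirth-int-02", "3.12.0", internet_exposed=False),
    Host("mirth-int-03", "4.4.1", internet_exposed=False),
    Host("mirth-int-04", "4.5.0", internet_exposed=True),
]

if __name__ == "__main__":
    for name, urgency in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {urgency}")
```

Run it as-is to triage the constructed inventory; swap the constructed version strings for the output of `fetch_version()` against real servers once you have confirmed the endpoint is reachable in your environment. A version string only tells you what the server claims to be: as Sunkavally notes above, custom patches and Mirth Connect embedded inside other products are not caught this way, so a "patched" result here is a starting point, not a substitute for testing whether the instance is still exploitable.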

NextGen, a provider of cloud-based electronic health records, did not immediately respond to ISMG's request for comment on the vulnerability or the types of exploitations reported.

NextGen is already facing at least a dozen proposed class action lawsuits for a health data breach discovered in April 2023 that affected 1 million individuals.

The company told regulators that hackers gained unauthorized access to a database by using client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen. The company has not said what type of vulnerability attackers might have been exploiting in that incident (see: NextGen Facing a Dozen Lawsuits So Far Following Breach).

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
