Businesses are already ducking and covering as the invasion of Ukraine drives a surge of cybercriminal attacks, but the publication of yet another severe security vulnerability has given malicious actors new ways to attack medical and other devices anywhere in the world.

The vulnerabilities – which were revealed and documented by security firm Forescout and have collectively been dubbed Access:7 – are found in a library called PTC Axeda, and its companion Axeda Desktop Server application.

Axeda is used by many Internet of Things (IoT) manufacturers to enable the remote management of devices – but its poorly designed authentication, including the use of hardcoded credentials and unauthenticated services, means that attackers can easily access and control connected devices.
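To make the two weakness classes named above concrete, here is an added example (written for this article, not code from Forescout, PTC or the Axeda product, and not a model of Axeda's real protocol): a toy remote-management handler that accepts a state-changing action with no credential and checks a credential baked into the image, beside a hardened form where every state-changing action sits on an allow-list and is verified against a per-device secret provisioned at deployment. The action names, the `HARDCODED_PASSWORD` value and the `DEVICE_MGMT_SECRET` variable name are all constructed for illustration.

```python
"""Added example: unauthenticated service and hardcoded credential, beside a
hardened handler. Constructed for illustration; nothing here is Axeda code."""
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """A constructed management request: an action plus an optional credential."""
    action: str                      # e.g. "status", "reconfigure", "reboot"
    credential: Optional[str] = None


# --- Vulnerable pattern -----------------------------------------------------
# Hypothetical credential compiled into the firmware image: identical on every
# device running this build, so one disclosure exposes the whole fleet.
HARDCODED_PASSWORD = "changeme-constructed-example"


def vulnerable_handle(req: Request) -> str:
    """Mirrors the weakness classes: 'reconfigure' needs no credential at all,
    and 'reboot' is gated only by the shared, hardcoded password."""
    if req.action == "status":
        return "ok: status"
    if req.action == "reconfigure":
        return "ok: reconfigured"            # unauthenticated service
    if req.action == "reboot":
        if req.credential == HARDCODED_PASSWORD:   # fleet-wide shared secret
            return "ok: rebooting"
        return "denied"
    return "unknown action"


# --- Hardened pattern -------------------------------------------------------
@dataclass
class DeviceAuth:
    """Per-device secret provisioned at deployment: read from an environment
    variable (assumed name) or generated on first start, never from the image."""
    secret: str = field(
        default_factory=lambda: os.environ.get("DEVICE_MGMT_SECRET")
        or secrets.token_urlsafe(32)
    )

    def verify(self, presented: Optional[str]) -> bool:
        if presented is None:
            return False
        # Constant-time comparison so response timing does not leak the secret.
        return hmac.compare_digest(presented.encode(), self.secret.encode())


# Explicit allow-lists: an action cannot end up unauthenticated by omission,
# because anything not listed is rejected before the auth decision.
STATE_CHANGING = frozenset({"reconfigure", "reboot", "disconnect"})
READ_ONLY = frozenset({"status"})


def hardened_handle(req: Request, auth: DeviceAuth) -> str:
    """Every state-changing action must present the device's own secret."""
    if req.action not in STATE_CHANGING | READ_ONLY:
        return "unknown action"
    if req.action in STATE_CHANGING and not auth.verify(req.credential):
        return "denied"
    return f"ok: {req.action}"


if __name__ == "__main__":
    auth = DeviceAuth()
    print(vulnerable_handle(Request("reconfigure")))        # accepted, no auth
    print(hardened_handle(Request("reconfigure"), auth))    # denied
    print(hardened_handle(Request("reconfigure", auth.secret), auth))  # ok
```

The defensive points are the ones CISA's advice implies: a secret that is unique per device and injected at provisioning can be rotated and revoked, whereas a value in the image cannot be changed without a firmware release, and an allow-list of privileged actions means a newly added management command is denied by default rather than exposed by default.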

Six other vulnerabilities enable cybercriminals to access devices, reconfigure them, control them remotely, disconnect them, and more.

That’s a major problem for the healthcare environments that make up around 55 per cent of Axeda’s user base – where the software powers systems administering life-sustaining medical care including imaging, laboratory, ventilation, infusion, implantables, and surgery.

Over 150 potentially affected devices from more than 100 vendors, including Abbott, Acuo, Carestream, GE Healthcare, Varian and Bayer, have already been identified, and Axeda is also used in ATMs, industrial, and other settings.

PTC paid $235m for Axeda back in 2018, integrating the remote management tool into its broader ThingWorx IoT platform and then ending support for Axeda at the end of 2020.

With so many installed devices still so easily exploitable, the vulnerabilities were given CVSS scores as high as 9.8 out of 10 – motivating the US Cybersecurity & Infrastructure Security Agency (CISA) to publish an Industrial Control System (ICS) Advisory warning of the low-complexity attack.

Affected devices should, CISA advised, be disconnected from the Internet, isolated from business networks, and patched with the latest software versions.

New fears in a climate of unrest

Coming on the heels of high-risk vulnerabilities like the SolarWinds hack and recent Log4j disaster, yet another critical weakness would be a concern even in normal times – but as nation-states and rogue security experts fight an escalating proxy war online, companies running affected devices must be aware of the risks of collateral damage even here in Australia.

Chinese cybercriminals, in particular, have been observed quickly taking advantage of new vulnerabilities to attack targets.

A Chinese government-aligned APT group called TA416, security firm Proofpoint recently warned, has been running phishing campaigns against European diplomatic, refugee and other targets for several years – with increasing frequency before and during the current conflict.

Each new vulnerability provides another arrow in the quiver of nation-state groups and cybercriminal gangs, which regularly mobilise to exploit new vulnerabilities before businesses can patch them.

Aubrey Perin, lead nation-state threat intelligence analyst with Qualys, noted that China tapped the recent Log4j vulnerability within “mere hours following CISA’s advisory” to compromise government systems in two US states.

With recent analyses suggesting that 30 per cent of Log4j systems are still yet to be patched, Perin said, “organisations that continue to leave this flaw unaddressed are hitting the snooze button when it comes to the wake-up calls that China and other adversaries are delivering.”

The increasing cybercrime threat is, he added, “a critical point for inflection and a reminder that… while all eyes have been diverted to Russia and Ukraine, there are still other threats that are present and must be closely watched.”