What information and/or resources were compromised by this intrusion?
According to our investigation, no information was compromised. A database containing a limited set of user information (first/given name, last/surname, email address, usernames, and hashed/obfuscated passwords) was stored in a software container (using Docker) on the same server, parallel to the Atlassian Confluence container which was impacted.
When was this intrusion first discovered?
OpenHIE secretariat Regenstrief Institute was alerted of the vulnerability through our colleagues at Indiana University on the morning of Aug. 2, 2022. We immediately took action to remove access to the platform and have since done a thorough examination of the server and our processes.
Should I update my Wiki password?
All user passwords were “salted” and “hashed” using a cryptographically secure algorithm provided by Atlassian and not stored as plain text. Again, we do not believe any information was compromised. It does not hurt to update your password. You may do so via https://ohie.org/forgot. We always recommend you choose a strong password. Never re-use passwords across multiple services/websites.
What was the exact vulnerability?
The actors deployed crypto mining software using a known exploit in Atlassian Confluence. The vulnerability is identified as CVE-2022-26134.
How was the vulnerability addressed and what’s being done to fix it?
The exploit was patched prior to receiving notice of the intrusion. We recently rebuilt the Wiki on a new cloud server using a backup of the data to ensure no potentially corrupted software is retained. Out of an abundance of caution, system passwords and user admin credentials have been changed.
What’s being done to prevent something like this in the future?
We are further restricting access to user data and shortening the window in which we apply software updates. We are also investigating additional firewall and endpoint detection and response (EDR) software to monitor and address activity on the server.