1/13 Nothing can absolutely go wrong with privacy or people abusing this.. Oh wait. Lets do some OSINT. Maybe we can uncover some stuff for Maryland to show how unsolicited phone calls/mails/texts can be made more legit if you just were more.. official.
2/13 According to this FOX Baltimore article.. "..The innovative COVID Link platform uses medical data from the Chesapeake Regional Information System for our Patients (CRISP) and incorporates it into Salesforce" foxbaltimore.com/news/local/hog…
3/13 So what is CRISP? Simple google search should suffice. This landed me on crisphealth.org, with this picture as the landing page. lets poke around! 
4/13 Login Redirects to ulp.crisphealth.org. Quick dig and ipinfo call gives me some info on the host. Shodan shows 80 & 443 open, thankfully nothing exposed (so far) shodan.io/host/206.41.20…
5/13 Whats that wee little button at the top? user guide? Sure lets do it. Could be some useful stuff in here. Shows Amazon IP, check shodan. 22, 80 & 443 Open. Shodan reports a bunch of vulns on the Apache version, but those can be spotty. Let's keep moving
6/13 Alright, userguide doesnt look that good on my monitor. But theres a lot of interesting pages here. "User Access & Onboarding", "Points of Contacts" at the top, and "Documents" at the bottom. Internal docs can be used as a great pretext when you are phishing. Builds rapport
7/13 Access & Onboarding. Great info if I want to go after CRISP directly.. Lots of this info can convince a health employee of this DB that Im legit. Lets keep moving
8/13 "Data Types" page. Looks like a reduced version of a SQL DB/Relational DB. Always good to understand what to target if you have an internal doc explaining all the components of your system :)
9/13 Connected sites to CRISP. Even better for targeting and pretext. Now my target list has expanded out to all these participants! I even have a handy-dandy excel sheet download at the bottom.
10/13 A userguide available to the whole public on how to use a health record db.. probably not good. User Guides should be gated
11/13 Ha, training videos. They even have one on cybersecurity. I have a cardinal rule for security presentations: 1 meme per presentation or it diminishes the value. Looks like they used a meme on the title :)
12/13 Ugh. I hate this page the most! These are all word docs and forms with official letterhead. These are AWESOME to use to send out to people if you want to spearphish or attack. Embed with a macro using many open source tools, download a dropper and install your malware
13/13 Overall, Im supportive of doing things right during COVID-19. But these findings took me 30 mins to compile. If a motivated attacker wanted to go after MD citizens or connected hospitals.. they can enumerate ALL of this to get some great pretext resources.
