Healthcare Cybersecurity

DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a rise in cyberattacks by ‘Iranian regime actors.’

The warning from Christopher C. Krebs came as tensions are building between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels, and a U.S. surveillance drone was shot down as it flew over the Strait of Hormuz. Iran claims the drone was flying in its territory.

The U.S. responded with a planned air strike, although it was called off by President Trump due to the likely loss of life. However, a strike did take place in cyberspace. The U.S. Cyber Command has reportedly launched an attack on an Iranian spying group, Islamic Revolutionary Guard Corps, that is believed to have been involved in the mine laying operation. According to a recent report in the Washington Post, the cyberattacks disabled the command and control system that was used to launch missiles and rockets.

Iranian threat actors have also been highly active. There have been increasing numbers of cyberattacks on United States industries and government agencies.

While cyberattacks can take many forms, Iranian threat actors have increased attacks using wiper malware. In addition to stealing data and money, the threat actors use the malware to wipe systems clean and take down entire networks.

Iran is one of three countries rated by the United States as having highly capable threat actors involved in economic espionage and theft of trade secrets and proprietary data. Iranian hackers are more than capable of conducting devastating cyberattacks.

Iranian hackers were behind the SamSam ransomware attacks on healthcare providers and hackers working for the Iranian regime are believed to be responsible for the cyberattack on the Saudi Arabian oil firm Saudi Aramco in 2012. Shamoon wiper malware was used in that attack to wipe tens of thousands of devices.

The harm caused by these wiper attacks is considerable. In 2017, attacks using NotPetya wiper malware resulted in global financial losses of between $4 billion and $8 billion. The attack on the shipping firm Maersk resulted in losses of around $300 million. The attacks are also common. According to a recent report by Carbon Black, 45% of healthcare CISOs have experienced a wiper malware attack in the past 12 months.

The hackers may be highly capable, but they still use basic techniques and exploit common weaknesses to gain access to networks. These include phishing and spear phishing, social engineering, password spraying, and credential stuffing.

All of these attack methods can be blocked with basic cybersecurity measures such as enforcing the use of strong passwords, changing all default passwords, rate limiting logins, applying the rule of least privilege when setting permissions, implementing multi-factor authentication, closing unused ports, disabling RDP, prompt patching, adopting a robust backup strategy, and providing security awareness training to employees.
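Two of the controls listed above, rate limiting logins and spotting password spraying or credential stuffing before it succeeds, can be driven from ordinary authentication logs. The following is an added example (not code from the HIPAA Journal article or from CISA) that classifies failing sources as "spray" (one source, many accounts) or "brute_force" (one source, one account) and applies a simple per-source throttle. The log format, the IP addresses, the user names and the thresholds are all constructed for illustration.

```python
"""Classify failed-login patterns and throttle noisy sources.

Added example, not from the original article. The log format is invented:
"<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays one password across many accounts,
# 198.51.100.9 hammers a single account, 192.0.2.10 is a normal user who
# mistypes a password once.
SAMPLE_LOG = """\
2019-06-24T08:00:01 FAIL user=alice src=203.0.113.7
2019-06-24T08:00:03 FAIL user=bob src=203.0.113.7
2019-06-24T08:00:05 FAIL user=carol src=203.0.113.7
2019-06-24T08:00:07 FAIL user=dave src=203.0.113.7
2019-06-24T08:00:09 FAIL user=erin src=203.0.113.7
2019-06-24T08:00:11 FAIL user=frank src=203.0.113.7
2019-06-24T08:01:00 FAIL user=admin src=198.51.100.9
2019-06-24T08:01:02 FAIL user=admin src=198.51.100.9
2019-06-24T08:01:04 FAIL user=admin src=198.51.100.9
2019-06-24T08:01:06 FAIL user=admin src=198.51.100.9
2019-06-24T08:01:08 FAIL user=admin src=198.51.100.9
2019-06-24T08:01:10 FAIL user=admin src=198.51.100.9
2019-06-24T08:02:00 OK user=alice src=192.0.2.10
2019-06-24T08:05:00 FAIL user=alice src=192.0.2.10
2019-06-24T08:05:30 OK user=alice src=192.0.2.10
"""


def parse(log_text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     fail_threshold=5, spray_min_users=5):
    """Return {src: verdict} for every source that produces at least
    fail_threshold failures inside any sliding window of length `window`.
    'spray' = the failures are spread over many distinct accounts,
    'brute_force' = they are concentrated on one or a few accounts."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e)
    verdicts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= fail_threshold:
                users = {e["user"] for e in burst}
                verdicts[src] = ("spray" if len(users) >= spray_min_users
                                 else "brute_force")
                break
    return verdicts


def login_allowed(events, src, now, limit=5, window=timedelta(minutes=10)):
    """Per-source rate limit: refuse a new attempt from `src` once it has
    made `limit` failed attempts in the trailing `window` before `now`."""
    recent = [e for e in events
              if e["src"] == src and not e["ok"]
              and now - window <= e["ts"] <= now]
    return len(recent) < limit


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, verdict in classify_sources(evs).items():
        print(f"{src}: {verdict}")
```

A spray is distinguished from a brute-force attempt by counting distinct accounts inside the burst, which matters for response: a spray is normally blocked at the source, while a brute-force run on one account also calls for checking that the targeted account was not compromised. Per-account lockout alone does not stop a spray, because each account sees only one or two failures.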

Krebs warned that all U.S. industries, government agencies, and businesses should be alert to the risk of cyberattacks. “If you suspect an incident, take it seriously and act quickly,” said Krebs.

The post DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors appeared first on HIPAA Journal.

Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are managing to find and exploit vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second worst ever months for healthcare data breaches in terms of the number of breaches reported.

Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches.

Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals.

The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers.

Servers house essential programs that are used across the healthcare organization. As a central repository of programs and data, they are an attractive target for hackers. Once access has been gained, data can be viewed, copied, altered, or deleted, systems can be sabotaged, and healthcare organizations can be subjected to extortion using ransomware.

CCI performed a risk analysis to determine high and critical risks facing health systems and hospitals. CCI determined 63% of all identified risks were related to the failure to adequately address vulnerabilities in servers.

The high number of server-related data breaches clearly shows that those flaws are being exploited by hackers to gain access to healthcare networks.

According to CCI, one of the most common server vulnerabilities is the failure to keep on top of user account management. When employees leave the company their accounts must be deleted. Dormant accounts are a major risk and are often used by malicious actors to access systems and mask their activities. CCI notes the risk increases with the number of accounts that are left dormant. The longer those accounts are left open, the greater the likelihood that at least one will be used for illicit or malicious purposes.

To address this risk, security controls should be implemented that automatically disable or delete accounts when the HR department changes the status of an employee. If that is not possible, CCI recommends conducting frequent, periodic reviews to ensure all unused accounts are disabled.

In an ideal world, an account would be disabled instantly. In practice, CCI recommends having the systems, policies, and procedures in place to ensure no account remains open for more than 48 hours after it is no longer required.

Reviews of system activity logs should also be conducted to determine whether dormant accounts have been used inappropriately or if any actively used accounts have been compromised or are being misused.

Excessive permissions on user accounts are another serious server vulnerability. Excessive permissions can result in accidental or deliberate access, alteration, or deletion of data. The failure to restrict access rights is also a violation of the HIPAA principle of least privilege.

CCI reports that the risk of excessive user permissions is highest in organizations that do not regularly review user permissions (43.6%), perform user activity reviews (43.6%), or when there is a lack of proper user account management (43.1%).

Regular reviews of user activity will help healthcare organizations to quickly identify anomalies in user data that could be indicative of account misuse or a cyberattack. The frequency of those reviews should be dictated by several factors, including staff turnover and the number of users. CCI suggests user permission and user activity log reviews at least every quarter for an organization with 100 or more users.
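The account-management and permission-review controls described above (the 48-hour closure target for accounts that are no longer required, dormant-account detection, log review for use of accounts that should be closed, and periodic review of permissions against actual use) can be implemented as a single scheduled review over an HR feed, a directory export and an access log. The following is an added example, not code from the HIPAA Journal article or from Clearwater CCI. The HR feed, directory export, access log, permission names (`ehr.read`, `billing.export`, ...) and the 90-day dormancy and review periods are all constructed for illustration; only the 48-hour figure comes from the text.

```python
"""Account-lifecycle review: stale terminated accounts, dormant accounts,
post-separation activity, and granted-but-unused permissions.

Added example, not from the original article or from CCI. All data below
is constructed; the 48-hour closure target is the one CCI recommends.
"""
from datetime import datetime, timedelta

NOW = datetime(2019, 6, 20, 12, 0)        # constructed review time
CLOSE_WITHIN = timedelta(hours=48)        # CCI target after an account is no longer needed
DORMANT_AFTER = timedelta(days=90)        # constructed dormancy threshold

# Constructed HR feed: user -> separation timestamp (None = still employed)
HR_STATUS = {
    "alice": None,
    "bob": datetime(2019, 6, 19, 9, 0),    # left 27 h ago: still inside the window
    "carol": datetime(2019, 5, 1, 17, 0),  # left weeks ago
    "dave": None,
    "erin": datetime(2019, 6, 1, 17, 0),
}

# Constructed directory export: user -> (enabled, last logon, granted permissions)
DIRECTORY = {
    "alice": (True, datetime(2019, 6, 20, 8, 0), {"ehr.read", "ehr.write", "billing.export"}),
    "bob":   (True, datetime(2019, 6, 18, 16, 0), {"ehr.read"}),
    "carol": (True, datetime(2019, 6, 15, 2, 30), {"ehr.read", "admin.users"}),
    "dave":  (True, datetime(2019, 2, 1, 9, 0), {"ehr.read"}),
    "erin":  (False, datetime(2019, 5, 31, 14, 0), {"ehr.read"}),
}

# Constructed access log: (timestamp, user, permission exercised)
ACCESS_LOG = [
    (datetime(2019, 6, 20, 8, 0), "alice", "ehr.read"),
    (datetime(2019, 6, 20, 8, 5), "alice", "ehr.write"),
    (datetime(2019, 6, 18, 16, 0), "bob", "ehr.read"),
    (datetime(2019, 6, 15, 2, 30), "carol", "admin.users"),  # six weeks after separation
]


def stale_terminated(now=NOW):
    """Accounts still enabled more than CLOSE_WITHIN after HR separation."""
    return sorted(u for u, left in HR_STATUS.items()
                  if left is not None and DIRECTORY[u][0]
                  and now - left > CLOSE_WITHIN)


def dormant(now=NOW):
    """Enabled accounts with no logon inside DORMANT_AFTER."""
    return sorted(u for u, (enabled, last, _) in DIRECTORY.items()
                  if enabled and now - last > DORMANT_AFTER)


def post_separation_activity():
    """Access-log entries made by a user after their HR separation date:
    the 'dormant account used' case the text warns about."""
    return sorted((u, ts) for ts, u, _ in ACCESS_LOG
                  if HR_STATUS.get(u) is not None and ts > HR_STATUS[u])


def unused_permissions(now=NOW, period=timedelta(days=90)):
    """Granted permissions that were never exercised in the review period,
    per enabled account: candidates for revocation under least privilege."""
    used = {}
    for ts, u, perm in ACCESS_LOG:
        if now - ts <= period:
            used.setdefault(u, set()).add(perm)
    return {u: sorted(perms - used.get(u, set()))
            for u, (enabled, _, perms) in DIRECTORY.items()
            if enabled and perms - used.get(u, set())}


if __name__ == "__main__":
    print("enabled > 48h after separation:", stale_terminated())
    print("dormant:", dormant())
    print("activity after separation:", post_separation_activity())
    print("granted but unused:", unused_permissions())
```

Running this quarterly (CCI's suggested cadence for 100+ users) gives three actionable lists: accounts to disable immediately, accounts to investigate because they were used after the owner left, and permissions to revoke because nobody exercised them. Note that "bob" is not flagged even though he has left: the review runs inside the 48-hour window, which is exactly why an automated HR-triggered disable is preferable to a periodic review.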


May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|------|------------------------|---------------------|----------------------|----------------|
| 1 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 2 | Talley Medical Surgical Eyecare Associates, PC | Healthcare Provider | 106,000 | Unauthorized Access/Disclosure |
| 3 | The Union Labor Life Insurance Company | Health Plan | 87,400 | Hacking/IT Incident |
| 4 | Encompass Family and Internal Medicine Group | Healthcare Provider | 26,000 | Unauthorized Access/Disclosure |
| 5 | The Southeastern Council on Alcoholism and Drug Dependence | Healthcare Provider | 25,148 | Hacking/IT Incident |
| 6 | Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center | Healthcare Provider | 16,819 | Hacking/IT Incident |
| 7 | Takai, Hoover, and Hsu, P.A. | Healthcare Provider | 16,542 | Unauthorized Access/Disclosure |
| 8 | Hematology Oncology Associates, PC | Healthcare Provider | 16,073 | Hacking/IT Incident |
| 9 | Acadia Montana Treatment Center | Healthcare Provider | 14,794 | Hacking/IT Incident |
| 10 | American Baptist Homes of the Midwest | Healthcare Provider | 10,993 | Hacking/IT Incident |

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size was 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

Causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks. Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHI (May 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states. Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities based in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed to two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.


High and Critical Severity Vulnerabilities Identified in Certain BD Alaris Gateway Workstations

Two vulnerabilities have been identified in certain Becton Dickinson (BD) infusion pumps. One of the vulnerabilities is rated critical and has been given the maximum CVSS v3 score of 10 out of 10.

BD has a history of proactively searching for vulnerabilities, addressing cybersecurity issues, and communicating details of the vulnerabilities in a timely fashion. BD voluntarily disclosed the two vulnerabilities in recent security bulletins and shared details of the flaws with Information Sharing and Analysis Organizations (ISAOs). In this instance, the vulnerabilities were discovered by Elad Luz of CyberMDX and reported to BD. The Department of Homeland Security’s Industrial Control System Computer Emergency Response Team (ICS-CERT) has also issued a security advisory about the flaws.

Both flaws affect BD Alaris™ Gateway Workstations, but not any gateway workstations that are sold or used in the United States. The affected devices are used in around 50 countries, mostly in Europe, in Germany, Spain, the Netherlands, and the United Kingdom. The vulnerabilities affect fewer than 3,000 devices in each country, and fewer than 1,000 in some. The flaws affect older firmware versions. The latest versions of the firmware – 1.3.2 and 1.6.1 – are not affected.

No reports have been received to suggest the vulnerabilities have been exploited in the wild, but due to the seriousness of the flaws, affected users are advised to upgrade to the latest version of the firmware and take the recommended steps to mitigate the vulnerabilities.

Information Exposure Vulnerability – High Severity

An improper access control vulnerability has been identified that could be exploited on a vulnerable Gateway Workstation that is used in its standalone configuration. If an attacker discovered the IP address of the workstation terminal it would be possible to gain access to the web user interface and gain read-only access to information such as monitoring, configuration, event logs and the user guide. The vulnerability is being tracked as CVE-2019-10962 and has been assigned a CVSS v3 base score of 7.3 out of 10 – high severity.

Vulnerable versions are:

  • 0.13
  • 1.3 Build 10
  • 1.3 MR Build 11
  • 1.5
  • 1.6
Unrestricted Upload of Unauthorized Firmware – Critical Severity

A critical vulnerability has been identified that could be exploited by an attacker to upload unauthorized firmware to a compromised device. If successfully exploited an attacker could gain control of the device and its functions, including the infusion rate, dosage, and could even stop infusions entirely. It would also be possible to silence devices to prevent any alerts from being generated.

According to ICS-CERT, “Exploitation of these vulnerabilities could allow unauthorized arbitrary code execution, which could allow an attacker to view and edit device status and configuration details as well as cause devices to become unavailable.”

The flaw is tracked as CVE-2019-10959 and has been assigned a CVSS v3 base score of 10 out of 10 – Critical severity.

Exploitation of the flaw would require access to first be gained to the hospital network. A vulnerable device would need to be located, and the attacker would need to have intimate knowledge of the product. An attacker would also need to be able to update and manipulate a CAB file.

A custom file would need to be developed that could run in a CE environment, an attacker would need to correctly use the internal communications protocols and create a specific installer for the manipulated CAB file and set it to run the program. The complicated nature of the attack and knowledge and skill required make this a difficult vulnerability to exploit.

The dangerous file upload vulnerability affects the following firmware versions:

  • 1.3 Build 10
  • 1.3 MR Build 11
  • 3.0 Build 14
  • 3.1 Build 13

It also affects the following products if they are running software version 2.3.6:

  • Alaris GS
  • Alaris GH
  • Alaris CC
  • Alaris TIVA

The information disclosure vulnerability can be fully mitigated by updating to the latest firmware version. BD also recommends restricting access to the devices and isolating their network from untrusted systems.

The dangerous file upload vulnerability can be addressed by updating to the latest firmware version. If this is not possible, BD will be issuing a patch within 60 days.

BD also recommends blocking the SMB protocol, segregating the VLAN network, using access controls, and restricting the number of associates who have access to the customer network.


HHS One of Three Departments in Most Critical Need of IT Modernization

The Government Accountability Office (GAO) has published the findings of an audit of federal government IT that runs on legacy systems. The aim of the audit was to determine the extent to which legacy software and systems are in use, and which departments are in most critical need of modernization.

In total, 65 federal agency systems were assessed at 24 different agencies to produce a list of the top ten systems in need of modernization. GAO then assessed the agencies’ plans to update their systems and measured those plans against IT modernization best practices.

The Department of Health and Human Services (HHS) was in the top three departments in need of modernization, behind the Department of Education (DoE) and the Department of Defense (DoD). Only three departments were deemed to have both high system criticality and a high security risk: HHS, DoE, and the Department of Homeland Security.

The level of modernization required by HHS is considerable. One legacy system is 50 years old yet is still being extensively used to support clinical and patient administrative activities. GAO was unable to get an accurate gauge of the age of the systems in HHS. That unknown contributed to the high security risk rating.

The HHS is still using systems that have been written in C++ and MUMPS, both of which are legacy languages. One of the problems faced by the HHS is finding programmers who can code in MUMPS, a clear sign that modernization is desperately needed.

The system has been developed to include a further 50 modules and is installed and used on hundreds of computers in many different configuration variations. The system is invaluable, but cumbersome and difficult to develop and maintain.

GAO notes that the continued use of legacy infrastructure and software invariably involves a greater maintenance cost and the systems are exposed to more cybersecurity risks. Modernization is essential for managing those risks and improving efficiency and the effectiveness of the system.

While there are plans to modernize IT in most government departments, the HHS has yet to document a plan for modernizing IT. “When deciding to modernize a legacy system, [HHS] considers the degree to which core mission functions of the agency or other agencies are dependent on the system.” It is understandable why such an update has been put off.

Until a modernization plan is developed and implemented, which incorporates IT modernization and security best practices, the department “will have an increased risk of cost overruns, schedule delays, and project failure,” wrote GAO.

The HHS has recognized the issues raised by GAO and is keen to update its technical architecture and infrastructure, which continues to present many difficult challenges. A contract has been awarded to a third party to research how the HHS can modernize its systems in stages over the course of a year. Once that report has been received, HHS will develop its modernization plan, which it hopes to implement in 2020.

The HHS has one of the largest IT budgets of any government agency. Modernization has potential to reduce that cost, but GAO noted that the modernization will require a considerable capital investment and it is unclear when and if the modernization will actually lead to cost savings.


Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape

A recent report from Carbon Black has revealed 66% of healthcare organizations have experienced a ransomware attack in the past year and 45% experienced an attack in which data destruction was the main motivation.

The figures come from Carbon Black’s latest report: Healthcare Cyber Heists in 2019. Carbon Black sought input from 20 industry leading CISOs and questioned them about the cyberattacks they had experienced in the past year, the tactics used in the attacks, and how the threat landscape is evolving.

Last year was a record-breaking year for healthcare data breaches and attacks are continuing at an unprecedented level. April 2019 was the worst ever month for healthcare data breaches with 46 major breaches (500+ records) reported to the HHS’ Office for Civil Rights.

“The potential, real-world effect cyberattacks can have on healthcare organizations and patients is substantial,” explained Rick McElroy, Carbon Black’s Head of Security Strategy and co-author of the report. “Cyber attackers have the ability to access, steal and sell patient information on the dark web. Beyond that, they have the ability to shut down a hospital’s access to critical systems and patient records, making effective patient care virtually impossible.”

83% of surveyed CISOs believe there has been an increase in cyberattacks over the past 12 months and 66% of CISOs think attacks have grown in sophistication in the past year.

Two thirds of surveyed organizations have had to deal with an attempted ransomware attack in the past 12 months. A variety of ransomware variants were used although Kryptik/GenKryptik ransomware variants were most common and were used in 74% of attacks.

Almost half of respondents experienced a data destruction attack. These attacks involved the destruction of data in an attempt to paralyze business operations. The attacks are commonly associated with nation-state sponsored hacking groups in Russia, China, and North Korea.

While there were many different methods used to attack healthcare organizations, one of the most common was the use of Excel spreadsheets containing macro-enabled PowerShell to download malware.

One third of CISOs said they had experienced an ‘island hopping’ attack in the past year. This is where hackers have compromised a third party and used it to attack their organization. For example, an attack via partner-provisioned Virtual Desktop Infrastructure access, VPNs, or private network links. One third of CISOs also said counter incident response tactics were used by the hackers to prevent mitigation of a breach and to try to maintain persistent access.

CISOs were also asked about their biggest concerns. Compliance was the most stated area of concern (33%) followed by budget restrictions (22%), loss of patient data (16%), and vulnerable devices (16%).

Compliance as the main concern is worrying. It suggests healthcare organizations believe that becoming compliant with HIPAA equates to robust cybersecurity when that is not the case. Compliance with HIPAA only means an organization has achieved a baseline level of security. Many healthcare organizations that were HIPAA-compliant have still experienced data breaches. It is important for compliance to be viewed as a starting point in an organization’s security program. Once HIPAA compliant, security programs must be developed further.

The report shows organizations have realized the importance of staff security awareness training, not just for compliance but for improving security posture. 84% of organizations provide staff security awareness training at least annually with 45% providing more frequent training sessions.

When asked to rate their security posture, most CISOs believed there was still considerable room for improvement. 74% gave their organization a B or less (25% B, 16% B-, 33% C).

While the majority of organizations that engage in threat hunting say that it has significantly improved their cybersecurity posture, only one third of respondents said they had a threat hunting team. Carbon Black notes that threat hunting is no longer reserved for the security elite. Threat hunting software is available to help businesses of all sizes gain better visibility and find and address threats before they result in a data breach.


Fresh BlueKeep Warning Issued by Microsoft: Public Exploits Exist and Attacks Imminent

Microsoft has issued a fresh warning about the recently discovered BlueKeep vulnerability in Remote Desktop Services (CVE-2019-0708) following the online publication of proof-of-concept exploits for the flaw.

Microsoft released fixes for the flaw on May 14, 2019. As was the case with the vulnerability that was exploited in the WannaCry ransomware attacks in 2017, patches were also released for unsupported Windows versions.

The vulnerability is critical and could be exploited remotely via Remote Desktop Protocol (RDP) without any user interaction required. As one security researcher has shown, finding devices that have not been patched is far from difficult. Robert Graham of Errata Security performed a scan of the internet and found almost 1 million devices that have still not had the patch applied or been protected using Microsoft’s recommended mitigations. Graham is not the only person to have performed scans for vulnerable devices. There has been a major increase in scans in recent days. It appears that cybercriminals are preparing for attacks.

The fresh warning is an unusual step for Microsoft to take. It has satisfied its obligations through the release of patches and has even issued patches for unsupported Windows versions. The decision to release a further warning was due to the growing risk of exploitation of the vulnerability. Several security firms claim to have developed exploits for the flaw and proof-of-concept exploit code has now been leaked online. Microsoft is confident that viable exploits exist for the vulnerability.

Several people have posted fake PoC code for the vulnerability online, although security researcher Chase Dardaman tested one public DoS PoC for BlueKeep which he confirmed to be genuine.

“It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods,” said Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) in a recent TechNet blog post. “If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.”

It took just two months from the MS17-010 patch being released before the global WannaCry ransomware attacks were conducted using the EternalBlue exploit. Yet even with major attacks occurring, many organizations still failed to take action. Now two years on, WannaCry ransomware attacks are still occurring and patches still are not being applied. One report last week indicated 40% of healthcare organizations have been attacked with WannaCry in the past 6 months and the attacks show no sign of stopping.

The latest flaw does not affect Windows 8 and Windows 10, but older Windows versions – Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008 – are vulnerable. Many businesses have upgraded to Windows 10, but legacy Windows operating systems are still extensively used in healthcare, at least on some devices.

The advice from Microsoft has not changed. “We strongly advise that all affected systems should be updated as soon as possible,” said Pope. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.”

The NSA has also issued an alert via its Central Security Service division in an attempt to prevent another global malware attack like WannaCry, which used the NSA-developed EternalBlue exploit.


40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months

Healthcare organizations have been slow to correct the flaw in Remote Desktop Services that was patched by Microsoft on May 14, 2019, but a new report from cybersecurity firm Armis has revealed many healthcare organizations have still not patched the Windows Server Message Block (SMB) flaw that was exploited in the WannaCry ransomware and NotPetya wiper attacks in May and June 2017.

The WannaCry attacks served as a clear reminder of the importance of prompt patching. Microsoft released patches for the vulnerability in March 2017. On May 12, 2017, the WannaCry ransomware attacks started. In the space of just a few days, more than 200,000 devices were infected in 150 countries.

The hackers behind the attack used the NSA exploits EternalBlue and DoublePulsar to spread the malware across entire networks. The National Health Service (NHS) in the UK was hit particularly badly due to the extensive use of legacy systems and the failure to apply patches promptly. Around one third of NHS Trusts in the UK were affected, 19,000 appointments had to be cancelled at a cost of around £20 million, and the cleanup cost was around £72 million.

Globally, the attacks are estimated to have cost $4 billion, with $325 million of that amount paid in ransoms to recover files that were encrypted by the ransomware.

WannaCry is still active and is being used in attacks around the globe, even though the attacks could be prevented by applying Microsoft’s MS17-010 patch.

According to the Armis report, around 40% of healthcare delivery organizations have experienced at least one WannaCry ransomware attack in the past 6 months. It is a similar story in manufacturing, where 60% of companies in the sector have experienced at least one attack in the past 6 months.

The problem is the continued reliance on legacy software. “In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling,” said Armis VP of research, Ben Seri.

Searches on the Shodan search engine showed around 1.7 million devices are still vulnerable to attack, even though patches were released by Microsoft more than 2 years ago. Those devices are being attacked at an alarming rate.

According to Armis, attacks are taking place in 103 countries at a rate of around 3,500 devices per hour. Seri determined that around 145,000 devices are currently compromised.

Thanks to the identification and activation of a kill switch in May 2017, it was possible to prevent encryption, even on devices that had been compromised. While that prevented many organizations from having to pay the ransom, it did not mean the threat had been neutralized entirely. Several variants of the ransomware are now in use, some of which lack the kill switch.

In Q3 2018, 30% of all ransomware attacks involved WannaCry, and the United States had the highest number of attacks. In the United States, around 130,000 new attacks are conducted every week.

All it takes is for one device to be infected with WannaCry. That device can then be used to move laterally and infect many other vulnerable devices on the network through the use of the DoublePulsar exploit.

The failure to apply patches due to having to rebuild systems is not the only problem. Seri explained that healthcare organizations often have a large number of unmanaged devices. Security agents have been turned off or uninstalled out of frustration, unsanctioned devices are connected to the network, and many IoT devices are allowed to connect to the network, even though they cannot have security agents installed. This creates a major blind spot for IT teams who are unable to monitor those devices and, in many cases, they have zero visibility into their existence.

Preventing attacks is straightforward in theory, but time consuming and complicated in practice. Patches must be applied, even though that process is difficult and time consuming. It is essential for IT teams to maintain an asset inventory of all devices that connect to the network, to monitor those devices, and to monitor the network for other unknown, suspicious, or misplaced devices.

Solutions also need to be implemented that monitor and protect unmanaged devices that lack security controls. “Healthcare and manufacturing environments are rampant with such devices from MRIs to infusion pumps to ventilators to industrial control devices, robotic arms, HMIs, PLCs, etc. Without such solutions, these devices, and consequently your entire network, are sitting ducks for any hacker,” explained Seri.

According to Seri, 70% of devices in healthcare are running old operating systems such as Windows 7. Seri points out that Windows 7 will reach end of life in 2020 and will no longer be supported, which will leave the healthcare industry even more vulnerable to attack.

The latest patch for the flaw in RDS is also not being applied, even though the flaw can be exploited remotely with no user interaction required in a WannaCry-style attack. As Seri explained, many organizations will not consider patching until an exploit is developed and attacks commence. Of course, by then, it may be too late.

The post 40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months appeared first on HIPAA Journal.

Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw

More than two weeks after Microsoft issued a patch for a critical, wormable flaw in Remote Desktop Services, nearly 1 million devices have yet to have the patch applied and remain vulnerable. Those devices have also not had the recommended mitigations implemented to reduce the potential for exploitation of the flaw.

The vulnerability – CVE-2019-0708 – can be exploited remotely with no user interaction required and could allow a threat actor to execute arbitrary code on a vulnerable device, view, change, or delete data, install programs, create admin accounts, and take full control of the device. It would also be possible to then move laterally and compromise other devices on the network. Microsoft has warned that the vulnerability could be exploited via RDP and could potentially be used in another WannaCry-style attack.

Microsoft released patches for the vulnerability on May 14 and, due to the seriousness of the flaw, the decision was taken to also release patches for unsupported Windows versions. The flaw affects Windows XP, Windows 7, Windows 2003, Windows Server 2008, and Windows Server 2008 R2. Patches are available for all vulnerable systems.

Microsoft also detailed mitigations that could be implemented if the patch could not be promptly applied.

  • Disable RDP from outside the organization and limit its use internally
  • Block TCP port 3389 at the firewall
  • Implement Network Level Authentication (NLA)
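As an added example that is not part of the HIPAA Journal post or Microsoft's own guidance, the following PowerShell script audits a Windows host against those three mitigations and then applies them. It assumes it is run as Administrator on Windows 7 / Server 2008 or later (Windows XP lacks `netsh advfirewall`), that the firewall's default inbound policy is Block, and that the management subnet and the patch KB numbers are placeholders to be filled in from Microsoft's advisory for CVE-2019-0708.

```powershell
# Added example, not from HIPAA Journal or Microsoft. Run as Administrator.
# Placeholders: fill the subnet and the KB IDs from the CVE-2019-0708 advisory.
param(
    [string]$ManagementSubnet = '10.0.0.0/24',   # placeholder admin network
    [string[]]$PatchKBs = @('KB-PLACEHOLDER')    # placeholder KB list
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off on this host
    $rdpEnabled  = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required, so an unauthenticated client
    # never reaches the pre-authentication RDP code path that BlueKeep sits in
    $nlaRequired = (Get-ItemProperty $rdpTcp).UserAuthentication -eq 1
    # netstat exists on every affected Windows version; 3389 is the RDP port
    $listening   = [bool](netstat -an | Select-String ':3389\s+\S+\s+LISTENING')
    $patched     = $false
    foreach ($kb in $PatchKBs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $patched = $true }
    }
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        RdpEnabled    = $rdpEnabled
        NlaRequired   = $nlaRequired
        PortListening = $listening
        Patched       = $patched
        # reachable and unpatched; without NLA no credentials are needed at all
        Exposed       = $rdpEnabled -and $listening -and -not $patched
        ExposedNoAuth = $rdpEnabled -and $listening -and -not $patched -and -not $nlaRequired
    }
}

function Set-RdpMitigations {
    # Mitigation 3: require NLA for new RDP-Tcp sessions
    Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # Mitigations 1 and 2: allow TCP 3389 only from the management subnet.
    # netsh is used because Windows 7 / Server 2008 lack the NetSecurity cmdlets.
    # Windows Firewall evaluates block rules before allow rules, so rather than a
    # global block we disable the built-in "Remote Desktop" allow group and add one
    # scoped allow; the default inbound policy (assumed Block) drops the rest.
    netsh advfirewall firewall set rule 'group="Remote Desktop"' new enable=no | Out-Null
    netsh advfirewall firewall add rule 'name="RDP from management subnet only"' `
        dir=in action=allow protocol=TCP localport=3389 remoteip=$ManagementSubnet | Out-Null
}

Get-RdpExposure | Format-List
```

Run it once to review the audit output, then call `Set-RdpMitigations` on hosts that report `Exposed` as true; the built-in rule group name is the English one, so adjust it on localized installs.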

Due to the seriousness of the flaw, Robert Graham of Errata Security conducted a scan to determine how many devices had not yet been patched. Graham used the masscan port scanner and an additional scanning tool to scan the internet for systems that were still vulnerable to BlueKeep. Some 7 million systems were identified that had port 3389 open, and 950,000 of those systems had not had the patch applied. All of those systems are vulnerable to attack, and if a worm-like exploit is developed, every one could be compromised.

While an exploit for the vulnerability does not appear to be in use in the wild as of yet, it is only a matter of time before one is developed and used to attack vulnerable devices. Several security firms claim to have already developed a workable exploit for the vulnerability, although they have not released that exploit publicly.

Graham has predicted an exploit will be developed by a threat actor and used in real world attacks in the next couple of months, although attacks could take place much sooner. Some evidence has already been found which suggests hackers are already searching for vulnerable devices. GreyNoise Intelligence identified several dozen hosts that are being used to scan the internet for unpatched devices.

All it takes is for one device to remain vulnerable to give an attacker a foothold in the network, after which many more devices could be compromised even if they are not vulnerable to BlueKeep.

Any healthcare organization that has yet to apply the patch or implement the recommended mitigations should do so as soon as possible to prevent the vulnerability being exploited.

0patch has also released a micropatch that can be applied to always-on servers, which means they can be protected without having to reboot the servers.

The post Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw appeared first on HIPAA Journal.