Healthcare Cybersecurity

Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks

On May 13, 2021, President Biden signed an expansive Executive Order that aims to significantly bolster cybersecurity protections for federal networks, improve threat information sharing between the government, law enforcement and the private sector, and introduce a cyber threat response playbook to accelerate incident response and mitigation.

The 34-page Executive Order includes short time frames for making significant improvements to cybersecurity, with all elements of the Executive Order due to be implemented within the next 360 days and the first elements due in 30 days. The Executive Order was penned following a series of damaging cyberattacks that impacted government departments and agencies, such as the SolarWinds Orion supply chain attack and attacks on Microsoft Exchange Servers. The recent DarkSide ransomware attack on Colonial Pipeline served as yet another reminder of the importance of improving cybersecurity, not just for the Federal government but also the private sector, which owns and operates much of the country’s critical infrastructure.

President Biden is planning to lead by example and is urging the private sector and critical infrastructure firms to follow the lead of the Federal government in improving resilience to cyberattacks and preparing for attacks to ensure that disruption to operational capabilities is kept to a minimum.

The key elements of the Executive Order on Improving the Nation’s Cybersecurity are:

  • Removing barriers to threat information sharing to make it easier for private sector companies to report threats and data breaches that could potentially have an impact on Federal networks.
  • Modernizing and implementing stronger cybersecurity standards in the Federal government. This includes widespread use of multifactor authentication, more extensive use of data encryption, the adoption of a zero-trust architecture, and a more rapid transition to secure cloud services.
  • The creation of a standard cyber incident response playbook. Government departments and agencies need to know, in advance, how to respond to threats. The playbook will ensure a rapid and uniform response to any cybersecurity incident.
  • Improvements to investigative and remediation capabilities. Detailed security event logs must be maintained by federal departments and agencies to ensure that cyberattacks can be easily investigated and remediated. Breach investigations have previously been hampered due to the lack of robust and consistent logging.
  • Improving software supply chain security. All software sold to the U.S. government will need to adhere to new security standards. Developers will be required to maintain greater visibility into their software solutions and make security data publicly available. The government will also launch a pilot “energy star” label program to demonstrate whether software was developed securely.
  • A Cybersecurity Safety Review Board will be created that consists of government and private sector leads that will meet following any significant security breach to analyze what has happened. Recommendations can then be made and implemented to ensure similar attacks are prevented in the future.
  • Improvements to cyber incident detection capabilities. A government-wide endpoint detection and response system will be implemented, along with robust intra-governmental information sharing.

“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” explained the Biden Administration in a statement about the Executive Order. “It is the first of many ambitious steps the Administration is taking to modernize national cyber defenses.”

The post Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks appeared first on HIPAA Journal.

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches was misdelivery of paper and electronic documents (36%), but this was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents. 32% of breaches involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.”

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity. 80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert about DarkSide ransomware in the wake of the attack on the fuel pipeline company Colonial Pipeline.

The cyberattack caused major disruption to fuel supplies to the East Coast. Colonial Pipeline was forced to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline which supplies diesel, gasoline, and jet fuel to the U.S. East Coast. The four main pipelines were shut down over the weekend, and while smaller pipelines were quickly restored, the main pipelines have remained shut down pending safety assessments. The pipelines transport around 2.5 million barrels of fuel a day and provide 45% of the East Coast’s fuel.

The attack affected Colonial Pipeline’s information technology network, but its operational technology network was not affected. The DarkSide ransomware gang issued a statement shortly after the attack explaining the attack was conducted purely for financial reasons and not for political reasons or to cause economic or social disruption. The group also said it would be vetting future ransomware attacks by its affiliates and partners to avoid social consequences in the future.

The joint advisory from CISA and the FBI includes technical details of the attack along with several mitigations to reduce the risk of compromise in DarkSide ransomware attacks and ransomware attacks in general. All critical infrastructure owners and operators are being urged to implement the mitigations to prevent similar attacks.

Previous attacks by DarkSide partners have gained initial access to networks via phishing emails and the exploitation of vulnerabilities in remotely accessible accounts and systems and Virtual Desktop Infrastructure. The group is known to use Remote Desktop Protocol (RDP) to maintain persistence. As with many other human-operated ransomware operations, prior to the deployment of ransomware the attackers exfiltrate sensitive data and threaten to sell or publish the data if the ransom is not paid.

Preventing DarkSide and other ransomware attacks requires steps to be taken to block the initial attack vectors. Strong spam filters are required to prevent phishing emails from reaching inboxes and multi-factor authentication should be enabled for email accounts to prevent the stolen credentials from being used. MFA should also be implemented on all remote access to operational technology (OT) and information technology (IT) networks. An end user training program should be implemented to train employees how to recognize spear phishing emails and to teach cybersecurity best practices.

Network traffic should be filtered to prohibit communications with known malicious IP addresses, and web filtering technology used to prevent users from accessing malicious websites. It is vital for software and operating systems to be kept up to date and for patches to be applied promptly. CISA recommends using a centralized patch management system and a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.

Access to resources over networks should be restricted, especially RDP, which should be disabled if not operationally necessary. If RDP is required, MFA should be implemented. Steps should also be taken to prevent unauthorized execution of code, including disabling Office Macros and implementing application allowlisting to ensure only authorized programs can be executed in accordance with the security policy.

Inbound connections from Tor exit nodes and other anonymization services to IP addresses and ports for which external connections are not expected should be monitored and/or blocked, and signatures should be deployed to block inbound connections from Cobalt Strike servers and other post-exploitation tools.

It may not be possible to block all attacks, so steps should be taken to limit the severity of a successful attack to reduce the risk of severe business or functional degradation. These measures include robust network segmentation, organizing assets into logical zones, and implementing regular and robust backup procedures.

You can view the alert and recommended mitigations here.

CISA Warns of FiveHands Ransomware Threat

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a new ransomware variant being used in attacks on a wide range of industry sectors, including healthcare.

So far, the threat group behind the attacks has mainly targeted small- to medium-sized companies, according to researchers at FireEye who have been tracking the activity of the threat group. It is currently unclear whether this is the work of a nation state-backed hacking group or a cybercriminal organization. FireEye is tracking the group as UNC2447.

The threat group was first identified conducting FiveHands ransomware attacks in January and February, mostly on businesses in healthcare, telecommunications, construction, engineering, education, real estate, and the food and beverage industries. The group has been targeting an SQL injection vulnerability in the SonicWall SMA 100 Series VPN appliance – CVE-2021-20016 – to gain access to business networks and is using a variety of publicly available penetration and exploitation tools in the attacks.

FiveHands is a novel ransomware variant that utilizes public key encryption called NTRUEncrypt. This ensures files encrypted cannot be decrypted without paying the ransom. Windows Volume Shadow copies are also deleted to hamper any attempts to recover data without paying the ransom. As with most other ransomware variants, sensitive data are identified and exfiltrated prior to file encryption and victims are pressured into paying the ransom with the threat of the exposure or sale of stolen data.

Once access to a network is gained, the attackers use SoftPerfect Network Scanner for discovery and netscan.exe to find hostnames and network services. The attackers use PsExec for executing programs, including the Microsoft Sysinternals remote administration tool Servemanager.exe, along with other publicly available pen testing tools such as routerscan.exe, grabff.exe for extracting stored Firefox passwords and authentication data, and rclone.exe and s3browser-9-5-3.exe for uploading and downloading files. The SombRAT Trojan is also utilized in attacks as a loader for executing batch and text files.

FiveHands ransomware is able to evade security solutions through the use of PowerShell and can download additional malicious payloads. Communications with the C2 server are via a Secure Sockets Layer tunnel and are AES encrypted, and allow the threat group to execute downloadable DLL plug-ins through the protected SSL session. CISA reports that the FiveHands malware itself only provides the framework, with functionality added through the DLL plugins which collect and exfiltrate system data such as operating processes, computer name, username, operating system version, local system time, and other key data.

CISA has offered several mitigations that can be implemented to strengthen security and block FiveHands ransomware attacks. Organizations that use the SonicWall SMA 100 Series VPN appliance should ensure the patch for the CVE-2021-20016 vulnerability is applied. SonicWall corrected the vulnerability in February.

Other recommendations include:

  • Maintaining up-to-date antivirus signatures and engines.
  • Disabling file and printer sharing services.
  • Restricting users’ permissions to install and run software applications.
  • Implementing multi-factor authentication (MFA), especially on VPN connections.
  • Decommissioning unused VPN servers.
  • Monitoring network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).
  • Exercising caution when opening email attachments.
  • Enabling personal firewalls on agency workstations.
  • Disabling unnecessary services on agency workstations and servers.
  • Monitoring users’ web browsing habits.
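As an added example that is not part of the CISA alert or of the article above, the following Go program applies two of the monitoring recommendations from this page to constructed firewall flow-log lines: the earlier DarkSide advisory's advice to watch inbound connections from Tor exit nodes to ports where external connections are not expected, and this list's advice to watch for administrative protocols (SSH, SMB, RDP) leaving for the internet. The log format, the IP addresses, the one-entry Tor exit-node list and the expected-port set are all assumptions made up for the example; a real deployment would feed the rules from the organisation's own flow logs and a refreshed exit-node list.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// FlowRecord is one parsed line of the constructed flow log:
// direction, source IP, destination IP, destination port, protocol name.
type FlowRecord struct {
	Direction string
	SrcIP     net.IP
	DstIP     net.IP
	DstPort   string
	Proto     string
}

// Alert is one detection result: the rule that fired and the offending line.
type Alert struct {
	Rule string
	Line string
}

// Constructed sample log in a simple "dir src dst port proto" format.
// All addresses are documentation/test ranges, not real indicators.
const sampleLog = `in 203.0.113.10 10.0.5.20 443 https
in 198.51.100.7 10.0.5.20 443 https
in 198.51.100.7 10.0.5.21 3389 rdp
out 10.0.5.30 192.0.2.55 445 smb
out 10.0.5.30 10.0.9.1 445 smb
out 10.0.5.31 192.0.2.56 22 ssh
out 10.0.5.31 192.0.2.80 443 https`

// torExitNodes stands in for a periodically refreshed Tor exit-node list
// (hypothetical entry for the example).
var torExitNodes = map[string]bool{"198.51.100.7": true}

// expectedInboundPorts are the ports where external connections are expected
// (assumed: only the public HTTPS service).
var expectedInboundPorts = map[string]bool{"443": true}

// adminProtocols should never be seen leaving for the public internet.
var adminProtocols = map[string]bool{"ssh": true, "smb": true, "rdp": true}

// privateNets holds the RFC 1918 ranges used to decide "internal vs internet".
var privateNets []*net.IPNet

func init() {
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, _ := net.ParseCIDR(cidr)
		privateNets = append(privateNets, n)
	}
}

func isPrivate(ip net.IP) bool {
	for _, n := range privateNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// parseLine turns one log line into a FlowRecord; malformed lines are skipped.
func parseLine(line string) (FlowRecord, bool) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return FlowRecord{}, false
	}
	src, dst := net.ParseIP(f[1]), net.ParseIP(f[2])
	if src == nil || dst == nil {
		return FlowRecord{}, false
	}
	return FlowRecord{Direction: f[0], SrcIP: src, DstIP: dst, DstPort: f[3], Proto: f[4]}, true
}

// Detect applies both rules to every line of the log and returns the alerts in order.
func Detect(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		r, ok := parseLine(line)
		if !ok {
			continue
		}
		switch r.Direction {
		case "in":
			// Rule 1: Tor exit node reaching a port that is not an expected public service.
			if torExitNodes[r.SrcIP.String()] && !expectedInboundPorts[r.DstPort] {
				alerts = append(alerts, Alert{Rule: "tor-exit-to-unexpected-port", Line: line})
			}
		case "out":
			// Rule 2: SSH/SMB/RDP to a non-private destination, i.e. out to the internet.
			if adminProtocols[r.Proto] && !isPrivate(r.DstIP) {
				alerts = append(alerts, Alert{Rule: "admin-protocol-to-internet", Line: line})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog) {
		fmt.Printf("%-30s %s\n", a.Rule, a.Line)
	}
}
```

Run against the constructed log, the program raises three alerts: the Tor exit node hitting RDP on 3389 (its earlier HTTPS connection on 443 is left alone, since that port is expected), and the two outbound SMB and SSH flows to public addresses (the SMB flow to 10.0.9.1 stays quiet because it is internal).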

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing, which had been the main cause of data breaches for the past 5 years, as the leading cause of healthcare data security incidents.

In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware.

This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors.

Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption, victims not only have to pay to recover their files, but also to prevent the exposure or sale of sensitive data. This new double extortion tactic has been very effective and data exfiltration prior to file encryption is now the norm. Throughout 2020, ransomware attacks continued to grow in frequency and severity.

BakerHostetler reports that the ransoms demanded and the number being paid increased dramatically in 2020, as did the number of threat groups/ransomware variants involved in the attacks. In 2019, there were just 15. In 2020, the number had grown to 75.

Out of the incidents investigated and managed by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. The largest ransom demand in 2019 was ‘just’ $18 million. Payments are often made to speed up recovery, ensure data are recovered, and to prevent the sale or exposure of data. In 2020, the largest ransom paid was more than $15 million – up from just over $5 million in 2019 – and the average ransom payment more than doubled from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average initial ransom demand was $4,583,090 with a median ransom demand of $1.6 million. The average payment was $910,335 (median $332,330), and the average number of individuals affected was 39,180 (median 1,270). The average time to acceptable restoration of data was 4.1 days and the average forensic investigation cost was $58,963 (median $25,000).

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of incidents resulted in theft of data that required notifications to be issued to individuals. 20% of victims made a payment to the attackers even though they were able to recover their data from backups.

When ransoms are paid, in 99% of cases the payment was made by a third party for the affected organization and in 98% of cases a valid encryption key was provided to allow data to be recovered. It took an average of 13 days from encryption to restoration of data.

Phishing accounted for 24% of all security incidents. Phishing attacks often led to network intrusion (33%), ransomware attacks (26%), data theft (24%), and Office 365 account takeovers (21%).

“In 2020 we saw a continued surge in ransomware as well as an increase in large supply chain matters, further stretching the capacity of the incident response industry,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group. “Organizations worked to quickly contain incidents – despite challenges in simply getting passwords changed and endpoint, detection and response tools deployed to remote workers.”

It is more common now for legal action to be taken by breach victims. The trend for lawsuits being filed when breaches impact fewer than 100,000 individuals continued to increase in 2020, which is driving up the data breach cost. HIPAA enforcement activity also continued at elevated levels, although in 2020 the majority of the financial penalties issued were for HIPAA Right of Access failures, rather than fines related to security breaches.

CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance to help organizations improve their defenses against software supply chain attacks.

The guidance document – Defending Against Software Supply Chain Attacks – explains the three most common methods that threat groups use in supply chain attacks along with in-depth recommendations for software customers and vendors for prevention, mitigation, and improving resilience against software supply chain attacks.

Like many supply chain attacks, the recent SolarWinds Orion attack involved hijacking the software update mechanism of the platform to deliver a version of the software with malicious code that provided the attackers with persistent access to the solution on more than 18,000 customers’ systems, with the attackers then cherry picking targets of interest for more extensive compromises. This was also the method used by the threat group behind the NotPetya wiper attacks in 2017. The software update mechanism used by a popular tax accounting software in Ukraine was hijacked to gain control of the software for use in destructive attacks.

It is also common for attackers to undermine the code signing process to hijack software update mechanisms to deliver malicious code. This is often achieved by self-signing certificates and exploiting misconfigured access controls to impersonate trusted vendors. CISA reports that the Chinese advanced persistent threat group APT41 commonly undermines code signing in its sophisticated attacks in the United States.
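As an added example, not code from CISA, NIST or any vendor named on this page, the Go program below shows the customer-side check that makes the two hijacking methods described above fail when an update is applied: the manifest signature is verified only against a vendor key pinned out of band, so a manifest carrying a self-signed key is rejected, and the package hash is compared with the signed value, so a swapped payload under a genuine manifest is rejected too. The manifest layout, the choice of Ed25519, and the payload strings are assumptions for illustration; the vendor-side Sign function exists only so the scenario is self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is what a (hypothetical) vendor ships next to an update
// package: version, package hash, a signature over both, and the key the
// signer claims to hold. The customer must never trust SignerKey itself.
type UpdateManifest struct {
	Version   string
	SHA256    string
	Signature []byte
	SignerKey ed25519.PublicKey
}

// manifestBytes is the exact byte string covered by the signature.
func manifestBytes(version, sha string) []byte {
	return []byte(version + "\n" + sha + "\n")
}

// Sign builds a manifest for pkg (vendor side; assumed format).
func Sign(priv ed25519.PrivateKey, version string, pkg []byte) UpdateManifest {
	sum := sha256.Sum256(pkg)
	sha := hex.EncodeToString(sum[:])
	return UpdateManifest{
		Version:   version,
		SHA256:    sha,
		Signature: ed25519.Sign(priv, manifestBytes(version, sha)),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the customer-side check. pinned is the vendor key obtained out of
// band (e.g. shipped with the initial install); the key embedded in the
// manifest is deliberately ignored, which is what defeats a self-signed manifest.
func Verify(pinned ed25519.PublicKey, m UpdateManifest, pkg []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature not from pinned vendor key")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match signed manifest")
	}
	return nil
}

// Scenario exercises three constructed cases and reports which are accepted.
func Scenario() (genuineOK, selfSignedOK, tamperedOK bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed update payload v2.1")
	genuine := Sign(vendorPriv, "2.1", pkg)
	genuineOK = Verify(vendorPub, genuine, pkg) == nil

	// Case 2: a trojanised package with a manifest self-signed by a key the
	// vendor never issued (constructed attacker key).
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	trojan := []byte("constructed update payload v2.1 + backdoor")
	selfSigned := Sign(attackerPriv, "2.1", trojan)
	selfSignedOK = Verify(vendorPub, selfSigned, trojan) == nil

	// Case 3: the genuine manifest is replayed but the package is swapped.
	tamperedOK = Verify(vendorPub, genuine, trojan) == nil
	return
}

func main() {
	g, s, t := Scenario()
	fmt.Println("genuine accepted:", g, "self-signed accepted:", s, "tampered accepted:", t)
}
```

Only the genuine case passes; the self-signed manifest fails at the signature step and the swapped payload fails at the hash step. The design point is that the verifier takes the trusted key as a parameter rather than reading it from the artifact being verified, which is the difference between checking a signature and checking that someone, anyone, signed.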

The third most common method used in supply chain attacks is to target publicly accessible code libraries and insert malicious code, which is subsequently downloaded by developers. In May 2020, GitHub, the largest platform for open source software, discovered 26 open source projects had been compromised as a result of malicious code being injected into open source software. Blocks of open source code are also commonly used in privately owned software solutions and these too can be easily compromised.

Software supply chain attacks are time consuming and resource intensive and usually require long-term commitment. While criminal threat actors have successfully conducted supply chain attacks, they are more commonly conducted by state sponsored advanced persistent threat groups that have the intent, capabilities, and resources for prolonged software supply chain attack campaigns.

These attacks can allow large numbers of organizations to be compromised by attacking just one. Organizations are vulnerable to these attacks as they give software vendors privileged access to their systems to allow them to operate effectively. Vendors need regular communication with installed software solutions to provide updates to improve security against emerging threats and to fix vulnerabilities. If a vendor is compromised, the attackers can bypass security measures such as firewalls and gain persistent access to all customers’ systems.

The guidance document provides several recommendations and tips for using NIST’s Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF). Organizations can greatly improve resilience to software supply chain attacks by operating software within a C-SCRM framework with a mature risk management program.

“A mature risk management program enables an organization to understand risks presented by ICT products and services, including software, in the context of the mission or business processes they support. Organizations can manage such risks through a variety of technical and non-technical activities, including those focused on C-SCRM for software and the associated full software lifecycle,” explained NIST.

The guidance details 8 best practices for establishing a C-SCRM approach and applying it to software:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  4. Understand the organization’s supply chain.
  5. Closely collaborate with key suppliers.
  6. Include key suppliers in resilience and improvement activities.
  7. Assess and monitor throughout the supplier relationship.
  8. Plan for the full lifecycle.

Even when this approach is adopted, it is not possible to prevent all supply chain attacks so it is essential for other steps to be taken to mitigate vulnerable software components.

Organizations should develop a vulnerability management program and reduce the attack surface through configuration management. This includes placing configurations under change control, conducting security impact analyses, implementing manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintaining an information system component inventory. Steps should also be taken to increase resilience to a successful exploit and limit the harm that can be caused to mission critical operations, personnel and systems in the event of a successful attack.

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%).

While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021 with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was not due to ransomware attacks but data exfiltration extortion attacks by the Clop ransomware gang.

The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site.

These attacks show that file encryption is not always necessary, with the threat of publication of stolen data often sufficient to ensure payment is made. Coveware notes that while exploitation of the vulnerabilities allowed data to be exfiltrated, it was not possible to deploy ransomware across victims’ networks, otherwise ransomware would most likely have also been used in the attacks.

The Clop ransomware gang was particularly active in Q1, 2020. The group often attacks large enterprises and demands huge ransoms and like many other ransomware gangs, steals data prior to file encryption and threatens to expose that data if payment is not made. These double extortion tactics have become the norm and most ransomware attacks now involve data exfiltration. In Q1, 77% of ransomware attacks involved data exfiltration up from 70% in Q4, 2020.

Ransomware victims may have no choice other than paying the ransom if they are unable to recover encrypted data from backups, but there are risks associated with paying the ransom demand, especially to prevent a data leak. There is no guarantee that data will be destroyed and could still be traded or sold to other threat groups after payment is made. Exfiltrated data may also be stored in multiple locations. Even if the threat actor destroys the data, third parties may still have a copy. Coveware notes that while data exfiltration has increased, a growing number of ransomware victims are electing not to give in to the attackers’ demands and are refusing to pay the ransom to prevent a data leak for these and other reasons.

“Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage.” – Coveware.

Many RaaS operations have increased the number of attacks by recruiting more affiliates, but some RaaS operations have struggled to scale up their operations. The Conti gang outsourced their chat operations which made negotiations and recoveries more difficult. The Lockbit and BlackKingdom gangs experienced technical difficulties which resulted in permanent data loss for some of their victims, and even the most prolific ransomware operation – Sodinokibi – experienced problems matching encryption keys with victims resulting in permanent data loss.

These technical problems show that even ransomware operations that intend to provide the keys to decrypt data are not always able to. Coveware also observed a worrying trend where ransomware gangs deliberately disrupt recovery after the ransom is paid. The Lockbit and Conti gangs were observed attempting to steal more data during the recovery phase and even attempting to re-launch their ransomware after victims have paid. Coveware notes that this kind of disruption was rare in 2020, but it is becoming more common. Technical issues and disruption to the recovery process have contributed to an increase in downtime due to an attack, which is up 10% in Q1 to 23 days.

In Q4, email phishing became the most common method of ransomware delivery, but Remote Desktop Protocol connections are once again the most common method of gaining access to victim networks. Phishing is still commonly used and is the method of attack favored by the Conti ransomware gang – the second most prevalent ransomware operation in Q1.

Exploitation of software vulnerabilities also increased, with unpatched vulnerabilities in Fortinet and Pulse Secure VPN appliances the most commonly exploited flaws. Coveware believes the majority of ransomware-as-a-service operators and affiliates do not exploit software vulnerabilities themselves; instead, they pay specialist threat actors for access to compromised networks. Those threat actors mostly target smaller organizations, with RDP the most common method of attack for larger organizations.

The post Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks appeared first on HIPAA Journal.

Best Practices for Network Defenders to Identify and Block Russian Cyber Operations

A joint cybersecurity advisory has been issued by the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) about ongoing cyber operations by the Russian Foreign Intelligence Service (SVR).

The advisory provides further information on the tactics, techniques, and procedures (TTPs) used by SVR hackers to gain access to networks and the stealthy intrusion tradecraft used to move laterally within compromised networks. Best practices have been shared to allow network defenders to improve their defenses, secure their networks, and conduct investigations to determine whether their systems have already been compromised.

The advisory follows on from an April 15, 2021 joint alert from the NSA, CISA, and FBI following the formal declaration by the U.S. Government that the SolarWinds supply chain attack was conducted by SVR cyber actors known as The Dukes, CozyBear, Yttrium, and APT29. The SVR operatives are primarily targeting government agencies, policy analysis organizations and think tanks, IT companies, and critical infrastructure companies to gather intelligence information.

Prior to 2018, SVR operatives were primarily using stealthy malware on victims’ networks but have now changed their focus to target cloud resources, including cloud-based email services such as Microsoft Office 365, as was the case with the SolarWinds supply chain attack.

System misconfigurations are exploited, and compromised accounts are used to blend in with normal traffic in cloud environments. The hackers are able to avoid detection more easily when attacking cloud resources as many organizations do not effectively defend, monitor, or even fully understand these environments.

The SVR operatives have previously used password spraying to guess weak passwords associated with administrative accounts. These attacks are conducted in a low and slow manner to avoid detection, such as attempting small numbers of passwords at infrequent intervals using IP addresses in the country where the target is located. Once administrator access is gained, changes are made to the permissions of email accounts on the network to allow emails to be intercepted. Once an account is compromised, it is typically accessed using a single IP address on a leased virtual private server. If a compromised account turns out to be of no use, its permissions are changed back to the original settings to minimize the possibility of detection.
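The low-and-slow spraying described above defeats per-account lockout thresholds, because each account only ever sees one or two failures; detection has to pivot on the source instead, looking for one address that touches many distinct accounts. The following is an added example (not from the advisory or from any vendor's product) that runs that check over a constructed authentication log; the log format, IP addresses, account names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory): one source tries one password
# per admin account, hours apart; a legitimate user mistypes once and succeeds.
SAMPLE_LOG = """\
2021-04-20T01:05:11Z fail user=admin01 src=198.51.100.7
2021-04-20T03:40:52Z fail user=admin02 src=198.51.100.7
2021-04-20T06:12:09Z fail user=admin03 src=198.51.100.7
2021-04-20T09:55:31Z fail user=admin04 src=198.51.100.7
2021-04-20T13:27:48Z fail user=admin05 src=198.51.100.7
2021-04-20T17:03:14Z fail user=admin06 src=198.51.100.7
2021-04-20T20:41:57Z success user=admin06 src=198.51.100.7
2021-04-20T08:00:01Z fail user=jsmith src=203.0.113.25
2021-04-20T08:00:20Z success user=jsmith src=203.0.113.25
"""

def parse_line(line):
    """Assumed format: <iso-timestamp> <fail|success> user=<name> src=<ip>."""
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spraying(log_text, window=timedelta(hours=24),
                    min_accounts=5, max_per_account=2):
    """Flag sources whose failures hit >= min_accounts distinct accounts inside
    any `window`, with no single account failing more than max_per_account times
    (the spraying shape, as opposed to brute force against one account)."""
    failures = defaultdict(list)  # src -> [(ts, user)]
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        if result == "fail":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                flagged[src] = sorted(per_user)
                break
    return flagged

def successes_from(log_text, srcs):
    """Accounts that later authenticated successfully from a flagged source:
    the first place to look for follow-on permission changes."""
    return sorted({u for ts, r, u, s in map(parse_line, log_text.splitlines())
                   if r == "success" and s in srcs})
```

With the sample log, only 198.51.100.7 is flagged (six accounts, one failure each), and admin06 is the account that later succeeded from it; the legitimate user's single failure is not flagged.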

Zero-day vulnerabilities in virtual private networks (VPN) have also been exploited to obtain network access, including the Citrix NetScaler vulnerability CVE-2019-19781. Once a VPN appliance is exploited, user credentials are harvested and used to authenticate to systems on the network that do not have multifactor authentication enabled. Attempts are also made to access web-based resources containing information of interest to the foreign intelligence service.

A Go-based malware variant dubbed WELLMESS has been used to gain persistent access to networks and, in 2020, was primarily used in targeted attacks on organizations involved in COVID-19 vaccine development, with the attackers targeting research repositories and Active Directory servers.

The SVR cyber actors are capable adversaries that use custom malware and open source and commercially available tools in their attacks. Several recommendations and best practices have been offered to help network defenders improve resilience to each of the methods known to be used by SVR operatives and identify potential attacks in progress.


DOJ Launches Ransomware and Digital Extortion Task Force

In response to the growing threat from ransomware attacks, the U.S. Department of Justice has launched a new Ransomware and Digital Extortion Task Force that will target the ransomware ecosystem as a whole. The aim is not only to bring the individuals conducting the attacks to justice, but also any individuals who assist attackers, including those who launder ransom payments.

The Task Force will include representatives from the DOJ criminal, national security and civil divisions, the Federal Bureau of Investigation, and the Executive Office for United States Attorneys and will work closely with the Departments of Homeland Security and the Treasury. The task force will also work to improve collaboration with the private sector and international partners.

Resources will be increased to address ransomware attacks, training and intelligence gathering will be improved, and the task force will coordinate with the Department of Justice to investigate leads and connections to known cybercriminal organizations and nation state threat groups. In addition to aggressively pursuing all individuals involved in attacks, the task force will make recommendations to Congress on how best to help victims of attacks while discouraging the payment of ransoms.

The task force will help to tackle the proliferation of ransomware attacks by making them less lucrative. According to an internal DOJ Memo written by DOJ Acting Deputy Attorney General John Carlin, “This will include the use of all available criminal, civil, and administrative actions for enforcement, ranging from takedowns of servers used to spread ransomware to seizures of these criminal enterprises’ ill-gotten gains.”

The aim of the task force is to better protect individuals and businesses from ransomware attacks and to ensure the individuals involved are brought to justice. At present, ransomware gangs, members of which are often based overseas, know that there is little risk of being caught and attacks can be extremely profitable.

Ransomware attacks increased sharply in 2020, which was the worst ever year for ransomware attacks. According to a recent report from Chainalysis, more than $370 million in ransom payments were collected by ransomware gangs in 2020, which is an increase of 336% from the previous year. Ransoms are often paid as victims are well aware that paying the ransom, even if it is several million dollars, is a fraction of the cost of recovering from the attack without paying. The cost of attacks could easily be 10 or 20 times higher if the ransom is not paid.

In 2019, the City of Baltimore refused to pay a $75,000 ransom and the attack ended up costing the city more than $18 million. According to the GetApp 2020 Data Security Survey, 28% of businesses have suffered a ransomware attack in the past 12 months and 75% of victims paid the ransom to reduce the cost of remediation.

Ransomware attacks are costing the U.S. economy billions. Cybersecurity Ventures has predicted that ransomware attacks will continue to increase and are likely to occur at a rate of one every 11 seconds in 2021. It puts the total cost of the attacks in 2021 at $20 billion in the United States alone and expects the global cost to reach $6 trillion in 2021.
