Healthcare Cybersecurity

CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the cybersecurity authorities of Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about four vulnerabilities that are being actively exploited by a threat actor to gain access to sensitive data.

The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified.

The vulnerabilities are tracked as:

  • CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  • CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  • CVE-2021-27103 – Server-side request forgery via a crafted POST request
  • CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27101) has been exploited to run commands remotely on targeted appliances. The exploit has been combined with a webshell, which is used to receive commands sent by the attacker, exfiltrate data, and clean up logs. Cleaning up the logs helps the attacker avoid detection and hampers analysis of the attack.

Once sensitive data have been exfiltrated, the attacker attempts to extort money from the victim. Threats are issued to publicly expose the stolen data on a ransomware data leak site if the ransom is not paid. FireEye/Mandiant have linked the attacks with the FIN11 and CL0P ransomware operation, although ransomware is not being used in the attacks.

Accellion became aware of attacks exploiting the vulnerabilities in January 2021 and reports that fewer than 100 clients have been affected, with around two dozen clients believed to have suffered significant data theft. Kroger has recently reported that some pharmacy and Little Clinic customers have been affected, and Centene has similarly suffered a data breach via exploitation of the vulnerabilities. Other victims include Transport for New South Wales in Australia, the Canadian aircraft manufacturer Bombardier, the Reserve Bank of New Zealand, the Australian financial regulator ASIC, the Office of the Washington State Auditor, and the University of Colorado.

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity alert (AA21-055A) which can be used by Accellion customers to determine if the vulnerabilities have been exploited, along with advice should malicious activity be detected.

In addition to performing an analysis to identify if the flaws have been exploited, CISA recommends isolating systems hosting the software from the Internet and updating Accellion FTA to version FTA_9_12_432 or later. It is also recommended by Accellion and CISA to migrate from this legacy product to a supported file sharing platform. The Accellion FTA reaches end-of-life on April 30, 2021. Accellion recommends upgrading to its Kiteworks file sharing platform, which has enhanced security features.

The post CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities appeared first on HIPAA Journal.

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Throughout the pandemic, cybercriminals have taken advantage of new opportunities and have been attacking hospitals, clinics and other businesses and organizations on the front line in the fight against COVID-19.

Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021.

A recent report from the CTIL League provides further information on these attacks and some of the other ways the healthcare industry was targeted in 2020. The report highlights the work of the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity with the potential to impact the healthcare industry or public health.

This is the first report to highlight the discoveries and achievements of the CTIL Dark team, and it delves into the realm of healthcare ransomware attacks and the dark markets where access to healthcare networks is traded.

In 2020, the CTIL Dark team’s research determined the main ransomware gangs targeting the healthcare sector to be Maze, Conti, Netwalker, REvil, and Ryuk. Between these five operations more than 100 ransomware attacks were conducted on the healthcare sector, two thirds of which were in North America and Europe. The attacks by these groups accounted for 75% of all attacks on the sector in 2020.

The increase in ransomware attacks in 2020 was attributed to the ease with which the industry could be attacked and the increased prominence of the industry during the pandemic, and no healthcare organization was immune. In fact, while attacks on large healthcare organizations with the means to pay large ransom demands were favored, in the fall there was a significant increase in attacks on small- to medium-sized hospitals and clinics.

Ransomware attacks tend to dominate the news reports due to the major impact these attacks have on healthcare providers and their patients. Hospitals are forced to switch to pen and paper, appointments often have to be cancelled, and patient information is frequently leaked online and made available to a wide range of cybercriminals. What is less well understood is the supply chain that makes many of these attacks possible.

During the pandemic, demand for backdoor access to healthcare networks increased considerably, as did the number of criminals providing access. The supply chains established to provide credentials for healthcare networks to ransomware gangs and other threat actors saw the barrier to entry into cyberattacks on the sector significantly lowered.

2020 saw an increase in the number of Initial Access Brokers. These are the hackers who target and breach vulnerable networks and sell on access to the highest bidder, including ransomware gangs and their affiliates. The CTIL Dark team reports a doubling of the number of Initial Access Brokers between Q2, 2020 and Q4, 2020. Skilled hackers that can breach healthcare networks often sign up to ransomware-as-a-service operations as affiliates themselves. In 2020, several RaaS operations started recruitment drives targeting individuals who already had access to healthcare networks and could conduct large numbers of attacks.

The CTIL Dark team notes that ransomware attacks are becoming more extensive, targeted, and coordinated, with threat groups often partnering and sharing resources and information. In 2020, the ransomware activity investigated by the team most commonly involved attacks on perimeter vulnerabilities such as unpatched systems and weak passwords in remote connectivity solutions, rather than phishing attacks.

The CTIL Dark team also identified an increase in the number of databases containing PHI being sold on darknet forums for use in targeted attacks on patients, and employee databases for targeting healthcare employees to gain access to healthcare networks.

Phishing attacks increased in 2020, with opportunistic threat actors abandoning their regular campaigns and switching to COVID-19 themed campaigns that closely tracked equipment shortages and knowledge gaps. Scams were conducted in response to the shortage of COVID-19 tests and PPE, followed by fake offers of antibody-rich blood. When hydroxychloroquine was touted as a game changer for COVID-19 treatment, darknet vendors switched from offering cocaine to offering doses of the drug. Now, as the vaccine rollout gathers pace, scammers have switched to offering fake vaccines.

CTIL has predicted that attacks targeting the healthcare sector will most likely increase in 2021 rather than decline, so it is essential for healthcare organizations to remain on high alert, leverage data from cybersecurity vendors, Health-ISACs, law enforcement, and organizations such as the CTIL League, and implement policies, procedures, and protections to combat these threats.

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov.

Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was that she would not name any app in which vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks that could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating that the security issues are systemic.

mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user activity than other mobile device apps such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth apps analyzed for the study are used by an estimated 23 million people, with each app downloaded an average of 772,619 times from app stores. These apps contain a wealth of sensitive data, from vital signs to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps carry a high value on darknet marketplaces and are frequently targeted by cybercriminals. The vulnerabilities identified in the mHealth apps make it easy for cybercriminals to gain access to that information.

“Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible,” said Knight. “But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.”

BOLA vulnerabilities allow a threat actor to substitute the ID of a resource with the ID of another. “When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them,” explained Knight. “These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.” In the case of mHealth apps, that could provide a threat actor with the ability to download entire medical records and personal information that could be used for identity theft.
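The ID substitution Knight describes, shown as an added example (not code from the study or from any of the tested apps): a record-lookup endpoint that authenticates the caller but never checks whether the record belongs to them, next to a hardened version that does. The data store, session model, user IDs and record IDs are all constructed for illustration.

```python
"""BOLA (broken object level authorization): vulnerable and hardened
record lookup side by side. Added example; the data, users and IDs below
are constructed and do not come from any real app."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "patient" or "clinician" (constructed roles)


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    clinician_id: str  # clinician assigned to this patient
    body: str


# Constructed sample store with sequential numeric IDs, the enumerable
# kind the study describes.
RECORDS = {
    "1001": Record("1001", "pat-a", "doc-x", "pathology report for patient A"),
    "1002": Record("1002", "pat-b", "doc-y", "X-ray report for patient B"),
}


class Forbidden(Exception):
    """Raised by the hardened endpoint for missing and unauthorized IDs alike."""


def get_record_vulnerable(session, record_id):
    """Checks that a session exists, then returns whatever ID was asked for.
    Any logged-in user can walk /records/<id> and read other patients' data."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise KeyError(record_id)
    return rec.body


def is_authorized(session, rec):
    """Object-level rule: patients read their own records, clinicians read
    records of patients assigned to them, nobody else reads anything."""
    if session.role == "patient":
        return rec.patient_id == session.user_id
    if session.role == "clinician":
        return rec.clinician_id == session.user_id
    return False


def get_record_hardened(session, record_id):
    """Same lookup with the ownership check applied on every request.
    Missing and unauthorized IDs produce the same error so the endpoint
    does not confirm which IDs exist."""
    rec = RECORDS.get(record_id)
    if rec is None or not is_authorized(session, rec):
        raise Forbidden("record not found")
    return rec.body


def enumerate_ids(session, fetch, start=1000, count=5):
    """What an attacker does against either endpoint: iterate IDs and keep
    whatever comes back. Returns {id: body} for every readable record."""
    found = {}
    for n in range(start, start + count):
        try:
            found[str(n)] = fetch(session, str(n))
        except (KeyError, Forbidden):
            continue
    return found


def can_read(session, record_id, fetch=get_record_hardened):
    """True if the given endpoint returns the record to this session."""
    try:
        fetch(session, record_id)
        return True
    except (KeyError, Forbidden):
        return False


def new_record_id():
    """Unguessable IDs make enumeration impractical, but they complement the
    authorization check above rather than replace it."""
    return secrets.token_urlsafe(16)
```

Run `enumerate_ids(Session("pat-a", "patient"), get_record_vulnerable)` and patient A gets patient B's X-ray report back; the same call against `get_record_hardened` returns only A's own record.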

APIs define how apps communicate with other apps and systems and are used for sharing information. Out of the 30 mHealth apps tested, 77% contained hard-coded API keys, which exposed them to attacks that would allow an attacker to intercept information as it is exchanged. In some cases those keys never expired, and 7% of the API keys belonged to third-party payment processors that strongly advise against hard coding their private keys in plain text; usernames and passwords had also been hard coded.
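The hard-coded keys and credentials described above are the kind of thing a reviewer finds by scanning the strings in an app package. The scanner below is an added example, not code from the Approov study: it looks for two documented key formats (AWS access key IDs begin with `AKIA` and are 20 characters; Stripe live secret keys begin with `sk_live_`), for credentials embedded in URLs and Authorization headers, and for generic high-entropy tokens that have no recognisable prefix. The sample strings are constructed and every key value is a fabricated placeholder (the AWS value is the example key used in AWS documentation).

```python
"""Find hard-coded secrets in strings extracted from an app package.
Added example; the sample strings are constructed and the keys are
placeholders, not real credentials."""
import math
import re
from collections import Counter

# Known formats first: cheap, precise, and they name the provider.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9a-zA-Z]{16,}\b"),
    "bearer_in_source": re.compile(r"Authorization:\s*Bearer\s+[A-Za-z0-9._-]{20,}"),
    "basic_credentials": re.compile(r"https?://[^/\s:@]+:[^/\s:@]+@"),
}

# Generic fallback: long base64-ish runs with high entropy look like keys.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}")

# Constructed output of a strings-style pass over a decompiled app.
SAMPLE_STRINGS = """\
https://api.example.com/v1/records
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
stripe_key=sk_live_FAKEFAKEFAKEFAKEFAKEFAKE
session_token=Zx9Qk2Lm7Vb4Ns8Wr3Ty6Ug1Hj5Pc0Ed
https://svc-user:Passw0rd@legacy.example.com/sync
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.AbCdEf
"""


def shannon_entropy(s):
    """Bits per character; random keys sit well above prose and identifiers."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text, entropy_threshold=4.0):
    """Return (kind, value) pairs for every suspected secret in text.
    Pattern hits come first; high-entropy tokens are added only when they
    are not already part of a pattern hit."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((name, m.group(0)))
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if shannon_entropy(tok) >= entropy_threshold and not any(tok in v for _, v in hits):
            hits.append(("high_entropy_token", tok))
    return hits


if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE_STRINGS):
        print(f"{kind:20s} {value}")
```

The entropy threshold of 4.0 bits per character is an assumption tuned for base64-like keys; identifiers and URLs score far lower, which is why the repeated `FAKE` placeholder is not flagged by the generic rule even though the Stripe prefix rule catches it.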

All of the apps lacked certificate pinning, which is used to prevent man-in-the-middle attacks. Exploiting this flaw would allow sensitive health and personal information to be intercepted and manipulated. Half of the tested apps did not authenticate requests with tokens, and 27% did not have code obfuscation protections, which made them vulnerable to reverse engineering.

Knight was able to access highly sensitive information during the study. 50% of the records included names, addresses, dates of birth, Social Security numbers, allergies, medications, and other sensitive health data. Knight also found that once access is gained to one patient’s records, other patients' records can be accessed indiscriminately. Half of all APIs allowed medical professionals to view the pathology, X-ray, and clinical results of patients other than their own, and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not assigned to her clinical account. Knight also found replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take over other users’ sessions.

Part of the problem is mHealth apps do not have security measures baked in. Rather than build security into the apps at the design stage, the apps are developed, and security measures are applied afterwards. That can easily result in vulnerabilities not being fully addressed.

“The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm,” said David Stewart, founder and CEO of Approov. “Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”

Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas.

Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients.

It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal.

According to NBC, which spoke with an attorney representing the hospital, none of its current systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by the hospital. The Conti leak site had around 20 files containing patient information uploaded on February 3, 2021, and by February 10 it was reported to hold more than 1,760 leaked files, most of which appeared to be old data. The hospital’s attorney confirmed that the systems currently used by the hospital had not been compromised; instead, an old server that held files relating to patient data transfers was compromised. The incident is still under investigation.

The theft of patient data prior to file encryption, often called double extortion, is now commonplace. According to the New Zealand cybersecurity firm Emsisoft, at the start of 2020 only one ransomware group was exfiltrating data prior to file encryption, but by the end of the year at least 17 ransomware groups were exfiltrating data prior to deploying ransomware.

This tactic increases the probability of the ransom being paid. Healthcare organizations may be able to recover files from backups, but they would need to pay the ransom to prevent the stolen data from being dumped on leak sites or sold to other threat actors.

There are signs, however, that this tactic is now proving to be less effective. A recent report by Coveware suggests trust has been eroded and more victims are choosing not to pay the ransom when they can recover their data from backups as there is no guarantee that stolen data will be deleted if the ransom is paid.

Coveware attributed the dramatic reduction in ransom payments in Q4, 2020 to victims choosing not to pay due to a lack of trust in the attackers. “Coveware continues to witness signs that stolen data is not deleted or purged after payment. Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur,” explained Coveware in its Q4 Ransomware Report.

Feds Release Ransomware Fact Sheet

A ransomware factsheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF) to raise awareness of the threat of ransomware attacks and provide insights that can be leveraged to prevent and mitigate attacks.

The fact sheet was developed by an interagency group of more than 15 government agencies and is primarily intended for use by police and fire departments, state, local, tribal and territorial governments, and critical infrastructure entities. The factsheet was released as part of the “Reduce the Risk of Ransomware Campaign” launched by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) in January 2021.

The fact sheet explains the impact ransomware attacks have had on the public sector, provides information on U.S. government efforts to combat ransomware threats, and details the most common methods used by threat actors to gain access to networks to deploy ransomware payloads: Phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities.

Phishing emails contain either a malicious link or file attachment. If the user opens the attachment or visits the link, code is executed which downloads a malicious payload. That payload may be ransomware or another malware variant which will ultimately be used to deliver ransomware. A recent report from Coveware has revealed phishing emails are now the most common method of ransomware delivery, overtaking the exploitation of RDP vulnerabilities.

Exploitation of RDP vulnerabilities is also common. RDP allows remote workers to access resources and data over the Internet. Attackers use brute force tactics to guess weak passwords, and purchase stolen credentials on darknet marketplaces, to remotely access systems and deploy malware or ransomware. While less common, vulnerabilities in software are also exploited to gain control of victim systems and deploy ransomware.
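Detection logic for the RDP password guessing described above, as an added example that is not part of the NCIJTF fact sheet. It assumes Windows Security events flattened to one key=value line each (a constructed format, not a Windows export); Event ID 4625 is a failed logon, 4624 a successful logon, and logon type 10 is RemoteInteractive, i.e. RDP. The events are constructed and use the 203.0.113.0/24 documentation range; the threshold and window are assumptions to tune per environment.

```python
"""Flag RDP password guessing from flattened Windows Security events.
Added example; the event lines are constructed. 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: one benign user typo, one fast guessing burst that
# ends in a successful logon, one local failure, and one slow guesser.
SAMPLE_EVENTS = """\
2021-02-10T03:11:50Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=203.0.113.50
2021-02-10T03:11:58Z EventID=4624 LogonType=10 TargetUser=jsmith IpAddress=203.0.113.50
2021-02-10T03:12:01Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2021-02-10T03:12:03Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2021-02-10T03:12:05Z EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2021-02-10T03:12:08Z EventID=4625 LogonType=10 TargetUser=scanner IpAddress=203.0.113.7
2021-02-10T03:12:11Z EventID=4625 LogonType=10 TargetUser=it_admin IpAddress=203.0.113.7
2021-02-10T03:12:14Z EventID=4625 LogonType=10 TargetUser=it_admin IpAddress=203.0.113.7
2021-02-10T03:12:20Z EventID=4624 LogonType=10 TargetUser=it_admin IpAddress=203.0.113.7
2021-02-10T03:13:00Z EventID=4625 LogonType=2 TargetUser=nurse1 IpAddress=127.0.0.1
2021-02-10T04:40:00Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.99
2021-02-10T05:55:00Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.99
"""


def parse_event(line):
    """Parse one flattened event line into a dict with typed fields."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["EventID"] = int(ev["EventID"])
    ev["LogonType"] = int(ev["LogonType"])
    return ev


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector over events in time order.

    Returns (ip, kind, ts) tuples: 'burst' when at least `threshold` failed
    RDP logons from one source fall inside `window` (raised once per source),
    and 'success_after_burst' when an RDP success from that source arrives
    while the burst is still inside the window, which is the case that
    needs immediate response."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["LogonType"] != 10:  # only RDP logons matter here
            continue
        ip, ts = ev["IpAddress"], ev["ts"]
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["EventID"] == 4625:
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ip, "burst", ts))
        elif ev["EventID"] == 4624 and len(q) >= threshold:
            alerts.append((ip, "success_after_burst", ts))
    return alerts


if __name__ == "__main__":
    for ip, kind, ts in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(f"{ts.isoformat()} {kind:20s} {ip}")
```

On the sample, 203.0.113.7 trips the burst rule on its fifth failure and then the success rule nine seconds later; the user typo at 203.0.113.50 and the two failures spread over an hour from 203.0.113.99 stay below the threshold, which is the trade-off a slow, low-and-slow guesser exploits and why a longer second window is often run alongside.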

Many of the recent ransomware campaigns have been highly sophisticated and targeted. While it is not possible to eliminate risk entirely, most ransomware attacks can be prevented by following cybersecurity best practices.

NCIJTF suggests:

  1. Backing up data, testing backups, and ensuring a copy is stored securely offline.
  2. Implementing multifactor authentication.
  3. Updating software and patching all systems.
  4. Ensuring security solutions such as antivirus software are kept up to date.
  5. Creating, reviewing, and testing an incident response plan.

The ransomware fact sheet is available from the NCIJTF, and further information on preventing and mitigating ransomware attacks is available from CISA.

VMWare Carbon Black Explores the State of Healthcare Cybersecurity in 2020

Throughout 2020, the healthcare industry was on the frontline of the pandemic providing medical care to patients suffering from COVID-19 but also had to deal with increasing numbers of cyberattacks, as cybercriminals stepped up their attacks on hospitals and health systems.

Recently, VMware Carbon Black conducted a retrospective review of the state of healthcare cybersecurity in 2020 that revealed the extent to which the healthcare industry was targeted by cybercriminals, how those attacks succeeded, and what healthcare organizations need to do to prevent cyberattacks in 2021.

VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and found 239.4 million cyberattacks were attempted in 2020, which equates to an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019.

As it became clear that the outbreak in Wuhan was turning into a pandemic, cyberattacks on healthcare providers started to increase. Between January and February 2020, cyberattacks on healthcare customers increased by 51% and continued to increase throughout the year, peaking between September and October when there was an 87% month-over-month increase in attacks. The large spike in attacks in the fall was due to increased ransomware activity, with the Ryuk ransomware gang in particular stepping up attacks on the healthcare industry.

Attacks were conducted to gain access to healthcare data for identity theft and fraud, with the stolen data bought and sold on darknet marketplaces but the biggest threat came from ransomware. “In 2020, we saw ransomware go mainstream. The wide-reaching impact of ransomware has been assisted largely by way of affiliate programs,” explained VMWare Carbon Black. “With many ransomware groups offering ransomware-as-a-service (RaaS), making the deployment of ransomware easily accessible to millions of cybercriminals who previously didn’t have the tools to carry out these attacks.” The high potential rewards for conducting attacks have drawn many individuals into ransomware distribution who would otherwise have not been able to conduct these types of attacks. Cybercriminals are also recruiting insiders that can provide them with access to networks in exchange for large sums of money or a cut of any ransoms that are paid.

Double extortion tactics have also been extensively adopted by ransomware gangs to increase the likelihood of victims paying, if only to prevent the exposure of stolen data rather than for the keys to recover encrypted files. Much of the stolen data is being offered for sale on dark web sites, especially stolen protected health information and COVID-19 test result data.

2020 saw many threat actors join forces and share resources and exchange tactics, with access to systems being provided to other threat groups to conduct their own attacks. Collaboration between threat groups is increasing and threat actors are discovering new ways of gaining access to networks to deploy their malicious payloads.

The researchers have seen attacks increase throughout 2020 and there are no signs that the attacks will slow as 2021 progresses. In fact, it is possible that attacks will continue to increase.

VMWare Carbon Black makes three recommendations for CISOs who want to stay one step ahead of attackers. First, most AV solutions focus only on the delivery stage; for much better protection, healthcare organizations should deploy next-generation antivirus solutions that protect against every stage of a ransomware attack, from delivery to propagation to encryption. Second, endpoint protection solutions should be chosen that can be rapidly scaled and deployed to protect new users, while maintaining data privacy, compliance, and security practices.

Lastly, healthcare CISOs need to be proactive and address vulnerabilities before they are exploited. That means IT tracking tools should be deployed that provide full visibility into devices that connect to the network. This will allow CISOs to track configuration drift and quickly remediate issues and ensure all devices are patched and protected.

FDA Appoints Kevin Fu as its First Director of Medical Device Security

The U.S. Food and Drug Administration (FDA) has announced the appointment of University of Michigan associate professor Kevin Fu as its first director of medical device security.

Fu will serve a one-year term as acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and the recently created Digital Health Center of Excellence, starting on January 1, 2021. Fu has been tasked with helping “to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”

Fu will help to develop the CDRH cybersecurity programs, public-private partnerships, and premarket vulnerability assessments to ensure the safety of medical devices including insulin pumps, pacemakers, imaging machines, and healthcare IoT devices and protect them against digital security threats.

Fu has considerable experience in the field of medical device cybersecurity. He is chief scientist at the University of Michigan’s Archimedes Center for Medical Device Security, which he founded; he co-founded the healthcare cybersecurity startup Virtua Labs with his doctoral students; and he was previously a member of the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board. Fu has also conducted research into software radio attacks on implantable medical devices such as pacemakers and cardiac defibrillators, demonstrating how off-the-shelf software radio equipment could be used to access the devices and intercept their communications. Fu is currently associate professor of electrical engineering and computer science and the Dwight E. Harken Memorial Lecturer, and will retain those University of Michigan roles.

Securing medical devices is a major challenge. Huge numbers of medical devices are now used by hospitals in complex interconnected networks. Many hospitals do not have complete inventories of their devices, and since many run on legacy systems, vulnerabilities can easily go unaddressed. Those vulnerabilities could be exploited by cyber threat actors to cause harm to patients or to gain a foothold in healthcare computer networks.

As Fu explained in an interview recently published on Michigan News, the threat landscape has changed dramatically over the past decade. “Today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day,” said Fu. “We need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.”

Medical devices need to have privacy and security measures incorporated early in the design process, rather than being bolted on after the devices have been developed. By that time, security flaws have been baked into the devices and they are much harder to address.

Unfortunately, all too often, medical device manufacturers do not seek input from security experts during the design of medical devices and fail to design the devices based on established computer security engineering principles. That is something that needs to change. “You can’t simply sprinkle magic security pixie dust after designing a device,” said Fu.

“Right now, though, I’m focused on medical device safety,” explained Fu. “I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”

Global Law Enforcement Action Disrupts NetWalker Ransomware Operation

The U.S. Department of Justice (DOJ) has announced that a dark web website used by the NetWalker ransomware gang has been seized as part of a global action to disrupt the operation and bring the individuals responsible for the file-encrypting extortion attacks to justice.

The action was taken in coordination with the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance provided by the Bulgarian National Investigation Service and General Directorate Combatting Organized Crime. The announcement came just a few hours after Europol announced an international effort that resulted in the takedown of the Emotet botnet.

The NetWalker ransomware gang is one of around 20 ransomware-as-a-service (RaaS) operators that recruit affiliates to distribute ransomware for a cut of any ransom payments they generate. The NetWalker gang started operating in late 2019. Since then, the ransomware has proven popular with affiliates and many attacks have been conducted. It has been estimated that in the first five months of the operation the gang generated around $25 million in ransom payments, around $1.14 million of which was paid by the University of California San Francisco to recover data encrypted in a June 2020 attack. The total amount of ransom payments is believed to be in excess of $46 million.

The gang has attacked businesses and organizations in a range of different sectors, with the healthcare industry targeted throughout the pandemic. Attacks have also been conducted on schools, colleges, universities, companies, municipalities, and the emergency services.

The investigation into the NetWalker ransomware operation was led by the FBI’s Tampa Field Office and has so far resulted in one arrest. Sebastien Vachon-Desjardins of Gatineau, a Canadian national, has been indicted for his involvement in extortion attacks as an affiliate of the operation. The DOJ alleges Vachon-Desjardins obtained more than $27.6 million in ransom payments since at least April 2020. Vachon-Desjardins is believed to have been responsible, as an affiliate, for hacking networks and deploying ransomware, for which he received 80% of the ransom payments he generated. He is believed to have conducted at least 91 attacks in 8 months. According to a report from Chainalysis, Vachon-Desjardins is also suspected of working with other RaaS operations.

The DOJ said $454,530 in cryptocurrency, paid by three victims of the ransomware attacks, has been seized and Bulgarian law enforcement officials have taken control of a dark web website used by NetWalker ransomware affiliates to communicate with victims and provide instructions for paying ransoms. The website now has a notice explaining the resource is under the control of law enforcement.

The developers of the ransomware are still at large and only one affiliate has been arrested out of more than a dozen, but the action will have caused some disruption to the operation and further arrests may follow.

“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division.  “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Europol has announced the notorious Emotet Botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which is comprised of hundreds of servers around the world.

The Emotet botnet was one of the most prolific malware botnets of the last decade and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The Emotet operators ran one of the most professional and long-lasting cybercrime services and was one of the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet.

The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous. Emotet was used to deliver TrickBot and QakBot, which in turn were used to deliver ransomware variants such as Ryuk, Conti, Egregor, and ProLock.

Once a device was infected with the Emotet Trojan it would be added to the botnet and used to infect other devices. Emotet could spread laterally across networks and hijacked email accounts to send copies of itself to contacts. The Emotet gang took phishing to the next level and their campaigns were highly successful. A wide range of lures were used to maximize the chance of the emails being opened and the malware installed. Emotet also hijacked message threads and inserted itself into email conversations to increase the chance of malicious attachments being opened.

The law enforcement operation was planned for around 2 years and was a collaborative effort between authorities in the Netherlands, Germany, France, Lithuania, Canada, Ukraine, the United States, and the United Kingdom, with the operation coordinated by Europol and Eurojust.

The infrastructure used to control the botnet was spread across hundreds of servers, each of which performed different functions and were used to manage infected computers, distribute copies of the Emotet Trojan, exfiltrate data, and provide services to other cybercrime groups. The Emotet gang had also built resiliency into its infrastructure to prevent any takedown attempts.

In order to take down the infrastructure and prevent any attempts at restoration, the operation was coordinated so that law enforcement agencies took control of the servers simultaneously from the inside. The servers are now under the control of law enforcement and a module that uninstalls the malware is already being distributed. Europol says the malware will be uninstalled from infected devices on March 25, 2021 at 12:00.

In addition to severely disabling the operation, several members of the Emotet gang in Ukraine suspected of running the botnet have been arrested and other arrests are expected to follow.
