Healthcare Cybersecurity

CISA and FBI Update AvosLocker Ransomware Cybersecurity Advisory

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an update on AvosLocker ransomware, which includes known indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker ransomware variant.

AvosLocker is a relatively new ransomware-as-a-service operation that was first identified in July 2021. While the group is not as prominent as LockBit, Clop, and ALPHV (BlackCat), AvosLocker ransomware affiliates have compromised organizations across multiple critical infrastructure sectors. The group engages in exfiltration-based extortion, requiring the payment of a ransom to prevent the release of stolen data and for the keys to decrypt files.

AvosLocker affiliates use legitimate software and open source tools during their ransomware operations. The group has been observed using Splashtop Streamer, Tactical RMM, PuTTY, AnyDesk, PDQ Deploy, and Atera Agent as backdoor access vectors, the open source network tunneling tools Ligolo and Chisel, Cobalt Strike for command and control, PowerShell and batch (.bat) scripts for lateral movement, Lazagne and Mimikatz for credential harvesting, and FileZilla and Rclone for data exfiltration. The FBI has also observed affiliates using custom webshells to enable network access.

The cybersecurity advisory updates the joint advisory issued by the FBI, CISA, and the Treasury’s Financial Crimes Enforcement Network (FinCEN) in March 2023 and includes a YARA rule that was created by the FBI for detecting a signature for a file identified as enabling malware – NetMonitor.exe. NetMonitor.exe masquerades as a legitimate process but functions like a reverse proxy to allow affiliates to connect to the tool from outside the victim’s network. Indicators of Compromise (IoCs) have also been shared that were obtained from investigations of attacks from January 2023 to March 2023, along with recommended mitigations to reduce the risk of compromise by AvosLocker ransomware.

The post CISA and FBI Update AvosLocker Ransomware Cybersecurity Advisory appeared first on HIPAA Journal.

Atlassian Confluence Data Center and Server Vulnerability Actively Exploited by Chinese APT Actor

Microsoft has issued a security alert warning that a Chinese Advanced Persistent Threat (APT) Group has been exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server products.

The vulnerability, CVE-2023-22515, is a critical privilege escalation vulnerability caused by broken access controls. The vulnerability has a maximum CVSS severity score of 10 and can be exploited by any device with a network connection to a vulnerable application. Successful exploitation of the vulnerability allows unauthorized individuals to create Confluence administrator accounts and access Confluence instances.

Atlassian issued a security advisory about the vulnerability on October 4, 2023, and released patches to fix the flaw. Fixed versions are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. The vulnerability does not affect Atlassian Cloud sites. Microsoft said it has observed the Chinese APT group Storm-0062 (aka DarkShadow/Oro0lxy) exploiting the flaw since September 14, 2023, and identified four malicious IP addresses sending exploit traffic: 192.69.90[.]31, 104.128.89[.]92, 23.105.208[.]154, and 199.193.127[.]231. The extent to which the vulnerability has been exploited has not been disclosed, although Atlassian said earlier this month that a handful of customers had been targeted.

Atlassian and Microsoft say urgent action is required to prevent the vulnerability from being exploited and warn that publicly accessible Confluence Data Center and Server instances are at critical risk. Customers should ensure they upgrade their instances to a fixed version and should conduct comprehensive threat detection. After updating their instances, customers should search for unexpected members of the confluence-administrators group, unexpected newly created user accounts, requests to /setup/*.action in network access logs, and look for the presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.
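
The post-upgrade checks listed above can be scripted. The following Python sketch is an added example, not code from Atlassian, Microsoft, or HIPAA Journal; the access-log layout, the security-log layout, the exported administrator list, and all sample lines are constructed assumptions that must be adapted to the instance being reviewed.

```python
import re
from urllib.parse import unquote

# Source addresses the article says Microsoft saw sending exploit traffic
# (written without the [.] defanging so they compare against log fields).
REPORTED_IPS = {"192.69.90.31", "104.128.89.92", "23.105.208.154", "199.193.127.231"}

# Assumption: each access-log line holds a client IPv4 address and a
# 'METHOD target HTTP/x.y' request followed by the status code. Adjust
# these patterns to the access log format your instance actually writes.
REQUEST = re.compile(
    r'\b(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH)\s+(\S+)\s+HTTP/[\d.]+"?\s+(\d{3})\b')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SETUP_ACTION = re.compile(r"^/setup/[^/]+\.action$", re.IGNORECASE)
ADMIN_SETUP = "/setup/setupadministrator.action"


def normalize_path(target):
    """Reduce a request target to a path that can be compared reliably."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    path = re.sub(r";[^/]*", "", path)   # drop ;path parameters
    return re.sub(r"/{2,}", "/", path)   # collapse repeated slashes


def scan_access_log(lines):
    """Return one finding per request to /setup/*.action."""
    findings = []
    for number, line in enumerate(lines, start=1):
        request = REQUEST.search(line)
        if not request:
            continue
        method, target, status = request.groups()
        path = normalize_path(target)
        if not SETUP_ACTION.match(path):
            continue
        ip_match = IPV4.search(line)
        ip = ip_match.group(0) if ip_match else None
        findings.append({
            "line": number,
            "ip": ip,
            "method": method,
            "path": path,
            "status": int(status),
            "known_ip": ip in REPORTED_IPS,
        })
    return findings


def scan_security_log(lines):
    """Line numbers in atlassian-confluence-security.log naming the admin setup action."""
    return [n for n, line in enumerate(lines, start=1)
            if ADMIN_SETUP in line.lower()]


def unexpected_admins(current_members, approved_members):
    """Members of confluence-administrators that are not on the approved baseline."""
    approved = {name.lower() for name in approved_members}
    return sorted(name for name in current_members if name.lower() not in approved)


# Constructed sample data; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - alice [04/Oct/2023:09:12:01 +0000] "GET /dashboard.action HTTP/1.1" 200 5120
192.69.90.31 - - [04/Oct/2023:09:13:44 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 812
198.51.100.7 - - [04/Oct/2023:09:14:02 +0000] "GET /setup/example.action?src=a HTTP/1.1" 403 0
203.0.113.10 - alice [04/Oct/2023:09:15:30 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 7001
""".splitlines()

SAMPLE_SECURITY_LOG = """\
2023-10-04 09:12:00,101 INFO [http-nio-8090-exec-3] login succeeded for alice
2023-10-04 09:13:44,532 ERROR [http-nio-8090-exec-7] exception while handling /setup/setupadministrator.action
""".splitlines()

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        tag = "REPORTED IP" if hit["known_ip"] else "review"
        print(f"access log line {hit['line']}: {hit['ip']} {hit['method']} "
              f"{hit['path']} -> {hit['status']} [{tag}]")
    for number in scan_security_log(SAMPLE_SECURITY_LOG):
        print(f"security log line {number}: mentions {ADMIN_SETUP}")
    print("unexpected admins:",
          unexpected_admins(["admin", "alice", "svc-tmp-01"], ["admin", "alice"]))
```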

66% of Healthcare Organizations Say Patient Care was Disrupted by a Cyberattack

More than 700 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and 2022, and 2023 is on track to become the third successive year with 700+ large healthcare data breaches. Malicious actors continue to target healthcare organizations as they store large amounts of easily monetized data, which can be held to ransom or sold. Cyberattacks on healthcare organizations have financial and human costs. Healthcare organizations are having to pay millions in breach costs and the attacks often cause disruption to patient care, which increases the risk of complications, affects patient outcomes, and causes an increase in patient mortality rates.

A recent survey of 653 healthcare IT and security professionals has confirmed the impact of these attacks on healthcare organizations. The survey was conducted by the Ponemon Institute on behalf of the cybersecurity firm Proofpoint for its Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023 report. The survey confirmed the extent to which healthcare organizations are being attacked. 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months, with the attacks costing an average of $4.99 million per incident, which is a 13% increase from the previous year.

The four most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC), all of which were found to result in disruption to patient care. Two-thirds (66%) of organizations that experienced one or more of these common attacks said they disrupted patient care, 50% reported an increase in medical procedure complications, and 23% said the attacks increased patient mortality rates. The findings are similar to the previous year, indicating healthcare organizations have not made much progress in improving patient safety and well-being following cyberattacks.

Out of the four most common types of attacks, supply chain attacks were the most likely to negatively affect patient care. Supply chain attacks were experienced by 64% of surveyed organizations in the past 2 years and 77% of those organizations said the attacks caused disruption to patient care, up from 70% in 2022. All 653 surveyed organizations said they had experienced at least one incident that involved the loss or exfiltration of sensitive data in the past 2 years, and on average, 19 such incidents occurred at each organization. 43% of respondents said these incidents impacted patient care, 46% of those organizations experienced an increase in patient mortality rates, and 38% saw increased complications from medical procedures.

BEC attacks were most likely to result in poor outcomes due to delayed procedures (71%). BEC attacks also resulted in an increase in medical procedure complications (56%) and longer lengths of stay (55%). 59% of organizations that suffered a ransomware attack said it resulted in poorer outcomes due to delayed procedures, and 68% said a ransomware attack caused disruption to patient care.

Ransomware attacks have increased in 2023. 54% of surveyed organizations said they experienced an attack in the past 12 months, up from 41% in 2022; however, fewer healthcare organizations are paying ransoms to obtain the keys to decrypt files and/or prevent the release of stolen data. 40% of organizations that suffered a ransomware attack paid the ransom, compared to 51% in 2022. Threat actors have responded to the falling ransom payments by increasing their ransom demands. The average total cost for the highest ransom payment spiked 29% to $995,450 in 2023.

When healthcare IT professionals were asked about their biggest concerns about cyberattacks, cloud compromise (74%) was the biggest worry followed by supply chain attacks (63%), BEC (62%), and ransomware (48%). The two biggest cybersecurity challenges were both related to staffing. 58% of respondents said a lack of in-house cybersecurity expertise was keeping their organization’s cybersecurity posture from being fully effective, and 50% said insufficient staffing was a major challenge.

“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”

Russian National Indicted for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned

The indictments of multiple members of the TrickBot/Conti Ransomware groups have recently been unsealed and 11 members of these cybercriminal operations have been sanctioned by the United States and the United Kingdom.

A federal grand jury in the Southern District of California indicted and charged Russian national Maksim Galochkin for his role in a cyberattack on Scripps Health in May 2021. Galochkin and his co-conspirators are alleged to have conducted more than 900 attacks worldwide using Conti ransomware, including the attack on Scripps Health. A federal grand jury in the Northern District of Ohio indicted Galochkin and co-conspirators Maksim Rudenskiy, Mikhail Mikhailovich Tsarev, Andrey Yuryevich Zhuykov, Dmitry Putilin, Sergey Loguntsov, Max Mikhaylov, Valentin Karyagin, and Maksim Khaliullin, over the use of TrickBot malware to steal funds and confidential information from businesses and financial institutions in the United States since 2015. A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin and co-conspirators Rudenskiy, Tsarev, and Zhuykov with conspiring to use Conti ransomware to attack businesses, nonprofits, and governments in the United States from 2020 until June 2022 when the Conti operation was disbanded.

Galochkin was also one of 11 individuals recently sanctioned by the U.S. Department of Justice, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), and the United Kingdom for being part of the Russian TrickBot cybercrime group. TrickBot was first identified in 2016 and started life as a banking Trojan. The malware was developed from the Dyre Trojan and was used to attack and steal money from non-Russian businesses. The modular malware evolved over the years and new capabilities were added which allowed the TrickBot gang to conduct a range of malicious activities, including ransomware attacks. The group is believed to have extorted more than $180 million from victims around the world and conducted many attacks on hospitals and other healthcare providers in the United States. While the TrickBot gang is a cybercriminal group, members of the group are associated with the Russian intelligence services and have conducted attacks on the U.S. government and other U.S. targets in line with the objectives of the Russian intelligence services.

The 11 sanctioned individuals materially assisted with TrickBot operations and include administrators, managers, developers, and coders. Galochkin (aka Bentley, Crypt, Volhvb) is alleged to have led a group of testers and had responsibilities for the development, supervision, and implementation of tests. The other 10 sanctioned individuals are senior administrator Andrey Zhuykov (aka Dif, Defender); lead coder Maksim Rudenskiy; human resources and finance manager Mikhail Tsarev; infrastructure purchaser Dmitry Putilin (aka grad, staff); HR manager Maksim Khaliullin (aka Kagas); TrickBot developer Sergey Loguntsov; internal utilities group member Mikhail Chernov (aka Bullet); admin team member Alexander Mozhaev (aka Green and Rocco); and coders Vadym Valiakhmetov (aka Weldon, Mentos, Vasm) and Artem Kurov (aka Naned).

18 members of the TrickBot operation have now been sanctioned with the latest 11 adding to the 7 members sanctioned by the United States and United Kingdom in February this year. The addition of these individuals to OFAC’s sanctions list means all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. All dealings with these individuals by U.S. persons are prohibited, including paying ransoms. Individuals who engage in transactions with sanctioned individuals may themselves be exposed to OFAC designation and any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the sanctioned individuals could be subject to U.S. correspondent or payable-through account sanctions.

All of the indicted and sanctioned individuals remain at large. That is likely to remain the case as they are believed to reside in Russia where there is no extradition treaty with the United States.

Akira Ransomware Group Targeting the Healthcare and Public Health Sector

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a health and public health (HPH) sector alert about a new ransomware group called Akira, which has been in operation since March 2023. Akira is a ransomware-as-a-service (RaaS) group that recruits affiliates to conduct attacks in exchange for a percentage of the profits they generate. The group mostly attacks small- to medium-sized businesses, although it sets substantial ransom payments, which are typically between $200,000 and $4 million. The group has claimed at least 60 victims in a little over 5 months of operation, including organizations in the HPH sector.

The group engages in double extortion tactics, where valuable data are identified and exfiltrated before files are encrypted. The group issues a ransom demand, payment of which is required for the keys to decrypt files and to prevent the release of stolen data. Victims are required to contact the group via their TOR site to negotiate the ransom payment. Victims who pay the ransom are offered a security report that explains the vulnerabilities the group exploited to access their network.

The group uses a variety of methods for initial access, including compromised credentials and the exploitation of vulnerabilities in virtual private networks (VPNs), especially where multi-factor authentication has not been implemented. The group has a Windows and Linux ransomware variant and targets both Windows and VMware ESXi servers. Incident response data show the group uses a variety of tools in its attacks, including the PCHunter toolkit, the MASSCAN port scanner, Mimikatz for credential harvesting, WinSCP, and PsExec.

The group is thought to have links to the disbanded Conti ransomware group due to Akira and Conti ransomware using similar code, cryptocurrency wallets, and directory exclusions. HC3 has shared Indicators of Compromise (IoCs) in the Akira ransomware sector alert and provides several recommended mitigations to help network defenders improve resilience to attacks and detect attacks in progress.

78% of Healthcare Organizations Suffered a Cyberattack in the Past Year

A recent survey of healthcare professionals indicates 78% of healthcare organizations have experienced at least one cybersecurity incident in the past 12 months. 60% of those incidents had a moderate or significant impact on the delivery of care, 15% had a severe impact, and 30% involved sensitive data. Protected Health Information (PHI) was exposed or stolen in 34% of incidents in North America.

The survey was conducted by Pollfish on behalf of the cybersecurity firm Claroty on 1,100 individuals in North and South America, APAC, and Europe. Respondents worked full-time in the health sector in cybersecurity, engineering, IT, or networking. The survey indicates 26% of organizations that experienced a cyberattack paid a ransom to either prevent the release of stolen data or to decrypt encrypted files. The costs of these attacks typically fell in the range of $100,000 to $1 million; however, more than one-third of respondents who experienced a cyberattack said the recovery costs were greater than $1 million. The biggest cost from the attacks in all but the APAC region was operational downtime.

61% of respondents in North America said they were very or moderately concerned about cyberattacks on their systems. The biggest concerns in this region were insider threats (47%), followed by supply chain and privilege escalation attacks (41%), denial of service (DoS) attacks (39%), and ransomware attacks (38%). A majority of organizations (78%) said they have clear leadership in place for medical device security, which is most commonly the responsibility of IT security teams, and cybersecurity programs typically covered sensitive data such as PHI, EHRs, IT systems, endpoints, medical devices, and BMS such as elevators and HVAC equipment. When asked about the security standards, regulations, and guidelines, the NIST and HITRUST Cybersecurity Frameworks were seen as the most important in North America followed by HIPAA and 405(d).

The survey indicates that healthcare organizations have a clear understanding of the aspects of security that need to be improved. The biggest gaps in defenses were cited as medical device vulnerability patching, asset inventory management, and medical device network segmentation. 60% of respondents said their organization’s security posture has improved over the past 12 months and 51% said their security budgets had been increased in the past year; however, efforts to improve cybersecurity were being hampered by the global shortage of cybersecurity professionals. More than 70% of respondents said they were looking to hire additional cybersecurity staff members and 80% said finding qualified candidates was difficult.

“Security challenges in the healthcare sector continue to mount as the number and types of connected assets grow and the attack surface expands. Beyond the financial ramifications organizations in any sector can face in the wake of a successful attack, in healthcare the stakes are raised due to the patient outcomes at risk,” explained Claroty in the report. “With strong security leadership in place, well-rounded security programs implemented, and the adherence to guidelines and frameworks from regulatory bodies, healthcare organizations are on the right track to ensuring cyber and operational resilience. Recognizing there is more work to be done, they are also prioritizing investments in people, processes, and technologies to build resilience further and ensure compliance while delivering uninterrupted, quality care to their patients.”

Study Reveals State of External Exposure Management

CyCognito has published its latest State of External Exposure Management Report, which highlights the extent to which vulnerabilities affect organizations and how easy it is for hackers to exploit those vulnerabilities.

For the report, CyCognito’s researchers aggregated and analyzed 3.5 million digital assets across its customer base between June 2022 and May 2023, which includes small, medium, and large enterprises, including Fortune 500 companies.

The study found that 70% of web applications had severe security gaps, such as lacking web application firewall (WAF) protection and not using encrypted connections such as HTTPS, with 25% of web applications lacking both protections. A typical enterprise has more than 12,000 web apps such as APIs, SaaS applications, databases, and servers. The researchers found at least 30% of those web apps have more than 3,000 assets and had at least one exploitable or high-risk vulnerability.

The study confirmed the extent to which personally identifiable information (PII) is put at risk. 74% of assets containing PII were found to be exposed to at least one major exploit, and one in ten assets had at least one easily exploitable issue. While critical severity vulnerabilities are a major concern, for every easily exploitable critical vulnerability identified, there were 133 easily exploitable high, medium, or low severity issues.

As CyCognito explains in the report, the attack surface is constantly changing and its research suggests the attack surface fluctuates by as much as 10% each month. That means that over the course of a year, thousands of new assets may have been added to the network and any one of those assets could contain an exploitable vulnerability. Because the attack surface is dynamic, organizations cannot make do with mapping it just once as the map created will be out of date almost immediately.

Naturally, there is a balance to be struck, so many organizations have a biannual or quarterly mapping cadence, although such infrequent mapping could result in serious gaps in awareness and coverage. “To stay aware of risks as soon as they appear, use frequent mapping and scanning of all assets to maintain an up-to-date, comprehensive understanding of your external attack surface,” suggests CyCognito.

Attention needs to be paid to web apps, which typically account for around 22% of the attack surface. They are easy to deploy, provide access to valuable data, connect businesses with employees and customers, and can have dozens of components, each of which can be affected by security issues. Organizations should ensure that web apps are properly protected with WAF and encrypted connections, especially those that provide access to PII or e-commerce platforms.

Addressing security issues is a never-ending process. It is important to ensure that the most serious issues are prioritized and addressed first. CyCognito recommends using context about affected assets and threat actor activity to identify the most serious threats to prioritize and not to rely on CVSS scores, as there may be a far greater risk from less severe flaws, which threat actors can easily exploit.

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.

Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.

When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, disaster recovery plan, emergency management education and training program, and these must be evaluated annually.

The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:

  • Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
  • Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
  • Develop downtime plans, procedures, and resources and ensure they are regularly updated.
  • Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
  • Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
  • Establish situational awareness with effective communication throughout the organization and with patients and families.
  • Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.

“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”

Ransomware Groups are Accelerating Their Attacks with Dwell Time Falling to Just 5 Days

Ransomware groups have accelerated their attacks and are now spending less time inside victims’ networks before triggering file encryption, according to the 2023 Active Adversary Report from Sophos. The data for the report came from the first 6 months of 2023 and was gathered and analyzed by the Sophos X-Ops team.

The median dwell time for ransomware groups fell from 9 days to 5 days in the first half of 2023, which the researchers believe is close to the limit of what is possible for hackers. They do not expect the median dwell time to fall below 5 days due to the time it typically takes for the hackers to achieve their objectives. On average, it took 16 hours from initial access for attackers to gain access to Microsoft Active Directory and escalate privileges to allow broad access to internal systems. The majority of ransomware groups do not rely on encryption alone and also exfiltrate data so they can apply pressure to get victims to pay up. Oftentimes, backups of data exist so recovery is possible without paying the ransom, but if there is a threat of data exposure, ransoms are often paid. On average, it takes around 2 days for ransomware gangs to exfiltrate data.

The reduction in dwell time is understandable. The longer hackers remain in networks, the greater the probability that their presence will be detected, especially since intrusion detection systems are getting better at detecting intrusions and malicious activity. One of the ways ransomware groups have accelerated their attacks is by opting for intermittent encryption, where only parts of files are encrypted. The encryption process is far quicker, which means there is less time to detect and stop an attack in progress, but the encryption is still sufficient to prevent access to files.

Ransomware gangs often time their attacks to reduce the risk of detection. In 81% of attacks analyzed by the researchers, the encryption process was triggered outside normal business hours such as at the weekend or during holidays when staffing levels are lower. 43% of ransomware attacks were detected on a Friday or Saturday. While the dwell time for ransomware actors has reduced, there was a slight increase in the dwell time for non-ransomware incidents, which increased from an average of 11 days to 13 days in H1 2023.

In many cyberattacks, a vulnerability was exploited that allowed hackers to use a remote service for initial access, such as vulnerabilities in firewalls or VPN gateways. The exploitation of vulnerabilities in public-facing applications has been the leading root cause of attacks for some time followed by external remote services; however, in H1, 2023, these were reversed and compromised credentials were the root cause in 50% of attacks, with vulnerability exploitation the root cause of 23% of attacks.

Compromised credentials make attacks easy for hackers especially when there is no multi-factor authentication. Implementing and enforcing phishing-resistant MFA should be a priority for all organizations, but the researchers found that in 39% of cases investigated, MFA was not configured. Prompt patching should also be a goal as this reduces the window of opportunity for hackers. The researchers suggest following CISA’s timeline for patching in its Binding Operational Directive 19-02 of 15 days for critical vulnerabilities and 30 days for high-severity vulnerabilities as it will force attackers into a narrower set of techniques by removing the low-hanging fruit.

Previous reports have highlighted the extent to which Remote Desktop Protocol (RDP) is abused. In H1, 2023, RDP was used in 95% of attacks, up from 88% in 2022. In 77% of attacks involving RDP, the tool was used for internal access and lateral movement, up from 65% in 2022. Only 1% of attacks involved RDP for external access. Due to the extent to which RDP is abused, securing RDP should be a priority for security teams. If attackers are forced to break MFA or import their own tools for lateral movement, it will cause attackers to expend more time and effort, which provides defenders with more time to detect intrusions and increases the probability of malicious activity being detected.
