A new report from Sophos on healthcare cybersecurity trends indicates data encryption occurred in 75% of ransomware attacks on healthcare organizations. Only 24% of surveyed healthcare organizations were able to detect an attack in progress and disrupt it before files were encrypted. Sophos says this is the highest rate of encryption and the lowest rate of disruption the company has seen in the past 3 years. Last year, healthcare organizations disrupted 34% of attacks before files were encrypted.

“To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyberattackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos.

Many ransomware gangs use double-extortion tactics, where files are encrypted after data exfiltration and a ransom must be paid to decrypt files and prevent the release of the stolen data. 37% of healthcare ransomware attacks involved these double extortion tactics – an increase from previous years. Ransomware attacks are continuing to grow in sophistication, threat actors are constantly changing and improving their tactics, and attack timelines are speeding up, giving network defenders less time to detect and block attacks. Sophos says the median time from the start of an attack to detection has now fallen to just 5 days. The majority of attacks are also scheduled to occur outside of office hours when staffing levels are lower. Only 10% of attacks were conducted during regular business hours.

The sophisticated nature of attacks has increased the time taken to recover. Only 47% of healthcare organizations were able to recover from a ransomware attack within a week, compared to 54% last year. Recently, the Department of Health and Human Services’ Office for Civil Rights said there has been a 278% increase in ransomware attacks on healthcare organizations over the past four years; however, Sophos’s data indicates there has been a slight reduction in attacks, from 66% of surveyed organizations in 2022 to 60% in 2023. There has also been a sizeable reduction in the number of healthcare organizations paying ransoms. Last year, 61% of healthcare organizations paid a ransom payment following an attack, with just 42% choosing to pay in 2023.

“The ransomware threat has simply become too complex for most companies to go at it alone. All organizations, especially those in healthcare, need to modernize their defensive approach to cybercrime, moving from being solely preventative to actively monitoring and investigating alerts 24/7 and securing outside help in the form of services like managed detection and response (MDR),” said Wisniewski.

Sophos recommends strengthening defenses by using security tools such as end-point protection solutions with strong anti-ransomware and anti-exploit capabilities, implementing zero trust network access to prevent the abuse of compromised credentials, using adaptive technologies that can respond automatically to attacks in progress to buy network defenders more time, and to implement 24/7 threat detection, investigation, and response, whether that is conducted in-house or by a specialized MDR provider.

It is also important to maintain good security hygiene, such as updating software and patching promptly, regularly reviewing security tool configurations, and regularly backing up, practicing recovering data from backups, and maintaining an up-to-date incident response plan.

The post Data Successfully Encrypted in 75% of Healthcare Ransomware Attacks appeared first on HIPAA Journal.

The Cyber Division of the Federal Bureau of Investigation (FBI) has issued a private industry notification that includes details of emerging techniques that are being used by ransomware gangs to gain initial access to victims’ networks. The FBI has identified several ransomware trends that are emerging or continuing and have been used in multiple attacks since July 2023 to gain initial access to networks. Several attacks have involved the exploitation of vulnerabilities in vendor-controlled remote access to casino servers, and companies have been victimized through legitimate system management tools to elevate network permissions.

The Silent Ransom Group (aka Lunar Moth) has been conducting phishing attacks using messages containing a phone number that must be called to prevent a pending charge to an account. This type of attack is known as callback phishing and has been popular with ransomware gangs since 2022. Since the emails contain no malicious content other than a phone number, the emails are not blocked by email security solutions and often reach their intended targets. To stop the pending account charge, the victim is required to download and install a legitimate system management tool, which is used by the threat actor to access their device. The threat actor can then access local files and shared drives and exfiltrate data. The victim is then extorted.

The FBI recommends all organizations implement the suggested mitigations to harden their defenses against these attacks. The key to defending against these attacks is preparation. Organizations should ensure they maintain offline backups of data, encrypt their backup data, and implement an incident response and recovery plan. Reviews should be conducted of the security posture of all third-party vendors, with priority given to those that have network access. The FBI recommends implementing listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy, and to document and monitor external remote connections.

Identity and access management controls are vital. All accounts that require passwords should comply with National Institute of Standards and Technology (NIST) password standards and phishing-resistant multifactor authentication should be implemented for webmail, virtual private networks, and accounts that access critical systems. Domain controllers, servers, workstations, and active directories should be reviewed for unrecognized accounts, user accounts should be audited, and time-based access should be set for accounts at the admin level and higher.

Protective controls and architecture should include the segmenting of networks, the identification, detection, and investigation of abnormal activity and potential traversal with a networking monitoring tool, antivirus tools capable of real-time detection of threats, and close monitoring of the use of remote desktop protocol (RDP).

It is important to ensure that all software, operating systems, and firmware are kept up to date, unused ports and protocols are disabled, command-line and scripting activities and permissions are disabled, devices are properly configured with security features enabled, and for Server Message Block (SMB) Protocol to be restricted. Controls should also be implemented to improve email security, such as adding a banner to all external emails and disabling hyperlinks in emails.

The post FBI Shares Intel on Emerging Initial Access Techniques Used by Ransomware Gangs appeared first on HIPAA Journal.

The Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note about BlackSuit ransomware, a new ransomware group believed to pose a credible threat to the healthcare and public health (HPH) sector.

Security researchers have identified several similarities between BlackSuit ransomware and Royal ransomware, with the latter group having actively targeted the HPH sector like the Conti ransomware group that Royal is believed to have replaced. BlackSuit has already been used in at least one attack on the HPH sector in October this year, so it is fair to assume that BlackSuit will be used in further attacks on the sector. That attack was on a provider of medical scans and radiology services to more than 1,000 hospitals in 48 states.

Like many other ransomware operations, BlackSuit ransomware is used in double extortion attacks, where sensitive data is exfiltrated before file encryption and ransoms must be paid to prevent the release of the stolen data as well as to decrypt the encrypted files. So far, BlackSuit ransomware has only been used in a limited number of attacks; however, activity could be ramped up at any point.

BlackSuit ransomware is believed to be a private group rather than a ransomware-as-a-service operation, and the operation is thought to be run by individuals with experience in conducting ransomware attacks due to the links with Royal and Conti. Some cybersecurity researchers have suggested BlackSuit may be a rebrand of Royal ransomware, which conducted a major attack on a Texas city in May 2023 which attracted considerable media and law enforcement attention. BlackSuit first appeared shortly after that attack but Royal is still operational, although BlackSuit has not been extensively used to date so that conclusion has not been discounted.

Windows and Linux variants of BlackSuit have been detected, and like Royal ransomware, use OpenSSL’s AES for encryption. The ransomware uses intermittent encryption techniques, which are more efficient and allow files to be encrypted faster. Given the low number of detected attacks, it is difficult to tell which attack methods are favored by the group. The distribution methods that are most likely used are email attachments containing macros, embedding the ransomware in torrent files, malicious adverts (malvertising), and delivery via other malware variants such as Trojans, droppers, and downloaders, which are commonly distributed via compromised websites, fake software updates and phishing emails.

The HC3 Analyst Note details the MITRE ATT&CK techniques used by the group, Indicators of Compromise (IoCs), and recommended mitigations for hardening defenses. HC3 has also recommended reporting any suspected attacks to the local Federal Bureau of Investigation (FBI) field office and FBI Internet Crime Compliant Center (IC3).

The post BlackSuit Ransomware Poses a Credible Threat to the HPH Sector appeared first on HIPAA Journal.

Advanced cyberattacks on cloud environments often make headline news, but these attacks occur in small numbers. The majority of cyberattacks on cloud environments are conducted using well-known threat actor attack techniques such as using stolen credentials and exploiting security weaknesses such as misconfigurations. As such, the best defense against cloud intrusions is to focus on simple cloud security hygiene as this will raise the bar for attackers and will dramatically reduce the risk of a cloud compromise.

According to the recently published Q3, 2023 Google Cloud Threat Horizons Report, a majority of cloud compromises saw initial access gained by exploiting poor password practices. 54.3% of cloud compromises were due to weak or no passwords, with a large percentage of those attacks involving brute forcing default accounts, Secure Shell (SSH), and the Remote Desktop Protocol (RDP). 15.2% of attacks saw initial access gained as a result of misconfigurations, and the same percentage of attacks were due to sensitive UI or API exposure. 10.9% of attacks saw initial compromise achieved by exploiting vulnerable software.

The Google Cloud research and analysis team has identified persistent threat actor activity targeting cloud-hosted Software-as-a-Service (SaaS) systems. Organizations are increasingly using SaaS applications, which increases the attack surface considerably. According to the Thales 2023 Cloud Security Report, there was a 41% increase in the mean number of SaaS applications used by organizations between 2021 and 2023. 55% of surveyed security executives say they have experienced data breaches, leaks, malicious applications, ransomware, espionage, or insider attacks related to SaaS applications in the past 2 years, which indicates organizations are failing to adequately protect SaaS data. This is particularly worrying since SaaS data is the least likely data to be recovered in a ransomware attack.

There is a growing trend where malicious actors abuse public cloud services to host their command-and-control infrastructure, rather than using their own infrastructure or leasing it from other threat actors. The threat actors benefit from cheap, reliable infrastructure that is trusted by enterprises and consumers, and they can hide their activity by blending into high volumes of legitimate traffic. Threat actors have long abused Microsoft Azure, Amazon Web Service, and Dropbox but they may also be abusing Google Calandar. Proof-of-concept code has been published on GitHub for a Google Calendar Remote Access Trojan (RAT), and researchers at Mandiant note that the code has been actively shared on underground forums, indicating threat actors’ interest in the Google Calendar RAT. Since the malware communicates with legitimate infrastructure operated by Google, it is difficult for defenders to detect suspicious activity.

Typosquatting has long been used by threat actors in their campaigns. This tactic involves registering domains similar to the brand being targeted to catch out careless typists. Typosquatting is now being used in attacks on cloud storage platforms such as Google Cloud Storage, Amazon S3, and Azure Blob. A random sample of ten Fortune 100 companies found that 60% had one or more typosquatted cloud storage URLs.

The Q3, 2023 Google Cloud Threat Horizons Report includes a review of cloud services adoption in the healthcare industry and identifies some of the common security issues. An analysis of cloud security incidents between 2021-2023 found cloud services are increasingly being targeted in attacks on healthcare organizations and cloud services are being increasingly used as a platform for staging attacks. While the majority of these attacks were not new, the team found that the attacks are increasingly negatively affecting patient safety, such as by degrading healthcare organizations’ operational capacity, causing patients to be redirected to more distant facilities, and delaying diagnosis and treatment.

The attacks studied by Google and Mandiant revealed that most attacks on the healthcare industry are conducted by financially motivated threat actors who most commonly use stolen credentials for initial access, and to a lesser extent, phishing, third-party vulnerabilities, denial of service attacks, web exploits, and misconfigurations. By far the most common follow-on compromises were ransomware and data extortion attacks, where the attackers attempt to find and capture PHI for extortion purposes, with or without accompanying data encryption. Credentials and data are commonly extracted by targeting Outlook Web Access application and AWS resources such as S3. In the report, the Google Cloud team offers several mitigations that can reduce the risk of attacks on cloud services and prevent credential and session abuse, data exfiltration and extortion, ransomware and data destruction, web exploits, third-party software vulnerability exploitation, DoS attacks, malware delivery, and social engineering attacks.

“The healthcare sector is a prime target for cyber attackers. It is imperative that healthcare-driven organizations recognize that patient data and medical device vulnerabilities demand urgent attention and protection,” Taylor Lehmann, Director, Office of the CISO, Google Cloud told The HIPAA Journal. “Cybersecurity must be integrated into the core of healthcare operations to safeguard clinical and personal data, as well as patient safety. This requires a collective effort, where cooperation between healthcare providers, industry leaders, and government becomes the linchpin of defense against these relentless cyber adversaries.”

The post Malicious Actors Increasingly Targeting Cloud Services in Healthcare Cyberattacks appeared first on HIPAA Journal.

Ransomware groups stepped up their attacks in September according to data recently published by NCC Group. At least 514 ransomware attacks are known to have been conducted in September, which represents a 32% month-over-month increase in attacks.

Every month in 2023 has seen more attacks conducted than the corresponding month in 2022, with September’s attacks conducted in record numbers, even more than the 502 attacks in July and the March 2023 spike in activity, which included the Clop group’s mass exploitation of the zero-day vulnerability in Fortra’s GoAnywhere MFT solution. To add some perspective, September saw a 153% increase in attacks from September 2022. NCC Group had previously predicted that 2023 could end with more than 4,000 known ransomware/data leak-extortion attacks, but the high number of September attacks could see that total surpassed well before the end of the year.

While a small number of threat actors usually account for the vast majority of attacks, that was not the case in September. NCC Group reports a significant increase in the number of active ransomware groups, with several new groups conducting large numbers of attacks. There were 76% more active ransomware groups in September 2023 compared to September 2022, which suggests ransomware attacks continue to be profitable and are unlikely to reduce any time soon.

One of the main threat groups that typically features in the top 3 is Clop, and while the group has been highly active in 2023, it only conducted 3 known attacks in August and there were no known attacks in September. While it is not unusual to see a lull in activity, especially after such a major mass exploitation campaign, it is unlikely to last long. NCC Group expects the group to return with another mass exploitation campaign soon. Two notable new ransomware groups appeared in September that hit the ground running. LostTrust was behind 9% of the month’s attacks, and RansomedVC accounted for 10%.

RansomedVC, like 8base, claims to consist of penetration testers that only attack organizations that demonstrate a lack of attention to security. In addition to attacking organizations, RansomedVC threatens to report any vulnerabilities it exploits to data protection authorities in the EU as violations of the General Data Protection Regulation (GDPR) to pile pressure on victims to pay up.

As was the case in August, Industrials was the most targeted sector, accounting for 33% of all known attacks, followed by consumer cyclicals, and technology, with healthcare in fourth place. There was a significant increase in attacks on healthcare organizations in September, with 18 more attacks than the previous month – an increase of 86%. The most active ransomware groups in September were Lockbit 3.0, LostTrust, BlackCat, RansomedVC, and Cactus. Play, BianLian, Noescape, 8base, and Trigona rounded out the top 10. North America is still the most targeted region, where 50% of the attacks were conducted, followed by Europe (30%) and Asia (9%).

The increase in attacks shows the need for an international effort to target ransomware gangs, disrupt their operations and cut off their financing.  One potential solution is for countries to introduce bans on ransom payments, which the U.S. is pushing for. 40 countries attending the third annual International Counter Ransomware Initiative (CRI) in Washington this week have pledged to do just that, although a ban could spell disaster for companies that are unable to recover their data from backups.

The post September Saw Record Number of Ransomware Attacks appeared first on HIPAA Journal.

The 8Base hacking group has been active since March 2022 and while the group does not appear to actively target the healthcare sector, its indiscriminate attacks have included multiple healthcare organizations, with recent victims including the cosmetic and reconstructive plastic surgery practice of Eduardo G. Barrosso MD in October, and attacks on Kansas Medical Center, Stockdale Podiatry, Oregon Sports Medicine, Dental One Craigiebur, Redwood Lab Services, and ClearMedi Healthcare. The recent attacks on healthcare and public health (HPH) sector organizations have prompted the Health Sector Cybersecurity Coordination Center (HC3) to publish an analyst note about the group.

First and foremost, 8Base is a data extortion group although the group has also conducted ransomware attacks using multiple ransom stains. The primary purpose of the attacks is to steal sensitive data, which the group threatens to publish to extort money from victims. The group stepped up operations in May and June this year and was one of the top three data extortion and ransomware groups in July 2023. The group’s dark web data leak site currently lists more than 225 victims from late May to November 2023.

8base claims on its data leak site that they are honest penetration testers who only attack companies that have neglected the importance of employee and customer privacy. Despite having conducted many attacks, relatively little is known about the group such as whether it operates as a ransomware-as-a-service operation. The rapid scaling up of activity this year has led security researchers to believe that members of the group are experienced, and 8base may be the new name for a well-established, mature threat group. Similarities between the RansomHouse and Phobos groups have been identified. 8base is known to have used Phobos ransomware in some of its attacks.

The primary methods the group uses for access to victims’ networks are phishing, exploit kits, and drive-by downloads. Its victims spam a broad range of sectors and include law firms, accountants, manufacturers, scientific companies, construction firms, and healthcare organizations. While organizations in multiple countries have been attacked, the group appears to mostly focus on attacks in the United States, Brazil, and the United Kingdom.

While not appearing to actively target healthcare organizations, the group does pose a threat to the HPS sector. HC3 has shared MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) associated with the group, Indicators of Compromise (IOCs), and recommended defense measures and mitigations in its analyst note. “8Base may be new to the cyber threat landscape, but in its short existence, it has proven to be a formidable adversary. Any disruption to an organization’s operations can lead to severe consequences, especially to the HPH sector,” wrote HC3 in its analyst note. “Whether it is affiliated to or an off-shoot of other threat actors, 8Base’s focus on data exfiltration instead of file encryption highlights the need to prioritize cyber security best practices, and prevent unauthorized access to an organization’s systems and networks.”

The post HPH Sector Warned About 8Base Data Extortion Group appeared first on HIPAA Journal.

Forty counties have committed to sign a pledge never to pay money to digital extortionists such as ransomware gangs. In an October 31, 2023, press briefing ahead of the third annual International Counter Ransomware Initiative (CRI) in Washington D.C., Anne Neuberger, the White House Deputy National Security Adviser for Cyber and Emerging Technology confirmed the ongoing international efforts to combat the ransomware threat by eliminating the main source of funding for ransomware gangs.

According to the U.S. government, economic losses to ransomware attacks reached $20 billion in 2021, and annual losses are expected to increase to $71.5 billion by 2026, and 46% of all ransomware attacks are conducted on organizations in the United States. As the HHS’ Office for Civil Rights (OCR) recently announced, the healthcare industry has seen a 278% increase in ransomware attacks in the past 4 years. A recent study by Comparitech determined that there had been 539 ransomware attacks on healthcare organizations since 2016, including at least 66 attacks so far in 2023. Since 2016, Comparitech estimated these attacks have cost healthcare organizations more than $77.5 billion.

Ransomware and cyber extortion groups are based in safe havens and conduct attacks on organizations in other countries. These cyber threat actors are paid millions in cryptocurrencies in response to their criminal activities. While the Biden-Harris Administration has made concerted efforts to fight the scourge of ransomware, the U.S. alone cannot combat a threat that knows no borders. Combatting the ransomware threat requires cooperation on a global scale, and at the CGI summit, several initiatives will be discussed, but the single most important step is to stop financing ransomware gangs through ransom payments. “As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow,” said Neuberger.

Forty of the 48 countries attending the CRI summit have already agreed to pledge not to pay ransoms, and the U.S. is working on getting a commitment from the remaining countries to do likewise. What has yet to be established is how this pledge will work in practice, as many victims of ransomware attacks are unable to recover the data encrypted in ransomware attacks and have no option other than paying a ransom.

New initiatives are also being launched to prevent ransom payments to ransomware gangs through better information sharing about ransom payment accounts. Neuberger said one platform will be created by Lithuania and another will be jointly created by Israel and the UAE. The CRI also plans to create a blacklist of cryptocurrency wallets that are known to move ransom payments through the cryptocurrency ecosystem, which can be used to block and freeze transactions.

The post 40 Countries Pledge to Never Pay Ransomware Gangs appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new logging tool for simplifying log management. The ‘Logging Made Easy’ (LME) tool is available free of charge and is ideal for organizations with limited resources that are looking to strengthen security and reduce their log management burden.

CISA based its LME tool on technology developed by the United Kingdom’s National Cyber Security Centre (NCSC) which was decommissioned in March 2023. The technology is now being maintained by CISA and made available to a much wider audience. According to CISA, the LME is “a self-install tutorial for small organizations to gain a basic level of centralized security logging for Windows clients and provide functionality to detect attacks.” The version released by CISA includes pre-built elastic security detection rules to allow security teams to quickly respond to cyber incidents and can show users where administrative commands are being run on enrolled devices, who is using machines, and allows queries can be run based on published Tactics, Techniques, and Procedures (TTPs) to identify the presence of an attacker.

CISA describes the current release of the LME tool as a “homebrew way of gathering logs and querying for attacks,” that can be used by organizations that have previously used the service when the NCSC maintained it; however, new users can also download the tool and start using it to monitor logs for signs of unauthorized activity. CISA says the tool is still being developed and stresses that the LME is not a professional tool and should not be used as a Security Information and Event Management (SIEM) solution.

The tool is ideal for organizations that do not currently have an Information Security Operations Center (SOC) or a SIEM, that lack the necessary budget and resources to set up their own logging systems, and that recognize the importance of gathering and monitoring logs and are aware of the limitations of the tool. Additionally, the tool may be of use on small, isolated networks where current corporate monitoring tools do not reach.

The LME tool can be downloaded here, where an overview is also provided along with installation and usage instructions and guidance on logging. CISA said it will consider developing the tool in the future for use on other operating systems.

The post CISA Releases Log Management Tool for Organizations with Limited Cybersecurity Resources appeared first on HIPAA Journal.