Healthcare Cybersecurity

July 2023 Healthcare Data Breach Report

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing, which has been tracking the breach reports, reports that at least 734 organizations had the vulnerability exploited and that between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data; it stole files and issued ransom demands, with payment required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident | Hacking incident – External, electronic storage facility used by a business associate |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 1,362,470 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (Maximus) |
| Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 1,313,636 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Pension Benefit Information, LLC | MN | Business Associate | 1,209,825 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Allegheny County | PA | Healthcare Provider | 689,686 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 398,319 | Hacking/IT Incident | Hacking incident |
| Johns Hopkins Medicine | MD | Healthcare Provider | 310,405 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Harris County Hospital District d/b/a Harris Health System | TX | Healthcare Provider | 224,703 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Precision Anesthesia Billing LLC | FL | Business Associate | 209,200 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Fairfax Oral and Maxillofacial Surgery | VA | Healthcare Provider | 208,194 | Hacking/IT Incident | Hacking incident |
| The Chattanooga Heart Institute | TN | Healthcare Provider | 170,450 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| Phoenician Medical Center, Inc | AZ | Healthcare Provider | 162,500 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| UT Southwestern Medical Center | TX | Healthcare Provider | 98,437 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Hillsborough County, Florida (County Government) | FL | Healthcare Provider | 70,636 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Family Vision of Anderson, P.A. | SC | Healthcare Provider | 62,631 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Jefferson County Health Center | IA | Healthcare Provider | 53,827 | Hacking/IT Incident | Hacking incident – Data theft confirmed (Karakurt threat group) |
| New England Life Care, Inc. | ME | Healthcare Provider | 51,854 | Hacking/IT Incident | Hacking incident |
| Care N’ Care Insurance Company, Inc. | TX | Health Plan | 33,032 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc) |
| Synergy Healthcare Services | GA | Business Associate | 25,772 | Hacking/IT Incident | Hacking incident |
| Rite Aid Corporation | PA | Healthcare Provider | 24,400 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Life Management Center of Northwest Florida, Inc. | FL | Healthcare Provider | 19,107 | Hacking/IT Incident | Hacking incident |
| Saint Francis Health System | OK | Healthcare Provider | 18,911 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Pennsylvania Department of Human Services | PA | Healthcare Provider | 16,390 | Unauthorized Access/Disclosure | Hacking incident – Unauthorized access to a system test website |
| The Vitality Group, LLC | IL | Business Associate | 15,569 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Wake Family Eye Care | NC | Healthcare Provider | 14,264 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| East Houston Med and Ped Clinic | TX | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure | Storage unit sold that contained boxes of patient records |

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

| State | Breaches |
|---|---|
| Texas | 7 |
| Florida | 6 |
| California | 5 |
| Maryland, Pennsylvania & Tennessee | 4 |
| Arizona & North Carolina | 3 |
| Connecticut, Illinois & Minnesota | 2 |
| Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington | 1 |

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.

The post July 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Mandiant: Malicious Actors Use of Generative AI Remains Limited

There is justifiable fear that malicious actors will leverage generative AI to facilitate their malicious activities; however, the adoption of generative AI by threat actors appears to be limited, certainly for intrusion operations. Mandiant reports that it has been tracking threat actor interest in generative AI, but its research and open source accounts indicate generative AI is only currently being used to a significant extent for social engineering and misinformation campaigns.

Mandiant has found evidence indicating generative AI is being used to create convincing lures for phishing and business email compromise (BEC) attacks. Malicious actors can create text output reflecting natural human speech patterns for phishing lures and enhance the complexity of language in their existing operations. Threat actors have used generative AI to manipulate video and voice content in BEC scams and to manipulate images to defeat know-your-customer (KYC) requirements. Evidence has also been obtained indicating financially motivated threat actors are using the malicious WormGPT tool to create convincing phishing and BEC lures.

Mandiant has previously demonstrated how malicious actors can use AI-based tools to support their operations, such as for processing open source information and stolen data for reconnaissance purposes. For example, state-sponsored intelligence services can use machine learning and data science tools on massive quantities of stolen and open-source data to improve data processing and analysis, improving the speed and efficiency of operationalizing collected information. In 2016, a system was demonstrated that can identify high-value targets from previous Twitter activity and generate convincing lures targeting individuals based on past tweets. Mandiant has also found evidence indicating a North Korean cyber espionage actor (APT43) has an interest in large language models (LLMs) and is using LLM tools, although it has yet to be established why the LLMs are being used.

Currently, one of the most effective uses of generative AI is for information operations. AI tools help information operation actors with limited resources and capabilities produce higher quality content at scale, and the tools increase their ability to create content that may have a stronger persuasive effect on their targeted audiences than was previously possible. “We believe that AI-generated images and videos are most likely to be employed in the near term; and while we have not yet observed operations using LLMs, we anticipate that their potential applications could lead to their rapid adoption,” suggest the researchers.

While there is limited evidence of threat actors leveraging LLMs for creating new malware and improving existing malware, this is an area that is expected to see significant growth. Mandiant reports that several threat actors are advertising services on underground forums on how to bypass restrictions on LLMs to get them to assist with malware development.

“While we expect the adversary to make use of generative AI, and there are already adversaries doing so, adoption is still limited and primarily focused on social engineering,” John Hultquist, Chief Analyst, Mandiant Intelligence, Google Cloud told The HIPAA Journal. “There’s no doubt that criminals and state actors will find value in this technology, but many estimates of how this tool will be used are speculative and not grounded in observation.”

While threat actors are expected to increasingly use generative AI for offensive purposes, AI-based tools currently offer far more benefits to defenders. “AI has been around for a while, but this is the inflection point where the general public has taken notice. Like any technological innovation, we expect adversaries are going to find applications for these tools. However, there is far greater promise for defenders who have the ability to direct the development of it,” said Sandra Joyce, VP, Mandiant Intelligence, Google Cloud. “We still own the technology. There are going to be people who will use AI for ill intent, but that shouldn’t stop us from leapfrogging ahead to out innovate the adversaries.”

The post Mandiant: Malicious Actors Use of Generative AI Remains Limited appeared first on HIPAA Journal.

Hackers Backdoor 1,900 Citrix NetScaler Devices

Hackers have been conducting a mass exploitation campaign against Citrix NetScalers that targets a critical vulnerability tracked as CVE-2023-3519. The automated campaign compromises NetScalers and installs web shells to provide a persistent backdoor into the appliances. The web shell allows the threat actor to execute arbitrary commands on compromised systems, even after the patch that fixes the vulnerability has been applied.

The vulnerability affects Citrix Application Delivery Controller and Gateway appliances configured as gateway servers and was disclosed by Citrix on July 18, 2023. A patch was released to fix the vulnerability and Citrix warned at the time that there had been limited exploitation of the vulnerability in the wild, although no details were released about the extent of the exploitation. Since then, several security firms have reported cases of exploitation of the flaw.

Researchers at the cybersecurity company Fox-IT, part of NCC Group, in collaboration with the Dutch Institute of Vulnerability Disclosure (DIVD), have been trying to identify the compromised systems and alert the affected companies. The researchers report that at the time of the exploitation campaign, 31,127 NetScalers were found to be vulnerable to CVE-2023-3519, and that as of August 14, 2023, 1,900 NetScalers had been found to be compromised and backdoored. 1,248 of those NetScalers had since been patched to fix the vulnerability, but because the web shell survives patching, access to them was still possible.

The researchers have warned NetScaler administrators to perform a check of Indicators of Compromise (IoCs), regardless of whether the vulnerability has been patched. The Fox-IT researchers have released a Python script that uses Dissect to perform triage on forensic images of NetScalers, and Mandiant has released a bash script that will check for IoCs on live systems.

If a web shell is detected, the researchers recommend making a forensic copy of the disk and the memory of the appliance before any remediation or investigative actions are done, and to investigate whether the web shell has been used to perform any activities. Usage of the web shell should be visible in NetScaler access logs. If there are indications that the web shell has been used, a wider investigation is required to determine if the attackers have moved laterally from the appliance and have compromised other systems.
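The access-log review described above can be started with a simple baseline comparison. The following Python is an added example written for this page; it is not the Fox-IT or Mandiant tooling mentioned in the article. It assumes Apache "combined"-style lines, as a NetScaler writes to its httpaccess.log, and uses constructed log lines; the web shell path in the sample data is a labelled placeholder, not a published indicator of compromise. The idea is to take request paths from a window believed to be clean, then report any path in the review window that is outside that baseline and is either a PHP script or a POST target, grouped by client address with a count and first/last timestamps. The output is a starting point for the wider investigation the article calls for, not a verdict.

```python
import re
from collections import Counter, defaultdict

# Assumed log layout (an assumption, not taken from the article): Apache
# "combined"-style lines as written to a NetScaler's httpaccess.log. Adjust the
# regex if your appliance writes a different layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample data. "EXAMPLE-webshell.php" is a placeholder path used
# only to exercise the logic; it is not a real indicator of compromise.
CLEAN_WINDOW = [
    '203.0.113.10 - - [01/Jul/2023:08:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Jul/2023:08:00:09 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [02/Jul/2023:09:12:40 +0000] "GET /logon/LogonPoint/tmindex.html HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
]
REVIEW_WINDOW = [
    '203.0.113.12 - - [22/Jul/2023:10:03:15 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [22/Jul/2023:10:03:22 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [23/Jul/2023:02:41:07 +0000] "GET /vpn/themes/EXAMPLE-webshell.php HTTP/1.1" 200 112 "-" "python-requests/2.31"',
    '198.51.100.23 - - [23/Jul/2023:02:41:09 +0000] "POST /vpn/themes/EXAMPLE-webshell.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '198.51.100.23 - - [25/Jul/2023:02:55:40 +0000] "POST /vpn/themes/EXAMPLE-webshell.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def baseline_paths(lines):
    """Set of request paths seen during a window believed to be clean."""
    return {rec["path"] for rec in map(parse_line, lines) if rec}


def find_suspicious(lines, known_paths):
    """Group requests whose path is outside the baseline and is either a PHP
    script or a POST target, one summary per (path, client IP)."""
    hits = defaultdict(lambda: {"count": 0, "methods": Counter(),
                                "statuses": Counter(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] in known_paths:
            continue
        if not (rec["path"].lower().endswith(".php") or rec["method"] == "POST"):
            continue
        h = hits[(rec["path"], rec["ip"])]
        h["count"] += 1
        h["methods"][rec["method"]] += 1
        h["statuses"][rec["status"]] += 1
        h["first"] = h["first"] or rec["ts"]
        h["last"] = rec["ts"]
    return [dict(path=p, ip=ip, **v) for (p, ip), v in sorted(hits.items())]


def summarize(hits):
    """Human-readable lines, one per finding, for the triage notes."""
    return [
        f'{h["path"]} from {h["ip"]}: {h["count"]} requests '
        f'({dict(h["methods"])}, statuses {dict(h["statuses"])}) '
        f'between {h["first"]} and {h["last"]}'
        for h in hits
    ]


if __name__ == "__main__":
    for row in summarize(find_suspicious(REVIEW_WINDOW, baseline_paths(CLEAN_WINDOW))):
        print(row)
```

The baseline suppresses legitimate POSTs such as the login handler, so only paths that never appeared in the clean window surface. A real review should build the baseline from logs that predate the disclosure date, and any finding should be preserved alongside the forensic disk and memory images before remediation, as the researchers advise.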

The post Hackers Backdoor 1,900 Citrix NetScaler Devices appeared first on HIPAA Journal.

59% Year-over-year Increase in Exploitable Vulnerabilities in Medical Devices

A joint research project by Health-ISAC, Finite State, and Securin has revealed that exploitable vulnerabilities in medical devices have increased by almost 60% since 2022. The researchers identified almost 1,000 vulnerabilities in 966 medical products, a 59% year-over-year increase from 2022. In total, 993 vulnerabilities were identified that could be exploited by malicious actors to gain access to healthcare networks; 160 of them have already been weaponized, and a further 101 are trending in the wild. Advanced Persistent Threat (APT) actors are known to be actively exploiting 9 of the vulnerabilities, and 7 are being actively exploited by ransomware gangs.

A recent study by Akamai found cybercriminal groups, and ransomware gangs in particular, are increasingly exploiting vulnerabilities in software, firmware, and operating systems to gain initial access to networks. Threat actors are devoting resources to in-house research to identify zero-day vulnerabilities in software solutions that can be mass exploited in attacks. The Clop threat group, for example, identified a zero-day vulnerability in Fortra’s GoAnywhere MFT solution and exploited it to gain access to the sensitive data of dozens of organizations, while the zero-day vulnerability in Progress Software’s MOVEit Transfer solution was used to attack at least 621 organizations worldwide. Cyber threat actors are also purchasing exploits for known vulnerabilities and exploiting vulnerabilities before organizations have time to apply the patches and before vendors have released patches.

The increase in high severity and critical vulnerabilities in the software and firmware of connected medical devices is a major cause of concern. The research project found a 437% year-over-year increase in remote code execution and privilege escalation vulnerabilities, which are especially attractive to hackers and particularly dangerous for healthcare organizations. “Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security,” said Larry Pesce, Director of Product Security Research and Analysis at Finite State. “The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety.”

The 2023 IBM Security Cost of a Data Breach Report revealed that healthcare data breaches now cost almost $11 million, although far more serious than the financial cost is the risk to patient safety. Hackers could alter patient data, resulting in a misdiagnosis or incorrect treatment being delivered; treatment is often delayed by cyberattacks that take electronic medical record systems and other essential IT systems offline; and cyberattacks often cause financial harm to patients, frequently leading to identity theft and fraud. There have also been multiple recent cases where highly sensitive medical information of patients, including naked images, has been leaked online, and threat actors have attempted to extort patients directly.

The report makes several recommendations for protecting against attacks that exploit vulnerabilities: ensure a regular penetration testing cadence; prioritize patching based on known risks; incorporate binary analysis tools into the security strategy to generate a Software Bill of Materials (SBOM) and use the results for pen testing; and mandate that all vendors follow a secure-by-design methodology. The report is available on this link: 2023 State of Cybersecurity for Medical Devices and Healthcare Systems.

The post 59% Year-over-year Increase in Exploitable Vulnerabilities in Medical Devices appeared first on HIPAA Journal.

Even Well-Defended Companies are Vulnerable to Lapsus$ Attacks

The Cyber Safety Review Board (CSRB) has published an analysis of cyberattacks by the Lapsus$ threat group and has made recommendations for the public and private sectors on how to improve cybersecurity defenses against attacks by Lapsus$ and similar threat actors.

The CSRB was established by President Biden’s Executive Order on Improving the Nation’s Cybersecurity and has been tasked with reviewing major cyber events and making recommendations on improvements that can be made by public and private sector organizations to better defend against attacks. The CSRB consists of 15 cybersecurity leaders from the federal government and private sector and is chaired by Robert Silvers, Under Secretary for Policy at the U.S. Department of Homeland Security.

Lapsus$ is a cyber threat actor primarily focused on data theft and extortion and has been conducting attacks on large companies and government agencies around the world since 2021. The group breaches defenses to gain access to internal networks, steals sensitive data such as source code, and demands payment, although it rarely follows up. The group is also known to post political messages in online forums and swiftly moves on to other targets after a successful compromise.

Lapsus$ is thought to be a loosely organized threat group that includes several juveniles. Many of the group’s attacks appear to have been conducted for public notoriety rather than financial gain. The group has successfully breached some of the most well-resourced and well-defended companies and government agencies around the world with apparent ease, using relatively simple techniques without particularly complex or advanced tooling.

The group identifies weak points in systems and then exploits them, and often attacks downstream vendors and telecommunications providers before pivoting to the intended target. The group is particularly adept at targeting individuals using social engineering and tricking them into providing network access; for instance, it steals phone numbers and phishes employees via text messages and voice calls. The group is also adept at bypassing multi-factor authentication.

The CSRB found commonalities between several different threat groups when investigating Lapsus$. Since the techniques used by the group are also used by other threat groups, cyber intelligence and attribution are fragmented. Similar techniques are used by the ransomware affiliate group, Yanluowang; the financially motivated threat group, Oktapus (Roasted Oktapus); the data extortion group, Karakurt; the financially motivated Lapsus$ splinter group, Nwgen Team; and two groups tracked as #NotLapsus1 and #NotLapsus2. Evidence has been found that proves ties between members of these groups and Lapsus$.

“We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their system,” said CSRB Chair, Robert Silvers. “The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”

Since many of the attacks involve credential theft, one of the most effective defenses is moving to passwordless technologies and, in the meantime, ensuring phishing-resistant multi-factor authentication (MFA) is implemented. The CSRB found the MFA implementations broadly used by companies and individuals are not sufficient to protect against Lapsus$ attacks. The Lapsus$ attacks highlight the importance of implementing zero-trust architectures that assume that there has already been a breach and attackers are inside the network, verifying authentication and authorization for every request.
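The distinction the CSRB draws between "broadly used" MFA and phishing-resistant MFA comes down to whether the second factor is bound to the site the user is actually on. The following Python is an added example for this page, not code from the CSRB report or from any vendor. It models a server (the relying party) that accepts two kinds of second factor: a six-digit time-based one-time code, and a simplified origin-bound assertion in the style of FIDO2/WebAuthn. Real FIDO2 credentials sign with a private key; here a per-credential HMAC secret stands in so the block runs with the standard library only, and the origins, user name and fixed clock are constructed. The property of interest survives the simplification: the signed client data carries the origin the browser talked to, so an assertion produced on a look-alike site fails verification at the genuine one, whereas a one-time code carries no such information and verifies wherever it is forwarded.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for the demonstration; neither is a real host.
RP_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.example-com.test"
NOW = 1_690_000_000  # fixed clock (constructed) so the scenarios are deterministic


def totp_code(secret: bytes, now: int, step: int = 30) -> str:
    """Six-digit time-based one-time code (RFC 6238 style). Nothing in the code
    records where the user typed it, which is why it verifies when forwarded."""
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 1_000_000:06d}"


class Authenticator:
    """Toy origin-bound authenticator (simplification of a FIDO2 credential):
    HMAC over client data that includes the origin the browser is on."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def make_assertion(self, challenge: str, browser_origin: str) -> dict:
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True
        ).encode()
        signature = hmac.new(self.secret, client_data, hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": signature}


class RelyingParty:
    """Server side: enrols factors and verifies logins for one expected origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.totp_secrets = {}
        self.credentials = {}
        self.pending = {}

    def enroll_totp(self, user: str) -> bytes:
        self.totp_secrets[user] = secrets.token_bytes(20)
        return self.totp_secrets[user]

    def verify_totp(self, user: str, code: str, now: int) -> bool:
        return hmac.compare_digest(totp_code(self.totp_secrets[user], now), code)

    def enroll_key(self, user: str, auth: Authenticator) -> None:
        self.credentials[user] = auth.secret

    def begin_login(self, user: str) -> str:
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def finish_login(self, user: str, assertion: dict) -> bool:
        expected = hmac.new(
            self.credentials[user], assertion["client_data"], hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False  # not produced by the enrolled credential
        data = json.loads(assertion["client_data"])
        if data["challenge"] != self.pending.pop(user, None):
            return False  # stale or reused challenge
        return data["origin"] == self.origin  # the check a look-alike site cannot pass


def forwarded_totp_login() -> bool:
    """A code typed into a look-alike page and forwarded within the same time
    step verifies at the genuine site; the server has no way to tell."""
    rp = RelyingParty(RP_ORIGIN)
    victim_secret = rp.enroll_totp("alice")
    code_seen_by_lookalike = totp_code(victim_secret, NOW)
    return rp.verify_totp("alice", code_seen_by_lookalike, NOW)


def forwarded_key_login() -> bool:
    """The same forwarding against an origin-bound credential: the browser
    signs the look-alike origin, and the genuine site rejects the assertion."""
    rp = RelyingParty(RP_ORIGIN)
    key = Authenticator()
    rp.enroll_key("alice", key)
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", key.make_assertion(challenge, LOOKALIKE_ORIGIN))


def legitimate_key_login() -> bool:
    rp = RelyingParty(RP_ORIGIN)
    key = Authenticator()
    rp.enroll_key("alice", key)
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", key.make_assertion(challenge, RP_ORIGIN))


if __name__ == "__main__":
    print("one-time code forwarded from look-alike accepted:", forwarded_totp_login())
    print("origin-bound assertion from look-alike accepted:", forwarded_key_login())
    print("origin-bound assertion from genuine origin accepted:", legitimate_key_login())
```

In a real deployment the origin check is performed by the relying party on the browser-supplied clientDataJSON, and the challenge is single-use, which is what the `pending.pop` models; both checks are needed, since a correct origin with a reused challenge is a replay.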

The group exploits vulnerabilities in the systems of telecommunications providers, who need to implement better processes and systems to prevent attackers from hijacking their mobile phone services. Many of the attacks are conducted via vendors so it is vital for organizations to design their security programs to cover their own information technology environments as well as any vendors that host critical data or maintain direct access to their networks. The CSRB also recommends giving law enforcement the means to disrupt all types of threat actors, and since the group is known to include teenagers, ensuring that young people are given the opportunity to use their technical skills for positive purposes.

“Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies. Their primary attack vectors — SIM swap attacks and phishing employees — can be easily addressed, especially for companies like Microsoft and Okta that are so well resourced,” Rosa Smothers, former CIA cyber threat analyst and current KnowBe4 executive told the HIPAA Journal. “Hardware authentication requires in-person direct engagement preventing remote, phone-based attacks. And training employees to spot and report social engineering attempts like phishing should be the basis of any company’s security awareness training program.”

The CSRB provides 10 actionable recommendations in the report on how to improve defenses against these attacks. The CSRB report on attacks by Lapsus$ and related threat groups can be found here.

The post Even Well-Defended Companies are Vulnerable to Lapsus$ Attacks appeared first on HIPAA Journal.

NIST Releases Draft Version of Cybersecurity Framework 2.0 for Public Comment

The National Institute of Standards and Technology (NIST) has published a draft of an updated version of its popular Cybersecurity Framework (CSF) – version 2.0. This is the first major update to the NIST CSF since its release in 2014.

The NIST CSF helps organizations to understand and reduce cybersecurity risks, improve their security posture, and monitor progress, and has been downloaded more than 2 million times. The NIST CSF was initially released to help critical infrastructure entities improve their security posture and reduce and manage risks; however, the framework has been adopted by a much broader range of entities, such as small- and medium-sized organizations that lack internal resources for cybersecurity. The framework is based on five key pillars: identify, protect, detect, respond, and recover, and provides high-level guidance for managing cybersecurity risk. The framework uses a common language and systematic methodology for managing risk and aiding communication between technical and non-technical staff, and can easily be tailored to suit the needs of individual organizations.

In February 2022, NIST issued a request for information (RFI) on how to update the framework, in particular, to improve supply chain risk management. More than 130 responses were received in response to the RFI, and the feedback received has been considered when updating the framework. The framework has also been updated to reflect changes in the cybersecurity landscape since its release almost a decade ago and has been revised to make the framework easier to put into practice for organizations of all types and sizes.

The update expands the scope of the framework from protecting critical infrastructure such as hospitals to organizations of all types and sizes. NIST has added a sixth pillar – govern – to help organizations make and execute their own internal decisions to support their cybersecurity strategy, and the update emphasized that cybersecurity is a major source of enterprise risk alongside legal and financial risks. The updated version also includes guidance on implementing the CSF, such as creating profiles tailored to specific situations, and implementation examples have been included for each of the subcategories of each function, specifically to help smaller organizations use the framework effectively.

“With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well,” said NIST’s Cherilyn Pascoe, the framework’s lead developer. “The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.”

The draft version of the NIST CSF 2.0 has been released for public comment and comments will be accepted until November 4, 2023. NIST says it has a workshop planned for the fall – the details of which have yet to be announced – which will provide a further opportunity for the public to give feedback on the updated version. No further drafts will be released by NIST, and the final version is expected to be released in early 2024.

The post NIST Releases Draft Version of Cybersecurity Framework 2.0 for Public Comment appeared first on HIPAA Journal.

Ransomware Gangs Increasingly Exploiting 0Day and 1Day Vulnerabilities

Ransomware gangs use a variety of methods for initial access to victims’ networks and while phishing is still one of the most common initial access vectors, researchers at the cybersecurity firm Akamai have identified a trend toward zero-day and day-one vulnerabilities for initial access. Several threat groups are conducting their own research to find exploitable vulnerabilities or are purchasing exploits from gray-market sources.

Ransomware attacks have increased significantly over the past year. Between Q1 2022 and Q1 2023, there was a 143% increase in ransomware attacks, and there has been a growing trend of data theft and extortion without the use of ransomware to encrypt files. File encryption can cause massive disruption to business operations; however, file encryption is noisy and more resource intensive. Simply accessing victims’ networks, stealing data, and threatening to publish or sell that data is often enough to prompt the victim to pay up. These attacks require fewer resources, are far faster, and are less likely to be detected and blocked by security teams. While data theft was once secondary to file encryption in ransomware attacks, the reverse now appears to be true, with data theft far more effective for extortion than file encryption.

The Clop ransomware group is one of several threat actors to opt for data theft and extortion without file encryption and is also one of the gangs focusing on vulnerability exploitation. The group mass exploited a zero-day vulnerability in Fortra’s GoAnywhere file transfer solution in February 2023 and attacked dozens of companies. Then, a few months later, it mass exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution to attack hundreds of companies. When claiming responsibility for the attack, a spokesperson for the group claimed that data encryption was an option, but the decision was taken not to encrypt files. KonBriefing is tracking the MOVEit Transfer attacks and says at least 611 organizations were attacked and the records of between 35.8 million and 40.7 million individuals were stolen by Clop.

The Akamai researchers conducted an analysis of the data leak sites of 90 ransomware groups, where the groups publish the names of their victims and release stolen data when ransoms are not paid. The groups often provide details about whether data was encrypted, the amount of data stolen, and how the attack was conducted. The researchers found that in addition to Clop, several other ransomware groups were favoring zero-day and day-one exploits of vulnerabilities in software and operating systems and, like Clop, were conducting research in-house or were seeking and paying for exploits from third parties. Other ransomware operations that have exploited recently disclosed vulnerabilities include LockBit and ALPHV (BlackCat), which rapidly exploited vulnerabilities before vendors could release patches; examples include the PaperCut vulnerabilities CVE-2023-27350 and CVE-2023-27351 and the VMware ESXi hypervisor vulnerability CVE-2021-21974.

The main sectors targeted by ransomware gangs in the period studied were manufacturing, healthcare, and financial services. The researchers also identified a much higher percentage of attacks on small- and medium-sized firms compared to larger organizations. 65% of the attacks the researchers analyzed were on small- and medium-sized businesses, compared to 12% on larger organizations. The researchers also found a high probability of a victim experiencing a second attack within 3 months of the first.

The post Ransomware Gangs Increasingly Exploiting 0Day and 1Day Vulnerabilities appeared first on HIPAA Journal.

Healthcare Data Breach Risk Doubles in 2-Year Window Around M&As

The risk of a data breach at hospitals doubles in the year before and after mergers and acquisitions (M&As), according to a recent study by University of Texas at Dallas PhD candidate, Nan Clement.

Clement analyzed data breach reports submitted to the HHS’ Office for Civil Rights (OCR) from 2010 to 2022 and compared them with M&A records over the same period. The probability of a data breach was 3% for hospitals that merged over the analyzed period, but the risk doubled to 6% for merger targets, buyers, and sellers over a two-year period, one year before and one year after the deal was closed. Clement also found that incidents involving hacking and insider misconduct increased when a hospital merger or acquisition was announced. Google Trends data showed an increase in searches for the target hospital’s name following the announcement, and a connection was found with hacking activity.

Hacking and ransomware attacks were found to occur more frequently during the two-year window around M&As. At such a sensitive time, cybercriminals may believe there is a higher probability that ransom demands will be paid, and incompatibilities between two hospitals’ information systems may introduce vulnerabilities that can be exploited, as can mistakes by employees. The Federal Bureau of Investigation previously warned companies that hackers, and especially ransomware groups, often use significant financial events such as M&As to target companies, as it gives them more leverage. Clement also found an increase in insider misconduct during the two-year period around M&As.

According to the recently published Cost of a Data Breach Study by IBM Security, healthcare data breaches now cost almost $11 million per incident, more than data breaches in any other sector, and the HHS’ Office for Civil Rights breach portal data shows there has been a massive increase in hacking incidents in the past few years. “Given the significant cost of data breaches, it is crucial for hospital managers, cybersecurity experts, and health, defense, and finance authorities to work together to enhance cybersecurity measures in hospitals,” suggests Clement in the paper. Clement also found that mergers involving publicly traded hospitals often see a decrease in data breaches during the merger period. “Hospital managers should consider adopting the risk management processes commonly employed by professional investors and publicly traded hospitals. This integration of risk management practices can lead to improved overall organizational capital for protecting the hospitals.”

The findings from the peer-reviewed paper, M&A Effect on Data Breaches in Hospitals: 2010-2022, were presented at the 22nd Workshop on the Economics of Information Security in Geneva last month.

The post Healthcare Data Breach Risk Doubles in 2-Year Window Around M&As appeared first on HIPAA Journal.

HC3 Sounds Alarm About Rhysida Ransomware Group

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a security alert about a new ransomware group – Rhysida – which is conducting high-impact attacks across multiple industry sectors. Attacks have been conducted in North and South America, Western Europe, and Australia, with the United States, Italy, Spain, and the United Kingdom having suffered the most attacks. The primary targets appear to be in the education, government, manufacturing, and technology sectors, although the group has conducted some attacks on the healthcare and public health (HPH) sector.

Rhysida is a ransomware-as-a-service operation that recruits affiliates to conduct attacks using its ransomware variant in exchange for a percentage of any ransom payments they generate. The group was first identified in May 2023, and its ransomware variant appears to still be in the early stages of development as it lacks the advanced features seen in the ransomware variants used by more established threat groups.

Rhysida ransomware is deployed after initial access to victims’ networks has been established through phishing attacks and the exploitation of vulnerabilities in software. The Cobalt Strike attack framework is deployed on compromised systems and used to deliver the ransomware payload. The ransomware uses a 4096-bit RSA key together with the ChaCha20 algorithm to encrypt files, and a PDF ransom note is dropped on the encrypted drives demanding payment in Bitcoin for the keys to decrypt data and to prevent the publication of stolen data. The ransom amount is not stated in the notes; victims are required to make contact with the threat group via Tor to negotiate payment. Rhysida was behind a recent attack on the Chilean Army and has listed eight attacks on its data leak site to date, publishing stolen data from five of those attacks.

Security researchers have yet to confirm a connection between the Rhysida ransomware-as-a-service operation and other ransomware or cybercriminal groups, although some security researchers believe there may be a link with the Vice Society group, which also primarily targets the education sector. HC3 has shared Indicators of Compromise (IoCs) in the alert to help network defenders detect attacks, along with several proactive steps that healthcare organizations can take to harden their defenses and prevent attacks.

The post HC3 Sounds Alarm About Rhysida Ransomware Group appeared first on HIPAA Journal.