The U.S. Food and Drug Administration (FDA) has published a report it commissioned that makes recommendations on how to manage the cybersecurity risks of legacy medical devices. Legacy medical devices are classed as devices that can no longer be reasonably protected against current cybersecurity threats, even though they may still adequately perform their primary function and have a useful life beyond the declared end-of-support or end-of-life date.

When medical devices reach end-of-life, patches stop being released to fix vulnerabilities, and unpatched vulnerabilities can be exploited to gain access to the devices and networks to which they are connected. In many cases, the vendors of the devices cannot continue to issue software patches due to outdated technology and compatibility issues and healthcare delivery organizations (HDOs) may not be able to replace them due to the high cost of doing so. If the devices were to be removed from use, it could have serious implications for patient safety and clinical operations.

Medical devices are regulated by the FDA, which was tasked by Congress in 2022 to ensure the cybersecurity of medical devices. The FDA has already issued final guidance on premarket submissions for medical devices, which must now meet minimum standards for cybersecurity in order to be approved for use in the United States by the FDA. While the final guidance addresses cybersecurity risks associated with new medical devices that come onto the market, it does nothing to address the cybersecurity of the millions of devices that are already in use at hospitals across the United States.

In November 2023, the FDA contracted with MITRE to produce a report on legacy medical devices, which were legally sold and had cybersecurity controls that were effective at the point of purchase but can no longer be reasonably protected. In an ideal world, these devices should be replaced; however, the issue is complex, and it must be managed in a way that minimizes negative impacts on patient care and safety.

To produce the report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks, MITRE interviewed medical device manufacturers, healthcare providers, and cybersecurity experts to identify potential solutions for reducing the cybersecurity risks associated with legacy devices, and the report includes recommendations for reducing cyber risks for hospitals that do not have the resources and budgets to replace the devices. The recommendations address the challenges of shared responsibility over the medical device lifecycle, vulnerability management, workforce development, and mutual aid for less well-resourced healthcare delivery organizations (HDOs).

The 8 recommendations made in the report are:

• Collection of quantitative and qualitative data to allow HDOs and medical device manufacturers (MDMs) to make informed decisions about the risks and costs of replacement versus the continued use of legacy devices.
• Development of information sharing agreement templates to increase transparency and ensure appropriate expectations are included for managing legacy medical device security risks.
• Establishment of a security architecture working group including a broad range of stakeholders to identify and prioritize security controls that may be implemented within an HDO’s infrastructure to improve cyber risk management.
• Development of a research program in modular design for medical devices. If medical devices were designed to be modular, HDOs could have the option of replacing legacy software or hardware components rather than having to totally replace devices.
• Conduction of a study on vulnerability management coordination to explore approaches to streamline and improve vulnerability management processes, which are often costly and resource-intensive.
• Development of competency models for roles related to legacy cyber risk management to help less well-resourced HDOs and support workforce training.
• Participation in mutual aid partnerships, including ad-hoc relationships, private sector partnerships, and state/local government partnerships.

The post FDA Releases Guidance on Managing Legacy Medical Device Cybersecurity Risks appeared first on HIPAA Journal.

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) about Rhysida ransomware.

Rhysida ransomware is a ransomware-as-a-service (RaaS) operation that first emerged in May 2023. The group engages in double extortion tactics, involving data theft and encryption, with ransom payment required to obtain the keys to decrypt files and prevent the public release of stolen data. Researchers at Check Point identified significant similarities between Rhysida ransomware and Vice Society, one of the most prolific ransomware groups since 2021 that aggressively targeted the education and healthcare sectors.

In August 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued its own advisory about Rhysida ransomware following several attacks on the healthcare sector, including the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics across the United States. The latest cybersecurity advisory includes an update on the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs) from malware analyses and recent incident response investigations to help network defenders and incident response teams detect and block attacks in progress.

Rhysida ransomware actors have been observed using a variety of techniques for gaining initial access to victims’ networks, including leveraging external-facing remote services such as virtual private networks (VPNs), commonly through the use of compromised credentials. These attacks have proven successful against organizations that have failed to implement multi-factor authentication for VPN connections. Rhysida ransomware actors have also exploited unpatched vulnerabilities, such as the Zerologon (CVE-2020-1472) vulnerability in Microsoft’s Netlogon Remote Protocol, and commonly use phishing emails. Once initial access has been achieved, the group often creates Remote Desktop Protocol (RDP) connections for lateral movement, establishes VPN access, and uses PowerShell and native network administration tools to perform operations, which helps them to evade detection by hiding their activity within normal Windows systems and network activities.

The FBI, CISA, and the MS-ISAC suggest several mitigations for hardening security, including steps that can be taken to block the main attack vectors, restrict lateral movement, and detect attacks in progress. These include enabling phishing-resistant multifactor authentication, especially for webmail, VPNs, and accounts that access critical systems; disabling command-line and scripting activities and permissions; restricting the use of PowerShell; enhancing PowerShell logging and logging within processes; restricting the use of RDP; and securing remote access through application controls.

The post Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks appeared first on HIPAA Journal.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an updated cybersecurity advisory about Royal ransomware, which is thought to be about to shut down and rebrand.

Royal ransomware first emerged in September 2022 and is thought to have split from the Conti ransomware operation, with a brief spell operating as Quantum in between. Royal ransomware has been a prolific ransomware operation, having conducted more than 350 attacks since September 2022 and has issued ransom demands in excess of $275 million, according to the FBI. Royal ransomware is a private ransomware group that has targeted organizations in healthcare and public health (HPH), education, manufacturing, and communications. The number of attacks on HPH sector organizations prompted an earlier cybersecurity advisory from CISA, the FBI, and the HHS, which shared the latest tactics, techniques, and procedures (TTPs) used by the group and Indicators of Compromise (IoCs). They have been updated in the latest advisory.

In May 2023, a new ransomware variant was detected that had several coding similarities to Royal ransomware, and similar intrusion techniques were used. Researchers at Trend Micro found the two ransomware variants were almost identical, with 98% similar functions, 98.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff. The two groups have been observed using similar software and open source tools in their attacks such as Chisel and Cloudflared for network tunneling, Secure Shell (SSH) Client, OpenSSH, and MobaXterm for SSH connections, Mimikatz and Nirsoft for credential harvesting, and the attacks involved similar remote access tools.

Along with those similarities was the timing of the emergence of the new ransomware variant – Blacksuit – which led security researchers to believe that Royal was about to rebrand. Royal has just conducted a major attack on the city of Dallas which attracted considerable attention from law enforcement and, as is common after major attacks, ransomware groups often rebrand. Royal did not rebrand immediately, and it has been suggested that all did not go well with the new ransomware variant, and the rebrand was delayed. Alternatively, Blacksuit could be a spinoff variant of Royal. CISA and the FBI are convinced that the two ransomware variants are linked.

LockBit 3.0 Exploiting Citrix Bleed Vulnerability

The LockBit 3.0 group has been exploiting the critical Citrix Bleed vulnerability that affects Citrix NetScaler ADC and Gateway to gain access to the systems of its victims. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023; however, many organizations have been slow to patch and are running vulnerable appliances.

According to Security researcher Kevin Beaumont, who has been tracking the group’s attacks, several of the group’s recent victims had exposed Citrix servers that were vulnerable to the Citrix Bleed flaw, and that appears to have been exploited using a publicly available exploit.

Currently, there are more than 3,000 Citrix servers in the United States that are exposed to the Internet and vulnerable to the Citrix Bleed flaw which can be exploited remotely with no user interaction. Immediate patching is strongly recommended to prevent exploitation of the flaw.

Hunters International Ransomware Group Takes over from Hive

Hive, one of the most notorious ransomware groups in recent years, was shut down in January this year following an international law enforcement operation. The group had obtained more than $100 million in ransom payments and conducted more than 1,500 attacks worldwide, including many attacks on healthcare organizations.

Following law enforcement takedowns, ransomware groups often go quiet and then reemerge months later with a new ransomware variant. A new threat group, Hunters International, has since emerged and several similarities have been found with Hive, including coding overlaps and a 60% match between the group’s code, according to security researcher BushidoToken.

According to a recent report from Martin Zugec, technical solutions director at Bitdefender, a member of the Hunter’s International group issued a statement confirming that Hive and Hunter’s International are two separate groups and Hive’s source code and infrastructure were acquired. The Hive spokesperson said Hive sold their source code, website, and old Goland and C versions, and Hunter’s purchased them. The spokesperson for Hunter’s said encryption isn’t its primary goal, which is why the group didn’t develop everything from scratch. Bitdefender’s research uncovered evidence to suggest the adoption of Hive’s code rather than a rebrand, thus corroborating the Hunter’s International statement. Bitdefender’s analysis, recommendations, and IoCs can be found here.

The post Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups appeared first on HIPAA Journal.

A zero-day vulnerability in the SysAid IT service management solution is being exploited by the Lace Tempest (aka FIN11, DEV-0950, TA505) threat group to gain access to SysAid servers, steal data, and deploy Clop ransomware.

The threat group is well known for exploiting zero-day vulnerabilities. Before the latest campaign, the group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution, stole data, and attempted to extort more than 2,000 victims. Earlier this year, a zero-day vulnerability was exploited in another file transfer solution, Fortra’s GoAnywhere MFT, and before that in 2021, the group exploited a zero-day vulnerability in the Accellion FTA.

The SysAid vulnerability was identified on November 2, 2023, after it had been exploited. The vulnerability, tracked as CVE-2023-47246, was identified by Microsoft, which notified SysAid. The attacks detected by Microsoft were attributed to the Lace Tempest group.

CVE-2023-47246 is a path traversal vulnerability in SysAid’s on-premises software that can be exploited to execute unauthorized code. In one of the attacks, the threat actor exploited the flaw to upload a Web Application Resource (WAR) archive containing a webshell to the webroot of the SysAid Tomcat web service. The webshell allowed the threat actor to execute PowerShell scripts to load GraceWire malware into a legitimate process such as spoolsv.exe, msiexec.exe, or svchost.exe. The malware checks for Sophos security software, and if not present, will be used to deploy additional scripts. In one attack, a Cobalt Strike listener was deployed on compromised hosts. After exfiltrating sensitive data, Clop ransomware was deployed and executed.

Given the speed at which the group has exploited vulnerabilities in the past, immediate action is required to fix the flaw. SysAid has released a patch and all SysAid users are being strongly encouraged to update to version 23.3.36 or later as soon as possible to prevent exploitation. After upgrading to the latest version, servers should be checked for signs of compromise. SysAid has published a list of Indicators of Compromise (IoCs) in its recent report on the attacks exploiting the flaw. SysAid also recommends reviewing any credentials or other information that would have been available to someone with full access to the SysAid server an to check any relevant activity logs for suspicious behavior.

The post SysAid Zero-Day Vulnerability Exploited to Deploy Clop Ransomware appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, Office of the Director of National Intelligence, and partners have released guidance on software bill of materials (SBOM) generation and consumption, as part of ongoing efforts to better secure the software supply chain.

The guidance was developed by the Software Supply Chain Working Panel, which was established by the Enduring Security Framework (ESF) and is a collaborative partnership across private industry, academia, and government. The Working Panel has developed a three-part Recommended Practices Guide series, that covers best practices to help ensure a more secure software supply chain for developers, suppliers, and customer stakeholders.

The latest guidance is aimed at software developers and suppliers, and includes industry best practices and principles, including managing open source software and SBOM to maintain and provide awareness about the security of software.

Cyber actors are increasingly targeting the software supply chain and are searching for software vulnerabilities that can be exploited to allow them to attack all users of the software, such as the 2020 cyberattack on the SaaS provider SolarWinds. The attack is believed to have been conducted by the Russian state-sponsored hacking group Cozy Bear, which compromised the SolarWinds Orion IT performance and monitoring solution and added a backdoor. When a software update was rolled out to customers, so was the backdoor, resulting in the compromising of an estimated 18,000 systems. The hackers then conducted follow on activities on selected high value targets.

Cyber actors also take advantage of vulnerabilities in open source software and third-party components, such as the Log4Shell vulnerability in the Log4j logging tool, which is used by millions of computers worldwide. When a critical vulnerability was identified and patches were released, they could only be applied if it was known that Log4j was used. Because Log4j was a component of many different software solutions, the vulnerability went unaddressed as many users were unaware that they were vulnerable.

One of the ways that the security of the software supply chain can be improved is by having a complete SBOM that includes all software components and dependencies. The SBOM can be rapidly queried to determine if a vulnerable software component is used and steps can then be taken to address the problem. The latest guidance document is part of the ESF Software Supply Chain Working Panel’s second phase of guidance, which provides further details on the SBOMs that were recommended in the Phase 1 Recommended Practices Guides.

According to CISA, the guidance can be used as a basis for describing, assessing, and measuring security practices relative to the software lifecycle and the suggested practices can be applied across the acquisition, deployment, and operational phases of a software supply chain. The guidance includes recommendations in line with industry best practices and principles which software developers and software suppliers are encouraged to reference, and includes managing open source software and SBOMs to maintain and provide awareness about the security of software.

While the guidance provides recommendations for SBOM generation and consumption processes, implementing these recommendations will be a challenge for many organizations as it will require considerable investment and resources that many organizations currently lack.

The post CISA Issues Software Bill of Materials Guidance appeared first on HIPAA Journal.

A new report from Sophos on healthcare cybersecurity trends indicates data encryption occurred in 75% of ransomware attacks on healthcare organizations. Only 24% of surveyed healthcare organizations were able to detect an attack in progress and disrupt it before files were encrypted. Sophos says this is the highest rate of encryption and the lowest rate of disruption the company has seen in the past 3 years. Last year, healthcare organizations disrupted 34% of attacks before files were encrypted.

“To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyberattackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos.

Many ransomware gangs use double-extortion tactics, where files are encrypted after data exfiltration and a ransom must be paid to decrypt files and prevent the release of the stolen data. 37% of healthcare ransomware attacks involved these double extortion tactics – an increase from previous years. Ransomware attacks are continuing to grow in sophistication, threat actors are constantly changing and improving their tactics, and attack timelines are speeding up, giving network defenders less time to detect and block attacks. Sophos says the median time from the start of an attack to detection has now fallen to just 5 days. The majority of attacks are also scheduled to occur outside of office hours when staffing levels are lower. Only 10% of attacks were conducted during regular business hours.

The sophisticated nature of attacks has increased the time taken to recover. Only 47% of healthcare organizations were able to recover from a ransomware attack within a week, compared to 54% last year. Recently, the Department of Health and Human Services’ Office for Civil Rights said there has been a 278% increase in ransomware attacks on healthcare organizations over the past four years; however, Sophos’s data indicates there has been a slight reduction in attacks, from 66% of surveyed organizations in 2022 to 60% in 2023. There has also been a sizeable reduction in the number of healthcare organizations paying ransoms. Last year, 61% of healthcare organizations paid a ransom payment following an attack, with just 42% choosing to pay in 2023.

“The ransomware threat has simply become too complex for most companies to go at it alone. All organizations, especially those in healthcare, need to modernize their defensive approach to cybercrime, moving from being solely preventative to actively monitoring and investigating alerts 24/7 and securing outside help in the form of services like managed detection and response (MDR),” said Wisniewski.

Sophos recommends strengthening defenses by using security tools such as end-point protection solutions with strong anti-ransomware and anti-exploit capabilities, implementing zero trust network access to prevent the abuse of compromised credentials, using adaptive technologies that can respond automatically to attacks in progress to buy network defenders more time, and to implement 24/7 threat detection, investigation, and response, whether that is conducted in-house or by a specialized MDR provider.

It is also important to maintain good security hygiene, such as updating software and patching promptly, regularly reviewing security tool configurations, and regularly backing up, practicing recovering data from backups, and maintaining an up-to-date incident response plan.

The post Data Successfully Encrypted in 75% of Healthcare Ransomware Attacks appeared first on HIPAA Journal.

The Cyber Division of the Federal Bureau of Investigation (FBI) has issued a private industry notification that includes details of emerging techniques that are being used by ransomware gangs to gain initial access to victims’ networks. The FBI has identified several ransomware trends that are emerging or continuing and have been used in multiple attacks since July 2023 to gain initial access to networks. Several attacks have involved the exploitation of vulnerabilities in vendor-controlled remote access to casino servers, and companies have been victimized through legitimate system management tools to elevate network permissions.

The Silent Ransom Group (aka Lunar Moth) has been conducting phishing attacks using messages containing a phone number that must be called to prevent a pending charge to an account. This type of attack is known as callback phishing and has been popular with ransomware gangs since 2022. Since the emails contain no malicious content other than a phone number, the emails are not blocked by email security solutions and often reach their intended targets. To stop the pending account charge, the victim is required to download and install a legitimate system management tool, which is used by the threat actor to access their device. The threat actor can then access local files and shared drives and exfiltrate data. The victim is then extorted.

The FBI recommends all organizations implement the suggested mitigations to harden their defenses against these attacks. The key to defending against these attacks is preparation. Organizations should ensure they maintain offline backups of data, encrypt their backup data, and implement an incident response and recovery plan. Reviews should be conducted of the security posture of all third-party vendors, with priority given to those that have network access. The FBI recommends implementing listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy, and to document and monitor external remote connections.

Identity and access management controls are vital. All accounts that require passwords should comply with National Institute of Standards and Technology (NIST) password standards and phishing-resistant multifactor authentication should be implemented for webmail, virtual private networks, and accounts that access critical systems. Domain controllers, servers, workstations, and active directories should be reviewed for unrecognized accounts, user accounts should be audited, and time-based access should be set for accounts at the admin level and higher.

Protective controls and architecture should include the segmenting of networks, the identification, detection, and investigation of abnormal activity and potential traversal with a networking monitoring tool, antivirus tools capable of real-time detection of threats, and close monitoring of the use of remote desktop protocol (RDP).

It is important to ensure that all software, operating systems, and firmware are kept up to date, unused ports and protocols are disabled, command-line and scripting activities and permissions are disabled, devices are properly configured with security features enabled, and for Server Message Block (SMB) Protocol to be restricted. Controls should also be implemented to improve email security, such as adding a banner to all external emails and disabling hyperlinks in emails.

The post FBI Shares Intel on Emerging Initial Access Techniques Used by Ransomware Gangs appeared first on HIPAA Journal.