Healthcare Cybersecurity

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.

Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.

When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, disaster recovery plan, emergency management education and training program, and these must be evaluated annually.

The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:

  • Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
  • Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
  • Develop downtime plans, procedures, and resources and ensure they are regularly updated.
  • Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
  • Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
  • Establish situational awareness with effective communication throughout the organization and with patients and families.
  • Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.

“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”

The post Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack appeared first on HIPAA Journal.

Ransomware Groups are Accelerating Their Attacks with Dwell Time Falling to Just 5 Days

Ransomware groups have accelerated their attacks and are now spending less time inside victims’ networks before triggering file encryption, according to the 2023 Active Adversary Report from Sophos. The data for the report came from the first 6 months of 2023 and was gathered and analyzed by the Sophos X-Ops team.

The median dwell time for ransomware groups fell from 9 days to 5 days in the first half of 2023, which the researchers believe is close to the limit of what is possible for hackers. They do not expect the median dwell time to fall below 5 days due to the time it typically takes for the hackers to achieve their objectives. On average, it took 16 hours from initial access for attackers to gain access to Microsoft Active Directory and escalate privileges to allow broad access to internal systems. The majority of ransomware groups do not rely on encryption alone and also exfiltrate data so they can apply pressure to get victims to pay up. Oftentimes, backups of data exist so recovery is possible without paying the ransom, but if there is a threat of data exposure, ransoms are often paid. On average, it takes around 2 days for ransomware gangs to exfiltrate data.

The reduction in dwell time is understandable. The longer hackers remain in networks, the greater the probability that their presence will be detected, especially since intrusion detection systems are getting better at detecting intrusions and malicious activity. One of the ways ransomware groups have accelerated their attacks is by opting for intermittent encryption, where only parts of files are encrypted. The encryption process is far quicker, which means there is less time to detect and stop an attack in progress, but the encryption is still sufficient to prevent access to files.

Ransomware gangs often time their attacks to reduce the risk of detection. In 81% of attacks analyzed by the researchers, the encryption process was triggered outside normal business hours such as at the weekend or during holidays when staffing levels are lower. 43% of ransomware attacks were detected on a Friday or Saturday. While the dwell time for ransomware actors has reduced, there was a slight increase in the dwell time for non-ransomware incidents, which increased from an average of 11 days to 13 days in H1 2023.

In many cyberattacks, a vulnerability was exploited that allowed hackers to use a remote service for initial access, such as vulnerabilities in firewalls or VPN gateways. The exploitation of vulnerabilities in public-facing applications had been the leading root cause of attacks for some time, followed by external remote services; however, in H1 2023 the order was reversed and compromised credentials were the root cause in 50% of attacks, with vulnerability exploitation the root cause of 23% of attacks.

Compromised credentials make attacks easy for hackers especially when there is no multi-factor authentication. Implementing and enforcing phishing-resistant MFA should be a priority for all organizations, but the researchers found that in 39% of cases investigated, MFA was not configured. Prompt patching should also be a goal as this reduces the window of opportunity for hackers. The researchers suggest following CISA’s timeline for patching in its Binding Operational Directive 19-02 of 15 days for critical vulnerabilities and 30 days for high-severity vulnerabilities as it will force attackers into a narrower set of techniques by removing the low-hanging fruit.

Previous reports have highlighted the extent to which Remote Desktop Protocol (RDP) is abused. In H1 2023, RDP was used in 95% of attacks, up from 88% in 2022. In 77% of attacks involving RDP, the tool was used for internal access and lateral movement, up from 65% in 2022. Only 1% of attacks involved RDP for external access. Given the extent to which RDP is abused, securing RDP should be a priority for security teams. If attackers are forced to break MFA or import their own tools for lateral movement, they must expend more time and effort, which gives defenders more time to detect intrusions and increases the probability that malicious activity will be detected.


Know Your Adversary: HC3 Shares Details of Chinese APT Groups Targeting the Healthcare Sector

The healthcare industry is actively targeted by financially motivated cybercriminal gangs; however, state-sponsored hacking groups also seek access to healthcare networks and are actively targeting healthcare providers and other entities in the healthcare and public health sector.

In a recently published security advisory, the Health Sector Cybersecurity Coordination Center (HC3) provides a threat profile of some of the most capable Chinese hacking groups that are known to target U.S. healthcare organizations. While at least one Chinese state-sponsored hacking group is known to conduct cyberattacks for financial gain, most groups conduct attacks for espionage purposes and to obtain intellectual property (IP) of interest to the government of the People’s Republic of China, such as IP related to medical technology and medicine. For instance, Chinese hackers targeted pharmaceutical firms during the pandemic seeking COVID-19 vaccine research data.

One of the most active threat groups is known as APT41 (also BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, and Double Dragon). The group has been active since at least 2007 and is known to target U.S. healthcare organizations, most commonly with the goal of obtaining intellectual property to pass to the Chinese government, which operationalizes the technology to bring it to market. The group also engages in espionage and digital extortion and is known to conduct financially motivated cyberattacks, although those operations may be for personal gain rather than at the request of the Chinese government. APT41 aggressively exploits known vulnerabilities, often within hours of public disclosure, as was the case with the ProxyLogon and Log4j vulnerabilities. Once initial access has been gained, the group moves laterally within networks and establishes persistent access, often remaining in networks undetected for long periods while data of interest is exfiltrated. The group has an extensive arsenal of malware and uses well-known security tools in its attacks, such as a customized version of Cobalt Strike, Acunetix, Nmap, JexBoss, and Sqlmap.

APT10 (also known as Menupass Team, Stone Panda, Red Apollo, Cicada, CVNX, HOGFISH, and Cloud Hopper) engages in cyberespionage and cyberwarfare activities and has a focus on military and intelligence data. The group is known to leverage zero-day vulnerabilities to gain access to the networks of targets of interest and uses a variety of custom and public tools to achieve its aims. APT10 conducts highly targeted attacks, with initial access often achieved through spear phishing. The group is also known to target managed service providers (MSPs) in order to attack their downstream clients. The group often engages in living-off-the-land tactics, using tools already installed in victims’ environments.

APT18 (also known as Wekby, TA-428, TG-0416, Scandium, and Dynamite Panda) is a little-known APT group that is believed to work closely with the Chinese military and often targets human rights groups, governments, and a range of sectors, including pharmaceutical and biotechnology firms. The group is known to develop its own zero-day exploits, as well as adapt the exploits of others to meet its operational needs, and uses sophisticated malware such as Gh0st RAT, HTTPBrowser, pisloader, and PoisonIvy. APT18 is believed to be behind a 2014 attack on a healthcare provider in which the data of 4.5 million patients was stolen. The group is thought to have exploited the OpenSSL Heartbleed vulnerability to gain access to the network.

APT22 (also known as Barista, Group 46, and Suckfly) appears to be focused on targeting political entities and the healthcare sector, especially biomedical and pharmaceutical firms. The group is known to identify vulnerable public-facing web servers on victim networks and upload web shells, and uses complex malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM.

In addition to outlining some of the tactics, techniques, and procedures used by each group, HC3 has shared mitigations to improve security against the most commonly used infection vectors.


Digital Health Security Initiative Launched by the HHS

The U.S. Department of Health and Human Services’ Advanced Research Projects Agency for Health (ARPA-H) has announced the launch of the Digital Health Security (DIGIHEALS) project which seeks to improve the electronic infrastructure of the U.S. healthcare industry. ARPA-H is a funding agency that was created in 2022 to support biomedical and health research, specifically research that has the potential to advance aspects of medicine and health that cannot be achieved through more traditional research and commercial activity.

Over the past few years, cybercriminals have been targeting the healthcare sector and have been using ransomware to prevent access to critical systems and data. In many attacks, hospitals have been forced to divert ambulances, cancel appointments, and delay care. Many attacks have caused disruption for months and some attacks have resulted in the permanent closure of healthcare facilities.

“The DIGIHEALS project comes when the U.S. healthcare system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives,” said ARPA-H Director Dr. Renee Wegrzyn. “Currently, off-the-shelf software tools fall short in detecting emerging cyber threats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative.”

The project aims to reduce the ability of malicious actors to attack digital systems and prevent large-scale cyberattacks and will focus on cutting-edge security protocols, vulnerability detection, and automatic patching to address cybersecurity vulnerabilities and software-related weaknesses.

“By adapting and extending security, usability, and software assurance technologies, this digital health security effort will play a crucial role in addressing vulnerabilities in health systems,” said ARPA-H Program Manager Andrew Carney. “This project will also help us identify technical limitations of future technology deployments and contribute to the development of new innovations in digital security to better keep our health systems and patients’ information secure.”

Through a Broad Agency Announcement, the DIGIHEALS project is soliciting proposals for proven technologies developed for national security, which will be applied to civilian health systems, clinical care facilities, and personal health devices to ensure that in the event of a widespread cyberattack, patients will be able to continue to receive the care they need. Proposals should be submitted through the Scaling Health Applications Research for Everyone (SHARE) BAA. ARPA-H anticipates issuing multiple awards.


Largescale Phishing Campaign Targets Zimbra Collaboration Email Servers

Researchers at ESET have identified a largescale and ongoing phishing campaign targeting Zimbra Collaboration email servers at small- and medium-sized businesses and government agencies. The campaign has been active since at least April and is being conducted globally, with Poland, Ecuador, and Italy the most targeted countries. The campaign does not appear to be aimed at any specific vertical.

Targets are sent an email with an HTML attachment. The email warns the user about an email server update or another Zimbra issue, such as a security update. The From field indicates the email has been sent by an email server administrator. The user is told that they need to download the HTML attachment, which will have a URL pointing to a local file path. The HTML attachment includes the targeted organization’s logo, the organization’s name, and a fake login page, with the username prefilled. The user is only required to enter their password. If the password is entered, the credentials are transmitted by HTTPS POST request to an adversary-controlled server.

The ESET researchers observed waves of phishing emails being transmitted from some of the organizations targeted in the campaign which suggests the threat actor obtained administrator credentials and was able to set up new mailboxes on the server. The researchers suggest that in these cases, the same password may have been used for email and administration. While this email campaign is not particularly sophisticated, it has proven to be effective. Since the HTML attachments contain legitimate code and only one link pointing to a malicious host, which is contained in the HTML rather than the message body, the emails may not be detected as malicious and are likely to bypass antispam policies, especially since the targeted organizations are mostly small- to medium-sized businesses that are unlikely to have advanced email security defenses. ESET was unable to determine which threat actor is behind the campaign.
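As an added illustration (not ESET's or Zimbra's code), the following Python check looks for the attachment pattern described above: a login form with a prefilled username, a password field, and a form action that posts to a host outside the recipient organization's own domain. The organization domain, the sample HTML and the host names in it are constructed for the example.

```python
"""Triage check for HTML attachments that mimic a webmail login page.

Added example, not ESET's or Zimbra's code. It flags forms that combine a
password field, a prefilled non-password field (the "username already filled
in" trick) and an absolute action URL pointing outside the organization.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> with its action and the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "inputs": [...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (attrs.get("type") or "text").lower(),
                "name": attrs.get("name") or "",
                "value": attrs.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_external(host, org_domain):
    """True when host is set and is neither org_domain nor a subdomain of it."""
    if not host:
        return False           # relative action: no external host to post to
    return not (host == org_domain or host.endswith("." + org_domain))


def find_credential_harvesting_forms(html, org_domain):
    """Return one finding per form matching the phishing pattern."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        has_password = any(i["type"] == "password" for i in form["inputs"])
        prefilled = [i for i in form["inputs"]
                     if i["type"] not in ("password", "hidden", "submit") and i["value"]]
        target = urlparse(form["action"])
        host = target.hostname or ""
        if has_password and prefilled and _is_external(host, org_domain):
            findings.append({
                "action_host": host,
                "scheme": target.scheme,
                "prefilled_username": prefilled[0]["value"],
            })
    return findings


# Constructed sample attachment (not a real lure): organization branding,
# prefilled username, empty password field, action pointing elsewhere.
SAMPLE_ATTACHMENT = """
<html><body>
<img src="logo.png" alt="Example Clinic logo">
<h2>Example Clinic - Zimbra Web Client</h2>
<form method="post" action="https://mail-update.example.net/auth/login.php">
  <input type="text" name="username" value="jdoe@example-clinic.org">
  <input type="password" name="password" value="">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

# Constructed benign page: same layout, but it posts back to the organization.
SAMPLE_LEGIT = SAMPLE_ATTACHMENT.replace(
    "https://mail-update.example.net/auth/login.php",
    "https://mail.example-clinic.org/")

if __name__ == "__main__":
    for label, doc in (("attachment", SAMPLE_ATTACHMENT), ("legit", SAMPLE_LEGIT)):
        print(label, find_credential_harvesting_forms(doc, "example-clinic.org"))
```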


July 2023 Healthcare Data Breach Report

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe because of the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims has yet to be determined; however, Kon Briefing has been tracking the breach reports and reports that at least 734 organizations had the vulnerability exploited and that between 42.7 million and 47.6 million records were stolen. Clop did not encrypt data; it stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident | Hacking incident – External electronic storage facility used by a business associate |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 1,362,470 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (Maximus) |
| Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 1,313,636 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Pension Benefit Information, LLC | MN | Business Associate | 1,209,825 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Allegheny County | PA | Healthcare Provider | 689,686 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| United Healthcare Services, Inc. Single Affiliated Covered Entity | CT | Health Plan | 398,319 | Hacking/IT Incident | Hacking incident |
| Johns Hopkins Medicine | MD | Healthcare Provider | 310,405 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Harris County Hospital District d/b/a Harris Health System | TX | Healthcare Provider | 224,703 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Precision Anesthesia Billing LLC | FL | Business Associate | 209,200 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Fairfax Oral and Maxillofacial Surgery | VA | Healthcare Provider | 208,194 | Hacking/IT Incident | Hacking incident |
| The Chattanooga Heart Institute | TN | Healthcare Provider | 170,450 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| Phoenician Medical Center, Inc | AZ | Healthcare Provider | 162,500 | Hacking/IT Incident | Hacking incident – Data theft confirmed |
| UT Southwestern Medical Center | TX | Healthcare Provider | 98,437 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Hillsborough County, Florida (County Government) | FL | Healthcare Provider | 70,636 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Family Vision of Anderson, P.A. | SC | Healthcare Provider | 62,631 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| Jefferson County Health Center | IA | Healthcare Provider | 53,827 | Hacking/IT Incident | Hacking incident – Data theft confirmed (Karakurt threat group) |
| New England Life Care, Inc. | ME | Healthcare Provider | 51,854 | Hacking/IT Incident | Hacking incident |
| Care N’ Care Insurance Company, Inc. | TX | Health Plan | 33,032 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc) |
| Synergy Healthcare Services | GA | Business Associate | 25,772 | Hacking/IT Incident | Hacking incident |
| Rite Aid Corporation | PA | Healthcare Provider | 24,400 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Life Management Center of Northwest Florida, Inc. | FL | Healthcare Provider | 19,107 | Hacking/IT Incident | Hacking incident |
| Saint Francis Health System | OK | Healthcare Provider | 18,911 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Pennsylvania Department of Human Services | PA | Healthcare Provider | 16,390 | Unauthorized Access/Disclosure | Hacking incident – Unauthorized access to a system test website |
| The Vitality Group, LLC | IL | Business Associate | 15,569 | Hacking/IT Incident | Hacking incident – MOVEit Transfer data theft/extortion |
| Wake Family Eye Care | NC | Healthcare Provider | 14,264 | Hacking/IT Incident | Hacking incident – Ransomware attack |
| East Houston Med and Ped Clinic | TX | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure | Storage unit sold that contained boxes of patient records |

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearinghouse. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

| State | Breaches |
|---|---|
| Texas | 7 |
| Florida | 6 |
| California | 5 |
| Maryland, Pennsylvania & Tennessee | 4 |
| Arizona & North Carolina | 3 |
| Connecticut, Illinois & Minnesota | 2 |
| Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington | 1 |

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.


Mandiant: Malicious Actors’ Use of Generative AI Remains Limited

There is justifiable fear that malicious actors will leverage generative AI to facilitate their malicious activities; however, the adoption of generative AI by threat actors appears to be limited, certainly for intrusion operations. Mandiant reports that it has been tracking threat actor interest in generative AI, but its research and open-source accounts indicate generative AI is currently being used to a significant extent only for social engineering and misinformation campaigns.

Mandiant has found evidence indicating generative AI is being used to create convincing lures for phishing and business email compromise (BEC) attacks. Malicious actors can create text output reflecting natural human speech patterns for phishing lures and enhance the complexity of language in their existing operations. Threat actors have used generative AI to manipulate video and voice content in BEC scams and to manipulate images to defeat know-your-customer (KYC) requirements. Evidence has also been obtained indicating financially motivated threat actors are using the malicious WormGPT tool to create convincing phishing and BEC lures.

Mandiant has previously demonstrated how malicious actors can use AI-based tools to support their operations, such as for processing open-source information and stolen data for reconnaissance purposes. For example, state-sponsored intelligence services can use machine learning and data science tools on massive quantities of stolen and open-source data to improve data processing and analysis, increasing the speed and efficiency with which collected information is operationalized. In 2016, a system was demonstrated that could identify high-value targets from previous Twitter activity and generate convincing lures targeting individuals based on their past tweets. Mandiant has also found evidence indicating a North Korean cyber espionage actor (APT43) has an interest in large language models (LLMs) and is using LLM tools, although it has yet to be established why the LLMs are being used.

Currently, one of the most effective uses of generative AI is for information operations. AI tools help information operation actors with limited resources and capabilities produce higher quality content at scale, and the tools increase their ability to create content that may have a stronger persuasive effect on their targeted audiences than was previously possible. “We believe that AI-generated images and videos are most likely to be employed in the near term; and while we have not yet observed operations using LLMs, we anticipate that their potential applications could lead to their rapid adoption,” suggest the researchers.

While there is limited evidence of threat actors leveraging LLMs for creating new malware and improving existing malware, this is an area that is expected to see significant growth. Mandiant reports that several threat actors are advertising services on underground forums on how to bypass restrictions on LLMs to get them to assist with malware development.

“While we expect the adversary to make use of generative AI, and there are already adversaries doing so, adoption is still limited and primarily focused on social engineering,” John Hultquist, Chief Analyst, Mandiant Intelligence, Google Cloud told The HIPAA Journal. “There’s no doubt that criminals and state actors will find value in this technology, but many estimates of how this tool will be used are speculative and not grounded in observation.”

While threat actors are expected to increasingly use generative AI for offensive purposes, AI-based tools currently offer far more benefits to defenders. “AI has been around for a while, but this is the inflection point where the general public has taken notice. Like any technological innovation, we expect adversaries are going to find applications for these tools. However, there is far greater promise for defenders who have the ability to direct the development of it,” said Sandra Joyce, VP, Mandiant Intelligence, Google Cloud. “We still own the technology. There are going to be people who will use AI for ill intent, but that shouldn’t stop us from leapfrogging ahead to out-innovate the adversaries.”


Hackers Backdoor 1,900 Citrix NetScaler Devices

Hackers have been conducting a mass exploitation campaign targeting Citrix NetScalers to exploit a critical vulnerability tracked as CVE-2023-3519. The automated exploitation campaign compromises NetScalers and installs web shells to provide a persistent backdoor into systems. The web shell allows the threat actor to execute arbitrary commands on compromised systems, even when the patch is applied to fix the vulnerability.

The vulnerability affects Citrix Application Delivery Controller and Gateway appliances configured as gateway servers and was disclosed by Citrix on July 18, 2023. A patch was released to fix the vulnerability and Citrix warned at the time that there had been limited exploitation of the vulnerability in the wild, although no details were released about the extent of the exploitation. Since then, several security firms have reported cases of exploitation of the flaw.

Researchers at the cybersecurity company Fox-IT, part of NCC Group, in collaboration with the Dutch Institute for Vulnerability Disclosure (DIVD), have been trying to identify the compromised systems and alert the affected organizations. The researchers report that at the time of the exploitation campaign, 31,127 NetScalers were vulnerable to CVE-2023-3519, and that as of August 14, 2023, 1,900 NetScalers had been found to be compromised and backdoored. 1,248 of those NetScalers had since been patched, but the patch does not remove the web shell, so the attackers still had access to them.

The researchers have warned NetScaler administrators to check for Indicators of Compromise (IoCs) regardless of whether the vulnerability has been patched. The Fox-IT researchers have released a Python script that uses Dissect to perform triage on forensic images of NetScalers, and Mandiant has released a bash script that checks for IoCs on live systems.

If a web shell is detected, the researchers recommend making a forensic copy of the disk and the memory of the appliance before any remediation or investigative actions are taken, and then investigating whether the web shell has been used. Requests to the web shell should be visible in the NetScaler HTTP access logs. If there are indications that the web shell has been used, a wider investigation is required to determine whether the attackers moved laterally from the appliance and compromised other systems.
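The access-log check described above, as an added example; this is not Fox-IT's or Mandiant's tooling. It assumes that NetScaler's httpaccess.log uses the Apache combined layout and that the dropped web shells were PHP files served from the gateway's web-accessible directories; the directory list (SHELL_DIRS), the hypothetical known-good allowlist and the sample log lines are all constructed for this example, and the published IoC lists should be treated as the authoritative set of paths.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" layout, which is what the NetScaler HTTP access log is assumed
# to use here; the regex captures only the fields the triage needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: web-accessible directories in which post-exploitation web shells were
# reported to be dropped. Cross-check against the vendor and Fox-IT/Mandiant IoC lists.
SHELL_DIRS = ("/vpn/", "/logon/LogonPoint/")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["path"] = urlsplit(entry.pop("target")).path  # drop query string
    entry["status"] = int(entry["status"])
    return entry


def find_webshell_requests(lines, known_good=frozenset()):
    """Return entries for PHP requests under SHELL_DIRS that are not allowlisted.

    A 200 means the script existed and ran. A 404 means someone probed for a shell
    that was not (or no longer) there, which is still worth noting: attackers revisit
    appliances they backdoored earlier.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"]
        if (path.lower().endswith(".php")
                and path.startswith(SHELL_DIRS)
                and path not in known_good):
            hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Count hits per source address; shell traffic usually comes from a few sources."""
    return Counter(h["ip"] for h in hits)


# Constructed sample lines (not real logs): a normal login page load, a legitimate
# static resource, a POST to a dropped shell, a probe for a shell path that is missing,
# and a request outside the watched directories.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2023:10:02:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 4821
203.0.113.10 - - [21/Jul/2023:10:02:12 +0000] "GET /vpn/js/login_form.js HTTP/1.1" 200 9130
198.51.100.7 - - [21/Jul/2023:10:05:40 +0000] "POST /vpn/themes/a1b2c3d4.php HTTP/1.1" 200 312
198.51.100.7 - - [21/Jul/2023:10:05:41 +0000] "GET /logon/LogonPoint/uiareas/x.php?cmd=id HTTP/1.1" 404 196
203.0.113.22 - - [21/Jul/2023:10:09:03 +0000] "GET /nitro/v1/config/nsversion HTTP/1.1" 200 150
""".splitlines()


if __name__ == "__main__":
    hits = find_webshell_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize_by_ip(hits))
```

Run it against a copy of the access log taken from the forensic image rather than the live appliance, so the evidence is not altered, and feed every hit with a 200 into the wider lateral-movement investigation the researchers describe.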

The post Hackers Backdoor 1,900 Citrix NetScaler Devices appeared first on HIPAA Journal.

59% Year-over-year Increase in Exploitable Vulnerabilities in Medical Devices

A joint research project by Health-ISAC, Finite State, and Securin has found that the number of exploitable vulnerabilities in medical devices has increased by almost 60% since 2022. The researchers identified 993 vulnerabilities in 966 medical products that could be exploited by malicious actors to gain access to healthcare networks, a 59% year-over-year increase. 160 of those vulnerabilities have already been weaponized and a further 101 are trending in the wild; Advanced Persistent Threat (APT) actors are known to be actively exploiting 9 of them, and 7 are being actively exploited by ransomware gangs.

A recent study by Akamai found that cybercriminal groups, and ransomware gangs in particular, are increasingly exploiting vulnerabilities in software, firmware, and operating systems to gain initial access to networks. Threat actors are devoting resources to in-house research to find zero-day vulnerabilities in widely used software that can be mass exploited. The Clop threat group, for example, found a zero-day vulnerability in Fortra's GoAnywhere MFT solution and exploited it to access the sensitive data of dozens of organizations, and the zero-day vulnerability in Progress Software's MOVEit Transfer solution was used to attack at least 621 organizations worldwide. Threat actors are also purchasing exploits for known vulnerabilities and using them before organizations have had time to apply patches, or before vendors have released them.

The increase in high severity and critical vulnerabilities in the software and firmware of connected medical devices is a major cause of concern. The research project found a 437% year-over-year increase in remote code execution and privilege escalation vulnerabilities, which are especially attractive to hackers and particularly dangerous for healthcare organizations. “Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security,” said Larry Pesce, Director of Product Security Research and Analysis at Finite State. “The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety.”

The 2023 IBM Security Cost of a Data Breach Report found that healthcare data breaches now cost almost $11 million on average, but far more serious than the financial cost is the risk to patient safety. Hackers could alter patient data, resulting in a misdiagnosis or incorrect treatment; treatment is often delayed when cyberattacks take electronic medical record systems and other essential IT systems offline; and attacks often cause financial harm to patients through identity theft and fraud. There have also been multiple recent cases in which highly sensitive medical information, including intimate images of patients, has been leaked online, and threat actors have attempted to extort patients directly.

The report makes several recommendations for protecting against attacks that exploit vulnerabilities: maintain a regular penetration testing cadence; prioritize patching based on known risks rather than severity scores alone; incorporate binary analysis tools into the security strategy to generate a Software Bill of Materials (SBOM) and use the results to scope pen testing; and require all vendors to follow a secure-by-design methodology. The full report is titled 2023 State of Cybersecurity for Medical Devices and Healthcare Systems.
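One way to act on the "prioritize patching based on known risks" recommendation, written as an added example rather than anything from the report or its authors. It scores findings matched from a device's SBOM by the same evidence categories the report counts (weaponized, trending, used by APT groups, used by ransomware gangs, remote code execution or privilege escalation), uses CVSS only as a tie-breaker, and routes devices that have no vendor fix into a compensating-controls queue instead of a patch queue. The weights, the queue threshold, the device list and the EXAMPLE-nnnn identifiers are all constructed for illustration and are not real vulnerabilities or CVE numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability matched against a device's SBOM.

    Field names mirror the report's categories; the values used below are constructed.
    """
    vuln_id: str          # placeholder identifiers, not CVE numbers
    device: str
    component: str
    cvss: float
    vuln_class: str       # "rce", "privesc", "dos" or "info"
    weaponized: bool = False      # a working public exploit exists
    trending: bool = False        # exploitation attempts currently seen in the wild
    apt_use: bool = False         # known use by APT groups
    ransomware_use: bool = False  # known use by ransomware gangs
    patch_available: bool = True


def priority(f: Finding) -> float:
    """Score a finding so that evidence of real-world use outranks CVSS severity.

    The weights are an assumed, constructed scheme that illustrates the principle.
    """
    score = 0.0
    if f.ransomware_use or f.apt_use:
        score += 40
    if f.weaponized:
        score += 30
    if f.trending:
        score += 20
    if f.vuln_class in ("rce", "privesc"):
        score += 10
    return score + f.cvss  # CVSS only separates findings in the same evidence tier


def patch_plan(findings, immediate_threshold=50.0):
    """Split findings into three queues, each ordered by priority.

    immediate: exploited in the wild or weaponized, and a fix exists -> patch now.
    mitigate:  no vendor fix -> segment the device, restrict access, monitor it.
    scheduled: everything else -> next maintenance window.
    """
    plan = {"immediate": [], "mitigate": [], "scheduled": []}
    for f in sorted(findings, key=priority, reverse=True):
        if not f.patch_available:
            plan["mitigate"].append(f)
        elif priority(f) >= immediate_threshold:
            plan["immediate"].append(f)
        else:
            plan["scheduled"].append(f)
    return plan


# Constructed findings; the devices, components, scores and flags are illustrative only.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "infusion pump", "embedded web server", 9.8, "rce",
            weaponized=True, ransomware_use=True),
    Finding("EXAMPLE-0002", "patient monitor", "TLS library", 9.1, "rce"),
    Finding("EXAMPLE-0003", "imaging workstation", "legacy OS kernel", 7.5, "privesc",
            weaponized=True, trending=True, patch_available=False),
    Finding("EXAMPLE-0004", "infusion pump", "logging agent", 5.3, "info"),
    Finding("EXAMPLE-0005", "lab analyzer", "remote service daemon", 8.8, "rce",
            apt_use=True),
]


if __name__ == "__main__":
    for queue, items in patch_plan(SAMPLE_FINDINGS).items():
        print(queue)
        for f in items:
            print(f"  {priority(f):5.1f}  {f.vuln_id}  {f.device} / {f.component}")
```

Note that EXAMPLE-0002 scores 9.1 on CVSS yet lands in the scheduled queue, while EXAMPLE-0005 at 8.8 is patched first because of known APT use, and EXAMPLE-0003 goes to the mitigation queue regardless of its score because no patch exists, which is the common situation with legacy medical devices.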

The post 59% Year-over-year Increase in Exploitable Vulnerabilities in Medical Devices appeared first on HIPAA Journal.