Concern is growing about the use of generative artificial intelligence (AI) models for malicious purposes. Security researchers have demonstrated that generative AI can write code for polymorphic malware and create convincing lures for phishing emails and the the guardrails put in place to prevent generative IT tools such as ChatGPT from being used for malicious purposes can be easily circumvented. Further, alternative tools such as WormGPT and FraudGPT are available specifically for use by cybercriminals. What is largely unknown is to what extent cybercriminals are taking advantage of generative AI. Mandiant has found evidence to suggest that cybercriminals have been using generative AI, although only for limited purposes such as phishing, business email compromise (BEC) attacks, and image manipulation to defeat know-your-customer (KYC) requirements

AI and Social Engineering Experts Go Head-to-Head

Researchers at IBM Security’s X-Force Red team have shown how effective generative AI tools are at generating convincing phishing emails that appear to have been written by humans. So good were the emails that they decided to create a test that squared off AI against humans to see who was better at phishing.

Stephanie Carruthers, Chief People Hacker for IBM X-Force Red, said her team was able to circumvent the guardrails of ChatGPT and develop convincing phishing emails with five simple prompts. The campaign took just 5 minutes to create from start to finish, not including the time it would take to set up the infrastructure. The prompts her team used were concerned with identifying the top areas of concern for employees in the healthcare industry, determining the best social engineering techniques to use, identifying the individuals and companies that should be impersonated for the best results, and generating a phishing email template based on that information. Carruthers writes phishing emails for a living and said it would typically take her team around 16 hours to develop a phishing campaign. At just 5 minutes, ChatGPT saves phishers almost two days of work.

For the head-to-head test, a team of seasoned X-Force Red social engineers was tasked with creating a campaign. Through Open-Source Intelligence (OSINT) acquisition, the team identified the launch of an employee wellness program that would serve as an ideal lure, and the team got to work constructing their phishing email. The two emails were then compared through A/B testing and the results were measured by click rates and reporting rates.

Humans Still have the Edge but the Margins are Small

The good news is that humans still have the edge when it comes to phishing, achieving a click rate of 14% compared to 11% for the AI-generated emails. The AI-generated emails were also more likely to be reported as suspicious, with a reporting rate of 59% compared to 52% for the human-generated emails. The bad news is the margins were small. Seasoned phishers may be able to outperform AI, but the AI-generated emails had a perfectly acceptable click rate and reporting rate, plus the campaign only took 5 minutes to create rather than 16 hours.

The test showed humans still have the upper hand when it comes to social engineering because they are better than AI at emotional manipulation. “Humans understand emotions in ways that AI can only dream of. We can weave narratives that tug at the heartstrings and sound more realistic, making recipients more likely to click on a malicious link. For example, humans chose a legitimate example within the organization, while AI chose a broad topic, making the human-generated phish more believable,” explained Carruthers. The human emails also had greater personalization and used shorter and more succinct subject lines.

Carruthers said her team has not observed wide-scale use of generative AI in current campaigns but cybercriminal use of generative AI is increasing. AI is also improving and will reach parity and outperform humans at some point in the future. Carruthers offers five tips for preparing for AI-generated phishing emails: If in doubt, call the sender; don’t assume phishing emails will have poor grammar; revamp and improve social engineering programs to account for AI; strengthen identity and access management controls; and constantly adapt and innovate as that is what cybercriminals are doing.

“We have seen, as predicted, Generative AI being used to perfect the content distributed through phishing emails. The focus must remain on the impersonation aspect of phishing which renders the content irrelevant. We need to verify senders and embedded links which will eliminate the need to worry about how convincing the text might be,” Dror Liwer, co-founder of cybersecurity company Coro, told the HIPAA Journal.

While the bad guys can take advantage of AI, AI can also be leveraged to improve defenses, as Roger Grimes, data-driven defense evangelist at KnowBe4 explained. “KnowBe4 has been using AI-enabled technology for over 10 years. We know that our AI-enabled technology improves the educational experience for customers and decreases cybersecurity risk. It isn’t like AI is just being used by the bad guys. The good guys invented it and have been using it even longer. The question is how the increased use of AI by the good side ends up compared to the increase in AI used by the bad side? Who gets the bigger benefit? I wouldn’t absolutely bet that AI only benefits the attacker.”

Further information on AI-Augmented Phishing and the Threat to Healthcare

On October 26, 2023, The Health Sector Cybersecurity Coordination Center published a white paper outlining the risks to the healthcare and public health (HPH) sector from AI-augmented phishing and offers advice on countermeasures and mitigations that HPH organizations can implement to improve their defenses – HC3: White Paper: AI-Augmented Phishing and the Threat to the Health Sector

The post AI Can Save Phishers 2 Days Per Campaign appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) have collaborated and produced a cybersecurity toolkit for the U.S. healthcare and public health (HPH) sector.

The toolkit consolidates key resources such as CISA’s Cyber Hygiene Services, the HHS Health Industry Cybersecurity Practices, and the HHS and Health Sector Coordinating Council’s (HSCC) HPH Sector Cybersecurity Framework Implementation Guide. The toolkit includes resources, tools, training material, and information for HPH sector organizations at every level, from fundamental cybersecurity hygiene best practices to advanced and complex cybersecurity tools for strengthening security posture and keeping up to date on current and emerging threats.

The toolkit was released ahead of a roundtable discussion co-hosted by CISA and the HHS on the threats faced by the U.S. healthcare sector and to identify ways that the federal government and the healthcare industry can work together to close gaps in resources and cyber capabilities.

Cyberattacks on hospitals and health systems have increased significantly in the past few years, both in number and severity. “These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety. The more they happen, and the longer they last, the more expensive and dangerous they become,” said HHS Deputy Secretary, Andrea Palm. “HHS is working closely with CISA and our industry partners to deliver the tools, resources, and guidance needed to help healthcare organizations, especially our under-resourced hospitals and health centers, mount a strong cyber defense and protect patient lives.”

Healthcare organizations are heavily reliant on digital technologies, which are used to store and transmit healthcare data, carry out medical procedures, and monitor and communicate with patients. These technologies have massively increased the attack surface and exposed healthcare organizations to greater risk. The healthcare industry has to cope with many challenges and there are competing priorities for resources, which can make it hard to invest the necessary resources into cybersecurity.

CISA, the HHS, and the HSCC Cybersecurity Working Group have been working together over the past year to provide healthcare organizations with the necessary tools, resources, training, and information to help them identify and address vulnerabilities and security gaps before they are exploited by malicious actors and harden their defenses.

“Adversaries see healthcare and public health organizations as high value yet relatively easy targets – or what we call target rich, cyber poor.  Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary,” said CISA Deputy Director Nitin Natarajan. “We continue to work diligently with our partners at HHS and in the healthcare sector to secure our health organizations not only in the United States, but across the globe through our collaboration tools.”

The post CISA & HHS Release Healthcare Cybersecurity Toolkit appeared first on HIPAA Journal.

The Chattanooga Heart Institute in Texas has confirmed the protected health information of 411,383 individuals was compromised in a cyberattack that was discovered on April 17, 2023. On July 28, 2023, the Chattanooga Heart Institute notified the HHS’ Office for Civil Rights and the Maine attorney general about the cyberattack, which was thought to have involved the protected health information of 170,450 individuals. A supplemental breach notification has now been sent to the Maine Attorney General confirming the data breach was more extensive than the initial investigation suggested.

The investigation into the attack is ongoing, but it has now been confirmed that an unauthorized third party had access to its network between March 8 and March 16, 2023, and exfiltrated files containing patients’ protected health information. While its electronic medical record system remained secure, files were accessed and exfiltrated that contained information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, diagnoses, lab results, conditions, medications, account information, and other clinical, demographic and financial information.

The affected individuals have been offered complimentary credit monitoring services for 12 months and steps have been taken to improve security to prevent further attacks. While the notification letters do not mention the group behind the attack, the Karakurt threat group claimed responsibility.

NoEscape Ransomware Group Leaks Data from Attack on Mulkay Cardiology Consultants

The NoEscape ransomware group has leaked data allegedly stolen from Mulkay Cardiology Consultants in New Jersey. According to the listing, more than 60 GB of confidential and personal data was stolen in the attack, which includes the protected health information of 30,000 patients. The leaked data includes names, dates of birth, addresses, phone numbers, health insurance policy numbers, medical cards, medical records, access cards, driver’s licenses, Covid certificates, diagnostic data, and other confidential information. The listing includes sample images and 2.43 GB of downloadable data.

NoEscape is a relatively new ransomware group that first appeared in May 2023. The Health Sector Cybersecurity Coordination Center recently issued a NoEscape Analyst Note about the group that includes details of its tactics, techniques, and procedures, and best practices for hardening security. Mulkay Cardiology Consultants currently has no breach notice on its website and the attack is not yet showing on the HHS’ Office for Civil Rights breach portal.

The post The Chattanooga Heart Institute Doubles April 2023 Cyberattack Victim Count appeared first on HIPAA Journal.

U.S. plastic surgery offices are being targeted by cybercriminal groups that gain access to their networks, steal data, and attempt to extort the practices and their patients, according to a recent public service announcement from the U.S. Federal Bureau of Investigation (FBI).

There have been several attacks on plastic surgery providers in recent months. While ransomware may be used in these attacks, the primary purpose of the attacks is to steal sensitive patient data, which can include medical records and sensitive pre- and post-surgery photographs. Plastic surgery centers are issued with a ransom demand, payment of which is required to prevent the release of the stolen data. In some cases, sensitive patient data and images have been released online, and the threat actors have attempted to extort the patients directly. One attack on the Hollywood, CA-based plastic surgeon, Gary Motykie, M.D. in May 2023, required payment of a $2.5 million ransom to prevent the release of the stolen data. Some of the practice’s patients were contacted directly and told to pay to have their sensitive information unpublished.

According to the FBI, the threat actors use technology to hide their true phone numbers and email addresses and use phishing emails to distribute malware. The malware provides access to internal protected computers, allowing them to harvest sensitive data, including photographs. The threat actors have been observed enhancing the stolen data with information gathered from social media platforms, and have also used social engineering techniques to enhance the harvested ePHI data of plastic surgery patients. The enhanced data is used as leverage for extortion and for other fraud schemes. The threat actors contact plastic surgery surgeons and their patients via the telephone, email, SMS messages, and social media platforms. Sensitive ePHI is also shared with the patients’ friends, family, colleagues, and contacts, and public-facing websites are created to share the stolen data.

The FBI has shared tips on how to improve security and reduce the risk of falling victim to these attacks. These measures include reviewing the privacy settings of social media accounts and ideally making accounts private to limit what others can see and what can be posted by others on profiles. Care should be taken accepting friend requests, and audits should be conducted of friends to ensure they are all known individuals. Accounts should be configured to make friend lists visible only to known individuals. Strong, unique passwords and MFA should also be used for all accounts, especially email, financial, and social media accounts. A password manager is recommended for generating strong, unique passwords for accounts and storing them securely. Bank accounts and credit reports should also be routinely checked for suspicious activity.

While not mentioned in the announcement, plastic surgery offices should ensure that they follow cybersecurity best practices such as setting strong passwords and enabling multifactor authentication, and they should deploy endpoint detection solutions and robust anti-phishing controls.

The post FBI: Plastic Surgery Offices Targeted by Extortion Groups appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an update on AvosLocker ransomware, which includes known indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker ransomware variant.

AvosLocker is a relatively new ransomware-as-a-service operation that was first identified in July 2021. While the group is not as prominent as LockBit Clop, and ALPHV (BlackCat), AvosLocker ransomware affiliates have compromised organizations across multiple critical infrastructure sectors. The group engages in exfiltration-based extortion, requiring the payment of a ransom to prevent the release of stolen data and for the keys to decrypt files.

AvosLocker affiliates use legitimate software and open source tools during their ransomware operations. The group has been observed using Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent as backdoor access vectors, the open source networking tunneling tools Ligolo and Chisel, Cobalt Strike for command and control, PowerShell and batch (.bat) scripts for lateral movement, Lazagne and Mimikatz for credential harvesting, and FileZilla and Rclone for data exfiltration. The FBI has also observed affiliates using custom webshells to enable network access.

The cybersecurity advisory updates the joint advisory issued the FBI, CISA, and the Treasury’s Financial Crimes Enforcement Network (FinCEN) in March 2023 and includes a YARA rule that was created by the FBI for detecting a signature for a file identified as enabling malware – NetMonitor.exe. NetMonitor.exe masquerades as a legitimate process but functions like a reverse proxy to allow affiliates to connect to the tool from outside the victim’s network. Indicators of Compromise (IoCs) have also been shared that were obtained from investigations of attacks from January 2023 to March 2023, along with recommended mitigations to reduce the risk of compromise by AvosLocker ransomware.

The post CISA and FBI Update AvosLocker Ransomware Cybersecurity Advisory appeared first on HIPAA Journal.

Microsoft has issued a security alert warning that a Chinese Advanced Persistent Threat (APT) Group has been exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server products.

The vulnerability, CVE-2023-22515, is a critical privilege escalation vulnerability caused by broken access controls. The vulnerability has a maximum CVSS severity score of 10 and can be exploited by any device with a network connection to a vulnerable application. Successful exploitation of the vulnerability allows unauthorized individuals to create Confluence administrator accounts and access Confluence instances.

Atlassian issued a security advisory about the vulnerability on October 4, 2023, and released patches to fix the flaw. Fixed versions are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. The vulnerability does not affect Atlassian Cloud sites. Microsoft said it has observed the Chinese APT group Storm-0062 (aka DarkShadow/Oro0lxy) exploiting the flaw since September 14, 2023, and identified four malicious IP addresses sending exploit traffic: 192.69.90[.]31 104.128.89[.]92 23.105.208[.]154 199.193.127[.]231. The extent to which the vulnerability has been exploited has not been disclosed, although Atlassian said earlier this month that a handful of customers had been targeted.

Atlassian and Microsoft say urgent action is required to prevent the vulnerability from being exploited and warn that publicly accessible Confluence Data Center and Server instances are at critical risk. Customers should ensure they upgrade their instances to a fixed version and should conduct comprehensive threat detection. After updating their instances, customers should search for unexpected members of the confluence-administrators group, unexpected newly created user accounts, requests to /setup/*.action in network access logs, and look for the presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.

The post Atlassian Confluence Data Center and Server Vulnerability Actively Exploited by Chinese APT Actor appeared first on HIPAA Journal.

More than 700 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and 2022, and 2023 is on track to become the third successive year with 700+ large healthcare data breaches. Malicious actors continue to target healthcare organizations as they store large amounts of easily monetized data, which can be held to ransom or sold. Cyberattacks on healthcare organizations have financial and human costs. Healthcare organizations are having to pay millions in breach costs and the attacks often cause disruption to patient care, which increases the risk of complications, affects patient outcomes, and causes an increase in patient mortality rates.

A recent survey of 653 healthcare IT and security professionals has confirmed the impact of these attacks on healthcare organizations. The survey was conducted by the Ponemon Institute on behalf of the cybersecurity firm Proofpoint for its Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023 report. The survey confirmed the extent to which healthcare organizations are being attacked. 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months, with the attacks costing an average of $4.99 million per incident, which is a 13% increase from the previous year.

The four most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC), all of which were found to result in disruption to patient care. Two-thirds (66%) of organizations that experienced one or more of these common attacks said they disrupted patient care, 50% reported an increase in medical procedure complications, and 23% said the attacks increased patient mortality rates. The findings are similar to the previous year, indicating healthcare organizations have not made much progress in improving patient safety and well-being following cyberattacks.

Out of the four most common types of attacks, supply chain attacks were the most likely to negatively affect patient care. Supply chain attacks were experienced by 64% of surveyed organizations in the past 2 years and 77% of those organizations said the attacks caused disruption to patient care, up from 70% in 2022. All 653 surveyed organizations said they had experienced at least one incident that involved the loss or exfiltration of sensitive data in the past 2 years, and on average, 19 such incidents occurred at each organization. 43% of respondents said these incidents impacted patient care, 46% of those organizations experienced an increase in patient mortality rates, and 38% saw increased complications from medical procedures.

BEC attacks were most likely to result in poor outcomes due to delayed procedures (71%). BEC attacks also resulted in an increase in medical procedure complications (56%) and longer lengths of stay (55%). 59% of organizations that suffered a ransomware attack said it resulted in poorer outcomes due to delayed procedures, and 68% said a ransomware attack caused disruption to patient care.

Ransomware attacks have increased in 2023.  54% of surveyed organizations said they experienced an attack in the past 12 months, up from 41% in 2022; however, fewer healthcare organizations are paying ransoms to obtain the keys to decrypt files and/or prevent the release of stolen data. 40% of organizations that suffered a ransomware attack paid the ransom, compared to 51% in 2022. Threat actors have responded to the falling ransom payments by increasing their ransom demands. The average total cost for the highest ransom payment spiked 29% to $995,450 in 2023.

When healthcare IT professionals were asked about their biggest concerns about cyberattacks, cloud compromise (74%) was the biggest worry followed by supply chain attacks (63%), BEC (62%), and ransomware (48%). The two biggest cybersecurity challenges were both related to staffing. 58% of respondents said a lack of in-house cybersecurity expertise was keeping their organization’s cybersecurity posture from being fully effective, and 50% said insufficient staffing was a major challenge.

“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”

The post 66% of Healthcare Organizations Say Patient Care was Disrupted by a Cyberattack appeared first on HIPAA Journal.