The Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note about BlackSuit ransomware, a new ransomware group believed to pose a credible threat to the healthcare and public health (HPH) sector.

Security researchers have identified several similarities between BlackSuit ransomware and Royal ransomware, with the latter group having actively targeted the HPH sector like the Conti ransomware group that Royal is believed to have replaced. BlackSuit has already been used in at least one attack on the HPH sector in October this year, so it is fair to assume that BlackSuit will be used in further attacks on the sector. That attack was on a provider of medical scans and radiology services to more than 1,000 hospitals in 48 states.

Like many other ransomware operations, BlackSuit ransomware is used in double extortion attacks, where sensitive data is exfiltrated before file encryption and ransoms must be paid to prevent the release of the stolen data as well as to decrypt the encrypted files. So far, BlackSuit ransomware has only been used in a limited number of attacks; however, activity could be ramped up at any point.

BlackSuit ransomware is believed to be a private group rather than a ransomware-as-a-service operation, and the operation is thought to be run by individuals with experience in conducting ransomware attacks due to the links with Royal and Conti. Some cybersecurity researchers have suggested BlackSuit may be a rebrand of Royal ransomware, which conducted a major attack on a Texas city in May 2023 which attracted considerable media and law enforcement attention. BlackSuit first appeared shortly after that attack but Royal is still operational, although BlackSuit has not been extensively used to date so that conclusion has not been discounted.

Windows and Linux variants of BlackSuit have been detected, and like Royal ransomware, use OpenSSL’s AES for encryption. The ransomware uses intermittent encryption techniques, which are more efficient and allow files to be encrypted faster. Given the low number of detected attacks, it is difficult to tell which attack methods are favored by the group. The distribution methods that are most likely used are email attachments containing macros, embedding the ransomware in torrent files, malicious adverts (malvertising), and delivery via other malware variants such as Trojans, droppers, and downloaders, which are commonly distributed via compromised websites, fake software updates and phishing emails.

The HC3 Analyst Note details the MITRE ATT&CK techniques used by the group, Indicators of Compromise (IoCs), and recommended mitigations for hardening defenses. HC3 has also recommended reporting any suspected attacks to the local Federal Bureau of Investigation (FBI) field office and FBI Internet Crime Compliant Center (IC3).

The post BlackSuit Ransomware Poses a Credible Threat to the HPH Sector appeared first on HIPAA Journal.

Advanced cyberattacks on cloud environments often make headline news, but these attacks occur in small numbers. The majority of cyberattacks on cloud environments are conducted using well-known threat actor attack techniques such as using stolen credentials and exploiting security weaknesses such as misconfigurations. As such, the best defense against cloud intrusions is to focus on simple cloud security hygiene as this will raise the bar for attackers and will dramatically reduce the risk of a cloud compromise.

According to the recently published Q3, 2023 Google Cloud Threat Horizons Report, a majority of cloud compromises saw initial access gained by exploiting poor password practices. 54.3% of cloud compromises were due to weak or no passwords, with a large percentage of those attacks involving brute forcing default accounts, Secure Shell (SSH), and the Remote Desktop Protocol (RDP). 15.2% of attacks saw initial access gained as a result of misconfigurations, and the same percentage of attacks were due to sensitive UI or API exposure. 10.9% of attacks saw initial compromise achieved by exploiting vulnerable software.

The Google Cloud research and analysis team has identified persistent threat actor activity targeting cloud-hosted Software-as-a-Service (SaaS) systems. Organizations are increasingly using SaaS applications, which increases the attack surface considerably. According to the Thales 2023 Cloud Security Report, there was a 41% increase in the mean number of SaaS applications used by organizations between 2021 and 2023. 55% of surveyed security executives say they have experienced data breaches, leaks, malicious applications, ransomware, espionage, or insider attacks related to SaaS applications in the past 2 years, which indicates organizations are failing to adequately protect SaaS data. This is particularly worrying since SaaS data is the least likely data to be recovered in a ransomware attack.

There is a growing trend where malicious actors abuse public cloud services to host their command-and-control infrastructure, rather than using their own infrastructure or leasing it from other threat actors. The threat actors benefit from cheap, reliable infrastructure that is trusted by enterprises and consumers, and they can hide their activity by blending into high volumes of legitimate traffic. Threat actors have long abused Microsoft Azure, Amazon Web Service, and Dropbox but they may also be abusing Google Calandar. Proof-of-concept code has been published on GitHub for a Google Calendar Remote Access Trojan (RAT), and researchers at Mandiant note that the code has been actively shared on underground forums, indicating threat actors’ interest in the Google Calendar RAT. Since the malware communicates with legitimate infrastructure operated by Google, it is difficult for defenders to detect suspicious activity.

Typosquatting has long been used by threat actors in their campaigns. This tactic involves registering domains similar to the brand being targeted to catch out careless typists. Typosquatting is now being used in attacks on cloud storage platforms such as Google Cloud Storage, Amazon S3, and Azure Blob. A random sample of ten Fortune 100 companies found that 60% had one or more typosquatted cloud storage URLs.

The Q3, 2023 Google Cloud Threat Horizons Report includes a review of cloud services adoption in the healthcare industry and identifies some of the common security issues. An analysis of cloud security incidents between 2021-2023 found cloud services are increasingly being targeted in attacks on healthcare organizations and cloud services are being increasingly used as a platform for staging attacks. While the majority of these attacks were not new, the team found that the attacks are increasingly negatively affecting patient safety, such as by degrading healthcare organizations’ operational capacity, causing patients to be redirected to more distant facilities, and delaying diagnosis and treatment.

The attacks studied by Google and Mandiant revealed that most attacks on the healthcare industry are conducted by financially motivated threat actors who most commonly use stolen credentials for initial access, and to a lesser extent, phishing, third-party vulnerabilities, denial of service attacks, web exploits, and misconfigurations. By far the most common follow-on compromises were ransomware and data extortion attacks, where the attackers attempt to find and capture PHI for extortion purposes, with or without accompanying data encryption. Credentials and data are commonly extracted by targeting Outlook Web Access application and AWS resources such as S3. In the report, the Google Cloud team offers several mitigations that can reduce the risk of attacks on cloud services and prevent credential and session abuse, data exfiltration and extortion, ransomware and data destruction, web exploits, third-party software vulnerability exploitation, DoS attacks, malware delivery, and social engineering attacks.

“The healthcare sector is a prime target for cyber attackers. It is imperative that healthcare-driven organizations recognize that patient data and medical device vulnerabilities demand urgent attention and protection,” Taylor Lehmann, Director, Office of the CISO, Google Cloud told The HIPAA Journal. “Cybersecurity must be integrated into the core of healthcare operations to safeguard clinical and personal data, as well as patient safety. This requires a collective effort, where cooperation between healthcare providers, industry leaders, and government becomes the linchpin of defense against these relentless cyber adversaries.”

The post Malicious Actors Increasingly Targeting Cloud Services in Healthcare Cyberattacks appeared first on HIPAA Journal.

Ransomware groups stepped up their attacks in September according to data recently published by NCC Group. At least 514 ransomware attacks are known to have been conducted in September, which represents a 32% month-over-month increase in attacks.

Every month in 2023 has seen more attacks conducted than the corresponding month in 2022, with September’s attacks conducted in record numbers, even more than the 502 attacks in July and the March 2023 spike in activity, which included the Clop group’s mass exploitation of the zero-day vulnerability in Fortra’s GoAnywhere MFT solution. To add some perspective, September saw a 153% increase in attacks from September 2022. NCC Group had previously predicted that 2023 could end with more than 4,000 known ransomware/data leak-extortion attacks, but the high number of September attacks could see that total surpassed well before the end of the year.

While a small number of threat actors usually account for the vast majority of attacks, that was not the case in September. NCC Group reports a significant increase in the number of active ransomware groups, with several new groups conducting large numbers of attacks. There were 76% more active ransomware groups in September 2023 compared to September 2022, which suggests ransomware attacks continue to be profitable and are unlikely to reduce any time soon.

One of the main threat groups that typically features in the top 3 is Clop, and while the group has been highly active in 2023, it only conducted 3 known attacks in August and there were no known attacks in September. While it is not unusual to see a lull in activity, especially after such a major mass exploitation campaign, it is unlikely to last long. NCC Group expects the group to return with another mass exploitation campaign soon. Two notable new ransomware groups appeared in September that hit the ground running. LostTrust was behind 9% of the month’s attacks, and RansomedVC accounted for 10%.

RansomedVC, like 8base, claims to consist of penetration testers that only attack organizations that demonstrate a lack of attention to security. In addition to attacking organizations, RansomedVC threatens to report any vulnerabilities it exploits to data protection authorities in the EU as violations of the General Data Protection Regulation (GDPR) to pile pressure on victims to pay up.

As was the case in August, Industrials was the most targeted sector, accounting for 33% of all known attacks, followed by consumer cyclicals, and technology, with healthcare in fourth place. There was a significant increase in attacks on healthcare organizations in September, with 18 more attacks than the previous month – an increase of 86%. The most active ransomware groups in September were Lockbit 3.0, LostTrust, BlackCat, RansomedVC, and Cactus. Play, BianLian, Noescape, 8base, and Trigona rounded out the top 10. North America is still the most targeted region, where 50% of the attacks were conducted, followed by Europe (30%) and Asia (9%).

The increase in attacks shows the need for an international effort to target ransomware gangs, disrupt their operations and cut off their financing.  One potential solution is for countries to introduce bans on ransom payments, which the U.S. is pushing for. 40 countries attending the third annual International Counter Ransomware Initiative (CRI) in Washington this week have pledged to do just that, although a ban could spell disaster for companies that are unable to recover their data from backups.

The post September Saw Record Number of Ransomware Attacks appeared first on HIPAA Journal.

The 8Base hacking group has been active since March 2022 and while the group does not appear to actively target the healthcare sector, its indiscriminate attacks have included multiple healthcare organizations, with recent victims including the cosmetic and reconstructive plastic surgery practice of Eduardo G. Barrosso MD in October, and attacks on Kansas Medical Center, Stockdale Podiatry, Oregon Sports Medicine, Dental One Craigiebur, Redwood Lab Services, and ClearMedi Healthcare. The recent attacks on healthcare and public health (HPH) sector organizations have prompted the Health Sector Cybersecurity Coordination Center (HC3) to publish an analyst note about the group.

First and foremost, 8Base is a data extortion group although the group has also conducted ransomware attacks using multiple ransom stains. The primary purpose of the attacks is to steal sensitive data, which the group threatens to publish to extort money from victims. The group stepped up operations in May and June this year and was one of the top three data extortion and ransomware groups in July 2023. The group’s dark web data leak site currently lists more than 225 victims from late May to November 2023.

8base claims on its data leak site that they are honest penetration testers who only attack companies that have neglected the importance of employee and customer privacy. Despite having conducted many attacks, relatively little is known about the group such as whether it operates as a ransomware-as-a-service operation. The rapid scaling up of activity this year has led security researchers to believe that members of the group are experienced, and 8base may be the new name for a well-established, mature threat group. Similarities between the RansomHouse and Phobos groups have been identified. 8base is known to have used Phobos ransomware in some of its attacks.

The primary methods the group uses for access to victims’ networks are phishing, exploit kits, and drive-by downloads. Its victims spam a broad range of sectors and include law firms, accountants, manufacturers, scientific companies, construction firms, and healthcare organizations. While organizations in multiple countries have been attacked, the group appears to mostly focus on attacks in the United States, Brazil, and the United Kingdom.

While not appearing to actively target healthcare organizations, the group does pose a threat to the HPS sector. HC3 has shared MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) associated with the group, Indicators of Compromise (IOCs), and recommended defense measures and mitigations in its analyst note. “8Base may be new to the cyber threat landscape, but in its short existence, it has proven to be a formidable adversary. Any disruption to an organization’s operations can lead to severe consequences, especially to the HPH sector,” wrote HC3 in its analyst note. “Whether it is affiliated to or an off-shoot of other threat actors, 8Base’s focus on data exfiltration instead of file encryption highlights the need to prioritize cyber security best practices, and prevent unauthorized access to an organization’s systems and networks.”

The post HPH Sector Warned About 8Base Data Extortion Group appeared first on HIPAA Journal.

Forty counties have committed to sign a pledge never to pay money to digital extortionists such as ransomware gangs. In an October 31, 2023, press briefing ahead of the third annual International Counter Ransomware Initiative (CRI) in Washington D.C., Anne Neuberger, the White House Deputy National Security Adviser for Cyber and Emerging Technology confirmed the ongoing international efforts to combat the ransomware threat by eliminating the main source of funding for ransomware gangs.

According to the U.S. government, economic losses to ransomware attacks reached $20 billion in 2021, and annual losses are expected to increase to $71.5 billion by 2026, and 46% of all ransomware attacks are conducted on organizations in the United States. As the HHS’ Office for Civil Rights (OCR) recently announced, the healthcare industry has seen a 278% increase in ransomware attacks in the past 4 years. A recent study by Comparitech determined that there had been 539 ransomware attacks on healthcare organizations since 2016, including at least 66 attacks so far in 2023. Since 2016, Comparitech estimated these attacks have cost healthcare organizations more than $77.5 billion.

Ransomware and cyber extortion groups are based in safe havens and conduct attacks on organizations in other countries. These cyber threat actors are paid millions in cryptocurrencies in response to their criminal activities. While the Biden-Harris Administration has made concerted efforts to fight the scourge of ransomware, the U.S. alone cannot combat a threat that knows no borders. Combatting the ransomware threat requires cooperation on a global scale, and at the CGI summit, several initiatives will be discussed, but the single most important step is to stop financing ransomware gangs through ransom payments. “As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow,” said Neuberger.

Forty of the 48 countries attending the CRI summit have already agreed to pledge not to pay ransoms, and the U.S. is working on getting a commitment from the remaining countries to do likewise. What has yet to be established is how this pledge will work in practice, as many victims of ransomware attacks are unable to recover the data encrypted in ransomware attacks and have no option other than paying a ransom.

New initiatives are also being launched to prevent ransom payments to ransomware gangs through better information sharing about ransom payment accounts. Neuberger said one platform will be created by Lithuania and another will be jointly created by Israel and the UAE. The CRI also plans to create a blacklist of cryptocurrency wallets that are known to move ransom payments through the cryptocurrency ecosystem, which can be used to block and freeze transactions.

The post 40 Countries Pledge to Never Pay Ransomware Gangs appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new logging tool for simplifying log management. The ‘Logging Made Easy’ (LME) tool is available free of charge and is ideal for organizations with limited resources that are looking to strengthen security and reduce their log management burden.

CISA based its LME tool on technology developed by the United Kingdom’s National Cyber Security Centre (NCSC) which was decommissioned in March 2023. The technology is now being maintained by CISA and made available to a much wider audience. According to CISA, the LME is “a self-install tutorial for small organizations to gain a basic level of centralized security logging for Windows clients and provide functionality to detect attacks.” The version released by CISA includes pre-built elastic security detection rules to allow security teams to quickly respond to cyber incidents and can show users where administrative commands are being run on enrolled devices, who is using machines, and allows queries can be run based on published Tactics, Techniques, and Procedures (TTPs) to identify the presence of an attacker.

CISA describes the current release of the LME tool as a “homebrew way of gathering logs and querying for attacks,” that can be used by organizations that have previously used the service when the NCSC maintained it; however, new users can also download the tool and start using it to monitor logs for signs of unauthorized activity. CISA says the tool is still being developed and stresses that the LME is not a professional tool and should not be used as a Security Information and Event Management (SIEM) solution.

The tool is ideal for organizations that do not currently have an Information Security Operations Center (SOC) or a SIEM, that lack the necessary budget and resources to set up their own logging systems, and that recognize the importance of gathering and monitoring logs and are aware of the limitations of the tool. Additionally, the tool may be of use on small, isolated networks where current corporate monitoring tools do not reach.

The LME tool can be downloaded here, where an overview is also provided along with installation and usage instructions and guidance on logging. CISA said it will consider developing the tool in the future for use on other operating systems.

The post CISA Releases Log Management Tool for Organizations with Limited Cybersecurity Resources appeared first on HIPAA Journal.

Concern is growing about the use of generative artificial intelligence (AI) models for malicious purposes. Security researchers have demonstrated that generative AI can write code for polymorphic malware and create convincing lures for phishing emails and the the guardrails put in place to prevent generative IT tools such as ChatGPT from being used for malicious purposes can be easily circumvented. Further, alternative tools such as WormGPT and FraudGPT are available specifically for use by cybercriminals. What is largely unknown is to what extent cybercriminals are taking advantage of generative AI. Mandiant has found evidence to suggest that cybercriminals have been using generative AI, although only for limited purposes such as phishing, business email compromise (BEC) attacks, and image manipulation to defeat know-your-customer (KYC) requirements

AI and Social Engineering Experts Go Head-to-Head

Researchers at IBM Security’s X-Force Red team have shown how effective generative AI tools are at generating convincing phishing emails that appear to have been written by humans. So good were the emails that they decided to create a test that squared off AI against humans to see who was better at phishing.

Stephanie Carruthers, Chief People Hacker for IBM X-Force Red, said her team was able to circumvent the guardrails of ChatGPT and develop convincing phishing emails with five simple prompts. The campaign took just 5 minutes to create from start to finish, not including the time it would take to set up the infrastructure. The prompts her team used were concerned with identifying the top areas of concern for employees in the healthcare industry, determining the best social engineering techniques to use, identifying the individuals and companies that should be impersonated for the best results, and generating a phishing email template based on that information. Carruthers writes phishing emails for a living and said it would typically take her team around 16 hours to develop a phishing campaign. At just 5 minutes, ChatGPT saves phishers almost two days of work.

For the head-to-head test, a team of seasoned X-Force Red social engineers was tasked with creating a campaign. Through Open-Source Intelligence (OSINT) acquisition, the team identified the launch of an employee wellness program that would serve as an ideal lure, and the team got to work constructing their phishing email. The two emails were then compared through A/B testing and the results were measured by click rates and reporting rates.

Humans Still have the Edge but the Margins are Small

The good news is that humans still have the edge when it comes to phishing, achieving a click rate of 14% compared to 11% for the AI-generated emails. The AI-generated emails were also more likely to be reported as suspicious, with a reporting rate of 59% compared to 52% for the human-generated emails. The bad news is the margins were small. Seasoned phishers may be able to outperform AI, but the AI-generated emails had a perfectly acceptable click rate and reporting rate, plus the campaign only took 5 minutes to create rather than 16 hours.

The test showed humans still have the upper hand when it comes to social engineering because they are better than AI at emotional manipulation. “Humans understand emotions in ways that AI can only dream of. We can weave narratives that tug at the heartstrings and sound more realistic, making recipients more likely to click on a malicious link. For example, humans chose a legitimate example within the organization, while AI chose a broad topic, making the human-generated phish more believable,” explained Carruthers. The human emails also had greater personalization and used shorter and more succinct subject lines.

Carruthers said her team has not observed wide-scale use of generative AI in current campaigns but cybercriminal use of generative AI is increasing. AI is also improving and will reach parity and outperform humans at some point in the future. Carruthers offers five tips for preparing for AI-generated phishing emails: If in doubt, call the sender; don’t assume phishing emails will have poor grammar; revamp and improve social engineering programs to account for AI; strengthen identity and access management controls; and constantly adapt and innovate as that is what cybercriminals are doing.

“We have seen, as predicted, Generative AI being used to perfect the content distributed through phishing emails. The focus must remain on the impersonation aspect of phishing which renders the content irrelevant. We need to verify senders and embedded links which will eliminate the need to worry about how convincing the text might be,” Dror Liwer, co-founder of cybersecurity company Coro, told the HIPAA Journal.

While the bad guys can take advantage of AI, AI can also be leveraged to improve defenses, as Roger Grimes, data-driven defense evangelist at KnowBe4 explained. “KnowBe4 has been using AI-enabled technology for over 10 years. We know that our AI-enabled technology improves the educational experience for customers and decreases cybersecurity risk. It isn’t like AI is just being used by the bad guys. The good guys invented it and have been using it even longer. The question is how the increased use of AI by the good side ends up compared to the increase in AI used by the bad side? Who gets the bigger benefit? I wouldn’t absolutely bet that AI only benefits the attacker.”

Further information on AI-Augmented Phishing and the Threat to Healthcare

On October 26, 2023, The Health Sector Cybersecurity Coordination Center published a white paper outlining the risks to the healthcare and public health (HPH) sector from AI-augmented phishing and offers advice on countermeasures and mitigations that HPH organizations can implement to improve their defenses – HC3: White Paper: AI-Augmented Phishing and the Threat to the Health Sector

The post AI Can Save Phishers 2 Days Per Campaign appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) have collaborated and produced a cybersecurity toolkit for the U.S. healthcare and public health (HPH) sector.

The toolkit consolidates key resources such as CISA’s Cyber Hygiene Services, the HHS Health Industry Cybersecurity Practices, and the HHS and Health Sector Coordinating Council’s (HSCC) HPH Sector Cybersecurity Framework Implementation Guide. The toolkit includes resources, tools, training material, and information for HPH sector organizations at every level, from fundamental cybersecurity hygiene best practices to advanced and complex cybersecurity tools for strengthening security posture and keeping up to date on current and emerging threats.

The toolkit was released ahead of a roundtable discussion co-hosted by CISA and the HHS on the threats faced by the U.S. healthcare sector and to identify ways that the federal government and the healthcare industry can work together to close gaps in resources and cyber capabilities.

Cyberattacks on hospitals and health systems have increased significantly in the past few years, both in number and severity. “These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety. The more they happen, and the longer they last, the more expensive and dangerous they become,” said HHS Deputy Secretary, Andrea Palm. “HHS is working closely with CISA and our industry partners to deliver the tools, resources, and guidance needed to help healthcare organizations, especially our under-resourced hospitals and health centers, mount a strong cyber defense and protect patient lives.”

Healthcare organizations are heavily reliant on digital technologies, which are used to store and transmit healthcare data, carry out medical procedures, and monitor and communicate with patients. These technologies have massively increased the attack surface and exposed healthcare organizations to greater risk. The healthcare industry has to cope with many challenges and there are competing priorities for resources, which can make it hard to invest the necessary resources into cybersecurity.

CISA, the HHS, and the HSCC Cybersecurity Working Group have been working together over the past year to provide healthcare organizations with the necessary tools, resources, training, and information to help them identify and address vulnerabilities and security gaps before they are exploited by malicious actors and harden their defenses.

“Adversaries see healthcare and public health organizations as high value yet relatively easy targets – or what we call target rich, cyber poor.  Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary,” said CISA Deputy Director Nitin Natarajan. “We continue to work diligently with our partners at HHS and in the healthcare sector to secure our health organizations not only in the United States, but across the globe through our collaboration tools.”

The post CISA & HHS Release Healthcare Cybersecurity Toolkit appeared first on HIPAA Journal.