Healthcare Cybersecurity

Generative AI Tool Without Ethical Restrictions Offered on Hacking Forums

Generative AI tools such as ChatGPT and Google Bard have restrictions in place to prevent abuse by malicious actors; however, security researchers have demonstrated these control measures can be bypassed and there is considerable chatter on hacking forums about how the ethics filters of tools such as ChatGPT can be circumvented to get the AI tools to write phishing emails and malware code. While inputs can be crafted to generate malicious outputs, there is now a much easier way to use generative AI for malicious purposes.

Research conducted by SlashNext has uncovered an alternative AI tool that is being offered on hacking forums. The tool, WormGPT, has no restrictions in place and can easily be used by malicious actors to craft convincing phishing emails and business email compromise (BEC) attacks. The tool is billed as a blackhat alternative to ChatGPT which has been specifically trained to provide malicious output.

Without the restrictions of ChatGPT and Bard, users are free to craft phishing emails and BEC scams with convincing lures and perfect grammar. The emails created using this tool can be easily customized to tailor attacks to specific organizations and emails can be crafted with little effort or technical skill and there is no language barrier, allowing attacks to be conducted by virtually anyone at speed and scale.

WormGPT is based on the GPT-J language model and includes an impressive range of features, such as chat memory retention, unlimited character support, and code formatting capabilities. The developers claim to have trained the algorithm on a diverse array of data sources and concentrated on malware-related data. SlashNext researchers put the tool to the test and instructed it to generate an email to pressure an account manager into paying a fraudulent invoice. “The results were unsettling,” wrote the researchers. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

Researchers have demonstrated that AI-based tools are far better than humans at creating phishing and other scam emails, and that those emails have a high success rate. It is therefore vital for organizations to take steps to improve their defenses against AI-enabled attacks. This week, the Health Sector Cybersecurity Coordination Center (HC3) published a brief explaining the benefits of AI and how easily the technology can be abused by malicious actors, and providing recommendations for healthcare organizations to improve their defenses against AI-enabled attacks. SlashNext recommends developing extensive training programs for cybersecurity personnel on how to detect and block AI-enabled attacks and educating all employees on phishing and BEC threats. While detecting AI-generated malicious emails can be difficult even for advanced security solutions, flagging emails that originate from outside the organization will alert employees to potential threats. SlashNext also recommends flagging emails that contain specific keywords often used in phishing and BEC attacks.
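The two mail-flow controls recommended above (tagging mail from outside the organization and tagging mail that carries wording typical of invoice and payment fraud) are simple enough to show end to end. The following is an added example and not code from SlashNext, HC3 or HIPAA Journal; the organization domain, the keyword list and the two sample messages are constructed for this illustration.

```python
"""Flag inbound mail that originates outside the organization or that carries
wording typical of BEC / invoice-fraud lures, and prefix the Subject so the
recipient sees the warning in their mail client.

Added illustration: INTERNAL_DOMAIN, BEC_KEYWORDS and the sample messages are
constructed here and are not from SlashNext or HC3.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-health.org"   # assumed organization domain
BEC_KEYWORDS = (                          # assumed keyword list, lower-case
    "wire transfer", "urgent", "invoice", "payment details",
    "change of bank", "gift card", "confidential",
)


def sender_is_external(msg, internal_domain=INTERNAL_DOMAIN):
    """True when the From: address is not in the organization's own domain."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain != internal_domain.lower()


def matched_keywords(msg, keywords=BEC_KEYWORDS):
    """Return the keywords found in the Subject and text body (case-insensitive)."""
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    return [k for k in keywords if k in text]


def analyze(raw_message):
    """Return the verdict for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    external = sender_is_external(msg)
    keywords = matched_keywords(msg)
    tags = []
    if external:
        tags.append("[EXTERNAL]")
    if keywords:
        tags.append("[PAYMENT-REQUEST]")
    return {
        "external": external,
        "keywords": keywords,
        "subject": " ".join(tags + [msg.get("Subject", "")]).strip(),
    }


# Constructed sample messages: a look-alike domain pressing for a payment, and
# an ordinary internal message that should pass through untouched.
SAMPLE_BEC = (
    "From: CFO <ceo@examp1e-health.org>\n"
    "To: ap@example-health.org\n"
    "Subject: Urgent invoice\n"
    "\n"
    "Please process the wire transfer today. Payment details attached.\n"
)
SAMPLE_INTERNAL = (
    "From: Alice <alice@example-health.org>\n"
    "To: bob@example-health.org\n"
    "Subject: Lunch\n"
    "\n"
    "Pizza at noon?\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_INTERNAL):
        print(analyze(raw))
```

Keyword matching on its own produces false positives on a finance team's legitimate traffic, so the external-sender tag is the more reliable of the two signals; the keyword tag is best treated as a prompt to look twice rather than as a block decision.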

The post Generative AI Tool Without Ethical Restrictions Offered on Hacking Forums appeared first on HIPAA Journal.

BD Warns of Vulnerabilities in its Alaris Guardrails Suite MX Infusion Pumps

Becton, Dickinson, and Co. and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories about 8 recently identified vulnerabilities in BD Alaris Guardrails Suite MX, which could be exploited by malicious actors to gain access to sensitive data and impact the availability of devices. The flaws were identified by BD during routine internal security testing and were shared with CISA, the FDA, and Information Sharing and Analysis Organizations (ISAOs) under its responsible disclosure policy. BD performed risk assessments and determined that while there is a potential safety impact, the risks associated with all 8 of the vulnerabilities can be effectively mitigated by implementing the recommended control measures.

The 8 vulnerabilities affect the BD Alaris System v12.1.3 and earlier versions and include 1 high-severity, 5 medium-severity, and 2 low-severity vulnerabilities. BD said no evidence has been found to indicate any of the vulnerabilities have been exploited to date; however, the vulnerabilities have low attack complexity, so the recommended steps should be taken to reduce the risk of exploitation.

The most serious vulnerability – CVE-2023-30563 (CVSS 8.2) – is a cross-site scripting issue due to improper neutralization of input during web page generation. A malicious actor could exploit the flaw to upload a malicious file to the BD Alaris Systems Manager user import function and hijack a session.

CVE-2023-30564 (CVSS 6.9) is a cross-site scripting vulnerability due to the failure of the Alaris Systems Manager to perform input validation during the device import function. It could be exploited to load a malicious payload and therefore has an impact beyond Systems Manager; however, an attacker would need to be on an adjacent network to exploit the vulnerability.
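Both flaws above are the same class of defect: imported records are rendered into a web page without neutralizing them (and, in the second case, without validating them on import). The following added example shows that class in miniature with a string-formatting renderer beside an escaping one and a whitelist check on import; it is not BD's code and does not reproduce the Alaris Systems Manager import functions. The field names, the allowed-username pattern and the sample record are assumptions made for the illustration.

```python
"""Rendering imported user records into HTML: a version that interpolates the
fields unescaped (the CWE-79 pattern) beside a version that validates on import
and escapes on output.

Added illustration; not BD's code. Field names, the username whitelist and the
sample record are constructed for this example.
"""
import html
import re

# Constructed import row: the display name carries a script tag.
IMPORTED_USER = {"username": "jdoe",
                 "display_name": "<script>alert(1)</script>Doe, J."}

USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # assumed allowed form


def validate_username(username):
    """Input validation on import: reject anything outside the allowed alphabet."""
    return bool(USERNAME_RE.fullmatch(username))


def render_user_row_vulnerable(user):
    """Interpolates attacker-controlled fields straight into markup."""
    return "<tr><td>{username}</td><td>{display_name}</td></tr>".format(**user)


def render_user_row(user):
    """Escapes every field before it reaches the page, so the same input is inert."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(user["username"], quote=True),
        html.escape(user["display_name"], quote=True),
    )


def contains_active_markup(fragment):
    """Crude check used only to show the difference: a raw '<script' survives."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_user_row_vulnerable(IMPORTED_USER))
    print(render_user_row(IMPORTED_USER))
    print(validate_username("jdoe"), validate_username("<b>jdoe</b>"))
```

Escaping at the point of output is the control that actually removes the cross-site scripting condition; the import-time whitelist is defense in depth for fields that have a natural fixed alphabet, and it does not replace output encoding for free-text fields such as a display name.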

CVE-2023-30560 (CVSS 6.8) is due to a lack of authentication for PCU configuration, which has a high impact on confidentiality, integrity, and availability; however, exploitation is only possible with physical access to the BD Alaris PCU. Successful exploitation would allow the configuration to be modified without authentication.

CVE-2023-30562 (CVSS 6.7) is due to a lack of dataset integrity checking and allows a GRE dataset file within Systems Manager to be tampered with and distributed to PCUs. An attacker would need to be on an adjacent network to exploit the flaw and would need generalized permissions.

CVE-2023-30561 (CVSS 6.1) is due to a lack of cryptographic security of IUI Bus. A threat actor with physical access could potentially read and modify data if a specifically crafted device was attached during infusion.

CVE-2023-30559 (CVSS 5.2) is due to the wireless card firmware being improperly signed, which allows the card to be modified. The flaw could only be exploited with physical access to the BD Alaris PCU.

The two low-severity flaws are a CQI data sniffing issue – CVE-2023-30565 (CVSS 3.5) – that could expose infusion data, and a lack of input validation within Apache Log4Net Calculation Services – CVE-2018-1285 (CVSS 3.0) – which could be exploited to execute malicious commands.
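Two of the findings above come down to the same missing control: a dataset distributed to the PCUs is not integrity-checked (CVE-2023-30562) and the wireless card firmware is not properly signed (CVE-2023-30559). The following added example shows the minimum such a check involves: a keyed tag computed over the file before distribution and verified in constant time before the file is applied. It is not BD's format or code; the tag construction (HMAC-SHA256), the key and the dataset bytes are constructed for the illustration.

```python
"""Seal a configuration dataset with an integrity tag before distribution and
refuse to apply it if the tag does not verify.

Added illustration using HMAC-SHA256; not BD's format. KEY and DATASET are
constructed for this example.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def seal_dataset(key: bytes, dataset: bytes) -> bytes:
    """Return dataset || HMAC-SHA256(key, dataset)."""
    return dataset + hmac.new(key, dataset, hashlib.sha256).digest()


def open_dataset(key: bytes, sealed: bytes) -> bytes:
    """Return the dataset if its tag verifies; raise ValueError otherwise."""
    if len(sealed) < TAG_LEN:
        raise ValueError("sealed blob too short to carry a tag")
    dataset, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, dataset, hashlib.sha256).digest()
    # compare_digest avoids leaking where the first mismatching byte is
    if not hmac.compare_digest(tag, expected):
        raise ValueError("dataset integrity check failed")
    return dataset


def verify_ok(key: bytes, sealed: bytes) -> bool:
    """Boolean wrapper so callers can gate 'apply' on the result."""
    try:
        open_dataset(key, sealed)
        return True
    except ValueError:
        return False


# Constructed values: a real deployment would draw the key from a key store.
KEY = bytes(range(32))
DATASET = b"drug=heparin;max_rate=25;units=U/h\n"


def demo():
    """Seal the dataset, then tamper with a limit field and re-verify both."""
    sealed = seal_dataset(KEY, DATASET)
    tampered = sealed.replace(b"max_rate=25", b"max_rate=99")
    return verify_ok(KEY, sealed), verify_ok(KEY, tampered)


if __name__ == "__main__":
    print(demo())
```

An HMAC is symmetric: every device that verifies the tag also holds the key needed to forge one, so a device that is itself compromised can produce valid-looking datasets. Where the verifier is a fleet of field devices, a digital signature (private key on the build or distribution system, public key on the devices) gives the same tamper detection without that weakness, which is also the property the firmware-signing finding is about.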

BD has suggested several mitigating and compensating controls in its alert to reduce the potential for exploitation to a low and acceptable level.


HC3 Shares Tips for Defending Against AI-Enhanced Cyberattacks

Generative Artificial Intelligence (AI) tools such as ChatGPT can be used as virtual assistants, for customer support, quickly retrieving and summarizing information, and automating repetitive administrative tasks. As such they have tremendous potential in many industries, including healthcare. While there are considerable advantages to AI-based tools, they can also be misused by malicious actors, and there is growing evidence that cyber actors are using these tools to speed up and scale their attacks.

This week, the HHS Health Sector Cybersecurity Coordination Center (HC3) published a brief on AI, the threat AI-powered tools pose to the health sector, and mitigations healthcare organizations can implement to ensure their security strategies evolve to deal with AI-based threats. Tools such as ChatGPT have controls in place to prevent abuse by malicious actors; however, it is possible to circumvent those protections with ease. Artificial Intelligence tools are already being used by malicious actors to accelerate malware and ransomware development and create more complex code that is capable of evading security solutions. AI tools are being used to automate attacks, exploit unpatched vulnerabilities more rapidly, perform deeper reconnaissance of targets, and develop hard-to-detect phishing emails and impersonation attacks.

HC3 demonstrated the ease with which tools such as ChatGPT can be leveraged by malicious actors by creating phishing email templates with perfect spelling and grammar along with convincing lures to trick recipients into opening malicious attachments or clicking hyperlinks to malicious web pages. The emails can easily be customized for highly targeted attacks, and customization can be automated for conducting attacks at scale.

Threat actors can also use ChatGPT to write valid malware code. HC3 provides an example of how HYAS created malware code based on leaked BlackMamba code to create malware that is able to repeatedly mutate to evade security solutions. The researchers posed as legitimate security researchers to get around OpenAI’s ethics filters to create the code. AI-based tools such as ChatGPT can be used by threat actors with little technical skill to create malware, opening up attacks to a much broader range of cybercriminals while helping sophisticated cybercriminals automate the creation of different parts of the infection chain.

Defending against the malicious use of artificial intelligence tools can be a challenge for healthcare organizations. HC3 recommends using the Artificial Intelligence Risk Management Framework from the National Institute of Standards and Technology (NIST) and the MITRE ATLAS knowledge base of adversary tactics, techniques, and case studies for machine learning (ML) systems; adopting AI-based tools for defense, including penetration testing, threat detection, threat analysis, and incident response; and providing AI training for cybersecurity personnel. It may not be possible to prevent the malicious use of AI by cyber threat actors, but AI-educated users and AI-enhanced systems will be much more adept at detecting AI-enhanced threats.


CISA Publishes Factsheet to Help Businesses Securely Transition to Cloud Environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that healthcare organizations can use to guide them through the transition from on-premises to cloud and hybrid environments. The fact sheet provides information on the digital tools that can be used to ensure that critical assets are secured and sensitive data is safeguarded. The fact sheet – Free Tools for Cloud Environments – lists open source tools and methods for identifying, detecting, and mitigating threats, vulnerabilities, and anomalies in both cloud and hybrid environments.

Healthcare organizations are actively targeted by cyber threat actors and attacks on cloud-based resources and services are increasing. Cyber threat actors take advantage of organizations that do not possess the proper resources for defending against cyber threats. Successful attacks on poorly defended cloud resources allow threat actors to steal sensitive data and conduct encryption and extortion attacks.

Cloud service platforms and cloud service providers (CSPs) offer a range of security features to help customers protect their assets when operating in cloud environments. These features should be combined with third-party tools, which can help to strengthen security and plug any security gaps, especially for hybrid cloud environments where the responsibility for securing assets is shared by organizations and their CSPs.

CISA recommends creating a design phase that incorporates secure-by-design concepts and strategies and identifies the required security solutions that meet the organization’s needs. There are several free-to-use security solutions and open source tools that can help network defenders identify and detect threats, assess security posture, and map threat actor behavior to the MITRE ATT&CK framework. The factsheet details several PowerShell tools that network defenders and incident responders can use, including Memory Forensic on Cloud from the JPCERT Cybersecurity Center, CSET’s Cybersecurity Evaluation Tool, and CISA’s SCuBAGear, Decider, and Untitled Goose Tool.

These tools can be used to evaluate cybersecurity posture, compare configurations against M365 baseline recommendations, detect malicious activity in Microsoft cloud environments, generate MITRE ATT&CK mapping reports, and build memory forensic environments on AWS. While these tools are not all-encompassing nor endorsed by CISA, they can help healthcare organizations significantly improve their security posture as they transition to the cloud.


HIPAA Compliance Guidelines

We have compiled these HIPAA Compliance Guidelines because HIPAA rules and regulations can be very confusing for healthcare professionals tasked with ensuring HIPAA compliance at their organization.


HIPAA Guidelines: Seven Elements For Effective Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2023. Here is a summary of the elements, which we outline in more detail below:

  1. Develop policies and procedures so that day-to-day activities comply with the Privacy Rule.
  2. Designate a Privacy Officer and a Security Officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations, and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

You can also read more about the background and history of the Seven Elements here, although this is not necessary.

Next, we go over each element in more detail.

Element 1: Why Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered Entities should ensure Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Element 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Element 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

Security Rule training must be even more focused on the consequences of taking shortcuts, circumventing safeguards, and failing to alert managers of a data breach for fear of “getting into trouble”. One way of achieving this is to ask members of the workforce to run personal online credentials through the Have I Been Pwned (HIBP) database to illustrate the importance of unique, complex passwords.
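The reason the HIBP exercise can be run safely in a training session is the k-anonymity design of its Pwned Passwords lookup: the password is hashed locally, only the first five hex characters of the SHA-1 hash are sent to the service, and the returned list of hash suffixes is matched on the workstation, so the password itself never leaves the machine. The following added example implements that client-side step; it is not HIBP's own code, the network call is replaced by a lookup function so the block runs offline, and the sample range response (including its counts) is constructed for the illustration.

```python
"""Client side of the Pwned Passwords k-anonymity check: hash the password,
send only the 5-character hash prefix, and match the returned suffixes locally.

Added illustration; not HIBP's code. The range response and its counts are
constructed here, and range_lookup stands in for the HTTPS request.
"""
import hashlib


def hash_prefix_suffix(password: str):
    """Return (first 5 hex chars, remaining 35 hex chars) of the uppercase SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a 'SUFFIX:COUNT' per-line range response; 0 if the suffix is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, range_lookup) -> int:
    """Number of breach occurrences; range_lookup(prefix) returns the range body.

    In a live check range_lookup would GET
    https://api.pwnedpasswords.com/range/<prefix>; only the prefix is sent.
    """
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(suffix, range_lookup(prefix))


# Constructed sample of a range body for prefix 5BAA6 (counts are made up).
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def offline_lookup(prefix: str) -> str:
    """Stand-in for the network call: only the constructed 5BAA6 range exists."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, offline_lookup))
```

SHA-1 is used here only because that is the hash the service indexes on; it is not a recommendation for storing passwords. A real client should also send the `Add-Padding: true` request header the service supports so that response sizes do not reveal which range was queried.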

Element 4: The Importance of Two-Way Communication

While policy making and training has to come from the top down, it is important that any channels of communication relating to HIPAA compliance are also bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and what new challenges are facing frontline members of the workforce.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Element 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important to identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Element 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of additional training is often sufficient to create and maintain a compliant workforce – especially if whole teams have to attend refresher training due to the non-compliance of an individual!

Element 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.


White House Publishes National Cybersecurity Strategy Implementation Plan

The White House has published a roadmap for implementing President Biden’s March 2023 National Cybersecurity Strategy to ensure transparency and a continued path for coordination. The National Cybersecurity Strategy Implementation Plan (NCSIP) includes more than 65 federal initiatives that aim to improve resilience against cyber threats and disrupt cyber threat operations, and changes how the United States allocates roles, responsibilities, and resources in cyberspace.

Two major shifts include ensuring that the biggest, most capable, and best-positioned entities in both the public and private sectors assume a greater share of the burden for mitigating cyber risk and increasing the incentives to favor long-term investments in cybersecurity. The initiatives are based on five pillars and aim to achieve 27 strategic objectives. The first pillar is concerned with defending critical infrastructure against cyberattacks that are increasing in number and sophistication. Cybersecurity requirements will be established to support national security and public safety across all critical infrastructure sectors, including healthcare. Public-private collaboration will be scaled to drive the development and adoption of secure-by-design and secure-by-default technology, Federal defenses will be modernized, and the Federal incident response plans and processes will be updated.

The second pillar is concerned with the disruption and dismantling of threat actors’ infrastructure. The initiatives include increasing the speed and scale of intelligence sharing and victim notification, the prevention of abuse of U.S. infrastructure, countering cybercrime, and disrupting ransomware. The third pillar is concerned with shaping market forces to drive security and resilience, including initiatives to drive the development of secure IoT devices, shifting liability for insecure software products and services, using grants and other incentives to ensure built-in security, and exploring the need for a Federal cyber insurance backstop for catastrophic cyber events.

The fourth pillar concerns investment in a cyber-resilient future, including securing the technical foundation of the internet, improving federal research and development in cybersecurity, preparing for a post-quantum computing future, and developing a national strategy for strengthening the cyber workforce. The fifth pillar involves forging international partnerships to pursue shared cybersecurity goals, including building coalitions to counter digital threats, strengthening the capabilities of international partners, expanding the ability of the U.S. to assist allies and partners achieve shared goals, and securing global supply chains for information, communications, and operational technology products and services.

The plan will be spearheaded by 18 Federal agencies, with the Office of the National Cyber Director (ONCD) coordinating all activities under the plan. Several of the initiatives are already underway and some have already been completed ahead of schedule.


Return to Big Game Hunting Sees Ransomware Revenues Soar

There has been a sizeable fall in revenues from cryptocurrency-related crimes in the first half of 2023, with scammers seeing a 77% reduction in revenues from the same period in 2022, amassing a little over $1 billion in the first half of the year compared to $3.3 billion in the first half of 2022. While this is certainly good news, ransomware-related cryptocurrency payments increased significantly in H1 2023, and if the trend continues in the second half of the year, ransomware revenues could eclipse those of 2022. At the current rate, transactions related to ransomware attacks can be expected to reach $899 million by the end of the year, only trailing 2021 – a record-breaking year, where $939.9 million in payments were made following ransomware attacks.

The mid-year analysis from Chainalysis shows a 65% decline in cryptocurrency transfers to known darknet marketplaces, scam sites, and fraud shops compared to the same period last year, with high-risk exchanges and mixers also experiencing a notable decline, down 42% on this time last year. The fall has been attributed, in part, to the disappearance of two major investment scam campaigns, VidiLook and Chia Tai Tianqing Pharmaceutical Financial Management.

The same cannot be said of ransomware-related transfers, which are up at least $175.8 million from H1 2022, with at least $449.1 million paid in ransom payments up to the end of June 2023. Chainalysis attributes the increase to a combination of a return to big game hunting – targeting large organizations with deep pockets – using ransomware strains such as BlackBasta, BlackCat, and Cl0p, and an increase in attacks on smaller entities using ransomware variants such as Dharma and Phobos. The average/median payment size was $265/$275 for Dharma and $1,719/$300 for Phobos, compared to $762,634/$147,106 for BlackBasta, $1,504,579/$305,585 for BlackCat, and $1,730,486/$1,946,335 for Cl0p.

While the attacks on smaller entities yield much lower payments, the attacks are much easier to conduct since smaller firms lack the cybersecurity resources of larger firms. These smaller attacks tend to be conducted by ransomware affiliates using spray-and-pray tactics, rather than targeted attacks. Since the ransom demands are relatively low, payment is more likely to be made; however, there has been a trend of non-payment of ransoms, especially at larger firms. Chainalysis suggests the non-payment trend could be prompting attackers to issue very high demands for payment in their big game hunting attacks due to the high percentage of firms choosing not to pay ransoms.


Multiple Security Vulnerabilities Identified at Arizona VA Healthcare System

A recent inspection of the Northern Arizona VA Healthcare System by the Department of Veterans Affairs Office of Inspector General (OIG) found deficiencies in all three security control areas that were investigated – configuration management, security management, and access controls.

The Northern Arizona VA Healthcare System includes the Bob Stump Department of Veteran Affairs Medical Center in Prescott and 11 clinics in the state and serves approximately 33,000 veterans. The inspection was performed as the Northern Arizona VA Healthcare System had not previously been visited as part of a Federal Information Security Modernization Act of 2014 (FISMA) audit.

The inspection revealed the Northern Arizona VA Healthcare System had deficiencies in four configuration management controls – vulnerability management, flaw remediation, unsupported components, and baseline configurations. While the VA has a vulnerability management program, the inspectors identified vulnerabilities that the Office of Information and Technology (OIT) had failed to identify, even though the same scanning tools were used. Many of those vulnerabilities were rated critical or high severity.

Several devices were found to be missing security patches. Patches were available to address the critical and high-severity flaws but they had not been applied, leaving the devices at risk of unauthorized access, alteration, or destruction. Components continued to be used despite reaching end-of-life. For instance, 71 of the 80 healthcare system network switches were using operating systems that were no longer supported by the vendor, which means security patches are no longer issued. Consequently, weaknesses and vulnerabilities would not be addressed and could be exploited by malicious actors. Baseline configurations were identified that deviated from the OIT baseline. For instance, a local database had multiple vulnerabilities as a result of baseline configurations that deviated from the OIT baseline. If the OIT baseline configuration is not used, OIT would be unaware of any weaknesses impacting the database.

One deficiency was identified in security management – continuous monitoring of the inventory. The inspectors found almost twice the number of devices on the network than were identified in the VA’s cybersecurity management service for workflow automation and continuous monitoring (eMASS). While OIT had an inventory of devices that contained most of the networked devices, the inventory was not routinely updated in eMASS. As a result of the failure to update the inventory, management was making risk decisions based on inaccurate system information.

The inspectors also found 7 deficiencies in access controls: physical access, video surveillance, environmental controls, equipment installation, emergency power, fire protection controls, and water detection. For instance, the healthcare system had an automated physical access control system where employees use badges to enter buildings and rooms, but it had not been fully deployed, with staff often using keys for access. While key inventories are required every 6 months, they had not been conducted in more than two years due to locksmith turnover and the failure to accurately track key distribution.

The OIG made 11 recommendations, 6 to the assistant secretary for information and technology and chief information officer and 5 to the Northern Arizona VA Healthcare System director. VA IT management and the Northern Arizona VA Healthcare System director concurred with all of the recommendations. The recommendations include implementing an effective vulnerability management program, ensuring vulnerabilities are remediated within established time frames, transitioning unmanaged databases to the VA Enterprise Cloud, ensuring all network devices maintain vendor support, implementing an improved inventory process, ensuring network infrastructure is properly installed, and ensuring physical access controls are implemented.

While the findings of the audit were specific to the Northern Arizona VA Healthcare System, similar vulnerabilities are likely to exist in other VA healthcare systems. The OIG recommends all VA healthcare systems review the findings of the inspection and implement the same recommendations if similar security deficiencies are identified.


Vulnerabilities Identified in Popular Telemedicine Software Development Kit

Security flaws have been identified in the QuickBlox software development kit (SDK) and application programming interface (API) that supports the real-time chat and video applications used by many telemedicine providers.

The vulnerabilities were identified by security researchers from Claroty’s Team82 and Check Point Research who collaborated to look into the security of the popular QuickBlox SDK and API, which support applications used in telemedicine, finance, and smart IoT device applications. The SDK and API are provided to mobile and web application developers to deliver user management, real-time public and private chats, and incorporate security features to support HIPAA and GDPR compliance.

The researchers identified two vulnerabilities that put sensitive data at risk, including protected health information (PHI). Given the extent to which the QuickBlox chat and video framework is used, the sensitive information of millions of individuals was at risk of exposure. CVE-2023-311847 is a high-severity flaw with a CVSS 3.1 base score of 7.8 and is due to the creation of hard-coded credentials. The second vulnerability, tracked as CVE-2023-31185, is a high-severity flaw with a CVSS 3.1 base score of 7.5 and allows information disclosure via an unspecified request.

The vulnerabilities make it possible to log in to QuickBlox on behalf of any user – doctor or patient – and view all of their data, including personal information, medical histories, chat histories, and medical record files. The researchers say full impersonation is also possible, so a malicious actor could log in as any doctor, modify information, and communicate in real-time via chat and video with real patients. The patient would be unaware that they were not chatting with a real physician. The researchers developed proof-of-concept exploits for the vulnerabilities against multiple applications and demonstrated how secret tokens and passwords embedded in applications along with the use of an insecure QuickBlox API would allow malicious actors to gain access to the PHI of millions of users.

The researchers looked at a popular telemedicine application that integrates with the QuickBlox SDK and provides chat and video services allowing patients to communicate with doctors. The researchers were able to exploit the QuickBlox vulnerabilities alongside specific telemedicine app vulnerabilities, and gain access to the entire user database, along with related medical records and medical histories stored in the application. They were also able to log in as any user, making it possible to impersonate a doctor. At the time of publication, the telemedicine application was still running the vulnerable versions of the framework.
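The root of the first finding above is a credential baked into the application itself, which is the one class of secret that a defender can look for before shipping rather than after. The following added example is a small source scanner for that pattern: it looks for assignments to key/secret/token/password-like names whose quoted value has the character entropy of a generated token. It is not QuickBlox, Team82 or Check Point tooling; the regular expression, the entropy threshold and the sample source file are constructed for the illustration.

```python
"""Find credentials hard-coded in application source: assignments to
secret-like names whose literal value looks like a generated token.

Added illustration, not QuickBlox/Team82/CPR tooling. The pattern, the
threshold and SAMPLE_SOURCE are constructed for this example.
"""
import math
import re

# name containing key/secret/token/password, then = or :, then a quoted literal
ASSIGNMENT = re.compile(
    r'''(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:key|secret|token|password)[A-Za-z0-9_]*)'''
    r'''\s*[=:]\s*["'](?P<value>[^"']{8,})["']''',
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; generated API tokens sit well above ordinary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_hardcoded_secrets(source: str, min_entropy: float = 3.5):
    """Return (line number, variable name, literal) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, m.group("name"), value))
    return findings


# Constructed source file: two embedded secrets, one low-entropy default, and
# one credential correctly read from the environment at runtime.
SAMPLE_SOURCE = '''import os
QB_APP_ID = "12345"
QB_AUTH_KEY = "ak_x9Ff2QpL7zVb3RtM"
QB_AUTH_SECRET = "s3Kr3tV4lu3_NoTr3al_0Zy8qW"
user_password = "changeme"
auth_key = os.environ["QB_AUTH_KEY"]
'''

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {value!r}")
```

The entropy heuristic deliberately misses `user_password = "changeme"` on line 5, which is why a scanner like this is paired with a list of known default passwords and run in CI against every commit, not once. Line 6 is the shape the fix takes: the secret is supplied at runtime and never appears in the shipped artifact, which is what distinguishes it from the two flagged lines.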

Team82 and CPR worked closely with QuickBlox to resolve the identified vulnerabilities. QuickBlox has now designed a new, secure architecture and API to eliminate the vulnerabilities. All users should ensure they migrate to the latest version as soon as possible to prevent the flaws from being exploited.
