The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an updated cybersecurity advisory about Royal ransomware, which is thought to be about to shut down and rebrand.

Royal ransomware first emerged in September 2022 and is thought to have split from the Conti ransomware operation, with a brief spell operating as Quantum in between. Royal ransomware has been a prolific ransomware operation, having conducted more than 350 attacks since September 2022 and has issued ransom demands in excess of $275 million, according to the FBI. Royal ransomware is a private ransomware group that has targeted organizations in healthcare and public health (HPH), education, manufacturing, and communications. The number of attacks on HPH sector organizations prompted an earlier cybersecurity advisory from CISA, the FBI, and the HHS, which shared the latest tactics, techniques, and procedures (TTPs) used by the group and Indicators of Compromise (IoCs). They have been updated in the latest advisory.

In May 2023, a new ransomware variant was detected that had several coding similarities to Royal ransomware, and similar intrusion techniques were used. Researchers at Trend Micro found the two ransomware variants were almost identical, with 98% similar functions, 98.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff. The two groups have been observed using similar software and open source tools in their attacks such as Chisel and Cloudflared for network tunneling, Secure Shell (SSH) Client, OpenSSH, and MobaXterm for SSH connections, Mimikatz and Nirsoft for credential harvesting, and the attacks involved similar remote access tools.

Along with those similarities was the timing of the emergence of the new ransomware variant – Blacksuit – which led security researchers to believe that Royal was about to rebrand. Royal has just conducted a major attack on the city of Dallas which attracted considerable attention from law enforcement and, as is common after major attacks, ransomware groups often rebrand. Royal did not rebrand immediately, and it has been suggested that all did not go well with the new ransomware variant, and the rebrand was delayed. Alternatively, Blacksuit could be a spinoff variant of Royal. CISA and the FBI are convinced that the two ransomware variants are linked.

LockBit 3.0 Exploiting Citrix Bleed Vulnerability

The LockBit 3.0 group has been exploiting the critical Citrix Bleed vulnerability that affects Citrix NetScaler ADC and Gateway to gain access to the systems of its victims. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023; however, many organizations have been slow to patch and are running vulnerable appliances.

According to Security researcher Kevin Beaumont, who has been tracking the group’s attacks, several of the group’s recent victims had exposed Citrix servers that were vulnerable to the Citrix Bleed flaw, and that appears to have been exploited using a publicly available exploit.

Currently, there are more than 3,000 Citrix servers in the United States that are exposed to the Internet and vulnerable to the Citrix Bleed flaw which can be exploited remotely with no user interaction. Immediate patching is strongly recommended to prevent exploitation of the flaw.

Hunters International Ransomware Group Takes over from Hive

Hive, one of the most notorious ransomware groups in recent years, was shut down in January this year following an international law enforcement operation. The group had obtained more than $100 million in ransom payments and conducted more than 1,500 attacks worldwide, including many attacks on healthcare organizations.

Following law enforcement takedowns, ransomware groups often go quiet and then reemerge months later with a new ransomware variant. A new threat group, Hunters International, has since emerged and several similarities have been found with Hive, including coding overlaps and a 60% match between the group’s code, according to security researcher BushidoToken.

According to a recent report from Martin Zugec, technical solutions director at Bitdefender, a member of the Hunter’s International group issued a statement confirming that Hive and Hunter’s International are two separate groups and Hive’s source code and infrastructure were acquired. The Hive spokesperson said Hive sold their source code, website, and old Goland and C versions, and Hunter’s purchased them. The spokesperson for Hunter’s said encryption isn’t its primary goal, which is why the group didn’t develop everything from scratch. Bitdefender’s research uncovered evidence to suggest the adoption of Hive’s code rather than a rebrand, thus corroborating the Hunter’s International statement. Bitdefender’s analysis, recommendations, and IoCs can be found here.

The post Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups appeared first on HIPAA Journal.

A zero-day vulnerability in the SysAid IT service management solution is being exploited by the Lace Tempest (aka FIN11, DEV-0950, TA505) threat group to gain access to SysAid servers, steal data, and deploy Clop ransomware.

The threat group is well known for exploiting zero-day vulnerabilities. Before the latest campaign, the group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution, stole data, and attempted to extort more than 2,000 victims. Earlier this year, a zero-day vulnerability was exploited in another file transfer solution, Fortra’s GoAnywhere MFT, and before that in 2021, the group exploited a zero-day vulnerability in the Accellion FTA.

The SysAid vulnerability was identified on November 2, 2023, after it had been exploited. The vulnerability, tracked as CVE-2023-47246, was identified by Microsoft, which notified SysAid. The attacks detected by Microsoft were attributed to the Lace Tempest group.

CVE-2023-47246 is a path traversal vulnerability in SysAid’s on-premises software that can be exploited to execute unauthorized code. In one of the attacks, the threat actor exploited the flaw to upload a Web Application Resource (WAR) archive containing a webshell to the webroot of the SysAid Tomcat web service. The webshell allowed the threat actor to execute PowerShell scripts to load GraceWire malware into a legitimate process such as spoolsv.exe, msiexec.exe, or svchost.exe. The malware checks for Sophos security software, and if not present, will be used to deploy additional scripts. In one attack, a Cobalt Strike listener was deployed on compromised hosts. After exfiltrating sensitive data, Clop ransomware was deployed and executed.

Given the speed at which the group has exploited vulnerabilities in the past, immediate action is required to fix the flaw. SysAid has released a patch and all SysAid users are being strongly encouraged to update to version 23.3.36 or later as soon as possible to prevent exploitation. After upgrading to the latest version, servers should be checked for signs of compromise. SysAid has published a list of Indicators of Compromise (IoCs) in its recent report on the attacks exploiting the flaw. SysAid also recommends reviewing any credentials or other information that would have been available to someone with full access to the SysAid server an to check any relevant activity logs for suspicious behavior.

The post SysAid Zero-Day Vulnerability Exploited to Deploy Clop Ransomware appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, Office of the Director of National Intelligence, and partners have released guidance on software bill of materials (SBOM) generation and consumption, as part of ongoing efforts to better secure the software supply chain.

The guidance was developed by the Software Supply Chain Working Panel, which was established by the Enduring Security Framework (ESF) and is a collaborative partnership across private industry, academia, and government. The Working Panel has developed a three-part Recommended Practices Guide series, that covers best practices to help ensure a more secure software supply chain for developers, suppliers, and customer stakeholders.

The latest guidance is aimed at software developers and suppliers, and includes industry best practices and principles, including managing open source software and SBOM to maintain and provide awareness about the security of software.

Cyber actors are increasingly targeting the software supply chain and are searching for software vulnerabilities that can be exploited to allow them to attack all users of the software, such as the 2020 cyberattack on the SaaS provider SolarWinds. The attack is believed to have been conducted by the Russian state-sponsored hacking group Cozy Bear, which compromised the SolarWinds Orion IT performance and monitoring solution and added a backdoor. When a software update was rolled out to customers, so was the backdoor, resulting in the compromising of an estimated 18,000 systems. The hackers then conducted follow on activities on selected high value targets.

Cyber actors also take advantage of vulnerabilities in open source software and third-party components, such as the Log4Shell vulnerability in the Log4j logging tool, which is used by millions of computers worldwide. When a critical vulnerability was identified and patches were released, they could only be applied if it was known that Log4j was used. Because Log4j was a component of many different software solutions, the vulnerability went unaddressed as many users were unaware that they were vulnerable.

One of the ways that the security of the software supply chain can be improved is by having a complete SBOM that includes all software components and dependencies. The SBOM can be rapidly queried to determine if a vulnerable software component is used and steps can then be taken to address the problem. The latest guidance document is part of the ESF Software Supply Chain Working Panel’s second phase of guidance, which provides further details on the SBOMs that were recommended in the Phase 1 Recommended Practices Guides.

According to CISA, the guidance can be used as a basis for describing, assessing, and measuring security practices relative to the software lifecycle and the suggested practices can be applied across the acquisition, deployment, and operational phases of a software supply chain. The guidance includes recommendations in line with industry best practices and principles which software developers and software suppliers are encouraged to reference, and includes managing open source software and SBOMs to maintain and provide awareness about the security of software.

While the guidance provides recommendations for SBOM generation and consumption processes, implementing these recommendations will be a challenge for many organizations as it will require considerable investment and resources that many organizations currently lack.

The post CISA Issues Software Bill of Materials Guidance appeared first on HIPAA Journal.

A new report from Sophos on healthcare cybersecurity trends indicates data encryption occurred in 75% of ransomware attacks on healthcare organizations. Only 24% of surveyed healthcare organizations were able to detect an attack in progress and disrupt it before files were encrypted. Sophos says this is the highest rate of encryption and the lowest rate of disruption the company has seen in the past 3 years. Last year, healthcare organizations disrupted 34% of attacks before files were encrypted.

“To me, the percentage of organizations that successfully stop an attack before encryption is a strong indicator of security maturity. For the healthcare sector, however, this number is quite low—only 24%. What’s more, this number is declining, which suggests the sector is actively losing ground against cyberattackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos.

Many ransomware gangs use double-extortion tactics, where files are encrypted after data exfiltration and a ransom must be paid to decrypt files and prevent the release of the stolen data. 37% of healthcare ransomware attacks involved these double extortion tactics – an increase from previous years. Ransomware attacks are continuing to grow in sophistication, threat actors are constantly changing and improving their tactics, and attack timelines are speeding up, giving network defenders less time to detect and block attacks. Sophos says the median time from the start of an attack to detection has now fallen to just 5 days. The majority of attacks are also scheduled to occur outside of office hours when staffing levels are lower. Only 10% of attacks were conducted during regular business hours.

The sophisticated nature of attacks has increased the time taken to recover. Only 47% of healthcare organizations were able to recover from a ransomware attack within a week, compared to 54% last year. Recently, the Department of Health and Human Services’ Office for Civil Rights said there has been a 278% increase in ransomware attacks on healthcare organizations over the past four years; however, Sophos’s data indicates there has been a slight reduction in attacks, from 66% of surveyed organizations in 2022 to 60% in 2023. There has also been a sizeable reduction in the number of healthcare organizations paying ransoms. Last year, 61% of healthcare organizations paid a ransom payment following an attack, with just 42% choosing to pay in 2023.

“The ransomware threat has simply become too complex for most companies to go at it alone. All organizations, especially those in healthcare, need to modernize their defensive approach to cybercrime, moving from being solely preventative to actively monitoring and investigating alerts 24/7 and securing outside help in the form of services like managed detection and response (MDR),” said Wisniewski.

Sophos recommends strengthening defenses by using security tools such as end-point protection solutions with strong anti-ransomware and anti-exploit capabilities, implementing zero trust network access to prevent the abuse of compromised credentials, using adaptive technologies that can respond automatically to attacks in progress to buy network defenders more time, and to implement 24/7 threat detection, investigation, and response, whether that is conducted in-house or by a specialized MDR provider.

It is also important to maintain good security hygiene, such as updating software and patching promptly, regularly reviewing security tool configurations, and regularly backing up, practicing recovering data from backups, and maintaining an up-to-date incident response plan.

The post Data Successfully Encrypted in 75% of Healthcare Ransomware Attacks appeared first on HIPAA Journal.

The Cyber Division of the Federal Bureau of Investigation (FBI) has issued a private industry notification that includes details of emerging techniques that are being used by ransomware gangs to gain initial access to victims’ networks. The FBI has identified several ransomware trends that are emerging or continuing and have been used in multiple attacks since July 2023 to gain initial access to networks. Several attacks have involved the exploitation of vulnerabilities in vendor-controlled remote access to casino servers, and companies have been victimized through legitimate system management tools to elevate network permissions.

The Silent Ransom Group (aka Lunar Moth) has been conducting phishing attacks using messages containing a phone number that must be called to prevent a pending charge to an account. This type of attack is known as callback phishing and has been popular with ransomware gangs since 2022. Since the emails contain no malicious content other than a phone number, the emails are not blocked by email security solutions and often reach their intended targets. To stop the pending account charge, the victim is required to download and install a legitimate system management tool, which is used by the threat actor to access their device. The threat actor can then access local files and shared drives and exfiltrate data. The victim is then extorted.

The FBI recommends all organizations implement the suggested mitigations to harden their defenses against these attacks. The key to defending against these attacks is preparation. Organizations should ensure they maintain offline backups of data, encrypt their backup data, and implement an incident response and recovery plan. Reviews should be conducted of the security posture of all third-party vendors, with priority given to those that have network access. The FBI recommends implementing listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy, and to document and monitor external remote connections.

Identity and access management controls are vital. All accounts that require passwords should comply with National Institute of Standards and Technology (NIST) password standards and phishing-resistant multifactor authentication should be implemented for webmail, virtual private networks, and accounts that access critical systems. Domain controllers, servers, workstations, and active directories should be reviewed for unrecognized accounts, user accounts should be audited, and time-based access should be set for accounts at the admin level and higher.

Protective controls and architecture should include the segmenting of networks, the identification, detection, and investigation of abnormal activity and potential traversal with a networking monitoring tool, antivirus tools capable of real-time detection of threats, and close monitoring of the use of remote desktop protocol (RDP).

It is important to ensure that all software, operating systems, and firmware are kept up to date, unused ports and protocols are disabled, command-line and scripting activities and permissions are disabled, devices are properly configured with security features enabled, and for Server Message Block (SMB) Protocol to be restricted. Controls should also be implemented to improve email security, such as adding a banner to all external emails and disabling hyperlinks in emails.

The post FBI Shares Intel on Emerging Initial Access Techniques Used by Ransomware Gangs appeared first on HIPAA Journal.

The Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note about BlackSuit ransomware, a new ransomware group believed to pose a credible threat to the healthcare and public health (HPH) sector.

Security researchers have identified several similarities between BlackSuit ransomware and Royal ransomware, with the latter group having actively targeted the HPH sector like the Conti ransomware group that Royal is believed to have replaced. BlackSuit has already been used in at least one attack on the HPH sector in October this year, so it is fair to assume that BlackSuit will be used in further attacks on the sector. That attack was on a provider of medical scans and radiology services to more than 1,000 hospitals in 48 states.

Like many other ransomware operations, BlackSuit ransomware is used in double extortion attacks, where sensitive data is exfiltrated before file encryption and ransoms must be paid to prevent the release of the stolen data as well as to decrypt the encrypted files. So far, BlackSuit ransomware has only been used in a limited number of attacks; however, activity could be ramped up at any point.

BlackSuit ransomware is believed to be a private group rather than a ransomware-as-a-service operation, and the operation is thought to be run by individuals with experience in conducting ransomware attacks due to the links with Royal and Conti. Some cybersecurity researchers have suggested BlackSuit may be a rebrand of Royal ransomware, which conducted a major attack on a Texas city in May 2023 which attracted considerable media and law enforcement attention. BlackSuit first appeared shortly after that attack but Royal is still operational, although BlackSuit has not been extensively used to date so that conclusion has not been discounted.

Windows and Linux variants of BlackSuit have been detected, and like Royal ransomware, use OpenSSL’s AES for encryption. The ransomware uses intermittent encryption techniques, which are more efficient and allow files to be encrypted faster. Given the low number of detected attacks, it is difficult to tell which attack methods are favored by the group. The distribution methods that are most likely used are email attachments containing macros, embedding the ransomware in torrent files, malicious adverts (malvertising), and delivery via other malware variants such as Trojans, droppers, and downloaders, which are commonly distributed via compromised websites, fake software updates and phishing emails.

The HC3 Analyst Note details the MITRE ATT&CK techniques used by the group, Indicators of Compromise (IoCs), and recommended mitigations for hardening defenses. HC3 has also recommended reporting any suspected attacks to the local Federal Bureau of Investigation (FBI) field office and FBI Internet Crime Compliant Center (IC3).

The post BlackSuit Ransomware Poses a Credible Threat to the HPH Sector appeared first on HIPAA Journal.

Advanced cyberattacks on cloud environments often make headline news, but these attacks occur in small numbers. The majority of cyberattacks on cloud environments are conducted using well-known threat actor attack techniques such as using stolen credentials and exploiting security weaknesses such as misconfigurations. As such, the best defense against cloud intrusions is to focus on simple cloud security hygiene as this will raise the bar for attackers and will dramatically reduce the risk of a cloud compromise.

According to the recently published Q3, 2023 Google Cloud Threat Horizons Report, a majority of cloud compromises saw initial access gained by exploiting poor password practices. 54.3% of cloud compromises were due to weak or no passwords, with a large percentage of those attacks involving brute forcing default accounts, Secure Shell (SSH), and the Remote Desktop Protocol (RDP). 15.2% of attacks saw initial access gained as a result of misconfigurations, and the same percentage of attacks were due to sensitive UI or API exposure. 10.9% of attacks saw initial compromise achieved by exploiting vulnerable software.

The Google Cloud research and analysis team has identified persistent threat actor activity targeting cloud-hosted Software-as-a-Service (SaaS) systems. Organizations are increasingly using SaaS applications, which increases the attack surface considerably. According to the Thales 2023 Cloud Security Report, there was a 41% increase in the mean number of SaaS applications used by organizations between 2021 and 2023. 55% of surveyed security executives say they have experienced data breaches, leaks, malicious applications, ransomware, espionage, or insider attacks related to SaaS applications in the past 2 years, which indicates organizations are failing to adequately protect SaaS data. This is particularly worrying since SaaS data is the least likely data to be recovered in a ransomware attack.

There is a growing trend where malicious actors abuse public cloud services to host their command-and-control infrastructure, rather than using their own infrastructure or leasing it from other threat actors. The threat actors benefit from cheap, reliable infrastructure that is trusted by enterprises and consumers, and they can hide their activity by blending into high volumes of legitimate traffic. Threat actors have long abused Microsoft Azure, Amazon Web Service, and Dropbox but they may also be abusing Google Calandar. Proof-of-concept code has been published on GitHub for a Google Calendar Remote Access Trojan (RAT), and researchers at Mandiant note that the code has been actively shared on underground forums, indicating threat actors’ interest in the Google Calendar RAT. Since the malware communicates with legitimate infrastructure operated by Google, it is difficult for defenders to detect suspicious activity.

Typosquatting has long been used by threat actors in their campaigns. This tactic involves registering domains similar to the brand being targeted to catch out careless typists. Typosquatting is now being used in attacks on cloud storage platforms such as Google Cloud Storage, Amazon S3, and Azure Blob. A random sample of ten Fortune 100 companies found that 60% had one or more typosquatted cloud storage URLs.

The Q3, 2023 Google Cloud Threat Horizons Report includes a review of cloud services adoption in the healthcare industry and identifies some of the common security issues. An analysis of cloud security incidents between 2021-2023 found cloud services are increasingly being targeted in attacks on healthcare organizations and cloud services are being increasingly used as a platform for staging attacks. While the majority of these attacks were not new, the team found that the attacks are increasingly negatively affecting patient safety, such as by degrading healthcare organizations’ operational capacity, causing patients to be redirected to more distant facilities, and delaying diagnosis and treatment.

The attacks studied by Google and Mandiant revealed that most attacks on the healthcare industry are conducted by financially motivated threat actors who most commonly use stolen credentials for initial access, and to a lesser extent, phishing, third-party vulnerabilities, denial of service attacks, web exploits, and misconfigurations. By far the most common follow-on compromises were ransomware and data extortion attacks, where the attackers attempt to find and capture PHI for extortion purposes, with or without accompanying data encryption. Credentials and data are commonly extracted by targeting Outlook Web Access application and AWS resources such as S3. In the report, the Google Cloud team offers several mitigations that can reduce the risk of attacks on cloud services and prevent credential and session abuse, data exfiltration and extortion, ransomware and data destruction, web exploits, third-party software vulnerability exploitation, DoS attacks, malware delivery, and social engineering attacks.

“The healthcare sector is a prime target for cyber attackers. It is imperative that healthcare-driven organizations recognize that patient data and medical device vulnerabilities demand urgent attention and protection,” Taylor Lehmann, Director, Office of the CISO, Google Cloud told The HIPAA Journal. “Cybersecurity must be integrated into the core of healthcare operations to safeguard clinical and personal data, as well as patient safety. This requires a collective effort, where cooperation between healthcare providers, industry leaders, and government becomes the linchpin of defense against these relentless cyber adversaries.”

The post Malicious Actors Increasingly Targeting Cloud Services in Healthcare Cyberattacks appeared first on HIPAA Journal.