The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and its international cybersecurity agency partners have issued a cybersecurity advisory about the LockBit ransomware operation, which has extorted $91 million from organizations in the United States since 2020 across 1,700 attacks.

“This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organizations understand and defend against this ransomware activity,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.”

The LockBit ransomware-as-a-service operation is the most prolific RaaS group, having listed more victims on its data leak site than any other ransomware operation. LockBit was behind 16% of ransomware attacks on state, local, tribal, and tribunal (SLTT) governments in 2022 and was the most commonly deployed ransomware variant last year. The group has attacked organizations of all sizes, including critical infrastructure entities such as financial services, food & agriculture, education, and healthcare, and 2023 attacks have continued in high numbers.

There are several reasons why LockBit has become the most prolific RaaS operation. Affiliates are recruited to conduct attacks and receive a share of the ransoms they generate, as is the case with other RaaS operations; however, LockBit pays its affiliates faster and provides them with their cut of ransom payments before payment is received by core members of the group. The group has developed an easy-to-use interface for its affiliates which lowers the bar for new affiliates, who require less technical skill to start conducting ransomware attacks than with other ransomware variants. The group also engages in publicity-generating exercises, disparages other RaaS operations, and has even taken steps to discourage individuals from disclosing the identity of the lead member of the group (LockBitSupp) to law enforcement by offering a $1 million bounty on information that could lead to LockBitSupp’s identification.

Due to the large number of affiliates working within the LockBit operation, the tactics, techniques, and procedures (TTPs) used in attacks are diverse so network defenders face significant challenges defending against attacks. The security advisory details the TTPs that CISA, the FBI, and their international cybersecurity partners have observed in LockBit ransomware attacks over the past 3 years, along with a lengthy list of mitigations to help network defenders take proactive steps to improve their defenses against LockBit attacks. The advisory includes around 30 different freeware and open source tools that have been used by LockBit affiliates, 9 CVEs that are known to have been exploited, and more than 40 MITRE ATT&CK techniques for initial access, discovery, credential access, privilege escalation, lateral movement, persistence, defense evasion, collection, command and control, data exfiltration, and execution.

“The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, and encouraged all victims of cybercrime to report incidents to their local FBI field office.

The post Comprehensive LockBit Ransomware Cybersecurity Advisory Issued by CISA & Partners appeared first on HIPAA Journal.

The Health Sector Cybersecurity and Coordination Center (HC3) has compiled a profile of the FIN11 threat group (TA505/Lace Tempest/Hive0065) which is known to target organizations in the healthcare and public health (HPH) sector. Historically, FIN11 has conducted phishing campaigns but has now migrated to other attack vectors against companies in North America and Europe. The group is financially motivated and often engages in data theft for extortion, with or without ransomware.

Recent attacks include the exploitation of zero day vulnerabilities in file transfer solutions to gain access to sensitive data, which is stolen and threatened to be released if a ransom is not paid. FIN11 often deploys CLOP ransomware in its attacks, although it is unclear exactly how many CLOP ransomware attacks FIN11 has conducted. The ransom demands in these attacks vary based on the perceived ability of the victim to pay and typically range from a few hundred thousand dollars to $10 million.

FIN11 phishing and spear phishing campaigns have used a combination of malicious attachments and hyperlinks, and fake download pages have been used to trick people into downloading malware. FIN11 is thought to have been involved in the mass exploitation of vulnerabilities in the MOVEit and Accellion FTA file transfer solutions, the PaperCut MF and NG vulnerability in 2023, the Windows ZeroLogon vulnerability in October 2020, and several other vulnerabilities. FIN11 also targeted HPH sector organizations during the COVID-19 pandemic.

FIN11 is known to deploy a range of different malware variants after gaining initial access to networks. In addition to CLOP ransomware, the group has deployed the LEMURLOOT web shell, P2P RAT, FlawedAmmyy and FlawedGrace remote access Trojans, and Cobalt Strike, along with a host of other tools to allow the group to achieve its objectives.

Due to the range of different attack vectors, mitigations are varied and involve strong email security measures, prompt patching of known vulnerabilities, endpoint detection solutions, and active monitoring of security alerts for signs of compromise. HC3 recommends that healthcare organizations consider FIN11 a top priority for their security teams, as the group poses a significant threat to the HPH sector.

The post HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams appeared first on HIPAA Journal.

A critical vulnerability in Fortinet’s FortiOS and FortiProxy SSL VPN has potentially already been exploited by malicious actors. The vulnerability, tracked as CVE-2023-27997, is a heap buffer overflow issue in FortiOS and FortiProxy SSL-VPN which can be exploited remotely, pre-authentication, to execute code via malicious requests to vulnerable devices. The flaw can be exploited even if multifactor authentication has been enabled.

Fortinet firewalls and VPNs are widely used and vulnerabilities are actively sought by malicious actors and have been rapidly exploited in the past. A search on the Shodan search engine indicates around 250,000 Fortinet firewalls are accessible over the Internet and the majority of those are thought to be vulnerable. Fortinet said the vulnerability was identified during a code audit conducted in response to a series of attacks exploiting a separate zero-day vulnerability – CVE-2022-42475 – in FortiOS SSL VPN that was disclosed in January. Those attacks were linked to the Chinese state-sponsored threat group, Volt Typhoon, which has been active since mid-2021 and has previously targeted critical infrastructure entities in the United States. Fortinet has not linked exploits of the most recently disclosed vulnerability to Volt Typhoon, but said the threat actor and other threat groups will likely target the vulnerability and that there may already have been limited attacks against government, manufacturing, and critical infrastructure.

Fortinet issued a security advisory on June 12 about the vulnerability, which affects virtually all versions of FortiOS and FortiProxy. Patches have been released to fix the vulnerability and customers have been urged to update their firmware to the latest version. Fortinet said the vulnerability is mitigated if customers are not operating SSL-VPN; however, all users have been recommended to update to the latest firmware version regardless.

While there is only believed to have been limited exploitation of the flaw, now that patches have been released threat actors will compare the new releases with previous firmware versions to work out what has changed and will likely rapidly discover and develop exploits for the vulnerability, so immediate patching is strongly recommended.  All users should ensure they have updated to the following firewall and VPN versions:

FortiOS-6K7K

• FortiOS-6K7K version 7.0.12 or above
• FortiOS-6K7K version 6.4.13 or above
• FortiOS-6K7K version 6.2.15 or above
• FortiOS-6K7K version 6.0.17 or above

FortiOS

• FortiOS version 7.4.0 or above
• FortiOS version 7.2.5 or above
• FortiOS version 7.0.12 or above
• FortiOS version 6.4.13 or above
• FortiOS version 6.2.14 or above
• FortiOS version 6.0.17 or above

FortiProxy

• FortiProxy version 7.2.4 or above
• FortiProxy version 7.0.10 or above

The post Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability appeared first on HIPAA Journal.

The HHS’ Health Sector Cybersecurity Coordination Center has issued a threat brief to highlight the types of cyber threat actors that target the health and public health sector (HPH), and their differing objectives, tactics, techniques, and procedures.

The HPH sector is a relatively easy target for cybercriminals compared to other industry sectors. There is a complex supply chain involving many different vendors, a large attack surface with many IoT and IoMT-connected devices that are difficult to secure, reliance on outdated software and operating systems that have reached end-of-life, and HPH sector organizations often find it difficult to recruit and retain skilled cybersecurity staff.

HPH sector organizations also store large quantities of data that can be easily monetized and used for a range of nefarious purposes such as identity theft, blackmail, and insurance fraud. Since the sector is highly regulated, there are often costly legal ramifications for healthcare organizations that suffer data breaches, and successful attacks can cause significant reputational damage which makes the HPH sector an ideal target for extortion. Nation-state actors often target HPH sector organizations to steal research data to gain a technological advantage and collect sensitive data and cause disruption in line with national priorities.

The HPH sector is targeted by financially motivated cybercriminals, politically motivated hacktivists and nation-state actors, malicious insiders for financial gain or retaliation, cyberterrorists who wish to cause harm, and script kiddies who seek attention, want to create chaos, gain kudos within the hacking community, or simply have fun. Regardless of the threat actor, the attacks can have serious financial and reputational implications and often put patient safety at risk.

While the motivations behind healthcare cyberattacks are varied, there are common initial access vectors that are used by the different types of threat actors. Phishing and social engineering attacks exploit human weaknesses to gain initial access to healthcare networks and sensitive data. Vulnerabilities in software and operating systems are targeted for initial access, man-in-the-middle attacks intercept sensitive data, and Distributed-Denial-of-Service attacks and wiper malware are used to cause disruption to critical systems. Attacks often involve malware that steals data and provides persistent access to networks, adware is used for tracking, information theft, and driving traffic to websites, and ransomware is often deployed for data theft and extortion.

The threat brief provides information on the different types of threat actors and their motivations to help network defenders gain a better understanding of their adversaries, and includes information on the most active threat groups that are known to target the HPH sector.

The post HC3 Raises Awareness of Diverse Threat Actors Targeting the HPH Sector appeared first on HIPAA Journal.

A zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) started to be exploited by a cyber threat actor at scale over the Memorial Day weekend. Progress Software issued an advisory about the vulnerability on May 31, 2023, and rapidly released patches to fix the flaw, but not in time to prevent mass exploitation of the vulnerability. Remote exploitation of the flaw allowed access to be gained to the MOVEit server database, providing access to customer data.

A few days later, several major companies confirmed they had been impacted by the attacks, including the airlines British Airways and Aer Lingus, the UK drugstore chain Boots, the University of Rochester in New York, and the Nova Scotia provincial government, which had all fallen victim and had data exfiltrated through their payroll and HR service provider, Zellis. Nova Scotia Health has confirmed that the personal information of up to 100,000 employees was stolen in the attack.

The Clop ransomware gang and associated FIN11 threat group were suspected of involvement in the mass exploitation of the vulnerabilities as they had previously targeted vulnerabilities in file transfer solutions, exploiting zero-day vulnerabilities in the Accellion FTA and Fortra’s GoAnywhere MFT. Microsoft, Mandiant, and others attributed the attacks to Clop/FIN11, with Microsoft attributing the attacks to a Clop affiliate it tracks as Lace Tempest, and Mandiant attributed the attacks to a newly created threat cluster it tracks as UNC4857, also linked to Clop/FIN11. Mandiant confirmed to The HIPAA Journal that it has seen evidence of data exfiltration at multiple companies and that targeted applications were infected with a webshell called LEMURLOOT. Shodan scans revealed more than 2,500 instances of MOVEit software are exposed to the Internet and Censys reported more than 3,000 hosts running the service, all of which were potentially vulnerable.

Clop Ransomware Group Claims Responsibility for the Attacks

Around a week after the news broke about the exploits, the Clop ransomware gang claimed responsibility for the attacks and confirmed that ransom demands had been issued along with threats to release the stolen data if the ransoms are not paid, giving breached firms until June 14 to pay up or face data exposure. While the Clop group uses ransomware, these attacks involved data theft and exploitation without encryption, as was the case with the attacks on the Accellion FTA and GoAnywhere MFT.

On June 7, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint security advisory and provided a list of recommended mitigations to reduce the impact of Clop exploits. A few days earlier, on June 2, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert, warning that the health and public health sector was potentially at risk from the vulnerability.

The number of victims has yet to be determined, and in contrast to the GoANywhere MFT attacks, the Clop group has not publicly stated how many attacks were conducted but did say it was in the hundreds. The scale of the attacks should start to become clearer from June 14 if Clop is true to its word and starts publishing stolen data, although it may take several weeks or months before the full extent of the exploitation of the vulnerability is known.

Clop May Have Known About Vulnerability for 2 Years

Cybersecurity firm GreyNoise reports that it traced scanning activity associated with the vulnerability to March 3, 2023, and security experts at Kroll said they found evidence to indicate Clop was testing ways to exploit the vulnerability and obtain data in April 2023; however, they also found evidence of similar manual activity related to the exploit as early as July 2021, suggesting the Clop actors have known about the vulnerability for almost two years. The researchers suggest they waited until they had the automation tools available to allow exploitation at scale.

The post Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms appeared first on HIPAA Journal.

Remote access software is used by organizations and their vendors to improve efficiency and productivity and cut costs; however, the same remote access tools can be leveraged by cyber threat actors for a range of malicious purposes while evading detection by security solutions.

Benefits and Risks of Remote Access Software

Remote access software is used for a wide range of purposes and is especially useful for remotely managing and monitoring IT systems and devices. IT support teams use the software to troubleshoot IT issues, provide IT helpdesk support, perform backups and data recovery, reconfigure devices, install new software, apply patches to fix vulnerabilities, and monitor for suspicious network activity. Managed Service Providers (MSPs) extensively use these tools to access clients’ networks to perform a wide range of contracted services.

While the software can improve efficiency and productivity and reduce costs, there is considerable potential for misuse of the software, and remote access solutions are actively targeted by cyber threat actors. By abusing these tools, cyber threat actors can gain broad access to internal systems, and since these tools are legitimately used by members of the workforce and third-party contractors, connections are often not flagged as malicious by security solutions which means malicious actors can hide their activities.

Remote access software is used to gain access to internal networks and maintain persistence, and it is common for threat actors to leverage the software and tools that are already present on the compromised system to sustain their malicious activities. By using these living-off-the-land (LOTL) techniques malicious actors do not need to download additional software, scripts, and tools, which makes intrusions, lateral movement, and data exfiltration difficult to detect.

Remote access software is one of the main ways that ransomware actors gain initial access to victims’ networks and evade security solutions. Cyber threat actors may also exploit vulnerabilities to gain access to systems then install legitimate remote access software or use social engineering techniques to trick individuals into installing the software to provide access to victims’ devices and the networks to which they connect.

Guidance on Securing Remote Access Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD), have recently published a guide for all organizations that use remote access software for regular business purposes, especially managed service providers, to help them defend against malicious use of the software.

The guide includes best practices, protections, and mitigations developed by CISA and the National Institute of Standards and Technology (NIST) based on existing cybersecurity frameworks to help organizations protect against the most common cyber threats and tactics, techniques, and procedures used by cybercriminal groups and nation-state threat actors. The guidance can be used by organizations of all types and sizes and includes specific best practices and recommendations for IT support teams and managed service providers.

Guide to Securing Remote Access Software – PDF

The post Guide Released on Securing Remote Access Software appeared first on HIPAA Journal.

The eagerly anticipated Verizon 2023 Data Breach Investigations Report (DBIR) has been published – An annual report that provides insights into the current threat landscape and data breach trends. This year, the report is based on an analysis of 16,312 security incidents, where the integrity, confidentiality, or availability of an information asset was compromised, and 5,199 data breaches, where there was a confirmed disclosure of sensitive data to an unauthorized third party. All incidents included in the report occurred between November 1, 2021, and October 31, 2022.

Last year, the report indicated the human element was involved in 82% of all breaches, down from 85% in 2021. That downward trend has continued with the human element involved in 74% of breaches in 2022. These include mistakes by employees such as misconfigurations and responses to pretexting attacks, as well as deliberate actions by malicious insiders. In around half of all incidents (49%), initial access to victims’ networks was gained through stolen credentials, with phishing the next most common method, accounting for 12% of breaches, and the exploitation of vulnerabilities, which accounted for 5% of breaches. The Log4j vulnerability was the most cited exploited vulnerability and was stated as the exploited vulnerability in 90% of exploit incidents, although only 20.6% of incidents stated the vulnerability that was exploited in the attack.

Social Engineering Attacks Continue to Increase

This year’s report highlights a continuing upward trend in pretexting incidents, which are a type of social engineering attack where the victim is manipulated into divulging sensitive information. These attacks typically involve impersonation and include business email compromise attacks, which almost doubled in a year and now account for more than 50% of social engineering incidents, overtaking phishing for the first time, although phishing remains the most common social engineering method in confirmed data breaches. Losses to BEC attacks have been steadily increasing, jumping from a little over $30,000 in 2018 to a median of $50,000 in 2022. 98% of social engineering attacks involved email as the initial vector, with the remainder involving telephone-based incidents (vishing) and SMS and instant messaging (smishing).

One of the problems highlighted in the report is the lack of protection against social engineering attacks, especially the accounts of senior leadership. These individuals are often targeted as they have the most valuable accounts with extensive access to systems and data, as the accounts of senior leadership are often excepted from standard security controls. Detecting these attacks can be difficult and blocking them requires a combination of measures including email security solutions, end-user training, and multifactor authentication, with greater protections implemented for the most valuable accounts with the highest levels of privileges.

Ransomware Attacks Remain Steady

Ransomware attacks continue to be conducted in high numbers but the number of attacks has remained steady, accounting for 24% of incidents and 15.5% of data breaches – a slight increase in ransomware incidents from last year and a slight decrease in ransomware-related data breaches.  Verizon reports that ransomware is used in 62% of cyberattacks by organized crime actors and 59% of financially motivated incidents. Email, desktop-sharing software, and web applications were the most common attack vectors in ransomware attacks.

Figures from the FBI indicate 10% of ransomware attacks covered in the 2021 DBIR involved financial losses, with a median loss of $11,500. This year, only 7% of attacks involved financial losses, but the median loss has doubled to $26,000, with the maximum loss jumping from $1.2 million to $2.25 million. The overall cost of remediating ransomware attacks continues to increase despite a continuing fall in median ransom payments.

Other Causes of Security Incidents and Data Breaches

While the majority of attacks were hacking incidents, insider breaches continue to occur. 602 insider incidents were included in the report, out of which 512 involved confirmed data disclosures. The most common cause of these incidents was misdeliveries, which accounted for 43% of insider incidents, followed by misconfigurations (23%) and publishing errors (21%). Social engineering, phishing, and ransomware attacks dominate the headlines, but by far the most common type of attack is denial-of-service, which was behind 6,248 of the 16,312 security incidents. While these attacks do not tend to carry the same costs as data breaches, they can still cause considerable disruption to business operations as they prevent access to the Internet and business-critical systems.

2,091 incidents involved lost and stolen assets, with loss incidents accounting for the vast majority of these incidents. typically lost mobile phones, laptops, and printed documents. These incidents were numerous but often did not figure in the breach data, as the data on lost devices was not confirmed as being breached, only being at risk. These incidents have remained at a similar level to last year, accounting for around 10% of all data breaches.

Patterns in Data Breaches. Source: 2023 Verizon Data Breach Investigations Report.

Causes of Healthcare Attacks and Data Breaches

Healthcare was represented in 525 incidents and 436 of those incidents involved confirmed data disclosures. The most common cause of healthcare data breaches was basic web application attacks (164), miscellaneous errors (153), system intrusions (121), privilege misuse (57), social engineering (65), and lost/stolen assets (18). As Verizon points out, many healthcare data breach notification letters state the breach was the result of a highly sophisticated cyberattack; however, basic web application attacks were the most common, which typically involve brute-forcing weak passwords and credential stuffing, which are certainly not complex.

Many of the incidents in healthcare were due to mistakes by employees. Misdelivery – the sending emails or mailing letters to incorrect individuals – was the second biggest cause of data breaches. Privilege misuse, which includes snooping by employees, has been decreasing but is still more prevalent than in many other industries. Protecting against these attacks is difficult, so the focus must be on fast detection to limit the potential for harm, and that means monitoring logs for unusual data access patterns and automating that process as far as possible.

The post Verizon 2023 DBIR: Social Engineering Attacks Increase; Ransomware Plateaus appeared first on HIPAA Journal.