Healthcare Cybersecurity

HC3: Ransomware Groups are Exploiting GoAnywhere and PaperCut Vulnerabilities

The Health Sector Cybersecurity and Coordination Center (HC3) has issued a fresh ransomware warning to the healthcare and public health (HPH) sector following a spate of attacks on the HPH sector in April by the Clop and LockBit ransomware groups.

HC3 has issued multiple alerts about the Clop and LockBit ransomware-as-a-service groups, both of which have conducted multiple attacks on the healthcare sector. Clop was behind the attacks on Fortra’s GoAnywhere MFT solution in January/February 2023 and the 2022 attacks on the Accellion File Transfer Application (FTA), both of which exploited zero-day vulnerabilities in those solutions. The latest alert about LockBit was issued in December 2022 following multiple attacks on HPH sector organizations.

The Clop group exploited the GoAnywhere MFT vulnerability (CVE-2023-0669) and stole data from around 130 organizations, and both groups have been observed exploiting two other recently disclosed vulnerabilities – CVE-2023-27350 and CVE-2023-27351 – which are authentication bypass vulnerabilities in the widely used print management software, PaperCut MF/NG. Those two vulnerabilities were disclosed by the developer on April 19, 2023, and were corrected in PaperCut versions 20.1.7, 21.2.11, and 22.0.9 and later.

On April 26, 2023, Microsoft announced that a threat actor known as Lace Tempest was exploiting the PaperCut flaws and that the activity overlapped with the FIN11 and TA505 threat groups, both of which have ties to Clop. After exploiting the vulnerabilities, the attackers deployed TrueBot malware, which is known to be used by the Clop ransomware operation. LockBit ransomware was deployed in some of the attacks.

Network defenders have been advised to patch their servers promptly by updating to the latest versions of PaperCut. Where that is not possible, the recommended workaround is to block all traffic to the web management port (9191) from external IP addresses on edge devices and to block all traffic to default port 9191 on the server’s firewall. Users of Fortra’s GoAnywhere MFT solution should rotate the Master Encryption Key, reset all credentials, review audit logs, and delete suspicious administrator and user accounts.
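As an added example (not code from HC3, PaperCut or HIPAA Journal), the following Python helper applies the fixed-version list and the port-9191 workaround above to a server inventory and ranks what to fix first. The hostnames and inventory rows are constructed, and treating PaperCut branches for which the advisory lists no fix as unpatched is an assumption made here.

```python
"""Triage helper for the PaperCut MF/NG advisory (CVE-2023-27350, CVE-2023-27351).

Added example; not code from HC3, PaperCut or HIPAA Journal. The fixed versions
(20.1.7, 21.2.11, 22.0.9 and later) and the port-9191 workaround come from the
advisory summarised above. Treating branches the advisory lists no fix for as
unpatched is an assumption made here, not a statement from the advisory.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch the advisory names.
FIXED_ON_BRANCH = {
    (20, 1): (20, 1, 7),
    (21, 2): (21, 2, 11),
    (22, 0): (22, 0, 9),
}
# "22.0.9 and later": every release from here on, including later majors, is fixed.
FIRST_FULLY_FIXED: Version = (22, 0, 9)


def parse_version(text: str) -> Version:
    """Parse a version string such as '21.2.11' (trailing text is ignored).

    Raises ValueError for anything that does not start with three numeric parts,
    so an unreadable inventory entry is flagged rather than silently treated as safe.
    """
    core = text.strip().split(" ")[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised PaperCut version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def is_patched(text: str) -> bool:
    """True if the version carries the CVE-2023-27350/27351 fix."""
    v = parse_version(text)
    if v >= FIRST_FULLY_FIXED:
        return True
    fixed = FIXED_ON_BRANCH.get(v[:2])
    # Assumption: a branch with no listed fix (e.g. 21.1.x) counts as unpatched.
    return fixed is not None and v >= fixed


@dataclass(frozen=True)
class Server:
    host: str
    version: str
    mgmt_port_external: bool  # is TCP 9191 reachable from external addresses?


def triage(servers: List[Server]) -> List[Tuple[str, str, str]]:
    """Return (host, severity, action) for each server, worst cases first."""
    rank = {"CRITICAL": 0, "HIGH": 1, "UNKNOWN": 2, "OK": 3}
    findings = []
    for s in servers:
        try:
            patched = is_patched(s.version)
        except ValueError as err:
            findings.append((s.host, "UNKNOWN", f"verify version manually: {err}"))
            continue
        if patched:
            findings.append((s.host, "OK", "fixed version installed"))
        elif s.mgmt_port_external:
            findings.append((s.host, "CRITICAL",
                             "unpatched and port 9191 reachable externally: update now, "
                             "or block 9191 at the edge and on the host firewall"))
        else:
            findings.append((s.host, "HIGH",
                             "unpatched; workaround in place, update to a fixed version"))
    return sorted(findings, key=lambda f: rank[f[1]])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Server("print-01.example.internal", "22.0.8", mgmt_port_external=True),
    Server("print-02.example.internal", "21.2.11", mgmt_port_external=False),
    Server("print-03.example.internal", "20.1.6", mgmt_port_external=False),
    Server("print-04.example.internal", "unknown", mgmt_port_external=False),
]

if __name__ == "__main__":
    for host, severity, action in triage(SAMPLE_INVENTORY):
        print(f"{severity:8} {host}: {action}")
```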

Further recommended mitigations against attacks by Clop, LockBit, and other cybercriminal groups are detailed in the HC3 alert.

The post HC3: Ransomware Groups are Exploiting GoAnywhere and PaperCut Vulnerabilities appeared first on HIPAA Journal.

Organizations Face Increased Scrutiny of Health Data Breaches

Healthcare hacking incidents are increasing, new regulatory requirements and compliance initiatives have followed the Dobbs decision and the use of tracking pixels, and lawsuits against healthcare organizations over privacy violations are soaring. HIPAA-regulated entities and other organizations that operate in the healthcare space are now facing increased scrutiny of their data security practices and compliance programs, and the coming 12 months will likely see an increase in enforcement actions and lawsuits over privacy violations.

The recently published BakerHostetler Data Security Incident Response Report (DSIR) draws attention to these issues and provides insights into the threat landscape to help organizations determine how to prioritize their efforts and investments. The report, now in its 9th year, was based on 1,160 security incidents managed by BakerHostetler’s Digital Assets and Data Management Practice Group in 2022.

After a surge in ransomware attacks in 2021, 2022 saw a reduction in attacks; however, there was a surge in ransomware activity toward the end of the year and that surge has continued in 2023. That surge has coincided with increases in ransom demands, paid ransoms, and ransomware recovery times. In 2022, the average ransom demand and payment increased in 6 out of the 8 industries tracked. In healthcare, the average ransom demand was $3,257,688 (median: $1,475,000) in 2022, and the average payment increased by 78% to $1,562,141 (median: $500,000). Across all industry sectors, paid ransoms increased by 15% to $600,688.

Network intrusions also increased and were the most common type of security incident, accounting for almost half of all data incidents covered in the report. BakerHostetler notes that companies have been getting better at detecting and containing these incidents, with dwell time decreasing from an average of 66 days in 2021 to 39 days in 2022. The time taken for containment fell from 4 days to 3 days, and investigation time decreased from 41 days in 2021 to 36 days in 2022.

The increase in hacking and ransomware attacks has prompted companies to invest more heavily in cybersecurity, and while security defenses have been enhanced, cybercriminals have found new ways of circumventing those defenses and attacking systems. Techniques that have proven successful in 2022 include MFA bombing, social engineering, SEO poisoning, and EDR-evading malware.

The cost of cyberattacks increased significantly in 2022, with forensic investigation costs increasing by 20% from last year in addition to increases in the cost of business disruption, data reviews, notification, and indemnity claims. Legal costs from data breaches have also increased significantly as it is now common for multiple lawsuits to be filed in response to data breaches.

Data breaches of 10,001 to 500,000 records see an average of 12-13 lawsuits filed and lawsuits are even being filed for smaller data breaches, with breaches of less than 1,000 records typically seeing 4 lawsuits filed. According to BakerHostetler, lawsuits have doubled since last year and we are now at a stage where legal action is almost a certainty following a data breach. There have been increases in lawsuits for violations of state privacy laws, and with a further 4 states enacting new privacy legislation in 2022 and one more due to introduce a new privacy law in 2023, the compliance landscape is becoming more complicated.

In the summer of 2022, a report was published by The Markup/STAT detailing an analysis of the use of pixels (tracking technologies) on hospital websites. These code snippets are typically added to websites to track visitor activity to improve websites and services, but the code also transmits identifiable visitor information to third parties. The extent to which these tools were being used – without the knowledge of website visitors – attracted attention from the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC), with both issuing guidance on the use of these tools. OCR and the FTC have confirmed that Pixel-related violations of HIPAA and the FTC Act are now an enforcement priority, with the FTC having already taken action against entities over the use of these tracking tools. Law firms have been quick to sue healthcare organizations over these privacy breaches. More than 50 lawsuits have been filed against healthcare organizations in response to Pixel-related breaches since June 2022, when the report was published.

A further study of the use of Pixels by healthcare organizations suggests almost 99% of US non-federal acute care hospital websites had pixels on their websites that could transmit sensitive data, yet only a handful of healthcare organizations have disclosed Pixel-related data breaches to OCR so far. There could well be a surge in HIPAA enforcement actions by OCR and huge numbers of lawsuits filed in response to these breaches over the coming months.

There are also likely to be enforcement actions against HIPAA-regulated entities and non-HIPAA-regulated entities in the healthcare space for privacy violations involving reproductive health information, as both the FTC and OCR have stated that reproductive health information privacy will be an enforcement priority. OCR’s HIPAA Right of Access enforcement initiative is still ongoing, and compliance remains a priority for OCR.

BakerHostetler has also issued a warning about HIPAA compliance for non-healthcare entities, stressing that HIPAA applies to employer-sponsored health plans. There was an increase in data breaches at employer health plans in 2022 and these are likely to come under increased regulatory scrutiny, not just by OCR but also by the Department of Labor, which is increasingly conducting follow-on investigations focusing on the overall cybersecurity posture of these plans. State attorneys general have also started taking a much more active interest in the activities of healthcare entities, with investigations by state attorneys general into violations of HIPAA and state laws increasing in 2022.

BakerHostetler also identified a major increase in snooping incidents in 2022. These incidents include healthcare employees snooping on healthcare records and attempting to divert controlled substances. The increase confirms how important it is to create and monitor logs of system activity to detect malicious insider activity quickly. BakerHostetler notes that having systems in place that monitor for system activity anomalies is also key to rapidly detecting hacking and ransomware incidents.

“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team. “We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts.”


Healthcare Industry Facing Increased Malware and Ransomware Threats

Ransomware actors continue to target the U.S. healthcare sector, cybercriminals are increasingly using malware to steal data and provide persistent access to healthcare networks, and legitimate penetration tools are being used to mask malicious activity amongst genuine use of these tools by red teams.

These are some of the findings from the latest Global Threat Intelligence Report from BlackBerry, which is based on threats detected by its Cylance Endpoint Security solution over the 90 days from December 2022 to February 2023. During that time, BlackBerry detected up to 12 cyberattacks per minute and identified a massive increase in unique attacks using new malware samples, which rose by 50% from 1 per minute to 1.5 per minute in the most recent reporting period.

The United States remains the most targeted country, although there has been a change in focus elsewhere, with Brazil now the second most targeted country followed by Canada. The same industry sectors are favored, with financial services, healthcare, and food/staples accounting for 60% of all malware-based attacks. The most commonly detected malware were droppers, downloaders, remote access tools (RATs), and ransomware.

BlackBerry detected an increase in cyberattacks using the Agent Tesla RAT, RedLine initial access and information stealer, Emotet downloader, and BlackCat ransomware, all of which have been used in attacks on the healthcare sector. Over the 90 days, BlackBerry detected and blocked 5,246 unique malware samples that had been used in attacks on its healthcare provider clients, with an average of 59 new, unique malware samples blocked each day. Over the 90 days, BlackBerry blocked 93,000 individual attacks on its healthcare clients.

The biggest malware threat faced by the healthcare industry was Emotet. While Emotet started out as a banking Trojan, it is now primarily a botnet-driven malware dropper that is used to deliver a range of malicious payloads for other cybercriminal groups. Emotet is capable of self-propagation and lateral movement and is used to deliver malware and ransomware payloads. The RedLine information stealer was also a top threat to the healthcare sector.

Ransomware gangs continue to pose a major threat, with BlackCat and Royal both aggressively targeting the healthcare sector. BlackCat is believed to include former affiliates of the DarkSide and BlackMatter ransomware operations and has been active since November 2021 and there are indications that attacks are widening. Royal ransomware is a relatively new ransomware group that first appeared in September 2022. The group is thought to include some highly capable and experienced individuals, including members of the now-defunct Conti ransomware operation.

The healthcare industry is being targeted by initial access brokers, who compromise healthcare networks and then sell access to ransomware gangs, with access often gained through credential theft. BlackBerry also detected widespread use of the penetration testing tools Cobalt Strike and Brute Ratel, with malicious use of the former a significant threat to the healthcare sector. Nation-state actors and cybercriminals have been observed using these tools.

BlackBerry expects ransomware affiliates to continue to target hospitals and medical organizations for the foreseeable future, especially in countries that support or provide funding to Ukraine, with BlackCat, Royal, and LockBit 3.0 expected to continue to pose a threat to the healthcare sector. Healthcare, along with other critical infrastructure sectors, will likely be targeted by financially motivated as well as politically motivated actors over the coming months and BlackBerry also warns that AI is likely to be increasingly used for attack automation and deep fake attacks. Deep fake attacks have gained significant traction in recent months.


NIST Releases Discussion Draft of NIST CSF 2.0 Core

The National Institute of Standards and Technology (NIST) is in the process of updating the NIST Cybersecurity Framework (CSF) 1.1 and plans to release the complete draft version 2.0 in the summer. A discussion draft has been published that includes updates to the Core elements of the Framework and NIST is seeking concrete suggestions on how the Framework can be improved ahead of the publication of the complete draft. The NIST CSF 2.0 Core covers the outcomes across the 6 Functions, 21 Categories, and 112 Subcategories and includes a sample of potential new CSF 2.0 Informative Examples. The discussion draft is not complete and is preliminary, and has been released to improve transparency and inform the development of the complete draft.

Modifications have been made to the NIST CSF 1.1 to increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices. NIST has received comments confirming version 1.1 of the Framework is still effective at addressing cybersecurity risks but felt an update was required to make it easier for organizations to address current risks and future cybersecurity challenges more effectively.

NIST received 92 written responses to its January 2023 CSF 2.0 concept paper, feedback from working sessions and workshops, 134 written responses to its February 2022 NIST Cybersecurity RFI, and suggestions at conferences, webinars, roundtables, and meetings around the world. All feedback has been considered when crafting the update to the Framework.

Specifically, NIST seeks feedback on whether the cybersecurity outcomes detailed in the discussion draft address the current challenges faced by organizations, are aligned with existing cybersecurity practices and resources, and whether the updates address the submitted comments. NIST said suggestions can also be submitted on any aspects of the framework where further improvements can be made, including the content, format, and scope of the implementation examples.

NIST has confirmed that updates will be made to other elements of the Framework and said there is still much work to be done ahead of the planned summer release of the complete draft of NIST CSF 2.0.

The discussion draft can be viewed/downloaded here.


Riskiest Connected Medical Devices Revealed

Through the Internet of Medical Things (IoMT), an array of medical devices has been connected to the Internet, allowing them to be operated, configured, and monitored remotely. These devices can transmit medical data across the Internet to clinicians, allowing rapid action to be taken to adjust treatments, and data collected from the devices can be fed automatically into electronic medical records. The use of IoMT devices is growing at an extraordinary rate, with the number of devices used by smart hospitals expected to double from 2021 levels to 7 million IoMT devices by 2026.

While Internet-connected medical devices offer important benefits, they also increase the attack surface considerably. Vulnerabilities in IoMT devices are constantly discovered that can potentially be exploited by malicious actors to gain access to the devices and the networks to which the devices connect. According to a 2022 report from the FBI, 53% of digital medical devices and other Internet-connected devices contain at least one unpatched critical vulnerability.

The asset visibility and security company Armis has recently conducted a comprehensive analysis of data collected from medical and IoT devices to identify the riskiest IoMT and IoT devices. The data came from more than 3 billion assets that are tracked through the Armis Asset Intelligence and Security Platform. The analysis revealed the riskiest connected medical devices were nurse call systems, 39% of which had unpatched critical vulnerabilities and 48% had other unpatched vulnerabilities. A critical vulnerability is a flaw that can be exploited in a direct or indirect attack by a malicious actor that will result in decisive or significant effects. If flaws in medical devices are exploited, hackers could gain access to the networks to which the devices connect, steal sensitive data, or alter the functionality of the devices themselves and put patient safety at risk.

Infusion pumps were the second riskiest connected medical device with 27% of analyzed devices having at least one unpatched critical flaw and 30% having other unpatched vulnerabilities, followed by medication dispensing systems with 4% containing unpatched critical flaws and an astonishing 86% having other unpatched vulnerabilities. Armis notes that 32% of the analyzed medication dispensing systems were running on unsupported Windows versions. Overall, across all connected medical devices, 19% were running on unsupported operating systems, as IoMT devices often have lifespans that exceed the lifespans of the operating systems on which they run.

IoT devices can also introduce considerable risks and provide hackers with an easy opportunity to gain a foothold in healthcare networks. Armis monitors IP cameras in clinical environments and found that 56% have unpatched critical vulnerabilities and 59% have other unpatched vulnerabilities, which makes IP cameras the riskiest IoT devices, followed by printers (37%/30%) and VoIP devices (53%/2%).

“Advances in technology are essential to improve the speed and quality of care delivery as the industry is challenged with a shortage of care providers, but with increasingly connected care comes a bigger attack surface,” said Mohammad Waqas, Principal Solutions Architect for Healthcare at Armis. “Protecting every type of connected device, medical, IoT, even the building management systems, with full visibility and continuous contextualized monitoring is a key element to ensuring patient safety.”

The growing number of wireless, Internet- and network-connected devices and increasing cybersecurity threats targeting the healthcare sector prompted the U.S. Food and Drug Administration (FDA) to take action. Manufacturers of medical devices will soon be required to provide information about the cybersecurity of their devices in pre-market submissions as part of a drive to improve medical device cybersecurity. Those requirements include a software bill of materials to allow vulnerable components to be identified and patched, cybersecurity measures to secure the devices and sensitive data, and a plan to issue security updates for the lifespan of the devices.


One-Fifth of Healthcare Organizations Do Not Enforce Cybersecurity Protocols

A recent Salesforce survey revealed some of the security gaps that exist in healthcare organizations, even those that have a security-first culture. The survey revealed only one-fifth of healthcare organizations enforce their cybersecurity protocols and only two-fifths of healthcare workers look at their security protocols before using new tools or technology.

The Salesforce survey was conducted on April 13, 2023, on 400 healthcare workers in the United States who were asked questions about cybersecurity and policies and procedures at their organizations. 57% of surveyed workers said their job has become more digitized over the past two years, which means more data than ever now needs to be protected. There is a common myth that cybersecurity is the sole responsibility of the IT department; however, a majority of the respondents were aware that cybersecurity is a shared responsibility. 76% of healthcare respondents agreed that it is their responsibility to keep data safe, yet despite being aware of the need to protect data, many workers admitted to not always following cybersecurity best practices.

22% of respondents said their organization does not strictly enforce cybersecurity protocols, and 31% of respondents said they were unsure what they should do in the event of a breach. While more than two-thirds of workers (67%) said they have a security-first culture at work, 31% of respondents said they are not very familiar with their company’s security policies and processes and only 39% of workers check security protocols before trying new tools or technology.

There appears to be a lack of understanding about security risks associated with connected devices such as phones and laptop computers, with only 40% of surveyed workers believing they pose a security risk and 48% thinking their personal devices were as secure as their work devices. 46% of workers said they have accessed work documents on their personal devices. A large number of healthcare workers implicitly trust their work devices, with 61% of workers saying that if something could be accessed on their work device it must be safe.

These are issues that can be tackled through security awareness training, but the message does not appear to be getting through, even though 70% of respondents said they are given training on how to keep data safe. While an increasing number of organizations understand the importance of providing security awareness training to the workforce, there is room for improvement, as those training courses are not proving to be as effective as they should be. Only 54% of respondents said their training was efficient and 19% said training is generic and not relevant to their job.

One-third of workers (33%) said they use the same passwords for their personal and work accounts, 25% of surveyed workers admitted to clicking a suspicious link in an email at work, only 42% of workers report all suspicious emails to their security team, 19% do not always use VPN when conducting work online, and only 39% of workers always use multi-factor authentication.

The survey shows that while healthcare organizations are taking steps to develop a security culture, more needs to be done to get the message across that security best practices must always be followed. Improving the efficiency of training can help to get employees on board, such as implementing a modular training course and tailoring the training for specific roles to ensure it is relevant. The survey also suggests healthcare organizations could do a lot more when it comes to enforcing security policies.


March 2023 Healthcare Data Breach Report

Our monthly data breach reports are based on data breaches of 500 or more records that have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) each month. The monthly reports provide an indication of the extent to which healthcare data breaches are increasing, decreasing, or remaining flat. To view longer-term healthcare data breach trends, visit our healthcare data breach statistics page.

Healthcare Data Breaches Reported in March 2023

In March, 63 breaches of 500 or more records were reported to OCR, which is a 46.51% increase from February, 6.92% more than the 12-month average, and 40% more breaches than in March 2022.

[Figure: March 2023 Healthcare Data Breach Report – breaches over the past 12 months]

There was a 15.62% month-over-month increase in breached records, with 6,382,618 records exposed or impermissibly disclosed across the 63 data breaches. That’s 36% more records breached than the 12-month average and 76.46% more breached records than in March 2022.

[Figure: March 2023 Healthcare Data Breach Report – breached records over the past 12 months]

Largest Healthcare Data Breaches

In March, 22 healthcare data breaches were reported that impacted more than 10,000 individuals, up from 17 such breaches in February 2023. Four of those breaches, including the largest data breach of the month, were due to the use of tracking code on websites that collected individually identifiable website visitor data. The data collected was used for analytics purposes but was transferred to the providers of the code. Those third parties included, but were not limited to, Meta (Facebook), Instagram, and Google. These tracking tools are not prohibited by the HIPAA Privacy Rule, but if they are used, consent must be obtained, or the disclosure must be permitted by the Privacy Rule and a business associate agreement must be in place with the provider of the code. We can expect to see many more of these breaches reported over the coming weeks and months. According to a recently published study, 99% of U.S. hospitals have used these tools on their websites. Relatively few have reported tracking code-related data breaches to OCR.

Malicious actors continue to use ransomware in their attacks on healthcare organizations. Three of the top 22 data breaches were confirmed as involving ransomware, and several other hacking incidents were reported that involved network disruption but were not reported as involving ransomware. Several threat actors that are known to use ransomware in their attacks on the healthcare sector are now choosing not to encrypt files; instead, they just steal data for extortion. For example, the Clop ransomware group typically deploys ransomware in its attacks, but in recent attacks that exploited a vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution, ransomware was not deployed. The group stole data from 130 organizations in the attacks, including Community Health Systems Professional Services Corporations and US Wellness Inc, both of which are in the top 22 list.

There were three 10,000+ record data breaches involving the hacking of email accounts, through phishing or other means. Phishing attacks are common in healthcare, and while these attacks can be difficult to prevent, it is possible to limit the harm caused by placing time limits on how long emails are stored in email accounts. While emails often need to be retained for compliance with HIPAA and other laws, moving them to a secure archive can help to reduce the extent of a data breach if email accounts are compromised. One of the phishing attacks saw one email account compromised that contained the PHI of more than 77,000 individuals.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Cerebral, Inc | DE | Business Associate | 3,179,835 | Website tracking code – Impermissible disclosure to third parties |
| ZOLL Services LLC | MA | Healthcare Provider | 997,097 | Hacking incident (details not made public) |
| Community Health Systems Professional Services Corporations (CHSPSC), LLC | TN | Business Associate | 962,884 | Hacking of Fortra’s GoAnywhere MFT solution |
| Santa Clara Family Health Plan | CA | Health Plan | 276,993 | Hacking incident involving business associate – no information available |
| Monument, Inc. | NY | Business Associate | 108,584 | Website tracking code – Impermissible disclosure to third parties |
| Bone & Joint Clinic, S.C. | WI | Healthcare Provider | 105,094 | Hacking incident: Network disruption and data theft |
| Florida Medical Clinic, LLC | FL | Healthcare Provider | 94,132 | Ransomware attack |
| Healthy Options dba Postal Prescription Services – Kroger | OH | Healthcare Provider | 82,466 | Impermissible disclosure of PHI to Kroger |
| NorthStar Emergency Medical Services | AL | Healthcare Provider | 82,450 | Hacking incident (details not made public) |
| Merritt Healthcare Advisors | CT | Business Associate | 77,258 | Unauthorized accessing of employee email account |
| NewYork Presbyterian Hospital | NY | Healthcare Provider | 54,396 | Website tracking code – Impermissible disclosure to third parties |
| Trinity Health | MI | Business Associate | 45,350 | Phishing attack: employee email account compromised |
| UHS of Delaware, Inc. | PA | Business Associate | 40,290 | Unauthorized accessing of employee email account |
| SundaySky, Inc. | NY | Business Associate | 37,095 | Hacked cloud server – data theft confirmed |
| Denver Public Schools Medical Plans | CO | Health Plan | 35,068 | Hacked network server – data theft confirmed |
| Atlantic General Hospital | MD | Healthcare Provider | 26,591 | Ransomware attack |
| UC San Diego Health | CA | Healthcare Provider | 23,000 | Website tracking code used by a business associate – Impermissible disclosure to third parties |
| Tallahassee Memorial Healthcare, Inc. | FL | Healthcare Provider | 20,376 | Hacked network server – data theft confirmed |
| Northeast Surgical Group, PC | MI | Healthcare Provider | 15,298 | Hacked network server |
| Health Plan of San Mateo | CA | Health Plan | 11,894 | Unauthorized accessing of employee email account |
| US Wellness Inc. | MD | Business Associate | 11,459 | Hacking of Fortra’s GoAnywhere MFT solution |
| Codman Square Health Center | MA | Healthcare Provider | 10,161 | Ransomware attack |

Causes of March 2023 Data Breaches

The majority of the month’s reported breaches were classified as hacking/IT incidents, as has been the case for many months. While hacking incidents usually account for the vast majority of breached records, in March they accounted for only 54.29% of the month’s breached records due to very large data breaches caused by the use of tracking technologies. The average size of a hacking incident in March was 73,724 records and the median breach size was 2,785 records.

[Figure: March 2023 Healthcare Data Breach Report – causes of breaches]

There were 14 data breaches reported as unauthorized access/disclosure incidents and while they only accounted for 22.22% of the month’s data breaches, they were responsible for 45.65% of the breached records, mostly due to the website tracking code breaches. The average breach size was 208,114 records and the median breach size was 2,636 records. There was one theft incident reported involving the protected health information of 3,013 individuals and one improper disposal incident involving 999 records.

[Figure: March 2023 Healthcare Data Breach Report – location of breached data]

Where Did the Breaches Occur?

The entity reporting a data breach is not always the entity that experienced the breach. Business associates of HIPAA-covered entities may self-report breaches, but it is common for the covered entity to report the breaches. The data submitted to OCR indicates breaches occurred at 33 healthcare providers, 24 business associates, and 6 health plans. The pie charts below are based on where the breaches actually occurred rather than the reporting entity, as this provides a clearer picture of the extent to which data breaches are occurring at business associates.

[Figure: March 2023 Healthcare Data Breach Report - breaches at HIPAA-regulated entities]

The pie chart below shows the extent to which patient and health plan member records have been exposed or compromised at business associates. 75.4% of the month’s breached records were due to data breaches at business associates.

[Figure: March 2023 Healthcare Data Breach Report - records breached at HIPAA-regulated entities]

Geographical Distribution of March 2023 Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 U.S. states in March, with New York topping the list with 18 reported data breaches. The unusually high total was due to an attack on a business associate – Atlantic Dialysis Management Services – which reported the breach separately for each affected client and submitted 14 separate breach reports to OCR.

State Breaches
New York 18
California 7
Florida, Massachusetts, Ohio, Pennsylvania & Texas 3
Indiana, Kansas, Maryland, Michigan & Oregon 2
Alabama, Arizona, Colorado, Connecticut, Delaware, Georgia, Illinois, Kentucky, New Jersey, Oklahoma, Tennessee, Wisconsin & West Virginia 1

HIPAA Enforcement Activity in March 2023

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights in March, but there was one enforcement action by a state Attorney General. The New York Attorney General confirmed that a case had been settled with the law firm, Heidell, Pittoni, Murphy & Bach LLP. The law firm was investigated following a breach of the personal and protected health information of 61,438 New York residents to identify potential violations of HIPAA and New York laws. The law firm chose to settle the case with no admission of wrongdoing and paid a financial penalty of $200,000. The New York Attorney General alleged violations of 17 HIPAA provisions and implementation specifications, details of which can be found here.

While the Federal Trade Commission does not enforce HIPAA, the agency has started taking action over breaches of healthcare data by non-HIPAA-covered entities to resolve violations of the FTC Act and the FTC Health Breach Notification Rule. In February, the FTC announced that its first settlement had been reached for a health data breach notification failure, and that was followed by a second enforcement action in March. The FTC announced that the online counseling service provider, BetterHelp, had agreed to settle alleged FTC Act violations related to impermissible disclosures of health data to third parties when users of its services had been told their information was private and confidential. While there was no fine, under the terms of the settlement, $7.8 million will be paid to the consumers affected by the breach and they must be notified per the Health Breach Notification Rule.

The post March 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Mandiant Shares Threat Intelligence from 2022 Cyber Incident Investigations

The Google-owned cybersecurity firm Mandiant has released its M-Trends 2023 report. The report provides insights into the rapidly evolving cyber threat landscape and can help network defenders better protect their systems and data from malicious actors. The data for the report came from Mandiant’s investigations and remediation of cyberattacks worldwide, including some of the most high-impact attacks in the past 12 months. The data suggests that organizations have managed to strengthen their defenses; however, cybercriminals have been conducting increasingly sophisticated attacks and in many cases have managed to stay one step ahead.

One of the key findings from this year’s report is malicious actors are spending far less time in victims’ environments, with 2022 seeing another year-over-year drop in dwell time from 21 days in 2021 to just 16 days, which is the shortest average dwell time in any of the 14 years that Mandiant has been producing its M-Trends reports. Victims have even less time to detect a compromise and they are already struggling to identify these intrusions. In the Americas, 55% of incidents Mandiant investigated saw the victim notified about a compromise by an external third party, up from 40% in 2021. Mandiant notes that this is the highest percentage of external notifications in the past 6 years.

The investigations revealed increasing numbers of malware families in 2022, which continues a trend observed in 2021. Mandiant started tracking 588 new malware families in 2022 of which backdoors were the most common malware type (34%) followed by downloaders (14%), droppers (11%), ransomware (7%), and launchers (5%), with the BEACON backdoor the most commonly detected malware family.

While malware families increased, ransomware attacks declined. In 2021, 23% of Mandiant’s investigations involved ransomware. In 2022 the percentage fell to 18%. While Mandiant cannot be certain about the reason for the fall in attacks, the researchers suggest it is likely a combination of factors, including changes in the operating environment and the breakup of large ransomware groups, the war in Ukraine, more effective disruption efforts by law enforcement, and organizations getting better at detecting ransomware.

The most common initial infection vector in the incidents Mandiant responded to was the exploitation of vulnerabilities in software and operating systems, which accounted for 32% of incidents, down from 37% in 2021. Phishing was the second most common initial access vector, accounting for 22% of intrusions, up from 12% in 2021.

Mandiant identified an increase in the use of information stealers and credential purchasing, and there was an increase in cyberattacks involving data theft, which occurred in 40% of incidents. Mandiant also observed an increase in destructive cyberattacks in Ukraine and a notable increase in attacks by hackers in the Democratic People’s Republic of Korea targeting cryptocurrency, which have proven to be incredibly lucrative.

The post Mandiant Shares Threat Intelligence from 2022 Cyber Incident Investigations appeared first on HIPAA Journal.

HHS Provides New Resources and Cybersecurity Training Program to Combat Healthcare Cyber Threats

The Department of Health and Human Services’ Cybersecurity Task Force has shared new resources to help healthcare and public health (HPH) sector organizations combat the growing number of cyberattacks targeting the sector and improve their cybersecurity posture.

The new resources include a new online educational platform that delivers free cybersecurity training that can be used by HPH organizations to raise the security awareness of the workforce, an updated edition of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, which details the top cyber threats faced by the HPH sector, and a report on the current state of cybersecurity preparedness of hospitals, measured against the NIST Cybersecurity Framework.

The online training platform – Knowledge on Demand – is the first free cybersecurity training platform to be offered by the HHS. The platform includes training material on the most pertinent threats to the HPH sector and, at launch, includes training on five cybersecurity topics – social engineering, ransomware, loss/theft of computer equipment and data, accidental and malicious insider data loss, and attacks on network-connected medical devices. The platform includes videos, job aids, and PowerPoint presentations. The training materials can be used to help HPH organizations comply with the security awareness training requirements of the HIPAA Security Rule.

The updated HICP publication has been developed to be appropriate for healthcare organizations of all sizes and includes security best practices and resources to help healthcare organizations prepare for and defend against cybersecurity threats that impact patient safety, including the same five key threats that are covered in the Knowledge on Demand training material. The 47-page document was developed by the 405(d) Task Group, was updated by more than 150 industry and federal professionals, and includes the most cost-effective measures to protect against HPH sector cybersecurity threats and protect patients.

The Hospital Cyber Resiliency Landscape Analysis was conducted by the 405(d) Program and is a review of the current state of cybersecurity at the hundreds of participating hospitals; it assesses their preparedness to deal with cyber threats, their cybersecurity capabilities, and their level of cyber resiliency. The document explores the tactics, techniques, and procedures that cyber adversaries are currently using to compromise U.S. hospitals and disrupt operations for financial gain, and benchmarks the results against specific practices outlined in the HICP. The document identifies best practices and opportunities to improve cyber resiliency.

The post HHS Provides New Resources and Cybersecurity Training Program to Combat Healthcare Cyber Threats appeared first on HIPAA Journal.