Healthcare Cybersecurity

Guide Released on Securing Remote Access Software

Remote access software is used by organizations and their vendors to improve efficiency and productivity and cut costs; however, the same remote access tools can be leveraged by cyber threat actors for a range of malicious purposes while evading detection by security solutions.

Benefits and Risks of Remote Access Software

Remote access software is used for a wide range of purposes and is especially useful for remotely managing and monitoring IT systems and devices. IT support teams use the software to troubleshoot IT issues, provide IT helpdesk support, perform backups and data recovery, reconfigure devices, install new software, apply patches to fix vulnerabilities, and monitor for suspicious network activity. Managed Service Providers (MSPs) extensively use these tools to access clients’ networks to perform a wide range of contracted services.

While the software can improve efficiency and productivity and reduce costs, there is considerable potential for misuse of the software, and remote access solutions are actively targeted by cyber threat actors. By abusing these tools, cyber threat actors can gain broad access to internal systems, and since these tools are legitimately used by members of the workforce and third-party contractors, connections are often not flagged as malicious by security solutions which means malicious actors can hide their activities.

Remote access software is used to gain access to internal networks and maintain persistence, and it is common for threat actors to leverage the software and tools that are already present on the compromised system to sustain their malicious activities. By using these living-off-the-land (LOTL) techniques malicious actors do not need to download additional software, scripts, and tools, which makes intrusions, lateral movement, and data exfiltration difficult to detect.

Remote access software is one of the main ways that ransomware actors gain initial access to victims’ networks and evade security solutions. Cyber threat actors may also exploit vulnerabilities to gain access to systems then install legitimate remote access software or use social engineering techniques to trick individuals into installing the software to provide access to victims’ devices and the networks to which they connect.
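Because attacker-installed remote access tools look like the ones IT already uses, the practical control is an inventory: know which tools are sanctioned, where they are installed, and flag anything else. The following Python is an added example (not code from the joint guide or from any of the agencies named on this page). The sanctioned inventory, the catalogue of remote-control executables, and the Sysmon-style process-creation events are assumptions constructed for illustration; an organization would populate them from its own asset records and EDR telemetry.

```python
"""Flag remote access tools that fall outside a sanctioned inventory.

Added example (not from the joint guide). Tool names, install paths and the
sample events are assumptions constructed for illustration.
"""
import csv
import io
from pathlib import PureWindowsPath

# Assumed sanctioned inventory: executable name -> directory IT deploys it to.
SANCTIONED = {
    "helpdesk-remote.exe": PureWindowsPath(r"C:\Program Files\Helpdesk Remote"),
}

# Constructed catalogue of executables known to provide remote control, licensed
# or not. Maintain the real list from your own asset inventory.
REMOTE_ACCESS_TOOLS = {
    "helpdesk-remote.exe", "anydesk.exe", "teamviewer.exe",
    "screenconnect.clientservice.exe", "atera.agent.exe",
}

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = r"""time,host,user,image,parent
2023-06-12T09:01:00Z,WS-0412,corp\jdoe,C:\Program Files\Helpdesk Remote\helpdesk-remote.exe,C:\Windows\explorer.exe
2023-06-12T09:03:00Z,WS-0412,corp\jdoe,C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe,C:\Users\jdoe\Downloads\invoice.pdf.exe
2023-06-12T09:05:00Z,SRV-FILE01,corp\svc_backup,C:\Users\Public\helpdesk-remote.exe,C:\Windows\System32\cmd.exe
2023-06-12T09:06:00Z,WS-0099,corp\asmith,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe
"""


def is_within(path, base):
    """Case-insensitive check that `path` is `base` or sits underneath it."""
    p = [part.lower() for part in path.parts]
    b = [part.lower() for part in base.parts]
    return p[:len(b)] == b


def classify(event):
    """Return a reason string if the event deserves review, else None."""
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    if name not in REMOTE_ACCESS_TOOLS:
        return None  # not a remote control tool, nothing to do
    if name not in SANCTIONED:
        return "unsanctioned remote access tool"
    if not is_within(image.parent, SANCTIONED[name]):
        # A legitimate tool copied to a user-writable or public directory is a
        # common sign of attacker-installed, not IT-installed, remote access.
        return f"sanctioned tool launched from unexpected path (expected {SANCTIONED[name]})"
    return None


def review_events(csv_text=SAMPLE_EVENTS):
    """Run classify() over CSV rows and return the events that need review."""
    findings = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(event)
        if reason:
            findings.append({**event, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review_events():
        print(f"{f['time']} {f['host']} {f['user']} {f['image']} -> {f['reason']}")
```

On the constructed events the first row (the sanctioned tool from its expected directory) and the last row (not a remote access tool) pass; the AnyDesk launch from a temp directory and the sanctioned tool copied to C:\Users\Public are returned for review. The parent process column is carried through so an analyst can see, for instance, a remote access tool spawned by a double-extension download.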

Guidance on Securing Remote Access Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD) have recently published a guide for all organizations that use remote access software for regular business purposes, especially managed service providers, to help them defend against malicious use of the software.

The guide includes best practices, protections, and mitigations developed by CISA and the National Institute of Standards and Technology (NIST) based on existing cybersecurity frameworks to help organizations protect against the most common cyber threats and tactics, techniques, and procedures used by cybercriminal groups and nation-state threat actors. The guidance can be used by organizations of all types and sizes and includes specific best practices and recommendations for IT support teams and managed service providers.

Guide to Securing Remote Access Software – PDF

The post Guide Released on Securing Remote Access Software appeared first on HIPAA Journal.

Verizon 2023 DBIR: Social Engineering Attacks Increase; Ransomware Plateaus

The eagerly anticipated Verizon 2023 Data Breach Investigations Report (DBIR) has been published – an annual report that provides insights into the current threat landscape and data breach trends. This year, the report is based on an analysis of 16,312 security incidents, where the integrity, confidentiality, or availability of an information asset was compromised, and 5,199 data breaches, where there was a confirmed disclosure of sensitive data to an unauthorized third party. All incidents included in the report occurred between November 1, 2021, and October 31, 2022.

Last year, the report indicated the human element was involved in 82% of all breaches, down from 85% in 2021. That downward trend has continued, with the human element involved in 74% of breaches in 2022. These include mistakes by employees such as misconfigurations and responses to pretexting attacks, as well as deliberate actions by malicious insiders. In around half of all breaches (49%), initial access was gained with stolen credentials; phishing was the next most common method, accounting for 12% of breaches, followed by the exploitation of vulnerabilities at 5%. Log4j was the most cited exploited vulnerability, named in 90% of exploitation incidents that identified the vulnerability, although only 20.6% of such incidents did so.

Social Engineering Attacks Continue to Increase

This year’s report highlights a continuing rise in pretexting incidents, a type of social engineering attack in which the victim is manipulated into divulging sensitive information or taking an action. These attacks typically involve impersonation and include business email compromise (BEC) attacks, which almost doubled in a year and now account for more than 50% of social engineering incidents, overtaking phishing for the first time, although phishing remains the most common social engineering method in confirmed data breaches. Losses to BEC attacks have been rising steadily, with the median jumping from a little over $30,000 in 2018 to $50,000 in 2022. Email was the initial vector in 98% of social engineering attacks, with the remainder telephone-based (vishing) or via SMS and instant messaging (smishing).

One of the problems highlighted in the report is the lack of protection against social engineering attacks, especially for the accounts of senior leadership. These individuals are targeted because they hold the most valuable accounts, with extensive access to systems and data, and their accounts are often excepted from standard security controls. Detecting these attacks can be difficult, and blocking them requires a combination of measures including email security solutions, end-user training, and multifactor authentication, with stronger protections applied to the most valuable and most highly privileged accounts.

Ransomware Attacks Remain Steady

Ransomware attacks continue to be conducted in high numbers but the number of attacks has remained steady, accounting for 24% of incidents and 15.5% of data breaches – a slight increase in ransomware incidents from last year and a slight decrease in ransomware-related data breaches. Verizon reports that ransomware is used in 62% of cyberattacks by organized crime actors and 59% of financially motivated incidents. Email, desktop-sharing software, and web applications were the most common attack vectors in ransomware attacks.

Figures from the FBI indicate 10% of ransomware attacks covered in the 2021 DBIR involved financial losses, with a median loss of $11,500. This year, only 7% of attacks involved financial losses, but the median loss has doubled to $26,000, with the maximum loss jumping from $1.2 million to $2.25 million. The overall cost of remediating ransomware attacks continues to increase despite a continuing fall in median ransom payments.

Other Causes of Security Incidents and Data Breaches

While the majority of attacks were hacking incidents, insider breaches continue to occur. 602 insider incidents were included in the report, out of which 512 involved confirmed data disclosures. The most common cause of these incidents was misdeliveries, which accounted for 43% of insider incidents, followed by misconfigurations (23%) and publishing errors (21%). Social engineering, phishing, and ransomware attacks dominate the headlines, but by far the most common type of attack is denial-of-service, which was behind 6,248 of the 16,312 security incidents. While these attacks do not tend to carry the same costs as data breaches, they can still cause considerable disruption to business operations as they prevent access to the Internet and business-critical systems.

2,091 incidents involved lost and stolen assets, with loss incidents – typically lost mobile phones, laptops, and printed documents – accounting for the vast majority. These incidents were numerous but often did not figure in the breach data, as the data on lost devices was not confirmed as breached, only at risk. These incidents remained at a similar level to last year, accounting for around 10% of all data breaches.

Patterns in Data Breaches. Source: 2023 Verizon Data Breach Investigations Report.

Causes of Healthcare Attacks and Data Breaches

Healthcare was represented in 525 incidents, 436 of which involved confirmed data disclosures. The most common patterns were basic web application attacks (164), miscellaneous errors (153), system intrusions (121), social engineering (65), privilege misuse (57), and lost/stolen assets (18). As Verizon points out, many healthcare breach notification letters describe the breach as the result of a highly sophisticated cyberattack; yet basic web application attacks, which typically involve brute-forcing weak passwords and credential stuffing, were the most common, and those are not complex.

Many of the incidents in healthcare were due to employee mistakes. Misdelivery – sending emails or mailing letters to the wrong individuals – was the second biggest cause of data breaches. Privilege misuse, which includes employees snooping on patient records, has been decreasing but is still more prevalent than in many other industries. These incidents are hard to prevent outright, so the focus must be on fast detection to limit harm: monitoring access logs for unusual data access patterns and automating that review as far as possible.
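As an added illustration of the automated review the paragraph above calls for (not code from the DBIR or from Verizon), the following Python applies two simple rules to a constructed EHR audit log: accesses to patients outside the user's unit with no documented treatment relationship, and a day on which a user opens several times more records than their own median. The audit schema, user names and records are assumptions made up for the example; a real deployment reads the EHR's access audit trail and would add rules such as same-surname or VIP-record access.

```python
"""Screen an EHR audit log for two snooping-style access patterns.

Added example (not from the DBIR). The audit schema and all records below are
constructed; real logs come from the EHR's access audit trail.
"""
from collections import Counter, defaultdict
from statistics import median


def build_sample_log():
    """Constructed audit records: four normal days, then one abnormal day."""
    records = []
    counter = [0]

    def add(day, user, user_unit, patient_unit, n, on_care_team=True):
        for _ in range(n):
            counter[0] += 1
            records.append({
                "date": f"2023-06-{day:02d}",
                "user": user,
                "user_unit": user_unit,
                "patient_id": f"P{counter[0]:04d}",
                "patient_unit": patient_unit,
                "on_care_team": on_care_team,  # documented treatment relationship
            })

    for day in range(1, 5):
        add(day, "nurse_a", "ICU", "ICU", 6)
        add(day, "nurse_b", "ICU", "ICU", 5)
    add(2, "nurse_a", "ICU", "ED", 1)                       # consult: out of unit but on care team
    add(5, "nurse_a", "ICU", "ICU", 6)
    add(5, "nurse_b", "ICU", "ICU", 20)                     # volume far above own baseline
    add(5, "nurse_b", "ICU", "ORTHO", 3, on_care_team=False)  # no relationship to patient
    return records


def find_out_of_unit(records):
    """Accesses to patients outside the user's unit with no treatment relationship."""
    return [r for r in records
            if r["patient_unit"] != r["user_unit"] and not r["on_care_team"]]


def find_volume_spikes(records, factor=3, minimum=10):
    """Days where a user's record count exceeds `factor` x the median of their other days.

    A per-user baseline avoids flagging a busy role as a whole; `minimum`
    suppresses noise from users whose baseline is close to zero.
    """
    per_user = defaultdict(Counter)
    for r in records:
        per_user[r["user"]][r["date"]] += 1
    spikes = []
    for user, by_day in per_user.items():
        for date, count in by_day.items():
            others = [c for d, c in by_day.items() if d != date]
            if not others:
                continue
            baseline = median(others)
            if count >= minimum and count > factor * baseline:
                spikes.append({"user": user, "date": date,
                               "count": count, "baseline_median": baseline})
    return sorted(spikes, key=lambda s: (s["user"], s["date"]))


if __name__ == "__main__":
    log = build_sample_log()
    for r in find_out_of_unit(log):
        print(f"{r['date']} {r['user']} ({r['user_unit']}) opened {r['patient_id']} "
              f"in {r['patient_unit']} with no care-team link")
    for s in find_volume_spikes(log):
        print(f"{s['date']} {s['user']} opened {s['count']} records "
              f"(median of other days: {s['baseline_median']})")
```

The consult on June 2 is out of unit but is not flagged because a treatment relationship is recorded; the three ORTHO records opened by nurse_b on June 5 are, and the same user's 23 records that day trip the volume rule against a median of 5. Both rules are deliberately explainable so a privacy officer can act on each hit without reverse-engineering a model.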

Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed

A zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution is being actively exploited by hackers to perform mass downloads of sensitive data from targeted organizations. MOVEit Transfer was developed by Ipswitch, a Progress Software Corporation-owned company, and is provided as an on-premises solution or a cloud SaaS platform used by enterprises for securely transferring large files.

According to a recent security advisory from Progress, the flaw is an SQL injection vulnerability that affects the MOVEit Transfer web application. If exploited, a remote, unauthenticated attacker can gain access to the MOVEit Transfer database, infer information about the structure and contents of the database, exfiltrate data, and execute SQL statements that alter or delete database elements. Progress has confirmed that the vulnerability affects all MOVEit Transfer versions, including on-prem and MOVEit Cloud. There were many confirmed instances of mass data exfiltration over the Memorial Day weekend when monitoring was reduced, although it appears that the vulnerability was exploited weeks before in many of the cases that have been investigated. At present, it is unclear which threat group is exploiting the flaw as while there has been confirmed data theft, there has been no attempted extortion.

Progress has released a patch for all supported versions, which are available here. Progress recommends that customers immediately block all HTTP and HTTPS traffic to the MOVEit Transfer environment by modifying firewall rules to deny traffic to MOVEit Transfer on ports 80 and 443. Blocking web traffic alone does not stop data exfiltration, which can still occur over SFTP and FTP, so after blocking web traffic a review should be conducted to identify and delete any unauthorized files and user accounts, and credentials should then be reset. The patch can then be applied, and HTTP and HTTPS traffic re-enabled once all unauthorized files and accounts have been confirmed removed.

According to Rapid7, approximately 2,500 MOVEit Transfer instances are exposed to the public Internet, the majority of them in the United States. In all cases of exploitation that Rapid7 observed, the same webshell (human2.aspx) was written to the C:\MOVEit Transfer\wwwroot\ public HTML folder. After patching, organizations should conduct a forensic review for indicators of compromise covering at least the past 30 days to determine whether the flaw had already been exploited and data exfiltrated.
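The file review in the steps above can be scripted. The following Python is an added example (not code from Progress or from Rapid7): it walks a copy of the wwwroot folder and reports any server-side script whose name is not in a known-good baseline, and any file modified inside the look-back window. The baseline of expected script names is an assumption; build the real one from a clean install of the same MOVEit Transfer version, never from the suspect host. The sample tree, with a file named after the reported webshell (human2.aspx), is constructed in a temporary directory.

```python
"""Sweep a MOVEit Transfer wwwroot for files that warrant forensic review.

Added example (not from Progress or Rapid7). The baseline of expected script
names is an assumption; build a real one from a clean install of the same
version. The sample directory is constructed with tempfile.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

SERVER_SCRIPT_SUFFIXES = {".asp", ".aspx", ".ashx", ".asmx"}

# Hypothetical known-good baseline of server-side scripts expected in wwwroot.
BASELINE_SCRIPTS = {"human.aspx", "machine.aspx", "guestaccess.aspx"}


def sweep_wwwroot(wwwroot, baseline=BASELINE_SCRIPTS, lookback_days=30, now=None):
    """Return [(relative_path, [reasons])] for files that are off-baseline or recent."""
    wwwroot = Path(wwwroot)
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for path in sorted(p for p in wwwroot.rglob("*") if p.is_file()):
        reasons = []
        if path.suffix.lower() in SERVER_SCRIPT_SUFFIXES and path.name.lower() not in baseline:
            reasons.append("server-side script not in baseline")
        modified = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        if modified >= cutoff:
            reasons.append(f"modified within {lookback_days} days ({modified:%Y-%m-%d})")
        if reasons:
            findings.append((path.relative_to(wwwroot).as_posix(), reasons))
    return findings


def build_sample_wwwroot():
    """Constructed tree: baseline pages aged 120 days plus a fresh webshell stand-in."""
    root = Path(tempfile.mkdtemp(prefix="moveit-wwwroot-"))
    aged = time.time() - 120 * 86400
    for name in sorted(BASELINE_SCRIPTS) + ["images/logo.png"]:
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder")
        os.utime(path, (aged, aged))
    # Drop a file under the name reported for the campaign's webshell, dated now.
    (root / "human2.aspx").write_text("placeholder webshell stand-in")
    return root


def demo():
    """Build the constructed tree and sweep it."""
    return sweep_wwwroot(build_sample_wwwroot())


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {'; '.join(reasons)}")
```

Run it against a forensic copy rather than the live folder, since a modification-time check is only as trustworthy as the timestamps left on the host; file creation times and IIS request logs for the flagged names give a second line of evidence. The unauthorized-account review from the advisory is a separate step against the MOVEit database and is not covered by this script.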

The Clop ransomware gang is a prime suspect as the group was behind the exploitation of zero-day vulnerabilities in two other MFT solutions, Fortra’s GoAnywhere MFT in January 2023 and the Accellion FTA in December 2020.

CISA & Partners Release Updated StopRansomware Guide

An updated version of the StopRansomware Guide has been published that includes further recommendations on actions that can be taken to reduce the risk of ransomware attacks. The StopRansomware Guide is a one-stop resource developed by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) that details best practices for detecting, preventing, responding to, and recovering from ransomware attacks and provides step-by-step approaches for addressing potential attacks. The updated guide was produced through the Joint Ransomware Task Force (JRTF), which was set up by Congress in 2022 to deal with the growing threat of ransomware attacks.

The StopRansomware Guide can be used by government agencies and organizations and businesses of all sizes to ensure appropriate defenses are in place to block attacks and can help with the development, implementation, and maintenance of incident response plans to ensure the fastest possible recovery in the event of an attack. The updated guide includes new recommendations for hardening defenses against the most common initial access vectors that are used by ransomware gangs and initial access brokers for gaining a foothold in networks, including compromised credentials, brute force attempts to obtain passwords, phishing, and advanced social engineering, along with information on securing cloud backups and tips for threat hunting.

The StopRansomware Guide is divided into two parts. The first part provides comprehensive, relevant, and proven best practices that can be adopted to reduce risk, including identifying critical data that needs protecting and proactive steps that can help with ransomware attack mitigation. The second part of the guide provides detailed information on detection, analysis, containment, eradication, and post-incident recovery, and includes a checklist to guide organizations through a methodical, measured, and properly managed incident response approach.

“With our FBI, NSA and MS-ISAC partners, we strongly encourage all organizations to review this guide and implement recommendations to prevent potential ransomware incidents,” wrote CISA. “In order to address the ransomware epidemic, we must reduce the prevalence of ransomware intrusions and reduce their impacts, which include applying lessons learned from ransomware incidents that have affected far too many organizations.”

The updated StopRansomware Guide can be downloaded from CISA on this link.

Cyberattacks on Hospitals Cause Significant Disruption at Neighboring Healthcare Facilities

A recent study has confirmed that healthcare cyberattacks not only cause disruption at the organization that experiences an attack but also at emergency departments at neighboring hospitals, where patients face longer wait times due to increased patient numbers which place a strain on resources.

The study was a retrospective analysis of two academic emergency departments operated by a healthcare delivery organization (HDO) in San Diego, which were in the vicinity of an unrelated HDO that experienced a ransomware attack. The researchers looked at adult and pediatric patient volume, emergency medical services diversion data, and emergency department stroke care metrics for four weeks prior to the attack, during the attack, and four weeks after the attack.

The ransomware attack in question occurred on May 1, 2021, and affected an HDO with 4 acute care hospitals, 19 outpatient facilities, and more than 1,300 combined acute inpatient beds. The attack prevented access to electronic medical records and imaging systems and affected the HDO’s telehealth capabilities. Staff were forced to use pen and paper to record patient information and emergency traffic was redirected to unaffected facilities. The attack caused disruption for 4 weeks, and around 150,000 patient records were compromised.

An attack on one hospital will often see patient numbers increase at neighboring hospitals, and the increased volume of patients and resource constraints impact time-sensitive care for health conditions such as acute stroke. The researchers found there were significant disruptions to services at the neighboring healthcare facilities, even though they were not targeted or directly affected by the ransomware attack. Compared to the period before the attack, there was a 15.1% increase in the daily mean emergency department census, a 35.2% increase in mean ambulance arrivals, a 6.7% increase in mean admissions, a 127.8% increase in patients leaving without being seen, a 50.4% increase in visits where patients left against medical advice, and a 47.6% increase in median waiting room times.

The researchers chose acute stroke care as an example of a time-sensitive, resource-intensive, technologically dependent, and potentially lifesaving set of complex actions and decisions, that required a readily available multidisciplinary team working in close coordination. The researchers observed a 74.6% increase in stroke code activations and a 113.6% increase in confirmed strokes compared to the pre-attack phase.

Since a ransomware attack on one hospital impacts other non-targeted healthcare facilities, the researchers suggest that ransomware and other cyberattacks should be classed as regional disasters. The researchers report no significant difference in door-to-CT scan or acute stroke treatment times, but suggest the disruptions due to ransomware attacks could easily lead to negative patient outcomes. “These findings support the need for coordinated regional cyber disaster planning, further study on the potential patient care effects of cyberattacks, and continued work to build technical health care systems resilient to cyberattacks such as ransomware,” wrote the researchers, who also suggest this should be made a national priority given the increase in cyberattacks on healthcare organizations in recent years.

The study – Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US – was conducted by Christian Dameff, MD, MS, Jeffrey Tully, MD, and Theodore C. Chan, MD, and was published in JAMA Network Open.

CommonSpirit Health Says Ransomware Attack Likely to Cost $160 Million

CommonSpirit Health has provided an updated estimate on the cost of its October 2022 ransomware attack, which is expected to increase to $160 million. The ransomware attack was detected by CommonSpirit Health on October 2, 2022, forcing systems to be taken offline. The attack affected over 100 current and former CommonSpirit facilities in 13 states. The forensic investigation determined hackers first gained access to its network on September 16, 2022, and were ejected on October 3, 2022. The attackers stole data from two file servers, although they did not gain access to its medical record system. The stolen files contained the protected health information of almost 624,000 patients.

CommonSpirit Health operates 143 hospitals and around 2,300 other healthcare facilities in 22 states and is the second-largest non-profit health system in the United States. CommonSpirit’s latest quarterly results show total revenues of $8.3 billion for the 3 months to March 31, 2023, and $25.6 billion for the 9 months to March 31. Operating losses were $648 million for the quarter and $1.1 billion for the 9 months; net losses were smaller, at $231 million and $445 million for the 3- and 9-month periods, thanks to improved investment returns. CommonSpirit said the ransomware attack did not affect the current quarter’s operating results.

The ransomware attack was initially estimated to cost around $150 million, but a further $10 million in costs has been added to that figure. The increased cost factors in lost revenues due to business interruption, costs incurred remediating the ransomware attack, and other business-related expenses. In a call with investors, CommonSpirit explained that most of the $160 million is expected to be recovered from underwriters, although recovery of the costs is expected to take some time. CommonSpirit also confirmed in its quarterly report that it is facing a class action lawsuit over the ransomware attack and data breach. The lawsuit was filed in December 2022 in the U.S. District Court for the Northern District of Illinois and alleges negligence due to the failure to implement reasonable and appropriate security measures to protect patient data. The lawsuit seeks damages for the plaintiff and class exceeding $5 million, injunctive relief, and legal costs.

April 2023 Healthcare Data Breach Report

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – the third largest breach to be reported by a single HIPAA-covered entity so far this year, and the 19th largest breach to be reported by a single HIPAA-regulated entity to date. The breach occurred at the HIPAA business associate NationsBenefits Holdings and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution. 8 of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Breach Cause
NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 462,241 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 199,000 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 180,694 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
California Physicians’ Services d/b/a Blue Shield of California | CA | Business Associate | 61,790 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
MiniMed Distribution Corp. | CA | Healthcare Provider | 58,374 | Network Server | Unauthorized disclosure of PHI to Google and other third parties (tracking code)
Brightline, Inc. | CA | Business Associate | 49,968 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
United Steelworkers Local 286 | PA | Health Plan | 37,965 | Email | Hacked email account
Retina & Vitreous of Texas, PLLC | TX | Healthcare Provider | 35,766 | Network Server | Hacking incident
Brightline, Inc. | CA | Business Associate | 31,440 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 21,830 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) | IA | Health Plan | 20,815 | Network Server | Hacking incident at business associate (Independent Living Systems)
Lake County Health Department and Community Health Center | IL | Healthcare Provider | 17,000 | Email | Hacked email account
Southwest Healthcare Services | ND | Healthcare Provider | 15,996 | Network Server | Hacking incident (data theft confirmed)
La Clínica de La Raza, Inc. | CA | Healthcare Provider | 15,316 | Email | Hacked email accounts
St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 15,246 | Paper/Films | Mailing error
Two Rivers Public Health Department | NE | Healthcare Provider | 15,168 | Email | Hacked email account
Robeson Health Care Corporation | NC | Healthcare Provider | 15,045 | Network Server | Malware infection
Northeast Behavioral Health Care Consortium | PA | Health Plan | 13,240 | Email | Hacked email account (phishing)
Centers for Medicare & Medicaid Services | MD | Health Plan | 10,011 | Paper/Films | Mailing error at business associate (Palmetto GBA)
Modern Cardiology Associates | PR | Healthcare Provider | 10,000 | Network Server | Hacking incident

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted, but there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as in the attacks by the Clop ransomware group that exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously deployed ransomware but this year has primarily conducted extortion-only attacks, which are quieter and faster. 12 of the month’s breaches involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined. As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by hipaa-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico, with California the worst affected state with 16 breaches, 9 of which were the same incident that was reported separately for each client by Brightline Inc., which is why the breach count was so high for California this month.

State | Breaches
California | 16
Florida | 4
New York & Pennsylvania | 3
Illinois, Kentucky, Ohio, & Texas | 2
Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico | 1

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.

Bipartisan Legislation Introduced to Address Rural Hospital Cybersecurity Skill Gaps

New bipartisan legislation has recently been introduced to help address the current shortage of cybersecurity skills at rural hospitals. The Rural Hospital Cybersecurity Enhancement Act was introduced by Sen. Gary Peters (D-MI), chair of the Senate Homeland Security and Governmental Affairs Committee, and Sen. Josh Hawley (R-MO), committee member.

Cyberattacks on healthcare organizations have increased significantly over the past few years. These attacks cause considerable disruption to patient care and can put lives at risk and while health systems have increased investment in cybersecurity, many small and rural hospitals lack the necessary resources and struggle to hire skilled cybersecurity professionals. At a recent Senate Homeland Security and Governmental Affairs Committee hearing, cybersecurity experts testified about the current healthcare cybersecurity challenges. Kate Pierce, former CIO and CISO at North County Hospital in Vermont and executive at Fortified Health Security said cybercriminals have shifted their focus and are now actively targeting small and rural hospitals. Large health systems have implemented advanced cybersecurity measures and employ large cybersecurity teams to manage their sophisticated defenses, but there is a large disparity in cybersecurity spending at small and rural hospitals, which tend to have much weaker defenses.

“A basic security measure like 24/7 monitoring of systems is ‘pie-in-the-sky’ for these organizations,” explained Pierce at the hearing. “Despite all the guidance, recommendations and services provided over the past few years by HSCC, 405(d), H-ISAC, CISA, and other organizations, I have found that the vast majority of small and rural hospitals are unaware of these resources, and too overwhelmed to take advantage of these valuable tools.”

The Rural Hospital Cybersecurity Enhancement Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities that provide inpatient and outpatient care services in non-urbanized areas. The strategy should include public-private partnerships, the development of curricula and training resources, and policy recommendations. The bill requires the Director of CISA to create instructional materials for rural hospitals to train staff on fundamental cybersecurity measures, and for the Department of Homeland Security to report annually to congressional committees on updates to the strategy and any programs that have been implemented.

“Ransomware attacks against hospitals and health care systems that compromise sensitive medical information and disrupt patient care must be stopped. Unfortunately, small and rural hospitals often lack the resources to invest in cybersecurity defenses and staff to prevent these breaches,” said Senator Peters. “This bipartisan legislation will require the federal government to ensure our most vulnerable health care providers have the necessary tools to protect patient information and provide lifesaving care even as criminal hackers continue to target their networks.”

The post Bipartisan Legislation Introduced to Address Rural Hospital Cybersecurity Skill Gaps appeared first on HIPAA Journal.

FBI and CISA Issue Warning About BianLian Ransomware and Extortion Group

A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) about the BianLian ransomware and data extortion group.

The BianLian group has been conducting attacks in the United States since at least June 2022 and has actively targeted critical infrastructure organizations, including the healthcare and public health sector. The BianLian group is a ransomware actor that develops and uses ransomware in its attacks, typically engaging in double extortion tactics, where sensitive private data is exfiltrated from victims’ networks before files are encrypted. The group threatens to leak the stolen data if the ransom is not paid. This year, the group has largely switched to extortion-only attacks, in which data is exfiltrated but files are not encrypted. These attacks have proven to be effective, as the release of stolen data can cause significant damage to an organization’s reputation and create legal complications.

The BianLian group primarily gains access to victims’ networks using valid Remote Desktop Protocol (RDP) credentials, which may be obtained through brute force attacks that guess weak passwords, purchased from initial access brokers, or harvested in phishing attacks. Once credentials have been obtained, the group deploys a custom backdoor specific to each victim and downloads commercially available remote access tools such as TeamViewer, Atera Agent, SplashTop, and AnyDesk. The group uses command-line tools and scripts for network reconnaissance and for harvesting further credentials. PowerShell and Windows Command Shell are used to disable antivirus tools, specifically Windows Defender and the Anti-Malware Scan Interface (AMSI), and the registry is modified to uninstall Sophos services such as SAVEnabled, SEDenabled, and SAVService.

For discovery, the group typically downloads tools such as Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, and PingCastle onto victims’ networks, and also uses native Windows tools and Windows Command Shell; PsExec and RDP with valid accounts are used for lateral movement. Once sensitive data has been located, it is exfiltrated via File Transfer Protocol (FTP), Rclone, or Mega, after which threats are issued to publish the stolen data.

The best defense against these attacks is to limit the use of RDP and other remote desktop services. All remote access tools on the network should be audited to identify which software is installed and currently in use; any remote access tools that are not in use should be removed or disabled, and RDP should be locked down. Security software should be used to detect instances of remote access software being loaded into memory, and remote access software logs should be reviewed to detect any abnormal use.

Authorized remote access tools should only be used from within the network, over approved remote access solutions such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs). Inbound and outbound connections on common remote access software ports and protocols should be blocked at the network perimeter. Organizations should also disable command-line and scripting activities, restrict the use of PowerShell on critical systems, and enable enhanced PowerShell logging. Administrative accounts should be audited regularly, time-based access should be configured for accounts at the admin level and higher, and the principle of least privilege should be applied.
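As an added example (not part of the HIPAA Journal post or of the FBI/CISA/ACSC alert), the following Python script shows how the log review and RDP lockdown recommendations above can be turned into concrete detection logic. It parses constructed Windows Security event records (logon failures, RDP logons, process creations) and flags RDP password-guessing bursts, RDP sessions arriving from outside the approved VPN pool or outside working hours, and the launch of remote access tools named in the alert that the organization has not approved. The VPN address range, working hours, thresholds, tool allow-list, file paths and the `key=value` log format are all assumptions made for the example.

```python
"""Triage of Windows Security events for the RDP credential abuse and
unapproved remote access tool activity described in the BianLian alert.
Added example with constructed sample data; not the alert's own tooling."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import ipaddress

# Assumptions (organization policy, not from the advisory): remote access is
# only permitted from the VPN/VDI pool below and during these hours.
APPROVED_SOURCE_NETS = [ipaddress.ip_network("10.99.0.0/16")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Tool names come from the advisory; treating only the MSP's Atera agent as
# approved is a hypothetical allow-list decision.
REMOTE_TOOL_MARKERS = ("teamviewer", "anydesk", "atera", "splashtop")
APPROVED_TOOL_MARKERS = ("atera",)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    event_id: int          # 4625 logon failure, 4624 logon success, 4688 process creation
    user: str
    src_ip: str = ""
    logon_type: int = 0    # 10 = RemoteInteractive, i.e. an RDP session
    process: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value' event line (a stand-in for EVTX/SIEM fields)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(
        ts=datetime.fromisoformat(fields["ts"]),
        event_id=int(fields["id"]),
        user=fields.get("user", ""),
        src_ip=fields.get("src", ""),
        logon_type=int(fields.get("type", 0)),
        process=fields.get("proc", ""),
    )


def source_is_approved(ip: str) -> bool:
    """True only for addresses inside the approved VPN/VDI pool."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_SOURCE_NETS)


def analyze(events):
    """Return (rule_name, detail) findings in chronological order."""
    findings = []
    recent_failures = defaultdict(deque)  # src_ip -> failure timestamps inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 4625:
            window = recent_failures[ev.src_ip]
            window.append(ev.ts)
            while window and ev.ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # fire when the threshold is first crossed
                findings.append(("rdp_bruteforce", f"{ev.src_ip}: {len(window)} failures within {FAIL_WINDOW}"))
        elif ev.event_id == 4624 and ev.logon_type == 10:
            if not source_is_approved(ev.src_ip):
                findings.append(("rdp_from_unapproved_source", f"{ev.user} from {ev.src_ip}"))
            elif not (BUSINESS_HOURS[0] <= ev.ts.time() <= BUSINESS_HOURS[1]):
                findings.append(("rdp_outside_hours", f"{ev.user} at {ev.ts:%H:%M}"))
        elif ev.event_id == 4688:
            name = ev.process.lower()
            is_remote_tool = any(m in name for m in REMOTE_TOOL_MARKERS)
            is_approved = any(m in name for m in APPROVED_TOOL_MARKERS)
            if is_remote_tool and not is_approved:
                findings.append(("unapproved_remote_tool", f"{ev.user} started {ev.process}"))
    return findings


# Constructed sample log: a password-guessing burst from an Internet address that
# succeeds and is followed by an AnyDesk launch, then legitimate VPN activity.
SAMPLE_LOG = """\
ts=2023-05-16T02:11:05 id=4625 user=administrator src=203.0.113.7 type=10
ts=2023-05-16T02:11:09 id=4625 user=administrator src=203.0.113.7 type=10
ts=2023-05-16T02:11:14 id=4625 user=admin src=203.0.113.7 type=10
ts=2023-05-16T02:11:20 id=4625 user=admin src=203.0.113.7 type=10
ts=2023-05-16T02:11:27 id=4625 user=backup src=203.0.113.7 type=10
ts=2023-05-16T02:12:40 id=4624 user=backup src=203.0.113.7 type=10
ts=2023-05-16T02:15:02 id=4688 user=backup proc=C:\\Users\\backup\\Downloads\\AnyDesk.exe
ts=2023-05-16T09:30:00 id=4624 user=jdoe src=10.99.4.21 type=10
ts=2023-05-16T09:31:10 id=4688 user=jdoe proc=C:\\Agents\\AteraAgent.exe
ts=2023-05-16T22:05:00 id=4624 user=jdoe src=10.99.4.21 type=10
"""


def run_sample():
    """Parse the constructed log and return the findings it produces."""
    return analyze(parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip())


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:28} {detail}")
```

On the sample data the script reports four findings in order: the RDP password-guessing burst from 203.0.113.7, the successful RDP logon from that unapproved address, the AnyDesk launch, and the after-hours RDP session over the VPN; the daytime VPN session and the approved Atera agent are not flagged. In production the same rules would be fed from a SIEM export rather than the `key=value` stand-in used here.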

The cybersecurity alert includes Indicators of Compromise (IOCs), details of the tactics, techniques, and procedures (TTPs) used by the group, and other recommended mitigations.

The post FBI and CISA Issue Warning About BianLian Ransomware and Extortion Group appeared first on HIPAA Journal.