Last year, Microsoft started blocking macros by default in Office files delivered via the Internet to make it harder for malicious actors to use macros for delivering malware. In response, threat actors have been looking for alternative methods for malware delivery, such as OneNote files.

OneNote is a digital note-taking application that is part of the Microsoft Office suite and it has been proving popular for malware distribution because executable files can be embedded in OneNote documents. These files are usually hidden behind design elements in the documents, such as buttons instructing users to click to view the content. The user is informed that they need to double-click the button, but doing so executes the hidden embedded executable file behind the button. If executed, the hidden executable file downloads a malicious payload from a remote server. In recent weeks, several campaigns have been detected that use OneNote attachments for distributing malware, including AsyncRat, Emotet, and QBot.

In response to the increasing misuse of OneNote files in phishing campaigns, Microsoft announced last month that it would be augmenting security for OneNote. OneNote currently generates a warning that opening attachments in OneNote files is potentially dangerous; however, these dialog boxes can be closed, allowing the embedded attachments to be opened.

Microsoft provided an update this month on the security update and confirmed that users will no longer be able to close the dialog box and open the embedded files. When the update is applied, 120 dangerous file types will be blocked in OneNote. The blocked file types will be the same as those that are currently blocked by Word, Excel, PowerPoint, and Outlook. If a user attempts to open one of these dangerous file types, a dialog window will be generated that warns the user that “Your administrator has blocked your ability to open this file type in OneNote.”

Dangerous file types will be blocked in OneNote documents from April 2023.

Microsoft will be rolling out the security updates later this month starting with OneNote Version 2304, which will protect users of OneNote for Microsoft 365 on Windows devices. The update will also be applied to the retail versions of Office 2021, Office 2019, and Office 2016 (Current Channel), followed by Version 2304 for the Enterprise Channel in June 2023. The update will be applied to Version 2308 for the Semi-Annual Enterprise Channel (Preview) in September 2023, and the Semi-Annual Enterprise Channel in January 2024. Microsoft said the update will not affect OneNote on the web, OneNote for Windows 10, OneNote for MacOS, or OneNote for Android or iOS devices.

The post Microsoft Will Block Dangerous File Types in OneNote Documents appeared first on HIPAA Journal.

Ransomware and phishing continue to be the biggest cybersecurity concerns for healthcare organizations according to the February 2023 Current and Emerging Healthcare Cyber Threat Landscape report from Health-ISAC. The report, a collaboration between Health-ISAC and Booz Allen Hamilton Cyber Threat Intelligence (CTI), identified the key threats to the healthcare sector and is based on responses to a November 2022 survey of executives across Health-ISAC, CHIME, and the Health Sector Coordinating Council.

Biggest Cybersecurity Concerns in Healthcare

Survey participants were asked to rank the biggest cybersecurity concerns for their organizations retroactively for 2022 and looking forward for the remainder of the year. Ransomware was the biggest concern for 2022 and 2023 with phishing and spear phishing in second. Third-party/partner breaches, data breaches, and social engineering rounded out the top 5, with social engineering now replacing insider threats as the 5th biggest concern, compared to 2022 when the report was last published.

Ransomware is expected to be the biggest threat for years to come, as while more is now being done to disrupt ransomware gangs and bring threat actors to justice, the returns for cybercriminal gangs from conducting attacks far outweigh the costs. Attacks will continue to be conducted for as long as they are profitable, although with fewer victims paying ransoms cybercriminal groups are starting to diversify their income streams. Phishing is also likely to continue to be a major threat for years due to the low cost and effectiveness of these attacks for gaining initial access to healthcare networks.

Medical device cybersecurity is of significant concern as the number of devices used by hospitals continues to increase. Medical devices often have multiple vulnerabilities and run on outdated operating systems and provide an easy access point into healthcare networks. Healthcare organizations with a higher percentage of connected medical devices experience more cyberattacks and are more likely to experience multiple attacks. Healthcare organizations need to improve medical device security and the best place to start is by ensuring risk assessments are regularly conducted, patches and updates are applied promptly, and devices with weak or default credentials are identified and updated.

The report draws attention to threats related to geopolitical activity such as the Russia-Ukraine war, which has seen increasing numbers of cyberattacks on organizations with links to Ukraine. In addition to attacks on the Ukraine government, Russian hackers have been targeting companies that are perceived to be supporting Ukraine, conducting business in the country, and even targeting companies that have withdrawn operations from Russia. Chinese hackers are conducting attacks on behalf of the Communist Party of China (CPC) to obtain intellectual property aligned with Chin’s 5-Year Plan, and North Korean hackers have been targeting U.S. healthcare organizations for financial gain – through ransomware attacks – and for espionage purposes.

Emerging Threats to the Healthcare Sector

The report highlights two emerging risks that are expected to plague the healthcare industry in 2023 and beyond – product abuse and synthetic accounts. Internet-facing products such as web login portals and APIs are easy targets for threat actors using compromised credentials, and billions of credentials that have been captured through malware, phishing, and data breaches are freely available on criminal forums. These credentials are being used to gain access to healthcare networks for ransomware attacks and obtain patient data for financial gain.

Synthetic accounts have been a problem in several sectors for many years but there is growing evidence that synthetic accounts are being used for healthcare fraud. Synthetic accounts can be created using the huge amount of PII available on dark web forums and are typically strengthened over months or years to increase the success rate of attacks. These accounts are used to fraudulently obtain loans and make large purchases but are also being used for paying for medical billing and other health-related activity. Cybercriminals are creating fake medical providers and other business accounts to bill insurers and the government for services that are never received and this form of fraud is likely to increase throughout 2023.

“Customer-facing products are routinely targeted by attacks designed to extract data with crimeware that threat actors have customized to look and feel like a legitimate customer—whether a consumer, industry practitioner, or third party,” said Health-ISAC in the report. “Preparing for these attacks require properly aligned controls at the network, application, authentication, and risk layers to protect organizational data and reduce the risk of credential stuffing, account takeovers, carding attacks, and unhealthy account creation.”

Health-ISAC members can download the TLP: Green report for more detailed information and a TLP: White summary has also been released, both of which can be downloaded on this link.

The post Health-ISAC Report Explores Current and Emerging Cyber Threats to the Healthcare Sector appeared first on HIPAA Journal.

Ensuring medical devices are cybersecure is one of the biggest security challenges in healthcare. Medical devices often have unpatched vulnerabilities, run on outdated software that has reached end-of-life, and lack appropriate security features. As such, they are a security weak point that can be exploited by malicious actors to gain access to healthcare networks and sensitive patient data.

According to the FBI, more than half of all medical devices used by hospitals have critical vulnerabilities that have not been addressed and, on average, medical devices have more than 6 vulnerabilities that could potentially be exploited by malicious actors. More than 40% of medical devices are at end-of-life and have little to no opportunities for security patches or upgrades.

Steps are being taken to improve the cybersecurity of medical devices. Device manufacturers will soon be required to incorporate adequate cybersecurity measures and will need to develop and implement a plan for addressing vulnerabilities throughout the lifecycle of the devices otherwise the U.S. Food and Drug Administration (FDA) will not authorize their use.

On Wednesday, March 29, 2023, the medical device cybersecurity requirements of the $1.7 trillion omnibus spending bill – The Consolidated Appropriations Act, 2023 – took effect and the FDA now requires all regulatory submissions for medical devices to include information about the cybersecurity measures that have been implemented for the devices. Section 3305 of the Omnibus bill — Ensuring Cybersecurity of Medical Devices — amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, Ensuring Cybersecurity of Devices. This requirement took effect 90 days after the enactment of the Act on December 29, 2022, which means premarket submissions submitted to the FDA after March 29, 2023, require information to be included about the cybersecurity of medical devices.

In a guidance document for FDA staff, the FDA said it does not intend to issue refuse to accept (RTA) decisions for premarket submissions that fail to include the required information on cybersecurity until after October 1, 2023. This will give sponsors of medical devices sufficient time to prepare the necessary information; however, after that date, the FDA will no longer accept applications and submissions that lack the required cybersecurity elements.  In the meantime, the FDA will work with applicants to fix any defects in their documentation.

The sponsor of an application or submission must confirm compliance with four core cybersecurity requirements:

1. A plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.
2. Processes and procedures that ensure devices are cybersecure, which includes issuing updates and patches promptly when the devices are on the market to address known unacceptable vulnerabilities and critical vulnerabilities that could cause uncontrolled risks.
3. A software bill of materials, including commercial, open-source, and off-the-shelf software components.
4. Comply with such other requirements that may be added through regulation to demonstrate reasonable assurances that devices and related systems are cybersecure.

The FDA will work with the Cybersecurity and Infrastructure Security Agency (CISA) to update its guidance on cybersecurity for medical devices within the next two years and will update its online resources within 6 months, and then at least annually, on how healthcare providers and device makers can identify and address vulnerabilities and work with the FDA and other government agencies to strengthen the security of medical devices.

The post FDA Cybersecurity Requirements for Medical Devices Now in Effect appeared first on HIPAA Journal.

The Health Sector Cybersecurity Coordination Center (HC3) has published a mobile device security checklist to help healthcare organizations address a common cybersecurity weak point and better protect patient data. Healthcare organizations employ a wide range of mobile devices, many of which are networked and collect, store, and transmit patient information. These devices are often a critical part of healthcare operations and may number in the thousands at large hospitals.

While these devices perform essential functions, they increase the attack surface considerably and they often contain vulnerabilities that can potentially be exploited to gain access to patient data and the healthcare networks to which they connect. The risks associated with the devices vary based on the nature of the devices and their use. Devices can be lost or stolen, they may connect to unsecured Wi-Fi networks, and software and applications may have vulnerabilities that can be exploited, resulting in unauthorized network access or the downloading of malware or ransomware.

HC3 has published a simple and easy-to-use mobile device security checklist that includes recommendations for ensuring the security of these devices, covering all basic elements of security that should be considered for all mobile devices used in healthcare. The checklist suggests limitations be placed on connectivity, including disabling the various wireless communications protocols that mobile devices support, such as 802.11 Wi-Fi, broadband, and cellular connections if they are not absolutely essential.

Users of the devices should be cautious before connecting to any public or untrusted network. If connections need to be made to residential wireless networks, a VPN should be used and access points should have adequate security features. If connecting to corporate enterprise infrastructure, connections should be encrypted. Applications on the devices should be kept to the minimum number required, and whitelists/blacklists should be considered.

Vulnerabilities need to be identified and patched promptly, which means maintaining a comprehensive, accurate, and up-to-date inventory of all devices. Software and applications need to be kept up to date, ideally using automatic updates, unless automatic updates have the potential to interfere with device operations. All devices should be configured for full functionality first and maximum security second.

Strong authentication measures should be implemented, including appropriate levels of password complexity and multi-factor authentication, with device lock enabled after a period of inactivity. HIPAA requires protected health information to be safeguarded in transit, so communications should be encrypted, either through the inherent encryption capabilities of the device or through encryption software.

To protect against data loss, backup processes are required. The 3-2-1 data backup best practice is recommended – At least 3 backups, on two separate media, with one copy stored securely offline. To protect against malware and ransomware, endpoint security solutions should be implemented and remote wiping capability should be considered. Naturally, all devices should be physically secured at all times, and staff trained on security best practices.

You can access/download the HC3 mobile device security checklist here (PDF).

The post Improve Mobile Device Security with this HC3 Checklist appeared first on HIPAA Journal.

Ransomware activity increased in February according to the latest GRIT Ransomware Report from GuidePoint Security. The report is based on data collected by the GuidePoint Research and Intelligence Team, which reports a 51.5% increase in attacks compared to January and a 15.8% increase in attacks compared to February 2022.

The LockBit 3.0 ransomware group was particularly active in February, posting more than twice the number of victims (129) on its leak site as January (50), accounting for virtually all of the monthly increase in attacks. ALPHV/BlackCat also listed more victims (30) on its data leak site than January (21), with Royal and BinLian in the third and fourth spots. Medusa completed the top 5. There was a 21% decrease in Royal ransomware victims compared to January, but a massive 400% increase in BianLian victims. According to the cybersecurity firm Redacted, the BianLian group appears to have changed tactics and is now increasingly monetizing its breaches without using file encryption and is concentrating on extortion after stealing data.

While the healthcare industry is often targeted by ransomware gangs, there was a shift in the industries targeted by ransomware groups in February, with a marked increase in attacks on the food and beverage, banking/financial services, and engineering industries. The GRIT team reports that healthcare was the 7^th most targeted sector out of 10 sectors tracked. While the most active ransomware groups do not appear to be primarily targeting the healthcare industry, there are many smaller ransomware groups that are steadily conducting attacks and GuidePoint Security has warned that these smaller groups, which often break away from larger ransomware groups, are more likely than the larger groups to actively target the healthcare sector.

The researchers also drew attention to the Royal ransomware group, which is a relatively new addition to the threat landscape having only been in operation since September 2022. The group has conducted at least 97 attacks since then but there is concern that activity will increase. Royal is believed to include members from other ransomware operations such as Conti and the group is thought to have considerable experience in conducting ransomware attacks. Recently, the Health Sector Cybersecurity Coordination Center issued a warning about Royal ransomware and said the group poses a threat to the healthcare and public health sector. Royal was behind the recent ransomware attack on the medical device manufacturer Revenetics, although the majority of the group’s victims so far have been in the technology sector

As was the case in January, the majority of attacks were on targets in the United States, which experienced 62 attacks in January and 117 attacks in February, although attacks were more geographically spread last month and occurred in 48 countries compared to 38 in January.

The post Ransomware Attacks Increased by More Than 51% in February appeared first on HIPAA Journal.

Ransomware gangs are increasingly skipping file encryption and are concentrating on data theft and extortion, according to a recent report from Palo Alto Networks’ Unit 42 team. In the second half of 2021 and throughout 2022, around 1 in 10 attacks by ransomware gangs did not involve file encryption, only data theft and extortion.

Around one-third of incidents responded to by the Unit 42 team are ransomware incidents, 70% of which involve data theft, up from 40% of attacks in mid-2021. Data from Coveware indicates more victims of ransomware attacks are now refusing to pay ransom demands, and that has forced ransomware gangs to adopt more aggressive tactics. The Unit 42 team says, on average, ransomware gangs upload the data of 7 victims a day to their data leak sites, and it is becoming increasingly common for ransomware gangs to harass victims. 20% of the incidents Unit 42 responds to have some degree of victim harassment, compared to around 1% of attacks in mid-2021.

Michael Sikorski, CTO and VP of threat intelligence at Unit 42, said an attack on a hospital that refused to pay the ransom saw the threat actor contact patients and threaten to publish their medical records to pile pressure on the hospital to pay the ransom demand. In another case, the wife of the CEO of a company was sent threatening SMS messages when the ransom was not paid. When patients or customers of companies are contacted and harassed by a threat actor, the reputational damage caused can result in a considerable loss of business. Sikorski said victims of ransomware attacks are increasingly recovering files from backups and refusing to pay ransoms, but the harassment tactics could well see that trend reversed.

Organizations need to develop and practice an incident response plan to ensure the quickest possible recovery from a ransomware attack but Palo Alto Networks suggests it is also now vital to prepare a playbook for multi-extortion and to develop crisis communication protocols. “Having a comprehensive incident response plan with corresponding crisis communication protocols will greatly reduce uncertainty. It’s important to know which stakeholders should be involved, and the process to make decisions promptly (e.g., whether or not to pay, or who is authorized to approve payments).” It is important to know what to do – and not to do – when ransomware gangs start contacting and harassing employees or patients. Employees should be provided with ransomware harassment training and the tools and processes they need to follow during an active harassment incident. Having a playbook for multi-extortion will help to limit the harm that can be caused.

The post 20% of Ransomware Attacks Involve Victim Harassment appeared first on HIPAA Journal.

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) about LockBit 3.0 ransomware, also known as LockBit Black.

The LockBit ransomware group has been in operation since at least September 2019 and is one of the most prolific ransomware groups. The group conducted more attacks than any other ransomware operation in 2022 and it has been estimated that LockBit ransomware is involved in around 40% of all ransomware attacks worldwide.  The group is believed to have conducted more than 1,000 attacks on organizations in the United States and has generated more than $100 million in ransom payments.

LockBit is a ransomware-as-a-service operation that recruits affiliates to conduct attacks in return for a cut of the ransoms they generate. The group engages in double extortion tactics, where files are stolen prior to encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. Victims are usually small- to medium-sized organizations, although attacks on large organizations are not unknown. The ransom demands average at around $85,000 per victim.

The ransomware is actively developed and evolved into LockBit 2.0 in 2021, and LockBit 3.0 in June 2022. LockBoit 3.0 has features similar capabilities to BlackMatter ransomware, and it is possible some of the same code has been used. Initial access to victim networks is gained through a variety of methods, including purchasing access from initial access brokers, insider access, exploiting unpatched and zero-day vulnerabilities, phishing, and Remote Desktop Protocol (RDP) exploitation. Affiliates use a custom data exfiltration tool called Stealbit; the open-source command line cloud storage manage, rclone; and publicly available file sharing services such as MEGA to exfiltrate stolen data.

The group was behind attacks on the NHS vendor, Advanced, which affected 16 customers in the health and social care sector; the German auto parts company, Continental; the IT firm Accenture; the UK’s Royal Mail, and many more. In December 2022, a LockBit affiliate attacked The Hospital for Sick Children (SickKids) in Toronto. The group issued an apology for the attack and provided a free decryptor, and claimed the affiliate was kicked out for violating its terms and conditions which prohibit attacks on “medical institutions” where attacks could result in death, including cardiology centers, neurosurgical departments, and maternity hospitals. The group does, however, permit attacks on pharma firms, dentists, and plastic surgeons. These policies are not always enforced, as LockBit affiliates have conducted attacks on hospitals in the past where free decryptors were not provided, such as the attack on the Center Hospitalier Sud Francilien (CHSF) in France.

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a threat brief about LockBit 3.0 in December 2022 in response to known attacks on the Healthcare and Public Healthcare (HPH) sector, and despite the group’s claims, HC3 believes LockBit 3.0 poses a threat to the HPH sector. The Joint Cybersecurity alert from the FBI, CISA, and MS-ISAC provides details of the latest tactics, techniques, and procedures (TTPs) associated with the group, Indicators of Compromise (IoCs) technical information for network defenders, and recommended mitigations for improving cybersecurity posture.

The post Feds Release Updated Threat Intelligence on LockBit 3.0 Ransomware appeared first on HIPAA Journal.