The Google-owned cybersecurity firm Mandiant has released its M-Trends 2023 report. The report provides insights into the rapidly evolving cyber threat landscape and can help network defenders better protect their systems and data from malicious actors. The data for the report came from Mandiant’s investigations and remediation of cyberattacks worldwide, including some of the most high-impact attacks in the past 12 months. The data suggests that organizations have managed to strengthen their defenses; however, cybercriminals have been conducting increasingly sophisticated attacks and in many cases have managed to stay one step ahead.

One of the key findings from this year’s report is malicious actors are spending far less time in victims’ environments, with 2022 seeing another year-over-year drop in dwell time from 21 days in 2021 to just 16 days, which is the shortest average dwell time in any of the 14 years that Mandiant has been producing its M-Trends reports. Victims have even less time to detect a compromise and they are already struggling to identify these intrusions. In the Americas, 55% of incidents Mandiant investigated saw the victim notified about a compromise by an external third party, up from 40% in 2021. Mandiant notes that this is the highest percentage of external notifications in the past 6 years.

The investigations revealed increasing numbers of malware families in 2022, which continues a trend observed in 2021. Mandiant started tracking 588 new malware families in 2022 of which backdoors were the most common malware type (34%) followed by downloaders (14%), droppers (11%), ransomware (7%), and launchers (5%), with the BEACON backdoor the most commonly detected malware family.

While malware families increased, ransomware attacks declined. In 2021, 23% of Mandiant’s investigations involved ransomware. In 2022 the percentage fell to 18%. While Mandiant cannot be certain about the reason for the fall in attacks, the researchers suggest it is likely a combination of factors including changes in the operating environment and the break up of large ransomware groups, the war in Ukraine, more effective disruption efforts by law enforcement, and organizations getting better at detecting ransomware.

The most common initial infection vector in the incidents Mandiant responded to was exploits of vulnerabilities in software and operating systems, which accounted for 32% of incidents, down from 37% in 2021. Phishing was the second most common initial access vector, accounting for 22% of intrusions, up from 12% in 2021.

Mandiant identified an increase in the use of information stealers and credential purchasing, and there was an increase in cyberattacks involving data theft, which occurred in 40% of incidents. Mandiant also observed an increase in destructive cyberattacks in Ukraine and a notable increase in attacks by hackers in the Democratic People’s Republic of Korea targeting cryptocurrency, which have proven to be incredibly lucrative.

The post Mandiant Shares Threat Intelligence from 2022 Cyber Incident Investigations appeared first on HIPAA Journal.

The Department of Health and Human Services’ Cybersecurity Task Force has shared new resources to help healthcare and public health (HPH) sector organizations combat the growing number of cyberattacks targeting the sector and improve their cybersecurity posture.

The new resources include a new online educational platform that delivers free cybersecurity training that can be used by HPH organizations to raise the security awareness of the workforce, an updated edition of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, which details the top cyber threats faced by the HPH sector, and a report on the current state of cybersecurity preparedness of hospitals, measured against the NIST Cybersecurity Framework.

The online training platform – Knowledge on Demand – is the first free cybersecurity training platform to be offered by the HHS. The platform includes training material on the most pertinent threats to the HPH sector and, at launch, includes training on five cybersecurity topics – Social engineering, ransomware, loss/theft of computer equipment and data, accidental and malicious insider data loss, and attacks on network-connected medical devices. The platform includes videos, job aids, and PowerPoint presentations. The training materials can be used to help HPH organizations comply with the security awareness training requirements of the HIPAA Security Rule.

The updated HCIP publication has been developed to be appropriate for healthcare organizations of all sizes and includes security best practices and resources to help healthcare organizations prepare for and defend against cybersecurity threats that impact patient safety, including the same five key threats that are covered in the Knowledge on Demand training material. The 47-page document was developed by the 405(d) Task Group and was updated by more than 150 industry and federal professionals and includes the most cost-effective measures to protect against HPH sector cybersecurity threats and protect patients.

The Hospital Cyber Resiliency Landscape Analysis was conducted by the 405(d) Program and is a review of the current state of cybersecurity at the hundreds of participating hospitals and assesses their preparedness to deal with cyber threats and their cybersecurity capabilities and level of cyber resiliency. The document explores the tactics, techniques, and procedures that cyber adversaries are currently using to compromise U.S. hospitals and disrupt operations for financial gain, and benchmarks the results against specific practices outlined in the HCIP. The document identifies best practices and opportunities to improve cyber resiliency.

The post HHS Provides New Resources and Cybersecurity Training Program to Combat Healthcare Cyber Threats appeared first on HIPAA Journal.

The healthcare industry continues to experience high numbers of cyberattacks and data breaches and healthcare organizations have responded by strengthening their cybersecurity programs, but they continue to face significant challenges, the biggest of which is a lack of cybersecurity staff. That was cited as the main barrier to robust cybersecurity by 61% of respondents to the 2022 HIMSS Healthcare Cybersecurity Survey of healthcare cybersecurity professionals responsible for day-to-day operations or oversight of healthcare cybersecurity programs.

The biggest problem is hiring talent. There is a global shortage of cybersecurity professionals, and with the demand for staff high, qualified cybersecurity professionals can afford to pick and choose employers carefully. Almost 84% of respondents said they struggle to attract skilled staff. Unsurprisingly, given the high demand for staff, an insufficient budget for hiring staff was a problem for 55% of respondents, with non-competitive compensation cited as a problem for 43% of respondents.

When skilled cybersecurity professionals are hired, retention is a problem. Almost 67% of respondents said retaining qualified cybersecurity professionals is a problem, which is unsurprising given that cybersecurity professionals are such a precious commodity. The survey revealed that there is a lack of training for cybersecurity staff to keep them up to date on the latest threats, with 61% of respondents saying there simply isn’t time to provide ongoing cybersecurity training. 42% of respondents said employers didn’t subsidize the cost (22%) or did not subsidize the cost enough (20%). Worryingly, given the extent to which phishing is used in healthcare cyberattacks, only 89% of cybersecurity professionals are provided with training on the detection and mitigation of phishing attacks, and only 47% are trained on how to detect and mitigate insider threats.

Cybersecurity is not just about the IT department, in fact, that is one of the biggest cybersecurity myths that needs busting. Everyone has a role to play in the cybersecurity of their organization, yet the data suggest that training for the workforce is nowhere near comprehensive enough. 91.8% of respondents said security awareness training is provided to information technology staff, but only 69% said security awareness training is provided to clinicians, and the figure fell to just 44% for contractors, and 29% for vendors.

Aside from staffing difficulties, a lack of budget is hampering cybersecurity improvements for 51% of respondents, and the problem is deepening. Only 51% of respondents said they got a cybersecurity budget increase from 2021 to 2022, with almost 7% seeing their budget decline. While there are healthcare organizations that devote around 10% of their IT budget to cybersecurity, typically only 6% or less of the IT budget goes on cybersecurity.

Other key barriers to robust cybersecurity were a lack of a data inventory showing the data held and where it is located (45%), a lack of data classification (38%), a lack of cooperation with other people in the organization (31%), policies and procedures do not reflect current practices (31%), and a lack of executive buy-in (23%).

One of the biggest security wins when it comes to phishing defense is implementing phishing-resistant multi-factor authentication (passwordless), yet despite the calls from CISA to implement phishing-resistant multi-factor authentication, only 9.4% of respondents who had implemented some form of multi-factor authentication used this gold standard. 57% of respondents were still reliant on basic single-factor authentication.

While the survey suggests improvements are being made to cybersecurity at healthcare organizations in response to the high threat level, there are still many challenges to overcome and while the problem of recruitment is unlikely to be resolved in the near future, healthcare organizations could do more and provide the cybersecurity staff they have with more support.

You can access the 2022 HIMSS Healthcare Cybersecurity report here.

The post Survey Highlights Ongoing Healthcare Cybersecurity Challenges appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) has released an updated version of its Zero Trust Maturity Model, the purpose of which is to help federal agencies adopt zero trust security. While the guidance is primarily intended for federal agencies, it can be used by any organization looking to improve its security posture through zero trust.

The traditional approach to security involves perimeter defenses to keep unauthorized individuals out of protected internal networks, where anyone inside the network is trusted. The perimeter security model has served organizations well for many years, but it is only effective when there is a border to protect and the vast majority of IT resources and critical assets are inside that border. Today, most networks are not entirely on-premises and remote working is now common, so many trusted individuals are outside of the border. Further, with perimeter security, if the perimeter is breached, an attacker could compromise large parts of the network, IT resources, and critical data. Zero trust is based on the assumption that a network has already been compromised and limits access to data, networks, and infrastructure to the minimum level, then constantly assesses the legitimacy of access through continuous verification.

CISA’s Zero Trust Maturity Model is based on 5 pillars – identity, devices, network, data, and applications and workloads – and can be used to assess the current level of zero trust maturity. Version 2 of the Zero Trust Security Model incorporates recommendations collected through the public comment period and sees the addition of a new maturity stage. There are now four maturity stages in the model – traditional, initial, advanced, and optimal. ‘Initial’ was added as CISA recognizes that organizations have different starting points on their journey to zero trust.

The updated Model also includes several new functions and updates to existing functions, which organizations should consider when they plan and make decisions about zero trust architecture implementation. The updated maturity model also provides a gradient of implementation across each of the five pillars to facilitate the implementation of zero trust, supporting organizations as they make minor advancements on their journey toward the full implementation of zero trust architecture.

“CISA has been acutely focused on guiding agencies, who are at various points in their journey, as they implement zero trust architecture,” said Chris Butera, Technical Director for Cybersecurity, CISA. “As one of many roadmaps, the updated model will lead agencies through a methodical process and transition towards greater zero trust maturity.

The post CISA Updates its Zero Trust Maturity Model appeared first on HIPAA Journal.

Microsoft has announced that its Digital Crimes Unit, the Health Information Sharing and Analysis Center (Health-ISAC), and the cybersecurity firm Fortra are taking action to prevent the legitimate red team post-exploitation tool, Cobalt Strike, from being illegally used by malicious actors for delivering malware and ransomware.

Cobalt Strike is a collection of tools used for adversary simulation that can be used to replicate the tactics and techniques of advanced threat actors in a network and emulate quiet, long-term actors with persistent access to networks. The tool was first developed in 2012 and fast became one of the most widely adopted tools among penetration testers. Cobalt Strike has grown in sophistication over the years, its functionality has been significantly enhanced, and it is part of Fortra’s cybersecurity portfolio.

While the tool is incredibly useful for red team operations, cracked copies of the tool have been circulated within the cybercriminal community and malicious use of the tool by cybercriminals is now increasing. Cobalt Strike is used by multiple ransomware gangs, including Lockbit and Conti, before the group split in 2022. Microsoft reports that Cobalt Strike has been used in more than 68 ransomware attacks on healthcare providers in more than 19 countries around the world. The attacks have prevented access to electronic health records, disrupted critical patient care services, resulted in delays to diagnosis and treatment, and have cost healthcare organizations millions of dollars in recovery and repair costs. The tool was also used in the devastating attack on the Health Service Executive in Ireland and the recent attack on the Government of Costa Rica.

Fortra has taken action to prevent the illegal use of Cobalt Strike, including stringent vetting processes for new customers; however, malicious actors have been using older, cracked versions of the tool to gain backdoor access to machines for distributing malware and accelerating the deployment of ransomware. Microsoft says the exact identities of the malicious actors using the tool are not known, but malicious infrastructure used by those threat actors has been detected in Russia, China, and the United States. In addition to misuse of the tool by financially motivated cybercriminals, advanced persistent threat actors from Russia, China, Vietnam, and Iran are known to have used cracked versions of Cobalt Strike.

Microsoft, Fortra, and Health-ISAC have joined forces to increase efforts to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software. In contrast to Microsoft’s typical efforts to combat cybercrime by disrupting the command-and-control infrastructure of malware families, efforts are being made to remove illegal, legacy copies of Cobalt Strike to prevent further use by malicious actors.

On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the infrastructure used by criminals to facilitate attacks in more than 19 countries. Relevant Internet Service Providers (ISPs) will be notified about the malicious use of the tool and computer emergency readiness teams (CERTs) will assist in taking the infrastructure offline and disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software. Microsoft, Fortra, and Health-ISAC will also be collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF), and Europol’s European Cybercrime Centre (EC3) to prevent misuse of Cobalt Strike.

“Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics,” explained Microsoft. “Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code which are altered and abused for harm.”

The post Microsoft, Fortra, and Health-ISAC Join Forces to Disrupt Malicious Use of Cobalt Strike appeared first on HIPAA Journal.

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about a threat actor that is conducting targeted distributed denial of service (DDoS) attacks on the U.S. healthcare sector. The attacks involve flooding networks and servers with fake Domain Name Server (DNS) requests for non-existent domains (NXDOMAINs), which overloads DNS servers and prevents legitimate DNS requests. These attacks have been conducted since at least November 2022.

DNS servers are used to locate web resources and identify the IP addresses of the requested resources to allow a connection to be made. A DNS Proxy Server will contact the DNS Authoritative Server when a request is received, and if the IP address of that resource is identified, it will be relayed back allowing a connection to be made. In a DNS NXDOMAIN flood DDoS attack, the DNS Proxy Server will be flooded with requests for non-existent domains and the server’s resources will be consumed querying the NXDOMAIN requests with the DNS Authoritative server, and the DNS Authoritative Server will use its resources dealing with the queries.

These requests are usually sent to the DNS Proxy server by a botnet – an army of malware-infected devices under the control of the attacker. Depending on the scale of the attack, legitimate DNS requests will be slowed down or may even be completely prevented, thus stopping legitimate users from accessing a website or web application.

These attacks tend to be relatively short-lived, lasting several hours to a few days. During an attack on a healthcare provider’s domain, patients may be prevented from accessing appointment scheduling applications and patient portals, and a healthcare provider’s website may be rendered inaccessible. Staff may also be prevented from accessing web applications.

These attacks are typified by large amounts of DNS queries for non-existent hostnames under legitimate domains, UDP packets encapsulated in IPv4 and IPv6, widely distributed source IPs, potentially spoofed source IPs, and DNS servers generating lots of NXDOMAIN errors.

Blocking these attacks is difficult as the devices that are part of the botnet are often widely distributed and the botnet may consist of several thousand devices. While it may not be possible to block an attack in progress, there are mitigations that can limit the impact of these attacks. These include blackhole routing/ filtering out suspected domains and servers, implementing DNS Response Rate Limiting, blocking further requests from the client’s IP address for a limited period, ensuring cache refresh takes place, reducing the timeout for recursive name lookup to free up resources in the DNS resolver, increasing the time-to-live (TTL) on existing records, and applying rate limiting on traffic to overwhelmed servers.

While HC3 did not confirm the source of these attacks, the healthcare sector is being targeted by the hacktivist group, Killnet, in response to U.S. Congress’ support for Ukraine. Killnet has been active since at least January 2022, and has stepped up its attacks on the U.S healthcare sector in recent months.

The post HC3 Warns of DNS NXDOMAIN DDoS Attacks on the Healthcare Sector appeared first on HIPAA Journal.

Ransomware and phishing attacks on organizations have increased over the past 12 months as have the costs associated with the attacks. In 2022, the average cost of a data breach increased to $4.35 million and $10.1 million for healthcare data breaches (IBM Security).

Due to the high costs and reputational damage caused by data breaches, cybersecurity teams are being pressured into keeping cyberattacks and data breaches quiet, even though there are often legal requirements for reporting data breaches. The recently published Bitdefender 2023 Cybersecurity Assessment has revealed the extent to which cybersecurity teams are being pressured into staying silent about data breaches. In the United States, 74.7% of respondents said they had experienced a data breach or data leak in the past 12 months and 70.7% of those respondents said they had been told to keep a security breach confidential when it should have been reported. 54.7% of respondents said they did keep a security breach confidential when they knew it should be reported.

Bitdefender’s survey suggests healthcare organizations are failing to report data breaches. 28.6% of healthcare respondents said they were told not to report a security incident that should have been reported and did not report the breach. In the United States, 78.7% of respondents said they are worried that their company will face legal action due to the incorrect handling of a security breach.

Bitdefender also asked IT professionals about the biggest threats that they now face. In the United States, the biggest perceived threats were software vulnerabilities/zero days (80%), supply chain attacks (73.3%) phishing/social engineering (58.7%), insider threats (50.7%), and ransomware (45.3%), with the human factor the biggest concern for business leaders. The biggest security challenges faced by U.S. organizations were extending security capabilities across multiple environments (49.3%), complexity (49.3%), incompatibility with other security solutions (32.1%), and reporting capabilities (40%).

Respondents were also asked about the biggest security myths that they would love to see busted. The biggest bugbear was that the organization is not a target for cybercriminals (42.7%), closely followed by using non-corporate approved apps is not a big deal (40%), that security is the sole responsibility of the IT department (36%), and emails that are delivered to inboxes are always safe to click/open (36%).

Given the increase in cyberattacks on U.S. organizations, it is reassuring that 78.7% of respondents said they are planning to increase their security budgets. 49.3% of respondents said they were planning to cut back on new cybersecurity tech purchases and 38.7% said they were cutting back on new cybersecurity hires, as organizations look to security vendors to provide assistance. 95% of respondents said they are planning on increasing the number of security vendors, and 90% said they are looking for holistic, all-in-one security solutions to ease the burden and avoid compatibility issues.

The survey for the report was conducted by Censuswide on 400 IT professionals from junior IT managers to CISOs, in organizations with 1000+ employees in the USA, UK, Germany, France, Italy, and Spain.

The post Security Teams Pressured into Keeping Quiet About Security Breaches appeared first on HIPAA Journal.

Almost all organizations experienced at least one cyberattack in the past 12 months, according to new research published by Sophos in its State of Cybersecurity 2023 Report. The findings come from an independent study of 3,000 leaders with responsibility for cybersecurity across 14 countries, including the United States. 94% of respondents said they had to deal with at least one cyberattack on their organization in the past 12 months.

Malicious actors are increasingly using automation and cybercrime-as-a-service offerings to conduct sophisticated cyberattacks at scale, and network defenders are finding it increasingly difficult to defend against these threats. The problem has been compounded by a shortage of expertise due to the global lack of cybersecurity professionals.

The extent to which IT teams are having to investigate and respond to potential intrusions is limiting their ability to complete other IT projects and dedicate time to strategic projects, and IT teams are overworked and overwhelmed. The survey confirmed that IT teams feel they are constantly on the back foot and that they are unable to get ahead and proactively improve their defenses and reduce their workload. It is no surprise that 93% of respondents admitted that executing essential security operations was challenging.

The workload of security teams has become so great that there is simply not enough time to investigate all security alerts. 93% of respondents admitted to only investigating fewer than half of all security alerts that are generated about potential malicious activity, and 71% of organizations said they struggle to identify and prioritize the alerts and events to investigate. The time that must be devoted to investigating high-priority security alerts is considerable, with the full detection, investigation, and response process typically taking 9 hours for organizations with up to 3,000 employees and up to 15 hours for larger organizations. More than half of surveyed IT professionals think cyberthreats are now so sophisticated that they are unable to deal with the threats on their own, with 64% of small businesses feeling that way. Data exfiltration, phishing, ransomware, extortion, and DDoS attacks were the biggest security concerns for 2023, with the biggest security risk perceived to be security tool misconfiguration.

It can be a struggle to get one step ahead of malicious actors, but the researchers suggest this is possible with a comprehensive, but straightforward approach that is focused on optimizing prevention, reducing exposure, and disrupting adversaries to buy defenders time to respond. Sophos recommends creating a scalable incident response process, minimizing the attack surface as far as possible, improving prioritization of the alerts that need to be investigated, and using specialist services to optimize the response time. The researchers recommend implementing adaptive defenses that are able to slow down adversaries to give network defenders time to respond. The last step is to “set up a virtuous cycle that combines technology and human expertise to turbo-charge defenses, enabling an increase in speed, efficacy, and impact.  Together they accelerate the defender flywheel, enabling them to pull ahead.”

The post 94% of Organizations Experienced a Cyberattack in 2022 appeared first on HIPAA Journal.

Hackers are increasingly using cloud apps for malware delivery, according to the latest Netskope Threat Labs Report. Historically, malicious actors have relived on email and malicious URLs for malware delivery and security solutions have been developed to protect against these attack vectors. Secure email gateways can detect and block malicious email attachments and URL filtering blocks access to malicious websites and as defenses against these vectors have improved, threat actors have had to look for alternative ways to deliver their malicious payloads and many are now taking advantage of the increasing popularity of enterprise cloud apps.

As is the case with other industries, cloud apps have proven popular in healthcare for improving productivity and supporting a remote workforce. The average enterprise healthcare user interacts with 22 cloud apps a month, with 94% of enterprise healthcare users downloading data from cloud apps each month. The most popular cloud apps in healthcare are OneDrive, Microsoft Teams, SharePoint, and Google Drive, with OneDrive used by 36% of enterprise healthcare users each day.

These cloud apps are being increasingly used by malicious actors for malware delivery, according to Netskope. Cloud apps were leveraged in 38% of malware infections in March 2022, and 42% of malware infections in February 2023. By utilizing cloud apps for malware delivery, malicious actors are able to bypass standard security solutions such as spam and URL filters, which do not inspect cloud traffic.

OneDrive is the most popular cloud app in healthcare, and it is the one that is most frequently abused by malicious actors for malware delivery, followed by the free web hosting service, Weebly, and the cloud-based content management, file sharing, and collaboration app, Box. Malware infections through Box were 6.6% higher in healthcare than in other industries and accounted for 12% of malware infections.

The malware most commonly delivered through web apps over the past 12 months is Trojans, which provide threat actors with an initial foothold in a network. Trojans are delivered by initial access brokers who sell that access to other cybercriminal groups or use that foothold to deliver other malware or legitimate tools that allow them to move laterally and achieve a much more extensive compromise. Downloaders are also commonly distributed via cloud apps, followed by file-based exploits for exploiting known unpatched vulnerabilities, information stealers, and backdoors.

As cloud apps become more popular and data uploads and downloads from cloud apps increase, abuse of these apps is only likely to increase and they are a potential weak point in security. It is important to inspect all HTTP and HTTPS downloads, including those from cloud apps, and to subject all risky file types – such as executable files – to static and dynamic analysis before they are downloaded. Consider restricting access to or blocking downloads from cloud apps that you do not specifically authorize for use, and block uploads to those apps to limit the potential for data exposure. Netskope also recommends implementing an intrusion prevention system that is capable of identifying and blocking malicious traffic patterns.

The post Hackers Increasingly Targeting Cloud Apps for Distributing Malware appeared first on HIPAA Journal.