Healthcare Cybersecurity

HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework

Posted by HIPAA Journal

A new guide has been published by the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) to help healthcare organizations align their cybersecurity programs with the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The NIST Cybersecurity Framework is one of the most widely adopted frameworks for identifying and managing cybersecurity risks. The framework was released by NIST in 2015, updated in 2018, and the NIST CSF 2.0 is due for release later this year. The NIST CSF is based on five core functions – Identify, Protect, Detect, Respond, and Recover – and suggests cybersecurity controls that can be implemented in all five functional areas. The framework also includes four tiers against which organizations can rate their adoption of the framework, which allows them to communicate how there are achieving their cybersecurity objectives in a standardized way. The NIST CSF has become the standard cybersecurity framework for government agencies and private sector companies for managing cybersecurity risks.

The healthcare industry is extensively targeted by cybercriminal groups and nation-state actors and must defend against increasingly sophisticated and numerous threats. Healthcare organizations typically have fragmented infrastructures, legacy systems, huge numbers of applications, and must protect an ever-increasing number of network-connected medical devices. Consequently, many healthcare organizations struggle with managing cybersecurity effectively.

“Healthcare cyberattacks are among the fastest growing type of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” said Dawn O’Connell, HHS  Assistant Secretary for Preparedness and Response. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”

According to the HSCC, a comprehensive cybersecurity framework – such as the NIST CSF – will “provide a common language and structure for discussions around risk and the methods and tools used to manage risk to a level that is not only acceptable to the organization but to other stakeholders such as business partners, customers, and industry and governmental regulators.” Healthcare organizations that base their cybersecurity programs on the NIST CSF can better direct capital, operational, and resource allocations to lines of business generating the greatest return on protecting assets/information and minimizing risk exposure.

While the NIST CSF has been developed to be suitable for organizations of all sizes in all industry sectors, some healthcare organizations have struggled to adopt the framework. The Cybersecurity Framework Implementation Guide is intended to help healthcare organizations adopt the NIST CSF and details specific steps that can be taken to immediately manage cyber risks to their IT systems and better protect against the full range of cyber threats. The guide will help healthcare organizations to assess their current cybersecurity practices and risks and identify gaps for remediation.

“With data breaches having doubled over the past five years and ransomware attacks reaching almost 400 in the same period, it is clear that the healthcare industry needs to up its game, said Bryan Cline, industry lead for the guide and Chief Research Officer for HITRUST. “Health industry stakeholders of all sizes and subsectors can reduce their cyber risk exposure by implementing this resource and many others produced by the HSCC and government partners.”

The Cybersecurity Framework Implementation Guide was jointly developed by the HSCC and the HHS, and NIST and other federal agencies contributed substantially to its content. “The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program – the ‘Health Industry Cybersecurity Practices’ –which is aligned with the NIST Cybersecurity Framework.  With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the sector more resilient,” said HSCC Cybersecurity Working Group Chair and Intermountain Healthcare CISO Erik Decker.

The post HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework appeared first on HIPAA Journal.

Cybercriminals Adopt Corporate Tactics to Address Declining Revenues

Posted by HIPAA Journal

Cybercriminal groups have been experiencing declining revenues. Just like the businesses they attack, when profits start to fall, changes need to be made. Cybercriminal groups appear to be mirroring legitimate businesses and are using similar tactics when faced will falling profits, according to a recent report from Trend Micro.

Ransomware gangs in particular have seen profits take a nosedive, with ransom payments decreasing by 38% year-over-year as victims refuse to pay up, even when there is the threat of publication of stolen data. The gangs have responded by changing their tactics and are becoming more professional. When their brand image becomes tarnished, they simply rebrand. This helps them to stay under the radar but also deals with the image crisis. Conti, one of the most prominent, active, and professional ransomware groups, disbanded when the brand became toxic, with its members splitting into several smaller groups such as Black Basta, Karakurt, Royal, and BlackByte.

Cybercriminal groups have started diversifying their portfolios, placing less reliance on the ransomware attacks that are becoming less profitable. Several ransomware gangs have developed ransomware variants in Rust, which allows them to expand their attacks from Windows and MacOS to Linux systems. Trend Micro also reports that ransomware groups have shifted their focus to monetizing exfiltrated data and are moving to other criminal business models such as BEC attacks, stock fraud, cryptocurrency theft, and money laundering.

While cybercriminals are working on ways to maximize profits once access to victims’ networks has been gained, the methods used to gain initial access have largely remained unchanged. The most common method of access is targeting remote services, often using valid accounts for services that accept remote connections such as telnet, SSH, and VNC. Once access is gained, they proceed as the logged-in user and attempt to expand their footprint by escalating privileges and moving laterally.

Cybercriminals are relying less on phishing as an initial access method following the move by Microsoft to start disabling macros in Office documents by default in documents downloaded from the Internet. Following that move, cybercriminals have started exploring alternative initial access vectors such as malvertising and HTML smuggling.

Trend Micro reports an increase in the use of malicious adverts for key business search terms, with the adverts directing users to malicious sites. HTML smuggling involves HTML attachments to emails, with the HTML file smuggling a ZIP file with an ISO file that has a LNK file that loads a malicious payload. There has also been an increase in living-off-the-land techniques, such as abusing penetration testing tools such as Cobalt Strike and Brute Ratel.

The number of critical vulnerabilities reported in 2022 doubled from 2021, due to the rapidly evolving attack surface. Trend Micro also reports a sizeable increase in the number of failed patches, which the company attributes to vendors rapidly releasing patches to fix a problem, without investing the time to investigate and fix the underlying issue.

In 2022, threat actors switched from exploiting Microsoft Exchange vulnerabilities to Log4J vulnerabilities to gain access to networks. Threat actors are staying up to date on the latest vulnerabilities and are rapidly adding new exploits to their arsenals and are conducting their attacks before organizations can implement the patches. There was also a notable rise in attacks on cloud infrastructure, notably for crypto mining attacks.

SonicWall reported a 2% year-over-year increase in malware detections in 2022; however, Trend Micro’s data suggest a much more alarming increase of 55%. The company reports a 242% increase in blocked malicious files, an 86% increase in backdoor malware detections, and a 103% increase in web shell detections, which are now the most common malware.

In 2022, ransomware attacks were still common, with LockBit and BlackCat the top ransomware families. Rather than target large organizations, there has been growth in attacks on small and mid-sized organizations, where the attacks are likely to have the biggest impact. More than 79% of all attacks were conducted on small or mid-sized organizations (under 10,000 employees), with 51% of attacks on organizations with fewer than 200 employees.

“Threat actors are leaning into more legitimate business tactics and professional operations, employing the same kinds of programs and corporate strategies as their victims. Not only are they innovating in terms of tools and targets, but they are also building resilient organizations that do not rely on singular methods of attack or a particular target pool. They can exploit multiple areas of the attack surface in a single campaign,” explained Trend Micro in the report.

Implementing an effective security strategy can be a challenge, especially due to the current shortage of cybersecurity professionals. Trend Micro suggests in the report that organizations should ensure they cover asset management, secure their cloud infrastructure, implement proper security protocols to minimize the potential for vulnerability exploitation, and ensure they gain visibility into the full attack surface and put systems in place to protect all potential access points.

The post Cybercriminals Adopt Corporate Tactics to Address Declining Revenues appeared first on HIPAA Journal.

Suspected DoppelPaymer Ransomware Core Members Arrested in Europol-Led Operation

Posted by HIPAA Journal

Two individuals suspected of being core members of the DoppelPaymer ransomware gang have been arrested by police officers in Germany and Ukraine German Regional Police and Ukrainian Police officers as part of a coordinated law enforcement operation involving the Dutch Police (Politie), the Federal Bureau of Investigation (FBI), and coordinated by Europol.

The operation saw coordinated raids on multiple locations in Germany and Ukraine resulting in two arrests and the seizure of IT equipment suspected of being used in multiple worldwide attacks. The equipment is currently under forensic investigation.

DoppelPaymer ransomware first appeared in 2019. Since then, the ransomware has been used in dozens of attacks on critical infrastructure organizations and industries, and private companies. The ransomware is based on BitPaymer ransomware, which is part of the Dridex malware family. The DoppelPaymer gang worked closely with the operators of Emotet malware and used the botnet for distributing their ransomware payloads. The group was also known to use phishing emails with malicious attachments for gaining initial access to victims’ networks. The DoppelPaymer gang engaged in double extortion tactics, where sensitive data were exfiltrated before files were encrypted and ransom demands were issued to prevent the release of data on the group’s data leak sites and for the decryption keys to recover encrypted data.

DoppelPaymer rebranded as Grief in July 2021 and since then attacks have been conducted at a much lower level. Peak activity occurred in late 2019 and early 2020, then attack volume reduced to just a few attacks a month. In recent months, attacks have been conducted at a very low level.

While DoppelPaymer was not one of the most prolific ransomware operations, German authorities said they are aware of at least 37 attacks in the country, including an attack on University Hospital in Düsseldorf. The FBI said attacks in the United States resulted in ransom payments of at least $42 million between May 2019 and March 2021. The group was behind attacks on Kia Motors America, Compal, Foxconn, and Delaware County in Pennsylvania. The group’s primary targets were believed to be organizations in healthcare, the emergency services, and education.

The individual arrested in Germany is believed to be a core member of the group. At the same time, law enforcement authorities in Ukraine interrogated another suspected core member, which led to raids on two addresses in Kyiv and Kharkiv where IT equipment was seized.

Europol said the information gathered during this operation is likely to lead to further investigative activities. Authorities in Germany believe the DoppelPaymer operation had five core members who were responsible for maintaining the group’s infrastructure and data leak sites, deploying the ransomware, and handling ransom negotiations. Arrest warrants have been released for those three individuals.

They are Igor Garshin/Garschin, who is suspected of being involved in reconnaissance, breaching victim networks, and deploying DoppelPayme ransomware. Igor Olegovich Turashev is suspected of playing a major role in attacks in Germany and was an admin for the infrastructure and malware, and Irina Zemlianikina is believed to be responsible for the initial stage of the attacks, including sending phishing emails, as well as maintaining the chat system and data leak sites and publishing stolen data.

Turashev, a Russian national, is also wanted by the FBI for his role in the administration of the Dridex malware. Turashev was indicted in November 2019 and charged with conspiracy, conspiracy to commit fraud, wire fraud, bank fraud, and intentional damage to a computer, and a warrant for his arrest was issued by the FBI in December 2019.

The post Suspected DoppelPaymer Ransomware Core Members Arrested in Europol-Led Operation appeared first on HIPAA Journal.

Losses to Phishing Attacks Increased by 76% in 2022

Posted by HIPAA Journal

Losses to phishing attacks increased by 76% last year, with almost one-third of companies losing money to successful phishing attacks according to Proofpoint’s recently published 2023 State of the Phish Report. In 2022, more than 4 out of 5 surveyed organizations experienced at least one successful phishing attack, with more than half of those organizations experiencing at least three successful phishing attacks. The data for the report came from a global survey of 7,500 working adults, 1,050 IT security professionals, and the results of more than 135 million simulated phishing emails over 12 months.

Phishing is one of the most commonly used initial access vectors in cyberattacks, commonly leading to costly account compromises, data breaches, and ransomware attacks. Phishing is usually associated with email, but 2022 saw a marked increase in telephone-oriented attack delivery (TOAD). These attacks typically involve emails urging the recipient to call a customer service hotline to resolve a security or account issue. Call centers are established – often in India – and the operators convince victims to install remote access software, install malware, or instruct them to transfer money.  Proofpoint says during peak times, more than 6000,000 TOAD messages were sent per day last year, with message volume averaging between 300,000  and 400,000 per day. TOAD attacks have increased steadily since 2021 due to the success of this technique. Since the initial contact occurs via email with no hyperlinks or attachments, email security solutions fail to quarantine or reject the messages ensuring a high delivery rate.

In response to the move by Microsoft to disable macros in Internet-delivered Office documents and increasing adoption of multi-factor authentication, cyber threat actors have had to get more creative and develop new techniques for malware delivery and phishing methods capable of bypassing MFA are being adopted at scale. Proofpoint reports an increase in MFA bypass by phishing-as-a-service providers, who now offer that capability in their off-the-shelf phishing kits. Rather than directing users to phishing websites, these adversary-in-the-middle attacks allow threat actors to present legitimate websites to victims and capture credentials and MFA codes/session cookies, allowing access to accounts that are protected by MFA. These attacks were conducted at scale in 2022 and pose a significant threat to organizations of all sizes.

The phishing simulation data highlights continued problems in human defenses and a lack of security awareness among employees. Teaching security best practices and training employees how to recognize threats such as phishing can significantly improve security posture and while more organizations are investing in training for employees, only 55% of organizations have a security awareness program for all employees and despite the benefits of conducting phishing simulations, only 35% of organizations use phishing simulations as part of the training process.

Awareness of cyber threats is improving but there is still a long way to go. For instance, 44% of people think emails are safe if they contain familiar branding, and even basic cybersecurity concepts are still poorly understood. One-third of working adults were unable to define malware, phishing, and ransomware, and there has been little change in understanding since 2021. One-third of people took risky actions such as clicking links in emails, opening attachments, or downloading malware, and alarmingly, 63% of the adults surveyed thought links in emails always direct them to the matching website or brand. Poor password practices also persist. 28% of users admit to reusing passwords for multiple work-related accounts, 26% save work passwords in their browsers, 16% manually rotate 1-4 passwords, and only 18% of respondents use a password manager.

The majority of surveyed organizations said they have implemented at least some form of security awareness training, but many are struggling to make those programs effective. 27% of respondents said failure rates to phishing emails have largely remained unchanged, even after conducting security awareness training. That suggests more time and effort needs to be put into training, especially as 80% of organizations admitted to providing only 2 hours or less of training each year. The full findings and recommendations are available in the Proofpoint report.

The post Losses to Phishing Attacks Increased by 76% in 2022 appeared first on HIPAA Journal.

Biden Administration Announces New National Cybersecurity Strategy

Posted by HIPAA Journal

The Biden Administration has announced a long-awaited new national cybersecurity strategy for tackling the growing threat of cyberattacks on critical infrastructure, disrupting cyber threat operations, and improving cyber resilience against malicious cyber activity from cybercriminal groups and nation-state actors. The aim is to ensure a safe and secure digital ecosystem for all Americans and that requires fundamental shifts in roles, responsibilities, and resources in cyberspace and a shifting of the burden of cyber resilience away from individuals, small businesses, and local governments onto the multi-billion dollar technology companies that provide software and information technology.

The new strategy will involve a more intentional, better coordinated, and more well-resourced approach and a realigning of incentives to favor long-term investments in cybersecurity to achieve a better balance between defending against current threats and planning for and investing in a cyber-resilient future. The new cybersecurity strategy sets a path to address current and future threats to protect investments in rebuilding America’s infrastructure, develop the clean energy sector, and re-shore America’s technology and manufacturing base. The aim is to make the digital ecosystem of the United States more defensible and make cyber defense easier, cheaper, and more effective.

The new cybersecurity strategy is based on five pillars:

  • Defend Critical Infrastructure
  • Disrupt and Dismantle Threat Actors
  • Shape Market Forces to Drive Security and Resilience
  • Invest in a Resilient Future
  • Forge International Partnerships to Pursue Shared Goals

To better defend critical infrastructure the government will expand minimum cybersecurity requirements in critical sectors and harmonize regulations to reduce the burden of compliance. Public-private collaboration will improve at the speed and scale necessary to defend against cyber threats, federal networks will be modernized, and cyber incident response policies will be improved.

The Biden Administration has already taken steps to accelerate efforts to disrupt cyber threat operations and dismantle the infrastructure used in attacks, and all tools of national power will be used to continue that mission. The private sector will be engaged to assist and provide scalable mechanisms to achieve those aims, and the ransomware threat will be tackled through a comprehensive federal approach, assisted by international partners.

Improving security and resilience will not be possible without comprehensive assistance from vendors, who must shoulder more of the responsibility of protecting against cyber threats. Liability for protecting against threats will shift from individuals and companies to the developers of software products and services, and federal grant programs will be introduced to promote investments in secure and resilient infrastructure.

To ensure a resilient future, strategic investments are required in people and technology. Through coordinated, collaborating action, the United States will lead the world in secure and resilient next-generation technologies and will help to reduce systemic technical Internet vulnerabilities, prioritize cybersecurity R&D for next-generation technologies, and develop a diverse and robust national cyber workforce.

International coalitions and partnerships will be forged with like-minded nations to counter cyber threats, the capacity of partners to defend themselves will be increased, and investments will be made to ensure trustworthy global supply chains for IT and communications technology and OT products and services.

“I’m pleased to see the Biden Administration advocating for the kind of best practices that I’ve long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation’s critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards,” said Senator Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee.

“I’m particularly pleased to see the Administration prioritize the coordination of cyber incident reporting requirements, as required by the cyber reporting law I was proud to author. I’m also glad to see the Administration’s renewed focus on protecting the sensitive medical data and safety of Americans as cyber attacks on our health care systems become more frequent and aggressive,” added Warner.

“The latest National Cybersecurity Strategy is a strong signal that industry’s continued partnership and collaboration in building resiliency across U.S. critical infrastructure is needed now more than ever. We recognize the importance of rebalancing and enhancing how we collectively defend national interests, privacy, intellectual property, and critical systems in cyberspace,” said Stacy O’Mara, Senior Leader, Global Government Strategy, Policy, and Partnerships, Mandiant.

“Mandiant looks forward to promoting evolution of the private-public partnership model as outlined in the Strategy to compensate for resource-restricted, at-risk sectors and entities that need collective assistance to defend themselves. We see this call to action as a timely opportunity to better align our collective defense to the threat landscape by taking a risk-based approach to prioritize  threats, capabilities, resources, and investments.”

The post Biden Administration Announces New National Cybersecurity Strategy appeared first on HIPAA Journal.

Survey Reveals a Majority of Americans Are Uncomfortable with AI in Healthcare

Posted by HIPAA Journal

A recent survey conducted by the Pew Research Center found a majority of Americans are uncomfortable with their healthcare providers using artificial intelligence tools to aid the diagnosis and treatment, indicating a need to improve education on the benefits of AI in healthcare.

60% of respondents expressed discomfort with the use of AI in care settings, with 39% of respondents saying they are comfortable with their care providers relying on AI for medical care. 38% of respondents believe AI will lead to better health outcomes, such as faster diagnosis and treatment, with 33% of respondents believing AI would result in worse health outcomes. 27% of respondents said they didn’t think AI would make much difference to patient outcomes.

When probed about the potential benefits of AI in healthcare, 40% of respondents believe AI will reduce the number of mistakes by healthcare providers, such as misdiagnosis or the failure to diagnose a disease, compared to 27% who thought medical mistakes would increase. Out of the respondents who believe there is a problem with racial and ethnic bias in healthcare, 51% believe the situation would improve with AI whereas 15% said they believe the problem would get worse if AI was used to diagnose diseases and recommend treatments.

Other notable concerns about the use of AI include the privacy and security of sensitive health information. 37% of respondents believe AI will make health information less secure, compared to 22% who believe that security would improve. There is also a fear that healthcare providers will adopt AI systems too quickly before the systems have been fully tested and the risks are fully understood. Only 23% of respondents believe adoption will occur too slowly, resulting in missed opportunities.

The biggest perceived problem with AI that was identified by the survey is the potential for patient-provider relationships to deteriorate. 78% of respondents believe relationships between patients and their healthcare providers will get worse if AI is used in the diagnosis and treatment of patients, with only 13% of respondents believing relationships would improve.

The greatest support for AI in healthcare is among younger adults and men, especially individuals with higher levels of education. 46% of men say they are comfortable with AI in healthcare, compared to 33% of women, with the highest support in the 18-29 age range (44%). Support falls to 35% in the over 50 age range. Individuals in the upper-income bracket were most in favor (49%) compared to 36% with HS or lower levels of education. Interestingly, even when individuals have heard a lot about AI, only 50% said they were comfortable with its use in healthcare.

When asked about specific applications of AI in healthcare, 65% of respondents said they would like AI to be used in their own skin cancer screenings; however, there was far less support for the other uses explored by Pew Research. 67% of respondents are opposed to the use of AI to determine the amount of pain medication prescribed, 59% would not want AI-powered robots conducting surgery, and 79% said they would not want AI chatbots to be used to support mental health.

The survey was conducted on 11,004 adults in the United States between December 12 and December 18, 2022.

The post Survey Reveals a Majority of Americans Are Uncomfortable with AI in Healthcare appeared first on HIPAA Journal.

On-the-Spot Intervention 95% Effective at Preventing Further Unauthorized Medical Record Access

Posted by HIPAA Journal

Defenses need to be put in place to detect and block attempts by cybercriminals to access healthcare networks, but not all threats are external. Each year, many data breaches are reported by hospitals and medical practices that involve unauthorized access to medical records by employees. These data breaches include non-malicious snooping on the medical records of colleagues, friends, family members, and high-profile patients, and insider wrongdoing incidents where patient data is stolen for identity theft and fraud or to take to a new employer. The healthcare industry has historically had a far bigger problem with insider data breaches than other industry sectors.

The study, recently published in the JAMA Open Network, was conducted at a large academic medical center and explored the effectiveness of email warnings in preventing repeated unauthorized access to protected health information by employees. Over a 7-month period in July 2018, the medical center’s PHI access monitoring system flagged 444 instances where employees accessed the medical records of patients when they were not authorized to do so. 49% of those employees (219) were randomly selected and were sent an email warning on the night when the unauthorized access was detected, and the remaining employees received no warnings and served as the control group.

The emails explained that the automated system had detected unauthorized medical record access and advised the employees that this was a privacy violation, as the medical center has a strict policy in place that prohibits accessing the medical records of individuals such as friends, family members, colleagues, and acquaintances unless they have written authorization to do so. No disciplinary action was taken against the employees for the duration of the study, but all employees were later disciplined per the medical center’s sanctions policy.

The study found that only 4 of the 219 employees (2%) who received an email warning repeated the offense, compared to 90 employees in the control group (40%). In the email warning group, the 4 repeat offenses occurred between 20 and 70 days after the initial unauthorized access. 88% of repeat violations by the control group occurred within 10 days of the initial offense, and 17% occurred after 90 days. On-the-spot intervention was found to be 95% effective at preventing further unauthorized access, and email warnings continue to be used by the medical center as a critical access control measure.

The study – Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information – was co-authored by Nick Culbertson, CEO and Co-Founder of Protenus; John Xuefeng Jiang, Ph.D., Professor, Plante Moran Faculty Fellow, Department of Accounting & Information Systems at Michigan State University; and Dr. Ge Bai, Ph.D., CPA, Professor of Accounting at Johns Hopkins Carey Business School.

The post On-the-Spot Intervention 95% Effective at Preventing Further Unauthorized Medical Record Access appeared first on HIPAA Journal.

Healthcare Organizations Warned About MedusaLocker Ransomware Attacks

Posted by HIPAA Journal

The healthcare and public health (HPH) sector has been warned about cyberattacks involving MedusaLocker ransomware – one of the lesser-known ransomware variants used in cyberattacks on the sector. The HPH sector has been extensively targeted by prolific ransomware groups using ransomware variants such as Clop, Royal, and BlackCat, but attacks involving these lesser-known variants can be just as damaging.

The threat actor behind MedusaLocker is believed to run a ransomware-a-service operation, where affiliates are recruited by the group to conduct attacks for a cut of any profits they generate, which is believed to be around 55%-60% of the ransom payment for MedusaLocker ransomware affiliates. The ransomware variant was first detected in September 2019 and the group is thought to primarily target the HPH sector. Since 2019, the majority of attacks have used phishing and spam emails with malicious attachments as the initial access vector. When the attachments are opened, a connection is made to the command-and-control server, and a script and the ransomware payload are downloaded. Propagation is believed to occur via WMI.

In 2022, the group started to leverage vulnerabilities in Remote Desktop Protocol, and this now appears to be the preferred initial access vector. The group exploits vulnerable RDP services and compromises legitimate RDP accounts using brute force tactics to guess weak passwords. After gaining access to victims’ networks, the group establishes persistence through registry entries, escalates privileges, moves laterally, exfiltrates data, then deploys the ransomware. MedusaLocker ransomware uses a hybrid encryption approach, first encrypting files with an AES-256 symmetric encryption algorithm, then encrypting the secret key with RSA-2048 public-key encryption. Backup copies of encrypted files are deleted to prevent recovery without paying the ransom. While the group behind MedusaLocker has a network of Russian hosts for conducting attacks, the group also leverages U.S. infrastructure, including using the compromised infrastructure of data centers and U.S. universities as redirects to obfuscate their attacks.

The Health Sector Cybersecurity Coordination Center (HC3) explained some of the known tactics, techniques, and procedures used by the group and suggests several mitigation measures. Since the group now favors RDP compromise, it is important to ensure that RDP instances have multiple levels of access and authentication controls. HC3 recommends monitoring RDP utilization, flagging and investigating first-time-seen and anomalous behavior such as failed login attempts, and implementing a robust account lockout policy to defend against brute force attacks.

RDP should never be exposed to the Internet, the patching of RDP vulnerabilities should be prioritized, strong passwords should be set, multi-factor authentication implemented on accounts, and if remote users need to access the corporate network via RDP, a VPN should be used. HC3 also recommends restricting access to the Remote Desktop port to trusted IP addresses and changing the default RDP port from 3389 to another port. To protect against phishing attacks, healthcare organizations should consider disabling hyperlinks in emails and adding a banner to all emails that have been received from an external email address.

You can view the HC3 MedusaLocker Ransomware Analyst Note on this link (PDF)

The post Healthcare Organizations Warned About MedusaLocker Ransomware Attacks appeared first on HIPAA Journal.

HC3 Issues HPH Sector Alert Following Suspected Clop Cyberattacks

Posted by HIPAA Journal

In Early February, a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer software (CVE-2023-0669) was exploited in attacks on more than 130 organizations, including several in the healthcare industry such as Community Health Systems (CHS) in Tennessee. That attack affected up to 1 million patients. Fortra issued an alert about the vulnerability in early February when it was discovered to have been exploited in attacks and issued workarounds to prevent exploitation ahead of an emergency patch being released, which was made available on February 7.

The attacks have prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue a further warning about the Clop ransomware group, which claimed responsibility for the attacks. According to Clop, the attacks occurred over a period of around 10 days. The group claims to have exploited the vulnerability – a pre-authentication remote code execution vulnerability in the License Response Servlet – allowing the theft of sensitive data. Clop typically uses ransomware to encrypt files after exfiltrating sensitive data, then issues a ransom demand and a threat to publicly release data if payment is not made. In these attacks, the group said it could have deployed ransomware but chose not to do so, instead opting for an extortion-only approach.

Clop is a Russia-linked ransomware group that has been active since at least February 2019, when the first observed attack was conducted by a threat group tracked as TA505 – the group behind the infamous Dridex banking Trojan. Clop (or Cl0p) is the name of the ransomware variant deployed in attacks, which have largely been conducted on organizations in the HPH sector and other critical infrastructure operators. A law enforcement operation against Clop saw 6 individuals arrested in Ukraine in June 2021; however, the group has continued to operate, apparently unaffected by those arrests and continues to pose a major threat to the healthcare and public health (HPH) sector.

HC3 first issued a warning about the Clop ransomware group in March 2021, and in January this year issued an updated Analyst Note following continued attacks on the HPH sector. While details of some of the tactics, techniques, and procedures used by the Clop ransomware gang have been shared by HC3, the Clop group continues to evolve its tactics as the latest string of attacks has clearly demonstrated.

Defending against cyberattacks by a highly capable threat group that constantly changes tactics can be a challenge; however, HC3 recommends following the advice of many cybersecurity professionals by “prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”

The latest HC3 alert can be found here.

The post HC3 Issues HPH Sector Alert Following Suspected Clop Cyberattacks appeared first on HIPAA Journal.