Cybercriminal groups have been experiencing declining revenues. Just like the businesses they attack, when profits start to fall, changes need to be made. Cybercriminal groups appear to be mirroring legitimate businesses and are using similar tactics when faced will falling profits, according to a recent report from Trend Micro.

Ransomware gangs in particular have seen profits take a nosedive, with ransom payments decreasing by 38% year-over-year as victims refuse to pay up, even when there is the threat of publication of stolen data. The gangs have responded by changing their tactics and are becoming more professional. When their brand image becomes tarnished, they simply rebrand. This helps them to stay under the radar but also deals with the image crisis. Conti, one of the most prominent, active, and professional ransomware groups, disbanded when the brand became toxic, with its members splitting into several smaller groups such as Black Basta, Karakurt, Royal, and BlackByte.

Cybercriminal groups have started diversifying their portfolios, placing less reliance on the ransomware attacks that are becoming less profitable. Several ransomware gangs have developed ransomware variants in Rust, which allows them to expand their attacks from Windows and MacOS to Linux systems. Trend Micro also reports that ransomware groups have shifted their focus to monetizing exfiltrated data and are moving to other criminal business models such as BEC attacks, stock fraud, cryptocurrency theft, and money laundering.

While cybercriminals are working on ways to maximize profits once access to victims’ networks has been gained, the methods used to gain initial access have largely remained unchanged. The most common method of access is targeting remote services, often using valid accounts for services that accept remote connections such as telnet, SSH, and VNC. Once access is gained, they proceed as the logged-in user and attempt to expand their footprint by escalating privileges and moving laterally.

Cybercriminals are relying less on phishing as an initial access method following the move by Microsoft to start disabling macros in Office documents by default in documents downloaded from the Internet. Following that move, cybercriminals have started exploring alternative initial access vectors such as malvertising and HTML smuggling.

Trend Micro reports an increase in the use of malicious adverts for key business search terms, with the adverts directing users to malicious sites. HTML smuggling involves HTML attachments to emails, with the HTML file smuggling a ZIP file with an ISO file that has a LNK file that loads a malicious payload. There has also been an increase in living-off-the-land techniques, such as abusing penetration testing tools such as Cobalt Strike and Brute Ratel.

The number of critical vulnerabilities reported in 2022 doubled from 2021, due to the rapidly evolving attack surface. Trend Micro also reports a sizeable increase in the number of failed patches, which the company attributes to vendors rapidly releasing patches to fix a problem, without investing the time to investigate and fix the underlying issue.

In 2022, threat actors switched from exploiting Microsoft Exchange vulnerabilities to Log4J vulnerabilities to gain access to networks. Threat actors are staying up to date on the latest vulnerabilities and are rapidly adding new exploits to their arsenals and are conducting their attacks before organizations can implement the patches. There was also a notable rise in attacks on cloud infrastructure, notably for crypto mining attacks.

SonicWall reported a 2% year-over-year increase in malware detections in 2022; however, Trend Micro’s data suggest a much more alarming increase of 55%. The company reports a 242% increase in blocked malicious files, an 86% increase in backdoor malware detections, and a 103% increase in web shell detections, which are now the most common malware.

In 2022, ransomware attacks were still common, with LockBit and BlackCat the top ransomware families. Rather than target large organizations, there has been growth in attacks on small and mid-sized organizations, where the attacks are likely to have the biggest impact. More than 79% of all attacks were conducted on small or mid-sized organizations (under 10,000 employees), with 51% of attacks on organizations with fewer than 200 employees.

“Threat actors are leaning into more legitimate business tactics and professional operations, employing the same kinds of programs and corporate strategies as their victims. Not only are they innovating in terms of tools and targets, but they are also building resilient organizations that do not rely on singular methods of attack or a particular target pool. They can exploit multiple areas of the attack surface in a single campaign,” explained Trend Micro in the report.

Implementing an effective security strategy can be a challenge, especially due to the current shortage of cybersecurity professionals. Trend Micro suggests in the report that organizations should ensure they cover asset management, secure their cloud infrastructure, implement proper security protocols to minimize the potential for vulnerability exploitation, and ensure they gain visibility into the full attack surface and put systems in place to protect all potential access points.

The post Cybercriminals Adopt Corporate Tactics to Address Declining Revenues appeared first on HIPAA Journal.

The Biden Administration has announced a long-awaited new national cybersecurity strategy for tackling the growing threat of cyberattacks on critical infrastructure, disrupting cyber threat operations, and improving cyber resilience against malicious cyber activity from cybercriminal groups and nation-state actors. The aim is to ensure a safe and secure digital ecosystem for all Americans and that requires fundamental shifts in roles, responsibilities, and resources in cyberspace and a shifting of the burden of cyber resilience away from individuals, small businesses, and local governments onto the multi-billion dollar technology companies that provide software and information technology.

The new strategy will involve a more intentional, better coordinated, and more well-resourced approach and a realigning of incentives to favor long-term investments in cybersecurity to achieve a better balance between defending against current threats and planning for and investing in a cyber-resilient future. The new cybersecurity strategy sets a path to address current and future threats to protect investments in rebuilding America’s infrastructure, develop the clean energy sector, and re-shore America’s technology and manufacturing base. The aim is to make the digital ecosystem of the United States more defensible and make cyber defense easier, cheaper, and more effective.

The new cybersecurity strategy is based on five pillars:

• Defend Critical Infrastructure
• Disrupt and Dismantle Threat Actors
• Shape Market Forces to Drive Security and Resilience
• Invest in a Resilient Future
• Forge International Partnerships to Pursue Shared Goals

To better defend critical infrastructure the government will expand minimum cybersecurity requirements in critical sectors and harmonize regulations to reduce the burden of compliance. Public-private collaboration will improve at the speed and scale necessary to defend against cyber threats, federal networks will be modernized, and cyber incident response policies will be improved.

The Biden Administration has already taken steps to accelerate efforts to disrupt cyber threat operations and dismantle the infrastructure used in attacks, and all tools of national power will be used to continue that mission. The private sector will be engaged to assist and provide scalable mechanisms to achieve those aims, and the ransomware threat will be tackled through a comprehensive federal approach, assisted by international partners.

Improving security and resilience will not be possible without comprehensive assistance from vendors, who must shoulder more of the responsibility of protecting against cyber threats. Liability for protecting against threats will shift from individuals and companies to the developers of software products and services, and federal grant programs will be introduced to promote investments in secure and resilient infrastructure.

To ensure a resilient future, strategic investments are required in people and technology. Through coordinated, collaborating action, the United States will lead the world in secure and resilient next-generation technologies and will help to reduce systemic technical Internet vulnerabilities, prioritize cybersecurity R&D for next-generation technologies, and develop a diverse and robust national cyber workforce.

International coalitions and partnerships will be forged with like-minded nations to counter cyber threats, the capacity of partners to defend themselves will be increased, and investments will be made to ensure trustworthy global supply chains for IT and communications technology and OT products and services.

“I’m pleased to see the Biden Administration advocating for the kind of best practices that I’ve long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation’s critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards,” said Senator Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee.

“I’m particularly pleased to see the Administration prioritize the coordination of cyber incident reporting requirements, as required by the cyber reporting law I was proud to author. I’m also glad to see the Administration’s renewed focus on protecting the sensitive medical data and safety of Americans as cyber attacks on our health care systems become more frequent and aggressive,” added Warner.

“The latest National Cybersecurity Strategy is a strong signal that industry’s continued partnership and collaboration in building resiliency across U.S. critical infrastructure is needed now more than ever. We recognize the importance of rebalancing and enhancing how we collectively defend national interests, privacy, intellectual property, and critical systems in cyberspace,” said Stacy O’Mara, Senior Leader, Global Government Strategy, Policy, and Partnerships, Mandiant.

“Mandiant looks forward to promoting evolution of the private-public partnership model as outlined in the Strategy to compensate for resource-restricted, at-risk sectors and entities that need collective assistance to defend themselves. We see this call to action as a timely opportunity to better align our collective defense to the threat landscape by taking a risk-based approach to prioritize  threats, capabilities, resources, and investments.”

The post Biden Administration Announces New National Cybersecurity Strategy appeared first on HIPAA Journal.

The healthcare and public health (HPH) sector has been warned about cyberattacks involving MedusaLocker ransomware – one of the lesser-known ransomware variants used in cyberattacks on the sector. The HPH sector has been extensively targeted by prolific ransomware groups using ransomware variants such as Clop, Royal, and BlackCat, but attacks involving these lesser-known variants can be just as damaging.

The threat actor behind MedusaLocker is believed to run a ransomware-a-service operation, where affiliates are recruited by the group to conduct attacks for a cut of any profits they generate, which is believed to be around 55%-60% of the ransom payment for MedusaLocker ransomware affiliates. The ransomware variant was first detected in September 2019 and the group is thought to primarily target the HPH sector. Since 2019, the majority of attacks have used phishing and spam emails with malicious attachments as the initial access vector. When the attachments are opened, a connection is made to the command-and-control server, and a script and the ransomware payload are downloaded. Propagation is believed to occur via WMI.

In 2022, the group started to leverage vulnerabilities in Remote Desktop Protocol, and this now appears to be the preferred initial access vector. The group exploits vulnerable RDP services and compromises legitimate RDP accounts using brute force tactics to guess weak passwords. After gaining access to victims’ networks, the group establishes persistence through registry entries, escalates privileges, moves laterally, exfiltrates data, then deploys the ransomware. MedusaLocker ransomware uses a hybrid encryption approach, first encrypting files with an AES-256 symmetric encryption algorithm, then encrypting the secret key with RSA-2048 public-key encryption. Backup copies of encrypted files are deleted to prevent recovery without paying the ransom. While the group behind MedusaLocker has a network of Russian hosts for conducting attacks, the group also leverages U.S. infrastructure, including using the compromised infrastructure of data centers and U.S. universities as redirects to obfuscate their attacks.

The Health Sector Cybersecurity Coordination Center (HC3) explained some of the known tactics, techniques, and procedures used by the group and suggests several mitigation measures. Since the group now favors RDP compromise, it is important to ensure that RDP instances have multiple levels of access and authentication controls. HC3 recommends monitoring RDP utilization, flagging and investigating first-time-seen and anomalous behavior such as failed login attempts, and implementing a robust account lockout policy to defend against brute force attacks.

RDP should never be exposed to the Internet, the patching of RDP vulnerabilities should be prioritized, strong passwords should be set, multi-factor authentication implemented on accounts, and if remote users need to access the corporate network via RDP, a VPN should be used. HC3 also recommends restricting access to the Remote Desktop port to trusted IP addresses and changing the default RDP port from 3389 to another port. To protect against phishing attacks, healthcare organizations should consider disabling hyperlinks in emails and adding a banner to all emails that have been received from an external email address.

You can view the HC3 MedusaLocker Ransomware Analyst Note on this link (PDF)

The post Healthcare Organizations Warned About MedusaLocker Ransomware Attacks appeared first on HIPAA Journal.

In Early February, a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer software (CVE-2023-0669) was exploited in attacks on more than 130 organizations, including several in the healthcare industry such as Community Health Systems (CHS) in Tennessee. That attack affected up to 1 million patients. Fortra issued an alert about the vulnerability in early February when it was discovered to have been exploited in attacks and issued workarounds to prevent exploitation ahead of an emergency patch being released, which was made available on February 7.

The attacks have prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue a further warning about the Clop ransomware group, which claimed responsibility for the attacks. According to Clop, the attacks occurred over a period of around 10 days. The group claims to have exploited the vulnerability – a pre-authentication remote code execution vulnerability in the License Response Servlet – allowing the theft of sensitive data. Clop typically uses ransomware to encrypt files after exfiltrating sensitive data, then issues a ransom demand and a threat to publicly release data if payment is not made. In these attacks, the group said it could have deployed ransomware but chose not to do so, instead opting for an extortion-only approach.

Clop is a Russia-linked ransomware group that has been active since at least February 2019, when the first observed attack was conducted by a threat group tracked as TA505 – the group behind the infamous Dridex banking Trojan. Clop (or Cl0p) is the name of the ransomware variant deployed in attacks, which have largely been conducted on organizations in the HPH sector and other critical infrastructure operators. A law enforcement operation against Clop saw 6 individuals arrested in Ukraine in June 2021; however, the group has continued to operate, apparently unaffected by those arrests and continues to pose a major threat to the healthcare and public health (HPH) sector.

HC3 first issued a warning about the Clop ransomware group in March 2021, and in January this year issued an updated Analyst Note following continued attacks on the HPH sector. While details of some of the tactics, techniques, and procedures used by the Clop ransomware gang have been shared by HC3, the Clop group continues to evolve its tactics as the latest string of attacks has clearly demonstrated.

Defending against cyberattacks by a highly capable threat group that constantly changes tactics can be a challenge; however, HC3 recommends following the advice of many cybersecurity professionals by “prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”

The latest HC3 alert can be found here.

The post HC3 Issues HPH Sector Alert Following Suspected Clop Cyberattacks appeared first on HIPAA Journal.

Security researchers have issued warnings following an increase in cyberattacks distributing a malware variant called GootLoader. GootLoader is a malware loader first identified in 2014 that is now one of the biggest malware threats. The threat group behind the campaign is highly capable and has been evolving its tactics and actively developing the malware to better evade security defenses.

The delivery of GootLoader is the first stage of an attack chain that will see multiple malicious payloads delivered, such as Cobalt Strike Beacon, FoneLaunch, and SnowCone. FoneLaunch is a .NET loader that loads encoded payloads in the memory and SnowCone is a downloader that retrieves and executes payloads that are used in the next stage of the attack, including the IcedID banking Trojan and malware dropper.

According to security researchers at Mandiant, GootLoader appears to be exclusively used by a threat actor it tracks as UNC2565. In 2022, UNC2565 adopted notable new tactics, techniques, and procedures (TTPs) and is actively evolving its TTPs to improve the effectiveness of its campaigns, including adding new components and obfuscations to the infection chain. GootLoader is primarily spread through compromised websites. Traffic is sent to those websites using SEO poisoning, which involves creating web content using search engine optimization tactics to get the sites to appear high in the search engine listings for specific business-related search terms. These can include business-related documents such as contract templates and service-level agreements. When a user arrives on the site they are tricked into downloading a malicious file, which is typically a ZIP archive that includes an obfuscated JavaScript file that masquerades as the document being searched for. If that file is executed, the infection chain is initiated leading to GootLoader being installed and other malicious payloads being delivered and executed.

Mandiant says UNC2565 changed the attack sequence in November 2022 and modified the .js file in the ZIP file to deliver a new variant dubbed GootLoader.PowerShell, which writes a second JavaScript file to the system disk that reaches out to 10 hard-coded URLs and exfiltrates system information. The new variant was used in a wave of attacks on the healthcare sector in Australia in late 2022.

Security researchers at Cybereason have also issued a warning about UNC2565 following an increase in attacks in the United States, United Kingdom, and Australia. In addition to SEO poisoning, Cybereason researchers say the group has started using Google Ads to drive traffic to their malicious websites and is now using Cobalt Strike and SystemBC for data exfiltration. New tactics identified include multiple JavaScript loops that delay the execution process, which they believe have been adopted to evade sandbox mechanisms. They also report that after GootLoader is executed, the threat actors move quickly and manually deploy attack frameworks, elevate privileges, and move laterally within compromised networks. That process typically takes less than 4 hours. While multiple sectors have been targeted, attacks have primarily been focused on organizations in the finance and healthcare sectors, with Cybereason’s researchers considering the threat level to be severe.

Researchers at both companies say UNC2565 is actively developing its TTPs and increasing its capabilities, and organizations in the healthcare sector should be on high alert. Network defenders can obtain further information on the TTPs, Indicators of Compromise (IoCs), and recommended mitigations in the GootLoader reports from Mandiant and Cybereason.

The post Healthcare Sector Warned About Increase in GootLoader Malware Infections appeared first on HIPAA Journal.