The Health Sector Cybersecurity Coordination Center (HC3) at the Department of Health and Human Services has issued a DDoS guide for the healthcare sector that includes information on the threat and recommended mitigations to limit the severity and impact of DDoS attacks.

Distributed-Denial-of-Service (DDoS) attacks are a type of resource exhaustion flooding attack that involves consuming the resources of a server, service, or network to prevent legitimate use. These attacks typically involve the use of botnets of compromised computers and IoT devices, which flood the targeted IP address with traffic to cause the server, service, or network to become overwhelmed. These attacks can result in a denial-of-service to normal traffic due to the log jam the huge volume of malicious traffic creates. These attacks typically cause disruption for several hours, although attacks can continue for several days.

These attacks usually only cause temporary disruption to services and do not, by themselves, typically involve data theft or cause hardware damage. Attacks may, however, be conducted as a smokescreen to distract security teams. While the security team is dealing with the DDoS attack, the threat actor attempts a simultaneous attack – for example, port scanning, malware delivery, a phishing attack, or data exfiltration.

DDoS attacks may also be conducted as part of an extortion attack, where a ransom demand is issued and payment is required to stop the attack. HC3 says these ransom DDoS attacks are becoming more common and have increased by 24% quarter-over-quarter and 67% year-over-year. These ransom DDoS attacks are typically conducted on web applications, such as patient portals, webmail, patient monitoring applications, and telehealth services.

The healthcare and public health (HPH) sector is currently being targeted by a pro-Russian hacktivist group called Killnet. Killnet has been conducting DDoS attacks in countries that are providing support to Ukraine, with a particular focus on hospitals and medical organizations. While the group has threatened to steal and publicly release sensitive patient data, these claims may simply be attention-seeking behavior. The DDoS attacks conducted by the group in recent weeks do not appear to have involved any other malicious activity other than causing a denial-of-service on websites and web applications.

While it is difficult to prevent targeted DDoS attacks, several steps can be taken to limit the severity and impact of DDoS attacks. Since these attacks typically target websites and web applications, security controls should be implemented to protect these assets. “Healthcare organizations should sanitize, increase resource availability, implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections, implement Content Security Policy (CSP), and audit third party code,” suggest HC3. “Additional steps include running static and dynamic security scans against the website code and system, deploying web application firewalls, leveraging content delivery networks to protect against malicious web traffic, and providing load balancing and resilience against high amounts of traffic.” Since threat actors typically use User Data Protocol (UDP), SYN (synchronize), and Transmission Control Protocol (TCP) to perpetuate DDoS attacks, these should also be a focus for network defenders.

The alert includes several other recommendations for preventing attacks, assessing and mitigating attacks in progress, and improving defenses and incident response processes to limit the harm caused by future attacks.

The post HC3 Issues DDoS Guide for the Healthcare Sector appeared first on HIPAA Journal.

The threat intelligence provider, Mandiant, says almost all cybersecurity leaders are happy with the threat intelligence they are consuming, but that intelligence is not always considered when they develop their cyber strategies and make purchasing decisions. The failure to effectively use threat intelligence data prevents organizations from getting the maximum ROI on their investment and reduces the effectiveness of their cybersecurity strategies.

Mandiant commissioned a survey of 1,350 cybersecurity decision-makers at organizations with at least 1,000 employees, across 18 sectors in 13 countries to gain a global perspective on how organizations are leveraging threat intelligence to navigate the global cybersecurity threat landscape. The survey confirmed that organizations typically receive threat intelligence from multiple sources, and 96% of cybersecurity leaders say they are happy with the threat intelligence they were receiving; however, 47% of respondents said they struggle to effectively apply threat intelligence throughout their organization and almost all respondents (98%) said they need to be faster at implementing changes based on the threat intelligence they receive.

A majority of respondents (79%) admitted to making purchasing decisions based on current cyberattack trends, without gaining insights into the attackers that are actually targeting their industry and the tactics they are using. For instance, security teams often implement defenses against advanced persistent threat actors (APT), when these nation-state actors do not actually pose a threat to their organization or sector. Security teams receive huge numbers of alerts about software vulnerabilities yet fail to use threat intelligence to identify which vulnerabilities are actually being exploited by the threat actors targeting their sector, or if the threat actors would even be able to exploit the vulnerabilities. While more than 85% of security leaders appreciate the importance of identifying attackers, their tools and techniques, and motivations, only 34% said they consider the source of a potential attack when they test their cybersecurity defenses.

If threat intelligence is not factored into purchasing decisions, solutions may be purchased that fail to provide the optimum level of protection against the most pertinent threats to their sector, which could weaken their cybersecurity strategy. Organizations that factor threat intelligence into purchasing decisions and cybersecurity strategies can achieve optimal protection against the tactics, techniques, and procedures used by the threat actors that are actually targeting their organization.

Even though security decisions are made without insights into the threat actors that are attacking them, security decision-makers were still confident in their cybersecurity defenses, especially against financially motivated threats such as ransomware. 91% of respondents were confident about their ability to protect against ransomware attacks, 89% were confident about defending against attacks by hacktivists, 83% were confident about defending against nation-state threat actors, and almost all respondents (95%) were confident they could prove to their senior leadership that they had a moderate to highly effective cybersecurity strategy.

More than two-thirds of cybersecurity decision-makers said they believe their senior leadership teams underestimate the cyber threat posed to their organization and 68% said their organization needs to improve its understanding of the threat landscape. While security teams understand the importance of threat intelligence, 79% of respondents admitted that they could focus more time and energy on identifying critical trends. The survey also revealed threat intelligence is not shared frequently enough throughout the organization. For example, Cybersecurity is only discussed on average once every four or five weeks with various departments within organizations, and only 38% of security teams share threat intelligence with a wider group of employees for risk awareness.

“A conventional, check-the-box mindset isn’t enough to defend against today’s well-resourced and dynamic adversaries. Security teams are outwardly confident, but often struggle to keep pace with the rapidly changing threat landscape. They crave actionable information that can be applied throughout their organization,” said Sandra Joyce, Vice President, Mandiant Intelligence at Google Cloud. “As our ‘Global Perspectives on Threat Intelligence’ report demonstrates, security teams are concerned that senior leaders don’t fully grasp the nature of the threat. This means that critical cyber security decisions are being made without insights into the adversary and their tactics.”

One of the problems highlighted by the survey is information overload. Organizations receive vast amounts of threat data that needs to be processed and there is concern that important information may be missed. 84% said they were concerned that they may be missing vital threat intelligence due to the number of alerts and data they have to process, and 69% of respondents said they feel overwhelmed by the threat intelligence data they receive. In healthcare, 79% of respondents said they feel somewhat or completely overwhelmed by the amount of data and alerts they have to deal with.

Mandiant offers several suggestions that can help security leaders maximize their investment and effectively operationalize their cyber threat intelligence. Organizations should regularly evaluate the data received to make sure it is timely, trustworthy, and accurate. It is important to learn about the threat actors that are actually targeting the organization and sector, adapt defenses accordingly, then test defenses and the organization’s response to the attack tactics that have been identified and track improvements over time. Threat intelligence also needs to be leveraged across all security systems and processes to proactively protect against all potential threats. Organizations should also ensure that threat intelligence is communicated effectively with stakeholders to allow that intelligence to be factored in when making purchasing decisions.

The post Mandiant: Organizations Are Not Getting the Maximum ROI from Threat Intelligence appeared first on HIPAA Journal.

Cyberattacks on business associates of healthcare organizations have increased to the point where attacks on business associates now outnumber attacks on healthcare providers. In addition to an increase in cyberattacks on third-party suppliers, the impact and destruction caused by those attacks have also increased, according to a recent report from the vendor risk management company, Black Kite.

Each year, Black Kite analyzes the impact of third-party cyberattacks and data breaches and publishes the findings in its Third-Party Breach Reports. For the 2023 report, Black Kite analyzed 63 third-party breaches which affected at least 298 companies, and reports a doubling of the impact and destruction caused by those breaches. In 2021, an average of 2.46 companies were affected by each third-party breach with the number of affected companies increasing to an average of 4.73 per breach in 2022.

The most common root cause of third-party data breaches in 2022 was unauthorized network access, which accounted for 40% of cyberattacks on third parties. Black Kite attributes the increase in these types of intrusions to the continued high numbers of employees working remotely, which introduces vulnerabilities that cybercriminals can exploit.  Ransomware continues to be extensively used in cyberattacks on third parties and was involved in 27% of third-party breaches in 2022; however, there was a slight year-over-year decrease in ransomware attacks. Black Kite attributes the decrease to Russian sanctions, which have hampered the ability of Russian cybercriminals to conduct ransomware attacks. 9.5% of breaches were due to unsecured servers, 6.3% of breaches were due to human error, 3.2% were caused by phishing, and 3.2% involved malware.

Other notable findings include an increase in the time taken to notify the companies affected by these breaches, which increased by around 50% year-over-year to an average of 108 days from the date of the attack to the disclosure date. The delay in notifications means cybercriminals are given more time to misuse stolen data, resulting in even greater damage. Technical service vendors were the most targeted third parties, accounting for 30% of all data breaches, followed by vendors of software services and healthcare services. Healthcare organizations were the most common victims of third-party breaches, accounting for 34.9% of third-party incidents in 2022 – up 1% from 2021 – followed by finance (14%), and government (14%).

“Global business ecosystems continue to get more complex, with every organization increasingly impacted by the cybersecurity posture of their partners, and their partners’ partners, and so on,” said Jeffrey Wheatman, Senior Vice President, and Cyber Risk Evangelist at Black Kite. “The reality is your attack surface is much bigger than the stuff you can control. But the good news is, you can assess and monitor your extended ecosystem to spot vulnerabilities, take action and avoid catastrophe.”

The post Healthcare Organizations Most Common Victims in 3rd Party Data Breaches appeared first on HIPAA Journal.

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service warning of state-sponsored North Korean (DPRK) ransomware attacks on U.S. critical infrastructure organizations. The agencies have gathered increasing evidence that DPRK threat actors are conducting the attacks to obtain ransom payments to support DPRK national-level priorities and objectives, and the U.S. healthcare and public health (HPH) sector is one of the primary targets.

“The North Korean actor behind these incidents, best known as Andariel, has been carrying out a targeted global ransomware campaign against hospitals and healthcare providers. Hospitals that are already under enormous pressure have experienced major disruptions, most of which have gone unnoticed to the public,” John Hultquist, Head of Mandiant Intelligence Analysis – Google Cloud, told the HIPAA Journal. “In many cases, hospitals have quietly recovered their systems or paid out the ransom without ever reporting the incident or even knowing they were dealing with North Korean spies. This suits the North Koreans who can’t be legally paid due to sanctions. They often hide their identity by claiming to be known ransomware operators.”

Andariel has used multiple ransomware variants in their attacks, especially strains such as Maui and H0lyGh0st, although the authoring agencies have identified DPRK involvement with attacks using BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. Exploits for a range of common vulnerabilities and exposures (CVEs) are used to gain initial access to networks and escalate privileges, with recent exploits including the Log4Shell vulnerability in Apache Log4j software library (CVE 2021-44228), and unpatched vulnerabilities in SonicWall appliances (CVE-2021-20038) and TerraMaster NAS devices (CVE-2022-24990).

There are sanctions risks for organizations paying ransom demands to North Korean threat groups. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has designated numerous malicious actors under its cyber-related sanctions program, including Andariel. To get around these restrictions, the DPRK threat actors obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments. Virtual private networks (VPNs), virtual private servers (VPSs), and third-country IP addresses are used to make it appear that the attacks did not originate in the DPRK.

“Andariel’s core mission is to gather intelligence for the North Korean state, targeting the government, the defense sector, journalists, among others. In contrast to some of their peers who are solely focused on filling state coffers, Andariel appears to use crime as a means to self-fund their operations,” explained Hultquist. “Cybercrime is a lifeline for the North Korean regime and necessary to keep their cyber capabilities afloat. They are unlikely to be deterred anytime soon, so the impetus is on us to step up and defend our hospitals, before someone gets hurt.”

The cybersecurity advisory includes details of the tactics, techniques, and procedures used by the DPRK threat actors, along with Indicators of compromise (IoCs) and recommended mitigations.

The post Warning Issued About North Korean Ransomware Attacks on Healthcare Organizations appeared first on HIPAA Journal.

Malicious actors used a variety of methods to gain initial access to victims’ networks but in 2022, cybercriminal groups appeared to focus on Remote Desktop Protocol and attacking cloud databases, according to cyber insurer Coalition. RDP is one of the most common ways that initial access brokers (IABs) and ransomware gangs gain access to victims’ networks and RDP is by far the most common remote-scanning by malicious actors. RDP scanning traffic was very high in 2022, with data collected from Coalition’s honeypots indicating RDP scans accounted for 37.67% of all detected scans. Whenever a new vulnerability is identified in RDP, scans soar as cybercriminals rush to identify targets that can be attacked.

Ransomware continues to be an enormous problem. In 2022, the gangs increasingly targeted cloud databases, especially Elasticsearch and MongoDB databases, a large number of which have been captured by ransomware gangs. The team identified 68,423 hacked MongoDB databases in 2022, and 22,846 Elasticsearch databases that had been ransomed.

The number of new software vulnerabilities has been growing steadily over the past 6 years. In 2022, more than 23,000 new common IT vulnerabilities and exposures (CVEs) were discovered, the highest number of any year to date. Coalition predicts this trend will continue in 2023 and expects more than 1,900 new CVEs to appear each month – a predicted increase of 13% from 2022. Each month Coalition expects an average of 270 high-severity vulnerabilities and 155 critical vulnerabilities to be disclosed and stressed that organizations need to remain vigilant and keep on top of patching and quickly close these security gaps.

With so many vulnerabilities now being reported, keeping on top of patching can be a major challenge. Given the huge number of vulnerabilities security teams need to address, patching is often slow, and that gives hackers a significant window of opportunity to exploit the flaws. Prompt patching is essential, as a majority of newly disclosed CVEs are exploited by cybercriminals within 30 days of the vulnerabilities being made public, with most exploited within 90 days. Exploitation can occur incredibly quickly. For instance, the Fortinet vulnerability, CVE-2022-40684, was exploited within 2 days of the announcement.

Malicious actors typically focus on exploiting a limited set of vulnerabilities. When they discover new vulnerabilities that can be exploited, they tend to stick with their tried and tested exploits and attack as many businesses as possible. While the goal of security teams should be to ensure all vulnerabilities are patched promptly, the huge number of reported vulnerabilities can make that an almost impossible task. The greatest gains can be made by prioritizing patching and ensuring the most commonly exploited vulnerabilities are patched first. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of known exploited vulnerabilities, and each year publishes a list of the most commonly exploited flaws. All vulnerabilities on these lists should be prioritized and patched first.

Effective prioritization of patching can be a challenge as it is not always clear which vulnerabilities are most likely to be exploited. IT teams often assess vulnerabilities using the Exploit Prediction Scoring System (EPSS) and CVSS severity score, yet this information is not always available when vulnerabilities are first disclosed. Coalition has gotten around this problem by developing the Coalition Exploit Scoring System (CESS), which acts as a scoring system for vulnerabilities. The system uses deep learning models that can predict the CVSS score for a vulnerability based on its description, the likelihood of an exploit being developed quickly based on past exploit availability for CVEs, and the likelihood of exploit usage against Coalition policyholders by modeling past attacks.

“With so many vulnerabilities to address, systems often go unpatched for years, leaving huge swaths of the internet unprotected,” said Coalition in the report.  “Leaders responsible for protecting network security need the most accurate and insightful information to act upon — and they need an effective way to prioritize which CVEs to respond to. We have attempted to provide that necessary context and the CVSS/CESS framework to help cybersecurity leaders and practitioners make informed decisions about their digital risk and react quickly to harmful vulnerabilities.”

The post RDP and Cloud Databases Most Common Targets of Threat Actors appeared first on HIPAA Journal.

Healthcare organizations have been investing in cybersecurity to improve their defenses against increasingly numerous and sophisticated cyberattacks; however, while an organization’s security posture can be improved, it can only be as good as the weakest link.

Cybercriminals are increasingly targeting the supply chain in their attacks, as these are usually the weakest links in the security chain. Healthcare organizations typically contract with many different vendors which are often provided with sensitive data or privileged access to healthcare networks. In 2022, data breaches at business associates increased to the point where reported data breaches with business associate involvement outnumbered the data breaches at healthcare providers. Many of the data breaches at business associates affected dozens of healthcare clients. Assessing and managing supply chain risk is now one of the biggest cybersecurity challenges in healthcare.

A recent study conducted by SecurityScorecard and the Cyentia Institute explored the reasons why data breaches at third parties and fourth parties are now so common. The report –Close Encounters of the Third (and Fourth) Party Kind – was based on data from more than 230,000 primary organizations and 73,000 vendors and products used by those organizations.

Third parties and fourth parties introduce risk but managing and reducing those risks to an acceptable level can be a monumental challenge due to the complex interconnected web of third- and fourth-party relationships. For example, SecurityScorecard looked at one small company – a website code developer that provides code that determines how website visitors interact with websites. Approximately 12,500 organizations use that company’s code on their websites, and there are 232,000 fourth parties with relationships with those organizations. While those 232,000 organizations do not have a direct relationship with the company, 98.7% have an indirect, once-removed relationship with the website code developer. If the company’s code were to be compromised, almost 229,000 companies would experience some level of exposure.

Third and Fourth Parties Much More Likely to Have Poor Security Ratings

SecurityScorecard investigated the extent to which third-party vendors are used. The analysis showed that, on average, organizations use around 10 third-party vendors. In healthcare, the average was 15.5.  That calculation is based on third-party vendors that are visible from outside-in scanning of an organization’s Internet-facing infrastructure using SecurityScorecard’s Automatic Vendor Detection. While these numbers are relatively low, there are expansive fourth-party relationships. Each organization typically has indirect relationships with between 60 and 90 times the number of fourth parties as third parties.

Third and fourth-party data breaches are incredibly common. More than 98% of primary organizations said they had a business relationship with a vendor that experienced a data breach in the past 2 years, and almost half of the organizations had indirect links to at least 200 fourth-party vendors that had experienced a data breach in the past 2 years. Security Scorecard also assessed the relative security of first parties and third parties. Twice the number of primary organizations (38.4%) had the highest security rating of A compared to third parties (17.7%), but more concerning is third parties were almost five times as likely to receive a security rating of F as primary organizations. An examination of fourth parties found that they were 10x more likely to have a failing security grade than an A. Poor security ratings do not necessarily mean an organization will experience a data breach, but SecurityScorecard’s analysts determined that firms with poor security ratings were 7.7% more likely to experience a data breach.

“Many organizations are still unaware of the dependencies and exposures inherent to third-party relationships, and simply focus on managing their own security posture. Others are aware of those issues, but don’t make vendor decisions based on security and/or require vendors to meet certain standards. Even firms that do establish third-party security requirements can struggle to continually monitor compliance and progress,” explained SecurityScorecard in the report. The good news is that organizations are now paying much greater attention to vendor risk, with Gartner reporting that 60% of companies now use cyber risk as a significant determinant when conducting third-party transactions.

As cyber actors focus their efforts on the supply chain, managing third and fourth-party risk has never been more important. While this can be a challenge, the first step is to gain visibility into your entire vendor ecosystem, as without that visibility it is not possible to accurately assess risk and make informed decisions. Once those third and fourth parties have been identified, the security posture of those organizations needs to be assessed. SecurityScorecard also recommends collaborating with those vendors and helping them to improve their security, and using automation to continuously monitor vendors’ cyber risk and generate alerts when there are notable changes to their security posture. That then allows organizations to be more proactive and help their vendors address vulnerabilities before they are exploited.

The post 98% of Organizations Use a Vendor That Had a Data Breach in the Past 2 Years appeared first on HIPAA Journal.

The French Computer Emergency Response Team (CERT-FR) has warned about an ongoing ransomware campaign targeting VMware ESXi hypervisors that have not been patched against the critical heap-overflow vulnerability tracked as CVE-2021-21974.

VMware issued a patch on February 3, 2021, to fix the vulnerability; however, hundreds of VMware ESXi virtual machines are still vulnerable to the exploit and are now being attacked. The vulnerability affects the Open Service Location Protocol (OpenSLP) service and can be exploited by an unauthenticated attacker in a low-complexity attack to remotely execute code.

According to CERT-FR, the campaign targets ESXi hypervisors in version 6.x and prior to 6.7 through OpenSLP port 427, and warns that the following versions are vulnerable to the exploit:

• ESXi 7.x versions earlier than ESXi70U1c-17325551
• ESXi versions 6.7.x earlier than ESXi670-202102401-SG
• ESXi versions 6.5.x earlier than ESXi650-202102101-SG

A workaround has been provided by CERT-FR in the alert for any organizations unable to immediately apply the patch, but CERT-FR strongly recommends patching to address the issue. CERT-FR has warned that patching the vulnerability or applying the workaround is not sufficient to protect against attacks, as the vulnerability may already have been exploited to deliver malicious code. After applying the mitigations, system scans should be performed to detect signs of compromise. VMware said the attacks involve a new ransomware variant dubbed ESXiArgs, which appends encrypted files with the .args extension. While it has yet to be confirmed, these attacks do not appear to involve data exfiltration, only file encryption.

Over the weekend, security researchers have been reporting hundreds of machines have been attacked, which likely involves the automated or semi-automated exploitation of the vulnerability. Over 500 machines are believed to have been targeted, with The Stack reporting that attacks are being conducted at a rate of around 20 per hour. OVHcloud customers are the worst affected, although attacks are now more widespread and are hitting customers of other hosting companies. OVH issued a security advisory on Friday warning customers about the campaign, urging them to patch immediately. While the attacks appeared to initially target vulnerable VMware ESXi hypervisors in Europe, the attacks are now more widespread and SingCERT in Singapore has now issued an advisory warning about the ransomware campaign.

There have been reports that earlier versions of VMware ESXi hypervisors are also being targeted by ransomware gangs, although VMware says the vulnerability is restricted to the above 6.x and 7.x versions. That could indicate CVE-2021-21974 is not the only vulnerability being exploited. What is clear is multiple ransomware gangs have released Linux versions of their ransomware specifically to target ESXi hypervisors, with the Royal ransomware group one of the latest to release a new Linux version for attacks on ESXi.

The post VMware ESXi Servers Targeted in Large-Scale Ransomware Campaign appeared first on HIPAA Journal.

The pro-Russian hacking group, Killnet, is conducting a campaign of Distributed Denial of Service (DDoS) attacks on U.S. hospitals in apparent retaliation for U.S. support of Ukraine. The attacks started a few days after the United States and other countries agreed to provide tanks to Ukraine to help with the fight against the Russian invasion.

Killnet is a hacktivist group that has been active since at least January 2022 and its activities are connected to the Russian invasion of Ukraine. While the group’s views align with Russia, connections to the Russian Federal Security Service (FSB) and Russian Foreign Intelligence Service (SVR) have not been confirmed. The group is known for conducting denial of service (DoS) and DDoS attacks on government institutions and private organizations in countries providing support to Ukraine.

The attacks involve flooding hospital servers and websites with thousands of connection requests and packets per minute, causing the systems to slow down. In some cases, the attacks have rendered servers and websites temporarily unavailable. DDoS attacks are generally short-lived, but disruption can continue for several hours or days. While these attacks cause disruption, it has been suggested that Killnet is attempting to create fear, uncertainty, and doubt in the ability of governments to protect against cyberattacks.

In 2022, the group conducted DDoS attacks on government websites and private companies in Romania, Germany, Georgia, Italy, the Czech Republic, and Japan. In the United States, the group attacked the American defense firm Lockheed in retaliation for the provision of the HIMARS systems to Ukraine, and several attacks were conducted on U.S. airports in October. A senior member of the group, known as Killmilk, issued a threat to the U.S. government claiming attacks would be conducted on healthcare providers to obtain the sensitive personal data of Americans in retaliation for the policy of the U.S. Congress with respect to Ukraine.

While those threats do not appear to have materialized, the group’s latest DDoS campaign has seen at least 15 hospitals and health systems targeted, including University of Michigan Health, Stanford Healthcare, Banner Health, Anaheim Regional Medical Center, Atrium Health, Hollywood Presbyterian Medical Center, University of Pittsburg Medical Center, Jefferson Health, Abrazo Health, Duke University Hospital, Buena Vista Regional Medical Center, Heart of the Rockies Regional Medical Center, and Cedars-Sinai Hospital.

University of Michigan Health said the websites of U-M hospital and Mott Children’s Hospital were attacked on Monday but are now back up and running. The affected websites were hosted by a third-party vendor and did not contain any patient information. A third-party vendor has been providing assistance to mitigate the attack. The wave of attacks prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue an analyst note about the group and provide mitigations that can help to reduce the severity of DDoS attacks, but warned that it is not possible to fully mitigate against the risk of DDoS attacks.

The post Pro-Russian Hacking Group Conducting DDoS Attacks on U.S. Hospitals appeared first on HIPAA Journal.