Healthcare Cybersecurity

Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital

Ransomware attacks can force healthcare facilities to close temporarily, and some small healthcare practices have decided not to reopen after an attack, but hospitals and health systems are usually financially resilient enough to remediate the attack and recover. St. Margaret’s Health was not. Like many rural hospitals and health systems, St. Margaret’s Health had been struggling to maintain operations in the face of increasing financial pressures when it fell victim to a ransomware attack that sent it into a downward financial spiral. The attack, in combination with several other factors, resulted in the decision to permanently close its 44-bed Spring Valley location in Illinois. St. Margaret’s Health also operates a 49-bed hospital in Peru, IL, which was under a temporary suspension that was announced in January this year. All operations at the two hospitals will permanently end on Friday, June 16, 2023.

The Sisters of Mary of the Presentation founded St. Margaret’s Health in 1903, and in 2021, St. Margaret’s Hospital – Spring Valley and Illinois Valley Community Hospital (IVCH) in Peru consolidated their operations and formed a regional health network run by the SMP Health ministry, with IVCH changing its name to St. Margaret’s Hospital – Peru. St. Margaret’s Health tried to integrate the new hospital so that the two hospitals and their associated clinics could continue to provide Catholic healthcare in the Illinois Valley, but the challenges proved too great. Like many rural hospitals, St. Margaret’s Health has faced increasing financial pressures in recent years, and the COVID-19 pandemic, continuing staff shortages, and the February 2021 ransomware attack on the computer systems of St. Margaret’s Hospital – Spring Valley proved too much and made it impossible to sustain its ministry. The ransomware attack itself did not trigger the closure, but it did play a key part in the decision to close. The attack prevented the hospital from submitting claims to insurers, Medicare, and Medicaid for months, piling even more financial pressure on the already struggling St. Margaret’s Health.

Suzanne Stahl, chair of SMP Health, said St. Margaret’s Health has signed a non-binding letter of intent with OSF Healthcare to acquire the Peru campus and related ambulatory facilities. The proceeds of the sale will be used to pay off a portion of St. Margaret’s debts and will help to ensure that Catholic-based healthcare continues to be provided in the Illinois Valley and the surrounding areas. The transition will take some time, and while OSF Healthcare is working to complete the purchase as quickly as possible, it is not able to provide a time frame for when care will resume. “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Melanie Malooley-Thompson, Mayor of Spring Valley. The closure will mean that patients will be forced to travel much further for emergency room and obstetrics services.

Longstanding pressures on rural hospitals resulted in 136 rural hospital closures between 2010 and 2021, according to a 2022 report from the American Hospital Association, including 19 closures in 2020 alone. Rural hospitals typically have low reimbursement rates, staff shortages, and low patient volumes, and they also had to deal with the COVID-19 pandemic. A cyberattack can be enough to push them over the edge.

Tragically, this is unlikely to be the last ransomware attack that proves too much for a rural hospital. Increasing financial pressure limits the ability of rural hospitals to invest in cybersecurity and they also struggle to attract and retain skilled cybersecurity staff. That makes rural hospitals an easy target for ransomware gangs, which are increasingly targeting these healthcare facilities. Even when rural hospitals are not specifically targeted, they can still fall victim to non-targeted attacks due to the lack of appropriate cybersecurity.

The post Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital appeared first on HIPAA Journal.

HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams

The Health Sector Cybersecurity and Coordination Center (HC3) has compiled a profile of the FIN11 threat group (TA505/Lace Tempest/Hive0065) which is known to target organizations in the healthcare and public health (HPH) sector. Historically, FIN11 has conducted phishing campaigns but has now migrated to other attack vectors against companies in North America and Europe. The group is financially motivated and often engages in data theft for extortion, with or without ransomware.

Recent attacks include the exploitation of zero-day vulnerabilities in file transfer solutions to gain access to sensitive data, which is then stolen, with the threat of public release if a ransom is not paid. FIN11 often deploys CLOP ransomware in its attacks, although it is unclear exactly how many CLOP ransomware attacks FIN11 has conducted. The ransom demands in these attacks vary based on the perceived ability of the victim to pay and typically range from a few hundred thousand dollars to $10 million.

FIN11 phishing and spear phishing campaigns have used a combination of malicious attachments and hyperlinks, and fake download pages have been used to trick people into downloading malware. FIN11 is thought to have been involved in the mass exploitation of vulnerabilities in the MOVEit and Accellion FTA file transfer solutions, the PaperCut MF and NG vulnerability in 2023, the Windows ZeroLogon vulnerability in October 2020, and several other vulnerabilities. FIN11 also targeted HPH sector organizations during the COVID-19 pandemic.

FIN11 is known to deploy a range of different malware variants after gaining initial access to networks. In addition to CLOP ransomware, the group has deployed the LEMURLOOT web shell, P2P RAT, FlawedAmmyy and FlawedGrace remote access Trojans, and Cobalt Strike, along with a host of other tools to allow the group to achieve its objectives.

Due to the range of different attack vectors, mitigations are varied and involve strong email security measures, prompt patching of known vulnerabilities, endpoint detection solutions, and active monitoring of security alerts for signs of compromise. HC3 recommends that healthcare organizations consider FIN11 a top priority for their security teams, as the group poses a significant threat to the HPH sector.

The post HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams appeared first on HIPAA Journal.

Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability

A critical vulnerability in Fortinet’s FortiOS and FortiProxy SSL VPN has potentially already been exploited by malicious actors. The vulnerability, tracked as CVE-2023-27997, is a heap buffer overflow issue in FortiOS and FortiProxy SSL-VPN which can be exploited remotely, pre-authentication, to execute code via malicious requests to vulnerable devices. The flaw can be exploited even if multifactor authentication has been enabled.

Fortinet firewalls and VPNs are widely used and vulnerabilities are actively sought by malicious actors and have been rapidly exploited in the past. A search on the Shodan search engine indicates around 250,000 Fortinet firewalls are accessible over the Internet and the majority of those are thought to be vulnerable. Fortinet said the vulnerability was identified during a code audit conducted in response to a series of attacks exploiting a separate zero-day vulnerability – CVE-2022-42475 – in FortiOS SSL VPN that was disclosed in January. Those attacks were linked to the Chinese state-sponsored threat group, Volt Typhoon, which has been active since mid-2021 and has previously targeted critical infrastructure entities in the United States. Fortinet has not linked exploits of the most recently disclosed vulnerability to Volt Typhoon, but said the threat actor and other threat groups will likely target the vulnerability and that there may already have been limited attacks against government, manufacturing, and critical infrastructure.

Fortinet issued a security advisory on June 12 about the vulnerability, which affects virtually all versions of FortiOS and FortiProxy. Patches have been released to fix the vulnerability and customers have been urged to update their firmware to the latest version. Fortinet said the vulnerability is mitigated if customers are not operating SSL-VPN; however, all users have been advised to update to the latest firmware version regardless.

While there is only believed to have been limited exploitation of the flaw, now that patches have been released threat actors will compare the new releases with previous firmware versions to work out what has changed and will likely rapidly discover and develop exploits for the vulnerability, so immediate patching is strongly recommended. All users should ensure they have updated to the following firewall and VPN versions:

FortiOS-6K7K

  • FortiOS-6K7K version 7.0.12 or above
  • FortiOS-6K7K version 6.4.13 or above
  • FortiOS-6K7K version 6.2.15 or above
  • FortiOS-6K7K version 6.0.17 or above

FortiOS

  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.5 or above
  • FortiOS version 7.0.12 or above
  • FortiOS version 6.4.13 or above
  • FortiOS version 6.2.14 or above
  • FortiOS version 6.0.17 or above

FortiProxy

  • FortiProxy version 7.2.4 or above
  • FortiProxy version 7.0.10 or above
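To turn the version list above into something an asset inventory can be checked against, here is an added example (not from the original post or from Fortinet) that compares a device's reported firmware version with the fixed level for its branch. The fixed versions are the ones quoted on this page; the product labels, the sample inventory and the helper names are assumptions made for the illustration.

```python
"""Check Fortinet firmware versions against the fixed releases for
CVE-2023-27997 listed in the advisory summary on this page.

Added example; the FIXED_VERSIONS table copies the page's list, everything
else (product labels, sample hosts, version strings) is constructed.
"""
import re
from typing import Optional

# Minimum fixed patch level per branch ("major.minor"), as listed on the page.
FIXED_VERSIONS = {
    "FortiOS-6K7K": {"7.0": 12, "6.4": 13, "6.2": 15, "6.0": 17},
    "FortiOS":      {"7.4": 0, "7.2": 5, "7.0": 12, "6.4": 13, "6.2": 14, "6.0": 17},
    "FortiProxy":   {"7.2": 4, "7.0": 10},
}

# Accepts "7.0.11", "v7.0.11" and "v7.0.11 build0489" (anything after the patch number is ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse a version string into (major, minor, patch); raise on unrecognised input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if the version is at or above the fixed level for its branch,
    False if below, None if the branch is not in the page's list (so the
    function makes no claim either way and the caller must check the vendor)."""
    major, minor, patch = parse_version(version)
    branches = FIXED_VERSIONS.get(product)
    if branches is None:
        raise ValueError(f"unknown product: {product!r}")
    fixed_patch = branches.get(f"{major}.{minor}")
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


def triage_inventory(devices):
    """Classify (hostname, product, version, ssl_vpn_enabled) rows.

    Devices with SSL-VPN disabled are reported as mitigated, as the advisory
    states, but still flagged for the update the page recommends for everyone."""
    report = {}
    for host, product, version, ssl_vpn in devices:
        status = is_patched(product, version)
        if status is True:
            report[host] = "patched"
        elif status is None:
            report[host] = "unknown-branch: verify against the vendor advisory"
        elif ssl_vpn:
            report[host] = "VULNERABLE: update immediately"
        else:
            report[host] = "mitigated (SSL-VPN disabled) but still update"
    return report


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.11 build0489", True),
    ("fw-edge-02", "FortiOS", "v7.0.12", True),
    ("fw-dc-01", "FortiOS-6K7K", "v6.2.14", True),   # fixed on FortiOS, not on 6K7K
    ("proxy-01", "FortiProxy", "v7.2.3", False),
    ("fw-lab-01", "FortiOS", "v5.6.14", True),        # branch not in the page's list
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {verdict}")
```

Note that the 6.2 branch differs between the two FortiOS lists (6.2.15 for 6K7K models versus 6.2.14 otherwise), which is why the product label has to be part of the check.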

The post Immediate Patching Recommended for Critical Fortinet FortiOS & FortiProxy Vulnerability appeared first on HIPAA Journal.

HC3 Raises Awareness of Diverse Threat Actors Targeting the HPH Sector

The HHS’ Health Sector Cybersecurity Coordination Center has issued a threat brief to highlight the types of cyber threat actors that target the health and public health sector (HPH), and their differing objectives, tactics, techniques, and procedures.

The HPH sector is a relatively easy target for cybercriminals compared to other industry sectors. There is a complex supply chain involving many different vendors, a large attack surface with many IoT and IoMT-connected devices that are difficult to secure, reliance on outdated software and operating systems that have reached end-of-life, and HPH sector organizations often find it difficult to recruit and retain skilled cybersecurity staff.

HPH sector organizations also store large quantities of data that can be easily monetized and used for a range of nefarious purposes such as identity theft, blackmail, and insurance fraud. Since the sector is highly regulated, there are often costly legal ramifications for healthcare organizations that suffer data breaches, and successful attacks can cause significant reputational damage, which makes the HPH sector an ideal target for extortion. Nation-state actors often target HPH sector organizations to steal research data for technological advantage, to collect sensitive data, and to cause disruption in line with national priorities.

The HPH sector is targeted by financially motivated cybercriminals, politically motivated hacktivists and nation-state actors, malicious insiders for financial gain or retaliation, cyberterrorists who wish to cause harm, and script kiddies who seek attention, want to create chaos, gain kudos within the hacking community, or simply have fun. Regardless of the threat actor, the attacks can have serious financial and reputational implications and often put patient safety at risk.

While the motivations behind healthcare cyberattacks are varied, there are common initial access vectors that are used by the different types of threat actors. Phishing and social engineering attacks exploit human weaknesses to gain initial access to healthcare networks and sensitive data. Vulnerabilities in software and operating systems are targeted for initial access, man-in-the-middle attacks intercept sensitive data, and Distributed-Denial-of-Service attacks and wiper malware are used to cause disruption to critical systems. Attacks often involve malware that steals data and provides persistent access to networks, adware is used for tracking, information theft, and driving traffic to websites, and ransomware is often deployed for data theft and extortion.

The threat brief provides information on the different types of threat actors and their motivations to help network defenders gain a better understanding of their adversaries, and includes information on the most active threat groups that are known to target the HPH sector.

The post HC3 Raises Awareness of Diverse Threat Actors Targeting the HPH Sector appeared first on HIPAA Journal.

Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms

A zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) started to be exploited by a cyber threat actor at scale over the Memorial Day weekend. Progress Software issued an advisory about the vulnerability on May 31, 2023, and rapidly released patches to fix the flaw, but not in time to prevent mass exploitation of the vulnerability. Remote exploitation of the flaw allowed access to be gained to the MOVEit server database, providing access to customer data.

A few days later, several major companies confirmed they had been impacted by the attacks, including the airlines British Airways and Aer Lingus, the UK drugstore chain Boots, the University of Rochester in New York, and the Nova Scotia provincial government, which had all fallen victim and had data exfiltrated through their payroll and HR service provider, Zellis. Nova Scotia Health has confirmed that the personal information of up to 100,000 employees was stolen in the attack.

The Clop ransomware gang and the associated FIN11 threat group were suspected of involvement in the mass exploitation of the vulnerability, as they had previously targeted vulnerabilities in file transfer solutions, exploiting zero-day vulnerabilities in the Accellion FTA and Fortra’s GoAnywhere MFT. Microsoft, Mandiant, and others attributed the attacks to Clop/FIN11, with Microsoft attributing them to a Clop affiliate it tracks as Lace Tempest, and Mandiant attributing them to a newly created threat cluster it tracks as UNC4857, also linked to Clop/FIN11. Mandiant confirmed to The HIPAA Journal that it has seen evidence of data exfiltration at multiple companies and that targeted applications were infected with a webshell called LEMURLOOT. Shodan scans revealed more than 2,500 instances of MOVEit software exposed to the Internet and Censys reported more than 3,000 hosts running the service, all of which were potentially vulnerable.

Clop Ransomware Group Claims Responsibility for the Attacks

Around a week after the news broke about the exploits, the Clop ransomware gang claimed responsibility for the attacks and confirmed that ransom demands had been issued along with threats to release the stolen data if the ransoms are not paid, giving breached firms until June 14 to pay up or face data exposure. While the Clop group uses ransomware, these attacks involved data theft and exploitation without encryption, as was the case with the attacks on the Accellion FTA and GoAnywhere MFT.

On June 7, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint security advisory and provided a list of recommended mitigations to reduce the impact of Clop exploits. A few days earlier, on June 2, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert, warning that the health and public health sector was potentially at risk from the vulnerability.

The number of victims has yet to be determined, and in contrast to the GoAnywhere MFT attacks, the Clop group has not publicly stated how many attacks were conducted but did say it was in the hundreds. The scale of the attacks should start to become clearer from June 14 if Clop is true to its word and starts publishing stolen data, although it may take several weeks or months before the full extent of the exploitation of the vulnerability is known.

Clop May Have Known About Vulnerability for 2 Years

Cybersecurity firm GreyNoise reports that it traced scanning activity associated with the vulnerability to March 3, 2023, and security experts at Kroll said they found evidence to indicate Clop was testing ways to exploit the vulnerability and obtain data in April 2023; however, they also found evidence of similar manual activity related to the exploit as early as July 2021, suggesting the Clop actors have known about the vulnerability for almost two years. The researchers suggest they waited until they had the automation tools available to allow exploitation at scale.

The post Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms appeared first on HIPAA Journal.

Guide Released on Securing Remote Access Software

Remote access software is used by organizations and their vendors to improve efficiency and productivity and cut costs; however, the same remote access tools can be leveraged by cyber threat actors for a range of malicious purposes while evading detection by security solutions.

Benefits and Risks of Remote Access Software

Remote access software is used for a wide range of purposes and is especially useful for remotely managing and monitoring IT systems and devices. IT support teams use the software to troubleshoot IT issues, provide IT helpdesk support, perform backups and data recovery, reconfigure devices, install new software, apply patches to fix vulnerabilities, and monitor for suspicious network activity. Managed Service Providers (MSPs) extensively use these tools to access clients’ networks to perform a wide range of contracted services.

While the software can improve efficiency and productivity and reduce costs, there is considerable potential for misuse of the software, and remote access solutions are actively targeted by cyber threat actors. By abusing these tools, cyber threat actors can gain broad access to internal systems, and since these tools are legitimately used by members of the workforce and third-party contractors, connections are often not flagged as malicious by security solutions which means malicious actors can hide their activities.

Remote access software is used to gain access to internal networks and maintain persistence, and it is common for threat actors to leverage the software and tools that are already present on the compromised system to sustain their malicious activities. By using these living-off-the-land (LOTL) techniques malicious actors do not need to download additional software, scripts, and tools, which makes intrusions, lateral movement, and data exfiltration difficult to detect.

Remote access software is one of the main ways that ransomware actors gain initial access to victims’ networks and evade security solutions. Cyber threat actors may also exploit vulnerabilities to gain access to systems then install legitimate remote access software or use social engineering techniques to trick individuals into installing the software to provide access to victims’ devices and the networks to which they connect.

Guidance on Securing Remote Access Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD), have recently published a guide for all organizations that use remote access software for regular business purposes, especially managed service providers, to help them defend against malicious use of the software.

The guide includes best practices, protections, and mitigations developed by CISA and the National Institute of Standards and Technology (NIST) based on existing cybersecurity frameworks to help organizations protect against the most common cyber threats and tactics, techniques, and procedures used by cybercriminal groups and nation-state threat actors. The guidance can be used by organizations of all types and sizes and includes specific best practices and recommendations for IT support teams and managed service providers.

Guide to Securing Remote Access Software – PDF

The post Guide Released on Securing Remote Access Software appeared first on HIPAA Journal.

Verizon 2023 DBIR: Social Engineering Attacks Increase; Ransomware Plateaus

The eagerly anticipated Verizon 2023 Data Breach Investigations Report (DBIR) has been published, an annual report that provides insights into the current threat landscape and data breach trends. This year, the report is based on an analysis of 16,312 security incidents, where the integrity, confidentiality, or availability of an information asset was compromised, and 5,199 data breaches, where there was a confirmed disclosure of sensitive data to an unauthorized third party. All incidents included in the report occurred between November 1, 2021, and October 31, 2022.

Last year, the report indicated the human element was involved in 82% of all breaches, down from 85% in 2021. That downward trend has continued with the human element involved in 74% of breaches in 2022. These include mistakes by employees such as misconfigurations and responses to pretexting attacks, as well as deliberate actions by malicious insiders. In around half of all incidents (49%), initial access to victims’ networks was gained through stolen credentials, with phishing the next most common method, accounting for 12% of breaches, and the exploitation of vulnerabilities, which accounted for 5% of breaches. The Log4j vulnerability was the most cited exploited vulnerability and was stated as the exploited vulnerability in 90% of exploit incidents, although only 20.6% of incidents stated the vulnerability that was exploited in the attack.

Social Engineering Attacks Continue to Increase

This year’s report highlights a continuing upward trend in pretexting incidents, which are a type of social engineering attack where the victim is manipulated into divulging sensitive information. These attacks typically involve impersonation and include business email compromise attacks, which almost doubled in a year and now account for more than 50% of social engineering incidents, overtaking phishing for the first time, although phishing remains the most common social engineering method in confirmed data breaches. Losses to BEC attacks have been steadily increasing, jumping from a little over $30,000 in 2018 to a median of $50,000 in 2022. 98% of social engineering attacks involved email as the initial vector, with the remainder involving telephone-based incidents (vishing) and SMS and instant messaging (smishing).

One of the problems highlighted in the report is the lack of protection against social engineering attacks, especially for the accounts of senior leadership. These individuals are often targeted because they have the most valuable accounts, with extensive access to systems and data, and because their accounts are often exempted from standard security controls. Detecting these attacks can be difficult, and blocking them requires a combination of measures including email security solutions, end-user training, and multifactor authentication, with greater protections implemented for the most valuable accounts with the highest levels of privileges.

Ransomware Attacks Remain Steady

Ransomware attacks continue to be conducted in high numbers but the number of attacks has remained steady, accounting for 24% of incidents and 15.5% of data breaches – a slight increase in ransomware incidents from last year and a slight decrease in ransomware-related data breaches. Verizon reports that ransomware is used in 62% of cyberattacks by organized crime actors and 59% of financially motivated incidents. Email, desktop-sharing software, and web applications were the most common attack vectors in ransomware attacks.

Figures from the FBI indicate 10% of ransomware attacks covered in the 2021 DBIR involved financial losses, with a median loss of $11,500. This year, only 7% of attacks involved financial losses, but the median loss has doubled to $26,000, with the maximum loss jumping from $1.2 million to $2.25 million. The overall cost of remediating ransomware attacks continues to increase despite a continuing fall in median ransom payments.

Other Causes of Security Incidents and Data Breaches

While the majority of attacks were hacking incidents, insider breaches continue to occur. 602 insider incidents were included in the report, out of which 512 involved confirmed data disclosures. The most common cause of these incidents was misdeliveries, which accounted for 43% of insider incidents, followed by misconfigurations (23%) and publishing errors (21%). Social engineering, phishing, and ransomware attacks dominate the headlines, but by far the most common type of attack is denial-of-service, which was behind 6,248 of the 16,312 security incidents. While these attacks do not tend to carry the same costs as data breaches, they can still cause considerable disruption to business operations as they prevent access to the Internet and business-critical systems.

2,091 incidents involved lost and stolen assets, with loss incidents accounting for the vast majority, typically lost mobile phones, laptops, and printed documents. These incidents were numerous but often did not figure in the breach data, as the data on lost devices was not confirmed as breached, only as being at risk. These incidents have remained at a similar level to last year, accounting for around 10% of all data breaches.

Patterns in Data Breaches. Source: 2023 Verizon Data Breach Investigations Report.

Causes of Healthcare Attacks and Data Breaches

Healthcare was represented in 525 incidents, and 436 of those incidents involved confirmed data disclosures. The most common causes of healthcare data breaches were basic web application attacks (164), miscellaneous errors (153), system intrusions (121), privilege misuse (57), social engineering (65), and lost/stolen assets (18). As Verizon points out, many healthcare data breach notification letters state the breach was the result of a highly sophisticated cyberattack; however, basic web application attacks were the most common, and these typically involve brute-forcing weak passwords and credential stuffing, which are certainly not complex.

Many of the incidents in healthcare were due to mistakes by employees. Misdelivery – the sending of emails or mailing of letters to the wrong individuals – was the second biggest cause of data breaches. Privilege misuse, which includes snooping by employees, has been decreasing but is still more prevalent than in many other industries. Protecting against these incidents is difficult, so the focus must be on fast detection to limit the potential for harm, and that means monitoring logs for unusual data access patterns and automating that process as far as possible.

The post Verizon 2023 DBIR: Social Engineering Attacks Increase; Ransomware Plateaus appeared first on HIPAA Journal.

Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed

A zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution is being actively exploited by hackers to perform mass downloads of sensitive data from targeted organizations. MOVEit Transfer was developed by the Progress Software Corporation-owned company, Ipswitch, and is provided as an on-premises solution or cloud SaaS platform that is used by enterprises for securely transferring large files.

According to a recent security advisory from Progress, the flaw is an SQL injection vulnerability that affects the MOVEit Transfer web application. If exploited, a remote, unauthenticated attacker can gain access to the MOVEit Transfer database, infer information about the structure and contents of the database, exfiltrate data, and execute SQL statements that alter or delete database elements. Progress has confirmed that the vulnerability affects all MOVEit Transfer versions, including on-prem and MOVEit Cloud. There were many confirmed instances of mass data exfiltration over the Memorial Day weekend when monitoring was reduced, although it appears that the vulnerability was exploited weeks before in many of the cases that have been investigated. At present, it is unclear which threat group is exploiting the flaw as while there has been confirmed data theft, there has been no attempted extortion.

Progress has released a patch to fix the vulnerability in all supported versions, which are available here. Users have been recommended to immediately disable all HTTP and HTTPS traffic to the MOVEit Transfer environment by modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. Simply blocking HTTP and HTTPS traffic will not prevent data exfiltration, which can still occur through the SFTP and FTP protocols. After disabling traffic, a review should be conducted to identify any unauthorized files and user accounts, which should be deleted, and then credentials should be reset. The patch can then be applied, and HTTP and HTTPS traffic can be re-enabled after confirming that all unauthorized files and accounts have been successfully deleted.

According to Rapid7, there are approximately 2,500 instances of MOVEit that are exposed to the public Internet, the majority of which are located in the United States. All cases of exploitation have seen the same webshell (human2.asp) added to the c:\MOVEit Transfer\wwwroot\ public HTML folder. After patching, organizations should conduct a forensic analysis to look for Indicators of Compromise over the past 30 days to determine if the flaw has already been exploited and data exfiltrated.
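The file review and webshell check described above can be scripted. The following is an added example (not from the original post, Progress, or Rapid7) that walks a wwwroot folder, flags the human2.asp name quoted on this page, and reports any other server-side script that is not in an expected baseline or that has been modified inside the look-back window. In production the folder would be c:\MOVEit Transfer\wwwroot\; here the tree, the baseline file names, and the helper names are constructed assumptions so the code runs offline.

```python
"""Look for the human2.asp webshell and other unexpected or recently modified
server-side scripts in a MOVEit Transfer wwwroot folder.

Added example. Only the webshell name comes from the page; the baseline
script names and the demo directory tree are constructed for illustration.
"""
import os
import tempfile
import time
from pathlib import Path

KNOWN_WEBSHELL_NAMES = {"human2.asp"}          # IoC named on this page
SCRIPT_SUFFIXES = {".asp", ".aspx", ".ashx"}   # server-side scripts worth baselining
# Hypothetical baseline of scripts a healthy install ships with (assumed names,
# to be replaced with a hash/name list taken from a known-good install).
EXPECTED_SCRIPTS = {"human.aspx", "machine.aspx", "guestaccess.aspx"}


def find_suspect_files(wwwroot, since_days=30, now=None):
    """Return a sorted list of (reason, relative_path) findings.

    reasons:
      'known-webshell'    file name matches an IoC from the page
      'unexpected-script' script suffix but the name is not in the baseline
      'recent-script'     baseline script modified within the window (possible tampering)
    """
    now = time.time() if now is None else now
    cutoff = now - since_days * 86400
    root = Path(wwwroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        rel = str(path.relative_to(root))
        if name in KNOWN_WEBSHELL_NAMES:
            findings.append(("known-webshell", rel))
        elif path.suffix.lower() in SCRIPT_SUFFIXES:
            if name not in EXPECTED_SCRIPTS:
                findings.append(("unexpected-script", rel))
            elif path.stat().st_mtime >= cutoff:
                findings.append(("recent-script", rel))
    return sorted(findings)


def build_constructed_wwwroot():
    """Create a throwaway directory tree that mimics a tampered wwwroot.
    Constructed purely for the demo; the files carry no real content."""
    root = Path(tempfile.mkdtemp(prefix="moveit-demo-"))
    old = time.time() - 120 * 86400
    for name in EXPECTED_SCRIPTS:
        p = root / name
        p.write_text("<%-- shipped page (constructed) --%>")
        os.utime(p, (old, old))              # untouched for months: expected
    (root / "human2.asp").write_text("<%-- constructed stand-in, no payload --%>")
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG")
    (root / "images" / "upload.aspx").write_text("<%-- not in baseline (constructed) --%>")
    return str(root)


if __name__ == "__main__":
    demo_root = build_constructed_wwwroot()
    for reason, rel in find_suspect_files(demo_root):
        print(f"{reason:18s} {rel}")
```

A hit on the known name is only the obvious case; the baseline comparison is what catches renamed copies, so it is worth pairing this with the 30-day IoC review the paragraph recommends.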

The Clop ransomware gang is a prime suspect as the group was behind the exploitation of zero-day vulnerabilities in two other MFT solutions, Fortra’s GoAnywhere MFT in January 2023 and the Accellion FTA in December 2020.

The post Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed appeared first on HIPAA Journal.

CISA & Partners Release Updated StopRansomware Guide

An updated version of the StopRansomware Guide has been published that includes further recommendations on actions that can be taken to reduce the risk of ransomware attacks. The StopRansomware Guide is a one-stop resource developed by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) that details best practices for detecting, preventing, responding to, and recovering from ransomware attacks and provides step-by-step approaches for addressing potential attacks. The updated guide was produced through the Joint Ransomware Task Force (JRTF), which was set up by Congress in 2022 to deal with the growing threat of ransomware attacks.

The StopRansomware Guide can be used by government agencies and organizations and businesses of all sizes to ensure appropriate defenses are in place to block attacks and can help with the development, implementation, and maintenance of incident response plans to ensure the fastest possible recovery in the event of an attack. The updated guide includes new recommendations for hardening defenses against the most common initial access vectors that are used by ransomware gangs and initial access brokers for gaining a foothold in networks, including compromised credentials, brute force attempts to obtain passwords, phishing, and advanced social engineering, along with information on securing cloud backups and tips for threat hunting.

The StopRansomware Guide is divided into two parts. The first part provides comprehensive, relevant, and proven best practices that can be adopted to reduce risk, including identifying critical data that needs protecting and proactive steps that can help with ransomware attack mitigation. The second part of the guide provides detailed information on detection, analysis, containment, eradication, and post-incident recovery, and includes a checklist to guide organizations through a methodical, measured, and properly managed incident response approach.

“With our FBI, NSA and MS-ISAC partners, we strongly encourage all organizations to review this guide and implement recommendations to prevent potential ransomware incidents,” wrote CISA. “In order to address the ransomware epidemic, we must reduce the prevalence of ransomware intrusions and reduce their impacts, which include applying lessons learned from ransomware incidents that have affected far too many organizations.”

The updated StopRansomware Guide can be downloaded from CISA on this link.

The post CISA & Partners Release Updated StopRansomware Guide appeared first on HIPAA Journal.