Healthcare Cybersecurity

Multiple Vulnerabilities Identified in OpenEMR Health Record and Practice Management Software

Multiple vulnerabilities have been identified in OpenEMR, the popular open source electronic health record and medical practice management software. OpenEMR is used by healthcare organizations around the world to record and manage sensitive patient data, and patients use the software to schedule appointments online, communicate with their healthcare providers, and pay medical bills. OpenEMR is used by more than 100,000 healthcare providers worldwide that serve more than 200 million patients.

The three vulnerabilities were discovered last year by security researcher Dennis Brinkrolf, who analyzed the open source code using Sonar’s static application security testing (SAST) engine. The vulnerabilities could be chained together to achieve remote code execution, take control of vulnerable OpenEMR instances, and steal sensitive patient data.

The first vulnerability – an unauthenticated file read vulnerability – could be exploited by a malicious actor using a rogue MySQL server to read arbitrary files on OpenEMR systems. Those files contain certificates, passwords, tokens, and backups. The other two vulnerabilities – an authenticated local file inclusion flaw and an authenticated reflected XSS vulnerability – can be exploited in combination with the first vulnerability to execute arbitrary code on any vulnerable OpenEMR server and steal sensitive data. In the worst-case scenario, the attacker would be able to compromise an organization’s entire critical infrastructure.

For instance, the reflected XSS vulnerability could be exploited to upload a malicious PHP file to the server. The attacker could then use path traversal via the local file inclusion bug to execute the PHP file. While it may take several attempts to determine the appropriate Unix timestamp, the attacker would eventually achieve remote code execution and could configure the system to allow data exfiltration.

Brinkrolf reported the vulnerabilities to OpenEMR on October 24, 2022, and patches were released to fix all three vulnerabilities within a week. Medical practices that use OpenEMR should check that they are running the latest version of the software, and if they are running any version prior to 7.0.0, they should update the software immediately.

The post Multiple Vulnerabilities Identified in OpenEMR Health Record and Practice Management Software appeared first on HIPAA Journal.

Hive Ransomware Operation Disrupted as FBI Seizes the Gang’s Infrastructure

While the Hive ransomware operation was infiltrating servers, exfiltrating data, and demanding ransom payments from its victims, its activities were being observed from within. The FBI has had access to Hive’s ransomware servers since July 2022, learning about the group’s methods and helping victims recover without paying the ransom. The FBI was biding its time until the ideal moment to strike, and strike it did. The Department of Justice (DOJ) has announced that the Hive ransomware gang’s digital infrastructure has been seized, including the group’s Tor payment site, data leak site, and the infrastructure used by the group’s leadership and affiliates for communications.

The Hive ransomware gang was one of the most active and aggressive ransomware-as-a-service (RaaS) operations, having conducted more than 1,500 attacks on entities in over 80 countries in less than two years. While some ransomware actors have terms and conditions preventing their affiliates from conducting attacks on the healthcare sector, that was not the case with Hive, which conducted many attacks on hospitals and health systems, along with schools, financial firms, and critical infrastructure entities. Healthcare victims include Consulate Health, Lake Charles Memorial Health, Tift Regional Medical Center, Greenway Health, Johnson Memorial Health, Partnership HealthPlan, First Choice Community Healthcare, and Missouri Delta Medical Center.

The Hive gang has been active since at least June 2021 and is believed to have generated in excess of $100 million in ransom payments. The group is known to gain initial access to networks through a range of techniques, including phishing, stolen credentials, remote desktop protocol, VPNs, and by exploiting vulnerabilities in Internet-exposed devices. After gaining access to networks, the group moves laterally, identifies data of interest, exfiltrates files, and then demands payment for the decryption keys and to prevent the publication of stolen data. If victims refuse to pay, the stolen data are publicly released on its data leak site.

The takedown came at the end of a months-long infiltration of the group’s infrastructure, with assistance provided by Europol, the U.S. Secret Service, the U.S. Attorney’s Office for the Eastern District of Virginia, the U.S. Attorney’s Office for the Central District of California, and law enforcement agencies in Germany and the Netherlands. The FBI gained access to two dedicated servers and one virtual server hosted by a Californian hosting provider, which were being leased by the gang, and law enforcement in the Netherlands assisted with the seizure of two backup servers hosted in that country. The servers were being used to host the main data leak site, the negotiation site, and the Internet interfaces used by the group’s members and affiliates.

The FBI obtained information on planned attacks and contacted victims to warn them, and during the past 6 months has prevented approximately $130 million in ransom payments. The FBI obtained the decryption keys for approximately 300 victims that were under attack at the time and has distributed approximately 1,000 decryption keys to previous victims. The FBI also obtained records of communications, malware file hash values, and information on 250 affiliates that were conducting attacks for the gang, along with a list of past victims. The websites used by the gang now display a notice, rotating in English and Russian, warning that the sites have been seized.

“The Department of Justice’s disruption of the Hive ransomware group should speak as clearly to victims of cybercrime as it does to perpetrators,” said Deputy Attorney General Lisa O. Monaco. “In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments. We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”

The Hive group communicates in Russian and is believed to operate out of Russia. There is no extradition treaty between Russia and the United States, and Russia has previously been reluctant to take action against ransomware gangs operating within its borders. The information obtained on the gang’s members and affiliates is likely to lead to indictments, although it may prove difficult to bring those individuals to justice. While the operation has caused considerable disruption to Hive, the group is well-resourced and has obtained significant sums in ransom payments, so it is probable that the infrastructure will be rebuilt and operations will recommence under a different name. Even so, this is a major achievement and has prevented many damaging attacks on the healthcare sector.

“The disruption of the Hive service won’t cause a serious drop in overall ransomware activity but it is a blow to a dangerous group that has endangered lives by attacking the healthcare system. Unfortunately, the criminal marketplace at the heart of the ransomware problem ensures a Hive competitor will be standing by to offer a similar service in their absence, but they may think twice before allowing their ransomware to be used to target hospitals,” John Hultquist, Head of Mandiant Threat Intelligence, Google Cloud, explained to HIPAA Journal. “Actions like this add friction to ransomware operations. Hive may have to regroup, retool, and even rebrand. When arrests aren’t possible, we’ll have to focus on tactical solutions and better defense. Until we can address the Russian safe haven and the resilient cybercrime marketplace, this will have to be our focus.”


Healthcare Industry Most Commonly Attacked with Downloaders and Ransomware

Blackberry has recently published its Global Threat Intelligence Report, which provides actionable and contextualized intelligence that can be used to improve cyber resilience. The report is based on data collected by Blackberry and threat intelligence provided by third parties, gathered over 90 days between September and November 2022.

Throughout the reporting period, downloaders were among the most commonly observed threats. Downloaders are malicious software that often masquerade as legitimate documents and executables and are used to download a range of other malicious software. Once installed, these downloaders often remain undetected for long periods and form large botnets of infected devices. The operators of these botnets partner with other threat groups to deliver third-party payloads. One of the most commonly used downloaders is Emotet, which first emerged in 2014 as a banking Trojan. An international law enforcement operation successfully shut down the Emotet botnet in April 2021, but it was eventually rebuilt and started to be used again at the end of 2021. After a 4-month hiatus in 2022, activity resumed, with the botnet being grown via phishing emails carrying malicious Office attachments. Emotet commonly drops the IcedID banking Trojan, which in turn often delivers ransomware payloads.

QakBot is another common downloader that is similarly distributed via phishing emails. The emails typically contain an LNK hyperlink that directs the user to a malicious domain, where a ZIP file is downloaded. The ZIP file contains an executable that delivers QakBot. QakBot can hijack existing email threads for propagation, targeting individuals in the victim’s contact list so that the emails appear to have been sent in reply to a previous conversation. The QakBot operators provide initial access to networks for several ransomware operations.

The Blackberry researchers also detected an increase in GuLoader activity. GuLoader is often used to deliver information stealers such as RedLine and Raccoon, with the malicious payloads often hosted on cloud services such as Google Cloud and OneDrive, as well as on malicious Telegram bots. Throughout 2022, LockBit was the most commonly used ransomware variant and remained so throughout the 90-day analysis period. RedLine and Raccoon were the most commonly observed information stealers, and njRAT and FlawedAmmyy were the most commonly identified remote access Trojans.

For its latest report, Blackberry analyzed attacks on the healthcare sector, which the researchers say is particularly vulnerable to attacks due to the widespread use of medical technology with a long service life, the complex and often interconnected nature of healthcare systems, and the vast amounts of sensitive data that are routinely collected and stored. Ransomware still poses the biggest threat to the healthcare sector, and all of the threat groups that rely on ransomware are actively targeting the healthcare industry. While some ransomware-as-a-service operations claim to have operating rules prohibiting attacks on the healthcare sector, those promises cannot be guaranteed and there have been many cases where healthcare organizations have been attacked despite these rules being in place.

QakBot was the most commonly observed Trojan in attacks on the healthcare sector, most commonly used to provide access to healthcare networks for ransomware affiliates and initial access brokers. Emotet was not very active over the analysis period, although attacks are expected to increase. Meterpreter, a payload delivered via Metasploit, and BloodHound were active during the analysis period and were used in attacks on the healthcare sector. One attack used Meterpreter along with SharpHound, a data collector for BloodHound that is often used to plan lateral movement. The researchers echoed the advice of CISA and recommend that network and system administrators intentionally run BloodHound themselves to understand the possible attack paths in their environments.

Several attacks on the sector involved TinyNuke, which was used to deliver the NetWire RAT, and some attacks involved the PlugX RAT, which is commonly used by nation-state actors such as Mustang Panda. This suggests that both nation-state actors and cybercriminals are actively targeting the sector. Information stealers such as RedLine and Raccoon were extensively used in attacks in 2022; however, these malware variants do not appear to have been used specifically to attack the healthcare sector.

The financially motivated threat group TA505 remains highly active and has targeted the healthcare sector. The group is known to use Clop ransomware, the FlawedAmmyy RAT, and banking Trojans. ALPHV is a relatively new cybercriminal group that has been conducting attacks on the healthcare sector. The group often deploys BlackCat ransomware and is known for using innovative extortion tactics and unconventional attack methods. ALPHV claimed responsibility for the recent attack on NextGen Healthcare. The Vietnam-based threat actor APT32, the Chinese APT group Mustang Panda, the Russian threat actor APT29, and the cybercriminal group TA542 have also been highly active and have a history of attacking healthcare organizations.

The researchers believe the healthcare industry will continue to be targeted throughout 2023 and that ransomware will remain one of the biggest threats. They also predict more targeted attacks on cloud infrastructure as threat actors seek additional visibility into the organizations they intend to undermine or extract profit from.

“The growth of targeted attacks in the automotive, healthcare, and financial industries casts a harsh light on the critical need to protect these sectors’ expansive and vulnerable threat surfaces,” said the researchers. “Defending your organization against malware and cyberattacks requires in-depth knowledge of how threat actors are targeting your industry, the tools that they use, and their possible motivations. This detailed knowledge provides contextual, anticipative, and actionable cyberthreat intelligence that can reduce the impact of threats on your organization.”


Feds Warn of Malicious Use of RMM Software in Callback Phishing Attacks

Cybercriminals are increasingly using legitimate remote monitoring and management (RMM) software in their attacks, according to a recent joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The campaign was first identified in October 2022 and involves callback phishing. The emails used in this campaign are difficult for email security solutions to identify as malicious as they contain no malicious hyperlinks or attachments. The emails notify the recipient about an impending charge and a phone number is provided in the email for the user to call if they want to avoid the charge being applied.

The charges typically relate to a software solution that is coming to the end of a free trial. The user is told that the full price of the software will be charged to their account if no action is taken. Because the software is expensive, there is a reasonably high chance that the number will be called. When the call is answered, social engineering techniques are used to convince the user to navigate to a malicious domain and download software, which they are told is required to remove the trial software and prevent the charge. That software connects to a second-stage domain and downloads a portable version of legitimate remote access software such as AnyDesk or ScreenConnect. If executed, the software connects to the attacker’s RMM server and gives the attacker access to the user’s device.

The self-contained, portable versions of these remote access solutions do not require installation, and as such do not require administrator privileges. Organizations may have security controls in place to prohibit the installation of this software on the network, but portable versions bypass these controls and allow the attacker to access the user’s device as a local user. The attacker can then move to other vulnerable machines within the local intranet or establish persistent access as a local user service. One of the main aims of these attacks is to trick users into logging into their bank accounts to initiate a refund scam. The attackers remain connected while the user accesses their bank account, and the account summary is modified to make it appear that an excess amount of money has been refunded. The user is then told to refund the excess to the operator of the scam.

CISA conducted a retrospective analysis of the federal civilian executive branch (FCEB) intrusion detection system (IDS) based on third-party reporting and identified malicious activity on two FCEB networks that had been compromised using this technique. Further analysis identified malicious activity on many other FCEB networks, which the agencies were able to link to a broader financially motivated phishing campaign, related to a typosquatting campaign uncovered by Silent Push that spoofed Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal domains. Initially, this campaign involved helpdesk-themed emails that directed users to a website spoofing one of these brands; the operators later switched to callback phishing attacks. The campaign has been active since at least June 2022.

While this campaign leverages AnyDesk and ScreenConnect, other types of RMM software could also be packaged into self-contained portable executables. These attacks are far easier to conduct than creating custom malware that provides remote access and distributing it in phishing emails. The federal agencies encourage all FCEB agencies and network defenders at other organizations to review the Indicators of Compromise (IOCs) and mitigations provided in the security alert to protect against the malicious use of RMM software.


Ransomware Profits Decline as Victims Refuse to Pay Ransoms

Ransomware gangs are finding it much harder to profit from their attacks as fewer victims are paying ransoms to obtain the decryption keys and prevent the exposure of stolen data, according to two recently released reports from the ransomware remediation firm Coveware and the blockchain analysis firm Chainalysis.

Coveware reports that in Q1, 2019, 85% of ransomware victims paid the ransom following an attack. Since then, the percentage making payments has been steadily declining, with just 37% of ransomware victims paying up in the last two quarters of 2022. Coveware said around 50% of organizations paid ransoms in 2021, compared to 41% in 2022. Chainalysis said total ransomware revenue fell by 40.3% year-over-year, dropping from $765.6 million in 2021 to $456.8 million in 2022. While ransomware victims do not always publicly disclose attacks or if a ransom has been paid, the figures strongly suggest there is an increasing unwillingness of victims to pay up.

There are several reasons for the decline in profits. Organizations have improved their defenses, are monitoring their networks more closely for signs of compromise, and have developed incident response plans for ransomware attacks that allow quicker recovery, so fewer organizations find themselves in a position where they have little alternative to paying the ransom. Insurance companies have played a key role in improving defenses against ransomware. Bill Siegel, CEO and co-founder of Coveware, said that following large losses from ransomware attacks in 2019, insurance companies updated the terms and conditions of their cyber insurance policies, requiring customers to maintain cybersecurity standards, including following best practices for backups, implementing multi-factor authentication, and developing and testing an incident response plan.

Chainalysis suggests that the legal risk from paying ransoms has increased and that this could also be a factor. Payment of a ransom to any ransomware group that has been sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) risks a significant financial penalty. If there is any potential connection between an attack and an entity on the OFAC sanctions list, paying a ransom is incredibly risky.

Faced with dwindling profits, ransomware groups have changed their tactics, with some opting to target larger organizations in the hope of getting sizeable ransom payments, while others have started targeting smaller organizations due to the difficulty of getting larger organizations to pay up. According to Coveware, in the last quarter of 2022, the average ransom payment increased by 58% to $408,644 and the median payment increased by 342% to $185,972, which Coveware attributes to the decline in revenues forcing gangs to increase their ransom demands.

While it is becoming harder for cybercriminals to profit from ransomware attacks, that does not mean fewer attacks are being conducted. The data vary but suggest that the number of attacks has remained fairly constant or declined only slightly. There also appears to have been an increase in re-extortion, where ransomware gangs demand further payments from victims after the ransom has been paid. While this tactic was more common in attacks on smaller organizations, it is increasingly being used by ransomware groups that target medium- and large-size companies. Of course, one of the problems with this approach is that victims will be even less likely to pay up.

The Federal Bureau of Investigation (FBI) discourages organizations from paying ransoms, but payment is not prohibited. The FBI encourages victims to report attacks even when the ransom is paid and provides assistance to victims. This approach appears to be working. By increasing the support provided to victims, organizations get the help they need to quickly mitigate attacks and the FBI gains valuable insights into how the groups are operating, allowing the agency to predict who the groups may target next. Threat intelligence can then be shared with those organizations to help them better defend against attacks.

Ransomware attacks becoming less profitable could prompt cybercriminals to abandon ransomware; however, with profits dwindling, ransomware gangs may instead get even more aggressive, piling more pressure on victims or conducting more destructive attacks. The advice from the FBI is to invest in defenses, implement an incident response plan, and call the FBI immediately in the event of an attack. Bryan A. Vorndran, assistant director of the FBI’s Cyber Division, said the FBI can put a cyber-trained agent on the doorstep of virtually any organization in the country within an hour of an incident being reported. That agent can then provide timely assistance and help the organization recover quickly.


2022 Healthcare Data Breach Report

For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13% with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.

As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.


These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM Cost of a Data Breach report indicates the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2023, although individual data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.

The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.

Largest Healthcare Data Breaches in 2022

There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
OneTouchPoint, Inc. | WI | Business Associate | 4,112,892 | Ransomware attack
Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Pixel-related impermissible disclosure via websites
Connexin Software, Inc. | PA | Business Associate | 2,216,365 | Hacking incident and data theft
Shields Health Care Group, Inc. | MA | Business Associate | 2,000,000 | Hacking incident and data theft
Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Ransomware attack
Baptist Medical Center | TX | Healthcare Provider | 1,608,549 | Malware infection
Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Pixel-related impermissible disclosure via websites
Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Pixel-related impermissible disclosure via websites
North Broward Hospital District d/b/a Broward Health (“Broward Health”) | FL | Healthcare Provider | 1,351,431 | Hacking incident and data theft
Texas Tech University Health Sciences Center | TX | Healthcare Provider | 1,290,104 | Hacking incident and data theft
Doctors’ Center Hospital | PR | Healthcare Provider | 1,195,220 | Ransomware attack
Practice Resources, LLC | NY | Business Associate | 942,138 | Hacking incident and data theft
Wright & Filippis LLC | MI | Healthcare Provider | 877,584 | Ransomware attack
Partnership HealthPlan of California | CA | Health Plan | 854,913 | Hacking incident and data theft
MCG Health, LLC | WA | Business Associate | 793,283 | Hacking incident and data theft
Yuma Regional Medical Center | AZ | Healthcare Provider | 737,448 | Ransomware attack
SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking incident and data theft
CommonSpirit Health | IL | Business Associate | 623,774 | Ransomware attack
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare | TX | Healthcare Provider | 612,000 | Ransomware attack
Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Ransomware attack
Morley Companies, Inc. | MI | Business Associate | 521,046 | Ransomware attack
Adaptive Health Integrations | ND | Healthcare Provider | 510,574 | (not stated in source)
Christie Business Holdings Company, P.C. | IL | Healthcare Provider | 502,869 | Hacking incident and data theft
Health Care Management Solutions, LLC | WV | Business Associate | 500,000 | Hacking incident and data theft
OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Ransomware attack

While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 999 records.

Hacking incidents dominated the breach reports, with 555 of the 707 reported breaches (71.4%) classified as hacking/IT incidents; these accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. There were 113 unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records, inflated by some large pixel-related data breaches, and the median breach size was 1,652 records.

Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

Which Entities Suffered the Most Data Breaches?

The raw data on the OCR breach portal does not accurately reflect the extent to which business associate data breaches are occurring. When business associate involvement is factored in, it is possible to gain a more accurate gauge of how many data breaches occur at business associates. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches in which business associates were involved – a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.

Data breaches by HIPAA-regulated entity type, 2009 to 2022


Where Did the Data Breaches Occur?

Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.

| State | Breaches |
|---|---|
| New York | 68 |
| California & Texas | 52 |
| Florida & Pennsylvania | 38 |
| New Jersey | 27 |
| Georgia | 26 |
| Michigan, Virginia & Washington | 24 |
| Ohio | 23 |
| Illinois & North Carolina | 22 |
| Tennessee | 17 |
| Arizona & Maryland | 16 |
| Massachusetts & Wisconsin | 15 |
| Colorado | 14 |
| Connecticut, Indiana & Missouri | 13 |
| Alabama | 11 |
| Kansas, Oklahoma & South Carolina | 9 |
| Arkansas, New Hampshire & West Virginia | 8 |
| Nebraska & Oregon | 7 |
| Minnesota | 6 |
| Utah | 5 |
| Delaware, Nevada & Rhode Island | 4 |
| Hawaii, Kentucky, Louisiana, Mississippi, Montana, South Dakota & Vermont | 3 |
| Iowa, Idaho, Maine, New Mexico, and Washington D.C. | 2 |
| North Dakota & Wyoming | 1 |
| Alaska | 0 |

HIPAA Enforcement in 2022

HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.

Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.

HIPAA Settlements and Civil Monetary Penalties 2008-2022

Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.

2022 HIPAA Settlements and Civil Monetary Penalties

| Regulated Entity | Penalty Amount | Type of Penalty | Reason |
|---|---|---|---|
| Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure |
| New Vision Dental | $23,000 | Settlement | Impermissible PHI disclosure, Notice of Privacy Practices, releasing PHI on social media |
| Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure (time/fee) |
| Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure |
| B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure |
| New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, failure to maintain appropriate safeguards |
| ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| Oklahoma State University – Center for Health Sciences (OSU-CHS) | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, and the impermissible disclosure of the PHI of 279,865 individuals |
| Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |

HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.

| State | Regulated Entity | Penalty | Penalty Type | Reason |
|---|---|---|---|---|
| Oregon/Utah | Avalon Healthcare | $200,000 | Settlement | Lack of safeguards and late breach notifications |
| Massachusetts | Aveanna Healthcare | $425,000 | Settlement | Lack of safeguards against phishing |
| New York | EyeMed Vision Care | $600,000 | Settlement | Multiple security failures |

The post 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hackers are Using AI Tools such as ChatGPT for Malware Development

There are many benefits of using AI in healthcare, including the acceleration of drug development and medical image analysis, but the same AI systems that benefit healthcare could also be used for malicious purposes such as malware development. The Health Sector Cybersecurity Coordination Center (HC3) recently published an analyst note summarizing the potential for artificial intelligence tools to be used by hackers for this purpose and evidence is mounting that AI tools are already being abused.

AI systems have evolved to a stage where they can be used to write human-like text with a very high degree of fluency and creativity, including valid computer code. One AI tool that has proven popular in recent weeks is ChatGPT. The OpenAI-developed chatbot is capable of producing human-like text in response to queries and had more than 1 million users in December. The tool has been used for a myriad of purposes, including writing poems, songs, reports, web content, and emails.

In response to the incredible popularity of ChatGPT, security researchers started testing its capabilities to determine how easily the tool could be used for malicious purposes. Multiple security researchers found that despite the terms of use prohibiting the chatbot from being used for potentially harmful purposes, they were able to get it to craft convincing phishing emails, devoid of the spelling mistakes and grammatical errors that are often found in these emails. ChatGPT and other AI tools could be used for phishing and social engineering, opening up these attacks to a much broader range of individuals while also helping to increase the effectiveness of these attacks.

One of the biggest concerns is the use of AI tools to accelerate malware development. Researchers at IBM developed an AI-based tool to demonstrate the potential of AI to be used to power a new breed of malware. The tool, dubbed DeepLocker, incorporates a range of ultra-targeted and evasive attack tools that allow the malware to conceal its intent until it reaches a specific victim. The malicious actions are then unleashed when the AI model identifies the target through indicators like facial recognition, geolocation, and voice recognition.

If you ask ChatGPT to write a phishing email or generate malware, the request will be refused as it violates the terms and conditions, but it is possible to make seemingly innocuous requests and achieve those aims. Researchers at Check Point showed it was possible to create a full infection flow using ChatGPT. They used ChatGPT to craft a convincing phishing email impersonating a hosting company for delivering a malicious payload, used OpenAI’s code-writing system, Codex, to create VBA code to add to an Excel attachment, and also used Codex to create a fully functional reverse shell. “Threat actors with very low technical knowledge — up to zero tech knowledge — could be able to create malicious tools [using ChatGPT]. It could also make the day-to-day operations of sophisticated cybercriminals much more efficient and easier – like creating different parts of the infection chain,” said Sergey Shykevich, Threat Intelligence Group Manager at Check Point.

Hackers are already leveraging OpenAI code to develop malware. One hacker used the OpenAI tool to write a Python multi-layer encryption/decryption script that could be used as ransomware and another created an information-stealer capable of searching for, copying, compressing, and exfiltrating sensitive information. While there are many benefits of AI systems, these tools will inevitably be used for malicious purposes. Currently, the cybersecurity community has yet to develop mitigations or a way to defend against the use of these tools for creating malware, and it may not even be possible to prevent the abuse of these tools.


Vulnerability Management and Remediation Deficiencies Identified at Alabama VA Medical Center

An inspection of information security at Tuscaloosa VA Medical Center in Alabama by the VA Office of Inspector General (OIG) uncovered deficiencies in three of the four assessed security control areas. The OIG inspection covered configuration management, contingency planning, security management, and access controls, with deficiencies identified in configuration management, security management, and access controls.

Configuration management controls are required to identify and manage security features for all hardware and software components of an information system. OIG found deficiencies in vulnerability management, flaw remediation, and database scans. The Office of Information and Technology (OIT) routinely scans for vulnerabilities, and although OIG and OIT used the same vulnerability-scanning tools, OIT failed to identify all vulnerabilities: OIG identified 119 critical-risk vulnerabilities that OIT had not detected. OIG also identified 301 vulnerabilities that had not been mitigated within the required 30- or 60-day windows, with 134 critical-risk vulnerabilities identified on 14% of devices and 134 high-risk vulnerabilities found on 46% of devices. One of the high-risk vulnerabilities had remained unpatched for seven years.

Several devices were missing important security patches that were available but had not been applied, which placed VA systems at risk of unauthorized access, alteration, or destruction. Although database scans are performed every quarter, OIT was only able to provide scans for half of the databases, because a port-filtering issue prevented the scanner from reaching the rest. Without those completed scans, OIT would be unaware of security control weaknesses that could affect the security posture of those databases.
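The two configuration management findings above (vulnerabilities aging past their remediation window, and an independent scan surfacing findings the routine scan never reported) are the kind of thing a defender would want to check from scan exports rather than discover in an audit. The following is an added example, not code from the OIG report or from the VA; it assumes a simple per-finding record with a scanner check identifier, a severity and a first-seen date, and it assumes a 30-day window for critical and a 60-day window for high findings, since the report cites "30- or 60-day windows" without saying which severity gets which. The scan data is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation windows in days, keyed by severity. The OIG report
# refers to "30- or 60-day windows" without saying which severity gets which,
# so this mapping is an assumption made for the example.
REMEDIATION_WINDOW_DAYS = {"critical": 30, "high": 60}


@dataclass(frozen=True)
class Finding:
    """One scanner finding. plugin_id is the scanner's check identifier."""
    host: str
    plugin_id: str
    severity: str          # "critical", "high", "medium" or "low"
    first_seen: date       # date the scanner first reported it
    mitigated: bool = False


def days_overdue(finding: Finding, as_of: date) -> int:
    """Days past the remediation window; 0 if mitigated or no window applies."""
    window = REMEDIATION_WINDOW_DAYS.get(finding.severity)
    if window is None or finding.mitigated:
        return 0
    age = (as_of - finding.first_seen).days
    return max(0, age - window)


def overdue_findings(findings, as_of: date):
    """Open findings past their window, worst first, as (finding, days_overdue)."""
    rows = [(f, days_overdue(f, as_of)) for f in findings]
    return sorted([r for r in rows if r[1] > 0], key=lambda r: r[1], reverse=True)


def affected_device_share(findings, severity: str, inventory_size: int) -> float:
    """Fraction of the device inventory with at least one open finding of a severity."""
    hosts = {f.host for f in findings if f.severity == severity and not f.mitigated}
    return len(hosts) / inventory_size


def missed_by_primary(primary, independent):
    """Findings present in an independent scan but absent from the primary scan,
    matched on (host, plugin_id). This is how an OIG-vs-OIT style gap surfaces."""
    seen = {(f.host, f.plugin_id) for f in primary}
    return [f for f in independent if (f.host, f.plugin_id) not in seen]


# Constructed sample data (not from the OIG report). Host names and check
# identifiers are placeholders.
AS_OF = date(2023, 1, 31)
OIT_SCAN = [
    Finding("ws-01", "CHK-1001", "critical", date(2022, 12, 1)),
    Finding("ws-03", "CHK-1001", "critical", date(2023, 1, 20)),
    Finding("ws-04", "CHK-3003", "high", date(2022, 12, 15), mitigated=True),
    Finding("ws-05", "CHK-4004", "medium", date(2022, 6, 1)),
]
# The independent scan sees everything the routine scan saw plus a years-old
# finding on a database host the routine scan never reached (e.g. a filtered port).
OIG_SCAN = OIT_SCAN + [
    Finding("db-02", "CHK-2002", "high", date(2016, 1, 15)),
]
INVENTORY_SIZE = 10


def summarize(primary=OIT_SCAN, independent=OIG_SCAN, as_of=AS_OF, inventory=INVENTORY_SIZE):
    """Report overdue findings, the share of devices with open critical findings,
    and the findings the routine scan missed entirely."""
    overdue = overdue_findings(independent, as_of)
    return {
        "overdue": [(f.host, f.plugin_id, days) for f, days in overdue],
        "critical_device_share": affected_device_share(independent, "critical", inventory),
        "missed_by_primary": [(f.host, f.plugin_id) for f in missed_by_primary(primary, independent)],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The database finding is the interesting case: it is both overdue by years and absent from the routine scan, which is the combination the OIG report describes. Matching on (host, plugin_id) rather than on host alone is what makes the coverage gap visible when the same tool is used by both parties.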

Security management controls were assessed, and OIG found one deficiency: several plans of action and milestones were missing or lacked sufficient detail to be actionable. Four access control deficiencies were identified, related to network segmentation, audit and monitoring controls, environmental controls, and emergency power. Medical devices and special-purpose systems are required to be placed on isolated network segments for protection, yet several network segments containing such systems had no segmentation controls in place. Nineteen network segments containing 221 medical devices and special-purpose systems did not have access control lists applied, which allowed any user to access those devices. Logs need to be monitored to evaluate the effectiveness of security controls, recognize attacks, and support investigation during or after an attack, but audit logs for half of the databases supporting the Tuscaloosa VAMC were found to be missing. The missing logs belonged to the same databases that had not been subjected to vulnerability scanning.

Several communication rooms were found to lack temperature or humidity controls, which could have a significant adverse impact on the availability of systems, and uninterruptible power supplies were also discovered to be missing, which means infrastructure equipment would cease to function during power fluctuations or outages, resulting in interruption of data flow and disruption of access to network resources.

OIG made 8 recommendations to address the deficiencies, 6 to the assistant secretary for information and technology and chief information officer related to the security issues and 2 to the Tuscaloosa VAMC director, who must ensure communication rooms have adequate environmental controls and uninterruptible power supplies for infrastructure equipment.


Ransomware Appears to be in Decline, but Don’t Lower your Guard

While it is difficult to obtain accurate data on the number of ransomware attacks being conducted on healthcare organizations, the available data suggest there has been a decline in attacks across all industry sectors compared to the high number of attacks reported in 2021. Emsisoft recently reported that attacks are leveling off or declining in the industry sectors it tracks, and now a new survey appears to confirm that decline.

The survey was conducted by Censuswide on behalf of Delinea on 300 IT decision-makers across a broad range of industries in the United States, with the responses suggesting there has been a 60% decline in attacks between 2021 and 2022. In 2021, the survey revealed 64% of organizations had experienced a ransomware attack in the past 12 months, compared to 25% of organizations in 2022.

Ransomware attacks have been reported by both small and large healthcare organizations, and the Hive ransomware group is known to target smaller medical practices that provide telehealth services. Ransomware gangs nevertheless still appear to favor larger targets: the Delinea survey found that 56% of organizations that suffered a ransomware attack in the past 12 months had 100 or more employees.

In 2021, the Conti ransomware operation was the major ransomware player, but in early 2022 the group was disbanded, with its members moving to smaller ransomware operations. While these groups are conducting many attacks, Delinea suggests the shutdown of this large ransomware operation may explain, in part, the decline in attacks. According to GuidePoint Security, there was a 53% decline in attacks by the two main ransomware gangs – Conti and LockBit – last year, yet overall attacks only decreased by around 7%.

Another suggested reason for the decline is that security controls aimed at preventing ransomware are proving effective at thwarting attacks. It should also be noted that several ransomware gangs have started conducting extortion-only attacks, in which data are stolen and threats are issued to publish them if the ransom is not paid, but no file encryption takes place. Although these attacks are conducted by ransomware gangs, they may not be classed as ransomware attacks, and this could be reflected in the survey data.

In 2022, messages between members of the Hive ransomware gang were intercepted that suggested the group was not having problems compromising organizations but was struggling to force attacked organizations to pay up. The Delinea survey confirmed that fewer organizations are paying up, with 68% of organizations saying they paid the ransom following an attack in 2022 compared to 82% in 2021. The survey also confirmed some of the negative consequences of ransomware attacks, with 56% of companies saying they lost revenue as a result of a successful ransomware attack, with 50% of companies saying they lost customers, although fewer organizations than last year said they suffered reputational damage as a result of an attack – 51% in 2021 compared to 43% in 2022.

Attitudes to ransomware attacks also appear to be changing. In 2021, 88% of organizations said they believed it should be illegal to pay a ransom to cybercriminals following a ransomware attack, but in 2022, 63% of surveyed companies felt that way and believed they should have the choice about whether or not to pay for the keys to recover their data and prevent data exposure.

The reduction in attacks is certainly good news, but it does not mean that they will not increase again. It is therefore concerning that Delinea found investment in ransomware defenses is declining. In 2021, 93% of surveyed organizations said they had allocated funding to combat ransomware attacks, whereas that percentage fell to 68% in 2022. The survey also revealed that only half of the surveyed organizations had implemented best practices to prevent ransomware attacks, such as enforcing password best practices (51%) and multi-factor authentication (50%). There was also a notable decline in the number of companies that had an incident response plan specifically for ransomware attacks, which fell from 94% in 2021 to 71% in 2022.
