Healthcare Cybersecurity

HC3 Sheds Light on Data Exfiltration Trends in Healthcare Cyberattacks

The Health Sector Cybersecurity Coordination Center has issued a security advisory warning about data exfiltration in healthcare cyberattacks, highlighting the extent of the practice and sharing several recommended mitigations. Data exfiltration typically occurs once a threat actor has gained access to a network, elevated privileges, and moved laterally. Data exfiltration is one of the last stages of the cyber kill-chain and the primary objective in many cyberattacks.

There are several reasons for data theft. Nation-state actors often steal data for espionage purposes, cybercriminal groups steal healthcare data as it can be easily monetized and as leverage for extortion, and insiders steal data for financial gain, competitive advantage, and blackmail. When ransomware first started to be used by cybercriminal groups, files were simply encrypted; however, data exfiltration is now common. Data theft allows ransomware actors to profit from attacks when ransoms are not paid, and oftentimes it is the threat of publication of stolen data that prompts victims to pay up. Such is the incentive to pay to prevent data exposure that ransomware gangs are even dispensing with file encryption and are conducting extortion-only attacks.

In the security advisory, HC3 draws attention to the extent to which data exfiltration is occurring. HC3 explains that breach notifications to the HHS show 28.5 million records were exposed in the second half of 2022, up 21.1 million records from 2019. Across all 588 reported data breaches in 2022, more than 44 million patient records were exposed. At least 24 healthcare ransomware attacks occurred in 2022 impacting operators of 289 U.S. hospitals, and sensitive data were exfiltrated in 70% of those attacks.

Data exfiltration is not limited to ransomware attacks. Data theft is common in attacks involving other types of malware, such as information stealers, and several cyber threat groups have emerged that concentrate on data exfiltration and extortion, including the Donut Leaks, Karakurt, and the Lapsus$ threat groups. Nation-state-sponsored Advanced Persistent Threat Actors often gain persistent access to networks and remain undetected for years in order to exfiltrate sensitive data over extended periods. One attack, identified by WithSecure, saw the Lazarus APT group steal more than 100GB of sensitive data from the medical research and technology sector before being detected. As more organizations move from on-premises to cloud storage, threat actors have also been increasingly targeting cloud resources to steal data, and often delete cloud backups to prevent recovery from ransomware attacks.

Data exfiltration is often the most harmful aspect of a healthcare cyberattack. In addition to hardening defenses to prevent initial access to networks, network defenders should be monitoring for attempted data exfiltration and should take steps to prevent, block, and limit data exfiltration. HC3 has made several recommendations in the alert, including high-level mitigations such as integrating security awareness and security best practices, evaluating risks associated with every interaction with computers, applications, and data, and conducting periodic audits to verify that security best practices are being followed.

HC3 also recommends implementing monitoring systems that generate alerts about unusual data access, data movement, unsanctioned software and hardware (shadow IT), and unauthorized data access, and ensuring logs are generated by networks, workstations, servers, email, databases, web applications, firewalls, authentication services, and cloud resources. Those logs should be managed centrally and closely monitored. While data exfiltration by cyber actors is commonplace, employees should be monitored closely, especially departing employees. Access to resources should be promptly terminated and extra attention should be paid to the activities of those individuals in the lead-up to their departure.
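As an added illustration of the monitoring HC3 recommends (this is example code, not part of the HC3 advisory), the following script applies three of the advisory's checks to constructed outbound-transfer log lines: unusual data movement measured against a per-user daily baseline, transfers to unsanctioned destinations (shadow IT), and any activity by departing employees. The log format, host names, user names, baselines and the 10x threshold are all assumptions made for the example.

```python
"""Added example (not part of the HC3 advisory): a minimal exfiltration
monitor run over constructed outbound-transfer log lines.

Each line is 'timestamp,user,dest_host,bytes_out' (a constructed format,
not any vendor's). The checks mirror the advisory's recommendations: alert
on unusual data movement (volume far above a user's baseline), on movement
to unsanctioned destinations (shadow IT), and on activity by departing users.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: a normal day for alice, a late-night burst
# from bob to an unsanctioned host, and activity from a departing user.
SAMPLE_LOG = """\
2023-03-06T09:01:00,alice,sharepoint.example-health.internal,1200000
2023-03-06T09:05:00,bob,sharepoint.example-health.internal,800000
2023-03-06T11:30:00,alice,mail.example-health.internal,300000
2023-03-06T22:14:00,bob,files.unsanctioned-storage.example,2400000000
2023-03-06T22:20:00,bob,files.unsanctioned-storage.example,1900000000
2023-03-06T23:05:00,carol,sharepoint.example-health.internal,500000
"""

# Constructed policy inputs (assumptions for the example).
SANCTIONED_HOSTS = {"sharepoint.example-health.internal",
                    "mail.example-health.internal"}
DEPARTING_USERS = {"carol"}            # HR-provided list of staff who gave notice
BASELINE_BYTES_PER_DAY = {"alice": 2_000_000, "bob": 2_500_000, "carol": 1_000_000}
VOLUME_MULTIPLIER = 10                 # alert when daily volume exceeds 10x baseline


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "bytes": int(nbytes)})
    return events


def find_exfil_alerts(events):
    """Return sorted (user, reason) tuples, one per triggered check."""
    alerts = set()
    daily = defaultdict(int)
    for e in events:
        daily[(e["user"], e["ts"].date())] += e["bytes"]
        if e["host"] not in SANCTIONED_HOSTS:
            alerts.add((e["user"], f"transfer to unsanctioned host {e['host']}"))
        if e["user"] in DEPARTING_USERS:
            alerts.add((e["user"], "activity by departing user"))
    for (user, day), total in daily.items():
        baseline = BASELINE_BYTES_PER_DAY.get(user, 0)
        if baseline and total > VOLUME_MULTIPLIER * baseline:
            alerts.add((user, f"{total} bytes on {day} exceeds "
                              f"{VOLUME_MULTIPLIER}x baseline"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in find_exfil_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

In a real deployment the baseline would be learned from the central log store the advisory calls for rather than hard-coded, and the departing-user list would be fed from HR systems so access can be reviewed and terminated promptly.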

The post HC3 Sheds Light on Data Exfiltration Trends in Healthcare Cyberattacks appeared first on HIPAA Journal.

Feds Share Technical Details of Royal Ransomware

A joint cybersecurity advisory has been published by CISA and the FBI, sharing details of the tactics, techniques, and procedures (TTPs) used by the Royal ransomware gang and Indicators of Compromise (IoCs) to help network defenders better protect against attacks.

Royal Ransomware is a relatively new threat actor that was first observed conducting attacks in 2022. The group is believed to consist of highly experienced cybercriminals who are well-versed in conducting ransomware attacks, including operators that were once part of Conti Team One. Conti was one of the most prolific ransomware groups over the past 3 years and was formed by the group behind Ryuk ransomware. Royal has previously used the encryptors of other ransomware operations, then switched to using its own – Royal – in September 2022, and has now overtaken LockBit to become the main player in the ransomware market.

Like Conti and Ryuk before it, the Royal ransomware group is focused on attacks in the United States, especially critical infrastructure entities, including those operating in the healthcare and public health sector. The group uses a variety of methods to gain initial access to victims’ networks, with phishing the most common initial access vector. Phishing has been used in 67% of known attacks, where employees at victim organizations are tricked into installing a malware loader via emails with PDF attachments, which deliver the Royal ransomware payload. The group is also known to use malicious adverts – malvertising – to direct traffic to websites where malware is downloaded.

Remote Desktop Protocol (RDP) compromise has been used in around 13% of attacks and, to a lesser extent, the group also gains access to networks through public-facing applications and buys access through initial access brokers who harvest virtual private network credentials from stealer logs. Once access is gained, the group downloads a range of tools to strengthen the foothold in victims’ networks, then escalates privileges and moves laterally, including leveraging PsExec for lateral movement. The group is known to maintain persistence using various remote monitoring and management tools, including AnyDesk, LogMeIn, and Atera, and has been observed using the penetration testing tool, Cobalt Strike, and Ursnif/Gozi for data exfiltration. The group uses Windows Restart Manager to identify where targeted files are in use or are blocked by other applications, uses the Windows Volume Shadow Copy service to delete shadow copies to hamper attempts to recover files without paying the ransom, and exfiltrates data to a U.S. IP address before triggering the encryption routine.
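The TTPs above are the kind a defender turns into detection rules. The following added example (not from the CISA/FBI advisory) matches three of them, shadow copy deletion, the PsExec service, and unapproved RMM agents, against constructed process-creation events of the sort an EDR or Sysmon forwards to a SIEM. The event field names, the host names, and the executable names used for the RMM tools (AnyDesk.exe, LogMeIn.exe, AteraAgent.exe) are assumptions for the example; the allow-list of approved RMM agents is constructed and empty.

```python
"""Added example (not from the CISA/FBI advisory): matching Royal TTPs
against constructed process-creation events. Field names and executable
names are assumptions made for this example."""
import re

# Constructed sample events (host, parent image, image, command line).
SAMPLE_EVENTS = [
    {"host": "ws-12", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe C:\\Users\\j.doe\\Downloads\\invoice.pdf"},
    {"host": "ws-12", "parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-01", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "ws-07", "parent": "cmd.exe", "image": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "ws-07", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed allow-list: RMM agents the organization actually deploys.
# Anything else in RMM_IMAGES is treated as unapproved.
APPROVED_RMM = set()
RMM_IMAGES = {"anydesk.exe", "logmein.exe", "ateraagent.exe"}  # assumed names

# Each rule: (name, severity, predicate over one event).
RULES = [
    ("shadow-copy deletion (inhibit recovery)", "high",
     lambda e: e["image"].lower() == "vssadmin.exe"
     and re.search(r"delete\s+shadows", e["cmdline"], re.I) is not None),
    ("PsExec service (lateral movement)", "medium",
     lambda e: e["image"].lower() == "psexesvc.exe"),
    ("unapproved RMM agent (persistence)", "medium",
     lambda e: e["image"].lower() in RMM_IMAGES
     and e["image"].lower() not in APPROVED_RMM),
]


def match_events(events):
    """Return (host, rule name, severity) for every event that trips a rule."""
    hits = []
    for e in events:
        for name, sev, pred in RULES:
            if pred(e):
                hits.append((e["host"], name, sev))
    return hits


def hosts_by_severity(events, severity):
    """Hosts with at least one hit at the given severity, for triage ordering."""
    return sorted({h for h, _, s in match_events(events) if s == severity})


if __name__ == "__main__":
    for host, name, sev in match_events(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {name}")
```

Shadow copy deletion is worth the highest severity because in the sequence described above it immediately precedes encryption; an alert on it should page someone rather than wait for a daily review.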

CISA and the FBI strongly recommend taking immediate action to improve defenses against attacks, including prioritizing and remediating known exploited vulnerabilities, training the workforce how to identify phishing attempts, and enabling and enforcing multifactor authentication. Full IoCs and TTPs are detailed in the cybersecurity alert. An Analyst Note on Royal Ransomware has also been published by the Health Sector Cybersecurity Coordination Center.

The post Feds Share Technical Details of Royal Ransomware appeared first on HIPAA Journal.

Ransomware Gang Ups the Ante by Publishing Naked Images of Patients

In what is believed to be a first, the BlackCat ransomware gang has published naked images of patients that were stolen in one of its attacks on a healthcare organization in an attempt to pressure the victim into paying the ransom. Lehigh Valley Health Network (LVHN) recently announced that it was dealing with a ransomware attack that was detected on February 6, 2023. LVHN confirmed that the BlackCat ransomware group was behind the attack and had issued a ransom demand, payment of which would see the decryption keys provided and would prevent the release of data stolen in the attack. Brian A. Nester, LVHN President and CEO, confirmed that LVHN refused to pay the ransom and operations were unaffected.

Nester said the attack was on the network supporting a physician practice in Lackawanna County and the computer system involved stored clinically appropriate patient images for radiation oncology treatment and other sensitive patient information. “Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” said Nester.

In an attempt to pressure LVHN into paying the ransom, BlackCat started leaking some of the stolen data on its data leak site. While data leaks are now common when victims of ransomware attacks refuse to pay the ransom, BlackCat took matters a step further and published patient images stolen in the attack. Images of three breast cancer patients, naked from the waist up, were published on the data leak site along with screenshots of patient data showing diagnoses. “This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior,” said LVHN spokesperson, Brian Downs.

The HHS recently issued a security advisory about the BlackCat ransomware group, which actively targets organizations in the healthcare and public health sector, and warned that the group engages in aggressive triple extortion tactics. While many ransomware groups use double extortion involving data theft and threats to release stolen data in addition to file encryption, BlackCat uses a third tactic – threatening to conduct distributed denial of service (DDoS) attacks on victims until they pay up.

BlackCat is not the only ransomware gang to try new tactics to get victims to pay up. The Medusa ransomware gang recently attacked the Minneapolis Public Schools (MPS) District, stole sensitive data, then encrypted files. When payment was not made, MPS was added to the group’s data leak site and a threat was issued to publish the entire trove of data stolen in the attack. The group issued a ransom demand of $1 million, with the data leak site also offering the stolen data to anyone willing to pay the same amount. In a novel twist, the group also published a video showing the data stolen in the attack. The video, which is 51 minutes long, was added as proof of the extent of the data exfiltrated from MPS’s systems.

Ransomware gangs have had to adopt more aggressive tactics as fewer victims are paying ransom demands. According to Coveware, in Q4, 2022, only 37% of victims paid a ransom following a ransomware attack, compared to 76% of victims in 2019. Coveware says several factors are driving the reduction in the profitability of ransomware attacks. Greater investment in security and incident response planning means organizations are better prepared for attacks and are less likely to suffer a material impact from a successful attack. The FBI and other law enforcement agencies are still pursuing the perpetrators of these attacks, but they are also now putting more resources into helping victims recover. Coveware also points out that as revenues fall, operating costs to carry out attacks increase, which means fewer ransomware actors can make a living from distributing ransomware and even large ransomware groups are feeling the effect, hence the need to adopt new tactics to pressure victims into paying up and improve the profitability of attacks.

The post Ransomware Gang Ups the Ante by Publishing Naked Images of Patients appeared first on HIPAA Journal.

HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework

A new guide has been published by the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) to help healthcare organizations align their cybersecurity programs with the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The NIST Cybersecurity Framework is one of the most widely adopted frameworks for identifying and managing cybersecurity risks. The framework was released by NIST in 2015, updated in 2018, and the NIST CSF 2.0 is due for release later this year. The NIST CSF is based on five core functions – Identify, Protect, Detect, Respond, and Recover – and suggests cybersecurity controls that can be implemented in all five functional areas. The framework also includes four tiers against which organizations can rate their adoption of the framework, which allows them to communicate how they are achieving their cybersecurity objectives in a standardized way. The NIST CSF has become the standard cybersecurity framework for government agencies and private sector companies for managing cybersecurity risks.

The healthcare industry is extensively targeted by cybercriminal groups and nation-state actors and must defend against increasingly sophisticated and numerous threats. Healthcare organizations typically have fragmented infrastructures, legacy systems, huge numbers of applications, and must protect an ever-increasing number of network-connected medical devices. Consequently, many healthcare organizations struggle with managing cybersecurity effectively.

“Healthcare cyberattacks are among the fastest growing type of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” said Dawn O’Connell, HHS Assistant Secretary for Preparedness and Response. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”

According to the HSCC, a comprehensive cybersecurity framework – such as the NIST CSF – will “provide a common language and structure for discussions around risk and the methods and tools used to manage risk to a level that is not only acceptable to the organization but to other stakeholders such as business partners, customers, and industry and governmental regulators.” Healthcare organizations that base their cybersecurity programs on the NIST CSF can better direct capital, operational, and resource allocations to lines of business generating the greatest return on protecting assets/information and minimizing risk exposure.

While the NIST CSF has been developed to be suitable for organizations of all sizes in all industry sectors, some healthcare organizations have struggled to adopt the framework. The Cybersecurity Framework Implementation Guide is intended to help healthcare organizations adopt the NIST CSF and details specific steps that can be taken to immediately manage cyber risks to their IT systems and better protect against the full range of cyber threats. The guide will help healthcare organizations to assess their current cybersecurity practices and risks and identify gaps for remediation.

“With data breaches having doubled over the past five years and ransomware attacks reaching almost 400 in the same period, it is clear that the healthcare industry needs to up its game,” said Bryan Cline, industry lead for the guide and Chief Research Officer for HITRUST. “Health industry stakeholders of all sizes and subsectors can reduce their cyber risk exposure by implementing this resource and many others produced by the HSCC and government partners.”

The Cybersecurity Framework Implementation Guide was jointly developed by the HSCC and the HHS, and NIST and other federal agencies contributed substantially to its content. “The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program – the ‘Health Industry Cybersecurity Practices’ – which is aligned with the NIST Cybersecurity Framework. With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the sector more resilient,” said HSCC Cybersecurity Working Group Chair and Intermountain Healthcare CISO Erik Decker.

The post HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework appeared first on HIPAA Journal.

Cybercriminals Adopt Corporate Tactics to Address Declining Revenues

Cybercriminal groups have been experiencing declining revenues. Just like the businesses they attack, when profits start to fall, changes need to be made. Cybercriminal groups appear to be mirroring legitimate businesses and are using similar tactics when faced with falling profits, according to a recent report from Trend Micro.

Ransomware gangs in particular have seen profits take a nosedive, with ransom payments decreasing by 38% year-over-year as victims refuse to pay up, even when there is the threat of publication of stolen data. The gangs have responded by changing their tactics and are becoming more professional. When their brand image becomes tarnished, they simply rebrand. This helps them to stay under the radar but also deals with the image crisis. Conti, one of the most prominent, active, and professional ransomware groups, disbanded when the brand became toxic, with its members splitting into several smaller groups such as Black Basta, Karakurt, Royal, and BlackByte.

Cybercriminal groups have started diversifying their portfolios, placing less reliance on the ransomware attacks that are becoming less profitable. Several ransomware gangs have developed ransomware variants in Rust, which allows them to expand their attacks from Windows and MacOS to Linux systems. Trend Micro also reports that ransomware groups have shifted their focus to monetizing exfiltrated data and are moving to other criminal business models such as BEC attacks, stock fraud, cryptocurrency theft, and money laundering.

While cybercriminals are working on ways to maximize profits once access to victims’ networks has been gained, the methods used to gain initial access have largely remained unchanged. The most common method of access is targeting remote services, often using valid accounts for services that accept remote connections such as telnet, SSH, and VNC. Once access is gained, they proceed as the logged-in user and attempt to expand their footprint by escalating privileges and moving laterally.

Cybercriminals are relying less on phishing as an initial access method following the move by Microsoft to start disabling macros in Office documents by default in documents downloaded from the Internet. Following that move, cybercriminals have started exploring alternative initial access vectors such as malvertising and HTML smuggling.

Trend Micro reports an increase in the use of malicious adverts for key business search terms, with the adverts directing users to malicious sites. HTML smuggling uses an HTML attachment to an email that, when opened in the browser, assembles a ZIP file containing an ISO image, which in turn holds a LNK file that loads the malicious payload. There has also been an increase in living-off-the-land techniques, such as abusing penetration testing tools such as Cobalt Strike and Brute Ratel.
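Because the smuggled archive only exists after the browser runs the page's script, mail gateways that inspect attachments as they arrive see an HTML file and nothing else. The following added example (not from the Trend Micro report) is a static check a defender can run on HTML attachments: it looks for the script markers that characterize the technique, decodes any long base64 string in the page, and reports whether a decoded blob is a ZIP and whether its members carry container extensions such as .iso or .lnk. The sample attachment is constructed in the script itself and carries a benign ZIP whose only member is a dummy file named like a disk image; the marker list and the risky-extension list are assumptions for the example.

```python
"""Added example (not from the Trend Micro report): a static inspector for
the HTML smuggling pattern described above, run on a constructed attachment.
Marker strings and the risky-extension list are assumptions for the example."""
import base64
import io
import re
import zipfile


def build_sample_attachment():
    """Construct a benign stand-in: an HTML page carrying a base64 ZIP whose
    only member is named like a disk image (contents are dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iso", b"not a real ISO image, constructed bytes")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><script>\n"
        f'var data = atob("{b64}");\n'
        "var bytes = new Uint8Array(data.length);\n"
        "for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);\n"
        'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
        'var a = document.createElement("a");\n'
        'a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();\n'
        "</script></body></html>"
    )


# Script features that, together with an embedded archive, characterize the
# technique. Individually each is common in legitimate web apps.
SMUGGLING_MARKERS = ["atob(", "new Blob(", "createObjectURL(", ".download"]
# Member names inside the decoded ZIP that warrant escalation.
RISKY_MEMBER_EXTS = (".iso", ".lnk", ".img", ".vhd")


def analyze_html(html):
    """Return findings: markers seen, ZIP member names, risky members, verdict."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    # Any quoted run of base64 characters long enough to be a payload.
    blobs = re.findall(r'["\']([A-Za-z0-9+/=]{100,})["\']', html)
    findings = {"markers": markers, "zip_members": [], "risky_members": []}
    for blob in blobs:
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if raw.startswith(b"PK\x03\x04"):          # ZIP local file header magic
            try:
                names = zipfile.ZipFile(io.BytesIO(raw)).namelist()
            except zipfile.BadZipFile:
                continue
            findings["zip_members"].extend(names)
            findings["risky_members"].extend(
                n for n in names if n.lower().endswith(RISKY_MEMBER_EXTS))
    # Verdict: script-driven download plus an embedded archive.
    findings["suspicious"] = len(markers) >= 2 and bool(findings["zip_members"])
    return findings


if __name__ == "__main__":
    result = analyze_html(build_sample_attachment())
    print("suspicious:", result["suspicious"])
    print("archive members:", result["zip_members"])
    print("risky members:", result["risky_members"])
```

The verdict deliberately requires both a script-driven download and a decoded archive, since `atob` and `Blob` alone appear in plenty of legitimate pages; a real deployment would also pass the decoded ZIP to the sandbox and treat an .iso or .lnk member as grounds to block the message outright.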

The number of critical vulnerabilities reported in 2022 doubled from 2021, due to the rapidly evolving attack surface. Trend Micro also reports a sizeable increase in the number of failed patches, which the company attributes to vendors rapidly releasing patches to fix a problem, without investing the time to investigate and fix the underlying issue.

In 2022, threat actors switched from exploiting Microsoft Exchange vulnerabilities to Log4j vulnerabilities to gain access to networks. Threat actors are staying up to date on the latest vulnerabilities and are rapidly adding new exploits to their arsenals and are conducting their attacks before organizations can implement the patches. There was also a notable rise in attacks on cloud infrastructure, notably for crypto mining attacks.

SonicWall reported a 2% year-over-year increase in malware detections in 2022; however, Trend Micro’s data suggest a much more alarming increase of 55%. The company reports a 242% increase in blocked malicious files, an 86% increase in backdoor malware detections, and a 103% increase in web shell detections, which are now the most common malware.

In 2022, ransomware attacks were still common, with LockBit and BlackCat the top ransomware families. Rather than target large organizations, there has been growth in attacks on small and mid-sized organizations, where the attacks are likely to have the biggest impact. More than 79% of all attacks were conducted on small or mid-sized organizations (under 10,000 employees), with 51% of attacks on organizations with fewer than 200 employees.

“Threat actors are leaning into more legitimate business tactics and professional operations, employing the same kinds of programs and corporate strategies as their victims. Not only are they innovating in terms of tools and targets, but they are also building resilient organizations that do not rely on singular methods of attack or a particular target pool. They can exploit multiple areas of the attack surface in a single campaign,” explained Trend Micro in the report.

Implementing an effective security strategy can be a challenge, especially due to the current shortage of cybersecurity professionals. Trend Micro suggests in the report that organizations should ensure they cover asset management, secure their cloud infrastructure, implement proper security protocols to minimize the potential for vulnerability exploitation, and ensure they gain visibility into the full attack surface and put systems in place to protect all potential access points.

The post Cybercriminals Adopt Corporate Tactics to Address Declining Revenues appeared first on HIPAA Journal.

Suspected DoppelPaymer Ransomware Core Members Arrested in Europol-Led Operation

Two individuals suspected of being core members of the DoppelPaymer ransomware gang have been arrested by German Regional Police and Ukrainian Police officers as part of a coordinated law enforcement operation involving the Dutch Police (Politie) and the Federal Bureau of Investigation (FBI), coordinated by Europol.

The operation saw coordinated raids on multiple locations in Germany and Ukraine resulting in two arrests and the seizure of IT equipment suspected of being used in multiple worldwide attacks. The equipment is currently under forensic investigation.

DoppelPaymer ransomware first appeared in 2019. Since then, the ransomware has been used in dozens of attacks on critical infrastructure organizations and industries, and private companies. The ransomware is based on BitPaymer ransomware, which is part of the Dridex malware family. The DoppelPaymer gang worked closely with the operators of Emotet malware and used the botnet for distributing their ransomware payloads. The group was also known to use phishing emails with malicious attachments for gaining initial access to victims’ networks. The DoppelPaymer gang engaged in double extortion tactics, where sensitive data were exfiltrated before files were encrypted and ransom demands were issued to prevent the release of data on the group’s data leak sites and for the decryption keys to recover encrypted data.

DoppelPaymer rebranded as Grief in July 2021 and since then attacks have been conducted at a much lower level. Peak activity occurred in late 2019 and early 2020, then attack volume reduced to just a few attacks a month. In recent months, attacks have been conducted at a very low level.

While DoppelPaymer was not one of the most prolific ransomware operations, German authorities said they are aware of at least 37 attacks in the country, including an attack on University Hospital in Düsseldorf. The FBI said attacks in the United States resulted in ransom payments of at least $42 million between May 2019 and March 2021. The group was behind attacks on Kia Motors America, Compal, Foxconn, and Delaware County in Pennsylvania. The group’s primary targets were believed to be organizations in healthcare, the emergency services, and education.

The individual arrested in Germany is believed to be a core member of the group. At the same time, law enforcement authorities in Ukraine interrogated another suspected core member, which led to raids on two addresses in Kyiv and Kharkiv where IT equipment was seized.

Europol said the information gathered during this operation is likely to lead to further investigative activities. Authorities in Germany believe the DoppelPaymer operation had five core members who were responsible for maintaining the group’s infrastructure and data leak sites, deploying the ransomware, and handling ransom negotiations. Arrest warrants have been issued for three of them.

They are Igor Garshin/Garschin, who is suspected of being involved in reconnaissance, breaching victim networks, and deploying DoppelPaymer ransomware; Igor Olegovich Turashev, who is suspected of playing a major role in attacks in Germany and was an admin for the infrastructure and malware; and Irina Zemlianikina, who is believed to be responsible for the initial stage of the attacks, including sending phishing emails, as well as maintaining the chat system and data leak sites and publishing stolen data.

Turashev, a Russian national, is also wanted by the FBI for his role in the administration of the Dridex malware. Turashev was indicted in November 2019 and charged with conspiracy, conspiracy to commit fraud, wire fraud, bank fraud, and intentional damage to a computer, and a warrant for his arrest was issued by the FBI in December 2019.

The post Suspected DoppelPaymer Ransomware Core Members Arrested in Europol-Led Operation appeared first on HIPAA Journal.

Losses to Phishing Attacks Increased by 76% in 2022

Losses to phishing attacks increased by 76% last year, with almost one-third of companies losing money to successful phishing attacks according to Proofpoint’s recently published 2023 State of the Phish Report. In 2022, more than 4 out of 5 surveyed organizations experienced at least one successful phishing attack, with more than half of those organizations experiencing at least three successful phishing attacks. The data for the report came from a global survey of 7,500 working adults, 1,050 IT security professionals, and the results of more than 135 million simulated phishing emails over 12 months.

Phishing is one of the most commonly used initial access vectors in cyberattacks, commonly leading to costly account compromises, data breaches, and ransomware attacks. Phishing is usually associated with email, but 2022 saw a marked increase in telephone-oriented attack delivery (TOAD). These attacks typically involve emails urging the recipient to call a customer service hotline to resolve a security or account issue. Call centers are established – often in India – and the operators convince victims to install remote access software, install malware, or instruct them to transfer money. Proofpoint says during peak times, more than 600,000 TOAD messages were sent per day last year, with message volume averaging between 300,000 and 400,000 per day. TOAD attacks have increased steadily since 2021 due to the success of this technique. Since the initial contact occurs via email with no hyperlinks or attachments, email security solutions fail to quarantine or reject the messages, ensuring a high delivery rate.

In response to the move by Microsoft to disable macros in Internet-delivered Office documents and the increasing adoption of multi-factor authentication, cyber threat actors have had to get more creative and develop new techniques for malware delivery, and phishing methods capable of bypassing MFA are being adopted at scale. Proofpoint reports an increase in MFA bypass by phishing-as-a-service providers, who now offer that capability in their off-the-shelf phishing kits. Rather than directing users to phishing websites, these adversary-in-the-middle attacks proxy the legitimate website to the victim while capturing credentials and MFA codes or session cookies, allowing access to accounts that are protected by MFA. These attacks were conducted at scale in 2022 and pose a significant threat to organizations of all sizes.

The phishing simulation data highlights continued problems in human defenses and a lack of security awareness among employees. Teaching security best practices and training employees to recognize threats such as phishing can significantly improve security posture. While more organizations are investing in training for employees, only 55% of organizations have a security awareness program for all employees, and despite the benefits of conducting phishing simulations, only 35% of organizations use phishing simulations as part of the training process.

Awareness of cyber threats is improving but there is still a long way to go. For instance, 44% of people think emails are safe if they contain familiar branding, and even basic cybersecurity concepts are still poorly understood. One-third of working adults were unable to define malware, phishing, and ransomware, and there has been little change in understanding since 2021. One-third of people took risky actions such as clicking links in emails, opening attachments, or downloading malware, and alarmingly, 63% of the adults surveyed thought links in emails always direct them to the matching website or brand. Poor password practices also persist. 28% of users admit to reusing passwords for multiple work-related accounts, 26% save work passwords in their browsers, 16% manually rotate 1-4 passwords, and only 18% of respondents use a password manager.

The majority of surveyed organizations said they have implemented at least some form of security awareness training, but many are struggling to make those programs effective. 27% of respondents said failure rates for phishing emails have largely remained unchanged, even after conducting security awareness training. That suggests more time and effort needs to be put into training, especially as 80% of organizations admitted to providing only 2 hours or less of training each year. The full findings and recommendations are available in the Proofpoint report.

The post Losses to Phishing Attacks Increased by 76% in 2022 appeared first on HIPAA Journal.

Biden Administration Announces New National Cybersecurity Strategy

The Biden Administration has announced a long-awaited new national cybersecurity strategy for tackling the growing threat of cyberattacks on critical infrastructure, disrupting cyber threat operations, and improving cyber resilience against malicious cyber activity from cybercriminal groups and nation-state actors. The aim is to ensure a safe and secure digital ecosystem for all Americans and that requires fundamental shifts in roles, responsibilities, and resources in cyberspace and a shifting of the burden of cyber resilience away from individuals, small businesses, and local governments onto the multi-billion dollar technology companies that provide software and information technology.

The new strategy will involve a more intentional, better coordinated, and more well-resourced approach and a realigning of incentives to favor long-term investments in cybersecurity to achieve a better balance between defending against current threats and planning for and investing in a cyber-resilient future. The new cybersecurity strategy sets a path to address current and future threats to protect investments in rebuilding America’s infrastructure, develop the clean energy sector, and re-shore America’s technology and manufacturing base. The aim is to make the digital ecosystem of the United States more defensible and make cyber defense easier, cheaper, and more effective.

The new cybersecurity strategy is based on five pillars:

  • Defend Critical Infrastructure
  • Disrupt and Dismantle Threat Actors
  • Shape Market Forces to Drive Security and Resilience
  • Invest in a Resilient Future
  • Forge International Partnerships to Pursue Shared Goals

To better defend critical infrastructure the government will expand minimum cybersecurity requirements in critical sectors and harmonize regulations to reduce the burden of compliance. Public-private collaboration will improve at the speed and scale necessary to defend against cyber threats, federal networks will be modernized, and cyber incident response policies will be improved.

The Biden Administration has already taken steps to accelerate efforts to disrupt cyber threat operations and dismantle the infrastructure used in attacks, and all tools of national power will be used to continue that mission. The private sector will be engaged to assist and provide scalable mechanisms to achieve those aims, and the ransomware threat will be tackled through a comprehensive federal approach, assisted by international partners.

Improving security and resilience will not be possible without comprehensive assistance from vendors, who must shoulder more of the responsibility of protecting against cyber threats. Liability for protecting against threats will shift from individuals and companies to the developers of software products and services, and federal grant programs will be introduced to promote investments in secure and resilient infrastructure.

To ensure a resilient future, strategic investments are required in people and technology. Through coordinated, collaborative action, the United States will lead the world in secure and resilient next-generation technologies and will help to reduce systemic technical Internet vulnerabilities, prioritize cybersecurity R&D for next-generation technologies, and develop a diverse and robust national cyber workforce.

International coalitions and partnerships will be forged with like-minded nations to counter cyber threats, the capacity of partners to defend themselves will be increased, and investments will be made to ensure trustworthy global supply chains for IT and communications technology and OT products and services.

“I’m pleased to see the Biden Administration advocating for the kind of best practices that I’ve long called for, such as building and reinforcing strong partnerships with the private sector, investing in the long-term protection of our nation’s critical infrastructure, being proactive about establishing strong cybersecurity foundations and meeting critical standards,” said Senator Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee.

“I’m particularly pleased to see the Administration prioritize the coordination of cyber incident reporting requirements, as required by the cyber reporting law I was proud to author. I’m also glad to see the Administration’s renewed focus on protecting the sensitive medical data and safety of Americans as cyber attacks on our health care systems become more frequent and aggressive,” added Warner.

“The latest National Cybersecurity Strategy is a strong signal that industry’s continued partnership and collaboration in building resiliency across U.S. critical infrastructure is needed now more than ever. We recognize the importance of rebalancing and enhancing how we collectively defend national interests, privacy, intellectual property, and critical systems in cyberspace,” said Stacy O’Mara, Senior Leader, Global Government Strategy, Policy, and Partnerships, Mandiant.

“Mandiant looks forward to promoting evolution of the private-public partnership model as outlined in the Strategy to compensate for resource-restricted, at-risk sectors and entities that need collective assistance to defend themselves. We see this call to action as a timely opportunity to better align our collective defense to the threat landscape by taking a risk-based approach to prioritize threats, capabilities, resources, and investments.”

The post Biden Administration Announces New National Cybersecurity Strategy appeared first on HIPAA Journal.