Healthcare Cybersecurity

Global Healthcare Cyberattacks Increased by 74% in 2022

The latest data released by the cybersecurity firm Check Point has confirmed that 2022 was a particularly bad year for cyberattacks, which increased globally by 38% year-over-year fuelled by a sizeable increase in attacks on healthcare organizations. Globally, the healthcare industry had the highest percentage increase in weekly cyberattacks of any industry sector, with an increase of 74% from 2021 to an average of 1,463 attacks per week.

With that increase, healthcare rose to become the third most attacked industry globally behind the government/military with 1,661 attacks a week (+46%) and education/research with 2,314 attacks a week (+43%). In the United States, healthcare ranked second with 1,410 attacks per week, which is an 86% increase from 2021. Across all industry sectors, cyberattacks in the United States increased by 57% year-over-year.

The healthcare industry is an attractive target for cybercriminals due to the volume of easily monetizable data that can be stolen, and the higher-than-average probability of extortion demands being met to prevent the release of stolen data. The Check Point Research team also points out that as an added advantage, ransomware gangs gain a lot of publicity from attacks on hospitals, with the attention increasing their notoriety.

There were notable changes in the threat landscape in 2022, especially concerning ransomware attacks. While in previous years large ransomware groups dominated the threat landscape, in 2022 these larger groups evolved into much smaller, more agile cybercriminal groups that are better able to evade law enforcement. Check Point also notes a diversification in cyberattacks on businesses that now exploit a much wider range of business collaboration tools, including Slack, Microsoft Teams, Google Drive, and OneDrive, all of which are rich sources of valuable data that can be obtained through phishing attacks.

Tracking specific types of cyberattacks in healthcare can be a challenge, as there is no standardized reporting. HIPAA requires data breaches to be reported, but the HHS only tracks cyberattack-related data breaches as hacking/IT incidents. Further, many breached entities choose not to disclose the exact nature of attacks, such as if ransomware was involved. Data collected by Emsisoft suggests ransomware attacks have leveled off, but the cybersecurity firm only analyzed data breaches at hospitals, not the broader healthcare ecosystem which includes healthcare industry vendors which were heavily targeted in 2022.

While the data from Check Point Research indicates an increase in healthcare cyberattacks in the United States, these attacks do not always result in data breaches. The HHS’ Office for Civil Rights breach portal currently indicates a slight reduction in reported data breaches, although data for 2022 is still being added to the breach portal. HIPAA Journal will publish its end-of-year healthcare data breach report next week when there is a clearer picture of the year’s totals but, as it stands on January 10, 2023, 701 data breaches of 500 or more records have been reported to the HHS in 2022, 13 short of the record-breaking total of 714 data breaches in 2021.

While it appears that healthcare data breaches have declined slightly, it is worth noting the increase in the number of breached healthcare records in 2022. Across the 701 data breaches, the records of 51,884,675 individuals have been breached, which is more than any year other than 2015, which included the 78.8 million-record breach at Anthem Inc. That 13.1% increase in breached records is concerning.

2022 also saw two major milestones reached. In 2009, the HHS started publishing a summary of reported healthcare data breaches of 500 or more records. In 2022, the number of reported data breaches surpassed 5,000. The second unwelcome milestone is more healthcare records have now been breached than the entire population of the United States. Since the HITECH Act required OCR to start publishing healthcare data breaches in 2009, more than 382 million healthcare records have been reported as having been exposed or impermissibly disclosed.

The post Global Healthcare Cyberattacks Increased by 74% in 2022 appeared first on HIPAA Journal.

HPH Sector Warned About Clop Ransomware-as-a-Service Operation

The Health Sector Cybersecurity Coordination Center (HC3) has shared information on the Clop (Cl0p) ransomware-as-a-service operation, the affiliates of which are known to conduct attacks on the healthcare and public health (HPH) sector.

Clop ransomware was first detected in February 2019 and is the successor to CryptoMix ransomware. The group is highly active and was apparently unaffected by the arrest of six operators of the ransomware in 2021, with activity continuing despite the arrests. The group was active throughout 2022, with one month seeing the group conduct attacks on 21 organizations. The group typically targets organizations with annual revenues in excess of $10 million, which allows large ransom payments to be demanded, although attacks have been conducted on smaller healthcare organizations such as doctors’ and dentists’ offices with revenues over $5 million.

The group uses double extortion tactics, where sensitive data are stolen prior to file encryption and a ransom payment is necessary to prevent the publication of the stolen data and to obtain the keys to decrypt files. Some attacks linked to the group have only involved data theft and extortion. The group follows through on its threats to publish stolen data when the ransom is not paid, as was the case with the attack on the pharmaceutical giant ExecuPharm, where emails, financial records, documents, and database backups were posted on the group’s leak site.

The group works with several other cybercriminal groups, including the financially-motivated threat group tracked as FIN11. A threat group with ties to the Clop ransomware group was behind a series of attacks that exploited a vulnerability in the Accellion File Transfer Appliance (FTA) in December 2020. Several healthcare providers were affected and had sensitive data leaked.

The tactics, techniques, and procedures used by affiliates of the Clop ransomware gang are highly varied and are constantly changing. Initial access is known to have been gained to victims’ networks through phishing, remote desktop compromise, credential abuse, and the exploitation of unpatched vulnerabilities. In late 2022, several attacks were conducted using TrueBot malware to gain initial access to networks.

The group has a good understanding of healthcare IT systems and workflows which has helped the threat actor to conduct several successful attacks on the HPH sector. In 2022, the group allegedly started having difficulties collecting ransom payments which led to a change in tactics. Intercepted communications between group members revealed it had started targeting medical practices that offer telehealth services. In these attacks, the affiliates register as new patients online and request telehealth consultations. Emails are then sent ahead of the appointments with file attachments masquerading as medical images that contain malicious code, in the hope that the files will be opened ahead of the arranged appointments.

The Clop ransomware gang is highly capable, well-funded, and prolific, and is considered to pose a significant threat to the HPH sector.


Urgent Patching Required to Fix Critical Citrix, Netgear, and Zoho ManageEngine Vulnerabilities

Vulnerabilities have been discovered in Citrix solutions, Netgear routers, and Zoho ManageEngine products that require immediate patching. One of the Citrix vulnerabilities is being actively exploited by an APT actor, and it is likely that attempts will be made to exploit the Netgear and Zoho flaws on unpatched devices.

Citrix Gateway and Citrix ADC Vulnerabilities Being Actively Exploited

In mid-December, organizations that use the Citrix Gateway remote access and/or Citrix ADC load balancing solutions were advised to urgently update to the latest software versions to fix two critical vulnerabilities, CVE-2022-27510 and CVE-2022-27518. Both the National Security Agency (NSA) and the Health Sector Cybersecurity Coordination Center (HC3) issued security alerts about the flaws, one of which is known to have been exploited by a Chinese APT actor to achieve remote code execution on vulnerable servers.

Despite active exploitation, a concerning number of servers remain vulnerable to the flaw, most of which are located in the United States, according to a recent scan by Fox-IT. Since at least one of the vulnerabilities has been actively targeted for several weeks, any organizations that have not yet upgraded to the latest version should do so immediately and also check for potential compromise, per the NSA and HC3 security advisories.

Critical Zoho ManageEngine Vulnerability Requires Immediate Patching

Zoho is urging all users of its ManageEngine Password Manager Pro, PAM360, and Access Manager Plus solutions to update the software to the latest version as soon as possible to fix a critical SQL injection vulnerability. The vulnerability, CVE-2022-47523, could be exploited by an adversary to gain unauthenticated access to the backend database and execute custom queries.

The patches, which were released in late December, add proper input validation and escape special characters to prevent exploitation of the flaw. Users should upgrade to Password Manager Pro v12210, PAM360 v5801, and Access Manager Plus v4309.

ManageEngine vulnerabilities have previously been targeted by nation-state threat actors, with a 2021 vulnerability suspected of being exploited on Internet-facing servers by a Chinese APT actor, according to a security advisory from CISA and the FBI, so exploitation of the recently disclosed flaw can be expected. Around 11,000 servers are running the affected solutions and will be vulnerable if not updated to the latest versions.
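The fix described above (validation plus escaping) is the standard remedy for SQL injection. The following added example, which is not Zoho's code and uses a constructed in-memory SQLite table with a hypothetical `accounts` schema, puts a string-concatenated lookup beside a parameterized one so the difference can be checked directly: the concatenated version breaks on an honest name containing an apostrophe and returns every row for a quote-bearing input, while the parameterized version treats the same input purely as data.

```python
import sqlite3

# Constructed sample data standing in for any backend database;
# hypothetical schema, not the ManageEngine products' own.
SAMPLE_ROWS = [
    ("alice", "Alice Example", "db-admins"),
    ("bob", "Bob Example", "helpdesk"),
    ("o'brien", "Pat O'Brien", "helpdesk"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, display_name TEXT, team TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation: the caller's input becomes part
    of the SQL text, so any quote in it changes what the query means."""
    sql = "SELECT username, team FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The driver sends the value separately from the statement text, so the
    input is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, team FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_validated(conn, username):
    """Defence in depth: allow-list validation of the input's shape before it
    reaches the database, on top of parameterization."""
    if not username.isalnum() or len(username) > 32:
        raise ValueError("username must be 1-32 alphanumeric characters")
    return lookup_parameterized(conn, username)


def demo():
    """Run the same quote-bearing input through each variant and report."""
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input containing an embedded quote
    results = {
        "vulnerable": lookup_vulnerable(conn, probe),       # every row comes back
        "parameterized": lookup_parameterized(conn, probe),  # no such username
    }
    try:
        lookup_validated(conn, probe)
        results["validated"] = "accepted"
    except ValueError as exc:
        results["validated"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Parameterization is the primary control; the allow-list check in `lookup_validated` is the "proper validation" layer and also keeps malformed values out of logs and error messages.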

High-Severity Vulnerability Identified in Netgear Routers

Netgear has issued a security advisory about a high-severity pre-authentication buffer overflow vulnerability affecting several models of its routers, which could be exploited by an adversary to trigger a denial-of-service condition. The vulnerability is tracked as PSV-2019-0104 and has a CVSS v3 severity score of 7.4.

The vulnerability affects the company’s RAX40, RAX35, R6400v2, R6400v3, R6900P, R7000P, R7000, R7960P, and R8000P routers. Users should update the firmware as soon as possible to prevent exploitation of the flaw. The updated firmware versions are:

  • RAX40 + RAX35 – Version 1.0.2.60
  • R6400v2 + R6700v3 – Version 1.0.4.122
  • R6900P + R7000P – Version 1.3.3.152
  • R7000 – Version 1.0.11.136
  • R7960P + R8000P – Version 1.4.4.94


290 Hospitals Potentially Affected by Ransomware Attacks in 2022

Ransomware attacks continue to be conducted on healthcare organizations in high numbers but determining the extent to which healthcare organizations are being targeted by ransomware gangs is a challenge. Victims of ransomware attacks do not always report the incidents as involving ransomware, and ransomware gangs do not publicly disclose attacks when ransoms are paid.

The nature of the attacks conducted by ransomware gangs is also changing, with some ransomware gangs opting to conduct extortion-only attacks, where sensitive data is exfiltrated from networks and a ransom demand is issued to prevent its publication or sale, but malware is not used to encrypt files. The decision whether or not to encrypt appears to be taken on an attack-by-attack basis.

The cybersecurity firm Emsisoft tracks ransomware attacks and produces annual reports that provide insights into the extent to which ransomware is used in cyberattacks, but Emsisoft admits that it is difficult to produce reliable statistics. This year’s report shows more than 200 large organizations in the United States have been attacked in the government, education, and healthcare verticals. Attacks in the education sector have remained fairly consistent over the past 4 years with between 84 and 89 attacks conducted each year, as has the number of attacks on state and local governments – 105 in 2022 with an average of 102 attacks a year.

Compiling meaningful data on attacks on healthcare organizations has been particularly challenging because, while there are reporting requirements under HIPAA, it is not necessary to disclose the exact nature of the attacks or release details. For this reason, and due to the volume of reports, for the 2022 report Emsisoft did not compile data for healthcare organizations as a whole and instead focused on hospitals and multi-hospital health systems.

For the report, Emsisoft’s researchers compiled data from public breach notices, reports, dark web data leak sites, and from third-party intelligence, with its data confirming that at least 105 counties, 45 school districts, 44 universities, and 25 healthcare providers suffered ransomware attacks in 2022. The true figure is likely to be significantly higher due to the lack of detailed reporting.

Across all ransomware attacks and verticals, hackers stole data prior to using encryption in around half of the attacks, but data theft was much more common in ransomware attacks on hospitals. Out of the 24 confirmed attacks on hospitals, data theft occurred in 17 of those attacks (68%). Due to the lack of accurate data released by healthcare organizations and their business associates, it is not possible to definitively determine whether ransomware attacks have plateaued, are increasing, or declining. What is clear is that the healthcare sector continues to be targeted and a great many patients have been affected by the attacks.

Several of the attacks were conducted on multi-hospital health systems, with 290 hospitals across the country potentially affected by the attacks. That includes the 150 hospitals operated by CommonSpirit Health, which recently confirmed that the protected health information of 623,774 patients was compromised in the attack. CommonSpirit Health has recently confirmed that only a small number of the hospitals it operates were affected.

These attacks often result in the theft of patient data, which can negatively affect patients and put them at risk of identity theft and fraud, but the most serious consequences are to patient health. Studies have been conducted that indicate an increase in mortality following a ransomware attack and a negative impact on patient outcomes due to delays in receiving test results, postponed appointments, and canceled surgeries. While no deaths have been attributed to ransomware attacks, patient outcomes are affected by the delays in receiving treatment. Emsisoft draws attention to one attack that resulted in a computer system used for calculating medication doses being taken offline, which caused a 3-year-old patient to be given a massive overdose of pain medication.


HITRUST Cybersecurity Framework Gets 2023 Update

The information risk management, standards, and certification body, HITRUST, has announced that it will be releasing a new version of its popular cybersecurity framework this month. Version 11 of the HITRUST CSF includes several improvements to ensure the framework stays relevant, with improved mitigations against evolving and emerging cyber threats, while reducing the burden on healthcare organizations for certification.

The HITRUST CSF is a risk management and compliance framework that healthcare organizations can adopt to reduce the burden and complexity of achieving HIPAA compliance and effectively manage and reduce risks to private and confidential information, including protected health information (PHI). To better protect against emerging and evolving cyber threats, the new version of the HITRUST CSF enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls, appropriate for each level of assurance. Control mappings have been improved as has the precision of specifications, which reduces the level of effort required for HITRUST Certification. HITRUST says the updated version of the CSF reduces the effort required to achieve and maintain HITRUST Implemented, 1-year (i1) Certification over two years by up to 45%.

In the updated version, all HITRUST assessments are subsets or supersets of each other, which means organizations can reuse the work in lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements and inheritance. HITRUST also says CSF v11 is fully integrated across Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform, and that it is collaborating with various partners and healthcare organizations to introduce advanced capabilities to improve clarity on compliance requirements.

The new HITRUST CSF also sees two new authoritative sources added – NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards – and AI-based standards development capabilities have been developed to aid its assurance experts in mapping and maintaining authoritative sources. The latter will reduce mapping and maintenance efforts by up to 70% and will make it easier to add more authoritative sources in future releases.

“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders,” said Andrew Russell, VP of Standards, HITRUST. “The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort.”


How to Secure Patient Information (PHI)

The issue of how to secure patient information and PHI is challenging because HIPAA does not require all patient information to be secured. Additionally, if Protected Health Information (PHI) is secured too much, it can prevent the flow of information needed to perform treatment, payment, and healthcare operations efficiently.

To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI. The easiest way to do this is by defining PHI first, because any remaining information relating to a patient that is not PHI does not need to be secured under HIPAA – although other privacy and security laws may apply.

What is PHI? And What is Not PHI?

The Administrative Simplification Regulations define PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:

“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”

These definitions suggest any information that does not relate to a patient’s condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.

Individually identifiable health information protected by the privacy and security standards is maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. Therefore:

  • “Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
  • If Mr. Jones’ address, the name of his wife, and their telephone number are added to the designated record set, it is also PHI.
  • However, if a separate record of Mr. Jones’ wife and telephone number is maintained outside the designated record set (i.e., for contact purposes) it is not PHI because the separate record does not contain any health information.

In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn’t make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.

How to Secure Patient Information that is PHI

To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in a fortress-like environment, whereas the Privacy Rule allows “permissible” uses and disclosures for a variety of reasons. Therefore, although it is important to apply access controls to ensure only authorized personnel can use or disclose PHI, it is not necessary for PHI to be “secured” in that sense.

With regard to electronic PHI (ePHI), Covered Entities and Business Associates have to take greater care about how it is protected because healthcare data is highly sought after by cybercriminals. Consequently, many compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:

  • A firewall to prevent unauthorized access to networks and data
  • A spam filter to block malicious emails harboring malware
  • A web filter to prevent staff accessing malicious websites
  • An antivirus solution to detect malware from other sources
  • Data encryption on all workstations and portable devices
  • Encryption to protect data in transit – encrypted email for instance
  • An intrusion detection system that monitors for irregular network activity
  • Auditing solutions that monitor for improper accessing of PHI
  • Disaster recovery controls to ensure continued access to data in the event of an emergency
  • Extensive backups to ensure PHI is recoverable in the event of an emergency
  • Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
  • Security awareness and anti-phishing training for all members of the workforce
  • Physical controls to prevent data and equipment theft
  • Good patch management policies to ensure software is kept up to date and free from vulnerabilities

Informing Patients that Health Information is Protected

Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves with healthcare providers.

Having more information about a patient’s condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can reflect in higher satisfaction scores from patients and their families.

Informing patients that health information is secured doesn’t have to go into details – a few lines of text added to a Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account by an investigation into the data breach.

How to Secure Patient Information FAQs

What privacy and security laws apply other than HIPAA?

Many states now have privacy and/or data security laws with stronger patient protections than HIPAA. Some laws may only apply to certain types of data (e.g., Illinois’ Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (e.g., Texas’ Medical Records Privacy Act).

What can happen if you secure too much information?

Securing too much information can negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones’ wife urgently but cannot access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.

Not only will the lack of access result in a delay in contacting Mr. Jones’ wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call – an unnecessary waste of resources.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA Covered Entities and Business Associates have to comply with – i.e., the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Department of Health and Human Services has compiled an unofficial version of the text here.

What are the permissible uses and disclosures of PHI?

The permissible uses and disclosures allowed by the Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.

How can a patient check health information is being protected?

Patients can request an accounting of disclosures from their health plan or healthcare provider which should list the times when PHI has been disclosed for purposes other than those permitted by the Privacy Rule in the previous six years. Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization’s HIPAA compliance.


HPH Sector Warned About Threat of DDoS Attacks by Pro-Russian Hacktivist Group

The healthcare and public health (HPH) sector has been warned about the risk of cyberattacks by a pro-Russian hacktivist group dubbed KillNet, following a recent attack on a U.S. healthcare organization. KillNet is believed to have started operating around the time that Russia invaded Ukraine, between January and March 2022. Since then, the hacktivist group has targeted government institutions and private sector organizations in countries that are providing support to Ukraine, especially NATO countries.

KillNet primarily conducts distributed denial of service (DDoS) attacks. DDoS attacks involve flooding servers and websites with thousands of connection requests from compromised devices to deny access to legitimate users of those servers and websites. These attacks can last for several hours or even days, during which time the servers and websites run slowly or become unreachable; prolonged attacks can cause outages lasting several days. Generally, these attacks do not cause any major damage to hardware.
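Because a DDoS flood arrives as ordinary-looking requests spread across many sources, a per-source threshold alone will miss it. The added example below, which is not from HC3's analyst note and not part of the original post, parses constructed common-log-format lines and applies two complementary checks: a per-source rate limit that catches a single noisy address, and an aggregate per-window check that catches a distributed flood of many addresses each sending only a few requests. The IP addresses are from documentation ranges and the thresholds are hypothetical defaults a team would tune against its own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common log format: "<ip> - - [<timestamp>] "<request>" <status> <size>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, datetime) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def build_sample_log():
    """Constructed access log: 10 s of normal traffic, then a single-source
    flood, then a distributed flood from 80 addresses sending 3 requests each."""
    lines = []

    def fmt(ip, second, path="/patient-portal"):
        ts = f"10/Jan/2023:10:00:{second:02d} +0000"
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    for s in range(10):                       # seconds 0-9: two ordinary clients
        lines.append(fmt("198.51.100.9", s))
        lines.append(fmt("198.51.100.10", s))
    for i in range(60):                       # seconds 10-19: one loud source
        lines.append(fmt("203.0.113.7", 10 + i % 10))
    for i in range(80):                       # seconds 20-29: many quiet sources
        for j in range(3):
            lines.append(fmt(f"192.0.2.{i + 1}", 20 + (i + j) % 10))
    return lines


def _bucket(ts, window_seconds):
    return int(ts.timestamp()) // window_seconds


def find_flooding_sources(lines, window_seconds=10, per_source_threshold=50):
    """Per-source check: addresses exceeding the threshold in any window,
    mapped to the peak count observed."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts = parsed
            counts[(ip, _bucket(ts, window_seconds))] += 1
    flagged = {}
    for (ip, _), n in counts.items():
        if n > per_source_threshold:
            flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def find_distributed_floods(lines, window_seconds=10, baseline_per_window=20,
                            factor=5, min_sources=20):
    """Aggregate check: windows whose total request count is far above the
    baseline AND comes from many distinct sources (the distributed pattern
    that slips under a per-source threshold)."""
    totals, sources = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts = parsed
            b = _bucket(ts, window_seconds)
            totals[b] += 1
            sources[b].add(ip)
    alerts = []
    for b in sorted(totals):
        if totals[b] > baseline_per_window * factor and len(sources[b]) >= min_sources:
            start = datetime.fromtimestamp(b * window_seconds, tz=timezone.utc)
            alerts.append({"window_start": start.isoformat(),
                           "requests": totals[b],
                           "distinct_sources": len(sources[b])})
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source:", find_flooding_sources(log))
    print("distributed:", find_distributed_floods(log))
```

Run against the constructed log, the per-source check flags only `203.0.113.7`, while the distributed flood in the third window is caught only by the aggregate check; in practice the baseline would be derived from the organization's own traffic history rather than a fixed constant.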

Members of the group have threatened to target organizations in the U.S. healthcare sector in response to the U.S. policy of providing support to Ukraine. Those threats include cyberattacks, data theft, and the publication of the health data of Americans. In December 2022, KillNet claimed responsibility for a cyberattack on a large U.S. healthcare organization that provides healthcare to members of the U.S. military and claims to have stolen a large amount of user data.

Members of the group have threatened to conduct attacks on organizations in other countries if their demands are not met. For instance, in response to the arrest of a suspected member of the KillNet group in Romania in May 2022, a member of the group threatened to target the UK Ministry of Health and claimed attacks would be conducted on life-saving ventilators in British hospitals.

The Health Sector Cybersecurity Coordination Center (HC3) says the group has a tendency to exaggerate, so any claims made by the group should be taken with a pinch of salt. HC3 says it is possible that some of the claims made by members of the group have been to garner attention from the public and across the cybercriminal underground. That said, the group is considered to be a threat to government and critical infrastructure organizations, including organizations in the HPH sector. HC3 has suggested some practical steps for HPH sector organizations to take to mitigate the risk of DDoS attacks, which are detailed in the KillNet Analyst Note.


Medical Device Cybersecurity Provisions Included in Omnibus Appropriations Bill

The text of a $1.7 trillion omnibus appropriations bill has been released by the House and Senate Appropriations Committees which, if passed, will ensure that the government remains funded until September 30, 2023. The Senate has already started debating the bill and the House is due to consider the bill this week. The bill must be signed by the president on Friday this week, when government funding is set to expire.

The 4,155-page bill includes many healthcare provisions that will help hospitals and health systems provide better care for patients. These include the prevention of the 4% Medicare PAYGO cuts to providers, financial support for rural hospitals to ensure they can continue to operate, measures to help states prepare for Medicaid eligibility changes when the COVID-19 Public Health Emergency comes to an end, and extensions and expansions of telehealth flexibilities until December 31, 2024. This will help to ensure that telehealth and hospital-at-home programs can continue to provide convenient and accessible medical treatment for patients. The bill will also provide funding for essential behavioral health programs and several provisions that will help to increase the healthcare workforce.

The bill proposes $120.7 billion in funding for the Department of Health and Human Services, increasing HHS funds by a further $9.9 billion from last year. Funding for the Centers for Medicare and Medicaid Services will increase by $100 million, the National Institutes of Health will receive an additional $2.5 billion to focus on research on a range of diseases and medical conditions, the Centers for Disease Control and Prevention will receive a further $760 million, primarily to fund fundamental public health activities and emergency preparedness, and the Substance Abuse and Mental Health Services Administration will receive an additional $970 million for mental health programs and for expanding access to its services.

In September, the Food and Drug Administration (FDA) appropriations bill was passed to ensure the FDA continued to be funded, but in order for the bill to be passed, the FDA was forced to drop its proposed medical device cybersecurity requirements, many of which were taken from The Protecting and Transforming Cyber Health Care (PATCH) Act. Those requirements were blocked by the Senate Republican leadership.

There is good news in this regard, as the omnibus appropriations bill includes new requirements for medical device manufacturers to ensure that their devices meet certain minimum standards for cybersecurity. Those requirements will take effect 90 days after the bill is enacted. These include submitting a plan to the Secretary of the FDA to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures, and they must ensure their devices and associated systems are secure and must release postmarket software and firmware updates and patches. Medical device manufacturers will also be required to provide a Software Bill of Materials (SBOM) to the Secretary of the FDA that includes all off-the-shelf, open source, and critical components used by the devices.

The bill calls for the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days, and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities, and how federal agencies can strengthen coordination to improve the cybersecurity of devices.

HIPAA called for the creation of a unique patient identifier (UPI), but funding has not been provided to date. The appropriations bill continues to prohibit funding for a national patient identifier, even though a UPI would help to ensure that patients can be accurately linked with the correct medical records.

The post Medical Device Cybersecurity Provisions Included in Omnibus Appropriations Bill appeared first on HIPAA Journal.

Most Important Factors for Improving Cyber Resilience

Cyberattacks have increased in volume and sophistication to the point where every healthcare organization will, at some point, experience a successful attack. Healthcare organizations can hope for the best, but it is vital to plan for the worst and take steps to keep the resulting damage to a minimum. A major focus for security teams, in addition to reducing risks, is improving cyber resilience: the ability of an organization to continue to operate during a cyberattack and to recover from it quickly.

A recent survey by Cisco indicates executives are aware of the importance of cyber resilience, with 96% of respondents saying cyber resilience is a high priority, and deservedly so, since 62% of respondents said their organization had experienced a security breach in the past two years – a combination of data breaches (51.5%), network/system outages (51.1%), ransomware attacks (46.7%), and DDoS attacks (46.4%). These attacks had severe repercussions for the breached entities, causing disruption to IT systems, communications, supply chains, and internal operations, with four out of 10 breached organizations saying they suffered lasting brand damage.

While the main goal in cybersecurity is still to prevent attacks from occurring, it must be assumed that this will not always be possible given the rapidly evolving threat landscape. The cyber resilience lifecycle can be split into six elements: identify, protect, detect, respond, recover, and anticipate. It is important for healthcare organizations of all sizes to address these elements to improve their cyber resilience, and Cisco has identified the elements that matter most for success.

For Cisco’s Security Outcomes Report, Volume 3: Achieving Security Resilience, a methodology was developed for scoring organizations on cyber resilience that allowed the researchers to identify seven key factors that are critical to success. All seven of these factors were present in the 90th percentile of cyber resilient organizations and were all lacking in the bottom 10th percentile. They were:

  • Strong security support from the C-suite
  • Excellent security culture
  • Internal staffing and resources for incident response
  • Mostly on-premises or mostly cloud-based technology infrastructure
  • Mature zero trust
  • Advanced endpoint detection
  • Converging networking and security into a mature, cloud-delivered secure access services edge

Organizations with poor security support from the C-suite scored 39% lower than those with strong C-suite support. Organizations with a strong security culture, which can be built through regular workforce training, scored 46% higher than those lacking one. There was a 15% increase in resilient outcomes to security incidents when an internal team and resources were available for incident response. Interestingly, there was no difference in resilience scores between organizations with most of their technology infrastructure on-premises and those with most of it in the cloud, but those that were transitioning from on-premises to the cloud had scores reduced by between 8.5% and 14%, depending on how difficult their hybrid environments were to manage.

One of the best approaches to take to improve cyber resilience is to adopt zero trust. This approach to security assumes defenses have already been breached and makes it as hard as possible for malicious actors to move laterally within networks. Implementing zero trust is not a quick process, but its importance in healthcare is well understood. A recent Okta survey indicates 58% of healthcare organizations have started implementing zero-trust initiatives, and 96% of all surveyed healthcare respondents said they had either started implementing zero trust or plan to in the next 12-18 months. Guidance on implementing zero trust in healthcare was recently published by Health-ISAC.

Cisco reports that organizations with a mature zero-trust model had 30% higher cyber resilience scores on average than those that had none. The most significant boost came not from zero trust, but from advanced endpoint detection and response capabilities, which improved cyber resilience scores by 45%. Converging networking and security into a mature, cloud-delivered secure access services edge increased security resilience scores by 27%.

“The Security Outcomes Reports are a study into what works and what doesn’t in cybersecurity. The ultimate goal is to cut through the noise in the market by identifying practices that lead to more secure outcomes for defenders,” said Jeetu Patel, executive vice president and general manager of security and collaboration at Cisco. “This year we focused on identifying the key factors that elevate the security resilience of a business to among the very best in the industry.”

The post Most Important Factors for Improving Cyber Resilience appeared first on HIPAA Journal.