The majority of healthcare data breaches reported in the past few years are due to hacking incidents but many of these security incidents do not involve the exploitation of vulnerabilities in software and operating systems for initial access. Far more common is the exploitation of human vulnerabilities, where healthcare workers are tricked into providing cyber actors with access to internal systems and sensitive data. According to the Verizon 2024 Data Breach Investigations Report, more than two-thirds of breaches involve the human element rather than the exploitation of weaknesses and vulnerabilities in technology.

One of the most common methods used is phishing, where a cyber actor makes contact with a healthcare employee and convinces them to visit a malicious website where they are asked to enter their credentials or are convinced to download a malicious file, both of which give the cyber actor the access they need. With phishing, the initial contact is often via email, although an increasing number of phishing attacks are now occurring via SMS (smishing), instant messaging platforms, social media networks, and over the telephone (vishing).

Phishing usually involves deception and impersonation. A trusted individual, company, or institution is impersonated, and the targeted individual is provided with a seemingly legitimate reason for taking the requested action. This could be a request for collaboration on a report, a notification about a failed delivery, a missed payment of an invoice, or a security warning. There is often a threat of negative consequences if no action is taken, commonly a pressing matter such as impending loss of service, a significant charge that will soon be applied to an account, or unauthorized account access that warrants immediate steps to secure the account.

The techniques used in phishing are known as social engineering – manipulation, influencing, or deceiving someone into taking a certain action, which in cybersecurity terms involves gaining unauthorized access to computer systems, financial accounts, or sensitive data. While phishing is one of the best-known attack methods that uses social engineering techniques, cyber actors use social engineering in other types of attacks to achieve similar goals. There is baiting, where social engineering is used to trick someone into taking an action to obtain something of value, such as to be entered into a free prize draw or get an amazingly low purchase price on goods and services. In order to get what is promised, sensitive information must be disclosed such as credentials, a credit/debit card number, or personal information.

Advances in artificial intelligence (AI) technology have provided cyber actors with a new way of manipulating individuals – deepfakes. Deepfakes take impersonation and deception to a new level, where trusted individuals are impersonated via audio or video. Deepfakes of authority figures can be created that are incredibly realistic, using synthesized facial images and speech or manipulated videos, photos, and audio recordings to trick people into taking any number of actions. Deepfakes can even be created in real-time, such as impersonating a CEO in a call to a help desk to request credentials be reset or to add an attacker-owned device to receive multifactor authentication codes, or in Zoom meetings where the meeting participants are convinced they are conversing with the genuine person.

Social engineering is the subject of the October 2024 cybersecurity newsletter from the HHS’ Office for Civil Rights. In the newsletter, OCR explains how social engineering is used in attacks on healthcare organizations and how to identify and avoid social engineering attacks. The newsletter also explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities improve their defenses against social engineering and mitigate threats.

“Attackers have learned how to convincingly imitate our loved ones and our business partners, meaning that nothing can be assumed or taken at face value. Attackers continue to refine their manipulation through social engineering tradecraft. All of these threats have a common theme; they all attempt to convince an individual to do something they would not otherwise do normally, or to provide details such as credentials someplace other than where they should be used,” explained OCR in the newsletter. “Educating workforce members on these attacks is essential when it comes to an individual’s ability to identify and potentially halt social engineering attacks before they start. Such knowledge is powerful not only to protect individuals in their personal online activities, but also by extension an individual’s employer. This is especially important in the current environment where work is taken home on laptops, smartphones, and through remote work.”

The post OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks appeared first on The HIPAA Journal.

Ransomware groups target the healthcare sector because a successful attack gives them access to large amounts of sensitive data that can be easily monetized and used as leverage to get a ransom paid. Healthcare organizations are also heavily reliant on access to data to operate, therefore there is a higher probability that a ransom will be paid to regain access to encrypted data. Attacks on the sector are also increasing. According to Recorded Future, there were 358 ransomware attacks on healthcare organizations in 2023, a year-on-year increase of 46%.

A recent study by the cybersecurity firm Rubrik assessed the impact of ransomware attacks and found that attacks on healthcare providers impact more data than other industry sectors. Researchers at Rubrik Zero Labs determined that 20% of a healthcare organization’s sensitive data holdings are affected by a ransomware encryption event, compared to 6% in other industry sectors. That means 20% of healthcare data is encrypted, deleted, or stolen in an attack.

Healthcare organizations generally hold more sensitive data than other industry sectors. According to Rubrik’s analysis, healthcare organizations typically need to secure 50% more data than the global average, with healthcare organizations holding an average of 42 million sensitive data records compared to the global average of 28 million sensitive records.  The amount of data stored grows at a faster rate than other industries. In 2023, a typical healthcare organization saw its data estate grow by 27% compared to 23% for a typical global organization, and the number of sensitive data records in healthcare grew by 63% in the past year compared to the global average of 13%.

The data for Rubrik’s report – The State of Data Security: Measuring Your Data’s Risk – came from telemetry across the company’s customer base of 6,100 organizations and a study conducted by the Wakefield Research of more than 1,600 IT and security leaders. Across all industry sectors, 94% of IT security leaders said they had experienced a significant cyberattack in 2023, and an average of 30 attacks in the past year. One-third of IT security leaders said they had been affected by at least one ransomware attack, and 93% of organizations paid a ransom, with 58% of those paying to prevent the leaking of stolen data.

Dependence on the cloud is growing, with cloud architecture used to store 13 % of an organization’s data on average, compared to 9% the previous year. According to Rubrik’s telemetry, cloud storage has inherent risks as there are security blind spots. Rubrik reports that 70% of all cloud-stored data is in object storage, which typically has much lower security coverage than other areas. 88% of all data stored in object storage is not confirmed as machine-readable or is not covered by prominent security technologies and services, and more than 25% of object storage data is subject to regulatory or legal requirements, such as HIPAA.

“Despite the fallout of cyberattacks dominating headlines, data risk is an issue that continues to be murky — especially in terms of what security teams can actually change and what they cannot,” said Steven Stone, Head of Rubrik Zero Labs. “With this report, we aim to provide quantifiable insights that IT and security leaders can bring back to their organization to drive greater cyber resilience-in particular with their partners in the business and governance teams.”

The post Healthcare Ransomware Attacks Involve 20% of Stored Sensitive Data appeared first on HIPAA Journal.

The exploitation of vulnerabilities in software and operating systems is becoming far more common for initial access to networks, with phishing declining in prevalence, according to Mandiant’s M-Trends 2024 Report. Manidant, part of Google Cloud, is a leading provider of dynamic cyber defense, threat intelligence, and incident response services. The latest report is based on data from Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023, and December 31, 2023.

Exploited software vulnerabilities were the initial access method in 38% of intrusions investigated by Manidant, up 6% from 2022, with phishing used for initial access in 17% of incidents, down from 22% in 2022. Attackers are increasingly targeting edge devices and are exploiting a wide variety of vulnerabilities. In 2023, Mandiant identified 97 unique zero-day vulnerabilities being exploited in the wild, up 56% from 2022. The exploitation of zero day vulnerabilities used to be limited to a small number of threat actors, typically nation-state cyberespionage groups. While state-sponsored threat actors continue to target zero-day flaws, especially China-nexus threat actors, ransomware and data extortion groups are increasingly acquiring and utilizing 0days, helped by the rise of commercially available turnkey exploit kits.

Threat actors are combining exploits of zero-day flaws with living-off-the-land techniques, which involve native, legitimate tools within a system to allow them to maintain persistence for longer and avoid detection. One of the reasons for the decline in phishing as an initial attack vector is the widespread adoption of multifactor authentication (MFA). While MFA is effective at preventing phishing attacks, Mandiant has identified an increase in the use of web proxies and adversary-in-the-middle phishing pages that can steal credentials and login session tokens to bypass MFA. Defenses can be improved against these attacks by adopting phishing-resistant MFA.

Mandiant has also observed an increase in malware, with 626 new malware families identified in 2023, more than any other year to date. The most common malware families were backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%) and ransomware (5%). The industries most commonly targeted by threat actors were financial services (17%), business and professional services (13%), high technology (12%), retail and hospitality (9%), and healthcare (8%), with attacks increasingly targeting cloud environments, as more organizations transition to the cloud. The most likely reason for targeting these sectors is they store a wealth of sensitive information, including proprietary business data, personally identifiable information, protected health information, and financial records.

Mandiant’s data show that organizations are getting better at identifying intrusions. Last year, attackers were present in networks for a median of 10 days before the intrusions were detected, down from a median of 16 days in 2022. “Defenders should be proud, but organizations must remain vigilant. A key theme throughout M-Trends 2024 is that attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities,” Jurgen Kutscher, Vice President, Mandiant Consulting at Google Cloud, told The HIPAA Journal. “This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach.”

The post Threat Actors Increasingly Targeting Vulnerabilities for Initial Access appeared first on HIPAA Journal.

According to the Q1, 2024 ransomware report from the ransomware remediation firm Coveware, ransom payments have fallen to a record low with only 28% of victims opting to pay the ransom to recover files and/or prevent the exposure of stolen data. In Q1, 2019, more than 80% of victims of ransomware attacks paid the ransom, but the percentage has been steadily falling, with only 29% of victims paying up in Q4, 2023, and just 28% in Q1, 2024.

Coveware suggests several reasons for the decline in payments, including better preparation and more advanced protective measures that allow victims to recover files without having to pay the ransom, legal pressure on victims not to give in to demands, and growing distrust of ransom groups. There have been an increasing number of attacks where payment has been made only for the attackers to continue to leak data or trade stolen data with other groups. For instance, the recent Blackcat ransomware attack on Change Healthcare saw the operators pocket the $22 million ransom payment and not pay the affiliate, who switched to the RansomHub group, which started leaking the data to pressure Change Healthcare into paying another ransom payment.

Coveware also reports that the confidence of ransomware affiliates has been shaken by recent law enforcement operations against LockBit and BlackCat. While groups were able to recover from the takedowns, the operations demonstrated that ransomware groups are not beyond the reach of Western law enforcement agencies. Further, the actions of the groups following the attacks have not helped to restore affiliates’ confidence. Both groups have had public disputes with affiliates and refused to pay them their cut of the ransoms, and coupled with the risk of having their identities discovered by law enforcement, many have chosen to quit conducting attacks for those groups and potentially quit ransomware altogether.

Based on the attacks where Coveware has been engaged to assist with recovery, Akira is now the dominant group with a market share of 21%, followed by Blackbasta and Lockbit which each have a 9% share, medusa, Phobos, and BlackCat with 6%, and Rhysida, BlackSuit and Inc Ransom with a 4% market share. BlackBasta has returned to the list of top ransomware groups, which suggests that affiliates have been leaving BlackCat and Lockbit, while the increase in Phobos attacks suggests that some affiliates are choosing to set up their own operations.

There has been a trend for increasing ransom payments since 2019 and a sharp increase in payments in Q1, 2023; however, by Q3, 2024, ransom payments started to fall. That fall has continued, with Q1, 2024 seeing an average payment of $381,980, down 32% from the previous quarter. Median payments have been increasing slowly and jumped by 25% to $250,000 in Q1, 2024. This is due to ransomware groups demanding more reasonable payments to increase the likelihood of being paid.

The threat of publication of stolen data is often enough to get victims to pay up. 23% of victims who were only faced with the threat of publication of their data chose to pay the ransom in Q1; however, there is no guarantee that the stolen data will be deleted. The law enforcement disruption of LockBit confirmed that the group still held a lot of data from attacks where the victims had paid to have their data deleted. There have been several cases where payment has been made to one group, only for the data to be provided to another ransomware group for re-extortion.

Coveware tracks the ransomware vectors used to gain initial access to networks; although that is becoming increasingly difficult, with the initial access vector unclear in more than 40% of Q1, 2024 attacks. Remote access compromise is the most common of the confirmed attack vectors, with software vulnerabilities and phishing both in decline. It is also common for multiple attack vectors to be used to achieve an extortion-level impact. While few sectors have escaped ransomware attacks, in Q1, 2024, healthcare was the worst affected industry, accounting for 18.7% of attacks, followed by professional services (17.8%), the public sector (11.2%), and consumer services (10.3%).

The post Only 28% of Ransomware Victims Choose to Pay Ransom appeared first on HIPAA Journal.

The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) have issued a joint cybersecurity advisory about the Akira ransomware operation, which has conducted more than 250 attacks and has been paid around $42 million in ransom payments. The group’s operators are highly skilled and are associated with the infamous Conti ransomware operation.

Akira is a relatively new ransomware group that emerged in April 2023 that mostly targets small- to medium-sized businesses and demands ransom payments from around $200,000 to millions of dollars. The group has attacked many verticals including finance, real estate, manufacturing, and healthcare. Attacks on healthcare targets prompted the Health Sector Cybersecurity Coordination Center to issue a Sector Alert about Akira ransomware in September 2023. The latest cybersecurity advisory from CISA and Partners shares information on the latest tactics, techniques, and procedures (TTPs) used by the group, updated indicators of compromise (IoCs), and recommended mitigations for network defenders.

Akira has been observed gaining initial access to victims’ networks through a Virtual Private Network (VPN) service without multifactor authentication, primarily through the exploitation of the Cisco vulnerabilities CVE-20203259 and CVE-2023-20269. The group also targets external facing services including Remote Desktop Protocol (RDP), abuses valid credentials, and conducts spear phishing attacks.

When a corporate network has been breached, the group moves laterally and attempts to obtain Windows domain credentials, then deploys ransomware to encrypt files. The group engages in double extortion tactics, stealing sensitive data from victims and demanding payment to prevent stolen data from being leaked and for the keys to decrypt files. Initially, the group only attacked Windows systems but has developed a Linux encryptor and now also targets VMware ESXi virtual machines. The group uses Kerberoasting techniques and Mimikatz to obtain credentials, LaZagne to help with privilege escalation, PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes, and FileZilla, WinRAR, WinSCP, and RClone for data exfiltration.

The cybersecurity advisory includes several recommended mitigations to prevent and reduce the impact of Akira ransomware attacks, some of the most important of which are ensuring that patches are applied to fix known exploited vulnerabilities – especially CVE-20203259 and CVE-2023-20269, enforcing phishing-resistant multifactor authentication across the organizations in particular for VPNs, webmail, and accounts linked to critical systems, and ensuring that software is kept up to date.

The post CISA & Partners Share New Threat Intelligence on Akira Ransomware appeared first on HIPAA Journal.

Exploitation of a recently disclosed zero-day vulnerability affecting Palo Alto Networks firewalls has grown since proof-of-concept exploits were released, and a previously recommended mitigation is ineffective at preventing exploitation of the flaw.

The vulnerability, tracked as CVE-2024-3400, is a command injection flaw in versions 10.2, 11.0, and 11.1 of the PAN-OS operating system that powers its firewalls. The vulnerability is thought to have been exploited since March 26, 2024, initially by a nation-state-affiliated group tracked as Operation MidnightEclipse; however, Palo Alto Networks has detected an additional 20 IP addresses attempting to exploit the flaw.

The vulnerability affects the GlobalProtect gateway or portal VPN feature on certain PAN-OS devices, and can be exploited by an unauthenticated attacker to execute arbitrary code with root privileges. The vulnerability has a maximum CVSS v3 severity score of 10. According to security researchers at Rapid7, the vulnerability is being exploited as part of an exploit chain, along with a second vulnerability that has yet to have a CVE assigned. The second vulnerability is a file creation vulnerability in the GlobalProtect web server.

Initially, Palo Alto Networks said PAN-OS firewalls are vulnerable to attack if GlobalProtect gateway and device telemetry are both enabled. Palo Alto Networks released an initial security advisory about the flaw on Friday, along with recommended mitigations. A secondary mitigation action suggested by Palo Alto Networks was disabling device telemetry; however, Palo Alto has now confirmed that the mitigation is no longer effective, as vulnerable firewalls do not need device telemetry to be enabled to be exposed to attacks.

According to SharowServer, around 156,000 vulnerable Palo Alto Networks devices are exposed to the Internet, although it is unclear how many of those devices have been patched. To remediate the vulnerability, customers should ensure a hotfix is applied. Rapid7 has confirmed that the hotfixes released by Palo Alto networks are effective at preventing the exploitation of CVE-2024-3400.

The hotfixes are PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later versions. On Thursday and Friday, Palo Alto Networks released hotfixes for other commonly deployed maintenance releases, as detailed in an updated HC3 Sector Alert from the Health Sector Cybersecurity Coordination Center (HC3).

The post Palo Alto Networks Updates Mitigations as Exploitation of 0Day Firewall Vulnerability Grows appeared first on HIPAA Journal.

An analysis of ransomware activity by GuidePoint Security’s Research and Intelligence Team (GRIT) shows a 55% year-over-year increase in active ransomware groups and an almost 20% increase in ransomware victims (1,024) compared to Q1, 2023.

According to Guidepoint Security’s Q1 2024 Ransomware Report, the industries most impacted by ransomware attacks were manufacturing, retail and wholesale, and healthcare. While there was a 7.4% increase in posted victims from February to March, there was a decline in attacks on healthcare organizations, which fell from 32 new additions to data leak sites in February to just 20 in March. There was a similar reduction in attacks on law firms, which decreased from 20 in February to 10 in March. In Q1, 2024, more than half of all victims (537 attacks) were based in the United States – The first time since Q2, 2023, that more than 50% of attacks were conducted in the US. The United Kingdom was the second most targeted country (60 attacks).

In Q1, 2023, GRIT identified 29 distinct, active ransomware groups whereas 45 groups were detected in Q1, 2024. The most active ransomware group in Q1, 2024 was LockBit. Even with the law enforcement disruption of the LockBit ransomware group in February 2024, LockBit retained the top spot claiming 219 victims in the quarter, although this was below the typical number of attacks the group conducts. Prior to the law enforcement operation that disrupted its operation on February 20, 2024, LockBit was averaging 3 attacks a day. From February 24 through the end of March, the group dropped to an average of 2 attacks a day. The group now appears to be back up to full speed, claiming 97 victims in March alone. The next most active group was Blackbasta which conducted 73 attacks in Q1, 2024, up 151% from the previous quarter, followed by Play with 71 attacks, down 37% from Q4, 2023. While the Qilin ransomware-as-a-service group conducted relatively few attacks (44) in 2023, it has increased activity considerably in 2024 claiming 34 victims in the quarter.

There has been significant law enforcement activity against ransomware groups in recent months. LockBit survived the attempted takedown by the Operation Cronos Task Force, which only caused a few days of severe disruption but ransomware attacks have been conducted at a lower volume in the weeks since. In late December, law enforcement disrupted the ALPHV/Blackcat ransomware group, which was the second most prolific ransomware group in 2023. The group responded by removing virtually all restrictions for affiliates and actively encouraged attacks on healthcare organizations until the attack on Change Healthcare, after which the group appeared to pocket the full ransom payment as part of an exit scam and shut down its operation.

Even with the disruption of LockBit and the ALPHV shutdown, there was still a 19.2% increase in reported victims in the quarter with a minimum of 50 victims added to data leak sites each week and a high of 125 victims posted one week in March. GRIT identified attempts by several groups to attract new affiliates in Q1, including the Medusa, Cloak, and RansomHub groups, which were advertising their RaaS operations on deep and dark web forums in January and February 2024, with RansomHub activity appearing to have increased in the weeks since. Three new ransomware groups emerged in Q1 – Killsec, Donex, and Redransomware. While these groups only conducted a small number of attacks (22) in March, activity is likely to increase. Attacks fell from 1,117 in Q4, 2023 to 1,024 in Q1, 2024, and with the shutdown of the ALPHV operation, Q2 may see attacks continue to decline; however, the affiliates who worked for ALPHV are likely to switch ransomware operations, with other groups likely to increase activity to fill the gap.

The post Ransomware Attacks Up 20% YoY with 55% Increase in Active Ransomware Groups appeared first on HIPAA Journal.