Healthcare Cybersecurity

October 2022 Healthcare Data Breach Report

October was the worst month of the year to date for healthcare data breaches, with 71 breaches reported and more than 6 million records breached. The first half of the year was looking like 2022 would see a reduction in healthcare data breaches; however, that is looking increasingly unlikely. In 2021, 714 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 594 data breaches were reported between January 1 and October 31, and with an average of 60 data breaches being reported each month, 2022 looks set to end with a similarly high number.

Across the 71 reported breaches, the protected health information of 6,242,589 individuals was exposed or impermissibly disclosed, with around half of that total coming from a single breach. So far this year, the records of 37,948,207 individuals have been exposed or impermissibly disclosed.

Largest Healthcare Data Breaches Reported in October

In October, 28 data breaches of 10,000 or more records were reported by HIPAA-regulated entities. The largest healthcare data breach reported in October – by some distance – was due to the use of Meta Pixel code on the website and patient portal of Advocate Aurora Health, which resulted in the impermissible disclosure of the PHI of up to 3 million patients to Meta/Facebook. Advocate Aurora Health was not alone. WakeMed Health and Hospitals reported a similar breach involving the PHI of 495,808 patients. Dozens of other healthcare providers have also used the code on their websites and lawsuits are mounting. Attorneys for Meta claim the company does not collect healthcare data without consent; however, U.S. District Judge William Orrick, who is presiding over a consolidated class action lawsuit against Meta over these impermissible disclosures, has expressed skepticism about those claims.

The data breach at SightCare Inc was due to a hacking incident at business associate USV Optical, a subsidiary of U.S. Vision, which also affected Nationwide Optometry. More than 700,000 records were compromised in the incident. The third largest breach of the month occurred at CorrectCare Integrated Health, Inc, which provides administrative services to healthcare providers that serve correctional facilities. A misconfiguration left a database exposed over the Internet, resulting in the exposure of the PHI of at least 612,490 inmates at correctional facilities across the country.

Two more eye care providers confirmed in October that they had been affected by the ransomware attack on their EHR vendor, Eye Care Leaders. The records of at least 3,649,470 patients are now known to have been compromised in that attack.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Description
Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Unauthorized Access/Disclosure | Website Code Passed Patient Information to Meta/Facebook
SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking/IT Incident | Hacking incident at business associate (USV Optical)
OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Hacking/IT Incident | Ransomware attack
WakeMed Health and Hospitals | NC | Healthcare Provider | 495,808 | Unauthorized Access/Disclosure | Website Code Passed Patient Information to Meta/Facebook
CorrectCare Integrated Health, Inc. | KY | Business Associate | 438,713 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet
Keystone Health | PA | Healthcare Provider | 235,237 | Hacking/IT Incident | Hacked network server
Louisiana Department of Public Safety and Corrections | LA | Healthcare Provider | 85,466 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health)
Urology of Greater Atlanta, LLC | GA | Healthcare Provider | 79,795 | Hacking/IT Incident | Hacking Incident (No information)
Nationwide Optometry, PC | AZ | Healthcare Provider | 73,073 | Hacking/IT Incident | Hacking incident at business associate (USV Optical)
Ascension St. Vincent’s Coastal Cardiology | GA | Healthcare Provider | 71,227 | Hacking/IT Incident | Ransomware attack
Valle del Sol, Inc. | AZ | Healthcare Provider | 70,268 | Hacking/IT Incident | Hacked network server
CorrectCare Integrated Health, Inc. | KY | Business Associate | 53,496 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet
FOREFRONT DERMATOLOGY, SC | WI | Healthcare Provider | 45,580 | Theft | Theft of an unencrypted portable electronic device at a business associate
VisionWeb Holdings, LLC | TX | Business Associate | 35,900 | Hacking/IT Incident | Compromised email accounts
University of Michigan/Michigan Medicine | MI | Healthcare Provider | 33,857 | Hacking/IT Incident | Compromised email accounts (phishing)
Aesthetic Dermatology Associates, PC | PA | Healthcare Provider | 33,793 | Hacking/IT Incident | Hacked network server
Choice Health Insurance LLC | SC | Business Associate | 32,064 | Hacking/IT Incident | Database exposed over the Internet (data theft confirmed)
PrimeCare Medical, Inc. | PA | Healthcare Provider | 22,254 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health)
Administrative Fund of the Detectives’ Endowment Association, Inc., Police Department City of New York | NY | Health Plan | 21,544 | Hacking/IT Incident | Compromised email accounts (Phishing)
Wenco Management, LLC Health and Welfare Benefit Plan | OH | Health Plan | 20,526 | Hacking/IT Incident | Compromised email accounts
Gateway Ambulatory Surgery Center | NC | Healthcare Provider | 18,479 | Hacking/IT Incident | Compromised email accounts (Phishing)
Alain A. Montiel, DDS | CA | Healthcare Provider | 17,157 | Theft | Theft of an unencrypted laptop
St Luke’s Health – Texas | TX | Healthcare Provider | 16,906 | Hacking/IT Incident | Compromised email accounts at business associate (Adelanto Healthcare Ventures)
Lifespire Services, Inc. | NY | Healthcare Provider | 15,375 | Hacking/IT Incident | Hacked network server
HH/Killeen Health System, LLC doing business as Seton Medical Center Harker Heights | TX | Healthcare Provider | 15,056 | Hacking/IT Incident | Compromised email accounts at an unspecified business associate
Massengale Eye Care | OK | Healthcare Provider | 15,000 | Hacking/IT Incident | Ransomware attack on a business associate (Eye Care Leaders)
Wisconsin Department of Health Services | WI | Health Plan | 12,358 | Unauthorized Access/Disclosure | Compromised email accounts
Somnia Pain Mgt of Kentucky | NY | Healthcare Provider | 10,848 | Hacking/IT Incident | Hacked network server

Causes of October 2022 Data Breaches

Across all industry sectors, ransomware attacks have decreased slightly this year; however, the healthcare industry continues to be a target for ransomware gangs, with Hive, LockBit 2.0, Lorenz, and the Venus ransomware gangs among those that are attacking healthcare organizations. According to Check Point Research, healthcare was the most targeted industry sector in Q3, 2022, and saw the second-highest percentage increase in attacks out of all industry sectors, with 60% more attacks than in Q3, 2021. The largest confirmed ransomware attack was on OakBend Medical Center, which saw half a million records compromised.

As has been the case for several months, hacking incidents outnumber all other types of data breaches. In October, 47 hacking incidents were reported – 66% of the month’s data breaches – and 2,025,704 records were exposed in those incidents. The average breach size was 43,100 records and the median breach size was 6,594 records. October saw an increase in unauthorized access/disclosure incidents, due in part to the data breach that occurred at CorrectCare Integrated Health that exposed the PHI of inmates of correctional facilities. 7 of the 17 reported unauthorized access/disclosure incidents were due to this incident. Unsurprisingly, given the 3 million-record data breach reported by Advocate Aurora Health, 66% of the breached records were due to unauthorized access/disclosure incidents. 4,145,396 records were compromised in these incidents. The average breach size was 243,847 records and the median breach size was 7,000 records.

There were 6 loss/theft incidents reported in October (4 theft, 2 loss), all but one of which involved portable electronic devices that had not been encrypted. 67,244 records were exposed or stolen across these incidents. The average breach size was 11,207 records and the median breach size was 1,396 records. There was also one incident involving the improper disposal of paperwork that contained the PHI of 4,245 patients.

The most common location of breached PHI was network servers due to the high number of hacking incidents. Email accounts are also commonly targeted, with 15 incidents reported in October that involved compromised email accounts. Good password management and multifactor authentication can significantly improve defenses against these attacks, although phishing attacks that bypass MFA are increasing. The increase in these attacks prompted CISA to issue guidance on implementing phishing-resistant MFA this month.

Healthcare Data Breaches by HIPAA-Regulated Entity Type

55 breaches were reported by healthcare providers in October; however, 11 of those data breaches occurred at business associates. 10 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 6 breaches. The chart below shows the breaches broken down by where they occurred rather than the entity that reported the data breach.

Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states, with New York the worst affected state with 11 reported breaches. This was due to a data breach at a New York-based management company that affected multiple anesthesiology service providers.

State | Number of Reported Data Breaches
New York | 11
Texas & Wisconsin | 5
Florida & New Jersey | 4
Arizona, California, Georgia, Kentucky, North Carolina, Pennsylvania & Virginia | 3
Delaware, Maryland & Oregon | 2
Colorado, Connecticut, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Nebraska, New Mexico, Ohio, Oklahoma, South Carolina & Washington | 1

HIPAA Enforcement Activity in October

No HIPAA enforcement actions were reported in October by the HHS Office for Civil Rights or state attorneys general.

The post October 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Feds Issue Warning to HPH Sector About Aggressive Hive Ransomware Group

The Hive ransomware-as-a-service (RaaS) operation first emerged in June 2021 and has aggressively targeted the health and public health sector (HPH) and continues to do so. From June 2021 until November 2022, the group conducted attacks on more than 1,300 organizations worldwide, generating more than $100 million in ransom payments.

Victims in the HPH sector include the public health system in Costa Rica, Partnership HealthPlan of California, Memorial Health System, Missouri Delta Medical Center, Southwell, Hendry Regional Medical Center, and Lake Charles Memorial Health System, with the latter currently recovering from the attack that occurred this month. The attacks put patient safety at risk and have forced hospitals to divert ambulances, cancel surgeries, postpone appointments, and close urgent care units.

On November 17, 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint alert to the HPH sector warning about the risk of attacks and shared Indicators of Compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) used by the group, along with recommended mitigations for blocking, detecting, and mitigating attacks.

Hive has sophisticated capabilities, engages in double extortion tactics, and publicly releases stolen data on its leak site when victims refuse to pay the ransom. The group has been known to reinfect victims that have attempted to recover without paying the ransom. As a RaaS operation, affiliates are recruited to conduct attacks on behalf of the gang for a cut of the ransom payments they generate, with the affiliates having areas of expertise for gaining access to victims’ networks.

The most common methods used for initial access are exploiting vulnerabilities in Remote Desktop Protocol (RDP) and other remote network connection protocols, compromising Virtual Private Networks (VPNs), conducting phishing attacks using malicious attachments, and exploiting unpatched vulnerabilities, including the CVE-2020-12812 vulnerability to access FortiOS servers, and the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473, CVE-2021-34523.

Once access to networks has been gained, the group identifies processes related to backups, antivirus/anti-spyware, and file copying, and terminates those processes. Volume shadow copy services are stopped and all existing shadow copies are deleted, and Windows event logs are deleted, specifically the System, Security, and Application logs. Prior to encryption, virus definitions are removed and all portions of Windows Defender and other common antivirus programs are disabled in the system registry, and sensitive data is exfiltrated using Rclone and the cloud storage service Mega.nz. The group operates a live chat service to engage with victims and has also been known to contact victims by phone and email to discuss payment. Ransom demands can be considerable, ranging from several thousand to millions of dollars.
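As an added, defender-side illustration of the pre-encryption behaviour described above (this is example code, not from the joint alert or from HIPAA Journal), the Python below classifies simplified Windows event records against those TTPs and correlates them per host. The JSON event schema, host names and timestamps are constructed for the example; the event IDs are the standard ones for a cleared Security log (1102), a cleared System log (104), Defender real-time protection being disabled (5001), and Sysmon registry-set (13) and process-creation (1) events.

```python
"""Correlate Hive-style pre-encryption behaviour across Windows event records.

Added example: the JSON event shape below is an assumed, simplified schema
(constructed for this demonstration), not a vendor log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one host shows the full sequence from the alert
# text (Defender disabled via the registry, Rclone executed, Security and
# System logs cleared); a second host shows a lone log clear.
SAMPLE_EVENTS = [
    r'{"ts":"2022-11-10T02:14:05","host":"HOSP-FS01","channel":"Microsoft-Windows-Sysmon/Operational","id":13,"target":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"}',
    r'{"ts":"2022-11-10T02:15:40","host":"HOSP-FS01","channel":"Microsoft-Windows-Windows Defender/Operational","id":5001}',
    r'{"ts":"2022-11-10T02:21:12","host":"HOSP-FS01","channel":"Microsoft-Windows-Sysmon/Operational","id":1,"image":"C:\\Users\\Public\\rclone.exe"}',
    r'{"ts":"2022-11-10T02:33:01","host":"HOSP-FS01","channel":"Security","id":1102}',
    r'{"ts":"2022-11-10T02:33:02","host":"HOSP-FS01","channel":"System","id":104}',
    r'{"ts":"2022-11-10T09:00:00","host":"HOSP-WS22","channel":"Security","id":1102}',
]


def classify(ev: dict):
    """Map one event to a Hive TTP label, or None if it matches no rule."""
    channel, eid = ev.get("channel", ""), ev.get("id")
    if channel == "Security" and eid == 1102:          # "The audit log was cleared"
        return "security_log_cleared"
    if channel == "System" and eid == 104:             # "The System log file was cleared"
        return "system_log_cleared"
    if channel.startswith("Microsoft-Windows-Windows Defender") and eid == 5001:
        return "defender_realtime_disabled"             # real-time protection disabled
    if channel.endswith("Sysmon/Operational"):
        target = ev.get("target", "").lower()
        if eid == 13 and "windows defender" in target and "disable" in target:
            return "defender_registry_tamper"           # Sysmon 13: registry value set
        if eid == 1 and ev.get("image", "").lower().endswith("\\rclone.exe"):
            return "rclone_execution"                   # Sysmon 1: process creation
    return None


def classify_line(line: str):
    """Convenience wrapper for a raw JSON line."""
    return classify(json.loads(line))


def correlate(lines, window=timedelta(minutes=60), min_ttps=2):
    """Raise one alert per host showing >= min_ttps distinct TTPs inside `window`.

    A single cleared log is noisy on its own; the combination with Defender
    tampering or Rclone on the same host in a short period is what makes the
    Hive pattern stand out.
    """
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), label))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            labels = {label for t, label in hits[i:] if t - start <= window}
            if len(labels) >= min_ttps:
                alerts.append({"host": host, "first_seen": start.isoformat(),
                               "ttps": sorted(labels)})
                break  # one alert per host is enough to open an investigation
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```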

Healthcare organizations are urged to read the joint security alert, monitor their systems using the provided IoCs, harden defenses against the identified TTPs, and implement the recommended mitigations.


Healthcare Sees 60% YoY Increase in Cyberattacks

There was a global increase in cyberattacks in Q3, 2022, with attacks rising by 28% compared to the corresponding period last year. Attacks are now occurring at a rate of 1,130 per week, on average, according to Check Point Research.

Education was the most extensively targeted sector in Q3, experiencing an 18% rise in attacks, followed by government/military which saw a 20% increase. Healthcare was the third most targeted sector with an average of 1,426 attacks per month, but saw the second highest percentage increase in attacks, increasing by 60% from 2021. Healthcare also experienced the highest number of ransomware attacks out of any sector in Q3, with 1 in 42 healthcare organizations experiencing an attack – a 5% increase from Q3, 2021. This was despite an 8% global fall in ransomware attacks in Q3.

While the number of attacks has increased compared to last year, it appears that the attacks are starting to plateau, as the percentage increase is nowhere near as sharp as in 2021. Check Point suggests that this could be due to the increased investment in cybersecurity by enterprises, and the increased focus of governments on pursuing hackers and ransomware gangs and bringing them to justice.

“Hackers and attack groups have gained momentum and confidence, luring and attacking what seems to be endless targets around the globe,” wrote the researchers. In Q3, several major attacks were reported, including a cyberattack on the second largest school district in the United States – LA Unified School District. Australia has also seen more than its fair share of attacks, having experienced one of the largest data breaches in the country’s history – the attack on the telecoms company Optus, which was closely followed by a ransomware attack on Medibank – the largest health insurer in the country. The ANZ (Australia and New Zealand) region saw the highest percentage increase in cyberattacks in Q3, with a 72% increase, followed by North America, which saw a 47% increase in cyberattacks to an average of 849 attacks on organizations per week.

The increase in attacks shows how important it is to invest in cybersecurity and continuously assess and improve defenses. Check Point recommends focusing on prevention and ensuring that cybersecurity best practices are followed, rather than concentrating on threat detection once networks have been breached.

Many of these cyberattacks targeted employees, with phishing one of the most common ways that threat actors gain initial access to networks and spread ransomware and malware. It is important to ensure that employees receive adequate training, which should be provided frequently to reinforce cybersecurity best practices and train employees how to recognize and avoid threats such as phishing. Modern email filtering solutions should also be deployed that are capable of behavioral analysis of attachments to identify zero-day malware threats, through sandboxing technology. Healthcare organizations should also consider signing up for real-time threat intelligence, which can help to actively guard against zero-day phishing campaigns, as well as employ URL filtering to block access to known malicious websites.

Vulnerabilities are commonly exploited and it can be difficult for security teams to keep on top of patching and software updates. Prioritizing patching is vital to ensure that the most serious vulnerabilities are addressed first. CISA has recently published a methodology that can be adopted for improving patch management efficiency. In healthcare especially, anti-ransomware technology should be deployed that can rapidly detect signs of ransomware and uncover running mutations of known and unknown malware families by using behavioral analysis and generic rules.


FDA, MITRE Update Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

In the event of a cyberattack that impacts the functionality of medical devices, a rapid and effective response is essential to ensure patient safety and the continuity of clinical operations. While healthcare organizations have practiced protocols that can be implemented immediately in the event of a natural disaster such as a hurricane, they tend to be less well prepared to deal with cybersecurity incidents. Earlier this month, Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, published a white paper – Cybersecurity is Patient Safety – highlighting this problem, which he said is due to an outdated mode of thinking, where cybersecurity is viewed as a secondary or tertiary concern, and that is something that needs to change.

The key to a rapid recovery from a cyberattack is preparedness. Healthcare organizations need to treat cyberattacks as a primary concern and ensure they have a tried and tested plan for responding to attacks, and protocols that can be implemented immediately when a cyberattack is detected. Following the WannaCry ransomware attacks in 2017, which caused massive disruption to clinical operations at several U.S. healthcare organizations, the Food and Drug Administration (FDA) asked MITRE to develop a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook to help hospitals and healthcare delivery organizations (HDOs) develop a cybersecurity preparedness and response framework.

According to MITRE, “[The playbook] supplements HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents.” Since the playbook was published in 2018, cyberattacks on the healthcare sector have continued to increase in number and sophistication. From the middle of 2020 to the end of 2021, 82% of healthcare systems reported a cyber incident, and 34% of those incidents were ransomware attacks. Those attacks were often sophisticated and impacted multiple IT systems, resulting in widespread disruption to business operations, and in many cases that disruption continued for weeks or months.

In light of the increase in cyberattacks and the changing threat landscape, the FDA contacted MITRE to reach out to stakeholders to identify gaps in the playbook, challenges, and additional resources that had become available since the original publication of the playbook. An updated version of the playbook has now been released.

The playbook focuses on preparedness and response for medical device cybersecurity issues that impact medical device functions, with the updated version emphasizing the importance of having a diverse team participating in cybersecurity preparedness and response exercises. Cyberattacks impact many individuals, so it is important that those individuals participate in preparedness exercises, including clinicians, healthcare technology management professionals, the IT team, emergency response, and risk management and facilities staff.

Version 2.0 of the playbook highlights considerations for widespread impacts and extended downtimes that are common following ransomware attacks, which benefit from the use of regional response models and partners. MITRE has also added a resource appendix that makes it easier to find tools, references, and other resources to help healthcare organizations prepare for and respond to medical device cybersecurity incidents, including ransomware attacks.

In addition to the updated Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, a Playbook Quick Start Companion Guide has also been released, which is a shorter version of the playbook that discusses preparedness and response activities that health care organizations might want to start when developing their medical device incident response program.

It may not be possible to prevent cyberattacks, but by preparing and practicing the incident response, the severity of those attacks and the impact they have on clinical operations can be greatly reduced.


CISA Releases Decision Tree Methodology for Assessing and Remediating Software Vulnerabilities

CISA has issued a decision tree methodology that can be adopted by healthcare organizations to help them develop an efficient and effective vulnerability management program.

The Importance of an Efficient Patch Management Program

When it comes to vulnerability management, the best practice is to patch promptly. When software updates and patches are released, they should be applied as soon as possible to prevent bad actors from exploiting the flaws. In practice, promptly patching every vulnerability is a major challenge given the sheer number of patches and software updates being released, and it is not always wise, as vulnerabilities are not all equal. Some are much more likely to be exploited than others, and the impact of successful exploitation can vary considerably. IT teams therefore need to prioritize patching and deal with critical and actively exploited vulnerabilities first.

Healthcare organizations with mature vulnerability management programs are more likely to have efficient processes for vulnerability management. They will assess the severity of each vulnerability, the impact exploitation of the vulnerability will have, and whether the vulnerability is being actively exploited or a proof-of-concept (PoC) exploit is in the public domain, and from that determine the likelihood of the vulnerability being exploited. After assessing each vulnerability, they can then effectively prioritize patching. Smaller healthcare organizations may struggle with assessing and prioritizing patching, and the consequences of getting things wrong can be severe. Important updates may be missed, which leaves the door wide open for hackers.

A Decision Tree Method for Assessing and Remediating Software Vulnerabilities

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help organizations prioritize patching and shared a Stakeholder-Specific Vulnerability Categorization (SSVC) vulnerability management methodology that can be adopted to ensure vulnerabilities are accurately assessed, allowing remediation efforts to be prioritized.

CISA Executive Assistant Director (EAD) Eric Goldstein explained in a recent blog post that there are three key steps needed to advance the vulnerability management ecosystem. They are:

1) To introduce greater automation into vulnerability management.

2) To make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of the Vulnerability Exploitability eXchange (VEX).

3) To help organizations more effectively prioritize vulnerability management resources through the use of SSVC, including prioritizing vulnerabilities based on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The SSVC system was developed by CISA and the Software Engineering Institute (SEI) at Carnegie Mellon University, with CISA then developing its own custom version of the SSVC for assessing and addressing vulnerabilities that affect government and critical infrastructure organizations.

The SSVC can be used by organizations to assess vulnerabilities based on five values: The exploitation status (is it currently being exploited), the technical impact (how serious is the vulnerability), whether the vulnerability is automatable, the mission prevalence, and the public well-being impact. Vulnerabilities can then be categorized into one of four categories:

  • Track – No immediate action is required, but the vulnerability should be tracked and reassessed if further information becomes available, with the vulnerability updated within standard timeframes.
  • Track* – No immediate action is required, but there are characteristics that require closer monitoring for changes. These vulnerabilities should be remediated within standard time frames.
  • Attend – The vulnerability requires attention from the organization’s internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability and potentially publishing a notification internally and/or externally. The vulnerability needs to be remediated sooner than standard update timelines.
  • Act – The vulnerability requires attention from the organization’s internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability and publishing a notification either internally and/or externally. Internal groups would meet to determine the overall response and then execute agreed-upon actions, with the vulnerability remediated as soon as possible.

CISA recommends using the SSVC alongside CISA’s Known Exploited Vulnerabilities (KEV) Catalog, the Common Security Advisory Framework (CSAF) machine-readable security advisories, and the Vulnerability Exploitability eXchange (VEX). When these are all used together, the window cyber threat actors have to exploit networks will be significantly reduced.
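To make the decision-tree idea concrete, the Python below (an added example, not CISA's or SEI's published tree) takes the five decision values listed above, treats membership in a KEV-style catalog as proof of active exploitation, and returns one of the four outcomes. The branch thresholds and the way mission prevalence and public well-being are folded into one level are illustrative assumptions; the sample catalog reuses the CVE ids named in the Hive alert above, and the `CVE-EXAMPLE-*` ids and all vulnerability attributes are constructed.

```python
"""SSVC-style decision tree triage with a KEV lookup (added example).

The mapping from decision values to Track / Track* / Attend / Act below is an
illustrative simplification, not CISA's published decision table.
"""
from dataclasses import dataclass

# Most urgent first, matching the four outcomes described in the text.
PRIORITY = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}

# Constructed stand-in for the KEV catalog: the CVE ids named in the Hive alert.
SAMPLE_KEV = {"CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"}


@dataclass
class Vuln:
    cve: str
    exploitation: str        # "none" | "poc" | "active"
    technical_impact: str    # "partial" | "total"
    automatable: bool
    mission_prevalence: str  # "minimal" | "support" | "essential"
    public_wellbeing: str    # "minimal" | "material" | "irreversible"


def mission_wellbeing(prevalence: str, wellbeing: str) -> str:
    """Collapse the two organisational inputs into one level (assumed table)."""
    if prevalence == "essential" or wellbeing == "irreversible":
        return "high"
    if prevalence == "support" or wellbeing == "material":
        return "medium"
    return "low"


def exploitation_status(v: Vuln, kev: set) -> str:
    """KEV membership overrides whatever the scanner reported: it is being exploited."""
    return "active" if v.cve in kev else v.exploitation


def ssvc_decision(v: Vuln, kev: set = SAMPLE_KEV) -> str:
    expl = exploitation_status(v, kev)
    mw = mission_wellbeing(v.mission_prevalence, v.public_wellbeing)
    if expl == "active":
        # Active exploitation of something mission-critical and total/automatable: Act.
        if mw == "high" and (v.technical_impact == "total" or v.automatable):
            return "Act"
        if mw == "low" and v.technical_impact == "partial" and not v.automatable:
            return "Track"
        return "Attend"
    if expl == "poc":
        if mw == "high":
            return "Attend"
        if mw == "medium" and (v.automatable or v.technical_impact == "total"):
            return "Track*"
        return "Track"
    # No known exploitation: only high mission/well-being impact escalates.
    if mw == "high" and v.automatable:
        return "Attend"
    if mw == "high" and v.technical_impact == "total":
        return "Track*"
    return "Track"


def triage(vulns, kev=SAMPLE_KEV):
    """Return (cve, decision) pairs ordered most urgent first."""
    decided = [(v.cve, ssvc_decision(v, kev)) for v in vulns]
    return sorted(decided, key=lambda d: PRIORITY[d[1]])


# Constructed sample inventory; the attributes are assumptions for the demo,
# not real assessments of these CVEs.
SAMPLE_VULNS = [
    Vuln("CVE-2021-34473", "none", "total", True, "essential", "material"),  # in KEV -> active
    Vuln("CVE-EXAMPLE-0001", "poc", "partial", False, "minimal", "minimal"),
    Vuln("CVE-EXAMPLE-0002", "none", "total", True, "support", "irreversible"),
    Vuln("CVE-EXAMPLE-0003", "poc", "total", True, "support", "minimal"),
]

if __name__ == "__main__":
    for cve, decision in triage(SAMPLE_VULNS):
        print(f"{decision:7} {cve}")
```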

The SSVC and the guide on usage can be viewed here.


HC3 Sounds Alarm About Venus Ransomware

The Health Sector Cybersecurity Coordination Center (HC3) has recently shared details of the tactics, techniques, and procedures associated with Venus ransomware attacks, and has made several recommendations on mitigations that healthcare organizations can implement to improve their defenses against attacks. Venus ransomware, aka GOODGAME, is a relatively new threat, having first been identified in mid-August 2022; however, the ransomware has been used globally in attacks and there are now submissions of the ransomware variant every day.

While the threat group is not known to specifically target the healthcare sector, there has been at least one attack on the healthcare industry in the United States. The primary method of initial access, as is the case with several ransomware groups, is exploiting publicly exposed Remote Desktop services, including Remote Desktop on standard and non-standard TCP ports, to gain access to and encrypt Windows devices.

Once access has been gained, the ransomware will attempt to terminate 39 processes associated with database servers and Microsoft Office applications. Event logs will be deleted along with Shadow Copy Volumes, and Data Execution Prevention will be disabled on compromised endpoints. Files are encrypted using AES and RSA algorithms, and encrypted files have the .venus extension, with a goodgamer filemarker and other information added to the file.

The threat actor claims to download data before encrypting files, although no data leak site has been associated with the group. This also does not appear to be a ransomware-as-a-service operation, although based on the number of attacks and IP addresses associated with the group, it appears to consist of several individuals.

Since publicly exposed Remote Desktop/RDP is attacked, healthcare organizations should ensure these services are protected by a firewall. Windows 11 users will be protected against brute force attacks to some degree, as login attempts are automatically limited. For other Windows versions, rate limiting should be implemented, as this will limit the number of attempts an attacker can make to try to connect to Remote Desktop services. Strong, unique passwords should be set for Remote Desktop services, multi-factor authentication (MFA) should be enforced, and organizations should consider placing RDP behind a Virtual Private Network (VPN).

The damage caused by a successful attack can be greatly limited by implementing network segmentation, and best practices should be followed for data backups – the 3-2-1 approach is recommended: create one primary backup and two copies, store the backups on at least 2 different media, with one copy stored securely offsite. Backups should ideally be encrypted, and certainly password-protected, and should not be accessible from the system where the data resides.

While these attacks target Remote Desktop services, security measures should be implemented to protect against other attack vectors such as email and the exploitation of software vulnerabilities. Ensure an email security solution is in place, consider adding a banner to emails from external sources, disable hyperlinks in emails, provide regular security awareness training to the workforce, ensure patches are applied promptly, make sure the latest version of software is installed, and ensure that administrator access is required to install software. Antivirus software should also be installed on all endpoints.

Further information can be found in the HC3 Venus Ransomware Analyst Note.


The Riskiest Connected Devices in Healthcare

The number of connected devices being used in hospitals continues to grow and while these devices can improve efficiency, safety, and patient outcomes, they have also substantially increased the attack surface, and many of these devices either lack appropriate security features or are not correctly configured.

According to a recent Microsoft-sponsored study by the Ponemon Institute into the current state of IoT/OT cybersecurity, 65% of organizations said their IoT/OT devices were one of the least secured parts of their networks, with 50% reporting an increase in attacks on IoT/OT devices. 88% of respondents said they have IoT devices that are accessible over the Internet, and 51% have OT devices accessible over the Internet. Cybercriminals are increasingly attacking these devices as they are a weak point that can be easily exploited. These devices are the target of malware, ransomware, and are among the main initial access points for malicious actors.

In 2020, Forescout analyzed the types of devices used in enterprise networks to determine which pose the highest risk, and this month it published an updated version of the report. Most of the devices that were rated high risk remain on the updated list, and include networking equipment, VoIP, IP cameras, and programmable logic controllers (PLCs), with hypervisors and human-machine interfaces (HMIs) added this year.

The majority of the riskiest devices are on the list because they are frequently exposed on the Internet or because they are critical to business operations, and vulnerabilities are present in all devices. Almost all organizations rely on a combination of IT, IoT, and OT, with healthcare also relying on IoMT devices. That means almost all organizations face a growing attack surface as they have at least one type of risky device connected to their network.

The riskiest devices in each category are detailed in the table below:

The Riskiest Connected Devices. Source: Forescout

Many of the devices included in the list are difficult to patch and manage, which means vulnerabilities are not addressed quickly. IoMT devices are risky because they can provide access to internal networks and can contain valuable patient information, and attacks on these devices can have an impact on healthcare delivery and patient safety. Attacks have been conducted on hospitals that have resulted in fetal monitors being disabled, and in 2020, several attacks were conducted on radiation information systems.

DICOM workstations, nuclear medicine systems, imaging devices, and PACS are all used for medical imaging, and as such can contain highly sensitive patient data. They also commonly run legacy IT operating systems and have extensive network capability for easy sharing of medical imaging data, most commonly using the DICOM standard for sharing files. DICOM was not developed with security in mind, and while DICOM does permit the encryption of data in transit, it is up to individual healthcare organizations to configure encryption. Encryption is not activated in many hospitals, which means medical images are transmitted in clear text and can easily be intercepted and tampered with to include malware. Patient monitors are also amongst the most vulnerable IoMT devices as they commonly communicate using unencrypted protocols, which means communications could be easily intercepted and tampered with. Tampering could prevent alerts from being received.
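The cleartext exposure described above is visible on the wire: the fixed header of a DICOM A-ASSOCIATE-RQ carries the Called and Calling AE titles unencrypted, so a defender monitoring a PACS listener can tell a cleartext association from a TLS handshake. The Python below is an added example, not code from Forescout or HIPAA Journal; the AE titles and sample packet are constructed.

```python
import struct

# DICOM upper layer A-ASSOCIATE-RQ PDU (PS3.8, 9.3.2): 1-byte PDU type 0x01,
# 1 reserved byte, 4-byte big-endian PDU length, then a 68-byte fixed block:
# protocol version (2), reserved (2), Called AE title (16), Calling AE title (16),
# reserved (32), followed by variable items (omitted in the constructed sample).
ASSOC_RQ_TYPE = 0x01
FIXED_BLOCK_LEN = 68
HEADER_LEN = 6 + FIXED_BLOCK_LEN


def build_assoc_rq(called_ae: str, calling_ae: str) -> bytes:
    """Constructed test input: a minimal A-ASSOCIATE-RQ with no variable items."""
    body = (struct.pack(">HH", 1, 0)
            + called_ae.ljust(16).encode("ascii")
            + calling_ae.ljust(16).encode("ascii")
            + b"\x00" * 32)
    return struct.pack(">BBI", ASSOC_RQ_TYPE, 0, len(body)) + body


def parse_cleartext_association(data: bytes):
    """Return (called_ae, calling_ae) if data starts a cleartext A-ASSOCIATE-RQ, else None."""
    if len(data) < HEADER_LEN:
        return None
    pdu_type, _, pdu_len = struct.unpack(">BBI", data[:6])
    if pdu_type != ASSOC_RQ_TYPE or pdu_len < FIXED_BLOCK_LEN:
        return None
    version, _ = struct.unpack(">HH", data[6:10])
    if version & 0x0001 != 1:  # bit 0 set means protocol version 1 is supported
        return None
    called = data[10:26].decode("ascii", errors="replace").strip()
    calling = data[26:42].decode("ascii", errors="replace").strip()
    return called, calling


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03, ClientHello 0x01."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def classify(data: bytes) -> str:
    """Label the first bytes of a connection to a DICOM port: tls, cleartext-dicom or other."""
    if is_tls_client_hello(data):
        return "tls"
    if parse_cleartext_association(data) is not None:
        return "cleartext-dicom"
    return "other"


if __name__ == "__main__":
    sample = build_assoc_rq("PACS", "CT_SCANNER")  # constructed AE titles
    print(classify(sample), parse_cleartext_association(sample))
```

Feeding the first bytes of each new TCP connection to a PACS port through classify() gives an inventory of modalities still associating without TLS, which is the list to work through when enabling DICOM encryption.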

The key to managing risk is to understand how the attack surface is growing and to conduct a comprehensive risk assessment to understand where the vulnerabilities exist. Those risks can then be subjected to a risk management process and can be reduced to a low and acceptable level. “Once you understand your attack surface, you need to mitigate risk with automated controls that do not rely only on security agents and that apply to the whole enterprise instead of silos like the IT network, the OT network or specific types of IoT devices,” suggests Forescout.

The post The Riskiest Connected Devices in Healthcare appeared first on HIPAA Journal.

Security Awareness Training Does Not Appear to Improve Password Hygiene

Security awareness training is a vital part of any security strategy; however, one area where it appears to be having little effect is improving password hygiene. Employees can be taught what a strong password is and how passwords should be created, but even though the theory is understood it is not being put into practice. Employees may be made aware of the importance of practicing good cyber hygiene when it comes to passwords, but creating complex, unique passwords for every account is difficult, and remembering those passwords is almost impossible.

Each year, LastPass conducts its Psychology of Passwords survey, which this year was conducted on 3,750 professionals. Respondents were probed about their password practices for their personal and work accounts. The survey revealed there was a high level of confidence in current password management practices, but in many cases, there was a false sense of safety, as good password hygiene was not always practiced.

The biggest disconnect was with Gen Z, which had the highest level of confidence in their password management practices, yet the poorest scores for password hygiene. Gen Z respondents were the most likely to be able to identify password risks, such as reusing passwords on multiple accounts, yet this age group reused passwords 69% of the time. Overall, 62% of respondents admitted to almost always or mostly using the same password or variations of it on their accounts.

The survey confirmed that 65% of the respondents had received some form of cybersecurity awareness training and 79% of those individuals said their education was effective. Overall, 89% of respondents said they know that using the same password or variations of it was a security risk, but just 12% of respondents said they use a unique password for each account. When probed about changes to their password habits after receiving security awareness training, only 31% of respondents said they changed their password practices and stopped reusing the same password for multiple accounts and only 25% of respondents started using a password manager.

Most respondents used a risk-based approach when creating passwords, with 69% saying they create stronger passwords for financial accounts and 52% of respondents saying they use more complex passwords for their email accounts. Convenience is favored over security for other accounts, with 35% choosing stronger passwords for their health records, 32% for social media accounts, 18% for retail or online shopping accounts, and 14% for streaming accounts such as Netflix. 13% of respondents said they create passwords in the same way, regardless of what account the password is for. Worryingly, only 33% of respondents said they choose stronger passwords for their work accounts.

One of the ways that employers can improve password security is to provide their employees with a password manager. A password manager will suggest random, strong, unique passwords, will store them securely in an encrypted vault, and will autofill them when needed so they never need to be remembered. One way to encourage employees to use a password manager is for employers to provide one to employees for work and personal use and to stress the benefits in security awareness training sessions. The Bitwarden Password Decisions survey published last month found 71% of respondents would be very likely to use a password manager if their company also provided a complimentary family account for personal use, with just 5% saying they would not be likely to use it.

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer at LastPass. “The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons. For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.”

The post Security Awareness Training Does Not Appear to Improve Password Hygiene appeared first on HIPAA Journal.

Healthcare Sector Warned About Cyberattacks by Iranian State-Sponsored Threat Actors

The federal government has issued a warning to the healthcare sector about the threat of cyberattacks by Iranian threat actors. Iranian state-sponsored actors lack the sophisticated technical capabilities of Russian and Chinese threat actors, but still pose a significant threat to the sector. The threat actors mostly use social engineering in their attacks to gain access to healthcare networks and are known to conduct sophisticated spear-phishing campaigns.

Spear phishing campaigns often involve healthcare-related lures with the threat actors using fake personas and social media platforms to interact with their targets, often impersonating doctors, researchers, and think tanks to trick targets into disclosing their credentials or downloading and installing malware. The Tortoiseshell Facebook campaign saw threat actors claim to be recruiters in hospitality, medicine, journalism, NGOs, and aviation. Fake accounts were used to trick targets into opening malware-infected files or to lure them onto phishing URLs to steal credentials. The threat actors often use LinkedIn for contacting targets and sending fake job offers headhunting individuals of interest. Popular online platforms such as Google, Microsoft, and Yahoo are also impersonated to steal credentials.

One notable campaign involved the impersonation of the Director of Research at the Foreign Policy Research Institute (FRPI), with the email appearing to CC the Director of Global Attitudes Research at the Pew Research Center. The emails sought input for an article about Iraq’s position in the world. Spear phishing emails can be realistic and convincing and may involve multiple messages to engage targets in conversation to build trust before tricking them into installing malware or disclosing their credentials. Considerable time and effort are put into creating convincing social media profiles and Internet footprints to make the scams seem more credible and to survive attempts to verify the authenticity of the profile and request.

While spear phishing is the most common initial access vector, the Iranian state-sponsored hacking group known as Pioneer Kitten (aka UNC757, Parisite, and Fox Kitten) is known to exploit vulnerabilities in VPNs and other network appliances, such as CVE-2020-5902 (BIG-IP), CVE-2019-19781 (Citrix), and CVE-2019-11510 (Pulse Connect Secure). Other vulnerabilities exploited for initial access include the Log4j vulnerabilities, the Microsoft Exchange ProxyShell and other Exchange vulnerabilities, and Fortinet FortiOS vulnerabilities. One attack that was thwarted involved exploiting a vulnerability in a Fortigate appliance to gain access to the environmental control networks of a U.S. children’s hospital.

Iranian threat actors are known to conduct attacks to gain access to sensitive personally identifiable information; however, their attacks tend to be more destructive than those of other state-sponsored hacking groups. Iran often exploits vulnerabilities to attack its adversaries in retaliation for sanctions while minimizing the risk of retaliation against itself. Attacks have included website defacements and DDoS attacks intended to damage reputations, and the country is infamous for using wiper malware. Once access to a network is gained, the threat actors move laterally and are known to install a PowerShell backdoor called POWERSTATS for persistence.

Improving resilience to attacks requires a focus on anti-phishing strategies such as implementing a robust email security solution, multi-factor authentication, and end-user training. Employees should receive regular training and be taught how to recognize and report phishing and social engineering attacks. Reviews should be conducted of all internet-accessible systems, vulnerabilities should be patched promptly, networks should be segmented to limit the ability of the threat actors to move laterally, user accounts should be regularly audited, especially those with administrative privileges, and strong passwords should be set to improve resilience to brute force attacks. Further mitigations have been suggested by the Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center in its threat brief.

The post Healthcare Sector Warned About Cyberattacks by Iranian State-Sponsored Threat Actors appeared first on HIPAA Journal.