The Federal Bureau of Investigation (FBI) has issued a public service announcement warning about the threat of Business Email Compromise/Email Account Compromise (BEC/EAC) scams. The number of attacks reported to the FBI Internet Crime Complaint Center (IC3) and the amount of money lost to these scams continues to grow each year, with losses to BEC/EAC scams increasing 65% between July 2019 and December 2021.

BEC/EAC scams are the leading cause of losses to cybercrime. Between June 2016 and December 2021, IC3 received 241,206 complaints about domestic and international BEC/EAC attacks with reported losses of more than $43.3 billion. The IC3 2021 Internet Crime Report shows victims reported losses of $2.4 billion in 2021 across 19,954 complaints – around one-third of all losses to cybercrime in 2021. The actual losses to these scams are undoubtedly far higher, as many victims do not report the scams to the FBI, especially if the losses are relatively small.

BEC/EAC scams involve compromising email accounts and using them to send emails to businesses and individuals who perform legitimate transfers of funds requesting fraudulent transfers or changes to bank account information for upcoming payments. Statistical data shows the destination accounts for these transfers are most commonly overseas. The FBI says fraudulent transfers were made to banks in 140 countries, with Thailand topping the list followed by Hong Kong, China, Mexico, and Singapore.

The number of complaints about BEC/EAC scams involving cryptocurrencies has been growing. BEC/EAC scams involving cryptocurrencies started to be received by IC3 in 2018 when losses of less than $5 million. In 2021, cryptocurrency losses from BEC/EAC scams of $40 million were reported.

While it is common for scammers to target large enterprises that routinely perform transfers of millions of dollars, businesses of all sizes have been targeted including small local firms as well as individuals. The FBI says scams have been reported domestically in all 50 states, and reports have been received from victims in 177 countries.

BEC/EAC scams are conducted frequently because they have a high success rate and the ROI is so high. Fraudulent transfers are often for hundreds of thousands or millions of dollars, and the high success rate is due to the abuse of trust. The emails requesting transfers come from the email accounts of trusted individuals, such as company executives, vendors, and business partners, and the requests for transfers or bank account changes are often not questioned. The scams can also target sensitive data, such as the personally identifiable information of employees in W-2 forms.

Businesses and individuals should take steps to protect against BEC/EAC scams. These scams often start with phishing emails to obtain credentials to email accounts, so implementing a spam filtering solution to block the initial phishing emails will help to prevent email accounts from being compromised. 2-factor authentication should also be implemented to prevent stolen credentials from being used to access email accounts. Password policies should be implemented and enforced to prevent weak passwords from being set, which are vulnerable to brute force attacks.

Businesses should conduct security awareness training to teach employees how to recognize phishing emails and BEC/EAC scams and condition them to be wary of any email that requests login credentials or PII of any kind. The emails may appear to have been sent by trusted individuals and the reason for providing information often appears legitimate.

It is important to verify the email address used to send emails to ensure that the sender’s name and email address match, and to carefully check any URLs in emails to make sure they are associated with the business or individual they claim to be from. Employees should be alert to hyperlinks that may contain misspellings of the actual domain name. Employees’ computers and corporate-issued mobile devices should be configured to allow full email extensions to be viewed.

Since these scams often involve compromised internal email accounts and those of vendors, it is important to use secondary channels or two-factor authentication to verify requests for changes to account information and wire transfers, and businesses and individuals should monitor their financial accounts closely for irregularities such as missing deposits.

Victims of BEC/EAC scams should immediately report the incidents to their financial institution and request a recall of funds, and should also file a complaint with IC3. IC3’s Recovery Assist Team initiated the Financial Fraud Kill Chain (FFKC) in 2021 on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237 and achieved a 74% success rate, freezing funds totaling $329 million.

The post FBI Issues Warning About BEC Scams as Losses Increase to $43 Billion appeared first on HIPAA Journal.

Thursday, May 2, 2024, is World Password Day. Established in 2013, the event is observed on the first Thursday of May with the goal of improving awareness of the importance of creating complex and unique passwords and adopting password best practices to keep sensitive information private and confidential.

Passwords were first used to protect accounts against unauthorized access in computing environments in the 1960s. In 1961, researchers at the Massachusetts Institute of Technology (MIT) started using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709 and users could access the system through a dumb terminal, with passwords used to prevent unauthorized access to users’ personal files.

The system is widely believed to be the first to use passwords and was also one of the first to experience a password breach. In the mid-1960s, MIT Ph.D. researcher Allan Scherr needed more than his allotted 4-hour CTSS time to run performance simulations he had designed for the computer system. He discovered a way to print out all passwords stored in the system and used the passwords to gain extra time.

Passwords are now the most common way to secure accounts and while passwordless authentication, such as biometric identifiers and single sign-on, are becoming more popular, in the short to medium term passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access.

The Importance of Creating Strong Passwords

The use of passwords carries security risks, which World Password Day aims to address. One of the most common ways for hackers to gain access to accounts is to use stolen passwords. Phishing is used to target employees and trick them into disclosing their passwords, either via email, phone (vishing), or text message (SMiShing). Adopting 2-factor authentication will help to stop these attacks from succeeding. According to Microsoft, 2-factor authentication blocks more than 99% of automated attacks on accounts.

Hackers also use brute force tactics to guess weak passwords and take advantage of default credentials that have not been changed. If rate limiting is not implemented to lock accounts after a set number of failed login attempts, weak passwords can be guessed in a fraction of a second. Even strong passwords can be guessed in seconds or minutes if they are not sufficiently long.

In 2020, Hive Systems started publishing charts showing the time it takes for a hacker to brute force a password using a powerful, commercially available computer, and each year the table is updated to account for advances in computing technology. The chart clearly demonstrates the importance of creating strong passwords that include a combination of numbers, symbols, and upper- and lower-case letters and ensuring passwords contain enough characters. We recommend a minimum password length of 14 characters.

How long does it take to hack a password in 2024 – Source Hive Systems

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is difficult for most people, and it is made even harder due to the need to create passwords to protect multiple accounts – A study by NordPass suggests the average person has around 100 passwords. Many people struggle to create and remember more than one strong and unique password, so with so many accounts to secure it is unsurprising that people take shortcuts, but those password management shortcuts significantly weaken password security.

It is common for users to avoid creating unique passwords and they end up reusing the same password for multiple accounts. The problem with this is that if the password is compromised on one platform, either through brute force tactics, a phishing scam, or another method, all other accounts that use that password are at risk. Hackers take advantage of this common bad practice using a technique called credential stuffing. If they obtain a list of usernames and passwords from a data breach, they will attempt to access accounts on other unrelated platforms using those username and password combinations. This method only succeeds if there has been password reuse.

Changing passwords slightly by adding a number or substituting characters when creating new accounts isn’t much more secure, and will leave accounts susceptible to brute force attacks. If a hacker obtains a username and password combination, various permutations of that password will be attempted with that username. Writing down passwords is also a very bad idea.

Many businesses have implemented minimum complexity requirements for passwords, stipulating a minimum password length and composition requirements, yet it is common for employees to take shortcuts to make passwords easier to remember. It is possible to create a password that meets minimum complexity requirements yet is still incredibly weak. ‘Password’ is still one of the most commonly used passwords and it is usually the first one that is attempted when trying to hack an account. ‘P4ssw0rd!’ would meet the password complexity requirements imposed on many platforms, but it is still incredibly weak and offers next to no protection.

Global Password Management Survey Reveals Poor Password Management Practices

The 2024 Global Password Management Survey conducted by password management solution provider Bitwarden ahead of World Password Day confirms that extremely risky password practices are still incredibly common. The survey was conducted on more than 2,400 Internet users in the United States, United Kingdom, Australia, Germany, France, and Japan and asked questions about personal passwords, password habits at work, and the strategies that are adopted for managing passwords.

Despite the risks, 84% of respondents admitted to reusing passwords for multiple accounts, down from 90% in 2022. In 2024, 33% of respondents said they reuse passwords on 1-5 sites, 26% reuse passwords on 6-10 sites, 15% reuse passwords on 11-15 sites, and 11% use the same password to secure more than 15 sites. Password reuse is most common on personal accounts; however, 47% of respondents said they reuse passwords at work very (14%) or somewhat (33%) frequently.

Password manager use is increasing. 32% of respondents said they use a password manager at home, up from 30% last year, but only 30% of respondents said they use a password manager at work. 54% of respondents said they rely on memory to manage passwords at home, which suggests that the passwords they set are easy to remember and therefore not particularly complex. 36% of respondents said they use personal information in their passwords, and 60% said that the personal information they use in their passwords can be found in their social media accounts.

Workplace security habits were rated as generally secure by 53% of respondents; with 37% of respondents admitting to somewhat (31%) or very (6%) risky workplace security habits. Risky security habits were the use of weak or personal information-based passwords (39%), storing work passwords insecurely (35%), not using 2-factor authentication (2FA) or multifactor authentication (MFA) (33%), and sharing passwords insecurely (32%).

Account security can be greatly improved with 2FA/MFA, and while there are strong feelings that the additional authentication makes accessing accounts cumbersome, 2FA/MFA is now being widely adopted. 80% of respondents said they use 2FA for personal accounts, up from 66% in 2023, and only 28% of respondents said they do not use 2FA or MFA at work. Awareness of 2FA and MFA is improving, with only 7% of users saying they are not sure what those terms mean, down from 22% last year. While any form of MFA is better than none, SMS-based MFA is still the most common despite this method being the least secure. 65% of respondents said they used SMS-based MFA at home and 50% said SMS-based MFA was used at work.

2FA/MFA is vital for protecting accounts. In the event of a phishing attack where an employee discloses their password, 2FA/MFA can prevent that password from granting access to the account, thus preventing a costly data breach. However, while any form of 2FA/MFA is better than single-factor authentication, phishing-resistant MFA provides the best protection. Threat actors are now using phishing kits capable of stealing session cookies and MFA codes, thus bypassing MFA.

Password Security and Management Tips

World Password Day 2024 is the perfect time to assess password security and take steps to ensure that all accounts are properly secured with strong and unique passwords, and start following password best practices:

• Ensure a strong, unique password is set for all accounts
• Use a combination of upper- and lower-case letters, numbers, and symbols in passwords
• Use easy-to-remember passphrases rather than passwords, that have a minimum of 14 characters
• Never reuse passwords on multiple accounts
• Don’t use information in passwords that can be found in social media profiles (DOB, spouse or pet name, etc.) or is known to others
• Ensure 2-factor authentication is set up, especially for accounts containing sensitive data
• Use a secure password generator to generate random strings of characters
• Avoid using dictionary words and commonly used passwords
• Use a password manager for creating strong passwords and secure storage, and set a long and complex passphrase for your password vault.

The post World Password Day 2024 – Password Tips and Best Practices appeared first on HIPAA Journal.

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has made several recommendations for improving the NIST cybersecurity framework and supply chain risk management guidance to help healthcare organizations deal with some of the most pressing threats facing the sector.

Ransomware is one of the main threats facing the healthcare industry, and that is unlikely to change in the short to medium term.  To help healthcare organizations deal with the threat, WEDI has suggested NIST increase its focus on ransomware and address the issue of ransomware directly in the cybersecurity framework. NIST published a new ransomware resource in February 2022, which contains valuable information on protecting against, detecting, responding to, and recovering from ransomware attacks. WEDI feels the inclusion of ransomware within the cybersecurity framework will expand the reach and impact of the resource.

WEDI has also recommended the inclusion of specific case studies of healthcare organizations that have experienced a ransomware attack, updating the framework to define contingency planning strategies based on the type of healthcare organization and issue guidance with a focus on contingency planning, execution, and recovery. Ransomware attacks on healthcare providers carry risks that are not applicable to other entities. Further guidance in this area would be of great benefit to healthcare providers and could help to minimize disruption and patient safety issues.

Healthcare organizations have been developing patient access Application Programming Interfaces (APIs) and applications (apps) which are covered by HIPAA, and are therefore required to incorporate safeguards to ensure the privacy and security of any healthcare data they contain, but WEDI has drawn attention to the lack of robust privacy standards that are applicable to third party health apps that are not covered by HIPAA. WEDI says there is a need for a national security framework to ensure that health care data obtained by third-party apps are held to appropriate privacy and security standards.

The number of risks and vulnerabilities to portable and implantable medical devices has grown at an incredible rate in recent years and those risks are likely to grow exponentially in the years to come. WEDI has recommended NIST address cybersecurity issues related to these devices directly in the cybersecurity framework, and also address the issue of insider threats. Many healthcare data breaches are caused by insider threats such as lost electronic devices, phishing and social engineering attacks. WEDI suggests these issues and security awareness training should be addressed in the cybersecurity framework.

WEDI has also recommended NIST develop a version of its cybersecurity framework that is targeted at smaller healthcare organizations, which do not have the resources available to stay informed about the latest security developments and implement the latest security measures and protocols. A version of the framework that is more focused on the threats faced by smaller organizations would be of great benefit and should include realistic proactive steps that can be taken by small healthcare organizations to mitigate risks.

The post WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework appeared first on HIPAA Journal.

The five eyes cybersecurity agencies have recently issued a joint security alert warning about the threat of cyberattacks on critical infrastructure by Russian nation-state threat actors and pro-Russia cybercriminal groups.

Intelligence gathered by the agencies indicates the Russian government has been exploring opportunities for conducting cyberattacks against targets in the West in retaliation for the sanctions imposed on Russia and the support being provided to Ukraine. The agencies warn that Russian state-sponsored hacking groups have been conducting Distributed Denial of Service (DDoS) attacks in Ukraine and are known to have used destructive malware in Ukraine on government and critical infrastructure organizations. These hacking groups are highly skilled, can gain access to IT networks, maintain persistence, exfiltrate sensitive data, and can cause major disruption to critical systems, including industrial control systems.

The alert names several Russian government and military organizations that have engaged in these malicious activities, including the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and the Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM).

The FSB is known to have conducted cyber operations against the Energy Sector, including companies in the US and UK, private sector organizations, cybersecurity companies, and others, and has engaged cybercriminal hackers and tasked them with conducting espionage-focused activities. The SVR has conducted targeted attacks on critical infrastructure organizations and is known for conducting sophisticated attacks using stealthy intrusion tradecraft. The GRU has targeted a range of critical infrastructure organizations, and the TsNIIKhM has a history of conducting attacks on foreign companies and government organziations.

Several cybercriminal groups have publicly voiced their support for Russia and have threatened to conduct cyberattacks on organizations that are perceived to have conducted cyber offensives against the Russian government or the Russian people. These cybercriminal groups are thought to pose a threat to all critical infrastructure organizations, including healthcare. They primarily conduct DDoS attacks with extortion and ransomware attacks.

The cybersecurity agencies have urged all critical infrastructure entities to take steps to prepare for and mitigate cyberattacks. The alert provides detailed information on threat actors and state-sponsored hacking groups of concern and recommendations for preparing for and mitigating cyber threats.

The post Five Eyes Agencies Warn Critical Infrastructure Orgs About Threat of Russian State-Sponsored and Criminal Cyberattacks appeared first on HIPAA Journal.

A new report from Comcast Business indicates 2021 was another record-breaking year for Distributed Denial of Service (DDoS) attacks. 9.84 million DDoS attacks were reported in 2021, which is a 14% increase from 2019, although slightly lower than the previous year when 10.1 million attacks were reported.

The slight decline in attacks was due to several factors. 2020 was a particularly bad year as it was a full lockdown year where employees were working remotely and students were learning from home, which provided attackers with a unique landscape against which to launch an unprecedented number of DDoS attacks, and the high prices of cryptocurrencies in 2021 meant many threat actors diverted their botnets from conducting DDoS attacks to mining cryptocurrencies.

DDoS attackers spared no one in 2021; however, 73% of attacks were conducted on just four sectors – healthcare, government, finance, and education. Attackers followed seasonal trends and activities throughout the year, with education being attacked to coincide with the school year, and COVID-19 and vaccine availability drove DDoS attacks on the healthcare industry.

Multi-vector attacks increased by 47% in 2021. Comcast Business DDoS Mitigation Services defended customers against 24,845 multi-vector attacks targeting layers 3, 4, & 7 (Network, Transport & Application) simultaneously. 69% of Comcast Business clients were victims of DDoS attacks in 2021, a 41% increase from 2020, and 55% of Comcast Business customers experienced multi-vector attacks targeting layers, 3, 4, & 7 simultaneously. There was also a major increase in the number of vectors used in multi-vector attacks, increasing from 5 in 2020 to 15 in 2021, with the amplification protocols in the attacks increasing from 3 to 9.

DDoS attacks flood victims’ networks with traffic to render them unusable, and while attacks are often conducted just for that reason, it is common for DDoS attacks to be conducted to distract organizations and consume resources while the attackers engage in other nefarious activities. There is a strong link between DDoS attacks and data breaches. According to a Neustar survey, almost half of organizations (47%) that suffered a DDoS attack discovered a virus on their networks after the attack, 44% said malware was activated, 33% reported a network breach, 32% reported customer data theft, 15% suffered a ransomware attack, and 11% were victims of financial theft.

The most severe attack in 2021 was a 242 Gbps DDoS attack, which would be sufficient to saturate even high bandwidth Ethernet Dedicated Internet (EDI) circuits within minutes. The magnitude of attacks has increased and a trend has been identified where threat actors conduct low-volume attacks to stay under the radar of IT teams and cause damage on multiple levels. This tactic can degrade website performance, yet the attacks are often not detected by IT teams, who only discover they have been targeted when they start receiving complaints from customers.

DDoS attacks are cheap to perform, costing just a few dollars, although for a few hundred dollars massive attacks can be conducted that can cripple businesses. DDoS attacks can be incredibly costly for businesses. The attacks can prevent businesses from reaching their customers and meeting SLAs, and the attacks can result in devastating financial and reputational damage. In some cases, the damage is so severe that businesses have been forced to permanently close. For businesses that depend on availability, every minute of downtime can cause hundreds of thousands or even millions of dollars in losses.

“Even if you are a small business and think you are at a lower risk, you could be in the supply chain for a larger organization,” said explained Comcast Business in the report. “You can be sure that your business partners are watching their threat risk factors and are increasingly concerned about doing business with companies that are not.”

The post 2021 Saw Record Numbers of DDoS Attacks on the Healthcare Industry appeared first on HIPAA Journal.

The Federal Bureau of Investigation (FBI) has issued a TLP: WHITE flash alert about the BlackCat ransomware-a-s-a-service (RaaS) operation. BlackCat, also known as ALPHAV, was launched in November 2021, shortly after the shutdown of the BlackMatter ransomware operation, which was a rebrand of DarkSide, which was behind the ransomware attack on Colonial Pipeline. A member of the operation has claimed they are a former affiliate of BlackMatter/DarkSide that branched out on their own; however, it is more likely that BlackCat is a rebrand of BlackMatter/DarkSide.

The FBI said many of the developers and money launderers involved with the BlackCat operation have been linked to DarkSide/BlackMatter, which indicates they have extensive networks and considerable experience with running RaaS operations. The BlackCat RaaS operation has not been active for long, but the group has already claimed at least 60 victims worldwide. BlackCat typically targets large organizations and demands ransom payments of several million dollars in Bitcoin or Monero, although the group does appear willing to negotiate payments with victims.

Unusually for ransomware, it is written in RUST, which is considered to be a more secure programming language that ensures better performance and concurrent processing. Initial access to networks is usually gained using previously compromised credentials, and once access is gained, Active Directory user and administrator accounts are compromised. The ransomware executable is highly customizable and allows attacks on a wide range of corporate environments, it supports multiple encryption methods, and can disable security features on victim networks.

The group uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy the ransomware, initially using PowerShell scripts and Cobalt Strike. Windows administrative tools and Microsoft Sysinternals tools are also used during compromise. Prior to encrypting files, victim data is stolen, including from cloud providers. Threats are then issued to publish the stolen data on the leak site if the ransom is not paid. In the flash alert, the FBI has shared indicators of compromise (IoCs) and mitigation measures that should be adopted to improve security and make it harder for attacks to succeed.

As with all ransomware attacks, the FBI recommends not paying the ransom as there is no guarantee that files will be recovered, payment does not prevent further attacks, and there is no guarantee that any data stolen in the attack will not be published, stolen, or misused. However, the FBI accepts that payment of the ransom may be the only option in some cases to protect customers, patients, employees, and shareholders.

Regardless of whether or not the ransom is paid, the FBI has requested victims report attacks to their local FBI field office. The FBI has requested IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.

The post FBI Issues Warning About BlackCat Ransomware Operation appeared first on HIPAA Journal.