Healthcare Cybersecurity

FBI Issues Warning About BlackCat Ransomware Operation

Posted by HIPAA Journal

The Federal Bureau of Investigation (FBI) has issued a TLP: WHITE flash alert about the BlackCat ransomware-a-s-a-service (RaaS) operation. BlackCat, also known as ALPHAV, was launched in November 2021, shortly after the shutdown of the BlackMatter ransomware operation, which was a rebrand of DarkSide, which was behind the ransomware attack on Colonial Pipeline. A member of the operation has claimed they are a former affiliate of BlackMatter/DarkSide that branched out on their own; however, it is more likely that BlackCat is a rebrand of BlackMatter/DarkSide.

The FBI said many of the developers and money launderers involved with the BlackCat operation have been linked to DarkSide/BlackMatter, which indicates they have extensive networks and considerable experience with running RaaS operations. The BlackCat RaaS operation has not been active for long, but the group has already claimed at least 60 victims worldwide. BlackCat typically targets large organizations and demands ransom payments of several million dollars in Bitcoin or Monero, although the group does appear willing to negotiate payments with victims.

Unusually for ransomware, it is written in RUST, which is considered to be a more secure programming language that ensures better performance and concurrent processing. Initial access to networks is usually gained using previously compromised credentials, and once access is gained, Active Directory user and administrator accounts are compromised. The ransomware executable is highly customizable and allows attacks on a wide range of corporate environments, it supports multiple encryption methods, and can disable security features on victim networks.

The group uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy the ransomware, initially using PowerShell scripts and Cobalt Strike. Windows administrative tools and Microsoft Sysinternals tools are also used during compromise. Prior to encrypting files, victim data is stolen, including from cloud providers. Threats are then issued to publish the stolen data on the leak site if the ransom is not paid. In the flash alert, the FBI has shared indicators of compromise (IoCs) and mitigation measures that should be adopted to improve security and make it harder for attacks to succeed.

As with all ransomware attacks, the FBI recommends not paying the ransom as there is no guarantee that files will be recovered, payment does not prevent further attacks, and there is no guarantee that any data stolen in the attack will not be published, stolen, or misused. However, the FBI accepts that payment of the ransom may be the only option in some cases to protect customers, patients, employees, and shareholders.

Regardless of whether or not the ransom is paid, the FBI has requested victims report attacks to their local FBI field office. The FBI has requested IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.

The post FBI Issues Warning About BlackCat Ransomware Operation appeared first on HIPAA Journal.

HHS Issues Warning to HPH Sector about Hive Ransomware

Posted by HIPAA Journal

The HHS’ Office of Information Security Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP: White alert about the Hive ransomware group – A particularly aggressive cybercriminal operation that has extensively targeted the healthcare sector in the United States.

HC3 has shared an analysis of the tactics, techniques, and procedures (TTPs) known to be used by the group in their attacks and has shared cybersecurity principles and mitigations that can be adopted to improve resilience against Hive ransomware attacks.

The Hive ransomware group has been conducting attacks since at least June 2021. The group is known for using double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to publish the data if the ransom is not paid. The group is also known to contact victims by phone to pressure them into paying the ransom.

Hive is a ransomware-a-service (RaaS) operation where affiliates are recruited to conduct attacks on the gang’s behalf in exchange for a cut of the profits that are generated, which allows the core members of the group to concentrate on development and operations.

Having affiliates with different specialties means a variety of TTPs are employed to gain access to networks; however, the group most commonly uses phishing emails, Remote Desktop Protocol, and VPN compromise in their attacks. Once access to networks is gained, compromised systems are searched to identify applications and processes involved in backing up data, and then those processes and applications are terminated or disrupted. Shadow copies, backup files, and system snapshots are also deleted to make it harder for victims to recover without paying the ransom.

The ransomware is actively developed, and several features and practices have been adopted to prevent analysis of the ransomware, interception and monitoring of negotiations with victims, and the group has adopted a new IPv4 obfuscation technique – IPfuscation – to make their attacks stealthier.

Defending against Hive ransomware attacks requires standard cybersecurity best practices to be followed, including  the following:

  • Changing default passwords and setting strong passwords
  • Implementing 2-factor authentication, especially for remote access services
  • Providing regular security awareness training to the workforce
  • Creating multiple copies of backups, testing those backups, and storing backups offline
  • Ensuring there is continuous monitoring, supported by a constant input of threat data
  • Implementing a comprehensive vulnerability management program and prioritizing known exploited vulnerabilities
  • Ensuring software and operating systems are kept up to date
  • Implementing comprehensive endpoint security solutions that are automatically updated with the latest signatures/updates.

The post HHS Issues Warning to HPH Sector about Hive Ransomware appeared first on HIPAA Journal.

Microsoft Sinkholes Notorious ZLoader Botnet

Posted by HIPAA Journal

The notorious cybercrime ZLoader botnet, which was used to deliver Ryuk ransomware in attacks on healthcare providers, has been disabled by Microsoft’s Digital Crimes Unit (DCU). Microsoft recently obtained a court order from the United States District Court for the Northern District of Georgia authorizing the seizure of 65 hard-coded domains used by the ZLoader botnet for command-and-control communications. Those domains have now been sinkholed, preventing the operator of the botnet from communicating with devices infected with ZLoader malware.

ZLoader malware included a domain generation algorithm (DGA) which is triggered if communication with the hard-coded domains is not possible, which serves as a failsafe against any takedown efforts. The court order also allowed Microsoft to seize 319 DGA-registered domains. Microsoft is working to block the registration of any future DGA domains.

ZLoader is part of a family of malware variants that descended from the ZeuS banking Trojan. Initially, ZeuS was used for credential and financial theft, with the aim of transferring money out of victims’ financial accounts. The threat actor behind the malware then established a malware-as-a-service operation to deliver malware and ransomware for other threat actors such as Ryuk.

Ryuk ransomware has been extensively used in attacks on the healthcare industry since its emergence in 2018, and ZLoader was one of the ways the ransomware was delivered. ZLoader is capable of disabling a popular antivirus solution to evade detection, and the malware has been installed on thousands of devices, many of which are in education and healthcare.

The takedown of the botnet is significant; however, the operators of the botnet are likely already working to set up new command and control infrastructure. Microsoft said the takedown has been a success and resulted in the temporary disabling of the ZLoader infrastructure, which has made it more difficult for the organized criminal gang to continue with its malicious activities.

“We referred this case to law enforcement, who are tracking this activity closely and will continue to work with our partners to monitor the behavior of these cybercriminals. We will work with internet service providers to identify and remediate victims,” said Microsoft. Microsoft also confirmed that it is prepared to take further legal action and implement technical measures to deal with ZLoader and other botnets.

Microsoft also named an individual who is believed to be responsible for developing a component of the malware that was used for delivering ransomware – Denis Malikov, who resides in Simferopol on the Crimean Peninsula. “We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes.”

Microsoft said it was assisted with its investigation of the ZLoader operation by the cybersecurity firm ESET, Palo Alto Networks’ Unit 42, team, and Black Lotus Labs, and was provided with additional insights from the Financial Services Information Sharing and Analysis Centers (FS-ISAC), the Health Information Sharing and Analysis Center (H-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender Team.

The post Microsoft Sinkholes Notorious ZLoader Botnet appeared first on HIPAA Journal.

JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots

Posted by HIPAA Journal

Five zero-day vulnerabilities have been identified in Aethon TUG autonomous mobile robots, which are used in hospitals worldwide for transporting goods, medicines, and other medical supplies. Hospital robots are attractive targets for hackers. If access to the robots is gained, a variety of malicious actions could be performed.

Attackers could trigger a denial-of-service condition to disrupt hospital operations for extortion, and since sensitive patient data is fed into the devices, exploitation of the vulnerabilities could provide hackers with access to patient data. The robots are given privileged access to restricted areas within healthcare facilities, which would not normally be accessible to unauthorized individuals. The robots can open doors and access elevators, and could be used to block access, shut down elevators, or bump into staff and patients. Since the robots have integrated cameras, they could be hijacked and used for surveillance. The robots could also potentially be hijacked and used to deliver malware or could serve as a launchpad for more extensive cyberattacks on hospital networks.

The vulnerabilities, which are collectively named JekyllBot:5, were identified by Asher Brass and Daniel Brodie of the healthcare IoT security firm Cynerio. The researchers said the vulnerabilities require a low level of skill to exploit, can be exploited remotely if the system is connected to the Internet, and exploitation of the vulnerabilities does not require any special privileges.

One of the vulnerabilities is rated critical with a CVSS severity score of 9.8 out of 10 and the other four are all high-severity issues with CVSS scores between 7.6 and 8.2. The most serious vulnerability, tracked as CVE-2022-1070, could be exploited by an unauthenticated attacker to access the TUG Home Base Server websocket, which would allow the attacker to cause a denial-of-service condition, gain access to sensitive information, and take full control of TUG robots.

Two of the vulnerabilities – CVE-2022-1066 and CVE-2022-26423 – are due to missing authentication and have been given CVSS scores of 8.2. The first vulnerability can be exploited by an unauthenticated attacker and allows new users to be created with administrative privileges and allows existing users to be modified or deleted. The second vulnerability allows an unauthenticated attacker to freely access hashed user credentials.

The remaining two vulnerabilities – CVE-2022-1070 and CVE-2022-1059 – make the Fleet Management Console vulnerable to cross-site scripting attacks. Both flaws have been given a CVSS score of 7.6.

“The worst-case scenario is a total disruption of critical care and violation of patient privacy, and JekyllBot:5 would give attackers the means to compromise security in ways they would not otherwise be able to, especially in terms of physical security,” said Brodie.

The researchers notified Aethon and CISA about the vulnerabilities. Aethon has patched the vulnerabilities via a new firmware release – version 24. All versions of the firmware prior to version 24 are at risk of exploitation of the JekyllBot:5 vulnerabilities.

Further steps can also be taken to minimize the risk of the exploitation of vulnerabilities. CISA recommends not exposing control system devices and systems to the Internet, locating all control systems behind firewalls, and isolating systems such as TUG Home Base Server from business networks. If remote access is necessary, Virtual Private Networks should be required for access and VPNs should be kept up to date and always be running the latest software version.

“Hospitals need solutions that go beyond mere healthcare IoT device inventory checks to proactively mitigate risks and apply immediate remediation for any detected attacks or malicious activity,” said Leon Lerman, founder and CEO of Cynerio. “Any less is a disservice to patients and the devices they depend on for optimal healthcare outcomes.”

The post JekyllBot:5 Vulnerabilities Allow Hackers to Take Control of Aethon TUG Hospital Robots appeared first on HIPAA Journal.

Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms

Posted by HIPAA Journal

A recent data breach at the email marketing platform vendor Mailchimp has prompted a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform.

The breach came to light when the cryptocurrency hardware wallet provider, Trezor, investigated a phishing campaign targeting its customers that used the email addresses registered to Trezor accounts, which uncovered a data breach at Mailchimp.

Mailchimp’s investigation confirmed that threat actors had successfully compromised internal accounts of its customer support and account administration teams, and while those accounts have now been secured, the attackers were able to gain access to the accounts of 300 Mailchimp users and were able to extract audience data from 102 of those accounts. API keys were also obtained by the attackers that allow them to create email campaigns for use in phishing attacks without having to access customer portals.

Since accounts used by Mailchimp customers to send marketing campaigns such as newsletters may be whitelisted by subscribers, any phishing campaigns conducted using the compromised accounts may see the emails delivered to inboxes. HC3 says it is only aware of one phishing campaign being conducted using a compromised account, which targeted users in the cryptocurrency and financial sectors, but there is a risk that campaigns could also be conducted targeting users in the healthcare and public health (HPH) sector.

HC3 has recommended organizations in the HPH sector take steps to mitigate the threat. HC3 says the best defense is user awareness training since phishing emails will come from a legitimate and trusted sender. Employees should be made aware of the threat and be instructed to be wary of any emails sent via Mailchimp. While phishing emails could be sent, malware may also be delivered. Antivirus software should be implemented, network intrusion prevention systems are beneficial, and HC3 also suggests using web filters to restrict access to web content that is not necessary for business operations.

Anti-spoofing and other email authentication mechanisms are also recommended. These include performing validity checks of the sender domain using SPK, checking the integrity of messages using DKIM, and checking to make sure the sender is authorized to use the domain using DMARC.

The post Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms appeared first on HIPAA Journal.

Increase in Class Action Lawsuits Following Healthcare Data Incidents

Posted by HIPAA Journal

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector.

Ransomware Attacks Increased in 2021

Ransomware attacks have continued to occur at elevated levels, with them accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020 and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022.

Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846) which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the ransom, and in 97% of cases, data was successfully restored after paying the ransom.

Data exfiltration is now the norm in ransomware attacks. 82% of the ransomware attacks handled by BakerHostetler in 2021 included a claim that the attackers had exfiltrated data prior to encrypting files. In 73% of those incidents, evidence of data theft was uncovered, and 81% required notice to be provided to individuals. The average number of notifications was 81,679 and the median number of notifications was 1,002.

The threat of the exposure of stolen data prompted many organizations to pay the ransom. 33% of victims paid the ransom even though they were able to partially restore files from backups and 24% paid even though they had fully restored files from backups.

There was also an increase in business email compromise (BEC) attacks, where phishing and social engineering are used to access organizations’ email accounts, which are then used to trick organizations into making fraudulent payments. While there was an improvement in detection in time to recover transferred funds – 43% compared to 38% in 2020 – there was an increase in the number of organizations that had to provide notifications about the incident to individuals and regulators, jumping from 43% of incidents in 2020 to 60% in 2021.

Class Action Lawsuits are More Common, Even for Smaller Data Incidents

It is now more common for organizations to face class action lawsuits after data security incidents. While class action lawsuits tended to only be filed for large data incidents, it is now increasingly common for smaller data incidents to also result in lawsuits. In 2021, 23 disclosed data incidents resulted in lawsuits being filed, up from 20 in 2020. 11 of the lawsuits related to data incidents involving the data of fewer than 700,000 individuals, with 3 lawsuits filed in relation to incidents that affected fewer than 8,000 individuals.

BakerHostetler identified a trend in 2021 for multiple class action lawsuits to be filed following a data incident. More than 58 lawsuits were filed related to the 23 incidents, and 43 of those lawsuits were in response to data breaches at healthcare organizations.

“There was always a risk of multidistrict litigation following large data incidents. However, now we are seeing multiple lawsuits following an incident notification in the same federal forum. Or, in the alternative, we see a handful of cases in one federal forum and another handful of cases in a state venue,” explained BakerHostetler in the report. “This duplicative litigation trend is increasing the “race to the courthouse” filings and increasing the initial litigation defense costs and the ultimate cost of settlement, due to the number of plaintiffs’ attorneys involved.”

OCR is Requesting Evidence of “Recognized Security Practices”

2021 saw record numbers of data breaches reported by healthcare organizations. 714 incidents were reported to the HHS’ Office for Civil Rights in 2021 compared to 663 in 2020, and more data breaches were referred to the Department of Justice to investigate possible criminal violations than in previous years.

In 2021, there was an amendment made to the HITECH Act to include a HIPAA Safe Harbor for organizations that have adopted recognized security practices for at least 12 months prior to a data breach occurring. BakerHostetler said that out of the 40 OCR investigations of organizations that it worked with, OCR frequently asked about the recognized security practices that had been in place in the 12 months prior to the incident occurring. BakerHostetler strongly recommends organizations examine their security practices and ensure they match the definition of “recognized security practices” detailed in the HITECH amendment, and to consider further investments in cybersecurity to meet that definition if their security practices fall short of what is required.

The post Increase in Class Action Lawsuits Following Healthcare Data Incidents appeared first on HIPAA Journal.

FDA Releases Updated Guidance on Medical Device Cybersecurity

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) has issued new draft guidance for medical device manufacturers to help them incorporate cybersecurity protections into their products at the premarket stage, and to ensure security risks are managed for the full life cycle of the products.

The FDA first released final guidance on premarket expectations for medical devices in 2014, then updated and released draft guidance in 2018. The latest update was deemed necessary due to the changing threat landscape, the increasing use of wireless, Internet- and network-connected devices, portable media, and the frequent electronic exchange of medical device-related health information. Further, the healthcare industry is being increasingly targeted by cyber threat actors, and the severity and clinical impact of healthcare cyberattacks have increased. Cyberattacks on healthcare providers have the potential to delay test results, diagnoses, and treatment, which could lead to patient harm.

The FDA felt that an updated approach was necessary to ensure cybersecurity risks were managed and reduced to a low and acceptable level. The updated guidance includes recommendations regarding cybersecurity device design, labeling, and the documentation the FDA suggests should be included in premarket submissions for devices with cybersecurity risk.

The FDA considered feedback received on the 2018 draft guidance, input from stakeholders gathered at various public meetings, and recommendations made in the Health Care Industry Cybersecurity (HCIC) Task Force Report when updating the guidance.

The guidance covers threat modeling, the requirement for a software bill of materials that includes all third-party software components, security risk assessment, security risk management, the implementation of security controls, cybersecurity testing, vulnerability management planning, and the importance of cybersecurity transparency.

By following the FDA’s recommendations, device manufacturers can ensure an efficient premarket review process and that their devices will be sufficiently resilient to cyber threats.

The FDA has requested public comment on the new draft guidance – Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – which will be accepted until July 7, 2022. The FDA will then work on a final version of the guidance.

The post FDA Releases Updated Guidance on Medical Device Cybersecurity appeared first on HIPAA Journal.

NCCoE Releases Final Guidance on Effective Enterprise Patch Management

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has released the final versions of two Special Publications that provide guidance on enterprise patch management practices to prevent the exploitation of vulnerabilities in IT systems.

Cybercriminals and nation-state threat actors target unpatched vulnerabilities in software, operating systems, and firmware to gain access to business networks to steal sensitive data and disrupt operations. It is vital for all organizations to ensure patches and software/firmware updates are implemented promptly to prevent exploitation.

“Patching is a critical component of preventive maintenance for computing technologies—a cost of doing business, and a necessary part of what organizations need to do in order to achieve their missions,” explained NCCoE. “It helps prevent compromises, data breaches, operational disruptions, and other adverse events.”

While the importance of prompt patching is well understood by IT, security, and technology management, the importance and value of patching is typically less well understood by organizations’ business and mission owners. Despite vulnerabilities being regularly exploited by threat actors, many organizations either cannot or do not adequately patch. One of the main issues is the sheer number of patches and software/firmware upgrades that need to be performed and the time it takes to fully test patches before deployment and apply those patches across the entire organization. Many organizations also struggle with the prioritization of patching and fail to ensure that the most serious vulnerabilities are patched first.

NCCoE worked closely with cybersecurity technology providers to develop guidance – Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology (SP-800-40) and Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways (SP-1800-31) – to help enterprises with patch management planning and implementation. The guidance documents discuss the challenges organizations need to overcome with patch management and recommend a strategy that can be adapted to simplify and operationalize patching to improve the reduction of risk.

By following the patch management guidance, organizations can ensure effective preventive maintenance to reduce the risk of data breaches, disruption to business processes, and other adverse security events.

Image Source: J. Stoughton/NIST

The post NCCoE Releases Final Guidance on Effective Enterprise Patch Management appeared first on HIPAA Journal.

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has released a Request for information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for a methodology to be established by the HHS for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security practices that are being implemented to safeguard electronic protected health information by HIPAA-compliant entities, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like to be clarified by OCR, either through further rulemaking or guidance, and suggestions on the action that should initiate the beginning of the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is the HITECH Act has no definition of harm. OCR is seeking comment on the types of “harms” that should be considered when distributing a percentage of SMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.

The post OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals appeared first on HIPAA Journal.