Healthcare Cybersecurity

Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned organizations in the United States about the increased risk of cyberattacks over Thanksgiving weekend.

Cyber threat actors are often at their most active during holidays and weekends, as there are likely to be fewer IT and security employees available to detect attempts to breach networks. Recent attacks have demonstrated that holiday weekends are prime time for cyber threat actors, with Las Vegas Cancer Center one of the most recent victims of such an attack, on the Labor Day weekend.

The warning applies to all organizations and businesses, but especially critical infrastructure firms. Cyber actors around the world may choose Thanksgiving weekend to conduct attacks to disrupt critical infrastructure and conduct ransomware attacks.

CISA and the FBI are urging all entities to take steps to ensure risk is effectively mitigated ahead of the holiday weekend to help prevent them from becoming the next victim of a costly cyberattack.

Steps that should be taken immediately include reviewing current cybersecurity measures and ensuring that cybersecurity best practices are being followed. Multi-factor authentication should be activated on all remote and administrative accounts, default passwords should be changed, and strong passwords set on all accounts, with steps taken to ensure passwords are not reused elsewhere.

Remote Desktop Protocol (RDP) is commonly targeted by threat actors, as are other remote access services. It is important to ensure that RDP and remote access services are secured, and connections are monitored. If remote access is not required, these services should be disabled.

Phishing is commonly used to gain access to networks. It is important to remind employees to exercise caution with email, never to click on suspicious links in messages, and never to open attachments in unsolicited emails. Phishing scams often spoof trusted entities such as charities, well-known brands, vendors, and work colleagues, and phishing campaigns are conducted in large numbers at this time of year targeting holiday season shoppers, especially in the run-up to Black Friday and Cyber Monday. Over the next couple of days, it is wise to conduct exercises to raise awareness of security risks.

All staff members will likely want to have time off over Thanksgiving weekend, but it is important to identify IT security employees who can be available to surge into action should a security incident or ransomware attack occur. Prompt action can greatly reduce the severity and cost of a cyberattack.

It is also recommended to review and update incident response and communication plans to ensure they will be effective in the event of a cyberattack. This month, CISA issued new cybersecurity incident and vulnerability response playbooks to help federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities; however, they can be used by all businesses for developing cybersecurity incident and vulnerability response plans.

Mitigations and cybersecurity best practices that can be adopted to reduce risk are detailed in the previously released CISA alert – Ransomware Awareness for Holidays and Weekends.

The post Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend appeared first on HIPAA Journal.

HHS Warns Healthcare Sector About Risk of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning the healthcare and public health sector about an increase in financially motivated zero-day attacks, outlining mitigation tactics that should be adopted to reduce risk to a low and acceptable level.

A zero-day attack leverages a vulnerability for which a patch has yet to be released. The vulnerabilities are referred to as zero-day, as the developer has had no time to release a patch to correct the flaw.

Zero-day attacks are those where a threat actor has exploited a zero-day vulnerability using a weaponized exploit for the flaw. Zero-day vulnerabilities are exploited in attacks on all industry sectors and are not only a problem for the healthcare industry. For instance, in 2010, exploits were developed for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to self-destruct.

More recently in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. While it would normally be necessary for an individual to take additional actions after opening a malicious email attachment for malware to be downloaded, by including an exploit for a zero-day vulnerability the threat actors were able to install the Dridex banking Trojan if an individual simply opened an infected email attachment. A zero-day vulnerability was also exploited this year in the 2021 SonicWall ransomware attacks. The vulnerability was identified by the UNC2447 threat group and was exploited to deliver FiveHands ransomware.

The very nature of zero-day vulnerabilities means it is not possible to eliminate risk entirely, as software developers need to develop patches to fix the vulnerabilities, but strategies can be adopted to reduce the potential for zero-day vulnerabilities to be exploited.

The number of detected exploits for zero-day vulnerabilities more than doubled between 2019 and 2021. This is, in part, due to the high value of exploits for zero-day flaws. The price paid for working exploits rose by more than 1,150% between 2018 and 2021. While the market for zero-day exploits was once limited to a handful of groups with deep pockets, there are now many threat actors with considerable resources that are willing to pay, as they know they can make their money back many times over by using the exploits in their attacks. Now, an exploit for a zero-day vulnerability could be worth more than $1 million.

Zero-day attacks specifically conducted against the healthcare sector are a very real possibility. In August this year, a zero-day vulnerability dubbed PwnedPiper was identified in the pneumatic tube systems used in hospitals to transport biological samples and medications. The vulnerability was identified in the control panel, which would allow unsigned firmware updates to be applied. An attacker could exploit the flaw and take control of the system and deploy ransomware.

In August 2020, four zero-day vulnerabilities were identified that exposed OpenClinic patients’ test results. Unauthenticated attackers could successfully request files containing sensitive documents from the medical test directory, including medical test results.

The best defense against zero-day vulnerabilities is to patch promptly, but patching is often slow, especially in healthcare. In 2019, a survey conducted by the Ponemon Institute revealed the average time to apply, test, and deploy a patch for a zero-day vulnerability was 97 days after the patch was released.

The advice of HC3 is to “patch early, patch often, patch completely.” HC3 provides up-to-date information on actively exploited zero-days and the available patches to fix zero-day flaws. HC3 also suggests implementing a web-application firewall to review incoming traffic and filter out malicious input, as this can prevent threat actors from gaining access to vulnerable systems. It is also recommended to use runtime application self-protection (RASP) agents, which sit inside applications’ runtime and can detect anomalous behavior. Segmenting networks is also strongly recommended.

The TLP:WHITE Zero-Day Threat Brief is available for download from HC3.


Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Five vulnerabilities have been identified that affect the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBridge EC 40 and EC 80 Hub

Two vulnerabilities have been identified that affect C.00.04 and prior versions of the IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of the vulnerabilities could allow an unauthorized individual to execute software, change system configurations, and update/view files that may include unidentifiable patient data.

The first vulnerability is due to the use of hard-coded credentials – CVE-2021-32993 – in the software for its own inbound authentication, outbound communication to external components, or the encryption of internal data. The second vulnerability is an authentication bypass issue – CVE-2021-33017. While the standard access path of the product requires authentication, an alternative path has been identified that does not require authentication.

Both vulnerabilities have been assigned a CVSS v3 severity score of 8.1 out of 10.

Philips has not yet issued an update to correct the vulnerabilities but expects to fix the flaws by the end of the year. In the meantime, Philips recommends only deploying the products within Philips authorized specifications, and only using Philips-approved software, software configuration, system services, and security configurations. The devices should also be logically or physically isolated from the hospital network.

Patient Information Center iX and Efficia CM Series Patient Monitors

Three vulnerabilities have been identified that affect the Philips Patient Information Center iX and Efficia CM series patient monitors. The flaws could be exploited to gain access to patient data and to conduct a denial-of-service attack. While exploitation has a low attack complexity, the flaws could only be exploited via an adjacent network.

The vulnerabilities affect the following Philips products:

  • Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
  • Efficia CM Series: Revisions A.01 to C.0x and 4.0

Vulnerable versions of the PIC iX do not adequately validate input to determine whether the input has the properties to be processed safely and correctly. The vulnerability is tracked as CVE-2021-43548 and has been assigned a CVSS severity score of 6.5 out of 10.

A hard-coded cryptographic key has been used which means it is possible for encrypted data to be recovered from vulnerable versions of the PIC iX. The flaw is tracked as CVE-2021-43552 and has a CVSS score of 6.1.

A broken or risky cryptographic algorithm means sensitive data may be exposed in communications between PIC iX and Efficia CM Series patient monitors. The vulnerability is tracked as CVE-2021-43550 and has a CVSS score of 5.9.

CVE-2021-43548 has been remediated in PIC iX C.03.06 and updates to fix the other two vulnerabilities are due to be released by the end of 2022.

To reduce the potential for exploitation of the vulnerabilities, the products should only be used in accordance with Philips authorized specifications, which include physically or logically isolating the devices from the hospital local area network, and using a firewall or router that can implement access control lists restricting access in and out of the patient monitoring network to only the necessary ports and IP addresses.
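The access-control-list recommendation above is easiest to reason about as a default-deny allow-list: every flow in or out of the monitoring network must match an explicit rule, and a rule that names "any" source or destination defeats the isolation. The following Python is an added example, not Philips' configuration or code; the addresses, port numbers and sample flows are all constructed assumptions, chosen only to show the weak any/any setting beside the corrected allow-list and how each is evaluated against traffic.

```python
"""Allow-list ACL check for an isolated patient-monitoring network.

Added example with constructed addresses, ports and flows; none of these values
come from the Philips advisory or from any Philips documentation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None = any destination port
    proto: str             # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def rule(src: str, dst: str, dport: Optional[int] = None, proto: str = "any") -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), dport, proto)


# Constructed topology (assumptions): monitors live on 10.20.0.0/24, the central
# station is 10.20.0.10 and the EHR interface host sits on the hospital LAN at 10.30.0.5.
MONITOR_NET = "10.20.0.0/24"
CENTRAL_STATION = "10.20.0.10/32"
EHR_HOST = "10.30.0.5/32"

# Weak setting: a single any/any rule, which is no isolation at all.
WEAK_ACL = [rule("0.0.0.0/0", "0.0.0.0/0")]

# Corrected setting: only the flows the devices need; the ports are placeholders.
STRICT_ACL = [
    rule(MONITOR_NET, CENTRAL_STATION, 5000, "tcp"),   # monitor -> central station feed
    rule(CENTRAL_STATION, EHR_HOST, 2575, "tcp"),      # central station -> EHR interface
]


def permits(r: Rule, f: Flow) -> bool:
    """True when a single rule matches the flow on source, destination, port and protocol."""
    return (ipaddress.ip_address(f.src) in r.src
            and ipaddress.ip_address(f.dst) in r.dst
            and (r.dport is None or r.dport == f.dport)
            and (r.proto == "any" or r.proto == f.proto))


def evaluate(acl: List[Rule], flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Default deny: a flow passes only if some rule explicitly permits it."""
    allowed = [f for f in flows if any(permits(r, f) for r in acl)]
    denied = [f for f in flows if f not in allowed]
    return allowed, denied


def overly_broad(acl: List[Rule]) -> List[Rule]:
    """Rules that leave source or destination unrestricted and set no port: these
    undo the isolation the vendor guidance asks for and should fail review."""
    return [r for r in acl
            if (r.src.prefixlen == 0 or r.dst.prefixlen == 0) and r.dport is None]


# Constructed traffic: two expected flows and two that isolation should block.
SAMPLE_FLOWS = [
    Flow("10.20.0.31", "10.20.0.10", 5000, "tcp"),   # monitor feed: expected
    Flow("10.20.0.10", "10.30.0.5", 2575, "tcp"),    # EHR interface: expected
    Flow("10.1.5.7", "10.20.0.31", 3389, "tcp"),     # LAN workstation -> monitor RDP
    Flow("203.0.113.9", "10.20.0.10", 80, "tcp"),    # outside address -> central station
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("strict", STRICT_ACL)):
        allowed, denied = evaluate(acl, SAMPLE_FLOWS)
        print(f"{name}: allowed={len(allowed)} denied={len(denied)} "
              f"broad_rules={len(overly_broad(acl))}")
```

Run against the same four sample flows, the weak ACL denies nothing and carries one rule that `overly_broad` flags, while the strict ACL admits only the two device flows and drops the workstation RDP attempt and the outside connection. The same evaluation applied to a firewall export is a cheap way to confirm that a monitoring VLAN really is isolated rather than assumed to be.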

Philips-issued hardware has BitLocker Drive Encryption enabled by default and this should not be disabled. Prior to disposal, NIST SP 800-88 media sanitization guidelines should be followed. Patient information is not included in archives by default, so if archives are exported that contain patient information, the information should be stored securely with strong access controls.


Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warning of ongoing attacks by an Iranian Advanced Persistent Threat (APT) actor on critical infrastructure sectors including the healthcare and public health sector.

Cyber actors known to be associated with the Iranian government have been exploiting vulnerabilities in the Fortinet FortiOS operating system since at least March 2021, and have been leveraging a Microsoft Exchange ProxyShell vulnerability since October 2021 to gain access to targets’ networks.

The attacks appear to be focused on exploiting the vulnerabilities rather than any specific sector. Once the vulnerabilities have been exploited to gain a foothold in networks, the threat actor can perform a range of follow-on operations, which have included data exfiltration and data encryption.

The threat actors are exploiting three vulnerabilities in Fortinet devices – CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 – and CVE-2021-34473 (ProxyShell) in Microsoft Exchange. Patches have been released to fix the flaws that are being exploited, but many organizations have been slow to apply the patches and remain vulnerable.

Post-exploitation, the threat actors use legitimate tools to achieve their objectives, including Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI, WinRAR for archiving data of interest, and FileZilla for transferring files. They are known to modify the Task Scheduler and create new user accounts on domain controllers, servers, workstations, and in Active Directory. In some attacks, the accounts have been given names similar to genuine accounts on the network to reduce the risk of detection. Data of interest has been exfiltrated via File Transfer Protocol (FTP) transfers over port 443.
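Three of the behaviours above leave traces that a defender can hunt for without the advisory's IoCs: a new account whose name is one or two characters away from an existing one, a scheduled task registered by an account that was itself only just created, and an FTP session on TCP/443, which shows plaintext commands or a "220" banner where a TLS handshake record should be. The following Python is an added example, not part of the advisory; the event records, account names and connection samples are constructed, the field names mirror Windows Security log fields (4720 = account created, 4698 = scheduled task created), and the edit-distance threshold is an assumption to tune per environment.

```python
"""Hunt for the post-exploitation pattern described above over constructed data.

Added example, not from the joint advisory. Events are shaped like Windows
Security log fields; names, IPs and payloads are constructed samples.
"""
from typing import Dict, List, Tuple

# Constructed: accounts that existed in the directory before the incident.
KNOWN_ACCOUNTS = ["jsmith", "mjones", "svc_backup", "helpdesk"]

# Constructed Windows Security events (only the fields the checks need).
EVENTS: List[Dict] = [
    {"EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "jsmlth"},
    {"EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "svc_backups"},
    {"EventID": 4720, "SubjectUserName": "hr_admin", "TargetUserName": "newnurse01"},
    {"EventID": 4698, "SubjectUserName": "jsmlth", "TaskName": "\\Maintenance\\SyncTask"},
    {"EventID": 4698, "SubjectUserName": "mjones", "TaskName": "\\Reports\\Nightly"},
]

# Constructed connection records: destination port plus the first payload bytes of
# the session, as a network sensor or packet capture would expose them.
FLOWS: List[Dict] = [
    {"src": "10.0.5.21", "dst": "198.51.100.7", "dport": 443, "payload": b"USER anonymous\r\n"},
    {"src": "10.0.5.22", "dst": "198.51.100.8", "dport": 443, "payload": b"220 FTP ready\r\n"},
    {"src": "10.0.5.23", "dst": "203.0.113.40", "dport": 443, "payload": b"\x16\x03\x01\x02\x00"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_accounts(events: List[Dict], known: List[str],
                       max_distance: int = 2) -> List[Tuple[str, str]]:
    """Newly created accounts (4720) whose name is within max_distance edits of an
    existing account without being identical: the 'similar to genuine accounts' trick."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4720:
            continue
        new = ev["TargetUserName"].lower()
        best = min(known, key=lambda k: levenshtein(new, k.lower()))
        d = levenshtein(new, best.lower())
        if 0 < d <= max_distance:
            hits.append((ev["TargetUserName"], best))
    return hits


def tasks_by_new_accounts(events: List[Dict]) -> List[Tuple[str, str]]:
    """Scheduled tasks (4698) registered by an account that was created (4720) in the
    same log window: a brand-new account that immediately persists is high-signal."""
    created = {ev["TargetUserName"].lower() for ev in events if ev["EventID"] == 4720}
    return [(ev["SubjectUserName"], ev["TaskName"]) for ev in events
            if ev["EventID"] == 4698 and ev["SubjectUserName"].lower() in created]


def non_tls_on_443(flows: List[Dict]) -> List[str]:
    """Destinations of TCP/443 sessions whose first bytes are not a TLS record header
    (content type 0x16 = handshake, version major 0x03). Plaintext FTP over 443
    shows up as an ASCII command or a '220' banner instead."""
    return [f["dst"] for f in flows
            if f["dport"] == 443 and not f["payload"].startswith(b"\x16\x03")]


if __name__ == "__main__":
    print("look-alike accounts:", lookalike_accounts(EVENTS, KNOWN_ACCOUNTS))
    print("tasks by new accounts:", tasks_by_new_accounts(EVENTS))
    print("non-TLS on 443:", non_tls_on_443(FLOWS))
```

On the constructed data the first check pairs `jsmlth` with `jsmith` and `svc_backups` with `svc_backup` while leaving `newnurse01` alone, the second surfaces the task registered by `jsmlth`, and the third reports the two destinations that received FTP rather than TLS on port 443. None of these rules is proof of compromise on its own; their value is that they are cheap to run continuously and that two of them firing for the same account or host is worth an analyst's time.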

The alert provides Indicators of Compromise (IoCs) for organizations using Fortinet devices and/or Microsoft Exchange, and several mitigations that will reduce the risk of compromise, the most important of which is to apply the patches to fix the above vulnerabilities as soon as possible.


82% Of Healthcare Organizations Have Experienced an IoT Cyberattack in the Past 18 Months

A new study conducted by Medigate and CrowdStrike has highlighted the extent to which healthcare Internet of Things (IoT) devices are being targeted by threat actors and warns about the worrying state of IoT security in the healthcare industry.

The number of IoT devices being used in healthcare has increased significantly in recent years as connected health drives a revolution in care delivery. Healthcare providers are increasingly reliant on IoT devices to perform a range of essential functions, and while the devices offer huge clinical benefits, full consideration should be given to cybersecurity.

Cyber threat actors have disproportionately targeted healthcare organizations for many years due to the high value of healthcare data, the ease at which it can be monetized, and the relatively poor cybersecurity defenses in healthcare compared to other industry sectors. The rapid adoption of IoT devices has resulted in a major increase in the attack surface which gives cyber actors even more opportunities to conduct attacks. Further, IoT devices often have weaker cybersecurity controls than other devices and can provide an easy entry point into healthcare networks.

The study included a survey of healthcare organizations to determine what threats they have faced over the past 18 months. 82% of surveyed healthcare organizations said they have experienced at least one form of IoT cyberattack in the past 18 months, with 34% of respondents saying the attack involved ransomware. The situation is likely to get worse as the number of IoT devices in healthcare grows. According to the report, spending on connected medical devices has been predicted to increase at a CAGR of 29.5% through 2028.

One of the main problems with securing IoT devices is a lack of visibility into all connected devices, which is especially poor in the healthcare industry. IoT security risks can be managed and reduced to a low and acceptable level, but if healthcare organizations do not have visibility into the IoT devices that connect to the network, essential security enforcement systems will not be able to perform at the required levels.

Healthcare organizations need to have a clear picture of the security posture of each device and be aware of network status, location, and device utilization. There could be 100 or more devices in use, so keeping track of those devices and the security status of each can be a major challenge and will only get worse as the number of devices increases.

The researchers make several recommendations about improving IoT security, including endpoint detection and response (EDR), orchestrated visibility, and network segmentation to allow attacks to be easily contained. It is also important to ensure insurance policies have sufficient coverage.

“HDOs must have an intimate understanding of their entire connected landscapes, otherwise, threat intelligence cannot be accurately processed or correlated to the right devices, and remediations will not deliver the desired impact,” explained the researchers. “Processes that continuously improve visibility and its orchestration, EDR, and containment capability must be in place, or these additional defense layers cannot perform at their highest intended levels.”

In order to scale the delivery of connected health, the researchers say security and asset management practices must converge. The researchers recommend creating a common reference foundation, “not only to modernize existing infrastructure where possible but to ensure the performance of future investments in layered capabilities.”


Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations.

The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients to obtain their views on cybersecurity and data breaches in healthcare.

The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months.

Ransomware attacks were viewed as a cause of concern by 13% of IT security pros, indicating most are confident that they will be able to recover data in the event of an attack. However, data breaches that result in the loss of patient data were a major worry, with 52% of IT pros rating data loss as a top concern. Attacks on hospital operations were rated as a major concern by 23% of healthcare IT pros.

Defending against cyberattacks is becoming increasingly difficult due to the expanding attack surface. Armis says there are now 430 million connected healthcare devices worldwide, and that number is continuing to rise. When asked about the riskiest systems and devices, building systems such as HVAC were the biggest concern with 54% of IT professionals rating them as a major cybersecurity risk. Imaging machines were rated as among the riskiest by 43% of respondents, followed by medication dispensing equipment (40%), check-in kiosks (39%), and vital sign monitoring equipment (33%). While there is concern about the security of these systems and medical devices, 95% of IT professionals said they thought their connected devices and systems were patched and running the latest software.

The increase in cyberattacks on the healthcare sector is influencing healthcare decisions. 75% of IT professionals said recent attacks have had a strong influence on decision making and 86% of respondents said their organization had appointed a CISO; however, only 52% of respondents said their organization was allocating more than sufficient funds to cover IT security.

The survey of patients revealed a third had been the victim of a healthcare cyberattack, and while almost half of patients (49%) said they would change healthcare provider if it experienced a ransomware attack, many patients are unaware of the extent of recent cyberattacks and how frequently they are now being reported. In 2018, healthcare data breaches were reported at a rate of 1 per day. In the past year, there have been 7 months when data breaches have been reported at a rate of more than 2 per day.

Despite extensive media reports about healthcare data breaches and vulnerabilities in medical devices, 61% of potential patients said they had not heard about any healthcare cyberattacks in the past two years, clearly showing many patients are unaware of the risk of ransomware and other cyberattacks. However, patients are aware of the impact those attacks may have, with 73% of potential patients understanding a cyberattack could impact the quality of care they receive.

When potential patients were asked about their privacy concerns, 52% said they were worried a cyberattack would shut down hospital operations and would potentially affect patient care, and 37% said they were concerned about the privacy of information accessible through online portals.

There certainly appear to be trust issues, as only 23% of potential patients said they trusted their healthcare provider with their sensitive personal data. By comparison, 30% said they trusted their best friend with that information.


Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities

13 vulnerabilities have been identified in the Siemens Nucleus RTOS TCP/IP stack that could potentially be exploited remotely by threat actors to achieve arbitrary code execution, conduct a denial-of-service attack, and obtain sensitive information.

The vulnerabilities, dubbed NUCLEUS:13, affect the TCP/IP stack and related FTP and TFTP services of the networking component (Nucleus NET) of the Nucleus Real-Time Operating System (RTOS), which is used in many safety-critical devices. In healthcare, Nucleus is used in medical devices such as anesthesia machines and patient monitors.

One critical vulnerability has been identified that allows remote code execution which has a CVSS v3 severity score of 9.8 out of 10. Ten of the vulnerabilities are rated high severity flaws, with CVSS scores ranging from 7.1 to 8.8. There are also two medium-severity flaws with CVSS scores of 6.5 and 5.3.

The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance provided by researchers at Medigate.

The vulnerabilities affect the following Nucleus RTOS products:

  • Capital VSTAR: All versions
  • Nucleus NET: All versions
  • Nucleus ReadyStart v3: All versions prior to v2017.02.4
  • Nucleus ReadyStart v4: All versions prior to v4.1.1
  • Nucleus Source Code: All versions

Identifying where vulnerable code has been used is a challenge. The researchers attempted to estimate the impact of the vulnerabilities based on evidence collected from the official Nucleus website, the Shodan search engine, and the Forescout device cloud. Healthcare is the worst affected industry, with 2,233 vulnerable devices. 1,066 government devices were identified as vulnerable, with other vulnerable devices found in retail (348), financial (326), and manufacturing (317), and 1,176 vulnerable devices found in other industry sectors. 76% of the vulnerable devices are used for building automation, 13% are used in operational technology, 4% for networking, 5% for IoT, and 2% were computers running Nucleus.

The vulnerabilities were reported to Siemens under responsible disclosure guidelines and Siemens has made patches available to fix all of the identified vulnerabilities. Siemens said some of the flaws had been identified and addressed in previously released versions, but no CVEs were issued.

Applying patches to fix the vulnerabilities can be a challenge, especially for embedded devices and those of a mission-critical nature, such as devices used in healthcare settings.

If patches cannot be applied, Forescout and Siemens recommend implementing mitigating measures to reduce the potential for exploitation. Siemens recommends protecting network access to devices with appropriate mechanisms and ensuring the devices operate within protected IT environments that have been configured in accordance with Siemens’ operational guidelines.

Forescout has released an open-source script that uses active fingerprinting to detect devices running Nucleus for discovery and inventory purposes. After identifying devices, Forescout recommends enforcing segmentation controls and practicing proper network hygiene, including restricting external communication paths and isolating or containing vulnerable devices in zones until they can be patched.

In addition, all network traffic should be monitored for malicious traffic and progressive patches released by vendors of affected devices should be monitored. A remediation plan should be developed for all vulnerable assets that balances risk with business continuity requirements.

Specific mitigations recommended by Forescout are detailed in a table in the original post. [Table image not reproduced: "Nucleus 13 Mitigations recommended by Forescout."]


DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States.

Ukrainian national, Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses.

Russian national, Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin.

The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat actors are believed to reside in Russia, where there is no extradition treaty, so there is little chance of them facing justice unless they leave Russia.

International arrest warrants have been issued for both individuals and Vasinskyi was arrested in October at the Polish border. Poland signed an extradition treaty with the United States in 1996 and the U.S. is currently seeking Vasinskyi’s extradition. Polyanin has yet to be apprehended.

“Ransomware can cripple a business in a matter of minutes. These two defendants deployed some of the internet’s most virulent code, authored by REvil, to hijack victim computers,” said Acting U.S. Attorney Chad E. Meacham for the Northern District of Texas. “In a matter of months, the Justice Department identified the perpetrators, effected an arrest, and seized a significant sum of money. The Department will delve into the darkest corners of the internet and the furthest reaches of the globe to track down cybercriminals.”

State Department Offers $10 Million Reward for Information on Leaders of REvil and DarkSide Ransomware Operations

Individuals with information about Polyanin, other leaders of the REvil and DarkSide ransomware groups, or affiliates who conducted attacks, are being encouraged to come forward. The U.S. State Department has announced a reward of up to $10 million for information that leads to the identification or location of leaders of the REvil/DarkSide ransomware groups, with up to $5 million paid for information that leads to the arrest and conviction of any individual who conspired to participate or attempted to participate in a REvil/DarkSide ransomware attack. The size of the rewards being offered for information clearly shows how focused the United States is on bringing ransomware threat actors to justice.

The pressure being put on ransomware gangs appears to be having some effect. Chris Inglis, U.S. National Cyber Director, recently told House lawmakers that there has been a discernible decrease in Russia-based cyberattacks, and the DoJ says it expects there to be several more arrests in relation to the REvil and DarkSide ransomware attacks in the coming weeks.

Global Law Enforcement Effort Results in Multiple Arrests

The United States is not the only country to be laser-focused on bringing ransomware threat actors to justice. An international law enforcement operation dubbed GoldDust involving 17 nations has recently resulted in the arrest of 7 hackers believed to be involved in the REvil and GandCrab ransomware operations. The Europol, Eurojust, and INTERPOL-coordinated operation saw three individuals arrested in South Korea, two in Romania, one in Kuwait, and one in an unnamed European country, with the latest takedown occurring on November 4 in Romania and Kuwait.

The three individuals in South Korea were previously arrested in February, April, and October for their role in the GandCrab ransomware attacks; GandCrab is believed to be the predecessor of REvil/Sodinokibi. The GoldDust operation has been active since 2018 and was launched in response to the GandCrab ransomware attacks.

The previous week, Europol announced 12 individuals had been arrested in raids in Ukraine and Switzerland over their suspected involvement in attacks involving LockerGoga and other ransomware. Those individuals are believed to have had specialist roles in various stages of the attacks, from infiltration to cashing out and laundering millions in ransom payments.

In September, a French National Gendarmerie, Ukrainian National Police, Europol, and INTERPOL operation resulted in the arrest of 2 individuals suspected to be members of two prolific ransomware operations. That operation also saw $375,000 in cash and luxury vehicles seized, and the asset freezing of $1.3 million in cryptocurrency.

In addition, a 30-month operation, dubbed Operation Cyclone, which involved law enforcement agencies in multiple countries, resulted in the arrest of 6 individuals believed to be involved in the Clop ransomware operation, with those arrests occurring in June 2021. The operation saw searches conducted at 20 locations and resulted in the seizure of $185,000 in cash and computer equipment suspected of having been used to conduct the attacks. The Clop ransomware gang had conducted many attacks in the United States, including those on the University of Colorado, Stanford Medicine, University of California, and the University of Maryland Baltimore.

While these arrests will cause some disruption to the activities of ransomware gangs, they represent just a fraction of the individuals involved in ransomware attacks, many of whom can be easily replaced. The core members of the ransomware operations are believed to reside in Russia where they remain untouchable.


HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors.

Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector.

Cobalt Strike can be used for reconnaissance to gain valuable information about the target infrastructure, allowing threat actors to determine the best use of their time when attacking healthcare networks. The system profiler function can be used to discover the client-side applications used by a target, along with their version information. The system profiler starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, gathers reconnaissance data from the web log and the applications it discovers, and reports the collected information on targets.

Cobalt Strike includes a spear phish tool that can be used to create and send fake emails using arbitrary message templates. If a message is imported, Cobalt Strike will replace links/text and create and send convincing phishing emails and track users that click.

The Beacon tool is used to discover client-side applications and their versions, supports the loading of malleable command-and-control profiles, uses HTTP, HTTPS, or DNS to egress a network, and uses named pipes over SMB to control Beacons peer-to-peer for covert communications. Beacon can also be used for post-exploitation and can execute PowerShell scripts, log keystrokes, take screenshots, download files, and spawn other malicious payloads. Cobalt Strike also includes attack packages that allow attacks to progress through their many stages and has the capability to transform innocent files into Trojan horses.

Cobalt Strike uses browser pivoting, which can be used to bypass two-factor authentication and access sites as the target. Cookies, authenticated HTTP sessions, and client SSL certificates can be leveraged to hijack a compromised user’s authenticated web sessions. Using the Cobalt Strike team server, attackers can share data, communicate in real time, and take full control of compromised systems.

Cobalt Strike is a powerful penetration testing tool, and since it is an entire framework, it has many more capabilities than most malware variants. That makes it a valuable tool for black hat hackers, and many nation-state hacking groups and cybercriminal organizations have been using Cobalt Strike in attacks on the healthcare sector in the United States.

Given the extent to which the framework is used in cyberattacks, healthcare organizations should work on the assumption that Cobalt Strike will be used in an attack and should therefore focus on prevention and detection strategies and follow the MITRE D3FEND framework.

Cobalt Strike is delivered by many different infection vectors, so defending against attacks can be difficult. There is also no single containment technique that is effective against the framework as a whole.

Cobalt Strike is often delivered via malware downloaders such as BazarLoader, which are often delivered using phishing emails containing malicious Office files. It is therefore important to implement advanced email security defenses that can block phishing threats and provide ongoing security awareness training to the workforce to teach employees to identify malicious messages containing malware downloaders such as BazarLoader.

Threat actors often exploit known vulnerabilities in software and operating systems to gain access to healthcare networks. It is therefore important to ensure a full inventory of devices and software is maintained, and patches or other mitigating measures are implemented to address vulnerabilities promptly. Healthcare organizations should also improve their defenses against attacks abusing their remote access capabilities.

Detecting Cobalt Strike once installed can be a challenge. HC3 recommends using signatures for intrusion detection and endpoint security systems, along with YARA rules. Further information can be found in the HC3 Cobalt Strike White Paper.
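One concrete detection signal for the SMB/named-pipe Beacon communication described above, as an added example that is not part of the HC3 brief or this article: a small Python check that flags pipe-creation events whose pipe names match Cobalt Strike's documented default Beacon pipe names. The log layout is a constructed, simplified key=value rendering of Sysmon pipe events (Event ID 17/18, not real Sysmon XML), and the default names are assumed from Cobalt Strike's public Malleable C2 documentation; operators can rename them, so this catches only unmodified deployments and should be one signal among several.

```python
import re

# Documented default Beacon pipe names (assumed from Cobalt Strike's public
# Malleable C2 docs): msagent_<hex>, postex_<hex>, postex_ssh_<hex>,
# status_<hex>, MSSE-<decimal>-server. Anchored to the whole pipe name.
DEFAULT_PIPE_PATTERNS = [
    re.compile(r"^\\msagent_[0-9a-f]{1,4}$", re.I),
    re.compile(r"^\\postex_(ssh_)?[0-9a-f]{1,8}$", re.I),
    re.compile(r"^\\status_[0-9a-f]{1,4}$", re.I),
    re.compile(r"^\\MSSE-\d{1,4}-server$", re.I),
]

# Simplified key=value line layout used by the constructed sample below.
LINE_RE = re.compile(r"EventID=(?P<eid>\d+)\s+PipeName=(?P<pipe>\S+)\s+Image=(?P<image>.+)$")


def parse_pipe_event(line):
    """Return a dict for Sysmon pipe events (ID 17 created, 18 connected), else None."""
    m = LINE_RE.search(line.strip())
    if not m or m.group("eid") not in ("17", "18"):
        return None
    return {"eid": int(m.group("eid")), "pipe": m.group("pipe"), "image": m.group("image")}


def is_default_beacon_pipe(pipe_name):
    """True when the pipe name matches one of the default Beacon patterns."""
    return any(p.match(pipe_name) for p in DEFAULT_PIPE_PATTERNS)


def find_suspicious_pipes(lines):
    """Return (pipe, creating image) pairs for events worth an analyst's look."""
    hits = []
    for line in lines:
        ev = parse_pipe_event(line)
        if ev and is_default_beacon_pipe(ev["pipe"]):
            hits.append((ev["pipe"], ev["image"]))
    return hits


# Constructed sample events: two default Beacon pipes, a legitimate browser
# pipe, a non-pipe event carrying a pipe-like name, and a normal system pipe.
SAMPLE_LOG = [
    "EventID=17 PipeName=\\msagent_2f Image=C:\\Windows\\System32\\rundll32.exe",
    "EventID=17 PipeName=\\mojo.5688.8052.1838949 Image=C:\\Program Files\\Chrome\\chrome.exe",
    "EventID=18 PipeName=\\MSSE-1337-server Image=C:\\Users\\Public\\update.exe",
    "EventID=1 PipeName=\\postex_1a2b Image=C:\\notapipeevent.exe",
    "EventID=17 PipeName=\\lsass Image=C:\\Windows\\System32\\lsass.exe",
]

if __name__ == "__main__":
    for pipe, image in find_suspicious_pipes(SAMPLE_LOG):
        print(f"default Cobalt Strike pipe name {pipe} created by {image}")
```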
