The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about escalating Conti ransomware attacks. CISA and the FBI have observed Conti ransomware being used in more than 400 cyberattacks in the United States and globally.

Like many ransomware gangs, prior to deploying Conti ransomware the gang exfiltrates data from victims’ networks. A ransom demand is issued along with a threat to publish the stolen data if the ransom is not paid. The developers of Conti ransomware run a ransomware-as-a-service operation, where affiliates are recruited to conduct attacks. Under this model, affiliates usually receive a percentage of any ransoms they generate. Conti appears to operate slightly differently, where affiliates are paid a wage to conduct attacks.

A variety of methods are used to gain access to victims’ networks. Spear phishing emails are common, where malicious attachments such as Word documents with embedded scripts are used as malware droppers. Typically, a malware variant such as TrickBot or IcedID is downloaded which gives the attackers access to victims’ networks. The attackers then move laterally within the compromised network, identify data of interest, then exfiltrate the data before deploying the Conti ransomware payload.

Brute force attacks are often conducted to guess weak Remote Desktop Protocol (RDP) credentials, vulnerabilities in unpatched systems are exploited, and search engine poisoning has been used to get malicious sites appearing in the search engine listings offering fake software. Malware distribution networks such as Zloader have been used, and attacks have been conducted where credentials have been obtained through telephone calls (vishing).

CISA and the FBI have observed legitimate penetration testing tools being used to identify routers, cameras, and network-attached storage devices with web interfaces that can be brute forced and legitimate remote monitoring and management software and remote desktop software have been used as backdoors to maintain persistence on victim networks. The attackers use tools such as Windows Sysinternals and Mimikatz to escalate privileges and for lateral movement.

Vulnerabilities known to be exploited include ZeroLogon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and the vulnerabilities in Microsoft Windows Server Message Block that were exploited in the WannaCry ransomware attacks in 2017.

Because a variety of tactics, techniques, and procedures are used to gain access to victim networks, there is no single mitigation that can be implemented to prevent attacks. CISA and the FBI recommend the following mitigations to improve defenses against Conti ransomware attacks:

• Use multi-factor authentication
• Implement network segmentation and filter traffic
• Scan for vulnerabilities and keep software updated
• Remove unnecessary applications and apply controls
• Implement endpoint and detection response tools
• Limit access to resources over the network, especially by restricting RDP
• Secure user accounts
• Ensure critical data are backed up, with backups stored offline and tested to ensure file recovery is possible

The post CISA and FBI Warn About Escalating Conti Ransomware Attacks appeared first on HIPAA Journal.

The health and public health sector is facing an elevated risk of ransomware attacks by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation, according to the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services.

The BlackMatter threat group emerged in July 2021 shortly after the DarkSide and Sodinokibli/REvil ransomware gangs shut down their operations. The Russian speaking threat group is believed to originate in Eastern Europe and has conducted many attacks over the past couple of months in Brazil, Chile, India, Thailand, and the United States. The group also started leaking data stolen in attacks on its data leak site on August 11, 2021.

The threat group has mostly conducted ransomware attacks on companies in the real estate, food and beverage, architecture, IT, financial services, and education sectors, and while the ransomware gang has publicly stated it would not attack hospitals, critical infrastructure companies, nonprofits, government, and defense contractors, there is concern that attacks may still occur.

The threat group said in its sales pitch for affiliates that its ransomware incorporates the best features of the DarkSide, Lockbit 2.0 and Sodinokibi/REvil ransomware variants, and a technical analysis of the ransomware found several similarities between both DarkSide and Sodinokibi/REvil ransomware variants suggesting the gang has links with those operations.

BlackMatter said its affiliates are not permitted to attack hospitals, and should any hospital or nonprofit company be attacked, they can make contact and request free decryption. The threat group also said “We will not allow our project to be used to encrypt critical infrastructure that will attract unwanted attention to us.” There is of course no guarantee that an attack would not still occur nor that a free decryptor would be provided. As HC3 warmed, “these details are what BlackMatter claims to be, and may not be accurate,” and the DarkSide and Sodinokibi/REvil ransomware variants have both been used in attacks on the health and public health sector.

The threat group is actively seeking initial access brokers (IABs) that can provide access to corporate networks, as well as affiliates to conduct attacks. IABs often sell compromised RDP credentials, VPN login credentials, and web shells, which provide ransomware gangs with the access they need to conduct attacks.

According to HC3, there have been “at least 65 instances of threat actors selling network access to healthcare entities on hacking forums in the past year.” An analysis of 1,000 forum posts selling network access in the past 12 months found the United States was the worst affected country, and 4% of breached entities were in the healthcare industry.

BlackMatter is used in attacks on Windows and Linux systems, encrypts files using Salsa20 and 1024-bit RSA, and attempts to mount and encrypt unmounted partitions. The ransomware encrypts files stored locally, on removable media, and on network shares, and deletes shadow copies to prevent recovery without paying the ransom. Files are also exfiltrated prior to encryption and stolen data have been published on the gang’s leak site to encourage payment of the ransom.

Even if free decryptors are provided, the cost of remediating attack is likely to be significant. It is therefore important for the health and public health sector to take steps to improve defenses to make BlackMatter and other ransomware attacks more difficult.

In the threat brief, HC3 provides cybersecurity best practices that should be adopted to mitigate the BlackMatter threat, which include maintaining offline encrypted backups, regularly testing backups to ensure file recovery is possible, creating, maintaining, and exercising a basic cyber incident response plan and communications plan.

The sector has also been advised to mitigate Internet-facing vulnerabilities and misconfigurations, patch promptly, and conduct regular security awareness training for the workforce and to implement defenses such as spam filters to combat email phishing and social engineering attacks.

The post Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attack appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning to all public and private sector organizations about the increased risk of ransomware attacks at times when offices are normally closed, such as long holiday weekends.

While many employees will be having a long weekend due to Labor Day, this is a time when threat actors are usually highly active. The low staff numbers during holidays and weekends make it less likely that their attacks will be detected and blocked. The CISA and the FBI explained in the warning that they have observed an increase in “highly impactful ransomware attacks occurring on holidays and weekends,” and provided multiple examples of threat actors conducting attacks over holiday weekends in the United States in 2021.

Most recently, the Sodinokibi/REvil ransomware actors conducted an attack on the Kaseya remote monitoring and management tool over the Fourth of July 2021 holiday weekend. The attack affected hundreds of organizations including many managed service providers and their downstream customers.

In May 2021, during the Memorial Day weekend, the same threat actors conducted a ransomware attack on JBS Foods, which affected the company’s food production facilities in the United States, causing all production to stop. JBS Foods paid the $11 million ransom for the keys to decrypt files and prevent the release of data stolen in the attack.

Prior to that, over the Mother’s Day weekend in May, the DarkSide ransomware gang conducted its attack on Colonial Pipeline, which resulted in the fuel pipeline serving the Eastern Seaboard being shut down for a week. Colonial Pipeline paid a $4.4 million ransom payment to accelerate recovery from the attack.

The ransomware threat actors behind the cyberattacks on Kaseya, Colonial Pipeline, and JBS Foods have shut down their operations, but threat actors rarely remain inactive for long. It is common for them to remerge with a new ransomware operation after a period of apparent dormancy. There are also many other ransomware threat actors that are currently highly active that may try to take advantage of the absence of key staff over the holiday weekend.

The ransomware actors behind the Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos ransomware variants have all been active over the course of the past month and attacks involving those ransomware variants have frequently been reported to the FBI over the past 4 weeks.

While neither CISA nor the FBI have discovered any specific threat intelligence to indicate a ransomware or other cyberattack will occur over the Labor Day weekend, based on the attack trends so far this year, there is an increased risk of a major cyberattack occurring.

Consequently, the FBI and CISA are advising security teams to be especially vigilant in the run up to the Labor Day weekend, and to ensure that they are diligent in their network defense practices, engage in preemptive threat hunting on their networks, follow recommended cybersecurity and ransomware best practices, and implement the recommended mitigations to reduce the risk of ransomware and other cyberattacks.

Those mitigations include:

• Make an offline backup copy of data and testing backups to ensure data recovery is possible
• Not clicking on suspicious links in emails
• Secure and monitor RDP connections
• Update operating systems and software and scan for vulnerabilities
• Ensure strong passwords are set
• Ensure multi-factor authentication is implemented
• Secure networks by implementing segmentation, filtering traffic, and scanning ports
• Secure user accounts
• Ensure an incident response plan is developed

Recommended best practices, mitigations, and resources are detailed in the alert, which can be found on this link.

The post FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend appeared first on HIPAA Journal.

Researchers at McAfee Advanced Threat Research (ATR), in conjunction with the medical device cybersecurity firm Culinda, have identified 5 previously unreported vulnerabilities in two widely used models of B. Braun drug infusion pumps.

The devices are used globally in hospitals to treat adult and pediatric patients and automate the delivery of medications and nutrients to patients. They are especially useful for ensuring controlled delivery of critical medication doses.

The flaws in the B. Braun infusion pumps could be exploited by an unauthenticated attacker to change the configuration of the infusion pumps while they are in standby mode, which could result in an unexpected dose of medication being delivered the next time the device is used, potentially causing harm to a patient.

McAfee alerted B.Braun to the vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation on January 11, 2021, and recommended safeguards that should be implemented to prevent the flaws being exploited. In May 2021, B.Braun published information for customers and notified the Health Information Sharing & Analysis Center (H-ISAC) about the flaws and recommended mitigations. The flaws affect infusion pumps running older versions of B.Braun software; however, the researchers explained that “vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation.”

Safeguards have been incorporated into the infusion pumps to prevent attackers from changing doses while the pumps are operational, so it would not be possible for an attacker to change doses as they are being administered. The vulnerabilities can however be exploited while the pumps are idle or on standby, so changes could be made to the function of the devices between infusions.

There have been no reported cases of the vulnerabilities in these or other drug infusion pumps being exploited in the wild, but this is a credible attack scenario and one that could easily be exploited to cause harm to patients. The latest version of B.Braun software blocks the initial network vector of the attack chain, but the flaws have not been totally addressed. An attacker could find another way to gain access to the network to which the devices connect and exploit the flaws. Given the number of ransomware attacks that have been reported in recent months, gaining access to healthcare networks is not proving to be a major challenge for many threat actors.

“Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation,” suggested the researchers.

The researchers believe that many other medical devices could have vulnerabilities that could be exploited to cause harm to patients. Medical devices are designed primary to ensure patient safety, and safeguards are implemented to ensure patient safety is not put at risk; however, it is common for cybersecurity protections to be given less consideration during the design stage. Further, when security flaws are discovered in medical devices, patching is costly. The devices are tightly controlled, so it is not just a case of releasing a patch or automatically updating the devices as would occur with an Internet browser for instance. Patches need to be thoroughly tested, the devices must be taken out of action while updates are applied, and the patches and updates need to be thoroughly tested. It is for this reason that many devices still use legacy versions of software and firmware.

“For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attacks and malicious actors will look for other lower-hanging fruits,” explained the researchers. “Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow’s threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long.”

The post Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps appeared first on HIPAA Journal.