Healthcare Cybersecurity

VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has released patches to correct two high severity vulnerabilities in its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments – vRealize Operations. The flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

CVE-2021-21975 is a server-side request forgery (SSRF) flaw that could be exploited by a remote attacker to abuse the functionality of a server and access or manipulate information that should not be directly accessible. The flaw could be exploited by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint, which would allow the attacker to steal administrative credentials. The vulnerability has been assigned a CVSS score of 8.6 out of 10.

The second vulnerability, tracked as CVE-2021-21983, is an arbitrary file write vulnerability in the vRealize Operations Manager API. The flaw has been assigned a CVSS score of 7.2 out of 10. Exploitation of the vulnerability would allow an attacker to write files to the underlying Photon operating system. An attacker would first need to be authenticated with administrative credentials in order to exploit the vulnerability.

The concern is that both vulnerabilities could be chained together, which would allow an attacker to achieve remote execution of arbitrary code on the vRealize Operations platform. In order to exploit the flaws, an attacker would need to have access to the vRealize Operations Manager API.

VMware has fixed the flaws in vRealize Operations Manager versions 7.5.0 to 8.3.0. Users of the vRealize Operations platform have been advised to update to a secure version of the platform as soon as possible to prevent exploitation of the vulnerabilities.

If it is not possible to update promptly, VMware has offered a workaround which involves removing a configuration line from the casa-security-context.xml file, followed by restarting the CaSA service on the affected device. The flaws were identified by Egor Dimitrenko of security firm Positive Technologies.

The post VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager appeared first on HIPAA Journal.

Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

The Advanced Persistent Threat (APT) group Charming Kitten has been linked to a spear phishing campaign conducted in late 2020 targeting senior professionals at medical research organizations in the United States and Israel by security firm Proofpoint.

Charming Kitten, aka Phosphorus, Ajax, and TA453, is an APT group with links to the Islamic Revolutionary Guard Corps (IRGC) in Iran. Charming Kitten has been active since at least 2014 and is primarily involved in espionage campaigns involving spear phishing attacks and custom malware. The attacks previously linked to the APT group have been on dissidents, academics, and journalists, so the latest spear phishing campaign targeting medical research organizations is a departure from the group’s usual targets.

The phishing campaign, dubbed BadBlood, attempted to steal Microsoft Office credentials and coincided with growing tensions between Iran, the United States, and Israel. It is unclear at this stage whether the targeting of very senior professionals in medical research firms is part of a wider campaign or was simply an outlier event. The researchers suspect the latter, and that the group was attempting to obtain specific types of intelligence.

The campaign was detected in December 2020, around a month after the U.S. Department of Justice seized 27 website domains operated by the IRGC that were being used for covert campaigns attempting to influence events in the United States and other countries.

The spear phishing campaign involved emails from a Gmail account that impersonated a prominent Israeli physicist, Daniel Zajfman. The emails had the subject line “Nuclear weapons at a glance: Israel” and social engineering methods were used to convince the recipients to click a link in the emails and visit a Charming Kitten domain that spoofed Microsoft OneDrive. An image of a PDF file was hosted on the landing page stating that the file could not be opened. Clicking the image directed the individual to a web page with a fake Microsoft Office login prompt that harvested credentials. After credentials were stolen, the victim was redirected to a page containing a document with the same title as the email and content related to that topic.

Proofpoint researchers were unable to determine what Charming Kitten did with the stolen credentials, but they point out that previous phishing campaigns conducted by the group have resulted in the contents of compromised email accounts being exfiltrated by the APT group and the accounts used in further phishing campaigns.

The researchers suggest the attackers’ mission was to gain access to information related to genetics, oncology, and neurology, that they were also seeking access to patient data, and that they wanted to obtain credentials for use in further phishing campaigns. This was a highly targeted campaign that attempted to obtain the credentials of fewer than 25 senior-level staffers at medical research organizations.

“While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” said Proofpoint’s Joshua Miller.

New Report Provides Deep Dive into COVID-19 Themed Phishing Tactics

In early 2020, phishers started to take advantage of the pandemic and switched from their standard lures to a wide variety of pandemic-related themes for their campaigns. To coincide with the one-year anniversary of the pandemic, researchers at the Palo Alto Networks Unit 42 Team analyzed the phishing trends over the course of the past year to review the changes in the tactics, techniques, and procedures (TTPs) of phishers and the extent to which COVID-19 was used in their phishing campaigns.

The researchers analyzed all phishing URLs detected between January 2020 and February 2021 to determine how many had a COVID-19 theme, using specific keywords and phrases related to COVID-19 and other aspects of the pandemic. The researchers identified 69,950 unique phishing URLs related to COVID-19 topics, with almost half of those URLs directly related to COVID-19.

Phishing campaigns were promptly adapted to the latest news and thoughts on the coronavirus and closely mirrored the latest pandemic trends. Following the World Health Organization’s declaration of the pandemic in March 2020 there was a global shortage of personal protective equipment (PPE) and testing kits, and phishing campaigns were launched offering access to stocks. Government stimulus programs were then launched, and phishing campaigns were quickly adapted to include lures related to those programs. For instance, the volume of phishing emails related to COVID-19 online test kits closely followed the popularity of test kit-related searches on Google.

Source: Palo Alto Networks COVID19 Phishing Report

Throughout the pandemic, the websites of genuine vendors of COVID-19 test kits were targeted. Access to the sites was gained and phishing kits were uploaded to steal credentials. In December 2020, when the vaccine rollout started, campaigns switched to vaccine related lures using domains that spoofed vaccine developers such as Pfizer, BioNTech and others. The websites of pharmaceutical companies were targeted and had phishing content added related to vaccines. Between December 2020 and February 2021, vaccine-related phishing scams increased by 530%.

One of the techniques employed by phishers to evade security solutions is a two-step process on their phishing websites that requires the visitor to first click to log in before being presented with the phishing form – a tactic called client-side cloaking. Many anti-phishing solutions will visit the URL linked in an email to assess the content, but will only check the landing page for phishing content. Because the credential form is only served after that click, client-side cloaking makes the malicious content less likely to be detected.
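To show why a landing-page-only scan misses client-side cloaking, and what a scanner that follows the “sign in” click one hop would catch, here is an added example (not code from the Unit 42 report). The phishing-kit pages, their URLs and the domain `docs-share.example.test` are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a phishing kit that uses client-side cloaking:
# the landing page only shows a "sign in to view" link; the credential
# form lives one click away. Keys are URLs, values are the HTML served.
CLOAKED_SITE = {
    "https://docs-share.example.test/": """
        <html><body><h1>A document has been shared with you</h1>
        <p>Sign in to view the file.</p>
        <a href="/auth/signin.php">Sign in to view</a>
        <a href="https://www.example.test/help">Help</a>
        </body></html>""",
    "https://docs-share.example.test/auth/signin.php": """
        <html><body><form method="post" action="/auth/post.php">
        <input name="email"><input type="password" name="pwd">
        <button>Sign in</button></form></body></html>""",
}


class PageFeatures(HTMLParser):
    """Collects the two features the checks below need from one HTML page:
    the outgoing links and whether a password input is present."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True


def fetch(url, site):
    """Stand-in for an HTTP GET against the constructed site (None = 404)."""
    return site.get(url)


def page_features(url, site):
    features = PageFeatures()
    html = fetch(url, site)
    if html is not None:
        features.feed(html)
    return features


def landing_page_check(url, site=CLOAKED_SITE):
    """What a landing-page-only scanner sees: is a credential form present
    on the page the email links to? For a cloaked kit this is False."""
    return page_features(url, site).has_password_field


def two_hop_check(url, site=CLOAKED_SITE, max_links=10):
    """Follow same-host links one hop, as a victim clicking 'sign in' would.
    Returns the URL where a password field is first found, or None."""
    first = page_features(url, site)
    if first.has_password_field:
        return url
    host = urlparse(url).netloc
    for href in first.links[:max_links]:
        target = urljoin(url, href)
        if urlparse(target).netloc != host:
            continue  # off-host links (e.g. a real help page) are not the kit
        if page_features(target, site).has_password_field:
            return target
    return None
```

The landing page alone scores clean, while the one-hop follow finds the credential form on the sign-in page, which is the gap the report describes.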

The report highlights the opportunistic nature of phishers. They will rapidly change their TTPs in response to new trends and use lures that are likely to get the best response, including changing targets. Between December 2020 and February 2021, phishing attacks targeting pharmacies and hospitals increased by 189% as phishers switched to targeting healthcare employees to steal their credentials.

Throughout the pandemic, Microsoft was the brand most targeted by attackers. More than 23% of COVID-19 phishing URLs targeted Microsoft credentials. Fake Microsoft login pages were set up to steal the Microsoft 365 credentials of employees at pharmaceutical firms and pharmacies. When Microsoft credentials are obtained, they can be used to access email accounts to send phishing emails from genuine pharmacy and pharma company domains, increasing the chance of those emails being delivered and acted upon by the recipients. Targeted companies include Walgreens in the US, Pharmascience in Canada, Glenmark Pharmaceuticals in India, and Junshi Biosciences in China.

Currently, large numbers of phishing emails are being sent related to vaccines and as more individuals try to get themselves and their family members registered for immunization, vaccine-related phishing scams are likely to continue.

“Individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to COVID-19. If it seems too good to be true, it most likely is,” warned the Unit 42 researchers. “Employees in the healthcare industry in particular should view links contained in any incoming emails with suspicion, especially from emails trying to convey a sense of urgency.”

FBI Issues Warning About Mamba Ransomware

An increase in cyberattacks involving Mamba ransomware has prompted the Federal Bureau of Investigation and the Department of Homeland Security to issue a flash alert warning organizations and companies in multiple sectors about the dangers of the ransomware.

In contrast to many ransomware variants that have their own encryption routines, Mamba ransomware has weaponized the open source full disk encryption software DiskCryptor. DiskCryptor is a legitimate encryption tool that is not malicious and is therefore unlikely to be detected as such by security software.

The FBI has not provided any details of the extent to which the ransomware has been used in attacks, which have so far mostly targeted government agencies and transportation, legal services, technology, industrial, commercial, manufacturing, and construction companies.

Several methods are used to gain access to systems to deploy the ransomware, including exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured methods of remote access.

Rather than searching for files with certain extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, rendering all infected devices inoperable. After encryption, a ransom note is displayed that alerts the victim that their drive has been infected and provides an email address for contact, the victim’s ID and hostname, and a place to enter the decryption key to restore the drive.

The Mamba ransomware package includes DiskCryptor, which is unpacked and installed. The system is rebooted after around two minutes to complete the installation, and the encryption routine is started. A second restart will take place around two hours later which completes the encryption routine and displays the ransom note.

It is possible to stop an attack in progress up until the second restart. The encryption key and the shutdown time variable are saved to the configuration file – myConfig.txt – which remains readable until the second restart. After the second restart, myConfig.txt can no longer be accessed and the decryption key will be required to decrypt files. This gives network defenders a short window of opportunity to stop an attack and recover without having to pay the ransom. A list of DiskCryptor files is included in the alert to help network defenders identify attacks in progress; these files should be blacklisted if DiskCryptor is not used in the environment.

The FBI TLP: White Alert also details mitigations that will make it harder for an attack to succeed, to limit the impact of a successful attack, and ensure that systems can be recovered without paying the ransom.

Suggested mitigations include:

  • Backing up data and storing the backups on an air-gapped device.
  • Segmenting networks.
  • Configuring systems to only allow software to be installed by administrators.
  • Patching operating systems, software, and firmware promptly.
  • Implementing multifactor authentication.
  • Maintaining good password hygiene.
  • Disabling unused remote access/RDP ports and monitoring access logs.
  • Only using secure networks and implementing a VPN for remote access.

FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments

State, local, tribal, and territorial (SLTT) governments have been warned they are being targeted by Business Email Compromise (BEC) scammers. In a March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) explained it has observed an increase in BEC attacks on SLTT government entities between 2018 and 2020. Losses to these attacks range from $10,000 to $4 million.

BEC attacks involve gaining access to an email account and sending messages impersonating the account holder with a view to convincing the target to make a fraudulent transaction. The email account is often used to send messages to the payroll department to change employee direct deposit information or to individuals authorized to make wire transfers, to request changes to bank account details or payment methods.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) was notified about 19,369 BEC attacks and losses of almost $1.9 billion were reported. In July 2019, a small city government was scammed out of $3 million after receiving a spoofed email that appeared to be from a contractor requesting a change to their payment method. In December 2019, the email account of a financial coordinator of a government agency of a US territory was compromised and used to send 146 messages to government entities with financial transaction instructions. Many of these requests were queried via email, and the attacker was able to intercept and respond to those messages. In total, $4 million was transferred to the attacker’s account.

In addition to the financial losses, the attacks impair operational capabilities of SLTT government entities, cause reputational damage, and can also result in the loss of sensitive information such as PII, banking information, and employment data.

BEC scammers can easily research targets and can discover SLTT operating information and information about vendors, suppliers, and contractors from public sources. Gaining access to the email accounts is straightforward as the target’s email address is easy to locate, and phishing kits can be purchased cheaply on the darknet for harvesting credentials.

Once an email account is compromised, the writing style of the account holder is copied, and message threads are often hijacked. The scam could involve multiple messages where the target believes they are communicating with the genuine account holder, when they are communicating with the scammer.

The FBI warns that BEC scammers often go for low hanging fruit, and most likely target SLTT government entities with inadequate cybersecurity protocols and take advantage of SLTT government entities that fail to provide sufficient training to the workforce. The move to remote working due to the pandemic has also made it easier for the scammers.

In 2020, CISA conducted phishing simulations of SLTT government entities. Across 152 campaigns consisting of around 40,000 messages, there were around 5,500 unique clicks of fake malicious links, which is a click rate of 13.6%. Such a high click rate suggests security awareness training is failing to teach employees about the risk of email-based attacks and highlights the need for “defense in depth mitigations.”

The FBI suggests ensuring all members of the workforce receive security awareness training that covers BEC attacks and how to identify phishing and other fraudulent emails. Employees must be instructed to carefully check email requests for advance payments, changes to bank account information, or requests for sensitive information. Policies and procedures should be implemented that require any bank account change or transaction request to be verified by telephone using a verified number, not information supplied in emails.

Additional measures that should be considered include phishing simulations, multi-factor authentication on email accounts, blocking of automatic email forwarding, monitoring email Exchange servers for configuration changes, adding banners to emails arriving from external sources, and using email filtering services.
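Two of the measures above, blocking automatic forwarding and watching mailbox configuration, come down to finding the inbox rules and forwarding settings a BEC actor leaves behind to siphon off or hide mail (the $4 million case above relied on intercepting replies). Here is an added example of that triage, not code from the FBI notification: it runs over constructed records whose field names follow the Exchange `Get-InboxRule` and `Get-Mailbox` properties, with every mailbox, domain and rule name invented for the illustration.

```python
import re

# Hypothetical tenant domains; anything else counts as external.
INTERNAL_DOMAINS = {"county.example.gov"}

# Constructed inbox-rule records (field names as in Get-InboxRule output).
INBOX_RULES = [
    {"Mailbox": "finance.coordinator@county.example.gov", "Name": "Sync",
     "ForwardTo": ["smtp:fin.coordinator.backup@mail-example.test"],
     "RedirectTo": [], "DeleteMessage": False, "SubjectContainsWords": []},
    # Classic thread-hijack helper: hide payment-related replies from the owner.
    {"Mailbox": "finance.coordinator@county.example.gov", "Name": "..",
     "ForwardTo": [], "RedirectTo": [], "DeleteMessage": True,
     "SubjectContainsWords": ["wire", "invoice", "bank"]},
    # Benign rule: internal forward of newsletters.
    {"Mailbox": "clerk@county.example.gov", "Name": "Move newsletters",
     "ForwardTo": ["Archive [SMTP:archive@county.example.gov]"],
     "RedirectTo": [], "DeleteMessage": False,
     "SubjectContainsWords": ["newsletter"]},
]

# Constructed mailbox records (field names as in Get-Mailbox output).
MAILBOXES = [
    {"PrimarySmtpAddress": "finance.coordinator@county.example.gov",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
    {"PrimarySmtpAddress": "payroll@county.example.gov",
     "ForwardingSmtpAddress": "smtp:payroll.county@webmail-example.test",
     "DeliverToMailboxAndForward": True},
]

# Subject words that, combined with DeleteMessage, suggest reply hiding.
PAYMENT_WORDS = {"wire", "invoice", "bank", "payment", "ach", "deposit"}

_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def is_external(recipient, internal=INTERNAL_DOMAINS):
    """True if a recipient value ('smtp:a@b' or 'Name [SMTP:a@b]') points
    to a domain outside the tenant. Unparseable values are treated as
    external so they surface for review rather than being ignored."""
    match = _ADDR.search(recipient or "")
    if not match:
        return True
    return match.group().rsplit("@", 1)[-1].lower() not in internal


def audit_inbox_rules(rules, internal=INTERNAL_DOMAINS):
    """Flag rules that send mail out of the tenant or delete payment-themed
    messages. Returns a list of finding dicts."""
    findings = []
    for rule in rules:
        targets = list(rule.get("ForwardTo") or []) + list(rule.get("RedirectTo") or [])
        external = [t for t in targets if is_external(t, internal)]
        if external:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                             "issue": "forwards externally", "detail": external})
        words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
        hidden = sorted(words & PAYMENT_WORDS)
        if rule.get("DeleteMessage") and hidden:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                             "issue": "deletes payment-related mail", "detail": hidden})
    return findings


def audit_mailbox_forwarding(mailboxes, internal=INTERNAL_DOMAINS):
    """Flag mailbox-level forwarding to external addresses, which survives
    even when the user deletes their own inbox rules."""
    findings = []
    for box in mailboxes:
        fwd = box.get("ForwardingSmtpAddress")
        if fwd and is_external(fwd, internal):
            findings.append({"mailbox": box["PrimarySmtpAddress"], "rule": None,
                             "issue": "mailbox-level external forwarding",
                             "detail": [fwd]})
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(INBOX_RULES) + audit_mailbox_forwarding(MAILBOXES):
        print(f"{f['mailbox']}: {f['issue']} ({f['rule'] or 'mailbox setting'}) -> {f['detail']}")
```

Run against a real export, the same logic gives a daily list of mailboxes to confirm with their owners; the benign internal newsletter rule is correctly left out.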

Further measures that can be implemented to prevent and detect BEC attacks are detailed in the FBI Alert.

Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft

The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the U.S. government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond.

Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’, resides in Lucerne, Switzerland and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottmann admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, and Nissan, as well as schools, correctional facilities, and hospitals. Live surveillance camera streams and archived footage were accessed between March 7 and March 9, 2021, and screenshots and videos of them were published online.

Ethical hackers often exploit vulnerabilities and gain access to systems and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the entities in question, and steps are taken to fix the vulnerabilities before details are publicly disclosed. In the case of Kottmann, responsible disclosure procedures were not followed. Sensitive information obtained from victims’ networks was publicly disclosed, with no attempts made to notify the breached entities directly prior to the disclosure of stolen data.

On March 18, 2021, Kottmann was indicted by a grand jury in the Western District of Washington for a string of computer intrusion and identity and data theft activities from 2019 to present. The indictment, which only names Kottmann, includes charges of one count of conspiracy to commit computer fraud and abuse, several counts of wire fraud, one count of conspiracy to commit wire fraud, and one count of aggravated identity theft.

Conspiracy to commit computer fraud and abuse carries a maximum jail term of 5 years, the wire fraud and conspiracy to commit wire fraud charges have a maximum jail term of 20 years, and the aggravated identity theft charge has a mandatory 24-month jail term, which runs consecutively to other sentences.

According to the indictment, Kottmann and co-conspirators hacked the systems of dozens of companies and government entities and published data stolen from more than 100 companies on the Internet. Kottmann most often targeted git and other source code repositories, and cloned the source code, files, and other confidential information, which often included access codes, hard-coded credentials, and other means of gaining access to corporate networks. Kottmann then used the stolen credentials for further intrusions, often copying additional information from victims’ networks before leaking the stolen data online.

According to the indictment, Kottmann would speak with the media and publish information on social media networks about her role in the hacks “to recruit others, grow the scheme, and further promote the hacking activity and Kottmann’s own reputation in the hacking community.”

The FBI’s cyber task force led the investigation into Kottmann, with Swiss law enforcement executing a search warrant of Kottmann’s property in Lucerne on March 12, 2021 that resulted in computer equipment being seized. The FBI recently seized a domain that was operated by Kottmann and used to publicly disclose stolen data.

“Stealing credentials and data, and publishing source code and proprietary and sensitive information on the web is not protected speech – it is theft and fraud,” said Acting U.S. Attorney Tessa M. Gorman. “These actions can increase vulnerabilities for everyone from large corporations to individual consumers. Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft, and fraud.”

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents.

Healthcare Data Breaches Past 12 Months

After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches.

Healthcare Records Breached Past 12 Months

Largest Healthcare Data Breaches Reported in February 2021

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| The Kroger Co. | OH | Healthcare Provider | 368,100 | Hacking/IT Incident | Ransomware |
| BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) | TX | Healthcare Provider | 100,487 | Hacking/IT Incident | Phishing |
| RF EYE PC dba Cochise Eye and Laser | AZ | Healthcare Provider | 100,000 | Hacking/IT Incident | Ransomware |
| Gore Medical Management, LLC | GA | Healthcare Provider | 79,100 | Hacking/IT Incident | Hacking incident |
| Summit Behavioral Healthcare | TN | Healthcare Provider | 70,822 | Unauthorized Access/Disclosure | Phishing |
| Humana Inc | KY | Health Plan | 62,950 | Unauthorized Access/Disclosure | Subcontractor shared PHI without consent |
| Nevada Orthopedic & Spine Center | NV | Healthcare Provider | 50,000 | Hacking/IT Incident | Unconfirmed |
| Fisher Titus Health, Inc. | OH | Health Plan | 49,636 | Hacking/IT Incident | Phishing |
| Covenant HealthCare | MI | Healthcare Provider | 47,178 | Hacking/IT Incident | Phishing |
| UPMC | PA | Healthcare Provider | 36,086 | Hacking/IT Incident | Phishing attack on BA |
| Grand River Medical Group | IA | Healthcare Provider | 34,000 | Hacking/IT Incident | Phishing |
| AllyAlign Health, Inc. | VA | Health Plan | 33,932 | Hacking/IT Incident | Ransomware |
| Harvard Eye Associates | CA | Business Associate | 29,982 | Hacking/IT Incident | Ransomware attack on BA |
| Texas Spine Consultants, LLP | TX | Healthcare Provider | 25,728 | Unauthorized Access/Disclosure | Unconfirmed |
| UPMC Health Plan | PA | Health Plan | 19,000 | Hacking/IT Incident | Phishing attack on BA |

Causes of February 2021 Healthcare Data Breaches

Three breaches of more than 100,000 records were reported in February. The largest healthcare data breach of the month was reported by Kroger, an Ohio-based chain of supermarkets and pharmacies. The breach was due to a CLOP ransomware attack on a vendor – Accellion – that resulted in the theft of the protected health information of 368,100 of its customers. Kroger was one of several HIPAA-covered entities to be affected by the breach.

Elara Caring, one of the nation’s largest providers of home-based care, announced that several employee email accounts containing protected health information had been accessed by unauthorized individuals as a result of responses to phishing emails. Cochise Eye and Laser was also the victim of a ransomware attack in which the protected health information of 100,000 individuals was potentially stolen.

February 2021 Healthcare Data Breaches - Causes

Phishing attacks were the most common cause of data breaches in February, with network server incidents in close second. These mostly involved hacking and the deployment of malware or ransomware. Hacking incidents accounted for 71.1% of the month’s breaches and 85.7% of all records breached in the month. The average size of a hacking breach was 30,239 records and the median breach size was 8,849 records.

There were 10 unauthorized access/disclosure incidents reported in February involving 172,799 records. The average breach size was 17,280 records and the median breach size was 2,497 records. There were 2 theft incidents and 1 loss incident reported, involving a total of 3,773 records; all three involved paper records.

February 2021 Healthcare Data Breaches - Location of breached PHI

Entities Reporting Healthcare Data Breaches in February 2021

Healthcare providers were the worst affected covered entity type in February, with 35 breaches reported. There were 5 breaches reported by health plans and 5 reported by business associates of HIPAA-covered entities. A further 5 breaches were reported by the covered entity but had some business associate involvement.

Entities affected by February 2021 healthcare data breaches

Healthcare Data Breaches by State

Healthcare data breaches of 500 or more records were reported in 20 states in February 2021. The worst affected states were California and Texas with six breaches reported in each state. 5 entities in Pennsylvania reported breaches, there were 4 breaches reported in Florida and Michigan, 2 in each of North Carolina, Nevada, Ohio, Tennessee, and Virginia, and 1 in each of Arizona, Colorado, Georgia, Iowa, Kentucky, Louisiana, Minnesota, North Dakota, Utah, and Wyoming.

HIPAA Enforcement Activity in February 2021

In February, the HHS’ Office for Civil Rights announced two settlements had been reached with HIPAA-covered entities to resolve potential violations of the HIPAA Rules. Both enforcement actions were in response to complaints from patients who had not been provided with timely access to their medical records.

OCR launched a new enforcement initiative in late 2019 targeting healthcare providers who were not complying with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Three Right of Access enforcement actions have resulted in settlements so far in 2021, with the latest two bringing the total number of settlements under this enforcement initiative to 16.

Sharp HealthCare settled its case with OCR and paid a $70,000 penalty, and Renown Health settled its case for $75,000.

FBI: $4.2 Billion Lost to Cybercrime in 2020

The Federal Bureau of Investigation (FBI) has published its annual Internet Crime Report. 791,790 complaints were made to the FBI’s Internet Crime Complaint Center (IC3) in 2020, which is a 69% increase from 2019. More than $4.2 billion was lost to cybercrime in 2020, an increase of 20% from 2019. Since 2016, there have been reported losses to cybercrime of more than $13.3 billion.

In 2020, the most reported cybercriminal activity was phishing, which accounted for 30.5% of all complaints to IC3. 2.45% of complaints were about business email compromise (BEC) attacks. Business email compromise scams involve compromising a business email account through social engineering or phishing and using the account to arrange fraudulent transfers of funds. While these incidents were far less numerous than phishing, they were the biggest cause of losses: $1,866,642,107 was lost to BEC attacks in 2020. 2020 saw a 19% reduction in the number of BEC attacks compared to 2019, although losses increased by $0.1 billion.

FBI IC3 2020 Losses to Cybercrime

Source: IC3 Internet Crime Report 2020

In 2020, cybercriminals exploited the COVID-19 pandemic to scam businesses and individuals. IC3 received more than 28,500 complaints about COVID-19 related scams, including scams targeting the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which provided small businesses with financial assistance during the pandemic.

Thousands of complaints were received by IC3 about scams targeting unemployment insurance, Paycheck Protection Program (PPP) loans, and Small Business Economic Injury Disaster Loans, as well as phishing scams that used COVID-19 themed lures to obtain personally identifiable information to steal identities and fraudulently apply for CARES Act benefits. Recently, IC3 has been receiving complaints about scams related to vaccines, such as demands to pay out of pocket to receive the vaccine, be placed on a waiting list, or get early access to the vaccine.

Tech support fraud is a growing problem. These scams involve offers of customer, security, and technical support to resolve non-existent problems and defraud individuals. 15,421 complaints about tech support scams were received by IC3 in 2020 from victims in 60 countries, with more than $146 million lost to the scams in 2020, up 171% from 2019.

2,474 complaints were made to IC3 about ransomware attacks, which involved adjusted losses of $29.1 million. Ransomware was most commonly installed following email phishing campaigns, exploitation of Remote Desktop Protocol (RDP) vulnerabilities, and exploitation of unpatched vulnerabilities in software.

The FBI reported on the major successes of the IC3 Recovery Asset Team (RAT) in 2020. RAT was set up in 2018 to streamline communications with financial institutions to freeze transfers made to domestic accounts under false pretenses. RAT dealt with 1,303 incidents in 2020 involving losses of almost $463 million. The team had an 82% success rate and was able to freeze more than $380 million in fraudulent transfers.

One of the major successes was seen in June 2020 when a victim company was tricked into making a fraudulent $60 million payment to a Hong Kong bank account. The St. Louis field office was able to block and recover all $60 million. In April 2020, a healthcare victim was tricked into making 5 wire transfers totaling more than $2 million. RAT was able to successfully implement its Financial Fraud Kill Chain (FFKC) and freeze the transfers.

CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan, but the malware has since had a host of new capabilities added and is now extensively used as a malware loader for delivering other malware variants, including ransomware such as Ryuk and Conti.

“TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert.

In late 2019, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure and spam campaigns distributing the malware soon recommenced, with TrickBot activity surging in recent weeks. Earlier this month, Check Point researchers warned about an increase in TrickBot infections following the takedown of the Emotet botnet. TrickBot was the 4th most prevalent malware variant in 2020 and rose to third in January 2021; however, since the Emotet botnet was disrupted, TrickBot has become the most widely distributed malware variant and tops Check Point’s malware index for the first time.

TrickBot was used in the ransomware attack on Universal Healthcare Services that took systems offline for several weeks. TrickBot was used to gain access to UHS systems and detect and harvest data, after which the malware delivered the Ryuk ransomware payload. The attack caused UHS to suffer losses of $67 million in 2020.

TrickBot is primarily distributed via spear phishing emails, which are tailored for the organization that is being targeted. The emails use a combination of malicious attachments and hyperlinks to websites where the malware is downloaded. In February, the TrickBot gang conducted a large-scale phishing campaign targeting the legal and insurance sectors that used a .zip file attachment containing malicious JavaScript for delivering the malware.

One of the most recent phishing campaigns uses fake traffic violation notifications as the lure to get recipients to open a “photo proof” of the traffic violation. Clicking the photo launches a JavaScript file that establishes a connection with the gang’s command and control (C2) server and TrickBot malware is downloaded onto the victim’s system.

TrickBot is capable of lateral movement via the Server Message Block (SMB) Protocol, exfiltrates sensitive data from victim systems, and is capable of cryptomining and host enumeration. “TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting to trying to manipulate, interrupt, or destroy systems and data,” explained CISA/FBI.

CISA has developed a Snort signature for detecting network activity associated with TrickBot malware, and the CISA/FBI alert also details cybersecurity best practices that make it harder for TrickBot to be installed and help to harden systems against network propagation.