Healthcare Cybersecurity

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the front line of the fight against COVID-19, but hackers also took advantage of overrun hospitals to steal data and conduct ransomware attacks.

The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net.

The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised.

Healthcare Hacking Incidents Increased by 42% in 2020

Healthcare hacking incidents increased by 42% in 2020, continuing a 5-year trend that has seen hacking incidents increase each year. 470 incidents were classed as hacking-related breaches, which accounted for 62% of all breaches in the year. 31,080,823 healthcare records were compromised in the 277 incidents where the number of affected individuals is known. Many of the 2020 hacking incidents involved the use of ransomware. Ransomware attacks increased considerably in 2020, with more than double the number of ransomware attacks on healthcare organizations than in 2019.

Surge in Insider Data Breaches in 2020

There had been a four-year decline in insider breaches, but the Protenus report shows insider data breaches increased in 2020. More than 8.5 million records were exposed or compromised in those incidents – more than double the number of records breached by insiders in 2019. In fact, more records were breached by insiders in 2020 than in 2017, 2018, and 2019 combined. In 2020, 1 in 5 data breaches was an insider incident.

Insider breaches include insider errors and insider wrongdoing. 96 breaches involved insider error in 2020, of which data was obtained for 74 of the incidents. There were 45 cases of insider wrongdoing, with data obtained for 30 of the incidents. Errors by employees resulted in the exposure of the protected health information of at least 7,673,363 individuals and insider wrongdoing incidents resulted in the exposure/theft of at least 241,128 records.

Business Associates Often Involved

The number of data breaches involving business associates increased in 2020, with 12% of all breaches having at least some business associate involvement. Business associate breaches resulted in the exposure or theft of more than 24 million patient records, with 55% of all hacking incidents having some business associate involvement along with 25% of insider error incidents. The number of breaches involving business associates could be considerably higher as the researchers were unable to accurately determine if business associates were involved in many of the breaches.

Data Breaches Discovered Faster but Breach Reporting Slower

In 2020 it took an average of 187 days from the breach occurring to discovery by the breached entity, which is a considerable improvement on the 224-day average discovery time in 2019. In 2020, the median discovery time was just 15 days. However, there was considerable variation in discovery times, from almost immediately in some cases to several years after the breach in others.

Reporting on data breaches was slower than in 2019, with the average time for reporting a breach increasing from 80 days in 2019 to 85 days in 2020, with a median time of 60 days – the maximum time allowed for reporting a breach by the HIPAA Breach Notification Rule. The figures were based on just 339 out of the 758 breaches due to a lack of data.

“The current climate has increased risk for health systems as a new trend emerged of at least two data breaches per day, a troubling sign of the continuing vulnerability of patient information, heightened by the pandemic,” explained Protenus in the report. “Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.”

The post 2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches appeared first on HIPAA Journal.

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and the live feeds and archived footage from almost 150,000 cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals.

As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information.

Verkada’s systems were not accessed with a view to conducting any malicious actions; instead, the aim was to raise awareness of the ease with which the systems could be hacked. Malicious threat actors could just as easily have gained access to Verkada’s systems for a range of malicious purposes.

Till Kottmann, one of the hackers in the collective, said her collective accessed Verkada systems on March 8, 2021 and had full access for around 36 hours. Since the system was fully centralized, it was easy to access and download camera footage from its clients. Kottmann described the security on Verkada’s systems as “nonexistent and irresponsible.” Kottmann said an internal development system had inadvertently been exposed to the Internet and hard-coded credentials for a system account were stored in an unencrypted subdomain that provided full access.

The hackers were able to use the credentials to log in to the web-based system that all customers use to access their own security cameras, but the super admin privileges allowed them to access the security cameras of all customers.

Footage was obtained from corporate customers including Tesla, Equinox, Cloudflare, and Nissan, along with camera feeds from Madison County Jail in Huntsville, AL, Sandy Hook Elementary School in Newtown, CT and many others.

The security cameras of ICU departments in hospitals could also be accessed, including Halifax Health in Florida and Wadley Regional Medical Center in Texarkana, TX.

Verkada issued a statement about the hacking incident, saying “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.” All affected customers have now been notified and an investigation into the breach has been launched.

Surveillance Cameras are a Potential Security Risk

The hacking incident should serve as a wake-up call about the dangers of surveillance cameras. While security cameras can improve security, they may also be a security weak point. This incident is certainly notable in terms of scale, but Verkada is not the only security camera company to have suffered a breach.

In 2020, the threat group behind the Chalubo and FBot botnets – which target poorly secured IoT devices – was discovered to be exploiting vulnerabilities in CCTV cameras manufactured by Taiwan-based LILIN and using the devices for DDoS attacks.

Also in 2020, vulnerabilities were identified in around 700,000 security cameras including those manufactured by Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis which put them at risk of being hacked. The vulnerabilities could be exploited to bypass firewalls and steal passwords. The flaws were present in a P2P solution from Shenzhen Yunni Technology Company that was used by the camera manufacturers.


Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations.

The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks.

These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data.

Healthcare ransomware attacks cripple IT systems, prevent patient medical records from being accessed, cause disruption to patient care, and put patient safety at risk. Recovering data and restoring systems can take weeks or months and mitigating the attacks is expensive, with considerable loss of revenue due to downtime. In 2020, the ransomware attack on the University of Vermont Health Network was costing $1.5 million a day in recovery costs and lost revenue.

The True Cost of Healthcare Ransomware Attacks

Researchers at Comparitech recently conducted a study to identify the true cost of ransomware attacks on US healthcare organizations. The researchers gathered information on all ransomware attacks reported to the US Department of Health and Human Services’ Office for Civil Rights since 2016, as well as attacks reported through media outlets that were not made public by OCR because they affected fewer than 500 individuals.

Calculating the true cost of healthcare ransomware attacks is difficult, as only limited data is made public. Ransoms may be paid, but the amounts are often not disclosed and attacks that affect fewer than 500 individuals are often not made public.

The researchers identified 92 healthcare ransomware attacks in 2020, including the attack on Blackbaud. More than 600 separate hospitals, clinics, and other healthcare facilities were affected by those attacks, with a further 100 affected by the attack on Blackbaud. Those attacks involved the theft or exposure of the protected health information of at least 18,069,012 patients.

Ransom demands were issued ranging from $300,000 to $1.14 million, with data from Coveware indicating an average ransom demand of $169,446 in 2020. $15.6 million in ransoms were demanded from healthcare organizations in the United States in 2020, and $2,112,744 is known to have been paid to ransomware gangs in 2020. The true figure is substantially higher as many ransoms were paid but the amounts were not publicly disclosed.

In addition to the ransom payment there is the cost of downtime, which in some cases can be weeks or months following the attack. Coveware research indicates the average downtime ranged from 15 days in Q1, 2020 to 21 days in Q4, 2020. The Comparitech researchers determined the total downtime from the attacks in 2020 was likely to be 1,669 days. Using a 2017 estimate of the cost of downtime of $8,662 per minute, the researchers determined the attacks cost at least $20.8 billion in 2020, which is more than double the estimated cost of ransomware attacks in 2019 ($8.46 billion).

The researchers identified 270 healthcare ransomware attacks in the United States between January 2016 and December 2020, which affected around 2,100 hospitals, clinics, and other healthcare facilities. The attacks resulted in the theft or encryption of the records of more than 25 million individuals, with the overall cost to the healthcare industry estimated to be $31 billion.

Healthcare ransomware attacks 2016-2020. Source: Comparitech.

You can view the full findings from the Comparitech healthcare ransomware study on this link.


Small and Medium Sized Practices Under Increased Pressure from Cyberattacks

2020 saw cyberattacks on healthcare organizations increase significantly. While large healthcare organizations are being targeted by Advanced Persistent Threat (APT) groups and ransomware gangs, there has also been a marked increase in attacks on small- to medium-sized healthcare organizations.

A cyberattack on a large healthcare organization could allow the hackers to steal large quantities of protected health information and ransomware attacks typically see ransom demands issued for millions of dollars. The rewards from these attacks are considerable, but large healthcare organizations tend to invest heavily in cybersecurity and often have their own IT security teams to protect and monitor their IT networks. Cyberattacks on these organizations require more skill and they can be difficult and time consuming.

Medium-sized healthcare organizations also store large amounts of sensitive data, yet their networks tend to be less well protected, which makes cyberattacks much easier and still highly profitable.

Cyberattacks on Small- and Medium-Sized Healthcare Organizations are Increasing

The CTI League recently published a report highlighting the work completed by its “Dark Team” on emerging threats to the healthcare industry. In the final quarter of 2020, its researchers identified a sharp increase in cyberattacks on the healthcare sector. “From October to December the CTI League observed a dramatic uptick in focused attacks against healthcare entities, particularly small and medium sized hospitals and clinics, which impacted clinical workflows at hundreds of healthcare providers,” explained the researchers in the report.

Ransomware attacks on small to mid-sized healthcare organizations have been increasing, according to the ransomware response company Coveware. Coveware’s data for Q3, 2020 shows more than 70% of ransomware attacks were conducted on companies with fewer than 1,000 employees, and 65.9% of ransomware attacks in Q4, 2020 were on small (30.2%) and medium (35.7%) sized companies. The Ryuk and Sodinokibi ransomware operations continue to target large enterprises, but there are many more smaller operations that target small- to medium-sized entities, including the Dharma, Snitch, and Netwalker ransomware operations.

Q4, 2020 Ransomware Attacks. Source: Coveware

Attacks on small- and medium-sized organizations tend to be easier to pull off, as access controls tend to be simpler and it is less common for 2-factor authentication to be implemented. These organizations also tend to have less robust backup systems, which makes data recovery without paying the ransom problematic. Oftentimes backups are performed, but they do not cover all systems, or the backups are not tested to make sure file recovery is possible. It is also common for cybersecurity best practices such as network segmentation not to be followed.

These organizations have less money available to devote to cybersecurity and often lack skilled in-house cybersecurity professionals. It is also common for them not to view themselves as targets for hackers. Medium-sized healthcare organizations are undoubtedly a sweet spot: attacks are easier as defenses are poorer, so less skill is required to breach them. That makes them attractive targets for the affiliates of many of the smaller ransomware operations. These organizations are also likely to have the funds available to pay reasonably high ransom demands.

How Can Small- and Medium Sized Healthcare Organizations Improve their Security Posture?

Preventing attacks with limited resources can be difficult, so it is important to concentrate on the main attack vectors. The initial aim is not to make it impossible for systems to be compromised; it should be to make small changes that improve defenses and make attacks harder.

Phishing is the most common attack vector so improving defenses against phishing emails will go a long way toward improving your security posture. An advanced email security solution will help to block more phishing emails for a relatively low cost. Employee security awareness training will help to make employees aware of cyber threats. The importance of training employees to identify phishing emails cannot be overstated. Strong passwords need to be set and 2-factor authentication should be implemented on all username-password systems.

RDP compromise is also a common attack vector. Start by changing default ports, locking out accounts after a set number of failed logins to block brute force attempts to guess weak passwords, and using whitelists to restrict access. Also ensure you apply patches and perform security updates promptly to correct known vulnerabilities. If it is not possible to apply patches, ensure those systems are not Internet facing and segment networks to hamper lateral movement and limit the harm caused if systems are breached.
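The lockout-after-N-failures and source whitelist controls above, applied as detection logic to failed-logon records, as an added example that is not part of the HIPAA Journal post. The log lines and the 10.0.5.0/24 allowlist are constructed for the demo; Event ID 4625 and Logon Type 10 are real Windows values, but the key=value layout is an assumed export format, not raw event log syntax.

```python
# Added example (not from the original post): flag RDP brute-force sources
# using the same threshold a lockout policy would enforce, and list sources
# that a firewall whitelist would have rejected outright.
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. 4625 = "An account failed to log on",
# LogonType 10 = RemoteInteractive (RDP). The last two lines are a
# successful logon (4624) and a console failure (LogonType 2), both of
# which the detector must ignore.
SAMPLE_LOG = """\
2021-03-01T08:00:01 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2021-03-01T08:00:03 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2021-03-01T08:00:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2021-03-01T08:00:06 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2021-03-01T08:00:07 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2021-03-01T08:15:00 EventID=4625 LogonType=10 TargetUser=mjones SourceIP=10.0.5.20
2021-03-01T09:40:00 EventID=4625 LogonType=10 TargetUser=mjones SourceIP=10.0.5.20
2021-03-01T09:40:10 EventID=4624 LogonType=10 TargetUser=mjones SourceIP=10.0.5.20
2021-03-01T09:41:00 EventID=4625 LogonType=2 TargetUser=console SourceIP=-
"""

# Constructed allowlist: only the practice's internal VPN pool may reach RDP.
RDP_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def rdp_failures(log_text):
    """Yield only failed RDP logons (4625 with RemoteInteractive type)."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["EventID"] == "4625" and rec["LogonType"] == "10":
            yield rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: time_threshold_reached} for every source that
    accumulates `threshold` failed RDP logons inside a sliding `window`.
    This is the condition an account lockout policy acts on; two failures
    an hour apart (10.0.5.20 below) are a user mistyping, not an attack."""
    recent = defaultdict(deque)  # source IP -> failure timestamps in window
    flagged = {}
    for rec in rdp_failures(log_text):
        src = rec["SourceIP"]
        q = recent[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = rec["ts"]
    return flagged


def unlisted_sources(log_text, allowlist=RDP_ALLOWLIST):
    """Return the set of source IPs that attempted RDP logons from outside
    the allowlist; a firewall whitelist would have dropped these before
    any password guessing could start."""
    out = set()
    for rec in rdp_failures(log_text):
        ip = ipaddress.ip_address(rec["SourceIP"])
        if not any(ip in net for net in allowlist):
            out.add(rec["SourceIP"])
    return out


if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
    print("outside allowlist:", unlisted_sources(SAMPLE_LOG))
```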


IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020.

The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9.

The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial entry point in 33% of attacks, up from 31% in 2019.

2020 was the first year since IBM X-Force started publishing its annual threat index reports that the exploitation of vulnerabilities was more common than phishing as the initial attack vector, which was largely due to the global shift to a distributed workforce in response to the pandemic.

Around 1 in 5 cyberattacks in 2020 involved the exploitation of vulnerabilities in Citrix servers, which were used to support remote workforces. Out of all attacks involving the exploitation of Citrix vulnerabilities, healthcare placed third with 17% of all attacks. Credential theft-related attacks secured third place in the initial attack vector list and accounted for 18% of attacks, down from 29% in 2019.

In healthcare especially, ransomware attacks increased sharply. Overall, 23% of security events in 2020 involved ransomware, up from 20% in 2019. 28% of all cyberattacks on the healthcare industry involved ransomware. These attacks often involved data theft prior to file encryption to pressure victims into paying the ransom to prevent the exposure or sale of stolen data. 59% of ransomware attacks in 2020 involved the use of this double-extortion tactic.

Sodinokibi was used in 22% of all ransomware attacks. The researchers estimate that the Sodinokibi gang generated $123 million in ransom payments in 2020. Other highly active ransomware operations included RagnarLocker, Netwalker, Maze, and Ryuk, which each had a share of 7% of the attacks.

Ransomware was the leading attack type, followed by data theft, and server access. Data theft increased 160% year-over-year, with a large proportion of the attacks due to the Emotet Trojan. Server access increased 233% in the past 12 months, mostly involving the exploitation of vulnerabilities and the use of stolen credentials. Remote Access Trojan (RAT) attacks had a notable increase from 2% of attacks in 2019 to 6% in 2020. Business email compromise attacks decreased in 2020, falling from 14% of attacks in 2019 to 9% in 2020. Insider breaches fell from 6% to 5% of attacks, with misconfigurations unchanged, accounting for 5% of attacks.

The second and third most common types of healthcare cyberattacks were server access and BEC attacks, each accounting for 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations accounted for 9% of attacks each.

The increase in healthcare industry cyberattacks was largely due to the industry being heavily targeted by ransomware gangs and threat actors targeting COVID-19-related research organizations. It could have been far worse for the healthcare industry. Security researchers became aware that the Ryuk ransomware gang was planning a targeted campaign in October that would have seen 400 hospitals attacked. Fortunately, efforts by cybersecurity companies and law enforcement limited the attacks to just 9 out of the 400 hospitals.


Microsoft Patches 4 Actively Exploited Flaws in Microsoft Exchange Server

Microsoft has released out-of-band security updates to fix four zero-day Microsoft Exchange Server vulnerabilities that are being actively exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium.

The attacks have been ongoing since early January, with the APT group targeting defense contractors, law firms, universities, NGOs, think tanks, and infectious disease research organizations in the United States. Exploitation of the flaws allows the attackers to exfiltrate mailboxes and other data from vulnerable Microsoft Exchange servers, run virtually any code on the servers, and upload malware for persistent access.

Hafnium is a previously unidentified sophisticated APT group that is believed to be backed by the Chinese government. The group is chaining together the four zero-day vulnerabilities to steal sensitive data contained in email communications. While developing the exploits required some skill, using those exploits is simple and allows the attackers to exfiltrate large quantities of sensitive data with ease. While the APT group is based in China, virtual private servers in the United States are leased for use in the attacks, which helps the group stay under the radar.

The flaws are present in all supported Microsoft Exchange Server versions (2013, 2016, 2019) and Exchange Server 2010. Patches have been released to fix the flaws in Exchange Server 2010, 2013, 2015, and 2019. The flaws do not affect Exchange Online and personal email accounts, only on-premises Exchange servers.

Microsoft has credited the cybersecurity firms Volexity and Dubex with helping to discover the attacks, which were first identified on January 6, 2021. Now that the patches have been released, attacks are expected to increase as the group rushes to gain access to as many vulnerable Exchange servers as possible before the patches are applied.

The vulnerabilities are:

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that allows HTTP requests to be sent to an on-premises Exchange Server to authenticate as the Exchange server itself.
  • CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that can be exploited to run any arbitrary code as SYSTEM on the Exchange server.
  • CVE-2021-26858 and CVE-2021-26865: Two file write vulnerabilities that allow an authenticated user to write files to any path on the server. The flaws are chained with CVE-2021-26855, although they could also be exploited using stolen credentials.

Once initial access to the Exchange server is gained, the attackers deploy a web shell that allows them to harvest cached credentials, upload files such as malware for persistent access, execute virtually any command on the compromised system, and exfiltrate mailboxes and other data.

Exploits for the vulnerabilities are not believed to have been released publicly, with the attacks currently only being conducted by Hafnium, although that may not remain the case for long.

Microsoft is advising all users of the vulnerable Microsoft Exchange versions to apply the patches immediately. After applying the patches, an investigation should be conducted to determine if the flaws have already been exploited, as patching will not prevent any further malicious activity or data exfiltration if the attackers have already compromised the server.

Microsoft has provided Indicators of Compromise (IoCs) to help customers identify whether the flaws have already been exploited.


NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity

The National Security Agency (NSA) has recently released new guidance to help organizations adopt a Zero Trust approach to cybersecurity to better defend against increasingly sophisticated cyber threats.

Zero Trust is a security strategy which assumes that breaches are inevitable or have happened and an intruder is already inside the network. This approach assumes that any device or connection may have been compromised so it cannot be implicitly trusted. Continuous verification is required in real time from multiple sources before access is granted and for system responses.

Adopting a Zero Trust approach to security means adhering to the concept of least-privileged access for every access decision and constantly limiting access to what is needed, with anomalous and potentially malicious activity constantly examined.

“Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries,” explained the NSA in the guidance. “Zero Trust repeatedly questions the premise that users, devices, and network components should be implicitly trusted based on their location within the network.”

The Zero Trust approach provides far greater security against external threat actors and authorized insiders with malicious intentions. When an authorized user or remote cyber attacker uses credentials to gain access to resources, those credentials and the device used are assumed to be malicious until proven otherwise. Since access to networks and resources is limited, and networks are segmented, the potential harm that can be caused is severely reduced and lateral movement is restricted.

Traditionally, cybersecurity has been focused on protecting internal networks from external threats. Provided the network perimeter is not breached, this approach is effective, but today’s increasingly sophisticated cyber threats often breach the perimeter defenses, after which threat actors are able to move laterally within networks undetected, as occurred in the SolarWinds supply chain attack. A Zero Trust approach to security would not prevent a system breach, but the harm caused would be drastically reduced and alerts would be generated to advise network defenders of a potential attack in progress.

The NSA provides examples in the guidance of how the Zero Trust approach blocks attempts by a threat actor using a legitimate user’s stolen credentials to access network resources using their own or the user’s device.

Source: National Security Agency

The Zero Trust approach is also effective at blocking supply chain attacks, when a threat actor adds malicious code to a device or application. In these attacks, communication between the device or app and the attacker would not be possible as the compromised device or app would not be trusted.

The transition to this new approach to security requires security teams to adopt a Zero Trust mindset, which calls for coordinated and aggressive system monitoring, system management, and defensive operations capabilities. All requests for access to critical resources, network traffic, devices and infrastructure must be assumed to be malicious, and teams must accept that every access approval to a critical resource incurs risk; security teams must therefore be prepared to perform rapid damage assessment, control, and recovery operations.

Adopting a Zero Trust approach to security requires major changes to existing information systems and considerable time and effort, and there are likely to be many challenges. Fortunately, the change to Zero Trust can be implemented in stages starting with fundamental integrated capabilities, then refining capability integration and further refining capabilities, before deploying advanced protections and controls with robust analytics and orchestration. When Zero Trust functionality is introduced incrementally in accordance with a strategic plan, risk will be reduced accordingly at each step.

The NSA guidance provides an outline of the Zero Trust approach to security, recommendations and best practices for transitioning to Zero Trust, resources required for a successful transition, and how the Zero Trust implementation can be matured to ensure success.


CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about 4 vulnerabilities which are being actively exploited by a threat actor to gain access to sensitive data.

The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified.

The vulnerabilities are tracked as:

  • CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  • CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  • CVE-2021-27103 – Server-side request forgery via a crafted POST request
  • CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27101) allows an unauthorized individual to run remote commands on targeted devices. An exploit for the vulnerability has been combined with a webshell, with the latter used to receive commands sent by the attacker, exfiltrate data, and clean up logs. Cleaning up the logs allows the attacker to avoid detection and hampers analysis of the attack.

Once sensitive data have been exfiltrated, the attacker attempts to extort the victim, threatening to publish the stolen data on a ransomware data leak site if payment is not made. FireEye/Mandiant have linked the attacks to the FIN11 and CL0P ransomware operation, although ransomware itself is not deployed in these attacks.

Accellion became aware of attacks exploiting the vulnerabilities in January 2021 and reports that fewer than 100 clients have been affected, around two dozen of whom are believed to have suffered significant data theft. Kroger recently reported that some pharmacy and The Little Clinic customers were affected, and Centene has also suffered a data breach through exploitation of the vulnerabilities. Other victims include Transport for New South Wales in Australia, the Canadian aircraft manufacturer Bombardier, the Reserve Bank of New Zealand, the Australian financial regulator ASIC, the Office of the Washington State Auditor, and the University of Colorado.

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity alert (AA21-055A) which Accellion customers can use to determine whether the vulnerabilities have been exploited, along with advice on what to do should malicious activity be detected.

In addition to analyzing systems for signs of exploitation, CISA recommends isolating systems hosting the software from the Internet and updating Accellion FTA to version FTA_9_12_432 or later. Accellion and CISA also recommend migrating from this legacy product to a supported file sharing platform: the Accellion FTA reaches end-of-life on April 30, 2021, and Accellion recommends upgrading to its Kiteworks file sharing platform, which has enhanced security features.
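Two checks an FTA administrator might script while working through the steps above, given here as an added example that is not part of the CISA alert, the HIPAA Journal post, or Accellion's own tooling. The first flags web server log lines whose Host header does not look like a hostname at all, which is what a SQL injection payload delivered via a crafted Host header (the CVE-2021-27101 vector) would look like in the logs; the second compares an installed FTA build tag against the FTA_9_12_432 floor that CISA recommends. The log layout (combined format with the Host header appended as a final quoted field) and the sample lines are constructed for the example, since the page does not describe the FTA's actual log format; the heuristic is not a substitute for CISA's published IoCs.

```python
"""
Added example: triage helpers for an Accellion FTA host.

Assumptions (not from the advisory or the page):
  * Log lines are in a combined-log style with the request's Host header
    appended as the final quoted field. A real FTA log may differ; adapt
    _LOG_RE to it.
  * FTA_9_12_432 is treated as the minimum fixed build (per CISA); the
    appliance is still end-of-life and should be migrated regardless.
"""
import re
from typing import Iterable, List, Dict, Optional, Tuple

# A legitimate Host header is a hostname or IPv4 literal (RFC 1123 characters:
# letters, digits, hyphen, dot) with an optional port. Quotes, spaces, SQL
# keywords or comment markers have no business in it. (Bracketed IPv6
# literals would be flagged too; extend the pattern if you serve on IPv6.)
_VALID_HOST = re.compile(r"^[A-Za-z0-9.-]+(?::\d{1,5})?$")

# Combined log format plus an appended "Host" field (assumed layout). The host
# group tolerates backslash-escaped characters as Apache writes them.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<host>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample traffic: two benign requests, then two whose Host header
# carries SQL injection syntax (documentation IPs from RFC 5737).
LOG_LINES = [
    '203.0.113.7 - - [21/Dec/2020:03:14:07 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" "fta.example.org"',
    '203.0.113.7 - - [21/Dec/2020:03:14:09 +0000] "GET /login.php HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0" "fta.example.org:443"',
    '198.51.100.23 - - [21/Dec/2020:03:15:41 +0000] "GET /index.php HTTP/1.1" 200 1024 '
    '"-" "python-requests/2.25" "fta.example.org\' UNION SELECT 1,2,3-- "',
    '198.51.100.23 - - [21/Dec/2020:03:15:44 +0000] "POST /index.php HTTP/1.1" 200 64 '
    '"-" "python-requests/2.25" "fta.example.org\' OR \'1\'=\'1"',
]


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, request_line, host_header) or None if unparseable."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("req"), m.group("host")


def flag_suspicious_hosts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag requests whose Host header is not a plausible hostname[:port]."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line; real triage would record these too
        ip, req, host = parsed
        if not _VALID_HOST.match(host):
            findings.append({"ip": ip, "request": req, "host": host})
    return findings


def parse_fta_version(tag: str) -> Tuple[int, ...]:
    """Turn a build tag such as 'FTA_9_12_432' into a comparable tuple (9, 12, 432)."""
    m = re.fullmatch(r"FTA_(\d+(?:_\d+)*)", tag.strip())
    if not m:
        raise ValueError(f"not an FTA version tag: {tag!r}")
    return tuple(int(part) for part in m.group(1).split("_"))


MIN_FIXED = parse_fta_version("FTA_9_12_432")  # CISA's recommended floor


def fta_is_patched(tag: str) -> bool:
    """True if the build is FTA_9_12_432 or later. Patched is not the same as supported."""
    return parse_fta_version(tag) >= MIN_FIXED


if __name__ == "__main__":
    for hit in flag_suspicious_hosts(LOG_LINES):
        print(f"suspicious Host header from {hit['ip']}: {hit['host']!r} ({hit['request']})")
    for build in ("FTA_9_12_370", "FTA_9_12_432"):
        print(build, "patched" if fta_is_patched(build) else "VULNERABLE")
```

A hit from this check is a reason to pull the host's logs and filesystem for CISA's IoCs, not proof of compromise on its own; and because the attacker's webshell is reported to clean up logs, an absence of hits in local logs is weaker evidence than the same check run over logs shipped to a remote collector.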

The post CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities appeared first on HIPAA Journal.

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Throughout the pandemic, cybercriminals have taken advantage of new opportunities, attacking hospitals, clinics, and other businesses and organizations on the front line of the fight against COVID-19.

Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021.

A recent report from the CTIL League provides further information on these attacks and on some of the other ways the healthcare industry was targeted in 2020. The report highlights the work of the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity with the potential to impact the healthcare industry or public health.

This is the first report to highlight the discoveries and achievements of the CTIL Dark team; it delves into the realm of healthcare ransomware attacks and the dark markets where access to healthcare networks is traded.

In 2020, the CTIL Dark team's research determined the main ransomware gangs targeting the healthcare sector to be Maze, Conti, Netwalker, REvil, and Ryuk. Between them, these five operations conducted more than 100 ransomware attacks on the healthcare sector, two thirds of them in North America and Europe, and accounted for 75% of all attacks on the sector in 2020.

The increase in ransomware attacks in 2020 was attributed to the ease with which the industry could be attacked and to its increased prominence during the pandemic; no healthcare organization was immune. While attacks on large healthcare organizations with the means to pay large ransoms were favored, the fall saw a significant increase in attacks on small- to medium-sized hospitals and clinics.

Ransomware attacks tend to dominate the news reports due to the major impact these attacks have on healthcare providers and their patients. Hospitals are forced to switch to pen and paper, appointments often have to be cancelled, and patient information is frequently leaked online and made available to a wide range of cybercriminals. What is less well understood is the supply chain that makes many of these attacks possible.

During the pandemic, demand for backdoor access to healthcare networks increased considerably, as did the number of criminals supplying it. The supply chains that deliver credentials for healthcare networks to ransomware gangs and other threat actors have significantly lowered the barrier to entry for attacks on the sector.

2020 saw an increase in the number of Initial Access Brokers: hackers who breach vulnerable networks and sell that access to the highest bidder, including ransomware gangs and their affiliates. The CTIL Dark team reports that the number of Initial Access Brokers doubled between Q2 and Q4 of 2020. Skilled hackers who can breach healthcare networks often sign up to ransomware-as-a-service (RaaS) operations as affiliates themselves, and in 2020 several RaaS operations ran recruitment drives targeting individuals who already had access to healthcare networks and could conduct large numbers of attacks.

The CTIL Dark team notes that ransomware attacks are becoming more extensive, targeted, and coordinated, with threat groups often partnering and sharing resources and information. In 2020, the ransomware activity investigated by the team most commonly began with the exploitation of perimeter weaknesses, such as unpatched systems and weak passwords on remote connectivity solutions, rather than with phishing.

The CTIL Dark team also identified an increase in the number of databases containing PHI being sold on darknet forums for use in targeted attacks on patients, and employee databases for targeting healthcare employees to gain access to healthcare networks.

Phishing attacks increased in 2020, with opportunistic threat actors abandoning their regular campaigns and switching to COVID-19 themed campaigns that closely tracked equipment shortages and knowledge gaps. Scams were conducted in response to the shortage of COVID-19 tests and PPE, followed by fake offers of antibody-rich blood. When hydroxychloroquine was touted as a game changer for COVID-19 treatment, darknet vendors switched from offering cocaine to offering doses of the drug. Now, as the vaccine rollout gathers pace, scammers have switched to offering fake vaccines.

The CTIL League has predicted that attacks targeting the healthcare sector will most likely increase rather than decline in 2021, so it is essential for healthcare organizations to remain on high alert, leverage threat data from cybersecurity vendors, Health-ISAC, law enforcement, and organizations such as the CTIL League, and implement policies, procedures, and protections to combat these threats.

The post Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity appeared first on HIPAA Journal.