Healthcare Cybersecurity

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

U.S. Healthcare Data Breaches - Past 12 Months

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

U.S. Healthcare Data Breaches - Records Breached in the Past 12 Months

Largest Healthcare Data Breaches Reported in April 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HSS which confirms the breach affected 1,656,569 individuals. This month, several healthcare organizations have reported they have been affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Involvement
20/20 Eye Care Network, Inc Business Associate 3,253,822 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
NEC Networks, LLC d/b/a CaptureRx Business Associate 1,656,569 Hacking/IT Incident Ransomware attack Yes
Orthopedic Associates of Dutchess County Healthcare Provider 331,376 Hacking/IT Incident Ransomware attack No
Rehoboth McKinley Christian Health Care Services Healthcare Provider 207,195 Hacking/IT Incident Ransomware attack No
Five Rivers Health Centers Healthcare Provider 155,748 Hacking/IT Incident Phishing attack No
SEIU 775 Benefits Group Business Associate 140,000 Hacking/IT Incident Unspecified hacking incident Yes
San Diego Family Care Healthcare Provider 125,500 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Hoboken Radiology LLC Healthcare Provider 80,000 Hacking/IT Incident Hacked medical imaging server No
CareSouth Carolina, Inc. Healthcare Provider 76,035 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Arizona Asthma and Allergy Institute Healthcare Provider 70,372 Hacking/IT Incident Ransomware attack No
New England Dermatology, P.C. Healthcare Provider 58,106 Improper Disposal Improper disposal of specimen bottles No
Sturdy Memorial Hospital Healthcare Provider 57,379 Hacking/IT Incident Ransomware attack No
LogicGate Business Associate 47,035 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
Lafourche Medical Group Healthcare Provider 34,862 Hacking/IT Incident Phishing attack No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group Healthcare Provider 34,203 Hacking/IT Incident Ransomware attack No
SAC Health Systems Healthcare Provider 28,128 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Monadnock Community Hospital Healthcare Provider 14,340 Hacking/IT Incident Unspecified hacking incident Yes
Community Access Unlimited Business Associate 13,813 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Westwood Obstetrics and Gynecology Healthcare Provider 12,931 Hacking/IT Incident Unspecified hacking incident Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 47 (74.60%) were hacking/IT incidents. These incidents resulted in the exposure or theft of 6,432,367 healthcare records – 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents reported involving the 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

May 2021 U.S. Healthcare Data Breaches - Causes

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

May 2021 U.S. Healthcare Data Breaches- location of breached PHI

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

May 2021 healthcare data breaches by covered entity type

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State No. Reported Data Breaches
Texas 6
New York & Ohio 5
California, Illinois, West Virginia 4
Mississippi & Missouri 3
Florida, Maryland, Massachusetts, New Jersey, & Oklahoma 2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, and Wisconsin 1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total up to 8 for 2021. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of access; however, May’s settlement was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance investigation. OCR had investigated a data breach reported by the Department of Veteran Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

The post May 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys

The Avaddon ransomware-as-a-service operation was shut down on Friday and the threat group released the decryption keys for all victims. Bleeping Computer was sent an email with password and a link to a password protected ZIP file that contained the private keys for 2,934 Avaddon ransomware victims. The keys were confirmed as legitimate by Emsisoft and Coveware, with the former now having released a free decryptor that can be used by all Avaddon ransomware victims to decrypt their files.

Avaddon is a relatively new ransomware-as-a-service operation which started up in March 2020. The threat group behind the operation recruited affiliates to conduct attacks and provided them with a portal through which they could generate copies of the ransomware to conduct their own attacks. All ransoms generated were then shared between the affiliate and the RaaS operator.

It is not uncommon for RaaS operations to suddenly stop and release the keys for victims that have not yet paid, but the timing of the shut down suggests the RaaS operator may have got nervous with the increased focus of governments and law enforcement agencies on ransomware gangs.

Following the ransomware attacks on JBS and Colonial Pipeline attack, the White House ordered the Department of Justice to centralize its approach to ransomware investigations and treat attacks in the same way as terrorist attacks. White House deputy press secretary Karine Jean-Pierre said it would also be “delivering the message that responsible states do not harbor ransomware criminals,” and will be engaging with the Russian government to try to get action taken against ransomware gangs that operate in the country.

The G7 nations also committed to take action on ransomware attacks and issued a communique calling on Russia and other countries that may harbor ransomware gangs to take steps to identify, disrupt, and hold individuals to account who are conducting ransomware attacks, abusing virtual currency to launder ransom, and commit other cybercrimes. President Biden is also expected to speak with Vladimir Putin at the Geneva summit on June 16 about ransomware gangs operating out of Russia.

Following the DarkSide ransomware attack on Colonial Pipeline that disrupted fuel supplies to the eastern seaboard, the DarkSide ransomware gang announced it was shutting down. The REvil and Avaddon gangs issued a joint statement saying they were updating their rules and would not permit its affiliates to conduct ransomware attacks on critical infrastructure firms, governments, healthcare organizations, and educational institutions. It would appear that this was not enough for the Avaddon ransomware gang. It remains to be seen whether the operation has permanently been shut down or if the operator of the ransomware is just laying low for a while. It is not uncommon for ransomware operations to shut down then rebrand and recommence their attacks several weeks or months later.

“The recent actions by law enforcement have made some threat actors nervous: this is the result. One down, and let’s hope some others go down too,” said Emsisoft threat analyst Brett Callow to Bleeping Computer.

The post Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys appeared first on HIPAA Journal.

HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector

The Healthcare and Public Health Sector Coordinating Council (HSCC) has urged President Biden to provide further funding and support to improve the cybersecurity posture of the healthcare sector to improve resilience to cyberattacks.

In a recent letter addressed to President Biden and copied to Senate and House party leaders, the HSCC called for more funds to help the healthcare sector deal with cyber threats, improved collaboration between the healthcare industry and government, and for the government to provide a roadmap for making improvements to the cybersecurity readiness of the healthcare sector.

Under the American Rescue Plan, the government has made funding available to modernize federal information technology systems to improve resilience against future cyberattacks. $9 billion will be invested to help the U.S. launch major new IT and cybersecurity shared services at the Cyber Security and Information Security Agency (CISA) and the General Services Administration, and $690 million has been made available to CISA to bolster cybersecurity across federal civilian networks; however, none of that funding has been made available to directly help the healthcare sector, even though the healthcare sector has been heavily targeted by cyber actors prior to and during the pandemic.

According the HSCC, the healthcare sector is currently stretched to its limits to meet its clinical and public health obligations. The healthcare industry has faced relentless cybersecurity threats that have grown in magnitude and complexity year after year, and the situation has become far worse during the pandemic. Those threats, including ransomware, have targeted the technology integral to patient care.

Cyberattacks such as the ransomware attack on Colonial Pipeline threaten national security, but these attacks are also placing patient safety at risk. The attacks can result in denial of service, corruption of data on medical devices, and data manipulation that can have a direct implication for clinical operations, patient care, and public health.

“In assessing how the American Rescue Plan, coupled with the recently released Executive Order on Improving the Nation’s Cybersecurity, can measurably strengthen the security and resiliency of the healthcare system and patient safety, we request an enhanced strategic planning process within the administration that will complement the ongoing cybersecurity partnership between the HSCC, the Department of Health and Human Services and other essential government partners,” said HSCC in the letter. “As you lead the nation out of the pandemic, put more Americans back to work and increase their access to health insurance, the ability of the healthcare sector to deter cyber threats is imperative for the nation to maintain public health and global competitiveness beyond the pandemic.”

The post HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector appeared first on HIPAA Journal.

Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning about 6 vulnerabilities in the ZOLL Defibrillator Dashboard, including one critical 9.9 severity remote code execution flaw.

The vulnerabilities were reported to CISA anonymously and affect all versions of the ZOLL Defibrillator Dashboard prior to version 2.2. Some of the flaws can be exploited remotely and require a low level of skill to exploit.

Exploitation of the vulnerabilities could allow non-admin users to achieve remote code execution and steal credentials, which would impact the confidentiality, integrity, and availability of the application.

ZOLL has confirmed that all 6 vulnerabilities have been fixed in version 2.2 of the ZOLL Defibrillator Dashboard. Customers have been advised to upgrade the solution to version 2.2 or later as soon as possible. ZOLL also explained that in the event of any discrepancy with the Defibrillator Dashboard, the defibrillator device should be considered the source of accurate data.

The vulnerabilities are as follows:

Vulnerability CVSS Severity Score Description Risk
CVE-2021-27489 9.9 Unrestricted file upload Remote code execution
CVE-2021-27481 7.1 Hard-coded cryptographic key Theft of sensitive information
CVE-2021-27487 7.1 Sensitive data stored in cleartext Theft of sensitive information
CVE-2021-27485 7.1 Passwords stored in recoverable format Theft of credentials
CVE-2021-27483 5.3 Improper privilege management Elevation of privileges to administrator level
CVE-2021-27479 4.6 Improper neutralization of input during web page generation Injection of malicious scripts to be executed by higher privilege users

There are not believed to have been any attempted exploits of the vulnerabilities in the wild.

The post Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard appeared first on HIPAA Journal.

Critical VMWare VCenter Software Vulnerability Under Attack

A critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation is being actively exploited by cyber actors to take full control of unpatched systems. The flaw, tracked as CVE-2021-21985, was announced by VMWare in late May and a patch was released to correct the flaw on May 25, 2021.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for attackers and there is a high risk of exploitation. A reliable proof-of-concept exploit for the vulnerability is now in the public domain.

There are thousands of vulnerable vCenter servers accessible over the Internet that are vulnerable to attack. Mass scanning for VMware vSphere hosts vulnerable to RCE attacks are currently being conducted and several security researchers have reported the honeypots they set up with vulnerable versions of VMware vCenter Server have been scanned for the vulnerability.

Today, the Department of Health and Human Services’ Office for Civil Rights issued a cyber alert reiterating the importance of patching the vulnerability, explaining CISA identified several agencies that have not yet applied the patch and are vulnerable to attack.

According to VMWare, “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

Security researcher Kevin Beaumont said his honeypot was infected with a web shell after the vulnerability was exploited. “vCenter is a virtualization management software,” he said. “If you hack it, you control the virtualization layer (e.g., VMware ESXi)—which allows access before the OS layer (and security controls). This is a serious vulnerability, so organizations should patch or restrict access to the vCenter server to authorized administrators.”

If it is not possible to apply the patches immediately, there are workarounds available that can reduce the risk of exploitation. These workarounds should be implemented immediately.

The post Critical VMWare VCenter Software Vulnerability Under Attack appeared first on HIPAA Journal.

Vulnerabilities Identified in Hillrom Medical Device Management Products

Two medium severity vulnerabilities have been identified in Hillrom medical device management tools which could result in the leakage of sensitive data, corruption of data, and remote code execution.

An out-of-bounds write vulnerability – tracked as CVE-2021-27410 – could allow an attacker to cause memory corruption which would allow the remote execution of arbitrary code. While remote code execution is possible, exploiting the flaw is highly complex. The flaw has been assigned a CVSS v3 severity score of 5.9 out of 10.

The second flaw is an out-of-bounds read issue that could result in information leakage and arbitrary code execution if combined with the out-of-bounds write vulnerability. The flaw is tracked as CVE-2021-27408 and has been assigned a CVSS severity score of 5.9.

The flaws affected the following Hillrom Welch Allyn medical device management tools:

  • Welch Allyn Service Tool: versions prior to v1.10
  • Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): versions prior to v5.3
  • Welch Allyn Software Development Kit (SDK): versions prior to v3.2
  • Welch Allyn Connex Central Station (CS): versions prior to v1.8.6
  • Welch Allyn Service Monitor: versions prior to v1.7.0.0
  • Welch Allyn Connex Vital Signs Monitor (CVSM): versions prior to v2.43.02
  • Welch Allyn Connex Integrated Wall System (CIWS): versions prior to v2.43.02
  • Welch Allyn Connex Spot Monitor (CSM): versions prior to v1.52
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: versions prior to v1.11.00

The vulnerabilities were identified by Itamar Cohen-Matalon of Medigate Reserach Labs who reported the vulnerabilities to Hillrom. Hillrom has now released software updates to correct the flaws. Customers are advised to upgrade to the latest versions of the software to fix the flaws to prevent exploitation. At present, there are no reported cases of exploitation of the vulnerabilities.

Product versions with the vulnerabilities corrected are listed below:

  • Welch Allyn Service Tool: v1.10
  • Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): v5.3 (available Summer 2021)
  • Welch Allyn Software Development Kit (SDK): v3.2
  • Welch Allyn Connex Central Station (CS): v1.8.6 (available Fall 2021)
  • Welch Allyn Service Monitor: v1.7.0.0
  • Welch Allyn Connex Vital Signs Monitor (CVSM): v2.43.02
  • Welch Allen Connex Integrated Wall System (CIWS): v2.43.02
  • Welch Allyn Connex Spot Monitor (CSM): v1.52
  • Welch Allyn Spot Vital Signs 4400 Device (Spot 4400) / Welch Allyn Spot 4400 Vital Signs Extended Care Device: v1.11.00 (available Fall 2021)

Hillrom also recommends applying proper network and physical security controls, applying authentication for server access, and applying data execution prevention (DEP) where possible to prevent shellcode from running.

The post Vulnerabilities Identified in Hillrom Medical Device Management Products appeared first on HIPAA Journal.

Critical Vulnerabilities identified in MesaLabs Laboratory Temperature Monitoring System

Five vulnerabilities have been identified in the MesaLabs AmegaView continuous monitoring system used in hospital laboratories, forensics labs, and biotech firms. Two of the flaws are critical command injection vulnerabilities with CVSS severity scores of 9.9/10 and 10/10. The vulnerabilities affect AmegaView Versions 3.0 and prior and were identified by Stephen Yackey of Securifera.

In order of severity, the vulnerabilities are as follows:

  • CVE-2021-27447 – CVSS 10/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code.
  • CVE-2021-27449 – CVSS 9.9/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute commands in the web server.
  • CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions which could be exploited to elevate privileges on the device.
  • CVE-2021-27451 – CVSS 7.3/10 – Improper authentication due to passcodes being generated by an easily reversible algorithm, which could allow an attacker to gain access to the device.
  • CVE-2021-27453 – CVSS 7.3/10 – Authentication bypass issue that could allow an attacker to gain access to the web application.

There are currently no public exploits that specifically target these vulnerabilities. Since AmegaView reaches end-of-life at the end of this year, MesaLabs has taken the decision not to release patches to correct the vulnerabilities. Instead, all users of the vulnerable products have been advised to upgrade to newer Viewpoint software compatible with AmegaView hardware.

Should this not be possible, or until it is, it is recommended to locate vulnerable products behind firewalls and to isolate them from the network and ensure they are not accessible from the Internet. If remote access is required, Virtual Private Networks (VPNs) should be required for access, and VPNs should be updated to the most current version.

Prior to implementing any new defensive measures, an impact analysis and risk assessment should be performed.

The post Critical Vulnerabilities identified in MesaLabs Laboratory Temperature Monitoring System appeared first on HIPAA Journal.

FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors

The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning users of Fortinet Fortigate appliances that Advanced Persistent Threat (APT) groups are targeting devices that have not been patched for three CVEs: CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812.

These are not zero-day vulnerabilities, as patches have been available for some time. Many organizations have been slow to apply the patches and are now being targeted. In early April, the FBI, in conduction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning that the vulnerabilities could be exploited by threat actors to conduct data exfiltration, data encryption, and to pre-position for follow-on attacks.

In the recent Flash Alert, the FBI confirmed that an APT actor has been attempting to exploit the vulnerabilities since at least May 2021, and almost certainly exploited the vulnerabilities to gain access to a webserver hosting the domain for a U.S. municipal government. In that instance, the threat actors most likely created a new account – named elie – for conducting further malicious activities on the network.

Attacks exploiting the vulnerabilities do not appear to be targeted on any specific industry sector, instead the APT actor is simply attempting to exploit unpatched vulnerabilities. To date, victims have been in a broad range of industry sectors.

The APT actor creates new user accounts on domain controllers, servers, workstations, and the active directories. In addition to creating accounts named elie and WADGUtilityAccount, new accounts have been created to look similar to legitimate existing accounts on the network and have been specific to each victim organization.

The APT actor is known to make modifications to the Task Scheduler that may display as unrecognized scheduled tasks or ‘actions’, in particular, associated with SynchronizeTimeZone. Several tools have been used in the attacks, including Mimikatz for credential theft, MinerGate for cryptocurrency mining, WinPEAS for privilege escalation, SharpWMI for Windows Management Instrumentation, BitLocker for data encryption, and FileZilla for file transfers, with outbound FTP transfers identified over port 443.

Users of Fortigate appliances should ensure that patches are applied as soon as possible to correct the above vulnerabilities, and non FortiOS users should add key artifact files used by FortiOS to execution denylists to block any attempts to run FortiOS and its associated files.

Since exploitation may have already occurred, system administrators should review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts and Task Scheduler should be reviewed for any unrecognized scheduled tasks. The FBI also recommends manually reviewing operating system defined or recognized scheduled tasks for unrecognized “actions.” Antivirus logs should also be reviewed for indications that they were unexpectedly turned off.

Further mitigations to deal with the threat are detailed in the Flash Alert, a copy of which is available from the American Hospital Association on this link.

The post FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors appeared first on HIPAA Journal.

SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign

Microsoft has discovered a large-scale spear phishing campaign being conducted by the Russian Advanced Persistent Threat (APT) group behind the SolarWinds Orion supply chain attack.

The spear phishing campaign has been active since at least January 2021 and the APT group, tracked by Microsoft as Nobelium. The APT group has been experimenting and has trialed various delivery techniques, including leveraging the Google Firebase platform to deliver a malicious ISO file via HTML email attachments that deliver a variety of malware payloads.

Nobelium escalated the campaign on May 25, 2021 when it started using the Constant Contact mass-mailing service to distribute messages to targets in a wide range of industry verticals. The latest campaign targeted around 3,000 individual accounts across 150 organizations, most of which were in the United States. Each target had its own unique infrastructure and tooling, which has helped the group stay under the radar.

The attackers gained access to the Constant Contact account of the U.S. Agency for International Development (USAID) and delivered spear phishing messages under the guise of a USAID Special Alert. The messages have a reply-to address on the usaid.gov domain and were sent from the in.constantcontact.com domain.

Example Phishing email. Source: Microsoft

The messages claimed “Donald Trump has published new documents on election fraud”, with the messages including a button to click to view the documents. If the recipient clicks the link in the email, they are directed to the legitimate Constant Contact service, and then redirected to a URL under the control of Nobelium that delivers a malicious ISO file. Within the ISO file are a decoy document, a .lnk shortcut that executes a Cobalt Strike Beacon loader, and a malicious DLL file that is a Cobalt Strike Beacon loader and backdoor dubbed NativeZone by Microsoft.

Once the payloads are deployed, Nobelium gains persistent access to compromised systems and can subsequently complete further objectives such as lateral movement, data exfiltration, and the delivery of additional malware.

A previous campaign in May also used the combination of HTML and ISO files, which dropped a .NET first-stage implant – TrojanDownloader:MSIL/BoomBox – that was used for reconnaissance and to download additional malicious payloads from Dropbox.

The phishing campaign is being investigated by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Constant Contact issued a statement confirming that the account credentials of one of its customers were compromised. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” said Constant Contact.

Microsoft has warned that the tactics, techniques, and procedures used by Nobelium have had a high rate of evolution. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics,” warned Microsoft.

Microsoft has published Indicators of Compromise (IoCs) and has suggested several mitigations that can reduce the impact of this threat, including the use of antivirus software, enabling network protection to prevent applications or users from accessing malicious domains, and implementing multi-factor authentication to prevent the use of compromised credentials.

The post SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign appeared first on HIPAA Journal.