Healthcare Cybersecurity

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov.

Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was that she would not be permitted to name any of the apps in which vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks that could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating the security issues are systemic.

mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user activity than other mobile device apps such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth apps analyzed for the study are used by an estimated 23 million people, with each app downloaded an average of 772,619 times from app stores. These apps contain a wealth of sensitive data, from vital signs data to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps carry a high value on darknet marketplaces and are frequently targeted by cybercriminals. The vulnerabilities identified in mHealth apps make it easy for cybercriminals to gain access to the information.

“Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible,” said Knight. “But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.”

BOLA vulnerabilities allow a threat actor to substitute the ID of a resource with the ID of another. “When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them,” explained Knight. “These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.” In the case of mHealth apps, that could provide a threat actor with the ability to download entire medical records and personal information that could be used for identity theft.
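To make the BOLA pattern concrete, here is an added example (not code from the Approov study or from any of the apps it tested) showing a record lookup that trusts the object ID from the URI beside a hardened version that binds the authorization decision to the authenticated session. The records, IDs, roles and the patient-to-clinician assignment rule are all constructed for illustration.

```python
"""
Added example: object-level authorization for a record endpoint.
Not from the Approov study or any tested app; all data is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class Session:
    """What the server knows about the caller after authentication."""
    user_id: str
    role: str                                   # "patient" or "clinician"
    assigned_patients: Set[str] = field(default_factory=set)


@dataclass
class PatientRecord:
    patient_id: str
    report: str


# Constructed sample data standing in for the app's backend database.
RECORDS: Dict[str, PatientRecord] = {
    "1001": PatientRecord("1001", "pathology: sample A"),
    "1002": PatientRecord("1002", "x-ray: sample B"),
    "1003": PatientRecord("1003", "clinical notes: sample C"),
}


class NotFound(Exception):
    """Raised for both missing and unauthorized objects (see hardened handler)."""


def get_record_vulnerable(session: Session, patient_id: str) -> PatientRecord:
    """The BOLA pattern: the caller is authenticated, but the object ID taken
    from the URI is looked up directly with no check that the object belongs
    to the caller, so any valid session can read every record."""
    rec = RECORDS.get(patient_id)
    if rec is None:
        raise NotFound()
    return rec


def is_authorized(session: Session, patient_id: str) -> bool:
    """Server-side ownership/assignment rule, evaluated on every request.
    Patients may read only their own record; clinicians only assigned ones."""
    if session.role == "patient":
        return session.user_id == patient_id
    if session.role == "clinician":
        return patient_id in session.assigned_patients
    return False


def get_record_hardened(session: Session, patient_id: str) -> PatientRecord:
    """Same lookup with the authorization decision bound to the session.
    Unauthorized and non-existent IDs are indistinguishable to the caller,
    so an ID that fails the check does not reveal whether it exists."""
    rec = RECORDS.get(patient_id)
    if rec is None or not is_authorized(session, patient_id):
        raise NotFound()
    return rec


Handler = Callable[[Session, str], PatientRecord]


def readable_ids(handler: Handler, session: Session) -> Dict[str, bool]:
    """Authorization regression check: which sample IDs can this session read
    through the given handler? Run this in CI for every role so a handler
    that drops the ownership check fails the build."""
    result: Dict[str, bool] = {}
    for pid in sorted(RECORDS):
        try:
            handler(session, pid)
            result[pid] = True
        except NotFound:
            result[pid] = False
    return result


if __name__ == "__main__":
    patient = Session(user_id="1002", role="patient")
    clinician = Session(user_id="c7", role="clinician",
                        assigned_patients={"1001", "1003"})
    print("vulnerable, patient 1002:", readable_ids(get_record_vulnerable, patient))
    print("hardened,   patient 1002:", readable_ids(get_record_hardened, patient))
    print("hardened,   clinician c7:", readable_ids(get_record_hardened, clinician))
```

The check that matters is the one inside `get_record_hardened`: the ID from the request is never trusted on its own, and the server decides per request whether the caller's session is allowed to reach that object.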

APIs define how apps communicate with other apps and systems and are used to share information. Of the 30 mHealth apps tested, 77% had hard-coded API keys, which made them vulnerable to attacks that would allow an attacker to intercept information as it is exchanged. In some cases, those keys never expired, and 7% of the API keys belonged to third-party payment processors that strongly advise against hard coding these private keys in plain text, yet usernames and passwords had still been hard coded.

All of the apps lacked certificate pinning, which is used to prevent man-in-the-middle attacks. Exploiting this flaw would allow sensitive health and personal information to be intercepted and manipulated. Half of the tested apps did not authenticate requests with tokens, and 27% did not have code obfuscation protections, which made them vulnerable to reverse engineering.

Knight was able to access highly sensitive information during the study. 50% of records included names, addresses, dates of birth, Social Security numbers, allergies, medications, and other sensitive health data. Knight also found that if access is gained to one patient’s records, other patient records can also be accessed indiscriminately. Half of all APIs allowed medical professionals to view the pathology, X-ray, and clinical results of other patients, and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not assigned to her clinical account. Knight also found replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take over other users’ sessions.

Part of the problem is mHealth apps do not have security measures baked in. Rather than build security into the apps at the design stage, the apps are developed, and security measures are applied afterwards. That can easily result in vulnerabilities not being fully addressed.

“The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm,” said David Stewart, founder and CEO of Approov. “Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”

The post 100% of Tested mHealth Apps Vulnerable to API Attacks appeared first on HIPAA Journal.

Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas.

Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients.

It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal.

According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by the hospital. The Conti leak site had around 20 files uploaded on February 3, 2021 which contained patient information, and Databreaches.net reports that the site included more than 1,760 leaked files on February 10, most of which appeared to be old data. Databreaches.net was contacted by the hospital’s attorney, who confirmed that the current systems used by the hospital had not been compromised; instead, an old server that held files relating to patient or patient data transfers was compromised. The incident is still under investigation.

The theft of patient data prior to file encryption, often called double extortion, is now commonplace. According to the New Zealand cybersecurity firm Emsisoft, at the start of 2020 only one ransomware group was exfiltrating data prior to file encryption, but by the end of the year at least 17 ransomware groups were exfiltrating data prior to deploying ransomware.

This tactic increases the probability of the ransom being paid. Healthcare organizations may be able to recover files from backups, but they would need to pay the ransom to prevent the stolen data from being dumped on leak sites or sold to other threat actors.

There are signs, however, that this tactic is now proving to be less effective. A recent report by Coveware suggests trust has been eroded and more victims are choosing not to pay the ransom when they can recover their data from backups as there is no guarantee that stolen data will be deleted if the ransom is paid.

Coveware attributed the dramatic reduction in ransom payments in Q4 2020 to victims choosing not to pay due to a lack of trust in the attackers. “Coveware continues to witness signs that stolen data is not deleted or purged after payment. Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur,” explained Coveware in its Q4 Ransomware Report.

The post Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers appeared first on HIPAA Journal.

Feds Release Ransomware Fact Sheet

A ransomware fact sheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF) to raise awareness of the threat of ransomware attacks and provide insights that can be leveraged to prevent and mitigate attacks.

The fact sheet was developed by an interagency group of more than 15 government agencies and is primarily intended for use by police and fire departments; state, local, tribal and territorial governments; and critical infrastructure entities. The fact sheet was released as part of the “Reduce the Risk of Ransomware Campaign” launched by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) in January 2021.

The fact sheet explains the impact ransomware attacks have had on the public sector, provides information on U.S. government efforts to combat ransomware threats, and details the three most common methods used by threat actors to gain access to networks to deploy ransomware payloads: phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities.

Phishing emails contain either a malicious link or file attachment. If the user opens the attachment or visits the link, code is executed which downloads a malicious payload. That payload may be ransomware or another malware variant which will ultimately be used to deliver ransomware. A recent report from Coveware has revealed phishing emails are now the most common method of ransomware delivery, overtaking the exploitation of RDP vulnerabilities.

Exploitation of RDP vulnerabilities is also common. RDP allows remote workers to access resources and data over the Internet. Brute force tactics are often used to guess weak passwords, and stolen credentials are purchased on darknet marketplaces; either gives the attackers the remote access they need to reach systems and deploy malware or ransomware. While less common, vulnerabilities in software are also exploited to gain control of victim systems and deploy ransomware.

Many of the recent ransomware campaigns have been highly sophisticated and targeted. While it is not possible to eliminate risk entirely, most ransomware attacks can be prevented by following cybersecurity best practices.

NCIJTF suggests:

  1. Backing up data, testing backups, and ensuring a copy is stored securely offline.
  2. Implementing multifactor authentication.
  3. Updating software and patching all systems.
  4. Ensuring security solutions such as antivirus software are kept up to date.
  5. Creating, reviewing, and testing an incident response plan.

The ransomware fact sheet can be accessed on this link.

Further information on preventing and mitigating ransomware attacks can be found here (CISA).

The post Feds Release Ransomware Fact Sheet appeared first on HIPAA Journal.

VMware Carbon Black Explores the State of Healthcare Cybersecurity in 2020

Throughout 2020, the healthcare industry was on the frontline of the pandemic providing medical care to patients suffering from COVID-19 but also had to deal with increasing numbers of cyberattacks, as cybercriminals stepped up their attacks on hospitals and health systems.

Recently, VMware Carbon Black conducted a retrospective review of the state of healthcare cybersecurity in 2020 that revealed the extent to which the healthcare industry was targeted by cybercriminals, how those attacks succeeded, and what healthcare organizations need to do to prevent cyberattacks in 2021.

VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and found 239.4 million cyberattacks were attempted in 2020, which equates to an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019.

As it became clear that the outbreak in Wuhan was turning into a pandemic, cyberattacks on healthcare providers started to increase. Between January and February 2020, cyberattacks on healthcare customers increased by 51% and continued to increase throughout the year, peaking between September and October when there was an 87% month-over-month increase in attacks. The large spike in attacks in the fall was due to increased ransomware activity, with the Ryuk ransomware gang in particular stepping up attacks on the healthcare industry.

Attacks were conducted to gain access to healthcare data for identity theft and fraud, with the stolen data bought and sold on darknet marketplaces, but the biggest threat came from ransomware. “In 2020, we saw ransomware go mainstream. The wide-reaching impact of ransomware has been assisted largely by way of affiliate programs,” explained VMware Carbon Black. “With many ransomware groups offering ransomware-as-a-service (RaaS), making the deployment of ransomware easily accessible to millions of cybercriminals who previously didn’t have the tools to carry out these attacks.” The high potential rewards for conducting attacks have drawn many individuals into ransomware distribution who would otherwise not have been able to conduct these types of attacks. Cybercriminals are also recruiting insiders who can provide them with access to networks in exchange for large sums of money or a cut of any ransoms that are paid.

Double extortion tactics have also been extensively adopted by ransomware gangs to increase the likelihood of victims paying, if only to prevent the exposure of stolen data rather than for the keys to recover encrypted files. Much of the stolen data is being offered for sale on dark web sites, especially stolen protected health information and COVID-19 test result data.

2020 saw many threat actors join forces and share resources and exchange tactics, with access to systems being provided to other threat groups to conduct their own attacks. Collaboration between threat groups is increasing and threat actors are discovering new ways of gaining access to networks to deploy their malicious payloads.

The researchers have seen attacks increase throughout 2020 and there are no signs that the attacks will slow as 2021 progresses. In fact, it is possible that attacks will continue to increase.

VMware Carbon Black makes three recommendations for CISOs to ensure that they stay one step ahead of attackers. First, most AV solutions focus only on the delivery stage; for much better protection, healthcare organizations should deploy next-generation antivirus solutions that protect against every stage of a ransomware attack, from delivery to propagation to encryption. Second, endpoint protection solutions should be chosen that can be rapidly scaled and deployed to protect new users, while maintaining data privacy, compliance, and security practices.

Lastly, healthcare CISOs need to be proactive and address vulnerabilities before they are exploited. That means IT tracking tools should be deployed that provide full visibility into devices that connect to the network. This will allow CISOs to track configuration drift and quickly remediate issues and ensure all devices are patched and protected.

The post VMware Carbon Black Explores the State of Healthcare Cybersecurity in 2020 appeared first on HIPAA Journal.

FDA Appoints Kevin Fu as its First Director of Medical Device Security

The U.S. Food and Drug Administration (FDA) has announced the appointment of University of Michigan associate professor Kevin Fu as its first director of medical device security.

Fu will serve a one-year term as acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and the recently created Digital Health Center of Excellence, starting on January 1, 2021. Fu has been tasked with helping “to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”

Fu will help to develop the CDRH cybersecurity programs, public-private partnerships, and premarket vulnerability assessments to ensure the safety of medical devices including insulin pumps, pacemakers, imaging machines, and healthcare IoT devices and protect them against digital security threats.

Fu has considerable experience in the field of medical device cybersecurity. He currently serves as chief scientist at the University of Michigan’s Archimedes Center for Medical Device Security, which he founded; he co-founded the healthcare cybersecurity startup Virtua Labs with his doctoral students; and he was previously a member of the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board. Fu has also conducted research into software radio attacks on implantable medical devices such as pacemakers and cardiac defibrillators and demonstrated how off-the-shelf radio software could be used to access the devices and intercept communications. Fu is currently associate professor of electrical engineering and computer science and the Dwight E. Harken Memorial Lecturer, and he will retain those University of Michigan roles.

Securing medical devices is a major challenge. Huge numbers of medical devices are now used by hospitals in complex interconnected networks. Many hospitals do not have complete inventories of their devices, and since many run on legacy systems, vulnerabilities can easily go unaddressed. Those vulnerabilities could be exploited by cyber threat actors to cause harm to patients or to gain a foothold in healthcare computer networks.

As Fu explained in an interview recently published on Michigan News, the threat landscape has changed dramatically over the past decade. “Today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day,” said Fu. “We need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.”

Medical devices need to have privacy and security measures incorporated early in the design process, rather than being bolted on after the devices have been developed. By that time, security flaws have been baked into the devices and they are much harder to address.

Unfortunately, all too often, medical device manufacturers do not seek input from security experts during the design of medical devices and fail to design the devices based on established computer security engineering principles. That is something that needs to change. “You can’t simply sprinkle magic security pixie dust after designing a device,” said Fu.

“Right now, though, I’m focused on medical device safety,” explained Fu. “I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”

The post FDA Appoints Kevin Fu as its First Director of Medical Device Security appeared first on HIPAA Journal.

Global Law Enforcement Action Disrupts NetWalker Ransomware Operation

The U.S. Department of Justice (DOJ) has announced a dark web website used by the NetWalker ransomware gang has been seized as part of a global action to disrupt operations and bring the individuals responsible for the file-encrypting extortion attacks to justice.

The action was taken in coordination with the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance provided by the Bulgarian National Investigation Service and General Directorate Combatting Organized Crime. The announcement comes just a few hours after Europol announced an international effort that resulted in the takedown of the Emotet botnet.

The NetWalker ransomware gang is one of around 20 ransomware-as-a-service (RaaS) operators that recruit affiliates to distribute ransomware for a cut of any ransom payments they generate. The NetWalker gang started operating in late 2019. Since then, the ransomware has proven popular with affiliates and many attacks have been conducted. It has been estimated that in the first 5 months of the operation, the gang generated around $25 million in ransom payments, around $1.14 million of which was paid by the University of California San Francisco to recover data encrypted in a June 2020 attack. The total amount of ransom payments is believed to be in excess of $46 million.

The gang has attacked businesses and organizations in a range of different sectors, with the healthcare industry targeted throughout the pandemic. Attacks have also been conducted on schools, colleges, universities, companies, municipalities, and the emergency services.

The investigation into the NetWalker ransomware operation was led by the FBI’s Tampa Field Office and has so far resulted in one arrest. Sebastien Vachon-Desjardins of Gatineau, a Canadian national, has been indicted for his involvement in extortion attacks as an affiliate of the operation. The DOJ alleges Vachon-Desjardins obtained more than $27.6 million in ransom payments since at least April 2020. Vachon-Desjardins is believed to have been responsible, as an affiliate, for hacking networks and deploying ransomware, for which he received 80% of the ransom payments he generated. He is believed to have conducted at least 91 attacks in 8 months. According to a report from Chainalysis, Vachon-Desjardins is also suspected of working with other RaaS operations.

The DOJ said $454,530 in cryptocurrency, paid by three victims of the ransomware attacks, has been seized and Bulgarian law enforcement officials have taken control of a dark web website used by NetWalker ransomware affiliates to communicate with victims and provide instructions for paying ransoms. The website now has a notice explaining the resource is under the control of law enforcement.

The developers of the ransomware are still at large and only one affiliate has been arrested out of more than a dozen, but the action will have caused some disruption to the operation and further arrests may follow.

“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

The post Global Law Enforcement Action Disrupts NetWalker Ransomware Operation appeared first on HIPAA Journal.

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Europol has announced the notorious Emotet botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which comprises hundreds of servers around the world.

The Emotet botnet was one of the most prolific malware botnets of the last decade, and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The Emotet operators ran one of the most professional and long-lasting cybercrime services and were one of the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet.

The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous. Emotet was used to deliver TrickBot and QakBot, which in turn were used to deliver ransomware variants such as Ryuk, Conti, Egregor, and ProLock.

Once a device was infected with the Emotet Trojan it would be added to the botnet and used to infect other devices. Emotet could spread laterally across networks and hijacked email accounts to send copies of itself to contacts. The Emotet gang took phishing to the next level and their campaigns were highly successful. A wide range of lures were used to maximize the chance of the emails being opened and the malware installed. Emotet also hijacked message threads and inserted itself into email conversations to increase the chance of malicious attachments being opened.

The law enforcement operation was planned for around 2 years and was a collaborative effort between authorities in the Netherlands, Germany, France, Lithuania, Canada, Ukraine, the United States, and the United Kingdom, with the operation coordinated by Europol and Eurojust.

The infrastructure used to control the botnet was spread across hundreds of servers, each of which performed different functions and were used to manage infected computers, distribute copies of the Emotet Trojan, exfiltrate data, and provide services to other cybercrime groups. The Emotet gang had also built resiliency into its infrastructure to prevent any takedown attempts.

In order to take down the infrastructure and prevent any attempts at restoration, the operation was coordinated so that law enforcement agencies took control of the servers simultaneously from the inside. The servers are now under the control of law enforcement, and a module that uninstalls the malware is already being distributed. Europol says the malware will be uninstalled from infected devices on March 25, 2021 at 12:00.

In addition to severely disabling the operation, several members of the Emotet gang in Ukraine suspected of running the botnet have been arrested and other arrests are expected to follow.

The post Multinational Law Enforcement Operation Takes Down the Emotet Botnet appeared first on HIPAA Journal.

Ransomware Attacks Account for Almost Half of Healthcare Data Breaches

A new report published by Tenable has revealed almost half of all healthcare data breaches are the result of ransomware attacks, and in the majority of cases the attacks were preventable.

According to the Tenable Research 2020 Threat Landscape Retrospective Report, 730 data breaches were reported across all industry sectors in the first 10 months of 2020 and more than 22 billion records were exposed. 8 million of those records were exposed in healthcare data breaches.

Healthcare registered the highest number of data breaches of any industry sector between January and October 2020, accounting for almost a quarter (24.5%) of all reported data breaches, ahead of technology (15.5%), education (13%), and government (12.5%).

Due to the high number of healthcare data breaches, Tenable researchers analyzed those breaches to identify the main causes and found that ransomware attacks accounted for 46.4% of all reported data breaches, followed by email compromise attacks (24.6%), insider threats (7.3%), app misconfigurations (5.6%) and unsecured databases (5%). Across all industry sectors, ransomware attacks accounted for 35% of data breaches and 14.4% of breaches were due to email compromises, which shows the healthcare industry is particularly vulnerable to these types of attacks.

While no healthcare organization is immune to ransomware attacks, for the most part these attacks can be prevented. One of the most common ways for ransomware gangs to gain access to healthcare networks is the exploitation of vulnerabilities in Virtual Private Network (VPN) solutions. The two vulnerabilities most commonly exploited by ransomware gangs are the CVE-2019-19781 vulnerability in the Citrix ADC controller, which affects gateway hosts, and the CVE-2019-11510 vulnerability in Pulse Connect Secure.

Patches to correct both of these vulnerabilities were released in early 2020, yet many organizations were slow to apply the patches and correct the flaws, which gave threat actors an easy way to gain a foothold in networks, access and exfiltrate sensitive data, and deploy ransomware.

“As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed, and represent lucrative opportunities for ransomware actors,” said Renaud Deraison, co-founder and chief technology officer at Tenable.

Many organizations continue to use server software that is no longer supported, and ransomware gangs often target vulnerabilities in outdated server software. Ransomware gangs also exploit vulnerabilities in RDP and use brute force tactics to guess weak passwords.

It can be difficult for healthcare organizations to change software solutions and operating systems that are approaching end of life, but it is vital to upgrade to solutions that have active support or ensure that any software that is no longer supported is isolated and those systems cannot be accessed remotely. Locking down RDP and enforcing the use of strong passwords will also help to prevent ransomware attacks.

It is also important to address the second highest cause of healthcare data breaches. Email security solutions will prevent the majority of email attacks, but security awareness training for employees should also be provided regularly. One of the most important steps to take is to implement multi-factor authentication on all email accounts. It is often only after experiencing a phishing attack that healthcare organizations implement multi-factor authentication, but by being proactive, email account breaches can be prevented.

In a summer 2020 blog post, Microsoft explained that multi-factor authentication is the most important security solution to apply to block phishing attacks and will prevent 99.9% of attacks on email accounts.

The post Ransomware Attacks Account for Almost Half of Healthcare Data Breaches appeared first on HIPAA Journal.

FBI Issues Warning Following Spike in Vishing Attacks

Many data breaches start with a phishing email, but credential phishing can also occur via other communication channels such as instant messaging platforms or SMS messages. One often overlooked way for credentials to be obtained is phishing over the telephone. These phishing attacks, termed vishing, can give attackers the credentials they need to gain access to email accounts and cloud services and escalate privileges.

Recently, the Federal Bureau of Investigation (FBI) issued an alert after a spike in vishing incidents to steal credentials to corporate accounts, including credentials for network access and privilege escalation. The change to remote working in 2020 due to COVID-19 has made it harder for IT teams to monitor access to their networks and privilege escalation, which could allow these attacks to go undetected.

The FBI warned that it has observed a change in tactics by threat actors. Rather than only targeting credentials of individuals likely to have elevated privileges, cybercriminals are now trying to obtain all credentials. While the credentials of low-ranking employees may not give them the access to systems, networks, or data they seek, those credentials give them a foothold that can be used to get greater network access, including the ability to escalate privileges.

Threat actors are using VoIP platforms to target corporate employees over the telephone to obtain credentials. One way this is achieved is by convincing an employee to log in to a phishing webpage that harvests credentials. For instance, a member of the IT team could be impersonated, and the employee told to visit a webpage to update their software or for security reasons.

In one of the recent attacks, cybercriminals identified an employee of the targeted company in its chatroom, then made contact and convinced the employee to log in to a fake VPN page. They stole the employee’s credentials, logged in remotely to the VPN, and performed reconnaissance to find an employee with higher privileges. The aim was to find an employee with permissions to change usernames and email credentials. When such an individual was identified, contact was made, and the scam was performed again using a chatroom messaging service to phish that employee’s credentials.

This is the second FBI warning to have been issued on vishing in the past year, and the tactic has been used in attacks since at least December 2019. To improve defenses against these attacks the FBI made the following recommendations:

  • Implement multi-factor authentication for accessing employee accounts.
  • Grant network access to new employees on a least-privilege basis.
  • Regularly review network access for employees to identify weak spots.
  • Scan and monitor for unauthorized network access and changes to permissions.
  • Adopt network segmentation to control the flow of network traffic.
  • Provide administrators with two accounts: one with admin privileges reserved for system changes, and a second, lower-privileged account for deploying updates, email, and report generation.

The post FBI Issues Warning Following Spike in Vishing Attacks appeared first on HIPAA Journal.