Healthcare Cybersecurity

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020.

The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9.

The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks, up from 30% in 2019. This was closely followed by phishing attacks, which were the initial entry point in 33% of attacks, up from 31% in 2019.

2020 was the first year since IBM X-Force started publishing its annual threat index reports that the exploitation of vulnerabilities was more common than phishing as the initial attack vector, which was largely due to the global shift to a distributed workforce in response to the pandemic.

Around 1 in 5 cyberattacks in 2020 involved the exploitation of vulnerabilities in Citrix servers, which were used to support remote workforces. Out of all attacks involving the exploitation of Citrix vulnerabilities, healthcare placed third with 17% of all attacks. Credential theft-related attacks secured third place in the initial attack vector list and accounted for 18% of attacks, down from 29% in 2019.

In healthcare especially, ransomware attacks increased sharply. Overall, 23% of security events in 2020 involved ransomware, up from 20% in 2019. 28% of all cyberattacks on the healthcare industry involved ransomware. These attacks often involved data theft prior to file encryption to pressure victims into paying the ransom to prevent the exposure or sale of stolen data. 59% of ransomware attacks in 2020 involved the use of this double-extortion tactic.

Sodinokibi was used in 22% of all ransomware attacks. The researchers estimate that the Sodinokibi gang generated $123 million in ransom payments in 2020. Other highly active ransomware operations included RagnarLocker, Netwalker, Maze, and Ryuk, which each had a share of 7% of the attacks.

Ransomware was the leading attack type, followed by data theft and server access. Data theft increased 160% year-over-year, with a large proportion of the attacks due to the Emotet Trojan. Server access increased 233% in the past 12 months, mostly involving the exploitation of vulnerabilities and the use of stolen credentials. Remote Access Trojan (RAT) attacks had a notable increase from 2% of attacks in 2019 to 6% in 2020. Business email compromise attacks decreased in 2020, falling from 14% of attacks in 2019 to 9% in 2020. Insider breaches fell from 6% to 5% of attacks, with misconfigurations unchanged, accounting for 5% of attacks.

The second and third most common types of healthcare cyberattacks were server access and BEC attacks, each accounting for 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations accounted for 9% of attacks each.

The increase in healthcare industry cyberattacks was largely due to the industry being heavily targeted by ransomware gangs and threat actors targeting COVID-19-related research organizations. It could have been far worse for the healthcare industry. Security researchers became aware that the Ryuk ransomware gang was planning a targeted campaign in October that would have seen 400 hospitals attacked. Fortunately, efforts by cybersecurity companies and law enforcement limited the attacks to just 9 out of the 400 hospitals.

The post IBM X-Force: Healthcare Cyberattacks Doubled in 2020 appeared first on HIPAA Journal.

Microsoft Patches 4 Actively Exploited Flaws in Microsoft Exchange Server

Microsoft has released out-of-band security updates to fix four zero-day Microsoft Exchange Server vulnerabilities that are being actively exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium.

The attacks have been ongoing since early January, with the APT group targeting defense contractors, law firms, universities, NGOs, think tanks, and infectious disease research organizations in the United States. Exploitation of the flaws allows the attackers to exfiltrate mailboxes and other data from vulnerable Microsoft Exchange servers, run virtually any code on the servers, and upload malware for persistent access.

Hafnium is a previously unidentified sophisticated APT group that is believed to be backed by the Chinese government. The group is chaining together the four zero-day vulnerabilities to steal sensitive data contained in email communications. While developing the exploits required some skill, using those exploits is simple and allows the attackers to exfiltrate large quantities of sensitive data with ease. While the APT group is based in China, virtual private servers in the United States are leased for use in the attacks, which helps the group stay under the radar.

The flaws are present in all supported Microsoft Exchange Server versions (2013, 2016, 2019) and Exchange Server 2010. Patches have been released to fix the flaws in Exchange Server 2010, 2013, 2016, and 2019. The flaws do not affect Exchange Online or personal email accounts, only on-premises Exchange servers.

Microsoft has credited the cybersecurity firms Volexity and Dubex for helping to discover the attacks, which were first identified on January 6, 2021. Now that the patches have been released, attacks are expected to increase as the group rushes to gain access to as many vulnerable Exchange servers as possible before the patches are applied.

The vulnerabilities are:

  • CVE-2021-26855 – A server-side request forgery (SSRF) vulnerability that allows HTTP requests to be sent to an on-premises Exchange Server to authenticate as the Exchange server itself.
  • CVE-2021-26857 – An insecure deserialization vulnerability in the Unified Messaging service that can be exploited to run arbitrary code as SYSTEM on the Exchange server.
  • CVE-2021-26858 and CVE-2021-26865 – Two file write vulnerabilities that allow an authenticated user to write files to any path on the server. The flaws are chained with CVE-2021-26855, although they could also be exploited using stolen credentials.

Once initial access to the Exchange server is gained, the attackers deploy a web shell that allows them to harvest cached credentials, upload files such as malware for persistent access, execute virtually any command on the compromised system, and exfiltrate mailboxes and other data.

Exploits for the vulnerabilities are not believed to have been released publicly, with the attacks currently only being conducted by Hafnium, although that may not remain the case for long.

Microsoft is advising all users of the vulnerable Microsoft Exchange versions to apply the patches immediately. After applying the patches, an investigation should be conducted to determine if the flaws have already been exploited, as patching will not prevent any further malicious activity or data exfiltration if the attackers have already compromised the server.

Microsoft has provided Indicators of Compromise (IoCs) to help customers identify whether the flaws have already been exploited.

The post Microsoft Patches 4 Actively Exploited Flaws in Microsoft Exchange Server appeared first on HIPAA Journal.

NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity

The National Security Agency (NSA) has recently released new guidance to help organizations adopt a Zero Trust approach to cybersecurity to better defend against increasingly sophisticated cyber threats.

Zero Trust is a security strategy which assumes that breaches are inevitable or have happened and an intruder is already inside the network. This approach assumes that any device or connection may have been compromised so it cannot be implicitly trusted. Continuous verification is required in real time from multiple sources before access is granted and for system responses.

Adopting a Zero Trust approach to security means adhering to the concept of least-privileged access for every access decision and constantly limiting access to what is needed, with anomalous and potentially malicious activity constantly examined.

“Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries,” explained the NSA in the guidance. “Zero Trust repeatedly questions the premise that users, devices, and network components should be implicitly trusted based on their location within the network.”

The Zero Trust approach provides far greater security against external threat actors and authorized insiders with malicious intentions. When an authorized user or remote cyber attacker uses credentials to gain access to resources, those credentials and the device used are assumed to be malicious until proven otherwise. Since access to networks and resources is limited, and networks are segmented, the potential harm that can be caused is severely reduced and lateral movement is restricted.

Traditionally, cybersecurity has been focused on protecting internal networks from external threats. Provided the network perimeter is not breached, this approach is effective, but today’s increasingly sophisticated cyber threats often breach the perimeter defenses, after which threat actors are able to move laterally within networks undetected, as occurred in the SolarWinds supply chain attack. A Zero Trust approach to security would not prevent a system breach, but the harm caused would be drastically reduced and alerts would be generated to advise network defenders of a potential attack in progress.

The NSA provides examples in the guidance of how the Zero Trust approach blocks attempts by a threat actor using a legitimate user’s stolen credentials to access network resources using their own or the user’s device.

Source: National Security Agency

The Zero Trust approach is also effective at blocking supply chain attacks, when a threat actor adds malicious code to a device or application. In these attacks, communication between the device or app and the attacker would not be possible as the compromised device or app would not be trusted.

The transition to this new approach to security requires security teams to adopt a Zero Trust mindset, which calls for coordinated and aggressive system monitoring, system management, and defensive operations capabilities. All requests for access to critical resources, network traffic, devices and infrastructure must be assumed to be malicious, and it must be accepted that approving access to critical resources incurs risk; security teams must therefore be prepared to perform rapid damage assessment, control, and recovery operations.

Adopting a Zero Trust approach to security requires major changes to existing information systems and considerable time and effort, and there are likely to be many challenges. Fortunately, the change to Zero Trust can be implemented in stages starting with fundamental integrated capabilities, then refining capability integration and further refining capabilities, before deploying advanced protections and controls with robust analytics and orchestration. When Zero Trust functionality is introduced incrementally in accordance with a strategic plan, risk will be reduced accordingly at each step.

The NSA guidance provides an outline of the Zero Trust approach to security, recommendations and best practices for transitioning to Zero Trust, resources required for a successful transition, and how the Zero Trust implementation can be matured to ensure success.

The post NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity appeared first on HIPAA Journal.

CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about 4 vulnerabilities which are being actively exploited by a threat actor to gain access to sensitive data.

The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified.

The vulnerabilities are tracked as:

  • CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  • CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  • CVE-2021-27103 – Server-side request forgery via a crafted POST request
  • CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27101) allows an unauthorized individual to run remote commands on targeted devices. An exploit for the vulnerability has been combined with a webshell, with the latter used to receive commands sent by the attacker, exfiltrate data, and clean up logs. Cleaning up the logs allows the attacker to avoid detection and hampers analysis of the attack.

Once sensitive data have been exfiltrated, the attacker attempts to extort money from the victim. Threats are issued to publicly expose the stolen data on a ransomware data leak site if the ransom is not paid. FireEye/Mandiant have linked the attacks with the FIN11 and CL0P ransomware operation, although ransomware is not being used in the attacks.

Accellion became aware of attacks exploiting the vulnerabilities in January 2021 and reports fewer than 100 clients have been affected, with around 2 dozen clients believed to have suffered significant data theft. Kroger has recently reported that some pharmacy and Little Clinic customers have been affected, and Centene has similarly suffered a data breach via the exploitation of the vulnerabilities. Other victims include Transport for New South Wales in Australia, the Canadian aircraft manufacturer Bombardier, the Reserve Bank of New Zealand, the Australian financial regulator ASIC, the Office of the Washington State Auditor, and the University of Colorado.

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity alert (AA21-055A) which can be used by Accellion customers to determine if the vulnerabilities have been exploited, along with advice should malicious activity be detected.

In addition to performing an analysis to identify if the flaws have been exploited, CISA recommends isolating systems hosting the software from the Internet and updating Accellion FTA to version FTA_9_12_432 or later. It is also recommended by Accellion and CISA to migrate from this legacy product to a supported file sharing platform. The Accellion FTA reaches end-of-life on April 30, 2021. Accellion recommends upgrading to its Kiteworks file sharing platform, which has enhanced security features.

The post CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities appeared first on HIPAA Journal.

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Throughout the pandemic, cybercriminals have taken advantage of new opportunities and have been attacking hospitals, clinics and other businesses and organizations on the front line in the fight against COVID-19.

Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021.

A recent report from the CTIL League provides further information on these attacks and some of the other ways the healthcare industry was targeted in 2020. The report highlights the work conducted by the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity that has the potential to impact the healthcare industry or general public health.

This is the first report to be released that highlights the discoveries and achievements of the CTIL Dark team, and delves into the realm of healthcare ransomware attacks and the dark markets where access to healthcare networks is traded.

In 2020, the CTIL Dark team’s research determined the main ransomware gangs targeting the healthcare sector to be Maze, Conti, Netwalker, REvil, and Ryuk. Between these five operations more than 100 ransomware attacks were conducted on the healthcare sector, two thirds of which were in North America and Europe. The attacks by these groups accounted for 75% of all attacks on the sector in 2020.

The increase in ransomware attacks in 2020 was attributed to the ease with which the industry could be attacked and the increased prominence of the industry during the pandemic, and no healthcare organization was immune. In fact, while attacks on large healthcare organizations with the means to pay large ransom demands were favored, in the fall there was a significant increase in attacks on small- to medium-sized hospitals and clinics.

Ransomware attacks tend to dominate the news reports due to the major impact these attacks have on healthcare providers and their patients. Hospitals are forced to switch to pen and paper, appointments often have to be cancelled, and patient information is frequently leaked online and made available to a wide range of cybercriminals. What is less well understood is the supply chain that makes many of these attacks possible.

During the pandemic, demand for backdoor access to healthcare networks increased considerably, as did the number of criminals providing access. The supply chains established to provide credentials for healthcare networks to ransomware gangs and other threat actors saw the barrier to entry into cyberattacks on the sector significantly lowered.

2020 saw an increase in the number of Initial Access Brokers. These are the hackers who target and breach vulnerable networks and sell on access to the highest bidder, including ransomware gangs and their affiliates. The CTIL Dark team reports a doubling of the number of Initial Access Brokers between Q2, 2020 and Q4, 2020. Skilled hackers that can breach healthcare networks often sign up to ransomware-as-a-service operations as affiliates themselves. In 2020, several RaaS operations started recruitment drives targeting individuals who already had access to healthcare networks and could conduct large numbers of attacks.

The CTIL Dark team notes that ransomware attacks are becoming more extensive, targeted, and coordinated, with threat groups often partnering and sharing resources and information. In 2020, the ransomware activity investigated by the team most commonly involved attacks on perimeter vulnerabilities such as unpatched systems and weak passwords in remote connectivity solutions, rather than phishing attacks.

The CTIL Dark team also identified an increase in the number of databases containing PHI being sold on darknet forums for use in targeted attacks on patients, and employee databases for targeting healthcare employees to gain access to healthcare networks.

Phishing attacks increased in 2020, with opportunistic threat actors abandoning their regular campaigns and switching to COVID-19 themed campaigns that closely mirrored equipment shortages and knowledge gaps. Scams were conducted in response to the shortage in COVID-19 tests and PPE, followed by fake offers of antibody blood. When hydroxychloroquine was touted as a game changer for COVID-19 treatment, darknet vendors switched from offering cocaine to offering doses of the drug. Now, as the vaccine rollout gathers pace, scammers have switched to offering fake vaccines.

CTIL has predicted attacks targeting the healthcare sector will most likely increase in 2021 rather than decline, so it is essential for healthcare organizations to remain on high alert, leverage data from cybersecurity vendors, health ISACs, law enforcement, and organizations such as the CTIL League, and implement policies, procedures, and protections to combat these threats.

The post Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity appeared first on HIPAA Journal.

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov.

Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was that she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic.

mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user activity than other mobile device apps such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth apps analyzed for the study are used by an estimated 23 million people, with each app downloaded an average of 772,619 times from app stores. These apps contain a wealth of sensitive data, from vital signs data to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps carry a high value on darknet marketplaces and are frequently targeted by cybercriminals. The vulnerabilities identified in mHealth apps make it easy for cybercriminals to gain access to the information.

“Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible,” said Knight. “But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.”

BOLA vulnerabilities allow a threat actor to substitute the ID of a resource with the ID of another. “When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them,” explained Knight. “These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.” In the case of mHealth apps, that could provide a threat actor with the ability to download entire medical records and personal information that could be used for identity theft.
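To make the BOLA pattern Knight describes concrete, here is an added example, not code from the study or from any tested app: a records handler that returns whatever object ID the client supplies, beside a hardened handler that checks the caller against the record's patient before returning it, plus a small denial counter a defender can use to notice one account being refused on many different IDs. All callers, records and IDs are constructed sample data.

```python
from dataclasses import dataclass
from collections import defaultdict


class Forbidden(Exception):
    """Raised when the caller may not see the requested object (or it does not exist)."""


@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str                                   # "patient" or "clinician"
    assigned_patients: frozenset = frozenset()  # patients a clinician is responsible for


# Constructed sample data (not from any real app): sequential record IDs of the
# kind that, when placed directly in a URI, invite ID enumeration.
RECORDS = {
    1001: {"patient_id": "p-alice", "kind": "x-ray", "body": "left wrist, no fracture"},
    1002: {"patient_id": "p-bob", "kind": "pathology", "body": "CBC within normal range"},
    1003: {"patient_id": "p-carol", "kind": "allergies", "body": "penicillin"},
}


def get_record_vulnerable(caller: Caller, record_id: int) -> dict:
    """BOLA pattern: authentication is assumed to have happened upstream, but the
    object is fetched purely by the ID the client supplied. Nothing ties the
    caller to the record, so any logged-in user can read any record."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise KeyError(record_id)
    return rec


def is_authorized(caller: Caller, rec: dict) -> bool:
    """Object-level check: the caller owns the record, or is a clinician
    assigned to the record's patient. Any other role gets nothing."""
    if caller.role == "patient":
        return caller.user_id == rec["patient_id"]
    if caller.role == "clinician":
        return rec["patient_id"] in caller.assigned_patients
    return False


def get_record_secure(caller: Caller, record_id: int, monitor=None) -> dict:
    """Hardened form: the lookup is followed by an authorization decision
    against the object's owner. A missing record and a forbidden one raise the
    same error, so the endpoint does not confirm which IDs exist."""
    rec = RECORDS.get(record_id)
    if rec is None or not is_authorized(caller, rec):
        if monitor is not None:
            monitor.record_denial(caller.user_id, record_id)
        raise Forbidden(f"record {record_id} not available to {caller.user_id}")
    return rec


class DenialMonitor:
    """Detection aid: counts the distinct object IDs each caller was refused.
    One account refused on many different IDs is the signature of someone
    walking the ID space and is worth an alert."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self._denied = defaultdict(set)

    def record_denial(self, user_id: str, record_id: int) -> None:
        self._denied[user_id].add(record_id)

    def suspicious_callers(self) -> list:
        return sorted(u for u, ids in self._denied.items() if len(ids) >= self.threshold)


if __name__ == "__main__":
    bob = Caller("p-bob", "patient")
    print(get_record_vulnerable(bob, 1001))   # flaw: Bob reads Alice's X-ray
    try:
        get_record_secure(bob, 1001)
    except Forbidden as e:
        print("refused:", e)
```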

APIs define how apps can communicate with other apps and systems and are used for sharing information. Out of the 30 mHealth apps tested, 77% had hard-coded API keys which made them vulnerable to attacks that would allow the attacker to intercept information as it is exchanged. In some cases, those keys never expired and 7% of the API keys belonged to third-party payment processors that strongly advise against hard coding these private keys in plain text, yet usernames and passwords had still been hard coded.

All of the apps lacked certificate pinning, which is used to prevent man-in-the-middle attacks. Exploiting this flaw would allow sensitive health and personal information to be intercepted and manipulated. Half of the tested apps did not authenticate requests with tokens, and 27% did not have code obfuscation protections, which made them vulnerable to reverse engineering.

Knight was able to access highly sensitive information during the study. 50% of records included names, addresses, dates of birth, Social Security numbers, allergies, medications, and other sensitive health data. Knight also found that if access is gained to one patient’s records, other patient records can also be accessed indiscriminately. Half of all APIs allowed medical professionals to view pathology, X-ray, and clinical results of other patients, and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not assigned to her clinical account. Knight also found replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take over other users’ sessions.

Part of the problem is mHealth apps do not have security measures baked in. Rather than build security into the apps at the design stage, the apps are developed, and security measures are applied afterwards. That can easily result in vulnerabilities not being fully addressed.

“The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm,” said David Stewart, founder and CEO of Approov. “Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”

The post 100% of Tested mHealth Apps Vulnerable to API Attacks appeared first on HIPAA Journal.

Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas.

Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients.

It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal.

According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by the hospital. The Conti leak site had around 20 files uploaded on February 3, 2021, which contained patient information, and Databreaches.net reports that the site included more than 1,760 leaked files on February 10, most of which appeared to be old data. Databreaches.net was contacted by the hospital’s attorney, who confirmed that the current systems used by the hospital had not been compromised; instead, an old server was compromised that held files relating to patients or patient data transfers. The incident is still under investigation.

The theft of patient data prior to file encryption, often called double extortion, is now commonplace. According to the New Zealand cybersecurity firm Emsisoft, at the start of 2020 only one ransomware group was exfiltrating data prior to file encryption, but by the end of the year at least 17 ransomware groups were exfiltrating data prior to deploying ransomware.

This tactic increases the probability of the ransom being paid. Healthcare organizations may be able to recover files from backups, but they would need to pay the ransom to prevent the stolen data from being dumped on leak sites or sold to other threat actors.

There are signs, however, that this tactic is now proving to be less effective. A recent report by Coveware suggests trust has been eroded and more victims are choosing not to pay the ransom when they can recover their data from backups as there is no guarantee that stolen data will be deleted if the ransom is paid.

Coveware attributed the dramatic reduction in ransom payments in Q4, 2020 to victims choosing not to pay due to a lack of trust in the attackers. “Coveware continues to witness signs that stolen data is not deleted or purged after payment. Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur,” explained Coveware, in its Q4 Ransomware Report.

The post Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers appeared first on HIPAA Journal.

Feds Release Ransomware Fact Sheet

A ransomware fact sheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF) to raise awareness of the threat of ransomware attacks and provide insights that can be leveraged to prevent and mitigate attacks.

The fact sheet was developed by an interagency group of more than 15 government agencies and is primarily intended for use by police and fire departments, state, local, tribal and territorial governments, and critical infrastructure entities. The fact sheet was released as part of the “Reduce the Risk of Ransomware Campaign” launched by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) in January 2021.

The fact sheet explains the impact ransomware attacks have had on the public sector, provides information on U.S. government efforts to combat ransomware threats, and details the most common methods used by threat actors to gain access to networks to deploy ransomware payloads: Phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities.

Phishing emails contain either a malicious link or file attachment. If the user opens the attachment or visits the link, code is executed which downloads a malicious payload. That payload may be ransomware or another malware variant which will ultimately be used to deliver ransomware. A recent report from Coveware has revealed phishing emails are now the most common method of ransomware delivery, overtaking the exploitation of RDP vulnerabilities.

Exploitation of RDP vulnerabilities is also common. RDP allows remote workers to access resources and data over the Internet. Brute force tactics are often used to guess weak passwords, and stolen credentials are purchased on darknet marketplaces; either allows the attackers to remotely access systems and deploy malware or ransomware. While less common, vulnerabilities in software are also exploited to gain control of victim systems and deploy ransomware.

Many of the recent ransomware campaigns have been highly sophisticated and targeted. While it is not possible to eliminate risk entirely, most ransomware attacks can be prevented by following cybersecurity best practices.

NCIJTF suggests:

  1. Backing up data, testing backups, and ensuring a copy is stored securely offline.
  2. Implementing multifactor authentication.
  3. Updating software and patching all systems.
  4. Ensuring security solutions such as antivirus software are kept up to date.
  5. Creating, reviewing, and testing an incident response plan.

The ransomware fact sheet can be accessed on this link.

Further information on preventing and mitigating ransomware attacks can be found here (CISA).

The post Feds Release Ransomware Fact Sheet appeared first on HIPAA Journal.

VMWare Carbon Black Explores the State of Healthcare Cybersecurity in 2020

Throughout 2020, the healthcare industry was on the frontline of the pandemic, providing medical care to patients suffering from COVID-19, while also dealing with increasing numbers of cyberattacks as cybercriminals stepped up their attacks on hospitals and health systems.

Recently, VMware Carbon Black conducted a retrospective review of the state of healthcare cybersecurity in 2020 that revealed the extent to which the healthcare industry was targeted by cybercriminals, how those attacks succeeded, and what healthcare organizations need to do to prevent cyberattacks in 2021.

VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and found 239.4 million cyberattacks were attempted in 2020, which equates to an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019.

As it became clear that the outbreak in Wuhan was turning into a pandemic, cyberattacks on healthcare providers started to increase. Between January and February 2020, cyberattacks on healthcare customers increased by 51% and continued to increase throughout the year, peaking between September and October when there was an 87% month-over-month increase in attacks. The large spike in attacks in the fall was due to increased ransomware activity, with the Ryuk ransomware gang in particular stepping up attacks on the healthcare industry.

Attacks were conducted to gain access to healthcare data for identity theft and fraud, with the stolen data bought and sold on darknet marketplaces, but the biggest threat came from ransomware. “In 2020, we saw ransomware go mainstream. The wide-reaching impact of ransomware has been assisted largely by way of affiliate programs,” explained VMware Carbon Black. “With many ransomware groups offering ransomware-as-a-service (RaaS), making the deployment of ransomware easily accessible to millions of cybercriminals who previously didn’t have the tools to carry out these attacks.” The high potential rewards have drawn many individuals into ransomware distribution who would otherwise have lacked the skills to conduct these attacks. Cybercriminals are also recruiting insiders who can provide access to networks in exchange for large sums of money or a cut of any ransoms paid.

Double extortion tactics have also been extensively adopted by ransomware gangs to increase the likelihood of victims paying, if only to prevent the exposure of stolen data rather than for the keys to recover encrypted files. Much of the stolen data is being offered for sale on dark web sites, especially stolen protected health information and COVID-19 test result data.

2020 saw many threat actors join forces, sharing resources and exchanging tactics, with access to compromised systems being sold or handed to other threat groups to conduct their own attacks. Collaboration between threat groups is increasing, and threat actors are discovering new ways of gaining access to networks to deploy their malicious payloads.

The researchers saw attacks increase throughout 2020 and see no sign that they will slow as 2021 progresses; if anything, attacks are likely to continue to increase.

VMware Carbon Black makes three recommendations for CISOs to stay one step ahead of attackers. First, most AV solutions focus only on the delivery stage. For much better protection, healthcare organizations should deploy next-generation antivirus solutions that protect against every stage of a ransomware attack, from delivery to propagation to encryption. Second, endpoint protection solutions should be chosen that can be rapidly scaled and deployed to protect new users, while maintaining data privacy, compliance, and security practices.
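The “encryption stage” mentioned above is observable on the endpoint: one process rewrites many files in quick succession with near-random (high-entropy) content, frequently renaming them to a new extension. The Python below is an added illustration of that kind of behavioural check, not VMware Carbon Black’s code or product logic; the process names, paths, timestamps and thresholds are constructed for the example, and the “ciphertext” is simulated with SHA-256 output rather than real encryption.

```python
"""Flag encryption-stage ransomware behaviour from a stream of file-write events.

All events below are constructed sample data. A real sensor would obtain them
from a file-system minifilter or an EDR agent; here they are plain dicts.
"""
import hashlib
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.5          # bits/byte; encrypted or compressed data sits near 8
FILE_THRESHOLD = 8               # distinct files rewritten at high entropy ...
WINDOW = timedelta(seconds=60)   # ... by one process within this window => alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 run in counter mode."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:n])


PLAINTEXT = (b"Patient presented with fever and cough; advised rest and fluids. " * 70)[:4096]

# Constructed event stream (hypothetical process names and paths).
SAMPLE_EVENTS = [
    # Ransomware process: ten records overwritten with random-looking bytes and renamed.
    *[{"time": f"2020-10-14T03:12:{s:02d}", "process": "svchost32.exe",
       "path": f"C:\\Shares\\Records\\patient_{i:03d}.pdf",
       "renamed_to": f"C:\\Shares\\Records\\patient_{i:03d}.pdf.locked",
       "data": pseudo_random_bytes(f"ct{i}", 4096)}
      for i, s in enumerate(range(0, 30, 3))],
    # Backup job: one large compressed archive, also high entropy, but one file only.
    {"time": "2020-10-14T03:12:05", "process": "backup.exe",
     "path": "D:\\Backups\\nightly.7z", "renamed_to": None,
     "data": pseudo_random_bytes("archive", 4096)},
    # Clinician saving notes: many files, but plaintext-like content.
    *[{"time": f"2020-10-14T03:12:{s:02d}", "process": "notepad.exe",
       "path": f"C:\\Users\\nurse01\\notes_{i}.txt", "renamed_to": None,
       "data": PLAINTEXT} for i, s in enumerate(range(1, 30, 3))],
]


def detect_encryption_stage(events, entropy_threshold=ENTROPY_THRESHOLD,
                            file_threshold=FILE_THRESHOLD, window=WINDOW):
    """Return one alert dict per process that mass-rewrites files with high-entropy data."""
    recent = defaultdict(deque)   # process -> deque of (ts, path, renamed?) within window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if shannon_entropy(ev["data"]) < entropy_threshold:
            continue   # plaintext-like write; not an encryption indicator
        ts, proc = datetime.fromisoformat(ev["time"]), ev["process"]
        q = recent[proc]
        q.append((ts, ev["path"], ev.get("renamed_to") is not None))
        while q and ts - q[0][0] > window:
            q.popleft()
        files = {p for _, p, _ in q}
        if len(files) >= file_threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append({"process": proc, "files": len(files),
                           "renamed": sum(1 for _, _, r in q if r),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_stage(SAMPLE_EVENTS):
        print(alert)
```

Entropy alone is a weak signal, since archives, images and Office documents (which are ZIP containers) are all high-entropy; the example therefore keys on the number of distinct files one process rewrites in a short window and records how many were renamed, which is what separates the backup job from the ransomware process in the sample. A product that claims to cover the encryption stage needs to act on this kind of signal in real time (suspend the process, snapshot the affected files) rather than merely log it.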

Lastly, healthcare CISOs need to be proactive and address vulnerabilities before they are exploited. That means deploying IT asset-tracking tools that provide full visibility into every device that connects to the network, so that CISOs can track configuration drift, quickly remediate issues, and ensure all devices are patched and protected.

The post VMWare Carbon Black Explores the State of Healthcare Cybersecurity in 2020 appeared first on HIPAA Journal.