Healthcare Cybersecurity

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported to the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated number of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud.

Healthcare data breaches Sept 2019 to Oct 2020

The protected health information of more than 2.5 million individuals was exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months.

Healthcare records breaches in the past 12 months

Largest Healthcare Data Breaches Reported in October 2020

| Name of Covered Entity | Covered Entity Type | Type of Breach | Individuals Affected | Breach Cause |
|---|---|---|---|---|
| Luxottica of America Inc. | Business Associate | Hacking/IT Incident | 829,454 | Ransomware Attack |
| AdventHealth Orlando | Healthcare Provider | Hacking/IT Incident | 315,811 | Blackbaud Ransomware |
| Presbyterian Healthcare Services | Healthcare Provider | Hacking/IT Incident | 193,223 | Phishing Attack |
| Sisters of Charity of St. Augustine Health System | Healthcare Provider | Hacking/IT Incident | 118,874 | Blackbaud Ransomware |
| Timberline Billing Service, LLC | Business Associate | Hacking/IT Incident | 116,131 | Ransomware Attack |
| Greenwich Hospital | Healthcare Provider | Hacking/IT Incident | 95,000 | Blackbaud Ransomware |
| OSF HealthCare System | Healthcare Provider | Hacking/IT Incident | 94,171 | Blackbaud Ransomware |
| Geisinger | Healthcare Provider | Hacking/IT Incident | 86,412 | Blackbaud Ransomware |
| CCPOA Benefit Trust Fund | Health Plan | Hacking/IT Incident | 80,000 | Ransomware Attack |
| Ascend Clinical, LLC | Healthcare Provider | Hacking/IT Incident | 77,443 | Phishing and Ransomware Attack |
| Centerstone of Tennessee, Inc. | Healthcare Provider | Hacking/IT Incident | 50,965 | Phishing Attack |
| Georgia Department of Human Services | Healthcare Clearing House | Hacking/IT Incident | 45,732 | Phishing Attack |
| Connecticut Department of Social Services | Health Plan | Hacking/IT Incident | 37,000 | Phishing Attack |
| State of North Dakota | Healthcare Provider | Hacking/IT Incident | 35,416 | Phishing Attack |
| AdventHealth Shawnee Mission | Healthcare Provider | Hacking/IT Incident | 28,766 | Blackbaud Ransomware |

Causes of October 2020 Healthcare Data Breaches

As the above table shows, the healthcare industry in the United States has faced a barrage of ransomware attacks. Two thirds of the largest 15 data breaches reported in October involved ransomware. CISA, the FBI, and the HHS issued a joint alert in October after credible evidence emerged indicating the Ryuk ransomware gang was targeting the healthcare industry, although that is not the only ransomware gang that is conducting attacks on the healthcare sector.

Phishing attacks continue to plague the healthcare industry. Phishing emails are often used to deliver Trojans such as Emotet and TrickBot, along with the Bazar Backdoor, which act as ransomware downloaders.

Phishing and ransomware attacks are classed as hacking/IT incidents on the HHS breach portal. In total there were 46 hacking/IT incidents reported to the HHS’ Office for Civil Rights in October – 73% of all reported breaches in October – and 2,450,645 records were breached in those incidents – 97.39% of all records breached in the month. The mean breach size was 53,275 records and the median breach size was 13,069 records.

There were 12 unauthorized access/disclosure incidents reported in October involving 54,862 healthcare records. The mean breach size was 4,572 records and the median breach size was 1,731 records. There were 4 reported cases of theft of paperwork or electronic devices containing PHI. The mean breach size was 4,290 records and the median breach size was 1,293 records. One incident was reported that involved the improper disposal of computer equipment that contained the ePHI of 4,290 individuals.

Causes of October 2020 Healthcare Data Breaches

The graph below shows where the breached records were located. The high number of network server incidents shows the extent to which malware and ransomware were used in attacks. Almost a third of the attacks involved ePHI stored in email accounts, most of which were phishing attacks. Several breaches involved ePHI stored in more than one location.

Location of PHI in October 2020 Healthcare Data Breaches

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in October with 54 breaches reported, followed by health plans with 3 breaches and one breach at a healthcare clearinghouse. While there were only 5 data breaches reported by business associates of covered entities, business associates were involved in 23 data breaches in October, with 18 of the incidents being reported by the affected covered entity.

October 2020 Healthcare Data Breaches by Covered Entity Type

Healthcare Data Breaches by State

October’s 63 data breaches were spread across 27 states. Connecticut was the worst affected state with 7 breaches, followed by California and Texas with 5 each, Florida, Ohio, Pennsylvania, and Virginia with 4 apiece, Iowa and Washington with 3, and Arkansas, Michigan, New Mexico, New York, Tennessee, and Wisconsin with 2. A single breach was reported in each of Georgia, Hawaii, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Missouri, North Dakota, New Jersey, and South Carolina.

HIPAA Enforcement Activity in October 2020

2020 has seen more financial penalties imposed on covered entities and business associates than any other year since the HIPAA Enforcement Rule gave OCR the authority to issue financial penalties for noncompliance. Up to October 30, 2020, OCR has announced 15 settlements to resolve HIPAA violation cases, including 4 financial penalties in October.

The health insurer Aetna paid a $1,000,000 penalty to resolve multiple HIPAA violations that contributed to the exposure of HIV medication information in a mailing. OCR investigators found issues with the technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI, an identity check failure, a minimum necessary information failure, insufficient administrative, technical, and physical safeguards, and an impermissible disclosure of the PHI of 18,849 individuals.

The City of New Haven, CT paid a $202,400 penalty to resolve its HIPAA case with OCR that stemmed from a failure to promptly restrict access to systems containing ePHI following the termination of an employee. That failure resulted in an impermissible disclosure of the ePHI of 498 individuals. OCR also determined there had been a risk analysis failure and a failure to issue unique IDs to allow system activity to be tracked.

Two of the penalties were issued as part of OCR’s HIPAA Right of Access enforcement initiative, with the fines imposed for the failure to provide patients with timely access to their medical records at a reasonable cost. Dignity Health, dba St. Joseph’s Hospital and Medical Center, settled its case with OCR and paid a $160,000 penalty and NY Spine settled for $100,000.

State attorneys general also play a role in the enforcement of HIPAA compliance. October saw Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC settle a multi-state action related to a breach of the ePHI of 6.1 million individuals in 2014. The investigators determined there had been a failure to implement and maintain reasonable security practices. The case was settled for $5 million.

The post October 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users

Office 365 users have been warned about an ongoing phishing campaign which harvests user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested.

A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes.

The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code.

Microsoft notes that the redirector sites have a unique subdomain that includes a username and the targeted organization’s domain name to add realism to the campaign. The phishing URLs have an extra dot after the top-level domain, after which is the Base64 encoded email address of the recipient. The phishing URLs are often added to compromised websites, rather than used on attacker owned domains. Since many different subdomains are used, it is possible to send large volumes of phishing emails and evade security solutions.
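The two URL traits described above (the organization's own domain embedded in a lookalike name, and a Base64-encoded recipient address after an extra dot following the TLD) are the kind of thing a defender can hunt for in proxy or mail-gateway logs. The following is an added example, not code from Microsoft or from the original post; the sample URLs, the organization domain `victim.example` and the exact placement of the token directly after the TLD are constructed assumptions.

```python
"""Flag URLs showing the traits Microsoft described for this Office 365 phishing campaign.
Added example (not from Microsoft or the original post); sample data is constructed."""
import base64
import re
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# An extra dot after a TLD-like label, then a Base64-looking token that runs to the next
# path/query delimiter. Assumption: the token contains no "/" (URL-safe or slash-free alphabet).
TLD_DOT_B64_RE = re.compile(r"\.[A-Za-z]{2,63}\.([A-Za-z0-9+=_-]{8,})(?=[/?#]|$)")


def decode_b64_email(token):
    """Return the decoded e-mail address if token is Base64 of one, otherwise None."""
    padded = token + "=" * (-len(token) % 4)          # tolerate stripped padding
    std = padded.replace("-", "+").replace("_", "/")   # accept URL-safe alphabet too
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):           # binascii.Error is a ValueError
        return None
    return text if EMAIL_RE.match(text) else None


def org_domain_embedded(name, org_domain):
    """True when org_domain appears inside a dotted name that is NOT actually under org_domain,
    e.g. jdoe.victim.example.attacker.example (the lookalike subdomain trick)."""
    name = name.lower().rstrip(".")
    org = org_domain.lower()
    if name == org or name.endswith("." + org):
        return False                                   # genuinely the organization's host
    labels, org_labels = name.split("."), org.split(".")
    n = len(org_labels)
    return any(labels[i:i + n] == org_labels for i in range(len(labels) - n + 1))


def analyze_url(url, org_domain):
    """Return the indicators found in one URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    # The lookalike name may be the host itself or a dotted path segment on a compromised site.
    candidates = [host] + [seg for seg in parsed.path.split("/") if "." in seg]
    match = TLD_DOT_B64_RE.search(url)                 # search the raw URL: hostname is lowercased
    email = decode_b64_email(match.group(1)) if match else None
    embedded = any(org_domain_embedded(c, org_domain) for c in candidates)
    return {
        "url": url,
        "org_domain_embedded": embedded,
        "b64_recipient": email,
        "suspicious": embedded or email is not None,
    }


def scan(urls, org_domain):
    """Return the analysis records for URLs that show at least one indicator."""
    return [r for r in (analyze_url(u, org_domain) for u in urls) if r["suspicious"]]


# Constructed sample data (assumptions, not observed campaign values).
ORG_DOMAIN = "victim.example"
RECIPIENT_B64 = base64.b64encode(b"jdoe@victim.example").decode()  # amRvZUB2aWN0aW0uZXhhbXBsZQ==
SAMPLE_URLS = [
    # lookalike host: username + target org domain, token after the attacker TLD
    f"https://jdoe.victim.example.cdn-attacker.example.{RECIPIENT_B64}/login",
    # same pattern hosted as a path on a compromised third-party site
    f"https://compromised-blog.example/wp-content/uploads/jdoe.victim.example.portal-attacker.example.{RECIPIENT_B64}",
    # benign: the organization's own host
    "https://sharepoint.victim.example/sites/hr/Shared%20Documents",
    # benign: ordinary external link
    "https://docs.microsoft.com/en-us/microsoft-365/security/",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_URLS, ORG_DOMAIN):
        print(rec["url"], "->", rec["b64_recipient"], "embedded:", rec["org_domain_embedded"])
```

Feeding real proxy logs through `scan` gives both the flagged URL and the decoded recipient, which identifies which mailbox the lure was aimed at.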

Office 365 credentials are highly sought after. Email accounts can be accessed and used for further phishing attacks, business email compromise scams, and the accounts often contain a wealth of sensitive data, including protected health information. Once an attacker has access to the Office 365 environment, they can access sensitive stored documents, and conduct further attacks on the organization.

Microsoft explained that Microsoft 365 Defender for Office 365 can detect phishing emails in this campaign and resolve attacks, but a recent study by IRONSCALES has shown that many email security gateways fail to block these sophisticated phishing threats.

The Israel-based security firm recently published data from a test of the leading secure email gateways and found they failed to block around half of advanced phishing attempts, including spear phishing and social engineering attacks. The company used its Emulator to test the effectiveness of five of the top secure email gateways, including Microsoft’s Advanced Threat Protection (ATP), and simulated real-world phishing scenarios to see how each performed.

For the tests, IRONSCALES conducted 162 emulations (16,200 emails) against the top 5 secure email gateways and found 47% of the emails were delivered to inboxes – 7,614 emails. The penetration rate – the percentage of emails that bypassed the secure email gateways – ranged from 35% to 55% across the 5 tested security solutions.

The leading secure email gateways were effective at blocking emails containing malicious attachments, with only 4% being delivered to inboxes, and just 3% of emails containing links to malicious files were delivered. However, they were far less effective at blocking social engineering and email impersonation attacks, which accounted for 30% of all successfully delivered emails. Domain name impersonations accounted for 25% of the delivered emails. These emails linked to a domain name that had the right records set in the DNS. Emails containing links to URLs containing fake login pages were delivered 16% of the time.

The tests highlighted the need for AI-driven security solutions that have natural language understanding and the importance of providing security awareness training to the workforce, as many of these advanced phishing threats will reach end user inboxes.

The post Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users appeared first on HIPAA Journal.

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, stating, “At this time, we consider the threat to be credible, ongoing, and persistent.”

In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020.

Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a matter of days or even hours.

A long period between compromise and deployment gives victim organizations time to identify the compromise and take steps to eradicate the hackers from the network in time to prevent file encryption. The short duration makes this far more difficult.

“CISA, FBI, and HHS urge health delivery organizations and other HPH sector entities to work towards enduring and operationally sustainable protections against ransomware threats both now and in the future.”

A variety of techniques are now being used to deploy ransomware, including other malware variants such as TrickBot and BazarLoader, which are commonly delivered via phishing emails, as well as manual deployment after networks have been compromised by exploiting vulnerabilities.

Healthcare organizations should take steps to combat the ransomware threat by addressing the vulnerabilities that are exploited to gain access to healthcare networks. This includes conducting vulnerability scans to identify vulnerabilities before they are exploited and ensuring those vulnerabilities are addressed. Anti-spam and anti-phishing solutions should be implemented to block the email attack vector, and healthcare organizations should adopt a 3-2-1 backup approach to ensure files can be recovered in the event of an attack. The 3-2-1 approach involves 3 copies of backups, on two different media, with one copy stored securely off-site. The recent ransomware attack on Alamance Skin Center highlights the importance of this backup strategy. Patient information was permanently lost as a result of the attack when the ransom was not paid.

“Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods,” explained ASPR. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”

Indicators of Compromise (IoCs), suggested mitigations, and ransomware best practices are detailed in the October 28, 2020 CISA/FBI/HHS alert.

The post ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector appeared first on HIPAA Journal.

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine.

Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage.

A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identify theft, and the increasingly popular route of ransomware.

Gone are the days where healthcare companies only had to deal with issues related to patient care because they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most updated data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of the IT team should have only the level of access required to ensure both HIPAA compliance and data security, including restrictions on time, scope, and job function. Each vendor rep should use a unique username and password to log into the system and go through multi-level authentication that’s attached to their identities. On top of that, an automatic logoff upon a short period of inactivity can prevent unauthorized access under another’s credentials.

Why Auditable Reports are Necessary

An automatic audit system permits healthcare companies to screen for unauthorized access and to trace the source of the data breach. An effective audit system maintains detailed login information of every support connection system and delivers a complete history of every login, including time, place, personnel and scope of access to the patients’ records, and other sensitive information.

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.

The Importance of Data Integrity and Security

The weak link in data security generally occurs at the points of access and transmission. However, regular updates to security settings protect data from corruption and prevent a breach of data during transmission. To protect the data’s integrity and security, recommendations include customer control of configurable encryption, the Advanced Encryption Standard (AES) in 128-, 192-, and 256-bit modes, and the Data Encryption Standard (DES) in its Triple DES form.

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance. If you’re worried about your vendors not having your compliance in mind, it is of the utmost importance to ensure you are vetting them before onboarding them, as well as checking in on them and doing an “audit” of some sort to make sure you have a ledger of all vendors.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients

The post Vendor Access and HIPAA Compliance: Are you Secured? appeared first on HIPAA Journal.

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data.

The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft, and three APT groups are known to be conducting attacks – the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea – the Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29).

The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently in advanced clinical trials. One of the targeted companies has developed a COVID-19 test and the clinical research firm is involved in conducting COVID-19 vaccine trials. While the attacked companies were not named by Microsoft, cyberattacks have been reported by the Indian pharma firms Dr. Reddy’s and Lupin, and the U.S. biotech firm Moderna is known to have been attacked.

Microsoft reports that some of the attacks have been successful, although Microsoft did not say whether that means systems have been breached or if intellectual property and vaccine and research data were obtained.

The Russian Strontium group has favored brute force tactics to crack passwords for employee accounts, while the Lazarus group has been sending spear phishing emails to key employees to obtain passwords. One tactic used by the Lazarus group involves posing as recruiters and sending fake job descriptions. Cerium, which is believed to be a new North Korean hacking group, has also been using phishing emails to gain access to employee credentials. Its campaign involved impersonating the World Health Organization (WHO).

The motivation behind the attacks is clear. Research and vaccine data would give foreign countries a huge strategic advantage, with research and vaccine data potentially worth billions of dollars. These attacks appear to be solely concerned with data theft. The attacks so far do not appear to have been conducted to hamper efforts to conduct research or develop vaccines, but there are many cybercriminal groups that are conducting destructive cyberattacks.

Healthcare organizations have faced a barrage of financially motivated cyberattacks by cybercriminals organizations using ransomware in recent months. Recently, CISA, the FBI, and HHS issued a joint advisory following an increase in targeted Ryuk ransomware attacks on healthcare organizations in the United States. The Ryuk and other ransomware gangs have also attacked healthcare organizations in France, Germany, Thailand, Spain, and the Czech Republic. The ransomware attack on a hospital in Germany resulted in the first known patient death due to a ransomware attack, and several attacks in the United States have resulted in major disruption and have forced hospitals to cancel elective procedures and reroute patients to alternative healthcare facilities.

Several industry groups are offering assistance to organizations in the healthcare sector such as the Health Sector Coordinating Council and Health-ISAC, and are providing indicators of compromise (IoCs) and detailed information on recent attacks to help organizations improve their defenses against cyberattacks and better defend their networks and data.

Microsoft has been taking an active role in attack prevention and has recently participated in the Paris Peace Forum, a multi-stakeholder coalition working on combating these attacks, in particular to stop attacks on critical infrastructure from succeeding. Prior to the Paris Peace Forum, over 65 healthcare organizations joined the Paris Call for Trust and Security in Cyberspace. The Paris Call is the largest multi-stakeholder coalition to date that addresses cybersecurity issues faced by the healthcare industry.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Tom Burt, Microsoft Vice President for Customer Security & Trust, in a Friday blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”

The post Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development appeared first on HIPAA Journal.

Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware

A new phishing campaign is being conducted using the TrickBot botnet which delivers the Bazar backdoor and Buer loader malware. The campaign was detected by researchers at Area 1 Security and has been running since early October.

The Bazar backdoor is used to gain persistent access to victims’ networks, while the Buer loader is used to download additional malicious payloads. Previously, Buer has been used to deliver ransomware payloads such as Ryuk and tools such as CobaltStrike.

Area 1 Security researchers detected two email lures in this campaign. One is a fake notification about termination of employment and the other a fake customer complaint. The employment termination email appears to have been sent by an authority figure in the head office of the company being targeted and states that the individual has been terminated. Further information on the termination and payout is provided in a document that appears to be hosted on Google Docs.

If the link is clicked, the user will be directed to a Google Doc decoy preview page and is advised to click another link if they are not redirected. That link directs them to a URL where a file download is initiated. The user will be presented with a security warning asking if they want to run the file. Doing so launches a PE32+ executable on Windows systems and triggers a sequence of events that results in the download of either the Buer loader or the Bazar backdoor. Constant Contact links are also being used in this campaign.

The use of cloud services for hosting malicious documents is now commonplace. It is a tactic used to bypass security solutions that scan attached files for malicious code such as macros. By linking to legitimate cloud services, some security solutions will fail to detect the link as malicious and will deliver the emails to users’ inboxes. Should the links in the emails be classified as malicious by URL scanning security solutions, the attackers can simply switch to different URLs.

Last month Microsoft announced a takedown operation that saw it take control of the infrastructure used by the operators of TrickBot. This major operation was only temporarily effective at disrupting the botnet infrastructure. Microsoft said the takedown operation was only likely to be temporary, as the TrickBot operators would likely rebuild their operation on different infrastructure.

Area 1 Security researchers note that this campaign resumed just two days after the takedown of the botnet and, this time around, the TrickBot gang is using sinkhole-resistant EmerDNS TLDs, which make any further takedown attempts difficult.

The post Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware appeared first on HIPAA Journal.

Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption

Coveware has released its Quarterly Ransomware report for Q3, 2020 highlighting the latest ransomware attack trends. The report confirms that data exfiltration prior to the use of ransomware continues to be a popular tactic, with around half of all ransomware attacks involving data theft. Attacks involving the theft of data doubled in Q3, 2020.

In cases where data are stolen prior to file encryption, victims are told that if they do not pay the ransom demand their data will be leaked online or sold to pressure victims into paying, but ransomware victims should carefully consider whether or not to pay. There are no guarantees that paying the ransom will prevent publication of stolen data.

Ransomware Gangs Renege on Promises to Delete Data

The Maze ransomware gang started the double-extortion trend in 2019 and many ransomware operators soon followed suit. In some cases, two ransom demands are issued: one to return or delete stolen data and the other for the keys to unlock the encrypted files. The operators of the AKO and Ranzy ransomware variants have adopted this dual ransom demand tactic.

The Coveware report reveals that, in some cases, the attackers do not make good on their promise even when the victim pays the ransom in full. There have been several cases where stolen data were leaked or stolen after the ransom was paid, and one gang is known to re-extort victims.

The report lists four ransomware operations known not to delete data after the ransom has been paid. The operators of Sodinokibi ransomware have re-extorted some victims, the Netwalker and Mespinoza operators have subsequently leaked stolen data after the ransom was paid in full, while the operators of Conti ransomware have provided victims with proof that files have been deleted, but the proof was for the deletion of fake files. Maze, Sekhmet, and Egregor have similarly leaked data on occasion, although it is unclear whether the leaks after payment were intentional.

Coveware explains that some ransomware operations see data held by multiple parties, which means that even if the threat actor deletes data, there is no guarantee that all copies will be deleted. There have been cases where stolen data are posted in error on leak sites before the victim is even given the chance to make payment.

Coveware warns its customers that payment of the ransom does not guarantee stolen data will not be shared with other threat groups or be used in further extortion attempts. Coveware tells its customers to assume theft of data is a data breach and ensure all individuals impacted by the breach are notified to give them the opportunity to monitor their accounts and take steps to protect their identities, regardless of whether the ransom demand is paid.

Ransom Demands Continue to Increase

The report shows the average ransom demand has been steadily increasing over the past 8 quarters, although the quarterly increases have been more substantial each quarter since Q3, 2019. Ransom demands increased once again in Q3, 2020 with the average demand up 31% from Q2, 2020 at $233,817, with the median payment rising by $1,935 to $110,532. The increase in the average payment indicates ransomware gangs are conducting more attacks on large organizations, where the potential returns are much higher for a similar level of effort.

Biggest Ransomware Threats in Q3, 2020

The biggest ransomware threats in Q3, 2020 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer, with the top two ransomware variants accounting for 16.2% and 13.6% of attacks respectively. Attacks with Maze ransomware peaked in Q3; however, the operators have now shut down their operation, with affiliates involved in the distribution of the ransomware mostly switching to the Sekhmet and Egregor ransomware-as-a-service operations. Attacks involving those ransomware variants increased in Q3 and are expected to continue to increase in Q4.

RDP and Phishing are the Main Attack Vectors

The most common attack vectors used to distribute ransomware have changed little over the past few quarters. Attacks on RDP are still the most common, accounting for more than 50% of infections. This is the attack vector favored by the most prolific ransomware groups such as Sodinokibi and Maze (Sekhmet/Egregor). Almost 30% of attacks see the ransomware distributed via phishing emails, with the number of phishing-related attacks having steadily increased since Q4, 2019. Software vulnerabilities and other forms of compromise are used in less than 10% of attacks.

There are worrying signs that the supply of stolen RDP credentials is now outstripping demand, which is pushing down the price of those credentials. As the cost falls, this attack vector opens up to less technically sophisticated groups, who may choose this method to attack organizations. Coveware warns that this is the most cost-effective way to compromise organizations, and the importance of properly securing RDP connections cannot be overstated.
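Because RDP credential abuse precedes more than half of the infections Coveware describes, the detection a defender most wants is a rule over Windows logon events rather than a signature for any one ransomware family. The following is an added example, not code from the Coveware report or from HIPAA Journal; it runs over a constructed set of Security log lines (event IDs 4625 and 4624 with LogonType 10, which is RemoteInteractive/RDP) and raises an alert when one source address accumulates a burst of failures, then a second, higher-priority alert if that same source subsequently logs on successfully. The line format, the threshold and the window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log lines (not real logs), one per logon event,
# with the fields a SIEM would normally extract from 4624/4625 records.
# LogonType 10 = RemoteInteractive (RDP). 203.0.113.0/24 is a documentation range.
LOGON_EVENTS = """\
2020-10-28T02:14:05 EventID=4625 LogonType=10 User=administrator Source=203.0.113.7
2020-10-28T02:14:07 EventID=4625 LogonType=10 User=admin Source=203.0.113.7
2020-10-28T02:14:09 EventID=4625 LogonType=10 User=backup Source=203.0.113.7
2020-10-28T02:14:11 EventID=4625 LogonType=10 User=jsmith Source=203.0.113.7
2020-10-28T02:14:13 EventID=4625 LogonType=10 User=scanner Source=203.0.113.7
2020-10-28T02:14:15 EventID=4625 LogonType=10 User=svc_sql Source=203.0.113.7
2020-10-28T02:14:40 EventID=4624 LogonType=10 User=svc_sql Source=203.0.113.7
2020-10-28T09:00:00 EventID=4625 LogonType=10 User=mjones Source=10.0.0.25
2020-10-28T09:00:30 EventID=4624 LogonType=10 User=mjones Source=10.0.0.25
2020-10-28T09:05:00 EventID=4624 LogonType=2 User=mjones Source=10.0.0.25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed line format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_rdp_abuse(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (rule, source, user) tuples.

    rdp_bruteforce:          >= threshold RDP logon failures from one source
                             inside the sliding window (raised once per source).
    rdp_bruteforce_success:  an RDP logon succeeded from a source that was
                             still bursting inside the window (likely compromise).
    """
    alerts = []
    failures = defaultdict(list)   # source -> timestamps of recent 4625/type-10 events
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:   # only RemoteInteractive logons matter here
            continue
        src = ev["src"]
        if ev["eid"] == 4625:
            failures[src].append(ev["ts"])
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, None))
        elif ev["eid"] == 4624:
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(("rdp_bruteforce_success", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(parse_events(LOGON_EVENTS)):
        print(alert)
```

The single failed logon from 10.0.0.25 followed by a success never reaches the threshold and produces nothing, which is the point of a windowed count: a mistyped password is not an incident, a credential-stuffing run that ends in a successful session is. In production the same logic would be fed from the SIEM and the success alert would be the trigger to disable the account and isolate the host.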

The post Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption appeared first on HIPAA Journal.

Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication

A new report published by CoreView has revealed the majority of Microsoft 365 admins have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and are failing to implement other basic security practices. According to the study, 78% of Microsoft 365 administrators have not activated multi-factor authentication and 97% of Microsoft 365 users are not using MFA.

“This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” explained the researchers.

The SANS Institute says 99% of data breaches can be prevented by using MFA, while Microsoft explained in an August 2020 blog post that MFA is the single most important measure to implement to prevent unauthorized account access, explaining that 99.9% of account breaches can be prevented by using MFA.

The CoreView study also revealed 1% of Microsoft 365 admins do not use strong passwords, even though hackers are adept at cracking passwords with automated brute force attacks. Even when strong passwords are used, there is no guarantee that a breach will be prevented. A strong password offers no protection if a user falls for a phishing scam. If passwords are stolen, MFA offers protection and should prevent those passwords from being used to gain access to accounts.

The CoreView M365 Application Security, Data Governance and Shadow IT Report revealed Microsoft 365 administrators are given excessive control and have access to a treasure trove of sensitive information. 57% of Microsoft 365 admins were found to have excessive permissions to access, modify, and share business-critical data. A further 36% of Microsoft 365 administrators are global admins, giving them full control over their organization’s entire Microsoft 365 environment, and 17% of Microsoft 365 admins are also Exchange admins and have access to the email accounts of the entire organization, including C-Suite accounts. Should Microsoft 365 admin accounts be compromised, hackers would have access to the entire Microsoft 365 environment and huge volumes of sensitive data. Not only does the Microsoft 365 environment contain a huge amount of easily monetized data, accounts are also linked to other systems and could be used for a much broader attack on the organization.
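The two findings above (admins without MFA, and admins holding more control than their job needs) are both things a tenant can audit for itself from an export of role assignments and per-user MFA state. The following is an added example and is not code from CoreView, Microsoft or HIPAA Journal; it runs over a constructed tenant snapshot and produces the same kind of percentages the report quotes, plus per-account findings. The record layout, the role names treated as high impact and the limit on the number of Global Administrators are assumptions for the example. MFA states use the legacy per-user vocabulary, where "Enabled" means the user has been told to register but has not yet done so and can still sign in without a second factor, so only "Enforced" counts as protected.

```python
# Constructed tenant snapshot (not real data): the shape of an export that joins
# directory role assignments with each user's per-user MFA state.
TENANT_USERS = [
    {"upn": "alice@example.com", "roles": ["Global Administrator"], "mfa": "Enforced"},
    {"upn": "bob@example.com", "roles": ["Global Administrator", "Exchange Administrator"], "mfa": "Disabled"},
    {"upn": "carol@example.com", "roles": ["Exchange Administrator"], "mfa": "Enabled"},
    {"upn": "dave@example.com", "roles": ["Global Administrator"], "mfa": "Disabled"},
    {"upn": "erin@example.com", "roles": ["SharePoint Administrator"], "mfa": "Enforced"},
    {"upn": "frank@example.com", "roles": [], "mfa": "Disabled"},
    {"upn": "grace@example.com", "roles": [], "mfa": "Enforced"},
]

# Roles whose compromise exposes the whole tenant or every mailbox (assumed list).
HIGH_IMPACT_ROLES = {"Global Administrator", "Exchange Administrator",
                     "Privileged Role Administrator", "Security Administrator"}


def _pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100 * numerator / denominator, 1) if denominator else 0.0


def audit(users, max_global_admins=4):
    """Return (summary, findings) for a tenant snapshot.

    summary:  the report-style percentages (admins without MFA, global admin share,
              all users without MFA).
    findings: (severity, subject, description) tuples, worst problems first in
              the sense that every admin without enforced MFA is listed.
    """
    admins = [u for u in users if u["roles"]]
    findings = []
    for u in admins:
        roles = set(u["roles"])
        if u["mfa"] != "Enforced":
            # Any admin without MFA is serious; a high-impact role makes it critical.
            sev = "critical" if HIGH_IMPACT_ROLES & roles else "high"
            findings.append((sev, u["upn"], f"admin without enforced MFA ({u['mfa']})"))
        if {"Global Administrator", "Exchange Administrator"} <= roles:
            # Global Administrator can already manage Exchange; the extra role is
            # redundant standing privilege and an unnecessary mailbox exposure.
            findings.append(("medium", u["upn"],
                             "Global Administrator also holds Exchange Administrator"))
    global_admins = [u for u in admins if "Global Administrator" in u["roles"]]
    if len(global_admins) > max_global_admins:
        findings.append(("medium", "tenant",
                         f"{len(global_admins)} Global Administrators (limit {max_global_admins})"))
    summary = {
        "admins": len(admins),
        "admins_without_mfa_pct": _pct(sum(1 for u in admins if u["mfa"] != "Enforced"), len(admins)),
        "global_admin_pct": _pct(len(global_admins), len(admins)),
        "users_without_mfa_pct": _pct(sum(1 for u in users if u["mfa"] != "Enforced"), len(users)),
    }
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit(TENANT_USERS)
    print(summary)
    for finding in findings:
        print(*finding, sep="\t")
```

On the constructed data three of five admins lack enforced MFA (60%), matching the order of magnitude CoreView reports, and the two Global Administrators without MFA are exactly the accounts whose compromise would hand over the whole tenant. The same audit run against a real export is the quickest way to turn the report's percentages into a list of accounts to fix.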

The study also revealed companies have invested heavily in productivity and operations applications that empower employees to communicate, collaborate, and work more efficiently, but there has been a rise in shadow IT, especially SaaS applications. SaaS applications are often used by employees without the knowledge of the IT department. Many of those SaaS applications lack appropriate security and open the door to preventable cyberattacks.

“At a basic level, malicious apps can siphon off critical data. Users could also potentially be sharing sensitive company information through these apps to compromised parties, putting organizations at a substantial risk of a data breach,” explained CoreView in the report. “It’s vital that organizations properly monitor these apps for potential security gaps.”

Organizations that move to Microsoft 365 often underestimate their security and governance responsibilities, mistakenly believing that Microsoft 365 is secure by default and includes the necessary protections to prevent data breaches. While Microsoft 365 can be secure, organizations must be proactive and ensure that security is addressed, that there is sufficient oversight of shadow IT, and that proper data governance is in place.

The post Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication appeared first on HIPAA Journal.

Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued an advisory warning about increased Ryuk ransomware activity targeting the healthcare and public health sector.

Credible evidence has been obtained indicating an increased and imminent threat to hospitals and healthcare providers in the United States. The advisory details some of the tactics, techniques, and procedures (TTPs) used by the operators of Ryuk ransomware and other cybercriminal groups who are assisting with the distribution of the ransomware to help the healthcare sector manage risk and protect their networks from attacks.

The advisory explains that Ryuk ransomware is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is a banking Trojan first identified in 2016 that has since been updated with a host of new functions. In addition to stealing banking credentials, TrickBot is capable of mail exfiltration, cryptomining, and data exfiltration from point of sale systems, and acts as a downloader of other malware variants, notably Ryuk ransomware.

In 2019, the FBI identified that a new module, named Anchor, had been added, which sends and receives data from victim machines using DNS tunneling, allowing communications with its command and control infrastructure to go undetected by many security solutions. The advisory provides indicators of compromise (IoCs) to help network defenders identify TrickBot infections.

Once Ryuk ransomware has been deployed, common off-the-shelf products such as Cobalt Strike and PowerShell Empire are used to steal credentials. “Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz,” explained CISA in the alert. “This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.”

The Ryuk threat actors use living-off-the-land techniques, using tools such as net view, net computers, and ping to find mapped network shares, domain controllers, and Active Directory. Native tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) are often used to move laterally through the network, along with third-party tools such as BloodHound.

The attackers will identify and shut down security applications to prevent detection of the ransomware and may even manually remove certain security applications that would otherwise stop the ransomware from executing. Attempts are also made to delete backup files and Volume Shadow Copies to prevent victims from recovering their files without paying the ransom.

You can view the advisory, IoCs, and suggested mitigations on this link.

Ryuk Operators Transition to Malware as a Service Tool for Distributing Ransomware

While not detailed in the recent advisory, evidence has been found to indicate the operators of Ryuk ransomware are transitioning away from TrickBot and are now using a malware-as-a-service tool to deliver their ransomware payload.

Security firm Sophos has reported the Buer loader is now being used to deliver Ryuk ransomware. The Buer loader was first advertised to other malware operators on hacking forums in August 2019 for use in delivering malware and ransomware payloads. According to the Sophos researchers, the operators of TrickBot have been using the Buer loader for several months.

The Buer loader is primarily distributed using phishing emails, often using malicious Word documents. Sophos notes that the Buer loader uses PowerShell commands to change settings on Windows devices to evade detection, including modifying the Windows Defender exclusion list. A dropper is used to deposit Buer in memory and execute the loader, which downloads Ryuk ransomware.

While the Buer loader is being used for the initial compromise to gain a foothold in networks, the tactics used by the Ryuk operators once access to the network is gained remain the same.
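The TTPs described in the advisory and in the Sophos write-up (discovery with net, persistence via scheduled tasks and services, Defender exclusion changes from PowerShell, and deletion of backups and Volume Shadow Copies) are all visible in standard Windows telemetry, and the order matters: shadow-copy deletion is the last step before encryption, so a host that hits it should be escalated immediately. The following is an added example, not code from CISA, Sophos or HIPAA Journal, that classifies a constructed set of host events (Sysmon-style process creation, event ID 1; PowerShell script block logging, 4104; scheduled task creation, 4698; service installation, 7045) and ranks hosts by how far along that chain they are. The event field names, the rule patterns and the "suspicious directory" list are assumptions for the example.

```python
import re

# Constructed host events (not from a real incident). Field names are assumed:
# eid 1 = process creation, 4104 = PowerShell script block, 7045 = new service,
# 4698 = new scheduled task.
HOST_EVENTS = [
    {"eid": 1, "host": "WS042", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net view /all"},
    {"eid": 1, "host": "WS042", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"eid": 4104, "host": "WS042",
     "script": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"eid": 4104, "host": "WS042",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"eid": 1, "host": "FS01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"eid": 1, "host": "FS01", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"eid": 7045, "host": "FS01", "service": "WinDefSvc",
     "path": "C:\\Users\\Public\\svc.exe"},
    {"eid": 4698, "host": "FS01", "task": "\\Microsoft\\Windows\\Update",
     "command": "C:\\Users\\Public\\lan.exe"},
    {"eid": 1, "host": "WS007", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},   # benign: listing, not deleting
]

# Binaries launched from these locations for persistence are rarely legitimate.
SUSPICIOUS_DIRS = re.compile(r"\\(Users\\Public|ProgramData|Temp|AppData\\Local\\Temp)\\", re.I)

PROCESS_RULES = [
    ("inhibit_recovery", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit_recovery", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("inhibit_recovery", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("inhibit_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("ad_discovery", re.compile(r"^net(\.exe)?\s+(view|group|user|localgroup)\b", re.I)),
    ("ad_discovery", re.compile(r"^nltest(\.exe)?\s+/dclist", re.I)),
]
SCRIPT_RULES = [
    ("defender_tamper", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I)),
]


def classify(event):
    """Return the technique label an event matches, or None for benign events."""
    eid = event["eid"]
    if eid == 1:
        for label, pattern in PROCESS_RULES:
            if pattern.search(event["cmdline"]):
                return label
    elif eid == 4104:
        for label, pattern in SCRIPT_RULES:
            if pattern.search(event["script"]):
                return label
    elif eid == 7045 and SUSPICIOUS_DIRS.search(event["path"]):
        return "persistence_service"
    elif eid == 4698 and SUSPICIOUS_DIRS.search(event["command"]):
        return "persistence_task"
    return None


def triage(events):
    """Group matched techniques per host and assign a severity.

    critical: recovery inhibition seen (encryption is imminent or under way)
    high:     more than one technique on the host (an operator is active)
    medium:   a single match, worth a look but possibly admin activity
    """
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev["host"], set()).add(label)
    result = {}
    for host, labels in per_host.items():
        if "inhibit_recovery" in labels:
            severity = "critical"
        elif len(labels) > 1:
            severity = "high"
        else:
            severity = "medium"
        result[host] = {"techniques": sorted(labels), "severity": severity}
    return result


if __name__ == "__main__":
    for host, verdict in sorted(triage(HOST_EVENTS).items()):
        print(host, verdict)
```

The benign `vssadmin list shadows` on WS007 is deliberately included: rules keyed on the binary name alone would page on every backup administrator, so the patterns match the destructive verbs instead. Script block logging (event 4104) must be enabled for the Defender rules to fire at all, which is the single configuration change most worth making on the strength of the Sophos findings.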

The post Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector appeared first on HIPAA Journal.