Healthcare Cybersecurity

CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups

A hacking group with links to the Iranian government has been observed exploiting several vulnerabilities in attacks on U.S. organizations and government agencies, according to a recent joint cybersecurity advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The alert closely follows a similar cybersecurity advisory warning about hackers linked to the Chinese government conducting attacks that exploit some of the same vulnerabilities.

The Iranian hacking group, tracked as UNC757 and Pioneer Kitten, has been exploiting vulnerabilities in F5 networking products, Citrix NetScaler appliances, and Pulse Secure VPNs to gain initial access to networks. The group has also been observed using open source tools such as Nmap to scan for open ports and identify vulnerable, Internet-facing systems.

Exploited Vulnerabilities

Two vulnerabilities in Pulse Secure products are being exploited. The first, CVE-2019-11510, is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure enterprise VPN servers. The second, CVE-2019-11539, is an authenticated command injection vulnerability in the administrative web interface of Pulse Connect Secure.

The remote code execution vulnerability CVE-2019-19781, which affects Citrix ADC (NetScaler), Citrix Gateway, and Citrix SD-WAN WANOP appliances, is also being exploited, along with CVE-2020-5902, a remote code execution vulnerability in the Traffic Management User Interface of F5’s BIG-IP products.

Once access to a network has been gained, the hackers obtain administrator credentials and install web shells such as ChunkyTuna, Tiny, and China Chopper for persistence. They rely heavily on open source and operating system tooling to conduct operations, such as an LDAP (Lightweight Directory Access Protocol) directory browser, ngrok, and fast reverse proxy (FRP). Plink and TightVNC are often used for lateral movement.

The hackers have been observed using several methods to evade detection, such as hiding tasks and services, software packing, compile after delivery, and masquerading files as legitimate Dynamic Link Library files. The hackers have also been observed cleaning files on compromised NetScaler devices every 30 minutes to minimize their footprint.

CISA suspects the hackers are stealing data due to the use of tools such as 7-Zip and the ChunkyTuna web shell, although no evidence has been found confirming that to be the case. The hackers are also known to have viewed sensitive documents on compromised networks and have been selling access to compromised organizations on a hacking forum.

While Pioneer Kitten has links to the Iranian government and supports the government’s interests, the hackers also conduct attacks for financial gain and are suspected of having the capabilities to deploy ransomware on victims’ networks.

Pioneer Kitten has attacked government agencies and organizations in several different sectors including healthcare, information technology, finance, insurance, and media organizations in the United States.

Detecting and Preventing Attacks

Many of the attacks involve the exploitation of vulnerabilities for which patches have been released, but not yet applied. The best defense against attacks is to apply patches promptly.

In addition to patching the F5, Citrix, and Pulse Secure vulnerabilities, it is important to investigate whether the vulnerabilities have already been exploited.

The hacking group makes significant use of ngrok to expose a local port to the Internet. This activity may appear as outbound TCP port 443 connections from internal hosts to external cloud-based infrastructure. The FRP client (FRPC) has been observed communicating over TCP port 7557, so outbound connections on that port are a further indicator worth alerting on.
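One way to turn the two network indicators above into a check over firewall logs, as an added example that is not code from CISA or HIPAA Journal. The log format, hosts and addresses are constructed for illustration, the internal address ranges are the RFC 1918 networks, and the ngrok hostname suffix is an assumption to be replaced with whatever your proxy or DNS logs actually record.

```python
"""Flag outbound connections matching the tunnelling indicators above (FRPC on TCP 7557,
ngrok tunnels). Added example, not code from CISA or HIPAA Journal; the log format,
hosts and addresses are constructed, and the ngrok hostname suffix is an assumption."""
import ipaddress
from collections import defaultdict

# Constructed sample firewall log: timestamp,src_ip,dst_ip,dst_port,dst_hostname
SAMPLE_LOG = """\
2020-09-10T08:00:01,10.0.5.23,203.0.113.10,7557,-
2020-09-10T08:00:05,10.0.5.23,198.51.100.7,443,abc123.ngrok.io
2020-09-10T08:01:10,10.0.5.41,192.0.2.55,443,www.example.org
2020-09-10T08:02:00,10.0.5.23,203.0.113.10,7557,-
2020-09-10T08:03:00,10.0.9.8,10.0.9.9,7557,-
"""

FRPC_PORT = 7557                      # port the advisory associates with FRPC traffic
TUNNEL_SUFFIXES = (".ngrok.io",)      # assumption: hostname suffix used by ngrok tunnels
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses. An explicit list is used instead of is_private,
    which would also treat the documentation ranges in the sample log as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log_text):
    """Yield one dict per non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, name = line.split(",")
        yield {"ts": ts, "src": src, "dst": dst, "port": int(port), "name": name}


def find_tunnel_indicators(log_text):
    """Return (src, dst, port, reasons) for internal->external connections that match."""
    hits = []
    for rec in parse(log_text):
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # east-west traffic is out of scope for this check
        reasons = []
        if rec["port"] == FRPC_PORT:
            reasons.append("frpc-port-7557")
        if rec["name"].lower().endswith(TUNNEL_SUFFIXES):
            reasons.append("ngrok-hostname")
        if reasons:
            hits.append((rec["src"], rec["dst"], rec["port"], reasons))
    return hits


def hosts_to_triage(log_text):
    """Collapse hits per internal host so one ticket is raised per host, not per flow."""
    by_host = defaultdict(set)
    for src, _dst, _port, reasons in find_tunnel_indicators(log_text):
        by_host[src].update(reasons)
    return dict(by_host)


if __name__ == "__main__":
    for host, reasons in hosts_to_triage(SAMPLE_LOG).items():
        print(host, sorted(reasons))
```

Port 443 to cloud infrastructure is too common to alert on by itself; the hostname match is what makes the second line actionable, so the check needs DNS or proxy logs that carry the destination name, not just firewall flows.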

CISA has included other Indicators of Compromise (IoCs) in the cybersecurity advisory along with several mitigations that should be implemented to further reduce the risk of attack.

The post CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups appeared first on HIPAA Journal.

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies.

The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 BIG-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and publicly available tools such as China Chopper, Mimikatz, and Cobalt Strike. The groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data, and several attacks have been successful.

The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack.

Some of the most exploited vulnerabilities include:

CVE-2020-5902 – A vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI) which, if exploited, allows unauthenticated attackers to execute arbitrary system commands, disable services, execute Java code, and create or delete files.

CVE-2019-19781 – A directory traversal vulnerability in Citrix ADC and Citrix Gateway appliances (and SD-WAN WANOP) that can be exploited without authentication and leveraged to achieve remote code execution.

CVE-2019-11510 – A pre-authentication arbitrary file read vulnerability in Pulse Secure VPN appliances that can expose cached credentials and session information, which attackers then use to gain access to internal networks.

CVE-2020-0688 – A remote code execution vulnerability in Microsoft Exchange Server caused by a static validation key in the Exchange Control Panel; an attacker with valid mailbox credentials can use it to execute arbitrary code on the server with SYSTEM privileges.

There is no single action that can be taken to block these threats, but many of the successful attacks have exploited known vulnerabilities. Scans are often conducted within hours or days of a vulnerability being made public. Since many public and private sector organizations do not apply patches promptly, it gives hackers the opportunity to gain access to networks. Applying patches promptly is therefore one of the best forms of defense.

“Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks,” explained CISA in its security advisory. “If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.”

Scans are conducted using tools such as the Shodan search engine to identify potential targets that may be susceptible to attack. The hackers also use the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) to obtain detailed information about vulnerabilities that can be exploited.

“Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits,” explained CISA. “These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”

Other tactics often used by these threat actors include spear phishing and brute force attempts to guess weak passwords. It is therefore essential to enforce the use of strong passwords, provide phishing awareness training to the workforce, and implement software solutions capable of detecting/blocking phishing attacks.


8 Vulnerabilities Identified in Philips Patient Monitoring Devices

8 low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices. Exploitation of the vulnerabilities could result in information disclosure, interrupted monitoring, denial of service, and an escape from the restricted environment with limited privileges.

The vulnerabilities affect the following Philips patient monitoring devices:

  • Patient Information Center iX (PICiX) Versions B.02, C.02, C.03
  • PerformanceBridge Focal Point Version A.01
  • IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior
  • IntelliVue X3 and X2 Versions N and prior

Vulnerabilities

CVE-2020-16212 – CVSS 6.8/10 – Moderate Severity. A resource is exposed to the wrong control sphere, which could allow an unauthorized individual to gain access to the resource and escape the restricted environment with limited privileges. Physical access to a vulnerable device is required to exploit the flaw.

CVE-2020-16216 – CVSS 6.5/10 – Moderate Severity. The product does not validate or incorrectly validates input or data to ensure it has the necessary properties to allow it to be handled safely. Exploitation could trigger a denial of service condition through a system restart.

CVE-2020-16224 – CVSS 6.5/10 – Moderate Severity. When the software parses a formatted message or structure, it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. This could trigger a restart of the surveillance station resulting in interrupted monitoring.

CVE-2020-16228 – CVSS 6.0/10 – Moderate Severity. The software incorrectly checks the revocation status of a certificate, potentially allowing a compromised certificate to be used.

CVE-2020-16222 – CVSS 5.0/10 – Moderate Severity. When individuals claim to have a particular identity, there is insufficient authentication to prove the identity of that individual, potentially allowing unauthorized access to data.

CVE-2020-16214 – CVSS 4.2/10 – Moderate Severity. User-provided information is saved into a CSV file, but since special elements are not correctly neutralized, they could be interpreted as a command when the CSV file is opened using spreadsheet software.

CVE-2020-16218 – CVSS 3.5/10 – Low Severity. The product incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Exploitation could give an attacker read-only access to patient data.

CVE-2020-16220 – CVSS 3.5/10 – Low Severity. Product does not validate or incorrectly validates input to ensure it complies with the syntax, which could be exploited to cause the service to crash.
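CVE-2020-16214 above is an instance of CSV formula injection: an export writes user-supplied text into a cell, and the spreadsheet that later opens the file evaluates a cell beginning with =, +, - or @ as a formula. The following added example, which is not Philips code, shows the vulnerable export pattern beside a neutralized one and an audit helper that finds cells a spreadsheet would evaluate; the column names, rows and payload are constructed for illustration.

```python
"""CSV formula injection, the bug class behind CVE-2020-16214: an export writes user-supplied
text into a CSV cell, and a spreadsheet later evaluates a cell starting with =, +, -, or @ as a
formula. Added example, not Philips code; the export functions, column names and rows are
constructed for illustration."""
import csv
import io

# Characters that make a spreadsheet treat a cell as a formula (or break the cell)
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed rows: the second row carries a DDE-style payload in a free-text field
SAMPLE_ROWS = [
    ["bed", "patient_name", "note"],
    ["12", "=cmd|' /C calc'!A0", "routine"],
    ["13", "Doe, Jane", "-ve result"],
]


def export_unsafe(rows):
    """Vulnerable pattern: values are written exactly as supplied."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def neutralize_cell(value):
    """Prefix a leading apostrophe so the spreadsheet stores the cell as text."""
    text = str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def export_safe(rows):
    """Hardened pattern: neutralize every cell and quote all fields."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerows([[neutralize_cell(cell) for cell in row] for row in rows])
    return buf.getvalue()


def formula_cells(csv_text):
    """Audit helper: (row, column) of every cell a spreadsheet would evaluate as a formula."""
    reader = csv.reader(io.StringIO(csv_text))
    return [
        (r, c)
        for r, row in enumerate(reader)
        for c, cell in enumerate(row)
        if cell.startswith(FORMULA_TRIGGERS)
    ]


if __name__ == "__main__":
    print("unsafe export flags:", formula_cells(export_unsafe(SAMPLE_ROWS)))
    print("safe export flags:  ", formula_cells(export_safe(SAMPLE_ROWS)))
```

The apostrophe prefix also changes legitimate values such as "-ve result" or negative numbers into text, so in practice the neutralization is applied to free-text columns and numeric columns are validated as numbers before export.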

The vulnerabilities were identified by security researchers at ERNW Research GmbH and ERNW Enno Rey Netzwerke GmbH, who reported the flaws to Philips. Philips reported the flaws to CISA and other government agencies under the company’s coordinated vulnerability disclosure policy.

There have been no reported cases of any of the vulnerabilities being exploited in the wild. Updates will be issued starting in 2020; however, in the meantime Philips recommends the following mitigations to make it harder for the vulnerabilities to be exploited:

  • Physically or logically isolate the devices from the hospital local area network (LAN).
  • Implement access control lists that restrict access in and out of the patient monitoring network for only necessary ports and IP addresses.
  • Limit exposure by ensuring the SCEP service is not running unless it is actively being used to enroll new devices.
  • Enter a unique password of 8-12 unpredictable and randomized digits when enrolling new devices using SCEP
  • Physically secure the devices to prevent unauthorized login attempts and ensure servers are located in locked data centers.
  • Control access to patient monitors at nurses’ stations
  • Block remote access to PIC iX servers if not required, and if remote access is necessary, only grant remote access on a must-have basis
  • Apply the principle of least privilege and only allow access to bedside monitors to trusted users.

Users should contact their local or regional Philips service support teams for further information on updating the affected patient monitoring devices and applying mitigating measures.


Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats.

NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks.

Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include current and former employees, contractors, interns, and other individuals who have been given access to data or systems. Those trusted insiders could accidentally or deliberately take actions which are disruptive to the business. Those actions could cause damage to company facilities, systems, or equipment, result in financial harm, or expose or disclose intellectual property and sensitive data.

To combat insider threats, organizations need to establish an insider threat mitigation program to detect, deter, and respond to threats from malicious and unintentional insiders. The program should protect critical assets against unauthorized access and malicious acts, and the workforce should be trained how to identify insider threats and conditioned to report any suspicious behavior or activities. The program should also involve the collection and analysis of information to help identify and mitigate insider threats quickly.

The SARS-CoV-2 pandemic has created a new set of challenges. The changes made by organizations in response to the pandemic, such as the expansion of remote working to include the entire workforce, have increased the risk of espionage, unauthorized disclosures, fraud, and data theft. It is more important than ever for organizations to have an effective insider threat mitigation program.

The main focus of NITAM 2020 is improving resilience to insider threats. This can be achieved by improving awareness through education of the workforce, using the resources made available in September to learn how to detect and mitigate the actions of insider threats, and to improve protection against those threats.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) is helping to raise awareness of insider threats and has published resources that can be used by healthcare organizations to improve organizational resilience and mitigate risks posed by insider threats. Games, videos, graphics, posters, and case studies to promote NITAM are available here.


CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks. The guidance details best practices for detecting malicious activity and step-by-step instructions for investigating potential security incidents and securing compromised systems.

The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such as host-based artifacts, conduct host analysis and a review of network activity, and take the right actions to mitigate a cyberattack.

The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks while reducing the potential for negative consequences.

When incident response teams identify malicious activity, the focus is often on terminating the threat actor’s access to the network. While it is important to terminate any access a threat actor has to a device, network, or system, the correct approach must be taken to avoid alerting the attacker that their presence has been detected.

“Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware),” said CISA. 

When responding to a suspected intrusion it is first necessary to collect and preserve the relevant artifacts, logs, and data that will allow the incident to be thoroughly investigated. If these are not captured before any mitigations are implemented, volatile data can easily be lost, which hampers any effort to investigate the breach. Systems also need to be protected, as a threat actor may realize that the intrusion has been detected and change their tactics. Once systems have been protected and artifacts obtained, mitigating steps can be taken, with care taken not to alert the threat actor that their presence in the network has been discovered.

When suspicious activity is detected, CISA recommends considering seeking support from a third-party cybersecurity company. Cybersecurity companies have the necessary expertise to eradicate an attacker from a network and ensure that security issues are avoided that could be exploited in further attacks on the organization once the incident has been remediated and closed.

Responding to a security breach requires a variety of technical approaches to uncover malicious activity. CISA recommends conducting a search for known indicators of compromise (IoCs), using confirmed IoCs from a wide range of sources. A frequency analysis is useful for identifying anomalous activity. Network defenders should calculate normal traffic patterns in network and host systems that can be used to identify inconsistent activity. Algorithms can be used to identify when there is activity that is not consistent with normal patterns and identify inconsistencies in timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.

A pattern analysis is useful for detecting automated activity by malicious scripts and malware, and regular repeating actions by human threat actors. An analyst review should also be conducted based on the security team’s knowledge of system administration to identify errors in collected artifacts and find anomalous activity that could be indicative of threat actor activity.
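Two of the techniques listed above, frequency analysis of destinations and pattern analysis for regularly repeating connections, carried out over connection records. This is an added example and not CISA’s code; the records, the host names and the thresholds (minimum distinct sources, minimum event count, maximum coefficient of variation of the gaps) are constructed for illustration.

```python
"""Frequency and pattern analysis over connection records, two of the techniques the guidance
lists: destinations that only one host talks to, and connections repeating at a near-constant
interval (beaconing). Added example, not CISA code; the records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records: (timestamp, source host, destination ip, destination port)
RECORDS = [
    ("2020-09-01T09:00:00", "ws-07", "203.0.113.10", 443),
    ("2020-09-01T09:05:13", "ws-07", "192.0.2.20", 443),
    ("2020-09-01T09:11:40", "ws-12", "192.0.2.20", 443),
    ("2020-09-01T09:20:00", "ws-12", "192.0.2.20", 443),
    ("2020-09-01T09:30:02", "ws-07", "203.0.113.10", 443),
    ("2020-09-01T09:47:05", "ws-03", "192.0.2.20", 443),
    ("2020-09-01T09:59:58", "ws-07", "203.0.113.10", 443),
    ("2020-09-01T10:02:19", "ws-12", "192.0.2.20", 443),
    ("2020-09-01T10:30:01", "ws-07", "203.0.113.10", 443),
    ("2020-09-01T10:55:44", "ws-03", "192.0.2.20", 443),
    ("2020-09-01T11:00:00", "ws-07", "203.0.113.10", 443),
]


def rare_destinations(records, min_hosts=2):
    """Frequency analysis: (ip, port) pairs contacted by fewer than min_hosts distinct sources.
    A destination the whole fleet uses is background; one that a single host uses is worth a look."""
    sources = defaultdict(set)
    for _ts, src, dst, port in records:
        sources[(dst, port)].add(src)
    return sorted(key for key, hosts in sources.items() if len(hosts) < min_hosts)


def beacon_candidates(records, min_events=4, max_cv=0.2):
    """Pattern analysis: (src, dst, port) tuples whose inter-arrival times are near-constant.
    Returns (key, mean_interval_seconds); max_cv bounds the coefficient of variation of the gaps."""
    times = defaultdict(list)
    for ts, src, dst, port in records:
        times[(src, dst, port)].append(datetime.fromisoformat(ts))
    found = []
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((key, round(avg)))
    return found


if __name__ == "__main__":
    print("rare destinations:", rare_destinations(RECORDS))
    print("beacon candidates:", beacon_candidates(RECORDS))
```

On the constructed data, ws-07 is the only host talking to 203.0.113.10, and it does so every 30 minutes with only a few seconds of drift, so both checks single it out. Real implants add jitter to their sleep interval, so in practice the coefficient of variation threshold is widened and the analysis is run over a longer window than two hours.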

The guidance details some of the common mistakes that are made when responding to incidents and lists technical measures and best practices for investigation and remediation processes.

Source: CISA

CISA also makes general recommendations on defense techniques and programs that will make it much harder for a threat actor to gain access to the network or system and remain there undetected. While these measures may not stop a threat actor from compromising a system, they will help to slow down any attack which will give incident response teams the time they need to identify and respond to an attack.

You can view the CISA guidance here: Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A)


Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers

Two zero-day vulnerabilities in the IOS XR software used by Cisco Network Convergence System (NCS) carrier-grade routers are being actively exploited by hackers. The first attempts at exploitation of the vulnerabilities were detected by Cisco on August 25, 2020.

While patches have yet to be released by Cisco to correct the vulnerabilities, there are workarounds that can be used to reduce the risk of the vulnerabilities being exploited.

The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, lie in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software and affect any Cisco device running IOS XR if an active interface is configured under multicast routing. Multicast routing saves bandwidth by sending certain data in a single stream to multiple recipients.

An unauthenticated attacker could exploit the flaws to exhaust the process memory of a device by remotely sending specially crafted internet group management protocol (IGMP) packets to the device. If the flaws are successfully exploited it would cause memory exhaustion resulting in a denial of service and could cause instability of other processes, such as interior and exterior routing protocols.

The flaws have been assigned a CVSS v3 base score of 8.6 out of 10. Cisco rates the risk of exploitation as high, so patches should be applied as soon as they are released and mitigations implemented in the meantime. The mitigations suggested by Cisco are not complete workarounds, but they reduce the risk of exploitation.

Users of vulnerable Cisco products should rate limit IGMP traffic. Administrators must determine what their normal rate of IGMP traffic is and should then set a rate lower than the average rate. This will not prevent exploitation of the flaws, but by reducing the traffic rate, the time taken to exploit the flaws will be increased, which would allow administrators extra time to perform recovery actions.

Customers can also add an access control entry (ACE) to an existing interface access control list (ACL), or create a new ACL for a specific interface, that denies DVMRP traffic inbound on that interface.

Instructions for determining whether multicast routing is enabled and implementing the mitigations are detailed in the Cisco security advisory. Cisco is currently working on patches to correct the flaws.


Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19.

The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days.

The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of the company in the signature. By including correct contact information, should any checks be performed by the recipient they may be led to believe the message is genuine.

Source: Area 1 Security

The aim of the threat actors is to deliver the Agent Tesla Trojan. Agent Tesla is an advanced remote access Trojan (RAT) that gives the attackers access to an infected device, allowing them to perform a range of malicious actions. The RAT is capable of logging keystrokes on an infected device and stealing sensitive information from the user’s AppData folder, which is sent to the command and control server via SMTP. The malware can also steal data from web browsers, email, FTP and VPN clients.

The RAT is offered on hacking forums as malware-as-a-service and has proven popular due to the ease of conducting campaigns and the low cost of using the malware, although the researchers note that Agent Tesla can be downloaded for free via a torrent available on Russian websites. The malware includes a user interface (UI) that allows operators to track infections and access data stolen by the malware.

The RAT is delivered as a compressed file attachment. If the attachment is extracted, the recipient is presented with an executable file with a double extension that appears to be a .pdf file. Because Windows hides known file extensions by default, the extracted file is displayed as a .pdf when it is actually an executable. The displayed name is “Supplier-Face Mask Forehead Thermometer.pdf”, but the actual file is “Supplier-Face Mask Forehead Thermometer.pdf.exe” or “Supplier-Face Mask Forehead Thermometer.pdf.gz”.

The file hash is changed frequently to avoid detection by security solutions. Each new hash evades signature-based security solutions until their definitions are updated to include it, so detection should not rely on hashes alone.
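Because the hash changes with every wave, a name-based check on attachments and on the members of extracted archives catches this lure when signatures do not. The following is an added example and not Area 1 Security’s code: apart from the lure file name quoted above, the file names and the extension lists are constructed assumptions, and the hidden-extension behaviour modelled is the Windows Explorer default the article describes.

```python
"""Name-based triage for the double-extension trick described above. Added example, not
Area 1 Security code; apart from the lure file name quoted in the article, the file names
and the extension lists are constructed assumptions."""
import os

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                   ".ps1", ".msi", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip", ".gz", ".7z", ".rar", ".tgz"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS | ARCHIVE_EXTS


def extensions(name):
    """Every dotted suffix, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    pieces = os.path.basename(name).lower().split(".")
    return ["." + p for p in pieces[1:]]


def displayed_name(name):
    """What Explorer shows when 'Hide extensions for known file types' is on."""
    exts = extensions(name)
    if exts and exts[-1] in KNOWN_EXTS:
        return name[: -len(exts[-1])]
    return name


def classify(name):
    """Label a file by its real (last) extension and whether it masquerades as a document."""
    exts = extensions(name)
    if not exts:
        return "no-extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        # executable whose displayed name would end in a document extension
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return "masquerading-executable"
        return "executable"
    if last in ARCHIVE_EXTS:
        return "archive"
    if last in DOCUMENT_EXTS:
        return "document"
    return "other"


def triage_attachment(name, archive_members=()):
    """Classify the attachment and, for archives, each member; block on any executable."""
    verdicts = {name: classify(name)}
    for member in archive_members:
        verdicts[member] = classify(member)
    block = any(v in ("masquerading-executable", "executable") for v in verdicts.values())
    return block, verdicts


if __name__ == "__main__":
    lure = "Supplier-Face Mask Forehead Thermometer.pdf.exe"
    print(displayed_name(lure), "->", classify(lure))
    print(triage_attachment("Supplier-Face Mask Forehead Thermometer.pdf.gz", [lure]))
```

The archive case matters most: the .gz attachment itself looks harmless, so the gateway has to open it and classify the members, which is what the second call in the usage block does.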

The attackers also take advantage of missing or weak email authentication configurations (SPF, DKIM, and DMARC) on the domains they spoof. A domain with no DMARC record, or with a DMARC policy of p=none, gives receiving mail servers no instruction to reject a message that fails authentication, so a spoofed sender address is delivered.
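To see whether your own domains are spoofable in the way just described, the published SPF and DMARC records can be evaluated for the weaknesses that let a forged sender through. This added example is not Area 1 Security’s code: the records are constructed, the rating scheme is an assumption, and no DNS query is made (a real check fetches the TXT records for the domain and for _dmarc.<domain>).

```python
"""Check whether a domain's SPF and DMARC records actually tell receiving servers to reject
spoofed mail. Added example, not Area 1 Security code; the records are constructed and no DNS
query is made (a real check fetches the TXT records for <domain> and _dmarc.<domain>)."""

# Constructed records for two hypothetical domains
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps the total at 10)
DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record):
    """'k=v; k2=v2' -> {'k': 'v', 'k2': 'v2'} with tag names lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt):
    """List the ways a DMARC record fails to protect the domain; empty means none found."""
    if not txt:
        return ["no DMARC record: receivers are given no policy for spoofed mail"]
    tags = parse_tags(txt)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is delivered and only reported")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains can be spoofed regardless of p")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so spoofing goes unnoticed")
    return issues


def spf_findings(txt):
    """List the ways an SPF record fails to fail spoofed mail; empty means none found."""
    if not txt:
        return ["no SPF record"]
    terms = txt.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    issues = []
    if "+all" in terms or "all" in terms:
        issues.append("+all: every sender passes SPF")
    elif "?all" in terms:
        issues.append("?all: neutral result, spoofed mail does not fail SPF")
    elif "~all" in terms:
        issues.append("~all: softfail only; rejection depends on DMARC")
    elif "-all" not in terms:
        issues.append("no 'all' mechanism: implicit neutral")
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").split(":")[0].split("/")[0] in DNS_LOOKUP_MECHANISMS
        or t.startswith("redirect=")
    )
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups: over the limit of 10, evaluates to permerror")
    return issues


def spoof_risk(spf_txt, dmarc_txt):
    """Rough rating: 'high' when DMARC does not block, 'medium' on any weakness, else 'low'."""
    dmarc = dmarc_findings(dmarc_txt)
    if not dmarc_txt or any(i.startswith("p=none") for i in dmarc):
        return "high"
    if dmarc or spf_findings(spf_txt):
        return "medium"
    return "low"


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, spoof_risk(spf, dmarc), dmarc_findings(dmarc) + spf_findings(spf))
```

SPF alone never blocks a forged From header that the recipient sees, because it checks the envelope sender; the DMARC policy is what aligns the two and instructs the receiver, which is why the rating is driven by the DMARC findings first.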

According to the researchers, the attackers are mostly using a shotgun approach, rather than spear phishing emails on a select number of targets; that said, the researchers have identified some targeted attacks on executives of Fortune 500 companies.

Since the campaign is regularly updated to evade detection by security solutions, it is important to raise awareness of the campaign with employees to prevent them inadvertently installing the malware.


OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization.

In order to perform a comprehensive risk analysis to identify all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and which systems can be used to access that information. One of the common reasons for a risk analysis compliance failure is not knowing where all ePHI is located in the organization.

In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the risk analysis process. An IT asset inventory is a detailed list of all IT assets in an organization, which should include a description of each asset, serial numbers, names, and other information that can be used to identify the asset, version (operating system/application), its location, and the person to whom the asset has been assigned and who is responsible for maintaining it.

“Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT) asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance,” explained OCR in the newsletter.

An IT asset inventory should not only include physical hardware such as mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers. It is also important to list software assets and applications that run on an organization’s hardware, such as anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems.

IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included, as should data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media.

“Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization.”

For smaller healthcare organizations, an IT asset inventory can be created and maintained manually, but for larger, more complex organizations, dedicated IT Asset Management (ITAM) solutions are more appropriate. These solutions include automated discovery and update processes for asset and inventory management and will help to ensure that no assets are missed.

When creating an IT asset inventory to aid the risk analysis, it is useful to include assets that are not used to create, receive, process, or transmit ePHI but may be used to gain access to ePHI or to networks or devices that store ePHI. IoT devices may not store or be used to access ePHI, but they could be used to gain access to a network or device that would allow ePHI to be viewed.

“Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation, or other techniques to deny or impede an intruder’s lateral movement, can provide an intruder with a foothold into an organization’s IT network,” suggests OCR. “The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization’s network and potentially compromise ePHI.” There have been multiple incidents where hackers have exploited a vulnerability in one of these devices to penetrate an organization’s network and access sensitive data.

Organizations that do not have a comprehensive IT asset inventory could have gaps in recognition and mitigation of risks to ePHI. Only with a comprehensive understanding of the entire organization’s environment will it be possible to minimize those gaps and ensure that an accurate and thorough risk analysis is performed to ensure Security Rule compliance.

Maintaining an IT asset inventory may not be a Security Rule requirement but covered entities must create policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility. An IT asset inventory can also be used for this purpose. The IT asset inventory can also be compared with the results of network scanning and mapping processes to help identify unauthorized devices that have been connected to the network and used as part of vulnerability management to ensure that no devices, software, or other assets are missed when performing software updates and applying security patches.
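The two uses of the inventory just described, comparing it with network scan results to find unmanaged devices and using it to make sure nothing is missed when patching, can be scripted once the inventory and the scan output are in a structured form. This added example is not OCR, NIST or HHS code, and also serves the patch-cadence point in the CISA advisory earlier on this page: the inventory, scan output and minimum-version table are constructed, and the version floors are placeholders to be replaced with the fixed versions given in the vendor advisories.

```python
"""Reconcile an IT asset inventory with network scan results and flag assets below a required
patch level. Added example, not OCR, NIST or HHS code; the inventory, scan output and
minimum-version table are constructed, and the version floors are placeholders to be replaced
with the fixed versions from the vendor advisories."""
import re

# Constructed asset inventory: one record per managed device
INVENTORY = [
    {"id": "A-1001", "ip": "10.1.0.5", "product": "BIG-IP", "version": "14.1.2.3", "owner": "netops"},
    {"id": "A-1002", "ip": "10.1.0.6", "product": "Pulse Connect Secure", "version": "9.1R8", "owner": "netops"},
    {"id": "A-2040", "ip": "10.2.3.7", "product": "Patient monitor", "version": "N", "owner": "biomed"},
]

# Constructed discovery scan: what actually answered on the network
SCAN = [
    {"ip": "10.1.0.5", "product": "BIG-IP", "version": "14.1.2.3"},
    {"ip": "10.1.0.6", "product": "Pulse Connect Secure", "version": "9.1R9"},
    {"ip": "10.2.3.99", "product": "IP camera", "version": "1.0"},
]

# Hypothetical minimum acceptable versions (placeholders, not vendor-confirmed values)
MIN_VERSION = {"BIG-IP": "14.1.2.6", "Pulse Connect Secure": "9.1R8"}


def version_key(version):
    """Compare versions by their numeric components: '9.1R8' -> (9, 1, 8).
    Good enough for dotted and R-style strings; letter-only versions sort as empty."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def unknown_devices(inventory, scan):
    """Scanned addresses with no inventory record: rogue or unmanaged devices."""
    known = {a["ip"] for a in inventory}
    return sorted(s["ip"] for s in scan if s["ip"] not in known)


def missing_from_scan(inventory, scan):
    """Inventoried assets the scan did not see: offline, isolated, or retired but not removed."""
    seen = {s["ip"] for s in scan}
    return sorted(a["id"] for a in inventory if a["ip"] not in seen)


def stale_inventory_versions(inventory, scan):
    """Assets whose recorded version differs from what the scan observed."""
    observed = {s["ip"]: s["version"] for s in scan}
    return sorted(
        a["id"] for a in inventory
        if a["ip"] in observed and observed[a["ip"]] != a["version"]
    )


def below_patch_floor(inventory, floors):
    """Assets running a version older than the required minimum for their product."""
    return sorted(
        a["id"] for a in inventory
        if a["product"] in floors
        and version_key(a["version"]) < version_key(floors[a["product"]])
    )


if __name__ == "__main__":
    print("unknown devices:   ", unknown_devices(INVENTORY, SCAN))
    print("missing from scan: ", missing_from_scan(INVENTORY, SCAN))
    print("stale versions:    ", stale_inventory_versions(INVENTORY, SCAN))
    print("below patch floor: ", below_patch_floor(INVENTORY, MIN_VERSION))
```

The patient monitor that the scan did not see is the interesting case for a hospital: an isolated monitoring network is the mitigation Philips recommends, so an asset missing from the scan may be correctly segmented rather than gone, and the inventory is what tells the two apart.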

The NIST Cybersecurity Framework can be leveraged to assist with the creation of an IT asset inventory. NIST has also produced guidance on IT asset management in its Cybersecurity Practice Guide, Special Publication 1800-5. The HHS Security Risk Assessment Tool can also help with IT asset management. It includes inventory capabilities that allow for manual entry or bulk loading of asset information with respect to ePHI.

The post OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory appeared first on HIPAA Journal.

Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed.

The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email.

The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to log in to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more.

IRONSCALES researchers found the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. The brand with the most fake login pages – 11,000 – was PayPal, closely followed by Microsoft with 9,500, Facebook with 7,500, eBay with 3,000, and Amazon with 1,500 pages.

While PayPal was the most spoofed brand, fake Microsoft login pages pose the biggest threat to businesses. Stolen Office 365 credentials can be used to access corporate Office 365 email accounts which can contain a range of highly sensitive data and, in the case of healthcare organizations, a considerable amount of protected health information.

Other brands that were commonly impersonated include Adobe, Aetna, Alibaba, Apple, AT&T, Bank of America, Delta Air Lines, DocuSign, JP Morgan Chase, LinkedIn, Netflix, Squarespace, Visa, and Wells Fargo.

The most common recipients of emails in these campaigns were individuals working in the financial services, healthcare and technology industries, as well as government agencies.

Around 5% of the fake login pages were polymorphic, which for one brand included more than 300 permutations. Microsoft login pages had the highest degree of polymorphism with 314 permutations. The reason for the high number of permutations of login pages is not fully understood. IRONSCALES suggests this is because Microsoft and other brands are actively searching for fake login pages imitating their brand. Using many different permutations makes it harder for human and technical controls to identify and take down the pages.

The emails used in these campaigns often bypass security controls and are delivered to inboxes. “Messages containing fake logins can now regularly bypass technical controls, such as secure email gateways and SPAM filters, without much time, money or resources invested by the adversary,” explained IRONSCALES. “This occurs because both the message and the sender are able to pass various authentication protocols and gateway controls that look for malicious payloads or known signatures that are frequently absent from these types of messages.”

Even though the fake login pages differ slightly from the login pages they spoof, they are still effective and often successful if a user arrives at the page. IRONSCALES attributes this to “inattentional blindness”, where individuals fail to perceive an unexpected change in plain sight.

The post Study Reveals Increase in Credential Theft via Spoofed Login Pages appeared first on HIPAA Journal.