Healthcare Cybersecurity

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020.

Sept 2020 healthcare data breach report monthly breaches

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

Sept 2020 healthcare data breach report monthly breached records

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

Sept 2020 healthcare data breach report causes of breaches

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September.  The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

Sept 2020 healthcare data breach report - location of PHI

Largest Healthcare Data Breaches Reported in September 2020

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause
Trinity Health Business Associate 3,320,726 Hacking/IT Incident Blackbaud Ransomware Attack
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident Blackbaud Ransomware Attack
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Colorado (affiliated covered entity) Healthcare Provider 343,493 Hacking/IT Incident Blackbaud Ransomware Attack
Nuvance Health (on behalf of its covered entities) Healthcare Provider 314,829 Hacking/IT Incident Blackbaud Ransomware Attack
The  Baton Rouge Clinic, A Medical Corporation Healthcare Provider 308,169 Hacking/IT Incident Ransomware Attack
Virginia Mason Medical Center Healthcare Provider 244,761 Hacking/IT Incident Blackbaud Ransomware Attack
University of Tennessee Medical Center Healthcare Provider 234,954 Hacking/IT Incident Blackbaud Ransomware Attack
Legacy Community Health Services, Inc. Healthcare Provider 228,009 Hacking/IT Incident Phishing Attack
Allina Health Healthcare Provider 199,389 Hacking/IT Incident Blackbaud Ransomware Attack
University of Missouri Health Care Healthcare Provider 189,736 Hacking/IT Incident Phishing Attack
The Christ Hospital Health Network Healthcare Provider 183,265 Hacking/IT Incident Blackbaud Ransomware Attack
Stony Brook University Hospital Healthcare Provider 175,803 Hacking/IT Incident Blackbaud Ransomware Attack
Atrium Health Healthcare Provider 165,000 Hacking/IT Incident Blackbaud Ransomware Attack
University of Kentucky HealthCare Healthcare Provider 163,774 Hacking/IT Incident Blackbaud Ransomware Attack
Children’s Minnesota Healthcare Provider 160,268 Hacking/IT Incident Blackbaud Ransomware Attack
Roswell Park Comprehensive Cancer Center Healthcare Provider 141,669 Hacking/IT Incident Blackbaud Ransomware Attack
Piedmont Healthcare, Inc. Healthcare Provider 111,588 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Montana (affiliated covered entity) Healthcare Provider 93,642 Hacking/IT Incident Blackbaud Ransomware Attack
Roper St. Francis Healthcare Healthcare Provider 92,963 Hacking/IT Incident Blackbaud Ransomware Attack

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

Sept 2020 healthcare data breach report - covered entity type

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the district of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

Entity Settlement
Beth Israel Lahey Health Behavioral Services $70,000
Housing Works, Inc. $38,000
All Inclusive Medical Services, Inc. $15,000
Wise Psychiatry, PC $10,000
King MD $3,500

 

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

The post September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised appeared first on HIPAA Journal.

6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks

The U.S. Department of Justice has announced 6 Russian hackers have been indicted for their role in the 2017 NotPetya malware attacks and a long list of offensive cyber campaigns on multiple targets in the United States and other countries.

The six individuals are suspected members of the GRU: Russia’s Main Intelligence Directorate, specifically GRU Unit 74455, which is also known as Sandworm. The Sandworm unit is believed to be behind a long list of offensive cyber campaigns spanning several years.

Sandworm is suspected of being instrumental in attempts to influence foreign elections, including the 2016 U.S. presidential election and the 2017 French Presidential election. One of the most destructive offensive campaigns involved the use of NotPetya malware in 2017. NotPetya was a wiper malware used in destructive attacks worldwide that leveraged the Microsoft Windows Server Message Block (SMBv1) vulnerability.

Several hospitals and medical clinics were affected by NotPetya and had data wiped and computer systems taken out of action. NotPetya hit the pharmaceutical giant Merck, Danish shipping firm Maersk, and FedEx subsidiary TNT Express. The attack on Merck has been estimated to have cost $1.3 billion. In total, the malware caused more than $10 billion in damages and affected more than 300 companies worldwide.

Sandworm was also behind attempts to disrupt the 2018 Winter Olympics using Olympic Destroyer malware, and the hackers attempted to disrupt the investigation of the Novichok poisonings of former Russian spy Sergei Skripal and his daughter by the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory.

Sandworm was also behind destructive attacks on Ukraine’s energy grid between December 2015 and December 2016 and other government targets using KillDisk, BlackEnergy, and Industroyer malware, along with attacks on government entities and companies in Georgia in 2018.

“The crimes committed by these defendants and Unit 74455 are truly breathtaking in their scope, scale and impact,” said U.S. Attorney for the Western District of Pennsylvania, Scott Brady. “These are not acts of traditional spying against governments. Instead, these are crimes committed by Russian government officials against real victims who suffered real harm.”

The alleged Russian operatives are Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin. Each has been charged with 7 counts – one count of  conspiracy to commit computer fraud and abuse, one count of conspiracy to commit wire fraud, one count of intentional damage to a protected computer, two counts of wire fraud, and two counts of aggravated identity theft, with the indictment also alleging false registration of domain names. In total, the maximum possible sentence if found guilty on all counts is 71 years in prison. The indictment also includes details of the specific roles each defendant played in the attacks, confirmed the detailed nature of the intelligence collected on each individual by intelligence agencies, law enforcement, foreign governments, and private companies.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers.  “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.  No nation will recapture greatness while behaving in this way.”

Russian has responded by denying any involvement in the cyberattacks attributed to the hackers. A spokesperson for the Russian embassy in Washington said, “Russia does not and did not have intentions to engage in any kind of destabilizing operations around the world. This does not correspond to our foreign policy, national interests or our understanding of how relations between states are built. Russia respects the sovereignty of other countries and does not interfere in their affairs.”

It is unlikely that the indicted hackers will ever face a trial, as there is no extradition treaty between Russia and the United States.

The post 6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks appeared first on HIPAA Journal.

Active Threat Warning Issued About SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and infrastructure Security Agency is also urging organizations to patch the flaw promptly to prevent exploitation.

The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges.

To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques.

The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SharePoint Online is not affected by the vulnerability.

SharePoint vulnerabilities are attractive to hackers as SharePoint is commonly used by enterprise organizations. Previous SharePoint vulnerabilities have been extensively exploited, two of which were listed in CISA’s list of the top 10 most exploited vulnerabilities between 2016 and 2019.

Microsoft issued an out-of-band patch to correct the flaw this week. The patch needs to be applied to correct the vulnerability as there are no mitigations to prevent exploitation of the flaw. The patch changes the way SharePoint checks the source markup of application packages.

A proof of concept exploit for the vulnerability has been publicly released on GitHub by security researcher Steven Seeley, who discovered the flaw and reported it to Microsoft. The PoC could easily be weaponized so there is a high risk of exploits being developed and used in attacks on organizations. At the time of the release of the patch, Microsoft was unaware of any cases of exploitation of the flaw in the wild.

According to NCSC, “This PoC can be detected by identifying HTTP headers containing the string runat=’server’ – as well as auditing SharePoint page creations.”

Rapid7 researchers have warned that the vulnerability has a very high value to hackers due to the ease at which the vulnerability can be exploited to gain privileged access.

“The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization,” explained Rapid7.  The patch should be applied as soon as possible to prevent exploitation.

The post Active Threat Warning Issued About SharePoint RCE Vulnerability appeared first on HIPAA Journal.

Universities Targeted in Silent Librarian Spear Phishing Campaign

The Iran-based hacking group known as Silent Librarian – aka Cobalt Dickens and TA407 – has recommenced spear phishing attacks on universities in the United States and around the world. The hacking group has been conducting attacks since 2013 to gain access to login credentials and steal intellectual property and research data. Credentials and data stolen in the attacks are subsequently sold via the hacking group’s portals.

The U.S. Department of Justice indicted 9 Iranians in connection with the attacks in 2018, but the indictments have had no effect on the campaigns which have continued. Those individuals have yet to be brought to justice.

The spear phishing campaigns usually recommence in September to coincide with the start of the new academic year. The hackers have developed many different phishing websites which are used in the campaigns, and while many of these sites are taken down, sufficient numbers are used to ensure the campaigns can continue. This year, the group is known to be using sites hosted in Iran, which could hamper efforts to have the sites shut down due to a lack of cooperation between Iran and the United States and Europe.

Spear phishing emails are highly targeted and are sent to relatively few individuals at each targeted institution. The emails often spoof university libraries and prompt users to click links and login to the university’s web portal.

The domains used in the campaign closely resemble the official domains used by the universities. For instance, attacks on Western University Canada use login.proxy1.lib.uwo.ca.sftt.cf instead of login.proxy1.lib.uwo.ca, and the campaign targeting Stony Brook University uses the domain blackboard.stonybrook.ernn.me instead of blackboard.stonybrook.edu.

The threat group is known to use URL shortening services for links to the phishing domains to mask the true destination URL. Malwarebytes, which discovered the latest campaign, reports that Silent Librarian is using Cloudflare this year for most of their phishing hostnames to hide the real origin of the sites, which are mostly hosted in Iran this year.

The landing pages on the phishing pages are virtual carbon copies of those used by the universities being targeted, so if a user lands on one of those pages and fails to identify the incorrect URL, there is a strong likelihood that login credentials will be entered and captured by the group.

This year’s campaign could be even more effective. Many students and staff are remote due to COVID-19, which could potentially be exploited to steal more credentials and data.

The hacking group is known to have conducted attacks on at least 40 organizations and more than 140 educational institutions since 2013 and was discovered to have stolen more than 30 TB of data between 2013 and 2017. Malwarebytes reports that well over a dozen universities are known to have been targeted in the latest campaign, but says only a small sample of the emails have been intercepted and the campaign is likely to be far more extensive.

The post Universities Targeted in Silent Librarian Spear Phishing Campaign appeared first on HIPAA Journal.

Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA

On October 2020 Patch Tuesday, Microsoft released a patch to correct a critical remove code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw concerns how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was assigned a CVSS v3 score of 9.8 out of 10.

While all patches should be applied promptly to prevent exploitation, there is usually a delay between patches being released and exploits being developed and used offensively against organizations; however, due to the severity of the flaw and the ease at which it can be exploited, patching this vulnerability is especially important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) took to Twitter to urge all organizations to apply the patch immediately.

An attacker could exploit the flaw remotely in a Denial of Service attack, resulting in a ‘blue screen of death’ system crash; however, exploitation could also allow the remote execution of arbitrary code on the vulnerable systems. To exploit the flaw, an unauthenticated hacker need only send specially crafted ICMPv6 Router Advertisement to a vulnerable Windows computer – A device running Windows 10 1709 to 2004, Windows Server versions 1903 to 2004, or Windows Server 2019.

While there have been no known exploits of the vulnerability in the wild, the flaw will be attractive to hackers. McAfee Labs reports that a proof-of-concept exploit for the flaw was sent to Microsoft Active Protection Program members that it reports is “extremely simple and perfectly reliable.”  In addition to being easy to exploit, the vulnerability is potentially wormable, so attacking one device could easily see all other vulnerable devices on the network similarly compromised.

McAfee Labs nicknamed the vulnerability “Bad Neighbor” as it resides in the ICMPv6 Neighbor Discovery “Protocol”, using the Router Advertisement type, and is due to the TCP/IP stack improperly handling ICMPv6 Router Advertisement packets that use Option Type 25 (Recursive DNS Server Option) and a length field value that is even.

If it is not possible to patch immediately, mitigations need to be implemented to reduce the potential for exploitation.

Microsoft recommends administrators disable ICMPv6 RDNSS to prevent exploitation. This can be achieved using a simple PowerShell command:

netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

However, this option will disable RA-based DNS configuration, so cannot be used on network infrastructure that relies on RA-based DNS configuration. Also, this mitigating measure is only effective on Windows 10 1709 and later versions.

Alternatively, it is possible to prevent exploitation by disabling ipv6 traffic on the NIC or at the network perimeter, but this is only possible if ipv6 traffic is not essential.

The post Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA appeared first on HIPAA Journal.

CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw

A joint advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warning about sophisticated advanced persistent threat actors chaining exploits for multiple vulnerabilities in cyberattacks against federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support systems. While there have been successful attacks on the latter, no evidence has been found to suggest any election data have been compromised to date.

Several legacy vulnerabilities are being targeted along with more recently discovered vulnerabilities, such as the Windows Server Netlogon remote protocol vulnerability – CVE-2020-1472 – also known as Zerologon. A patch for the flaw was issued by Microsoft on August 2020 Patch Tuesday but patching has been slow.

Chaining vulnerabilities in a single cyberattack is nothing new. It is a common tactic used by sophisticated threat groups to compromise networks and applications, elevate privileges, and achieve persistent access to victims’ networks

The advisory did not specify which APT groups are conducting the attacks, although Microsoft recently issued an alert about the Mercury APT group – which has links to Iran – exploiting the Zerologon flaw to gain access to government networks. Those attacks have been ongoing for at least two weeks.

CISA and the FBI explained in the advisory that attacks start with the exploitation of legacy vulnerabilities in VPNs and network access devices. In several attacks, initial access to networks was gained by exploiting the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability – CVE-2018-13379 and, to a lesser extent, the MobileIron vulnerability – CVE-2020-15505. The latter vulnerability is also being exploited by ransomware gangs following the publication of a PoC exploit for the flaw.

While the latest campaigns have been conducted exploiting the above vulnerabilities, CISA/FBI warn that other legacy vulnerabilities in Internet facing infrastructure could similarly be exploited in attacks such as:

  • Citrix Gateway/Citrix SD WAN WANOP vulnerability – CVE-2019-19781
  • Pulse Secure vulnerability – CVE-2019-11510
  • F5 BIG-IP vulnerability – CVE-2020-5902
  • Palo Alto Networks vulnerability – CVE-2020-2021
  • Citrix NetScaler vulnerability – CVE2019-19751
  • Juniper vulnerability – CVE-2020-1631

Once a flaw has been exploited to gain access to the target’s network, the attackers then exploit more recently discovered vulnerabilities such as the Zerologon flaw, which allows them to elevate privileges to administrator, steal usernames and passwords, and access Windows Active Directory servers and establish persistent access to networks. Legitimate tools such as MimiKatz and CrackMapExec are often used in the attacks.

Due to the high potential for exploitation of the Zerologon flaw, Microsoft issued multiple alerts urging organizations to apply the patch as soon as possible, as have CISA and the CERT Coordination Center.

CISA and the FBI have suggested several mitigations to block these attacks, the most important of which is patching the above vulnerabilities. Patching vulnerabilities in software and equipment promptly and diligently is the best defense against APT groups.

Other important steps to take are concerned with more traditional network hygiene and user management such as:

  • Implement multi-factor authentication on all VPN connections, ideally using physical security tokens which are the most secure method of MFA, or alternatively using authenticator app-based MFA.
  • Strong passwords should be set for all users and vendors who need to connect via VPNs.
  • Discontinue unused VPN servers.
  • Conduct audits of configuration and patch management programs.
  • Monitor network traffic for unexpected or unapproved protocols, especially outbound traffic to the Internet.
  • Use separate admin accounts on separate administration workstations.
  • Update all software to the latest versions and configure updates to be applied automatically where possible.
  • Block public access to vulnerable unused ports such as port 445 and 135.
  • Secure Netlogon channel connections by updating all domain controllers and read-only domain controllers.

CISA and the FBI suggest any organization with Internet facing infrastructure should adopt an “assume Breach” mentality.

“If there is an observation of CVE-2020-1472 or Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed,” explained CISA/FBI in the alert.

Since fully resetting an AD forest is difficult and complex, organizations should consider seeking assistance from third-party cybersecurity firms with experience of successfully completing the task.

The post CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw appeared first on HIPAA Journal.

CISA Issues Alert Following Increase in Emotet Malware Attacks

Following a period of dormancy between February 2020 and July 2020, the Emotet botnet sprang back to life and recommenced spam runs distributing the Emotet Trojan. Since August 2020, attacks on state and local governments have increased sharply, prompting the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to issue a cybersecurity alert for all industry sectors.

The Emotet botnet resumed activity in July with a massive phishing campaign using messages with malicious Word attachments and hyperlinks. Since then, multiple spam runs have been conducted which typically consist of more than 500,000 emails. The Emotet Trojan is a dangerous banking Trojan which is used as a downloader of other types of malware, notably the TrickBot and Qbot Trojans. The secondary payloads in turn deliver other malware payloads, including Ryuk and Conti ransomware.

One infected device could easily result in further infections across the network. Emotet infects other devices in a worm-like fashion, creating multiple copies of itself which are written to shared drives. Emotet also brute forces credentials and distributes copies of itself via email. Emotet is capable of hijacking genuine email threads and inserting malicious files. Since the emails appear to have been sent by known contacts in response to previously sent messages, there is a higher probability of the email attachments being opened.

The Trojan is continuously evolving using dynamic link libraries and regularly has new capabilities added. The capabilities of the Trojan make it difficult to eliminate from networks. The Trojan can be removed from infected devices, but they can quickly be reinfected by other compromised devices on the network.

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have been collecting data on Emotet attacks and Emotet loader downloads since botnet activity resumed in July. CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, identified around 16,000 alerts about Emotet activity since July, including potentially targeted attacks on state and local governments. Compromises have also been reported in Canada, France, Italy, Japan, New Zealand, and the Netherlands.

CISA regards Emotet as one of the most prevalent ongoing threats, and its secondary malware payloads of TrickBot and Qbot are also significant threats, as are the ransomware payloads they deliver.

The phishing emails used to distribute the Emotet loader are diverse and often change. COVID-19 themes emails have been used this year along with many lures aimed at businesses. The email attachments are typically malicious Word documents, although password protected zip files have also been used to evade anti-spam and anti-phishing solutions. The emails often claim that attachments have been created on mobile device and require the user to enable content (and by doing so enable macros) to view the files.

To prevent Emotet malware attacks, CISA and MS-ISAC recommend adopting cybersecurity best practices which include applying protocols to block suspicious attachments, including attachments that cannot be scanned by AV solutions such as password-protected files. Antivirus software should be used on all devices and set to update automatically, suspicious IPs should be blocked, DMARC authentication and multi-factor authentication should be implemented, organizations should adhere to the principle of least privilege, and should segment and segregate networks and disable file and printer sharing services (if possible).

The full list of recommended mitigations are detailed in the CISA alert.

The post CISA Issues Alert Following Increase in Emotet Malware Attacks appeared first on HIPAA Journal.

CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a Telework Essentials Toolkit to help business leaders, IT staff, and end users transition to a permanent teleworking environment.

The COVID-19 pandemic forced businesses to rapidly change from having a largely office-based workforce to allowing virtually all employees to work from home to reduce the risk of infection. The speed at which the transition had to be made potentially introduced security vulnerabilities that weakened organizational cybersecurity defenses. The CISA Toolkit is intended to provide support to organizations to help them re-evaluate and strengthen their cybersecurity defenses and fully transition into a long-term teleworking solution.

The Toolkit includes three personalized modules that include best practices for executive leaders, IT professionals and teleworkers, and include the security considerations appropriate to each role.

Executive leaders are provided with information to help them drive cybersecurity strategy, investment, and develop a cyber secure hybrid culture in their organization. Resources are provided to help business leaders develop organizational policies and procedures for remote working, implement cybersecurity training to improve understanding on risks and threats when accessing organizational systems and data remotely, and moving organizational assets beyond the traditional perimeter where they may not be accessible to the organization’s monitoring and response capabilities. Advice is provided on addressing the basics of cyber hygiene with the workforce and providing clear and regular updates on cybersecurity best practices.

Guidance for IT professionals is focused on the policies, procedures, and tools that need to be implemented to ensure teleworkers can work and access the resources they need remotely. The guidance explains the importance of patching promptly and implementing effective vulnerability management practices, the need for zero trust architecture, multi-factor authentication, regular data backups, and DMARC validation to address the risks of phishing and business email compromise in relation to remote working environments. IT leaders must also stipulate the tools and applications that must be used when working remotely and provide training on how to use those tools securely.

Everyone has a role to play in the transition from temporary to permanent remote working, including end users. The third module is aimed at teleworkers and provides advice on the steps that need to be taken to work securely from home. These include making sure home networks are properly configured and hardened, following organizational secure practices and policies, increasing awareness of phishing and social engineering threats, and promptly communicating any suspicious activities to the IT security team.

The CISA Telework Essentials Toolkit can be downloaded on this link.

The post CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment appeared first on HIPAA Journal.

Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions.

“Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Several individuals involved in ransomware attacks over the past few years have been sanctioned by OFAC, including the Lazarus Group from North Korea which was behind the WannaCry 2.0 ransomware attacks in May 2017, two Iranians believed to be behind the SamSam ransomware attacks that started in late 2015, Evil Corp and its leader, Maksim Yakubets, who are behind Dridex malware, and Evgeniy Mikhailovich Bogachev, who was designated the developer of Cryptolocker ransomware, first released in December 2016.

Paying ransoms to sanctioned persons or jurisdictions threatens U.S. national security interests. “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims,” explained OFAC.

“U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes,” wrote OFAC.

Civil monetary penalties may be imposed for sanctions violations, even if the person violating sanctions was unaware that they were engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. Any facilitator or payer of ransom demands to sanctioned individuals, entities, or regimes could face a financial penalty up to $20 million.

Many entities do not disclose ransomware attacks or report them to law enforcement to avoid negative publicity and legal issues, but by failing to report they are hampering law enforcement investigations into attacks. OFAC explained in its advisory that the financial intelligence and enforcement agency will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

The advisory also includes contact information for victims of ransomware attacks to discover if there are sanctions imposed on threat actors, and whether payment of a ransom may involve a sanctions nexus.

OFAC has advised against paying any ransom demand. Not only does payment of a ransom risk violating OFAC regulations, there is no guarantee that payment of the ransom will result in valid keys being supplied, the criminals may not delete stolen data, and they could issue further ransom demands. Payment of a ransom may also embolden cyber actors to engage in further attacks.

OFAC has only offered advice and warned of sanctions risks if payments are made to certain threat actors. Aside from implementing a ban on paying any ransom payment, the attacks are likely to remain profitable and will continue. Only when the attacks cease to be profitable are cybercriminals likely to stop conducting attacks.

The post Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment appeared first on HIPAA Journal.