Healthcare Cybersecurity

HC3 Warns HPH Sector About Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat

The Health Sector Cybersecurity Coordination Center (HC3) has warned healthcare organizations that use Fortinet’s FortiSIEM platform to patch a critical vulnerability that is likely to be targeted by malicious actors and has issued a threat brief on Emotet malware.

FortiSIEM Command Injection Vulnerability – CVE-2023-36553

A critical vulnerability has been identified by Fortinet in its FortiSIEM platform. The vulnerability has been assigned a CVSS v3.1 severity score of 9.8 out of 10 and can be exploited remotely by malicious actors to execute arbitrary commands. The flaw is related to a bug discovered and patched by Fortinet in October 2023 – CVE-2023-34992. While there have been no known instances of the vulnerability being exploited in attacks, Fortinet vulnerabilities are actively targeted by malicious actors and exploitation of the flaw is likely.

“An improper neutralization of special elements used in an OS command vulnerability in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” said Fortinet in a recent security advisory.

The vulnerability affects the following FortiSIEM versions: 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4. Users should upgrade to a fixed version as soon as possible. The vulnerability has been fixed in versions: 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.

Emotet Malware – A Persistent Threat to the HPH Sector

Emotet malware was first identified in 2014 and started life as a banking Trojan; however, the malware has evolved over the years and is now commonly used as a first-stage malware for delivering other malware payloads such as banking Trojans, multi-purpose malware, information stealers, and ransomware, including the infamous TrickBot Trojan. Devices infected with Emotet are added to a botnet under the control of the operator of the malware, a group tracked as Mummy Spider, also known as TA542, GOLD CABIN & Mealybug, which is believed to operate out of Ukraine.

At its height, Emotet was called the world’s most dangerous malware by Europol, and Check Point data suggests one in every five organizations worldwide has been infected with Emotet. Emotet activity follows a rhythm of around 2-3 months of attacks followed by a period of little to no activity, which can last between 3 and 12 months. In January 2021, an international law enforcement operation took control of the botnet’s infrastructure, and an update was pushed out that uninstalled the malware from all infected devices. Ten months later, the botnet had been rebuilt.

While activity did not recover to the levels at the height of its success, the botnet continues to grow and still poses a significant threat. There were activity spikes in late spring 2022 before activity dropped off, and activity spiked again in Spring 2022. According to Check Point, the botnet now consists of around 130,000 unique devices in 179 countries, and Emotet was the most prolific malware variant in February 2023. Emotet is used to gain initial access to networks and can elevate privileges, evade defenses, steal credentials, move laterally, exfiltrate data, and download other malware payloads. It has been, and still is, one of the most potent weapons against the health sector. Recent activity includes the delivery of ransomware variants such as Quantum and BlackCat.

Emotet malware is most commonly delivered via phishing emails containing malicious URLs that link to a document containing a malicious macro that downloads the Emotet payload. The malware achieves persistence through Windows registry keys that ensure the malware executes on each reboot. The malware may also achieve persistence via the Windows Startup folder or via scheduled tasks, and it can also run as a Windows service that is executed automatically. HC3’s Emotet Threat Brief includes recommendations for healthcare and public health sector organizations on defense and mitigations.
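The following added PowerShell script is not from HC3’s brief or from HIPAA Journal; it audits the four autostart locations named above (Run/RunOnce registry keys, Startup folders, scheduled tasks, and auto-start services) on a Windows host and flags entries whose executable sits in a user-writable directory, which is a pattern worth reviewing rather than proof of infection. The directory fragments used for flagging are an assumption chosen for this example.

```powershell
# Added audit example (not Emotet-specific signatures): list autostart entries from the
# locations HC3's brief calls out and flag commands launched from user-writable paths.
# Run from an elevated PowerShell session so HKLM keys and all tasks/services are readable.

# Assumed heuristic: binaries started from these directories deserve a closer look.
$UserWritable = @('\AppData\', '\Temp\', '\Users\Public\', '\Downloads\')

function Test-SuspiciousPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    foreach ($frag in $UserWritable) {
        if ($Command -like "*$frag*") { return $true }
    }
    return $false
}

function Get-RunKeyEntries {
    # Run/RunOnce values execute at logon (machine-wide, 32-bit redirected, and current user).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            [pscustomobject]@{ Source = "Registry: $k"; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders: anything here runs at logon.
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File -Force | ForEach-Object {
            [pscustomobject]@{ Source = "Startup folder: $f"; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ScheduledTaskEntries {
    # Every enabled task action, with its executable and arguments.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source  = "Task: $($task.TaskPath)"; Name = $task.TaskName
                                   Command = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim() }
            }
        }
    }
}

function Get-AutoStartServiceEntries {
    # Services configured to start automatically at boot.
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = [string]$_.PathName }
    }
}

$all = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-ScheduledTaskEntries) + @(Get-AutoStartServiceEntries)
$flagged = $all | Where-Object { Test-SuspiciousPath $_.Command }

"Autostart entries examined: $($all.Count); flagged for review: $($flagged.Count)"
$flagged | Format-Table Source, Name, Command -AutoSize -Wrap
```

Pipe `$all` to `Export-Csv` on a known-good baseline host and diff later runs against it; new entries are easier to spot than suspicious paths alone.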

The post HC3 Warns HPH Sector About Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat appeared first on HIPAA Journal.

CISA Publishes Mitigation Guide for the Healthcare and Public Health Sector

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a new mitigation guide for the Healthcare and Public Health (HPH) Sector for combating pervasive cyber threats affecting the sector. The guidance is a supplemental companion to the HPH Cyber Risk Summary, published by CISA on July 19, 2023, and maps CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) to the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients guidance that was jointly published by the Department of Health and Human Services (HHS) and the Health Sector Coordinating Council (HSCC).

CISA has identified vulnerabilities and insecure configurations across the HPH sector that present opportunities for mitigating risks before they can be exploited by threat actors. The top vulnerabilities in the HPH sector are web application vulnerabilities, encryption weaknesses, unsupported software and Windows operating systems, known exploited vulnerabilities, and vulnerable services. These vulnerabilities are commonly exploited in phishing, ransomware, and denial of service attacks, and often lead to data breaches. The 25-page guidance document outlines three mitigation strategies for improving defenses against the most common attack vectors and includes recommendations and cybersecurity best practices for asset management and security, identity management and device security, and vulnerability, patch, and configuration management.

Knowing what assets are on the organization’s network is fundamental to cybersecurity. All assets must be known, as well as their relationships and interdependencies, the functions of each asset, what each exposes, and the software/firmware that each is running. Organizations that have not implemented and maintained a complete inventory of all assets risk exposing vulnerabilities and services that can be exploited by threat actors. Once the asset inventory has been created, healthcare organizations can focus on securing all assets, segmenting networks to limit the potential for lateral movement, and using demilitarized zones (DMZs) and firewalls to shield assets from unauthorized access. The guidance includes recommendations for network segmentation, securing vulnerable and exploitable services, and asset security mitigations.

As the HPH sector continues to transition from on-premises to online systems, it is vital that devices and digital accounts are properly secured through effective identity management and device security controls. The guidance suggests several focus areas, including email security and phishing prevention, access management, password policies, data protection and data loss prevention strategies, and logging and monitoring for unauthorized access.

Vulnerabilities and weak configurations are commonly exploited by cyber actors to gain initial access to internal systems and data. CISA stresses the importance of proactively scanning devices and systems for vulnerabilities or technology flaws that threat actors could exploit, and engaging in a continuous process of identifying vulnerabilities, assessing and prioritizing threats, mitigating vulnerabilities, verifying vulnerabilities have been addressed, and improving defenses. In addition to vulnerability management, HPH entities should implement security configuration management (SecCM) to identify and address misconfigurations in default system settings.

In addition to the recommendations for healthcare organizations, CISA has urged technology manufacturers to employ secure by design principles and ensure their products have the necessary security measures built in for the entire product lifecycle and to ensure that their default configurations are secure.


October 2023 Healthcare Data Breach Report

For the second consecutive month, the number of reported data breaches of 500 or more healthcare records has fallen, with October seeing the joint-lowest number of reported data breaches this year. After the 29.4% fall in reported data breaches from August to September, there was a further 16.7% reduction, with 40 data breaches reported by HIPAA-regulated entities in October – the opposite trend to what was observed in 2022, when data breaches increased from 49 in August 2022 to 71 breaches in October 2022. October’s total of 40 breaches is well below the 12-month average of 54 breaches per month (median: 52 breaches).

October 2023 healthcare data breach report - 12 month breaches

For the third consecutive month, the number of breached healthcare records has fallen, from more than 18 million records in July 2023 to 3,569,881 records in October – a month-over-month percentage decrease of 52.76%. October’s total is well below the 12-month average of 7,644,509 breached records a month (median: 5,951,455 records). While this is certainly good news, it should be noted that 2023 has been a particularly bad year for healthcare data breaches. Between January 1, 2023, and October 31, 2023, more than 82.6 million healthcare records were exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2023. As of November 17, 2023, more than 100 million records have been breached.

October 2023 healthcare data breach report - 12 month breached records

Largest Healthcare Data Breaches Reported in October 2023

Fourteen breaches of 10,000 or more records were reported in October, the largest of which occurred at Postmeds Inc., the parent company of Truepill, a provider of a business-to-business pharmacy platform that uses APIs for order fulfillment and delivery services for direct-to-consumer brands. While victims of the breach do not face an immediate risk of identity theft, since no Social Security numbers were compromised, they do face an increased risk of phishing and social engineering attacks. As is now common in breach notifications, little information about the incident has been disclosed, other than it being a hacking incident involving unauthorized access to its network between August 30 and September 1, 2023. The Postmeds data breach was the 21st data breach of 1 million or more records to be reported this year.

Even though the Clop hacking group’s mass exploitation of the zero-day vulnerability in Progress Software’s MOVEit Transfer solution occurred in late May, healthcare organizations are still reporting MOVEit data breaches. More than 2,300 organizations are now known to have been affected, and more than 60 million records were stolen in the attacks.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Postmeds, Inc. (TruePill) | CA | Healthcare Provider | 2,364,359 | Hacking incident (details not disclosed)
Western Washington Medical Group | MS | Healthcare Provider | 350,863 | Hacking incident (details not disclosed)
Greater Rochester Independent Practice Association, Inc. | NY | Healthcare Provider | 279,156 | Hacking incident (details not disclosed)
Radius Global Solutions | PA | Business Associate | 135,742 | Hacking incident – MOVEit Transfer vulnerability exploited
Dakota Eye Institute | ND | Healthcare Provider | 107,143 | Hacking incident (details not disclosed)
Walmart, Inc. Associates Health and Welfare Plan | AR | Health Plan | 85,952 | Hacking incident (details not disclosed)
Westat, Inc. | MD | Business Associate | 50,065 | Hacking incident – MOVEit Transfer vulnerability exploited
Brooklyn Premier Orthopedics | NY | Healthcare Provider | 48,459 | Hacking incident (details not disclosed)
PeakMed | CO | Healthcare Provider | 27,800 | Hacking incident (compromised credentials)
Hospital & Medical Foundation of Paris, Inc | IL | Healthcare Provider | 16,598 | Hacking incident (details not disclosed)
Fredericksburg Foot & Ankle Center, PLC | VA | Healthcare Provider | 14,912 | Hacking incident (details not disclosed)
Cadence Bank | MS | Business Associate | 13,862 | Hacking incident – MOVEit Transfer vulnerability exploited
Peerstar LLC | PA | Healthcare Provider | 11,438 | Hacking incident (details not disclosed)
Atlas Healthcare CT | CT | Healthcare Provider | 10,831 | Hacking incident (details not disclosed)

October 2023 Data Breach Causes and Data Locations

As has been the case throughout 2023, hacking was the most common cause of data breaches in October, accounting for 77.5% of the month’s data breaches (31 incidents) and 99.13% of the breached records (3,538,726 records). The average data breach size in hacking incidents was 114,152 records and the median data breach size was 4,049 records.

The exact nature of these incidents has not been publicly disclosed in many cases, so it is not possible to determine the extent to which ransomware attacks, phishing attacks, and vulnerability exploits are occurring. The exception is the mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution, a fairly safe disclosure legally, as organizations cannot be expected to patch a vulnerability that is unknown even to the company that developed the software. While the lack of information is undoubtedly intended to reduce legal risk, if victims of a breach are given insufficient information, it is difficult for them to accurately gauge the level of risk they face.

There were 8 data breaches classified as unauthorized access/disclosure incidents, across which 30,555 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 3,819 records and the median breach size was 2,111 records. There was one reported incident involving the theft of a desktop computer, which contained the unencrypted protected health information of 600 individuals, and no incidents involving the loss or improper disposal of PHI.

October 2023 healthcare data breach report - causes of breaches

The most common location of breached PHI was network servers, which is unsurprising given the large number of hacking incidents. Eight data breaches involved compromised email accounts.

October 2023 healthcare data breach report - location of breached data

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in October, with 25 reported data breaches. There were 11 data breaches reported by business associates and 4 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

October 2023 healthcare data breach report - affected entities

October 2023 healthcare data breach report - breached records at HIPAA-regulated entities

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 23 states reported data breaches of 500 or more records in October. Texas was the worst affected state with 5 large data breaches followed by Mississippi with 4.

State | Breaches
Texas | 5
Mississippi | 4
Illinois, New York & Pennsylvania | 3
California, Colorado, Florida & Georgia | 2
Arkansas, Connecticut, Delaware, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, North Dakota, Oklahoma, Oregon & Virginia | 1

HIPAA Enforcement Activity in October 2023

In October, the HHS’ Office for Civil Rights (OCR) announced its 10th HIPAA compliance enforcement action of the year. Doctors’ Management Services, a Massachusetts-based medical management company that offers services such as medical billing and payor credentialing, opted to settle an OCR investigation of a data breach. In April 2017, a threat actor accessed its network via Remote Desktop Protocol and gained access to the protected health information of 206,695 individuals.

OCR determined there had been a risk analysis failure, a failure to review records of system activity, and a failure to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Those failures resulted in an impermissible disclosure of the PHI of 206,695 individuals. Doctors’ Management Services paid a financial penalty of $100,000 and agreed to a corrective action plan to address the HIPAA compliance issues discovered by OCR.

State Attorneys General also have the authority to investigate HIPAA-regulated entities and impose financial penalties for HIPAA violations, although they often choose to impose penalties for equivalent violations of state laws. Three settlements were agreed in October with HIPAA-regulated entities to resolve allegations of data security and breach notification failures.

Blackbaud, a Delaware corporation headquartered in Charleston, South Carolina, that provides donor relationship management software, chose to settle alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws with 49 states and the District of Columbia, paid a $49.5 million penalty, and agreed to make substantial data security improvements. Blackbaud suffered a ransomware attack in May 2020, which exposed the protected health information of 5,500,000 individuals. The multi-state investigation identified a lack of appropriate safeguards to ensure data security and breach response failures.

Inmediata, a Puerto Rico-based healthcare clearinghouse, settled a multi-state data breach investigation involving more than 35 state attorneys general. A server had been left unsecured, which allowed sensitive data to be indexed by search engines and found by anyone with Internet access. The protected health information of 1,565,338 individuals was exposed. The multi-state investigation identified a failure to implement reasonable and appropriate security measures, as required by the HIPAA Security Rule, a failure to conduct a secure code review, and violations of the HIPAA Breach Notification Rule and state breach notification rules for failing to provide timely and complete information to victims of the breach. The investigation was settled for $1.4 million, and Inmediata agreed to make improvements to its information security program and strengthen its data breach notification practices.

Personal Touch Holding Corp, a home health company that does business as Personal Touch Home Care, opted to settle an investigation by the Office of the New York Attorney General into a breach of the protected health information of 753,107 individuals, including 316,845 New York residents. An employee responded to a phishing email which resulted in malware being installed. The threat actor exfiltrated data and then used ransomware to encrypt files. The New York Attorney General alleged Personal Touch only had an informal information security program, insufficient access controls, no continuous monitoring system, a lack of encryption, and inadequate staff training. Personal Touch paid a $350,000 financial penalty and agreed to make improvements to its information security and training programs.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on November 11, 2023.


FDA Releases Guidance on Managing Legacy Medical Device Cybersecurity Risks

The U.S. Food and Drug Administration (FDA) has published a report it commissioned that makes recommendations on how to manage the cybersecurity risks of legacy medical devices. Legacy medical devices are classed as devices that can no longer be reasonably protected against current cybersecurity threats, even though they may still adequately perform their primary function and have a useful life beyond the declared end-of-support or end-of-life date.

When medical devices reach end-of-life, patches stop being released to fix vulnerabilities, and unpatched vulnerabilities can be exploited to gain access to the devices and the networks to which they are connected. In many cases, the vendors of the devices cannot continue to issue software patches due to outdated technology and compatibility issues, and healthcare delivery organizations (HDOs) may not be able to replace them due to the high cost of doing so. If the devices were to be removed from use, it could have serious implications for patient safety and clinical operations.

Medical devices are regulated by the FDA, which was tasked by Congress in 2022 to ensure the cybersecurity of medical devices. The FDA has already issued final guidance on premarket submissions for medical devices, which must now meet minimum standards for cybersecurity in order to be approved for use in the United States by the FDA. While the final guidance addresses cybersecurity risks associated with new medical devices that come onto the market, it does nothing to address the cybersecurity of the millions of devices that are already in use at hospitals across the United States.

In November 2023, the FDA contracted with MITRE to produce a report on legacy medical devices, which were legally sold and had cybersecurity controls that were effective at the point of purchase but can no longer be reasonably protected. In an ideal world, these devices should be replaced; however, the issue is complex, and it must be managed in a way that minimizes negative impacts on patient care and safety.

To produce the report, Next Steps Toward Managing Legacy Medical Device Cybersecurity Risks, MITRE interviewed medical device manufacturers, healthcare providers, and cybersecurity experts to identify potential solutions for reducing the cybersecurity risks associated with legacy devices, and the report includes recommendations for reducing cyber risks for hospitals that do not have the resources and budgets to replace the devices. The recommendations address the challenges of shared responsibility over the medical device lifecycle, vulnerability management, workforce development, and mutual aid for less well-resourced healthcare delivery organizations (HDOs).

The 8 recommendations made in the report are:

  • Collection of quantitative and qualitative data to allow HDOs and medical device manufacturers (MDMs) to make informed decisions about the risks and costs of replacement versus the continued use of legacy devices.
  • Development of information sharing agreement templates to increase transparency and ensure appropriate expectations are included for managing legacy medical device security risks.
  • Establishment of a security architecture working group including a broad range of stakeholders to identify and prioritize security controls that may be implemented within an HDO’s infrastructure to improve cyber risk management.
  • Development of a research program in modular design for medical devices. If medical devices were designed to be modular, HDOs could have the option of replacing legacy software or hardware components rather than having to totally replace devices.
  • Conduct of a study on vulnerability management coordination to explore approaches to streamline and improve vulnerability management processes, which are often costly and resource-intensive.
  • Development of competency models for roles related to legacy cyber risk management to help less well-resourced HDOs and support workforce training.
  • Participation in mutual aid partnerships, including ad-hoc relationships, private sector partnerships, and state/local government partnerships.


Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) about Rhysida ransomware.

Rhysida ransomware is a ransomware-as-a-service (RaaS) operation that first emerged in May 2023. The group engages in double extortion tactics, involving data theft and encryption, with ransom payment required to obtain the keys to decrypt files and prevent the public release of stolen data. Researchers at Check Point identified significant similarities between Rhysida ransomware and Vice Society, one of the most prolific ransomware groups since 2021 that aggressively targeted the education and healthcare sectors.

In August 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued its own advisory about Rhysida ransomware following several attacks on the healthcare sector, including the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics across the United States. The latest cybersecurity advisory includes an update on the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs) from malware analyses and recent incident response investigations to help network defenders and incident response teams detect and block attacks in progress.

Rhysida ransomware actors have been observed using a variety of techniques for gaining initial access to victims’ networks, including leveraging external-facing remote services such as virtual private networks (VPNs), commonly through the use of compromised credentials. These attacks have proven successful against organizations that have failed to implement multi-factor authentication for VPN connections. Rhysida ransomware actors have also exploited unpatched vulnerabilities, such as the Zerologon (CVE-2020-1472) vulnerability in Microsoft’s Netlogon Remote Protocol, and commonly use phishing emails. Once initial access has been achieved, the group often creates Remote Desktop Protocol (RDP) connections for lateral movement, establishes VPN access, and uses PowerShell and native network administration tools to perform operations, which helps them to evade detection by hiding their activity within normal Windows systems and network activities.

The FBI, CISA, and the MS-ISAC suggest several mitigations for hardening security, including steps that can be taken to block the main attack vectors, restrict lateral movement, and detect attacks in progress. These include enabling phishing-resistant multifactor authentication, especially for webmail, VPNs, and accounts that access critical systems; disabling command-line and scripting activities and permissions; restricting the use of PowerShell; enhancing PowerShell logging and logging within processes; restricting the use of RDP; and securing remote access through application controls.
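The added PowerShell script below is not from the CISA/FBI/MS-ISAC advisory; it checks a Windows host against the subset of the mitigations above that are backed by local registry settings (PowerShell script block and module logging, RDP requiring Network Level Authentication, and RDP disabled where it is not needed), reports the current value beside the expected one, and prints the remediation for each failing check. The registry paths are the standard Windows policy locations; the script itself only reads them.

```powershell
# Added hardening check (read-only): compare PowerShell logging and RDP settings against the
# advisory's recommendations. Run elevated; apply the printed fixes only after confirming that
# the host does not need RDP (the last check) and that your logging pipeline collects event 4104.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means the policy has not been configured
}

function Test-HardeningItem {
    param([string]$Check, [string]$Path, [string]$Name, $Expected, [string]$Fix)
    $actual = Get-RegValue -Path $Path -Name $Name
    [pscustomobject]@{
        Check    = $Check
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected = $Expected
        Pass     = ($actual -eq $Expected)
        Fix      = $Fix
    }
}

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$results = @(
    # Script block logging writes de-obfuscated script content to Microsoft-Windows-PowerShell/Operational (4104).
    Test-HardeningItem -Check 'PowerShell script block logging' `
        -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Expected 1 `
        -Fix ("New-Item -Path '$psPolicy\ScriptBlockLogging' -Force | Out-Null; " +
              "Set-ItemProperty -Path '$psPolicy\ScriptBlockLogging' -Name EnableScriptBlockLogging -Value 1 -Type DWord")

    # Module logging records pipeline execution details (4103); ModuleNames '*' covers all modules.
    Test-HardeningItem -Check 'PowerShell module logging' `
        -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Expected 1 `
        -Fix ("New-Item -Path '$psPolicy\ModuleLogging\ModuleNames' -Force | Out-Null; " +
              "Set-ItemProperty -Path '$psPolicy\ModuleLogging' -Name EnableModuleLogging -Value 1 -Type DWord; " +
              "New-ItemProperty -Path '$psPolicy\ModuleLogging\ModuleNames' -Name '*' -Value '*' -PropertyType String -Force | Out-Null")

    # NLA forces authentication before a session is created, limiting exposure of the RDP listener.
    Test-HardeningItem -Check 'RDP requires Network Level Authentication' `
        -Path "$tsRoot\WinStations\RDP-Tcp" -Name 'UserAuthentication' -Expected 1 `
        -Fix "Set-ItemProperty -Path '$tsRoot\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1 -Type DWord"

    # fDenyTSConnections = 1 disables inbound RDP entirely; expected only on hosts that do not need it.
    Test-HardeningItem -Check 'RDP disabled (hosts that do not require it)' `
        -Path $tsRoot -Name 'fDenyTSConnections' -Expected 1 `
        -Fix "Set-ItemProperty -Path '$tsRoot' -Name fDenyTSConnections -Value 1 -Type DWord"
)

$results | Format-Table Check, Actual, Expected, Pass -AutoSize
$results | Where-Object { -not $_.Pass } | ForEach-Object { "`nTo fix '$($_.Check)':`n  $($_.Fix)" }
```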


Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an updated cybersecurity advisory about Royal ransomware, which is thought to be about to shut down and rebrand.

Royal ransomware first emerged in September 2022 and is thought to have split from the Conti ransomware operation, with a brief spell operating as Quantum in between. Royal ransomware has been a prolific ransomware operation, having conducted more than 350 attacks since September 2022 and has issued ransom demands in excess of $275 million, according to the FBI. Royal ransomware is a private ransomware group that has targeted organizations in healthcare and public health (HPH), education, manufacturing, and communications. The number of attacks on HPH sector organizations prompted an earlier cybersecurity advisory from CISA, the FBI, and the HHS, which shared the latest tactics, techniques, and procedures (TTPs) used by the group and Indicators of Compromise (IoCs). They have been updated in the latest advisory.

In May 2023, a new ransomware variant was detected that had several coding similarities to Royal ransomware, and similar intrusion techniques were used. Researchers at Trend Micro found the two ransomware variants were almost identical, with 98% similar functions, 98.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff. The two groups have been observed using similar software and open source tools in their attacks such as Chisel and Cloudflared for network tunneling, Secure Shell (SSH) Client, OpenSSH, and MobaXterm for SSH connections, Mimikatz and Nirsoft for credential harvesting, and the attacks involved similar remote access tools.

Along with those similarities was the timing of the emergence of the new ransomware variant – Blacksuit – which led security researchers to believe that Royal was about to rebrand. Royal had just conducted a major attack on the city of Dallas, which attracted considerable attention from law enforcement, and, as is common after major attacks, ransomware groups often rebrand. Royal did not rebrand immediately, and it has been suggested that all did not go well with the new ransomware variant and the rebrand was delayed. Alternatively, Blacksuit could be a spinoff variant of Royal. CISA and the FBI are convinced that the two ransomware variants are linked.

LockBit 3.0 Exploiting Citrix Bleed Vulnerability

The LockBit 3.0 group has been exploiting the critical Citrix Bleed vulnerability that affects Citrix NetScaler ADC and Gateway to gain access to the systems of its victims. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023; however, many organizations have been slow to patch and are running vulnerable appliances.

According to security researcher Kevin Beaumont, who has been tracking the group’s attacks, several of the group’s recent victims had exposed Citrix servers that were vulnerable to the Citrix Bleed flaw, which appears to have been exploited using a publicly available exploit.

Currently, there are more than 3,000 Citrix servers in the United States that are exposed to the Internet and vulnerable to the Citrix Bleed flaw which can be exploited remotely with no user interaction. Immediate patching is strongly recommended to prevent exploitation of the flaw.

Hunters International Ransomware Group Takes over from Hive

Hive, one of the most notorious ransomware groups in recent years, was shut down in January this year following an international law enforcement operation. The group had obtained more than $100 million in ransom payments and conducted more than 1,500 attacks worldwide, including many attacks on healthcare organizations.

Following law enforcement takedowns, ransomware groups often go quiet and then reemerge months later with a new ransomware variant. A new threat group, Hunters International, has since emerged, and several similarities have been found with Hive, including coding overlaps and a 60% match between the groups’ code, according to security researcher BushidoToken.

According to a recent report from Martin Zugec, technical solutions director at Bitdefender, a member of the Hunters International group issued a statement confirming that Hive and Hunters International are two separate groups and that Hive’s source code and infrastructure were acquired. The Hive spokesperson said Hive sold its source code, website, and old Golang and C versions, and Hunters International purchased them. The spokesperson for Hunters International said encryption is not its primary goal, which is why the group did not develop everything from scratch. Bitdefender’s research uncovered evidence suggesting the adoption of Hive’s code rather than a rebrand, corroborating the Hunters International statement. Bitdefender’s analysis, recommendations, and IoCs can be found in its report.

The post Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups appeared first on HIPAA Journal.

Stricter Cybersecurity Regulations Proposed for New York Hospitals

New York has proposed tighter cybersecurity regulations for hospitals throughout New York State in response to a series of crippling attacks that have caused disruption to healthcare services, delays to patient care, and have put patient safety at risk.

Governor Kathy Hochul announced the proposed measures on Monday. They are expected to be published in the State Register on December 6, 2023, provided they are adopted by the Public Health and Health Planning Council this week, after which the new cybersecurity requirements will undergo a 60-day public comment period ending on February 5, 2024. Once the regulations are finalized, hospitals will be given a 1-year grace period to achieve full compliance.

The proposed regulations include the requirement for New York hospitals to appoint a Chief Information Security Officer if they have not done so already, implement defensive infrastructure and cybersecurity tools including multifactor authentication, and conduct regular risk analyses to identify cyber risks. Any in-house applications must be developed using secure software design principles, and processes must be developed and implemented for testing the security of third-party software. Hospitals in the state will also be required to develop and test incident response plans to ensure that care can continue to be provided to patients in the event of a cyberattack.

New York hospitals already have cybersecurity responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for cybersecurity. The proposed regulations are intended to complement the HIPAA Security Rule and include similar requirements, but while the HIPAA Security Rule is largely technology agnostic, the proposed regulations in New York include specific measures that hospitals must implement. “Our interconnected world demands an interconnected defense against cyber-attacks, leveraging every resource available, especially at hospitals,” said Governor Hochul. “These new proposed regulations set forth a nation-leading blueprint to ensure New York State stands ready and resilient in the face of cyber threats.”

There has been a massive increase in healthcare cyberattacks in recent years. The HHS’ Office for Civil Rights recently reported that hacking accounted for 77% of the large data breaches reported to it in 2023, and that ransomware attacks have increased by 278% over the past 4 years. While reported data breaches of 500 or more records are down slightly from 2022, more than 79 million healthcare records have been exposed in those breaches, almost twice the number of records compromised in 2022.

These attacks clearly show that hospitals and health systems are struggling to prevent unauthorized access to their systems and that more needs to be done to improve cybersecurity than simply complying with the HIPAA Security Rule. There are often competing priorities in healthcare, and while investment in cybersecurity has increased, some hospitals have struggled to find the funding needed to improve it. To help ease the financial burden, Governor Hochul’s FY24 budget includes $500 million in funding for healthcare facilities to upgrade their technology systems so that they can comply with the proposed regulations and pay for necessary cybersecurity tools, electronic health records, advanced clinical technologies, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

“When it comes to protecting New Yorkers from cyberattacks that have become more numerous and more sophisticated, safeguarding our hospitals is an essential part of New York’s aggressive and comprehensive whole-of-state approach,” said New York State Chief Information Officer Dru Rai. “We thank the Governor and our agency partners for their ongoing commitment and are pleased that the state’s hospitals will be getting the uniform guidance and resources necessary to further enhance their own cybersecurity, thereby protecting patients and the critical systems that provide quality care all across New York.”

The post Stricter Cybersecurity Regulations Proposed for New York Hospitals appeared first on HIPAA Journal.

SysAid Zero-Day Vulnerability Exploited to Deploy Clop Ransomware

A zero-day vulnerability in the SysAid IT service management solution is being exploited by the Lace Tempest (aka FIN11, DEV-0950, TA505) threat group to gain access to SysAid servers, steal data, and deploy Clop ransomware.

The threat group is well known for exploiting zero-day vulnerabilities. Before the latest campaign, the group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution, stole data, and attempted to extort more than 2,000 victims. Earlier this year, the group exploited a zero-day vulnerability in another file transfer solution, Fortra’s GoAnywhere MFT, and in 2021 it exploited a zero-day vulnerability in the Accellion File Transfer Appliance (FTA).

The SysAid vulnerability was identified on November 2, 2023, after it had already been exploited. The vulnerability, tracked as CVE-2023-47246, was discovered by Microsoft, which notified SysAid and attributed the attacks it detected to the Lace Tempest group.

CVE-2023-47246 is a path traversal vulnerability in SysAid’s on-premises software that can be exploited to execute unauthorized code. In one of the attacks, the threat actor exploited the flaw to upload a Web Application Archive (WAR) file containing a webshell to the webroot of the SysAid Tomcat web service. The webshell was used to run PowerShell scripts that loaded the GraceWire malware into a legitimate process such as spoolsv.exe, msiexec.exe, or svchost.exe. The loader checks for Sophos security software and, if none is present, is used to deploy additional scripts; in one attack, a Cobalt Strike listener was deployed on the compromised hosts. After sensitive data had been exfiltrated, Clop ransomware was deployed and executed.
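The chain above (WAR dropped into the Tomcat webroot, webshell spawning PowerShell, PowerShell injecting into a system process) leaves a recognizable footprint in endpoint telemetry. The following is an added hunting script, not code from SysAid, Microsoft, or HIPAA Journal; it runs three rules over Sysmon-style events that are constructed inline for the demo. The install path fragments in TOMCAT_HINTS, the hostnames, and all sample events are assumptions of this example.

```python
"""Hunt for the SysAid post-exploitation chain described above.

Added example; this is not SysAid's, Microsoft's, or HIPAA Journal's code.
It runs three rules over Sysmon-style endpoint telemetry constructed inline:

  1. Event ID 11 (FileCreate): a .war file written under a Tomcat webapps
     directory, which is how the webshell was dropped into the webroot.
  2. Event ID 1 (ProcessCreate): Tomcat's java.exe (the SysAid web service)
     spawning powershell.exe or cmd.exe, the footprint of a webshell running
     commands.
  3. Event ID 8 (CreateRemoteThread): powershell.exe opening a thread in
     spoolsv.exe, msiexec.exe or svchost.exe, the injection targets reported
     for the GraceWire loader.

Install paths, hostnames and every sample event are made up for the demo;
TOMCAT_HINTS is an assumption and should be set to the real SysAid install path.
"""
import ntpath
from typing import Dict, Iterable, List

PROCESS_CREATE = 1
CREATE_REMOTE_THREAD = 8
FILE_CREATE = 11

TOMCAT_HINTS = ("tomcat", "sysaid")   # assumed path fragments of the SysAid Tomcat service
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INJECTION_TARGETS = {"spoolsv.exe", "msiexec.exe", "svchost.exe"}


def _base(path: str) -> str:
    """Case-insensitive basename of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def _is_tomcat_java(path: str) -> bool:
    """True when the image is java.exe running out of the (assumed) SysAid/Tomcat tree."""
    lowered = path.lower()
    return _base(lowered) == "java.exe" and any(h in lowered for h in TOMCAT_HINTS)


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding dict (rule, host, detail) per event that matches a rule."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        host = ev.get("Computer", "?")
        if eid == FILE_CREATE:
            target = ev.get("TargetFilename", "").lower()
            if target.endswith(".war") and "webapps" in target:
                findings.append({"rule": "war_dropped_in_webroot", "host": host, "detail": target})
        elif eid == PROCESS_CREATE:
            if _is_tomcat_java(ev.get("ParentImage", "")) and _base(ev.get("Image", "")) in SHELLS:
                findings.append({"rule": "tomcat_spawns_shell", "host": host,
                                 "detail": ev.get("CommandLine", "")})
        elif eid == CREATE_REMOTE_THREAD:
            src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
            if _base(src) in SHELLS and _base(dst) in INJECTION_TARGETS:
                findings.append({"rule": "shell_injects_into_system_process", "host": host,
                                 "detail": f"{_base(src)} -> {_base(dst)}"})
    return findings


# Constructed sample telemetry (not real logs). Three events should fire, two are benign.
SAMPLE_EVENTS = [
    {"EventID": "11", "Computer": "SYSAID01",
     "TargetFilename": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war"},
    {"EventID": "1", "Computer": "SYSAID01",
     "ParentImage": r"C:\Program Files\SysAidServer\tomcat\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": "1", "Computer": "SYSAID01",                      # benign: admin at the console
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
    {"EventID": "8", "Computer": "SYSAID01",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": "8", "Computer": "SYSAID01",                      # benign: OS-internal thread
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['host']}: {finding['detail']}")
```

Each rule is deliberately narrow (parent must be Tomcat's java.exe, injection source must be a shell) so that ordinary administrative PowerShell use and normal OS thread creation do not fire; a match on rule 1 or 2 on a SysAid server should be treated as a confirmed webshell until proven otherwise, regardless of whether the patch has already been applied.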

Given the speed at which the group has exploited vulnerabilities in the past, immediate action is required to fix the flaw. SysAid has released a patch, and all SysAid users are strongly encouraged to update to version 23.3.36 or later as soon as possible to prevent exploitation. Because upgrading does not remove a webshell or other tooling that was planted before the patch, servers should be checked for signs of compromise after the upgrade. SysAid has published a list of Indicators of Compromise (IoCs) in its report on the attacks exploiting the flaw. SysAid also recommends reviewing, and where appropriate rotating, any credentials or other information that would have been available to someone with full access to the SysAid server, and checking relevant activity logs for suspicious behavior.

The post SysAid Zero-Day Vulnerability Exploited to Deploy Clop Ransomware appeared first on HIPAA Journal.

CISA Issues Software Bill of Materials Guidance

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, Office of the Director of National Intelligence, and partners have released guidance on software bill of materials (SBOM) generation and consumption, as part of ongoing efforts to better secure the software supply chain.

The guidance was developed by the Software Supply Chain Working Panel, which was established by the Enduring Security Framework (ESF) and is a collaborative partnership across private industry, academia, and government. The Working Panel has developed a three-part Recommended Practices Guide series that covers best practices to help ensure a more secure software supply chain for developers, suppliers, and customer stakeholders.

The latest guidance is aimed at software developers and suppliers and sets out industry best practices and principles, including the management of open source software and SBOMs, to maintain and provide awareness of the security of software.

Cyber actors are increasingly targeting the software supply chain and are searching for software vulnerabilities that can be exploited to attack all users of the software, as in the 2020 cyberattack on the IT software vendor SolarWinds. The attack is attributed to the Russian state-sponsored hacking group Cozy Bear (APT29), which compromised the build process of the SolarWinds Orion IT performance and monitoring platform and added a backdoor. When the trojanized software update was rolled out to customers, so was the backdoor, resulting in an estimated 18,000 customers installing it. The hackers then conducted follow-on activities against selected high-value targets.

Cyber actors also take advantage of vulnerabilities in open source software and third-party components, such as the Log4Shell vulnerability in the Log4j logging library, which is embedded in millions of applications worldwide. When the critical vulnerability was disclosed and patches were released, they could only be applied if an organization knew that Log4j was in use. Because Log4j was a component of many different software products, the vulnerability went unaddressed in many environments because users were unaware that they were vulnerable.

One of the ways that the security of the software supply chain can be improved is by having a complete SBOM that includes all software components and dependencies. The SBOM can be rapidly queried to determine if a vulnerable software component is used and steps can then be taken to address the problem. The latest guidance document is part of the ESF Software Supply Chain Working Panel’s second phase of guidance, which provides further details on the SBOMs that were recommended in the Phase 1 Recommended Practices Guides.
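The Log4Shell case above is exactly the query an SBOM is meant to answer: is a given component, at a version in the vulnerable range, anywhere in the product, including inside nested components that a flat package list would hide? The following is an added example, not code from CISA, the ESF, or HIPAA Journal. It walks a CycloneDX JSON SBOM (the sample document is constructed for the demo) and reports every matching component. The Log4Shell range used in the demo, log4j-core 2.0-beta9 through 2.14.1 for CVE-2021-44228, is taken from the public advisory and is an assumption of this example, not something the article states.

```python
"""Query a CycloneDX SBOM for components in a vulnerable version range.

Added example; not CISA's, the ESF's or HIPAA Journal's code. The SBOM below is
constructed for the demo. The Log4Shell range (log4j-core 2.0-beta9 .. 2.14.1,
CVE-2021-44228) is an assumption taken from the public advisory.
"""
import json
import re
import sys
from typing import Any, Dict, Iterator, List, Tuple

VersionKey = Tuple[int, ...]


def version_key(version: str) -> VersionKey:
    """Numeric-only ordering key, e.g. '2.14.1' -> (2, 14, 1).

    Pre-release tags are reduced to their digits ('2.0-beta9' -> (2, 0, 9)),
    which is a simplification; use a full semver/Maven comparator in production.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def iter_components(node: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every component in a CycloneDX document, recursing into nested ones."""
    for comp in node.get("components", []):
        yield comp
        yield from iter_components(comp)   # CycloneDX allows components inside components


def find_vulnerable(sbom: Dict[str, Any], group: str, name: str,
                    first_bad: str, last_bad: str) -> List[str]:
    """Return identifiers of components matching group/name with version in [first_bad, last_bad]."""
    lo, hi = version_key(first_bad), version_key(last_bad)
    hits: List[str] = []
    for comp in iter_components(sbom):
        if comp.get("group") == group and comp.get("name") == name:
            ver = comp.get("version", "")
            if ver and lo <= version_key(ver) <= hi:
                hits.append(comp.get("purl") or f"{group}/{name}@{ver}")
    return hits


def log4shell_hits(sbom: Dict[str, Any]) -> List[str]:
    """Convenience wrapper for CVE-2021-44228 (range is an assumption from the public advisory)."""
    return find_vulnerable(sbom, "org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.14.1")


# Constructed sample SBOM: one patched copy at top level, one vulnerable copy hidden
# inside a nested application component, and an unrelated log4j 1.x entry.
SAMPLE_SBOM: Dict[str, Any] = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "application", "name": "reporting-service", "version": "4.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
       {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
        "purl": "pkg:maven/log4j/log4j@1.2.17"}
     ]}
  ]
}
""")

if __name__ == "__main__":
    # Usage: python sbom_query.py [path/to/bom.json]; falls back to the constructed sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for purl in log4shell_hits(doc):
        print("VULNERABLE:", purl)
```

The recursion into nested components is the part that matters: the vulnerable log4j-core here sits inside a bundled application, which is the situation the paragraph describes, where the top-level product owner did not know the library was present. The query only works if the SBOM is complete to that depth, which is why the guidance treats generation and consumption together.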

According to CISA, the guidance can be used as a basis for describing, assessing, and measuring security practices across the software lifecycle, and the suggested practices can be applied across the acquisition, deployment, and operational phases of a software supply chain. Software developers and suppliers are encouraged to reference its recommendations, which are in line with industry best practices and principles.

While the guidance provides recommendations for SBOM generation and consumption processes, implementing them will be a challenge for many organizations, as it requires considerable investment and resources that many currently lack.

The post CISA Issues Software Bill of Materials Guidance appeared first on HIPAA Journal.