Healthcare Cybersecurity

At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020

The New Zealand-based cybersecurity firm Emsisoft has released ransomware statistics for 2020 that show there have been at least 41 successful ransomware attacks on hospitals and other healthcare providers in the first half of the year.

There were 128 successful ransomware attacks on federal and state entities, healthcare providers, and educational institutions in the first 6 months of 2020, with the healthcare industry accounting for 32% of those attacks.

The large number of ransomware attacks in 2020 follows on from a spike in attacks in late 2019. 2019 saw more than double the number of ransomware attacks as 2018, attacks on healthcare providers increased by 350% in the final quarter of 2019. 966 entities were successfully attacked with ransomware across all industry sectors in 2019 and those attacks are estimated to have cost $7.5 billion.

2020 started badly for the healthcare industry with 10 successful ransomware attacks on healthcare providers in January, followed by a further 16 successful ransomware attacks in February. There was a marked decrease in attacks in March as COVID-19 spread throughout the United States. Three successful ransomware attacks were reported by healthcare providers in March and April and a further 4 attacks in May. While it is certainly good news that the number of successful attacks has declined as the year has progressed, the figures do not indicate any lowering of risk. The number of successful attacks has declined, but the number of attempted attacks has remained fairly constant. Emsisoft has predicted an increase in ransomware attacks on healthcare providers over the summer, as often happens at this time of year. Employees are also starting to return to the office. Ransomware attacks decreased as the COVID-19 pandemic hit the United States, but Emsisoft has started to see attacks increase once again.

One in Ten Ransomware Attacks See Data Stolen Prior to Encryption

Several threat actors are now conducting double extortion attacks, where data is stolen before the ransomware payload is deployed. The Maze ransomware gang was the first to start stealing data and issuing threats to publish the files if the ransom is not paid. The gang followed through on the threat and started publishing data on its website in November 2019. Several other ransomware gangs have also adopted similar tactics, including REvil/Sodinokibi, DoppelPaymer, and NetWalker.

With these groups, ransomware is often deployed many days, weeks, or even months after the initial system breach. During that time, the attackers move laterally to gain access to as many devices as possible and then time their attacks to cause maximum disruption. It is likely that several healthcare providers have already had their systems compromised, but the ransomware has not yet been deployed.

These prolific ransomware gangs have concentrated their attacks on entities in sectors that have the most to lose from the publication or sale of their data, including legal firms, healthcare providers, and firms in the financial sector. These attacks often make headline news, but they only account for around 1 in 10 successful ransomware attacks. From January 1, 2020 to June 30, 2020, ID Ransomware received 100,001 submissions about ransomware attacks and only around 11% – 11,642 submissions – involved ransomware variants used by groups known to steal data prior to encrypting files.

Emsisoft notes however that while several ransomware gangs alert the victim to the theft of their data to increase the probability of the ransom being paid, other ransomware gangs are likely to covertly steal data.

“All ransomware groups have the ability to exfiltrate data. While some groups overtly steal data and use the threat of its release as additional leverage to extort payment, other groups likely covertly steal it,” explained Emsisoft. While groups that steal covertly may not exfiltrate as much data as groups seeking to use it as leverage, they may well extract any data that has an obvious and significant market value or which can be used to attack other organizations.”

Ransomware Prevention and Damage Limitation

As long as ransomware attacks remain profitable and relatively low risk, the attacks will continue. Healthcare organizations therefore need to take steps to improve their defenses against attacks. To prevent attacks and limit the harm caused if they are successful, Emsisoft recommends healthcare organizations should patch promptly, limit admin rights, use multi-factor authentication, disable PowerShell when not needed, use web and email filtering, segment the network, and disable RDP if it is not being used… and lock it down if it is. Employees should be provided with regular security awareness training and all vendors that have access to healthcare systems should be audited to make sure they are adhering to best practices.

The post At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020 appeared first on HIPAA Journal.

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks.

Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and a user is passed through a series of nodes in a random path to a destination server. When a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, rather than their own IP address being recorded, the IP address of the exit node is recorded.

Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, and deploy malware, ransomware, and conduct Denial of Service (DoS) attacks. According to the alert, cybercriminals are also using Tor to relay commands to malware and ransomware through their command and control servers (C2).

Since malicious activities can be conducted anonymously, it is hard for network defenders to respond to attacks and perform system recovery. CISA and the FBI recommend that organizations conduct a risk assessment to identify their risk of compromise via Tor. The risk related to Tor will be different for each organization so an assessment should determine the likelihood of an attack via Tor, and the probability of success given the mitigations and security controls that have been put in place. Before a decision can be made about whether to block Tor traffic, it is important to assess the reasons why legitimate users may be choosing to use Tor to access the network. Blocking Tor traffic will improve security but will also block legitimate users of Tor from accessing the network.

CISA and the FBI warn that Tor has been used in the past by a range of different threat actors, from nation-state sponsored Advanced Persistent Threat (APT) actors to individual, low skill hackers. Organizations that do not take steps to either block inbound and outbound traffic via Tor, or monitor traffic from Tor nodes closely, will be at a heightened risk of being attacked.

In these attacks, reconnaissance is conducted, targets are selected, and active and passive scans are performed to identify vulnerabilities in public facing applications which can be exploited in anonymous attacks. Standard security tools are not sufficient to detect and block attacks, instead a range of security solutions need to be implemented and logging should be enabled to allow analysis of potentially malicious activity using both indicator and behavior-based analyses.

“Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes,” according to the report. A list of all Tor exit node IP addresses is maintained by the Tor Project’s Exit List Service, and these can be downloaded. Security teams can use the list to identify any substantial transactions associated with those IP addresses by analyzing their netflow, packet capture (PCAP), and web server logs

“Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols,” such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.

“Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability,” suggest the FBI and CISA.

While it is possible to reduce risk by blocking all Tor web traffic, this highly restrictive approach will not totally eliminate risk as additional Tor network access points are not all listed publicly. This approach will also block legitimate Tor traffic. Tailor monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes may be a better solution, although this approach is likely to be resource intensive.

Details of how to block, monitor and analyze Tor traffic are provided in the alert, a PDF copy of which is available for download here.

The post FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor appeared first on HIPAA Journal.

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft.  The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links.

When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The web apps closely resemble legitimate web apps that are often used by businesses to improve productivity and security and support remote workers. Users were requested to grant Office 365 OAuth applications access to their Office 365 accounts.

When permission is granted, the attackers obtained access and refresh tokens that allowed them to gain access to the victims’ Office 365 accounts. In addition to gaining access to contact lists, emails, attachments, notes, tasks, and profiles, they also had access to the SharePoint document management system and OneDrive for Business, and any files in those cloud storage accounts.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains being used by the scammers to host the malicious apps. Recently, the court order was obtained and Microsoft has now disabled the domains. Without access to their infrastructure, the cybercriminals are no longer able to conduct cyberattacks. The campaign is believed to be the work of a cybercriminal organization rather than a nation state-sponsored group.

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” explained Microsoft.

Microsoft also shared best practices to help organizations to improve defenses against phishing and BEC attacks. The first step to take is to enable multifactor authentication on all email accounts, both business and personal. Businesses should provide training to employees to teach them how to identify phishing and BEC attacks and security alerts should be enabled for suspicious links and files.

Any email forwarding rules should be checked to identify suspicious activity and organizations should educate staff on how Microsoft permissions and the consent framework works.  Audits should be conducted on apps and consent permissions to ensure that applications are only granted access to the data they need.

The post Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps appeared first on HIPAA Journal.

NSA Issues Guidance on Securing IPsec Virtual Private Networks

The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working.

While IPsec VPNs can ensure sensitive data in traffic is protected against unauthorized access through the use of cryptography, if IPsec VPNs are not correctly configured they can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs and flaws and misconfigurations have been exploited to gain access to corporate networks to steal sensitive information and deploy malware and ransomware.

The NSA warns that maintaining a secure VPN tunnel can be complex and regular maintenance is required. As with all software, regular software updates are required. Patches should be applied on VPN gateways and clients as soon as possible to prevent exploitation. It is also important for default VPN settings to be changed. Default credentials are publicly available and can be used by malicious actors to login and gain a foothold in the network.

Admins need to take steps to reduce the VPN gateway attack surface. Since VPNs are often accessible from the internet, they can be prone to brute force attacks, network scanning, and zero-day vulnerabilities. To reduce risk, admins should apply filtering rules to restrict ports, protocols, and IP addresses of network traffic to VPN devices. If it is not possible to restrict access, an intrusion prevention system should be implemented in front of the gateway to monitor for malicious traffic and inspect IPsec session negotiations.

IPsec VPN configurations require the Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) policy, along with an IPsec policy. It is important that SAKMP/IKE and IPsec policies do not allow obsolete cryptographic algorithms. If these weak algorithms are permitted, it could place the VPN at risk. A downgrade attack could be performed where the VPN is forced into using non-compliant or weak cryptography suites. The NSA notes that extra SAKMP/IKE and IPsec policies are often incorporated by default.

Organizations should check CNSSP and NIST guidance on the latest cryptographic requirements and standards and ensure that these cryptographic algorithms are being used.

The NSA guidance on securing IPsec VPNs can be found here.

The post NSA Issues Guidance on Securing IPsec Virtual Private Networks appeared first on HIPAA Journal.

Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been identified in the remote access system, Apache Guacamole.  Apache Guacamole has been adopted by many companies to allow administrators and employees to access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products such as Fortress, Quali, and Fortigate and is one of the most prominent tools on the market with more than 10 million Docker downloads.

Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two.

Check Point Research evaluated Apache Guacamole and found several reverse RDP vulnerabilities in Apache Guacamole 1.1.0 and earlier versions, and a similar vulnerability in FreeRDP, Apache’s free implementation of RDP. The vulnerabilities could be exploited by remote attackers to achieve code execution, allowing them to hijack servers and intercept sensitive data by eavesdropping on conversations on remote sessions. The researchers note that in a situation where virtually all employees are working remotely, exploitation of these vulnerabilities would be akin to gaining full control of the entire organizational network.

According to Check Point Research, the flaws could be exploited in two ways. If an attacker already has a foothold in the network and has compromised a desktop computer, the vulnerabilities could be exploited to attack the Guacamole gateway when a remote worker attempts to login and access the device. The attacker could then take full control of the gateway and any remote connections. The flaws could also be exploited by a malicious insider to gain access to the computers of other workers in the organziation.

The vulnerabilities could allow Heartbleed-style information disclosure, as was demonstrated by the researchers, and also allow read and write access to the vulnerable server. The researchers chained the vulnerabilities together, elevated privileges to admin, then achieved remote code execution. The vulnerabilities, grouped together under the CVEs CVE-2020-9497 and CVE-2020-9498, were reported to the Apache Software Foundation and patches were released on June 28, 2020.

The researchers also found the vulnerability CVE-2018-8786 in FreeRDP could also be exploited to take control of the gateway. All versions of FreeRDP prior to January 2020 – version 2.0.0-rc4 – are using vulnerable versions of FreeRDP with the CVE-2020-9498 vulnerability.

All organizations that have adopted Apache Guacamole should ensure they have the latest version of Apache Guacamole installed on their servers.

The post Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software appeared first on HIPAA Journal.

Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System

12 vulnerabilities have been identified in the open source integrated hospital information management system, OpenClinic GA.

OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions.

Brian D. Hysell has been credited with finding the vulnerabilities, three of which are rated critical and 6 are rated high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code.

The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and there are public exploits for some of the flaws. The vulnerabilities have been assigned CVSS v3 base codes ranging from 5.4 to 9.8.

The flaws were identified in OpenClinic GA Versions 5.09.02 and 5.89.05b.

The most serious flaws include:

CVE-2020-14495 – The use of third-party components that have reached end of life and contain known vulnerabilities that could potentially lead to remote execution of arbitrary code – CVSS v3 – 9.8 – Critical

CVE-2020-14487 – Hidden default user account could be used by an attacker to login to the system and execute arbitrary commands, unless the account has been expressly turned off by an administrator – CVSS v3 – 9.4 – Critical

CVE-2020-14485 – Client-side access controls could be bypassed to initiate a session with limited functionality, which could allow admin functions to such as SQL commands to be executed – CVSS v3 9.4 – Critical

CVE-2020-14493 – Low privileged users could use SQL syntax to write arbitrary files to the server and execute arbitrary commands – CVSS v3 8.8 – High Severity

CVE-2020-14488 – A lack of verification of uploaded files could allow a low privilege user to upload and execute arbitrary files on the system – CVSS-v3 8.8 – High Severity

Further information on the vulnerabilities can be found in the CISA medical advisory.

OpenClinic GA has been made aware of the vulnerabilities and steps are being taken to correct the flaws, but no confirmation has been issued as to whether the flaws have been corrected.

All healthcare organizations that use OpenClinic GA have been advised to ensure that the software is updated to the latest version to reduce the risk of exploitation and to ensure the software is kept up to date.

CISA recommends applying the principle of least privilege, minimizing network exposure for control system devices/systems, and ensuring the system is not accessible over the internet. All systems should be located behind a firewall, and if remote access is required, access should require a VPN. VPNs should be updated to the latest version and patches applied promptly.

The post Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System appeared first on HIPAA Journal.

University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption.

UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack.

The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained,” explained UCSF.

The BBC received an anonymous tip-off about a live chat on the dark web between the negotiators and the NetWalker ransomware operators and followed the negotiations. According to the report, a sample of data stolen in the attack was posted online by the attackers, but after UCSF made contact via email the data was taken offline while the ransom was negotiated. Initially, a ransom payment of $780,000 was offered by UCSF, but the NetWalker gang demanded a payment of $3 million. A payment of 116.4 Bitcoin – $1,140,895 – was finally negotiated a day later.

The investigation into the ransomware attack indicates that neither UCSF nor the School of Medicine were targeted in the attack. “Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” explained UCSF on its website. UCSF reported the attack to the FBI and is assisting with the investigation.

UCSF was one of three Universities in the United States to be attacked with NetWalker ransomware in the space of a week in early June. Attacks were also conducted on Columbia College, Chicago and Michigan State University. Data stolen in the attack on Columbia College has now been removed from the NetWalker website, which suggests the college also paid the ransom.

The post University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack appeared first on HIPAA Journal.

Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability

Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688.

Microsoft released an update to correct the vulnerability in February 2020 and an alert was issued in March when the flaw started to be exploited by APT groups, yet even though the vulnerability was being actively exploited in the wild, patching was still slow. Now Microsoft has detected a surge in attacks on vulnerable Exchange servers and is advising all Exchange customers to ensure the flaw is patched immediately.

Any vulnerability in Microsoft Exchange should be treated as high priority. By exploiting Exchange flaws, an attacker can gain access to the email system, which often contains an extensive amount of highly sensitive information, and often protected health information in healthcare. As is the case with this vulnerability, attackers can gain access to highly privileged accounts and not only compromise the entire email system, but also gain administrative rights to the server and from there take control of the network.

“Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions,” warns Microsoft. “Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”

Microsoft explained that the CVE-2020-0688 vulnerability is an attacker’s dream. They do not need to use phishing and social engineering tactics to try to gain access to an admin account, they can simply attack the server directly.

An analysis of attacks conducted in April show APT groups are deploying web shells, running exploratory commands to perform reconnaissance, and uses EternalBlue to identify other machines on the network to attack. If the server has been misconfigured, attackers have been able to gain the highest level of privileges and access to the server without having to use remote access tools.

A new account is added that makes the attacker a domain admin with unrestricted access to users or group in the organization. The attackers have used the compromised servers to gain access to the credentials of some of the most sensitive users and groups in an organization.

Attackers are exploiting the vulnerability and gaining a stable foothold in the targeted organization’s network. They tamper with security tools, achieve lateral movement, establish remote access bypassing security restrictions, and have exfiltrated data, including entire mailboxes. The failure to apply the patch to correct the flaw could result in an extensive and costly data breach.

In addition to applying the patch, Microsoft recommends remediating any further vulnerabilities in Exchange servers immediately, installing antivirus software on Exchange servers and keeping the software up to date, and also turning on tamper protection features to prevent attackers from disabling security services.

The principle of least-privilege should be practiced, credential hygiene should be maintained, and reviews should be conducted to identify any highly privileged groups that have been added. Security teams are also advised to respond immediately to alerts about suspicious activities on Exchange servers.

The post Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability appeared first on HIPAA Journal.

Vulnerability identified in Philips Ultrasound Systems

Philips has discovered an authentication bypass issue affecting Philips Ultrasound Systems that could potentially be exploited by an attacker to view or modify information. The flaw is due to the presence of an alternative path or channel that can be used to bypass authentication controls.

The flaw has been assigned CVE-2020-14477 but is considered a low severity flaw and has been assigned a CVSS v3 base score of 3.6 out of 10. To exploit the vulnerability, an attacker would require local access to a vulnerable system. The vulnerability cannot be exploited remotely and does not place patient safety at risk.

The flaw affects the following Philips Ultrasound Systems:

  • Ultrasound ClearVue Versions 3.2 and prior
  • Ultrasound CX Versions 5.0.2 and prior
  • Ultrasound EPIQ/Affiniti Versions VM5.0 and prior
  • Ultrasound Sparq Version 3.0.2 and prior and
  • Ultrasound Xperius all versions

The flaw has been corrected for Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips representative for further information on installing the update.

Users of all other affected systems will have to wait until Q4, 2020 for an update to be released. Philips will correct the flaw in Ultrasound ClearVue Version 3.3, Ultrasound CX Version 5.0.3, and Ultrasound Sparq Version 3.0.3 release in Q4 2020.

In the meantime, as an interim measure, Philips recommends users ensure their services providers guarantee device integrity during service and repair operations. It is also advisable to implement physical security measures to prevent unauthorized access to the devices.

The post Vulnerability identified in Philips Ultrasound Systems appeared first on HIPAA Journal.