Healthcare Cybersecurity

H-ISAC Publishes Framework for Managing Identity in Healthcare

The Health Information Sharing and Analysis Center (H-ISAC) has published a framework for CISOs to manage identity and defend their organization against identity-based cyberattacks. This is the second white paper to be published by H-ISAC covering the identity-centric approach to security. The first white paper explains why an identity-centric approach to cybersecurity is now needed, with the latest white paper detailing how that approach can be implemented.

By adopting the framework, CISOs will be able to manage the full identity lifecycle of employees, patients, practitioners, and business partners in a way that guards against cyberattacks on identity, lowers risk, and increases operational efficiencies.

The framework has been developed for CISOs at healthcare organizations of all sizes. As such, it does not offer a one-size-fits-all approach. Instead, components of the framework can be applied differently based on different environments and use cases. CISOs will need to assess the resources available and their unique risks and decide how best to apply the framework.

The framework details the different components that are required in a modern identity-centric approach to cybersecurity and outlines how those components integrate and inter-relate to secure the enterprise.

The central concept of the framework is simple: how to allow users to access resources in a way that protects against cyberattacks. At the heart of the framework is an identity governance and administration system, which serves as the central nervous system that ties in all the other components and ensures they work seamlessly together.

The identity governance and administration system allows organizations to establish set rules and processes related to the creation, removal, and updating of accounts, manage policies and processes of all aspects of their identity and access management (IAM) system, manage privilege escalation requests, conduct audits for compliance purposes, and take actions to remediate any misuses of the IAM system.

The framework uses identity directories as the authoritative identity store for an organization, which detail roles, accounts, attributes, and the privileges associated with different roles and accounts. The white paper details three guiding principles for authorization: granting privileges, managing privileges, and reviewing privileges. Privileges must be tightly controlled and assigned based on roles, rights, and responsibilities. Processes must be defined to manage privileges and update them as circumstances change. Reviews should also be conducted to ensure that users have only been assigned rights that are appropriate for their role and responsibilities.

A few years ago, all that was required to gain access to resources was a password, but threat actors are now adept at stealing passwords and as a result the security utility of passwords has diminished. H-ISAC therefore recommends multi-factor authentication. The framework takes MFA one step further and includes device authentication, human authentication, analytics, and privileged access management to enable continuous, risk-based authentication.

Device authentication ensures only trusted devices are granted access to resources. Human authentication is then required to ensure that the correct person is using that device. Analytics are then used to identify anomalies that could indicate attempts by unauthorized individuals to access resources, such as a device being used to access resources from California and then five minutes later being used in New York. Privileged access management solutions should also be used for session monitoring and to implement additional layers of authentication to prevent credential compromise and limit privilege escalation.
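The analytics step described above, as an added example that is not part of H-ISAC's framework or the white paper: a small detector that walks sign-in events per device and flags the California-then-New-York-five-minutes-later pattern as impossible travel. The sign-in events, city coordinates and the 1000 km/h speed ceiling are constructed assumptions for illustration.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example, not code from H-ISAC. It models the framework's analytics
component: consecutive authentications from one trusted device whose implied
travel speed is physically impossible are flagged for risk-based handling.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

# Assumed tunable: fastest plausible travel speed (roughly a commercial flight).
MAX_SPEED_KMH = 1000.0


@dataclass
class SignIn:
    user: str
    device_id: str
    ts: datetime
    lat: float
    lon: float
    city: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def required_speed_kmh(prev: SignIn, cur: SignIn) -> float:
    """Speed the same device would need to move between two sign-ins."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:  # simultaneous events from different places are impossible
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def detect_impossible_travel(events: List[SignIn],
                             max_speed_kmh: float = MAX_SPEED_KMH) -> List[dict]:
    """Walk events in time order, keyed by device; emit an alert whenever the
    implied speed between consecutive sign-ins exceeds max_speed_kmh.
    The recommended action mirrors the framework's risk-based stance:
    suspend and step up authentication rather than silently allow."""
    alerts: List[dict] = []
    last_seen: Dict[str, SignIn] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.device_id)
        if prev is not None:
            speed = required_speed_kmh(prev, ev)
            if speed > max_speed_kmh:
                alerts.append({
                    "user": ev.user,
                    "device_id": ev.device_id,
                    "from_city": prev.city,
                    "to_city": ev.city,
                    "minutes_apart": round((ev.ts - prev.ts).total_seconds() / 60, 1),
                    "speed_kmh": round(speed),
                    "action": "suspend_session_and_require_step_up_auth",
                })
        last_seen[ev.device_id] = ev
    return alerts


# Constructed sample events (coordinates are approximate city centres).
SAMPLE_EVENTS = [
    SignIn("alice", "dev-alice-laptop", datetime(2020, 5, 18, 9, 0), 34.05, -118.24, "Los Angeles"),
    SignIn("bob", "dev-bob-laptop", datetime(2020, 5, 18, 9, 3), 40.71, -74.01, "New York"),
    # Same trusted device as alice's first sign-in, five minutes later, 3,900 km away.
    SignIn("alice", "dev-alice-laptop", datetime(2020, 5, 18, 9, 5), 40.71, -74.01, "New York"),
    # Plausible move for bob: a two-hour gap for a short distance is left alone.
    SignIn("bob", "dev-bob-laptop", datetime(2020, 5, 18, 11, 3), 40.73, -73.99, "New York"),
]

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```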

The framework also outlines four different use cases: On-boarding new employees, managing users and changing privileges when an employee’s role changes, credentialing a third-party business partner for limited systems access, and credentialing new patients.

The post H-ISAC Publishes Framework for Managing Identity in Healthcare appeared first on HIPAA Journal.

Web Application Attacks Double as Threat Actors Target Cloud Data

The 2020 Verizon Data Breach Investigations Report shows malware attacks are falling as threat actors target data in the cloud. This is the 13th year that the report has been produced, and this year's edition contains an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 global contributors in 81 countries.

The report confirms that the main motivator for conducting attacks is financial gain. 86% of all security breaches were financially motivated, up from 71% last year. 70% of breaches were due to external actors, with 55% of attacks conducted by cybercriminals.

67% of breaches were the result of credential theft or brute forcing of weak credentials (37%) and phishing and other social engineering attacks (25%). 22% of those breaches involved human error.

Only 20% of breaches were due to the exploitation of vulnerabilities. It should be noted that it is much easier to conduct attacks using stolen credentials rather than exploiting vulnerabilities, so the relatively low number of vulnerability-related attacks may not be due to organizations patching vulnerabilities more promptly.

The ease of conducting attacks using stolen or brute-forced credentials has seen malware attacks become less popular. That said, ransomware is proving to be an attractive option, increasing from 24% to 27% of all malware-related attacks.

There was a significant increase in web application attacks over the past 12 months, which doubled to 43% of all breaches. 80% of those breaches involved credential theft. With more organizations moving their data to the cloud from traditional domain controllers and internal infrastructure, it is no surprise that there has been a sizeable increase in attacks on the cloud.

The data collected for the report does not cover the period of the COVID-19 public health emergency, when many organizations accelerated their cloud migration plans to allow more employees to work from home. It is likely that next year’s report will see an even higher percentage of attacks on cloud resources.

“As remote working surges in the face of the global pandemic, end-to-end security from the cloud to employee laptop becomes paramount,” said Tami Erwin, CEO, Verizon Business. “In addition to protecting their systems from attack, we urge all businesses to continue employee education as phishing schemes become increasingly sophisticated and malicious.”

Figure: Attack Trends Over the Past 6 Years (Source: Verizon)

Cyberattacks and Insider Breaches in Healthcare

Financially motivated cyberattacks accounted for 88% of healthcare breaches, with many of the attacks involving ransomware. 4% of healthcare cyberattacks were conducted for fun and 3% of attacks were conducted out of convenience.

Verizon reports a significant increase in healthcare data breaches in the past 12 months. Last year’s report included 304 healthcare data breaches but this year the number has increased to 521 breaches. The figure below shows the patterns for cyberattacks in the healthcare industry. Crimeware includes malware and ransomware, which is the most common type of attack on healthcare organizations. As in other industry sectors, attacks on web applications are increasing.

Figure: Cyberattack patterns in the healthcare industry (Source: Verizon)

The healthcare industry usually has a higher than average number of cases of privilege misuse, where insiders with access to sensitive data abuse their access rights to view or steal data. With so many employees given access to patient data and its high value on the black market, this is to be expected.

There is some good news in this year’s report. For the first time privilege misuse has dropped out of the top three causes of healthcare data breaches. This is part of a trend that can be seen across all industry sectors, which suggests that employees are thinking twice about accessing data without authorization and healthcare providers are getting better at protecting data.

Verizon notes that there has also been a decrease in breaches involving multiple actors, usually a third party such as an identity thief working with an insider who supplies the data. In the 2019 report, 4% of breaches involved multiple actors, whereas in 2020 the percentage dropped to 1%. The percentage of breaches caused by internal actors vs. external actors also changed significantly. In the 2019 report, 59% of healthcare breaches were caused by internal actors with 42% caused by external attackers. This year’s report sees internal actors responsible for 48% of breaches with external actors accounting for 51% of breaches.

This year, the biggest causes of breaches in healthcare were miscellaneous errors and breaches of web applications. The main cause of those miscellaneous breaches was misdirection: the sending of emails to incorrect recipients and mass mailings that see letters sent to incorrect patients, as happens when there is a mail merge error.


Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

Joint guidance has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic.

Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector.

The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin.

The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity Working Group (CWG), H-ISAC, and healthcare industry and government cybersecurity experts and is intended to help healthcare organizations develop a tactical response for managing cybersecurity threats that increase during emergencies and to help them improve their level of preparedness.

During the COVID-19 crisis, cyber threat actors have conducted a range of attacks on healthcare organizations including phishing attacks, domain attacks, and malware and ransomware attacks. The attacks came at a time when healthcare organizations were attempting to provide care for highly infectious patients, deploy remote diagnostic and treatment services, and transition to teleworking to prevent the spread of COVID-19. The change in working practices significantly increased the attack surface and introduced new vulnerabilities and attack vectors.

“For each gain delivered by automation, interoperability, and data analytics, the vulnerability from malicious cyber-actors increases as well,” explained HSCC/H-ISAC in the guidance document. “To thwart these attacks before they occur, it is essential for healthcare organizations to establish, implement, and maintain current and effective cybersecurity practices.”

The guidance document can be used by healthcare organizations of all sizes to improve their cybersecurity programs and prepare for emergency situations. Smaller healthcare organizations can use the guidance to help them choose appropriate measures to improve their security posture, while larger organizations that have already planned their tactical crisis response can use the guide as a checklist to ensure nothing has been missed.

The guidance document divides techniques, practices, and activities into four main sections: Education and Outreach; Enhance Prevention Techniques; Enhance Detection and Response; and Take Care of the Team.

The cybersecurity response to a crisis is largely dependent on technical controls, but HSCC/H-ISAC explains that education and outreach play an important part in the success of the response strategy. In emergency situations, even the best laid plans can come unstuck without proper education and outreach. Organizations that communicate their plans effectively will reduce confusion, improve response times, and maximize the effectiveness of their cybersecurity plan. The guide explains how to develop a communication plan and conduct policy and procedure reviews effectively.

Preventing cyberattacks is critical. Most healthcare organizations will have implemented a range of measures to thwart cyberattacks prior to the public health emergency, but HSCC/H-ISAC suggests three practices should be reviewed: Limiting the potential attack surface, bolstering remote access, and leveraging threat intelligence feeds.

Reducing the attack surface requires effective vulnerability management, accelerated patching, securing medical devices and endpoints, and managing third party network access. The guidance document suggests some of the ways that remote access can be secured, and how to leverage threat intelligence feeds to prevent attacks and accelerate the response.

Many attacks are difficult to prevent, so it is critical for mechanisms to be developed and implemented to detect successful attacks and respond quickly. The guidance document suggests some of the steps that can be taken to enhance detection and response to attacks.

It is also important to take care of the team. In crisis situations, health, well-being, job security, and financial stability are all key concerns for healthcare employees. It is important for organizations to communicate effectively with their workers and address these concerns and share how the organization will support employees during the crisis.

You can view and download the guidance document on this link. A second guidance document was released by HSCC earlier this month that details steps healthcare organizations can take to protect trade secrets and research. The guidance document is available for download here.


Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack

Organizations that experience a ransomware attack may be tempted to pay the ransom to reduce downtime and save on recovery costs, but a survey commissioned by Sophos suggests organizations that pay the ransom actually end up spending much more than those that recover files from backups.

The FBI does not recommend paying a ransom: giving attackers money enables them to conduct more attacks, could see a victim targeted further, and there is no guarantee that valid keys will be supplied to decrypt data. The increased cost can now be added to the list of reasons not to pay.

The survey was conducted by market research firm Vanson Bourne between January and February 2020 on approximately 5,000 IT decision makers at companies with between 100 and 5,000 employees across 26 countries including the United States, Canada, and the United Kingdom.

51% of the people surveyed said they had experienced a ransomware attack in the previous 12 months, 73% of whom said the attack resulted in the encryption of data. 26% of attacked organizations paid the ransom and 73% did not. 56% of firms said they were able to recover their files from backups. Out of the firms that paid the ransom, 95% said they were able to recover their data. 1% of firms that paid the ransom said they were unable to recover their data.

84% of organizations said they had a cyber insurance policy, but only 64% said that policy covered ransomware attacks. Out of the 64% that did have coverage for ransomware attacks, 94% said the ransom was paid by their insurance company.

Victims of ransomware attacks were asked to provide an estimated cost of the attack, including downtime, staff costs, equipment costs, lost business, and other associated costs. The average cost in cases where the ransom was not paid was $732,520, whereas the cost was around twice that amount ($1,448,458) at organizations that paid the ransom.

The ransom payment, which is often sizable, must be covered, and many of the costs associated with an attack have to be covered even if the ransom is paid. Paying the ransom to recover more quickly may seem attractive, but in reality recovery may not be shortened considerably even if the ransom is paid. Oftentimes a separate decryption key is required for each endpoint, so recovery will still be an incredibly time-consuming process that may not be straightforward. It is also not unusual for data to be corrupted during encryption and decryption.

The take home message is to make sure that you have the option of recovering files from backups, which means ensuring multiple backups are made with one copy stored on an air-gapped device. Backups must also be tested to make sure data hasn’t been corrupted and file recovery is possible. You should then follow the FBI’s recommendations and not pay the ransom unless you have no other choice.


Chinese Hacking Groups are Targeting COVID-19 Research Organizations

Organizations involved in research into SARS-CoV-2 and COVID-19 have been warned that they are being targeted by hackers affiliated with the People’s Republic of China (PRC) and should take steps to protect their systems from attack.

The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and the Federal Bureau of Investigation (FBI) have warned that organizations in the health care, pharmaceutical, and research sectors that are working on testing procedures, SARS-CoV-2 vaccines, and new treatments for COVID-19 are being targeted by hackers looking to gain access to research data to advance PRC’s research program. The Trump Administration has also warned that cyber espionage campaigns targeting COVID-19 research organizations are now being conducted by hackers linked to Iran.

In the alert, CISA and the FBI warn that the theft of intellectual property in these attacks jeopardizes the delivery of secure, effective, and efficient treatment options. All organizations involved in COVID-19 research have been advised to apply the recommended mitigations as soon as possible to prevent surreptitious review and theft of COVID-19 related data.

CISA warns that press attention affiliating an organization with COVID-19 research is likely to result in increased interest and cyber activity and it is best to assume that targeted cyber attacks will occur. Patching efforts should be stepped up and critical vulnerabilities should be addressed on all systems. If patches cannot be applied to address vulnerabilities, mitigations should be implemented until the patches can be applied. Priority should be given to vulnerabilities known to have been exploited by these threat actors and vulnerabilities on internet-connected servers and software processing internet data.

Scans should be conducted on all web applications to identify anomalous activity that could indicate unauthorized access, and checks conducted to identify any modifications that have been made to the applications. Authentication measures should be strengthened, and multi-factor authentication should be implemented.

Scans should be performed to identify unusual user activity. When anomalous behavior is detected, access should be immediately suspended pending further investigation. When suspicious or criminal activity is detected, the local FBI field office should be alerted. CISA and the FBI will be releasing technical information about threats and cyberattacks in the coming days.


CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data.

The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia, and North Korea, and those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied the patches.

Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their ability to conduct attacks.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” explains CISA and FBI in the alert.

CISA and the FBI hope the list will help organizations to prioritize patching and are urging all organizations to invest more time and resources into patching and develop a program that will keep all system patching up to date moving forward.

Top 10 Routinely Exploited Vulnerabilities

The top 10 list of routinely exploited vulnerabilities includes flaws in Microsoft Office, Microsoft Windows, Microsoft SharePoint, Microsoft .NET Framework, Apache Struts, Adobe Flash Player, and Drupal. Out of the top ten, most nation state hacking groups have concentrated on just three vulnerabilities – CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 – all of which concern Microsoft’s OLE technology. Microsoft’s Object Linking and Embedding (OLE) allows content from other applications to be embedded in Word documents. The fourth most commonly exploited vulnerability – CVE-2017-5638 – is present in the Apache Struts web framework. These vulnerabilities have been exploited to deploy a range of different malware payloads including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBoss, China Chopper, DOGCALL, WingBird, FinFisher, and Kitty.

Priority Vulnerability Affected Products
1 CVE-2017-11882 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
2 CVE-2017-0199 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
3 CVE-2017-5638 Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
4 CVE-2012-0158 Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
5 CVE-2019-0604 Microsoft SharePoint
6 CVE-2017-0143 Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
7 CVE-2018-4878 Adobe Flash Player before 28.0.0.161
8 CVE-2017-8759 Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
9 CVE-2015-1641 Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
10 CVE-2018-7600 Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1


A warning has also been issued about two vulnerabilities that have been exploited in attacks in 2020. These vulnerabilities both concern Virtual Private Network (VPN) solutions and have been exploited by nation state hackers and cybercriminal groups: The Citrix vulnerability CVE-2019-19781 and the Pulse Secure VPN vulnerability CVE-2019-11510.

The rush to implement cloud collaboration services such as Microsoft Office 365 to allow employees to work remotely due to COVID-19 has given hackers new options for attacking organizations. Hasty deployments of these solutions have led to oversights in security configurations which makes them vulnerable to attack. Cybersecurity weaknesses are also being targeted, such as poor employee education about phishing and social engineering. A lack of system recovery and contingency plans has also placed organizations at risk of ransomware attacks.


Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom reached an agreement with the New York Attorney General’s office and has committed to implementing better privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James launched an investigation into Zoom after researchers uncovered a number of privacy and security issues with the platform earlier this year.

Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings with usership growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge.

Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images.

Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end encryption, but it was discovered that Zoom had used AES 128 bit encryption rather than AES 256 bit encryption and its end-to-end encryption claim was false. Zoom was also discovered to have issued encryption keys through data centers in China, even though meetings were taking place between users in the United States.

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile app to login through Facebook, which meant that Facebook was provided with technical data related to users’ devices each time they opened the Zoom app. While Zoom did state in its privacy policy that third-party tools may collect information about users, data was discovered to have been passed to Facebook even when users had not used the Facebook login with the app. There were also privacy issues associated with the LinkedIn Sales Navigator feature, which allowed meeting participants to view the LinkedIn profiles of other meeting participants, even when they had taken steps to remain anonymous by adopting pseudonyms. The Company Directory feature of the platform was found to violate the privacy of some users by leaking personal information to other users if they had the same email domain.

Zoom responded quickly to the privacy and security issues and corrected most within a few days of discovery. The firm also announced that it was halting all development work to concentrate on privacy and security. The company also enacted a CISO Council and Advisory Board to focus on privacy and security and Zoom recently announced that it has acquired the start-up firm Keybase, which will help to implement end-to-end encryption for Zoom meetings.

Under the terms of the settlement with the New York Attorney General’s office, Zoom has agreed to implement a comprehensive data security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a comprehensive security risk assessment and code review and will fix all identified security issues with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the terms of the settlement, Zoom must continue to review privacy and security and implement further protections to give its users greater control over their privacy. Steps must also be taken to regulate abusive activity on the platform.

“This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call,” said Attorney General James.


Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers

Business email compromise scammers operating out of Nigeria have been targeting government healthcare agencies, COVID-19 research organizations, and pandemic response organizations to obtain fraudulent wire transfer payments and spread malware.

The attacks were detected by Palo Alto Networks’ Unit 42 team researchers and have been attributed to a cybercriminal organization called SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have conducted at least 2.1 million BEC attacks since the Unit 42 team started tracking their activity in 2014. In 2019, the group conducted an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were conducted.

The gang has been observed exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting individuals in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to trick recipients into opening malicious email attachments that install malware. A wide range of malware variants have been used by the gang, including information stealers such as Lokibot, Pony, and PredatorPain, and remote administration tools to maintain persistent access to compromised systems. The gang uses malware to steal sensitive information and gain access to bank accounts and payroll systems. BEC attacks are also conducted to obtain fraudulent wire transfer payments.

Unit 42 researchers have tracked the activity of three threat actors from the group over the past 3 months who, between them, have conducted 10 COVID-19 themed malware campaigns on organizations involved in the national response to COVID-19 in Australia, Canada, Italy, the United Kingdom, and the United States.

Recent targets have included government healthcare agencies, local and regional governments, medical publishing companies, research firms, insurance companies, and universities with medical programs and medical centers. 170 distinct phishing emails have been identified by the researchers, several of which related to supplies of face masks and other personal protective equipment.

SilverTerrier attacks increased by 172% in 2019 and Palo Alto Networks reports there is no indication that the attacks will slow in 2020. “In light of this trend, we encourage government agencies, healthcare and insurance organisations, public utilities, and universities with medical programs to apply extra scrutiny to Covid-19-related emails containing attachments,” said the researchers. Since the attacks are mostly conducted by email, the best defense is training for staff to help them identify spear phishing emails and an advanced spam filtering solution to prevent the emails from being delivered to inboxes. It is also important to check that the CVE-2017-11882 Microsoft Office vulnerability has been patched and to continue to apply patches promptly.


The post Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers appeared first on HIPAA Journal.

CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations

Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, pharmaceutical firms, research institutions, and others involved in the COVID-19 response, prompting a further joint alert from cybersecurity authorities in the United States and United Kingdom.

The latest warning from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) follows on from an earlier joint alert issued on April 8, 2020 and provides further information on the tactics, techniques, and procedures being used by the APT groups to gain access to networks and sensitive data.

In the latest alert, CISA/NCSC explained that APT groups are targeting organizations involved in COVID-19 research to obtain sensitive information on the COVID-19 response and research data to further the domestic research efforts in countries that fund the APT groups.

APT groups often target healthcare organizations to obtain personal information of patients, intellectual property, and intelligence that aligns with national priorities. APT groups do not appear to be conducting higher numbers of attacks; they have simply shifted their focus and are now concentrating attacks on organizations engaged in the response to COVID-19. CISA/NCSC warn that efforts to obtain sensitive data are continuing, with national and international healthcare organizations being targeted in order to acquire sensitive COVID-19 research data.

One of the ways that the attacks are being conducted is to target supply chains, which are seen as a weak link that can be exploited to gain access to higher value targets. Many employees of organizations in the supply chain are now working from home due to the COVID-19 lockdown, and new vulnerabilities have been introduced as a result.

The APT groups are using a variety of methods to infiltrate networks, gain persistence, and steal sensitive data. The alert raises awareness of two tactics that have been observed over the past few weeks: Exploitation of vulnerabilities and password spraying.

Many employees have been forced to work from home during the pandemic to help control the spread of the virus and are accessing their corporate networks using virtual private networks (VPNs). Several commercial VPN solutions have been found to have exploitable vulnerabilities which are now being exploited. In 2019, VPN solutions from Palo Alto Networks, Pulse Secure, and Fortinet were found to have vulnerabilities and patches were released to correct the flaws. Many organizations are also vulnerable to the Citrix vulnerability, CVE-2019-19781. Patches to correct these flaws were released several months ago but many organizations have not yet applied the patches and are vulnerable to attack. APT groups have been observed conducting scans to identify organizations that have not yet patched the Citrix and VPN vulnerabilities and are actively exploiting the flaws.

APT groups are also conducting password spraying attacks to gain access to corporate systems. Password spraying is a type of brute force attack that relies on commonly used passwords. A single common password is tried against an account to see if it allows access, then the same password is tried on many other accounts before the process is repeated with a second password. That process continues until a correct password is found.

CISA/NCSC warn that this tactic is often successful, as within any large group of users there will be commonly used passwords. The approach of using one password on many different accounts before moving on to the next also helps the attackers conduct attacks undetected, as this would be less likely to trigger account lockouts due to too many failed password attempts in a short period of time.
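Because a spray spreads a few attempts across many accounts, per-account lockout counters never trip; the signal is one source failing against many distinct accounts in a short window. The following detection logic is an added example, not part of the CISA/NCSC alert or the article, and runs over a constructed log format (timestamp, result, user, source) rather than any real product's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs). The first
# source hits eight accounts once each; per-account lockout (5 failures)
# never triggers, which is the low-and-slow spray pattern described above.
SAMPLE_LOG = """\
2020-05-06T09:00:01 FAIL user=a.smith src=203.0.113.7
2020-05-06T09:00:04 FAIL user=b.jones src=203.0.113.7
2020-05-06T09:00:07 FAIL user=c.lee src=203.0.113.7
2020-05-06T09:00:10 FAIL user=d.khan src=203.0.113.7
2020-05-06T09:00:13 FAIL user=e.ortiz src=203.0.113.7
2020-05-06T09:00:16 FAIL user=f.wong src=203.0.113.7
2020-05-06T09:00:19 FAIL user=g.ali src=203.0.113.7
2020-05-06T09:00:22 FAIL user=h.berg src=203.0.113.7
2020-05-06T09:01:00 FAIL user=a.smith src=198.51.100.20
2020-05-06T09:01:30 FAIL user=a.smith src=198.51.100.20
2020-05-06T09:02:00 OK user=a.smith src=198.51.100.20
"""

def parse(line):
    """Split one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, lockout=5):
    """Return {src: sorted distinct accounts} for each source whose failures
    touch at least `min_accounts` distinct accounts within `window` while
    every account stays below the `lockout` threshold (spray, not brute force)."""
    failures = defaultdict(list)          # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result == "FAIL":
            failures[src].append((ts, user))
    hits = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
                hits[src] = sorted(per_user)
                break
    return hits
```

A source that fails repeatedly against one account (the second source above) is a lockout or brute-force case and is deliberately not reported here; tune `min_accounts` and `window` to the organization's normal failure rate.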

Once an attack succeeds and a correct password is found, the password is used to access other accounts where the password has been reused. Attackers also download global address lists which are used for further password spraying attacks on the organization. The attackers also attempt to move laterally to steal additional credentials and sensitive data.

CISA/NCSC have provided mitigations that will help healthcare organizations harden security against these attacks. These include ensuring VPN clients and infrastructure are updated and running the latest versions of software and patching all other software and operating systems promptly. Multi-factor authentication should be configured to prevent stolen or brute forced passwords from being used to access accounts, the management interfaces of critical systems should also be protected to prevent attackers from gaining privileged access to vital assets, and monitoring capability should be stepped up to identify network intrusions.

You can view the CISA/NCSC alert, mitigations, and other useful resources on this link.

The post CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations appeared first on HIPAA Journal.