Healthcare Cybersecurity

EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology

The contact tracing technology being developed by Apple and Google to help track people who have come into close contact with individuals confirmed as having contracted COVID-19 could be invaluable in the fight against SARS-CoV-19; however, the Electronic Frontier Foundation (EFF) has warned that in its current form, the system could be abused by cybercriminals.

Google and Apple are working together on the technology, which is expected to be fully rolled out next month. The system will allow app developers to build contact tracing apps to help identify individuals who may have been exposed to SARS-CoV-2. When a user downloads a contact tracing app, each time they come into contact with another person with the app installed on their phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged via Bluetooth Low Energy.

How Does the Contact-Tracing System Work?

RPIDs will be exchanged only if an individual moves within a predefined range – 6 feet – and stays in close contact for a set period of time. Range can be determined by strength of the pings sent out by users’ smartphones. Should a person be diagnosed with COVID-19 and enters the information into the app, all individuals that the person has come into contact with over the previous 14 days will be sent an electronic notification.

The data sent is anonymously, so notifications will not provide any information about the person that has contracted COVID-19. The RPIDs will change every 10-20 minutes, which will prevent a person from being tracked and data will be stored on smartphones rather than being sent to a central server and RPIDs will only be retained for 14 days. Permission is also required from a user before a public health authority can share the user’s temporary exposure key that confirms the individual has contracted COVID-19, which will prevent false alarms.

When a COVID-19 diagnosis is confirmed, a diagnosis key will be logged in a public registry which will be accessible by all app users and will be used for generating alerts. The diagnosis keys contain all of the RPIDs for a particular user to allow all individuals who have been in contact with them to be notified.

Electronic Frontier Foundation Concerned About Privacy and Security Risks

The public registry is one of the problems with the system, as EFF’s Bennett Cypher and Gennie Gebhart explained in a recent blog post, “any proximity tracking system that checks a public database of diagnosis keys against RPIDs on a user’s device—as the Apple-Google proposal does—leaves open the possibility that the contacts of an infected person will figure out which of the people they encountered is infected.”

Each day, users of the apps will share their diagnosis keys, which opens up the possibility of linkage attacks. It would be possible for a threat actor to collect RPIDs from many different places simultaneously through the use of static Bluetooth beacons in public places. This would only provide information about where pings occurred and would not allow an individual to be tracked. However, when the diagnosis keys are broadcast, an attacker could link the RPIDs together and determine a person’s daily routine from their RPIDs. Since a person’s movements would be unique, it would potentially be possible to identify that individual and discover their movements and where they live and work. EFF suggests that risk could be reduced by sending diagnosis keys more frequently, such as every hour rather than once a day.

Another problem with the system in its current form is there is currently no way of verifying that a device sending contact-tracing data is the device that generated the RPID. This means a malicious actor could intercept RPIDs and rebroadcast them.

“Imagine a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe,” explained. “Anyone who passes by a ‘bad’ beacon would log the RPIDs of everyone else who was near any one of the beacons. This would lead to a lot of false positives, which might undermine public trust in proximity-tracing apps—or worse, in the public-health system as a whole.”

Concern has also been raised about the potential for developers to centralize the data collected by the apps, which EFF warns could expose people to more risk. EFF recommends developers stick to the proposal outlined by Apple and Google and keep users’ data on their phones rather than in a central repository. EFF also says it is important to limit the data sent out over the internet as far as possible and to only send data that is absolutely necessary.

Echoing the advice of more than 300 scientists who recently signed an open letter about the privacy and security risks of contact-tracing technology, EFF said it is also essential for the program to sunset once the COVID-19 public health emergency is over to ensure there will be no secondary uses that could impact personal privacy in the future. They also recommend that app developers must operate with complete transparency and clearly explain to users what data is collected, and should allow users to stop pings should they wish and also access the RPIDs they have received and delete data from their contact history.

Further, any app must be extensively tested to ensure it functions as it should and does not have any vulnerabilities that can be exploited. Post-release, testing will need to continue to find vulnerabilities and patches and updates will need to be developed and rolled out rapidly to correct flaws that are discovered. In order for the system to work as it should, a high percentage of the population will need to be using the system, which would likely make it an attractive target for cybercriminals and nation state hacking groups. The latter are already conducting campaigns spreading disinformation about COVID-19 and are conducting cyberattacks to disrupt the COVID-19 response.

No contact tracing system is likely to be free of privacy risks, as there must be a trade-off to perform this type of contact tracing, but EFF says that steps must be taken to reduce those privacy risks as far as possible. The whole system is based on trust and, if trust is undermined, the system will not be able to achieve its aims.

The post EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology appeared first on HIPAA Journal.

WHO Confirms Fivefold Increase in Cyberattacks on its Staff

The World Health Organization is one of the leading agencies combating COVID-19 and has proven to be an attractive target for hackers and hacktivists, who have stepped up attacks on the organization during the COVID-19 pandemic. Cyberattacks on WHO are at five times the level they were at this time last year.

Last month, WHO confirmed hackers had tried to gain access to its network and those of its partners by spoofing an internal WHO email system and the attacks have kept on coming. Last week, SITE Intelligence Group discovered the credentials of thousands of individuals involved in the fight against COVID-19 had been dumped online on 4chan, Pastebin, Telegram, and Twitter. Around 25,000 email and password combos were leaked in total, including around 2,700 credentials for WHO staff members. WHO said the data had come from an old extranet system and most of the credentials were no longer valid, but 457 were current and still active.

In response, WHO said it performed a password reset to ensure the credentials could no longer be used, internal security has been strengthened, a more secure authentication system has been implemented, and security awareness training for its staff is being improved.

The remainder of the dumped credentials came from organizations such as the Gates Foundation, Centers for Disease Control and Prevention, and the National Institutes of Health. It is not clear where the data came from or who leaked it online, but the credentials have been used far right groups to attack organizations working on vaccines and conducting other activities related to COVID-19.

“Ensuring the security of health information for member states and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the COVID-19 pandemic,” said WHO CIO, Bernardo Mariano. “We are grateful for the alerts we receive from Member States and the private sector. We are all in this fight together.”

Mariano also confirmed that ongoing phishing campaigns are being conducted that spoof WHO to trick people into making donations to a fictitious fund similar to the COVID-19 Solidarity Response Fund that is overseen by WHO and the United Nations. Campaigns are also being conducted by nation-state hacking groups that spoof WHO to trick people into downloading malware that is used for espionage.

Malicious attacks using COVID-19 and coronavirus themes have soared over the past few weeks. Data released by cybersecurity firm Zscaler shows there has been a 30,000% increase in COVID-themed attacks in March compared. In March there were around 380,000 attempted COVID-19 themed attacks, compared to around 1,200 in January and 10,000 in February.

There was an 85% increase in COVID-19-themed phishing attacks on remote enterprise users, a 17% increase in threats directed at enterprise clients, and the company blocked 25% more malicious websites and malware samples in March. The company also detected 130,000 suspicious or malicious newly registered domains that included words such as Wuhan, test, mask, and kit.

Many of the attacks are succeeding. Figures from the FTC indicate around $19 million has been lost to COVID-19 related scams since January 2020, with $7 million lost in the past 10 days. Figures released by Google earlier this month revealed that in a single week it blocked 18 million COVID-19 phishing emails. While the number of COVID-19 themed attacks has increased sharply, overall the number of attacks has remained fairly constant. Microsoft reports that the number of cyberattacks has not significantly increased during the COVID-19 pandemic. Threat actors are simply repurposing their infrastructure and switching from their regular campaigns to COVID-19 related attacks.

The post WHO Confirms Fivefold Increase in Cyberattacks on its Staff appeared first on HIPAA Journal.

Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance

A bipartisan group of Senators has written to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command requesting healthcare-specific cybersecurity guidance on how to deal with coronavirus and COVID-19-related threats.

Richard Blumenthal, (D-CT), Mark Warner (D-VA), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) penned the letter in response to the escalating cyber espionage and cybercriminal activity targeting the healthcare, public health, and research sectors during the COVID-19 pandemic.

The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group, APT41, targeting the healthcare sector. The hacking group is exploiting vulnerabilities in networking equipment, cloud software and IT management tools to gain access to healthcare networks – The same systems that are now being used by telecommuting workers for providing telehealth during the pandemic. Several other threat groups with links to China have also stepped up their attacks and are using COVID-19-themed campaigns on U.S. targets.

Threat actors in Russia, Iran, and North Korea have also been conducting attacks on international health organizations and public health institutions of U.S. allies. There have also been several misinformation campaigns that have been linked to Russia, Iran, and China which are attempting to derail the response of the United States to the pandemic.

The healthcare industry was already struggling to defend against attacks from nation state hackers and cybercriminal gangs before the SARS-CoV-2 pandemic. Healthcare organizations are now stretched and stressed due to the COVID-19 pandemic and the situation is now critical. If the cyberattacks succeed, there is a major risk of disruption of the public health response.

Hospitals are dependent on electronic data such as electronic medical records, email, and their internal networks, many of which are heavily reliant on legacy equipment. Any attack that causes disruption will see resources diverted and critical time lost. Even a relatively minor attack has potential to cause major disruption. As an example, the Senators cited an attack on the Department of Health and Human Services. A relatively minor technical issue was experienced with email, but it was enough to hamper the efforts of the HHS to coordinate the federal government’s service.

Ransomware attacks that take EHRs out of action have even greater potential to cause disruption, and the consequences of these attacks can be grave. “During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death,” wrote the Senators.

The Senators have called for the two agencies to use the expertise and resources that have been developed to defend against these threats and to take the necessary measures to protect the healthcare industry during the coronavirus pandemic.

The Senators have requested private and public cyber threat intelligence such as indicators of compromise from attacks on the healthcare, public health, and research sectors to be broadly shared to help network defenders block the attacks. They have also requested the agencies coordinate with the HHS, Federal Trade Commission (FTC), and Federal Bureau of Investigation (FBI) to help increase awareness of cyberespionage, cybercrime, and disinformation campaigns.

The Senators have asked for the National Guard Bureau to be provided with threat assessments, resources, and additional guidance to support personnel supporting state public health departments and local emergency management agencies to ensure they have the information they need to defend critical infrastructure from cybersecurity breaches.

The agencies have been asked to consult with partners in the private healthcare, public health, and research sectors on the resources and information needed to improve defenses against attacks, such as vulnerability detection tools and threat hunting.

To counter the disinformation campaigns that are being conducted, the Senators have asked the agencies to consider issuing public statements “to put advisories on notice”, similar to the joint statement issued in relation to election interference on March 2nd.

Finally, they asked the agencies to evaluate further necessary action to defend forward to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

The post Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance appeared first on HIPAA Journal.

FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers

The FBI has issued a fresh warning following an increase in COVID-19 phishing scams targeting healthcare providers. In the alert, the FBI explains that network perimeter cybersecurity tools used by US-based healthcare providers started detecting COVID-19 phishing campaigns from both domestic and international IP addresses on March 18, 2020 and those campaigns are continuing.

These campaigns use malicious Microsoft Word documents, Visual Basic Scripts, 7-zip compressed files, JavaScript, and Microsoft Executables to gain a foothold in healthcare networks. While the full capabilities of the malicious code are not known, the FBI suggests that the purpose is to gain a foothold in the network to allow follow-on exploitation, persistence, and data exfiltration.

In the alert, the FBI provides indicators of compromise for the ongoing phishing campaigns to allow network defenders to take action to block the threats and protect their environments against attack.

Indicators of Compromise

Email Sender Email Subject Attachment Filename Hash
srmanager@combytellc.com PURCHASE ORDER PVT Doc35 Covid Business Form.doc babc60d43781c5f7e415e2354cf32a6a24badc96b971a3617714e5dd2d4a14de
srmanager@combytellc.com Returned mail: see transcript for details Covid-19_UPDATE_PDF.7z de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44
srmanager@combytellc.com COVID-19 UPDATE !! Covid-19_UPDATE_PDF.7z de85ca5725308913782d63d00a22da480fcd4ea92d1bde7ac74558d5566c5f44
admin@pahostage.xyz Information about COVID-19 in the United States covid50_form.vbs d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
help@pahofinity.xyz Coronavirus (COVID-19) covid27_form.vbs d231d81538b16728c2e31c3f9e0f3f2e700d122119599b052b9081c2c80ecd5c
monique@bonnienkim.us Business Contingency alert -COVID 19 COVID-19 Circular.jar eacc253fd7eb477afe56b8e76de0f873259d124ca63a9af1e444bfd575d9aaae
info@mohap.gov.ae Todays Update on COVID-19 Todays Update on COVID-19.exe 7fd2e950fab147ba39fff59bf4dcac9ad63bbcdfbd9aadc9f3bb6511e313fc9c
erecruit@who.int World Health Organization/ Let’s fight Corona Virus together COVID-19 WHO RECOMENDED V.exe d150feb631d6e9050b7fb76db57504e6dcc2715fe03e45db095f50d56a9495a5

 

In addition to taking steps to reduce risk, the FBI has requested healthcare providers who have been targeted in one of these COVID-19 phishing attacks to share copies of the emails they receive, including email attachments and full email headers. If any of the attacks are successful, the FBI has requested victims retain and share logs and images of infected devices, and perform memory capture of all affected equipment. That information can be used in the response by the FBI.

The FBI warns all users to be wary about emails containing unsolicited attachments, regardless of who sent the email. Threat actors can spoof messages to make them appear to have been sent by a known, trusted individual. If an email attachment seems suspicious, it should not be opened even if antivirus software suggests the attachment is clean and does not include malware. Antivirus software can only detect known malware and new malicious code is constantly being released. The FBI also advises against allowing the automatic downloading of attachments.

Patches should be applied promptly and all software should be updated to the latest version. Additional security practices should be adopted, such as filtering certain types of attachments through email security software and firewalls.

It is also recommended to create multiple accounts on computers and restrict the use of admin accounts. The FBI warns that some viruses require administrator privileges to infect computers, so emails should only be read on an account with restricted privileges to reduce risk.

The post FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers appeared first on HIPAA Journal.

CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching

The Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA) has issued a warning to all organizations using Pulse Secure VPN servers that patching vulnerabilities will not necessarily prevent cyberattacks. CISA is aware of attacks occurring even after patches have been applied to address known vulnerabilities.

CISA issued an alert about a year ago warning organizations to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances due to a high risk of exploitation. Many companies were slow to apply the patch, and hackers took advantage.

CVE-2019-1151 is an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances. The vulnerability was identified in the spring of 2019 and Pulse Secure released a patch to address the vulnerability in April 2019. Several advanced persistent threat groups are known to have exploited the vulnerability to steal data and install malware and ransomware. By exploiting the vulnerability and stealing credentials, the attackers were able to gain persistent access to networks even after the vulnerability was patched, if credentials were not also changed at the same time.

CISA observed threat actors exploiting the vulnerability to deploy ransomware at several government agencies and hospitals, even after patches had been applied. First, the vulnerability was exploited to gain access to the network through vulnerable VPN devices. The threat actors were then able to obtain plaintext Active Directory credentials, and those accounts were used with external remote services for access, remote services for lateral movement, and the attackers then deployed ransomware and malware and/or exfiltrated and sold sensitive company data.

The attackers used Tor infrastructure and virtual private servers to minimize the chance of detection when they were connected to victims’ VPN appliances. Many victims failed to detect the compromise as their antivirus and intrusion detection systems did not detect the remote access as suspicious, as genuine login credentials and remote services were used. Some attackers used LogMeIn and TeamViewer to ensure they had persistent access even if the primary connection was lost.

When patches are applied to address vulnerabilities that are known to be actively exploited in real world attacks, organizations then need to conduct analyses to determine if the vulnerability has already been exploited to gain access to their networks. Patching will prevent any further threat actors from exploiting the vulnerability, but if a network compromise has already occurred, applying the patch will not kick the attackers out of systems.

CISA has now developed a tool that can be used by organizations to determine if the Pule Secure VPN vulnerability has already been exploited. The tool can be used to scan the log files of Pulse Secure VPN servers to determine if the gateway has been compromised. In addition to helping system administrators triage logs, the tool will also scan for Indicators of Compromise (IoCs) associated with exploitation of the Pulse Security vulnerability.

“If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged,” wrote CISA.

In addition to performing the scans, CISA recommends changing Active Directory passwords and conducting a search for unauthorized applications, scheduled tasks, and any remote access tools that have been installed that have not been approved by the IT departments. Scans should also be performed to identify any remote access Trojans and other malware that may have been installed.

Many organizations that use VPN servers to allow remote access do not use multi-factor authentication, which means that any stolen credentials can be used to gain access to networks via the VPN gateways. With multi-factor authentication in place, use of stolen credentials becomes much harder, as a second factor will be required before access is granted.

The post CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching appeared first on HIPAA Journal.

AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians

The American Medical Association (AMA) and the American Hospital Association (AHA) have issued joint cybersecurity guidance for physicians working from home due to the COVID-19 pandemic to help them secure their computers, mobile devices, and home networks to and safely provide remote care to patients.

Physicians are able to use their mobile devices to access patients’ medical records over the internet as if they were in the office, and teleconferencing solutions allow them to conduct virtual visits using video, audio, and text to diagnose and treat patients. However, working from home introduces risks that can jeopardize the privacy and security of patient data.

The AMA/AHA guidance is intended to help physicians secure their home computers and home network to protect patient data and keep their work environment safe from cyber threats such as malware and ransomware, which could have a negative impact on patent safety and well-being.

“For physicians helping patients from their homes and using personal computers and mobile devices, the AMA and AHA have moved quickly to provide a resource with important steps to help keep a home office as resilient to viruses, malware and hackers as a medical practice or hospital,” explained AMA President. Patrice A. Harris.

The guidance includes a checklist for computers, which lists several actions that should be taken to strengthen security and reduce susceptibility to threats such as phishing, malware, and ransomware. The guidance also provides a set of best practices to follow, such as the use of multi-factor authentication, lockout features for accounts, additional verbal authentication procedures, and regularly backing up data.

The AMA and AHA recommend the use of virtual private networks (VPNs) when accessing EHRs and other data repositories and suggest physicians should contact their EHR vendors to obtain recommendations on the use of VPNs and cloud-based technologies to improve security.

The guidance also covers mobile and tablet security and provides a similar checklist for securing those devices. THE AMA and AHA suggest physicians can use applications on mobile devices and tablets to connect to the office to order medications and tests. Apps such as TigerTouch can also be used on these devices to allow physicians to provide telemedicine services to patients. These apps also fully integrate with EHRs.

In addition to securing devices, steps should be taken to strengthen security for home networks. Vulnerabilities in home networks could be exploited to compromise any device that connects to the network, which could give an attacker access to patient data. The guidance also explains how to work with medical devices and identify and mitigate cyber risks.

The guidance on working from home during the COVID-19 pandemic can viewed on this link.

The post AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians appeared first on HIPAA Journal.

Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies.

Healthcare industry buyers have been told to be on high alert following a rise in the number of scams related to the procurement of PPE and essential medical equipment such as ventilators, which are in short supply due to increased demand.

The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake.

There have also been several reported cases of business email compromise (BEC) scams related to PPE and medical equipment procurement. In these scams, brokers and vendors of goods and services are impersonated. The scammers use email addresses that are nearly identical to the legitimate broker or seller and request wire transfer payments for the goods and services. The scams are often only detected after the money has been transferred and withdrawn from the accounts.

The FBI cites one case where an individual was duped by a scammer into wire transferring funds to an entity that claimed to have an existing business relationship with the purchasing agency. When the potential scam was uncovered, the funds had already been transferred beyond the reach of U.S law enforcement and could not be recovered.

Prepayment for goods such as PPE and ventilators is commonplace, but it increases risk of being defrauded and, in many cases, prepayment for goods eliminates potential recourse.

Healthcare equipment buyers should be wary of the following signs of a potential scam:

  • Contact is initiated by a broker or seller of medical equipment or PPE, often through a channel that makes verification of the legitimacy of the seller or broker difficult. I.e. initial contact comes from a personal email address or the offer is received over the phone.
  • The origin of the equipment is not clearly explained, including how the broker or vendor has secured a supply given the current high level of demand.
  • It is not possible to verify with the manufacturer of the goods that the person offering them for sale is a legitimate vendor or distributor of the product, or it is not possible to verify a legitimate supply chain.
  • Any unexplained urgency for payment or last-minute changes to previously used payment methods.

Any contact made by a vendor or broker who claims to have a business relationship with an existing supplier should be verified through previously established communication channels to verify the legitimacy of the relationship.

If contact is made by a known or trusted vendor, carefully check the contact information and email address to make sure it is legitimate. Look out for transposed letters and misspellings in email addresses.

Where possible, arrange for an independent third party to verify that the items being offered for sale are physically present, and of the correct make, model, and type and take delivery immediately when payment is made. If not possible, ensure payment is made through a domestic escrow account which will only release funds when the goods are received and verified to be correct.

The post Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment appeared first on HIPAA Journal.

Small- and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware

Ransomware gangs are concentrating their attacks on smaller healthcare providers and clinics, according to a new report from RiskIQ. Healthcare providers with fewer than 500 employees are key targets for the gangs, with these organizations accounting for 70% of all successful healthcare ransomware attacks since 2016.

RiskIQ’s analysis of 127 healthcare ransomware attacks revealed there has been a 35% increase in attacks between 2016 and 2019. Hospitals and healthcare centers accounted for 51% of ransomware attacks, 24% of attacks were on medical practices, with 17% on health and wellness centers.

The cybersecurity defenses at smaller healthcare organizations are likely to be far less effective than those at larger healthcare systems. RiskIQ reports that 85% of small- and medium-sized hospitals do not have a qualified IT security person on staff, so there is a higher chance of gaps in security being left unaddressed. Ransom payments are more likely to be paid to avoid the costly downtime that is often caused by an attack. It can often take several weeks for an organization to fully recover when the ransom is not paid.

A Perfect Storm of New Targets and Methods

The RiskIQ intelligence brief – Ransomware in the Health Sector 2020 – says there has been “a perfect storm of new targets and methods,” due to the digital revolution in healthcare, but recent events have left the healthcare industry even more exposed to attack. The 2019 Novel Coronavirus pandemic has forced healthcare providers to make major changes. “Almost overnight, workforces and business operations decentralized and were flung around the world, widening the protection gaps and decreasing visibility into their attack surfaces,” explained RiskIQ.

Some ransomware groups have claimed they will not attack healthcare organizations during the COVID-19 public health emergency, but there are some groups that are making no such allowances. Attacks have become easier and they are taking advantage. “Cybercriminals are capitalizing on coronavirus concerns, which has led to a spike in malicious online activity that we assess will increasingly impact healthcare facilities and COVID-19 responders.”

Paying the Ransom Does Not Guarantee Recovery

16% of healthcare victims have reported they paid the ransom to obtain the keys to unlock their files. The report suggests the average ransom payment in those attacks was $59,000. While paying the ransom is an option, it is discouraged by the FBI as it just encourages further attacks and there is no guarantee that files can be recovered. The RiskIQ report cites a Wall Street Journal article that suggests fewer than 50% of the decryption keys are effective, so some data loss is inevitable even if the ransom is paid. There have also been cases where ransom payments have been made only for the attackers to then demand a further payment to provide the keys to unlock encryption. Paying a ransom also sends a message to other attackers that payment is likely if they are attacked, so the organization may be targeted again by the same or different threat actors.

Ransomware gangs are using a variety of methods to gain access to healthcare networks to deploy ransomware. Spam email is commonly used to trick healthcare employees into clicking malicious links that trigger a ransomware download or opening malicious email attachments containing ransomware downloaders. Vulnerabilities in software are commonly exploited, with many attacks taking advantage of vulnerabilities in Remote Desktop Protocol. The high number of workers now accessing healthcare networks remotely using Virtual Private Networks (VPNs) has seen VPN vulnerabilities targeted by ransomware gangs. Several vulnerabilities have been identified in VPN infrastructure over the past year, and while patches have been released to correct flaws, they are often not applied.

Steps to Take to Reduce Risk and Prevent Ransomware Attacks

The advice to all organizations has long been to ensure backups are regularly made to allow files to be recovered in the event of an attack, but having backups is no guarantee that they can be used to restore data. Several threat groups have been conducting manual ransomware attacks and spend long periods of time with network access before deploying ransomware. In addition to moving laterally and gaining access to large parts of the network, they have also been able to insert their ransomware into backup systems to ensure that backups are also encrypted.

RiskIQ advises healthcare organizations to ensure backups are created often and stored offline, or at least on different networks. Encryption of stored data is also important. There has been an increase in data theft prior to ransomware deployment. If data is encrypted, even if it is stolen it will ensure that the attackers cannot access the data.

RiskIQ emphasizes the importance for having an incident response plan, as this will help ensure attacks can be mitigated quickly to minimize the damage caused. Prompt patching is also essential. The importance of patching cannot be overstated, warns RiskIQ.

It is especially important during the COVID-19 crisis to ensure all digital assets that connect to the organization from outside the protection of the firewall are tracked and protected, as attackers are actively searching for these devices. they often provide an easy entry point to healthcare networks.

It is also important to prepare the workforce and provide training to help employees identify threats such as phishing attacks. Phishing simulation exercises can help to reduce susceptibility to ransomware attacks. IT teams should also keep up to date on the latest attack trends, as they are constantly changing.

The post Small- and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware appeared first on HIPAA Journal.

Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services

On April 2020 Patch Tuesday, Microsoft released updates to correct 113 vulnerabilities in its operating systems and software solutions, 19 of which have been rated critical. This month’s round of updates includes fixes for at least 3 zero-day vulnerabilities that are being actively exploited in real world attacks.

Two of the actively exploited vulnerabilities were announced by Microsoft in March and Microsoft suggested workarounds to limit the potential for exploitation. The flaws – CVE-2020-0938 and CVE-2020-1020 – both affect the Adobe Font Manager Library and can lead to remote code execution on all supported Windows versions. The flaws are partially mitigated in Windows 10 and could only result in code execution in an AppContainer sandbox with limited privileges and capabilities. The flaws could be exploited if a user is convinced to open a specially crafted document or if it is viewed in the Windows Preview pane.

The third actively exploited zero-day is a Windows Kernel vulnerability that was discovered by Google’s Project Zero team. The flaw, tracked as CVE-2020-1027, could allow remote code execution with elevated privileges. The flaw has been exploited in attacks on Windows 10 devices, but older operating systems are also vulnerable.

A further flaw was initially reported as having been exploited but is now marked as “exploitation likely”. The flaw, tracked as CVE-2020-0968, affects Internet Explorer and concerns how the scripting engine handles objects in the memory.

A further vulnerability, CVE-2020-0935, which affects OneDrive for Windows, is rated important but it has been publicly disclosed. The flaw is due to improper handling of shortcut links. Exploitation of the flaw would allow an attacker to further compromise systems and execute additional payloads. Since OneDrive is installed on many devices and is being used extensively by remote workers for sharing and storing files, it would be an attractive vulnerability for hackers. It should therefore be prioritized along with the critical and actively exploited flaws.

Many of the vulnerabilities could be exploited by convincing an employee to visit a malicious website or open a specially crafted document sent via email, which could then result in the installation of malware, backdoors, information disclosure, and access to devices with full user rights.  With so many work-from-home employees during the COVID-19 pandemic, and with cybercriminals targeting those individuals, it is more important than ever for patches to be applied promptly.

End of Support Delayed by Microsoft for Windows 10, Windows Server, and Software and Services

Microsoft has also announced that it will be delaying end of support for certain operating systems, software, and services in 2020, to ease the pressure on IT departments at this difficult time.

Many IT workers have also been forced to work from home and the increased stress of managing IT and providing support to a largely at-home workforce has meant there has been little time to take the necessary steps to prepare for updates to software and operating systems.

“As a member of the global community, we want to contribute to reducing the stress our customers face right now. To that end, we have delayed the scheduled end of support and servicing dates for the following products to help people and organizations focus their attention on retaining business continuity,” explained Microsoft in a recent support article.

End of support dates have been extended for the following operating systems, software, and services.

  • Windows 10 1709/1809: April 14, 2020 >> October 13, 2020
  • Windows Server 1809: May 12, 2020 >> November 10, 2020
  • Configuration Manager version 1810: May 12, 2020 >> November 10, 2020
  • SharePoint Server 2010, SharePoint Foundation 2010, and Project Serer 2010: >> May 27, 2020 >> December 1, 2020
  • Dynamics 365 Cloud Services: October 13, 2020 >> April 13, 2021
  • Basic Authentication in Exchange Online: September 2020 >> December 2020

End of support dates for all other software and services scheduled for 2020 remain unchanged.

The post Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services appeared first on HIPAA Journal.