Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has demanded answers from the Department of Health and Human Services (HHS) about a 2023 cyberattack that resulted in the theft of millions of dollars of grant funds and the failure of the HHS to notify Congress about the incident.

In January this year, Bloomberg published a report about a hacking incident at the HHS. According to the report, hackers had access to an HHS system that processed civilian grant payments between March 2023 and November 2023 and stole $7.5 million. The money should have been transferred to five accounts to provide support for at-risk populations, including children, pregnant women, and patients in rural communities.

Hackers are thought to have used spear phishing emails to target HHS staff, who were tricked into disclosing credentials that allowed access to the grantees’ accounts. The HHS provided a statement at the time confirming the incident had been reported to the HHS’ Office of Inspector General; however, in January, an HHS OIG spokesperson could neither confirm nor deny that an investigation had been launched into the incident.

In his letter to HHS Secretary Xavier Becerra, Sen. Cassidy said the HHS did not notify Congress about the incident and has so far failed to publicly acknowledge the breach, even though federal law requires government agencies to disclose major cyberattacks. Sen. Cassidy said any disruption to grant funding can place healthcare facilities under significant financial strain and the delay in receiving grant awards could delay life-saving care to patients. Cyberattacks on healthcare organizations are increasing and the HHS has issued regular guidance to HIPAA-regulated entities on the steps that should be taken to improve cybersecurity and has recently announced voluntary cybersecurity performance goals for the HPH sector. Senator Cassidy said, “This attack raises serious questions about HHS’ ability to safeguard its own systems and protect taxpayer funds and sensitive data.”

Senator Cassidy also criticized the HHS for the lack of transparency about the breach and its incident response.  “HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks,” wrote Sen. Cassidy. “Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again.”

Sen. Cassidy has demanded answers about when the HHS identified the breach of its Payment Management Services (PMS) system, when the system was accessed by hackers, how many grantees were affected, how much was stolen, when the HHS notified the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) about the breach, whether the attack delayed any payments of grant awards, and what steps the HHS has taken to try to recover the stolen funds. Questions were also asked about the safeguards that were in place prior to the attack, its internal incident response plan, the steps that have been taken to identify and address any vulnerabilities in HHS systems, and how the HHS can justify failing to notify Congress. Sen. Cassidy has requested answers on a question-by-question basis by April 5, 2024.

A spokesperson for the HHS confirmed that the HHS has been in regular contact with Congress about the incident and is working to ensure that the affected grantees will have access to the funds that they were awarded. “The event in December was a targeted fraud campaign against the Payment Management System, not a cyberattack,” said the HHS spokesperson. “HHS promptly reported the incident to the HHS Office of Inspector General. As federal stewards of the taxpayer dollar, we take this issue with the utmost importance.”

The post Senator Cassidy Demands Answers About HHS Cyberattack and $7.5M Theft appeared first on HIPAA Journal.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and other U.S. and international partners have issued a joint fact sheet warning critical infrastructure entities to take the threat of attacks by Chinese state-sponsored actors seriously. The warning follows on from a February 2024 cybersecurity alert about an advanced persistent threat group known as Volt Typhoon, which was discovered to have embedded itself in the networks of many critical infrastructure entities, including transportation, energy, communications, and water and wastewater systems. The intrusions are believed to be strategic, with the threat actors maintaining persistent access to potentially disrupt or destroy critical services in the event of increased geopolitical tension or military conflicts.

Volt Typhoon uses living-of-the-land techniques rather than malware to maintain access to compromised networks and conduct its activities to evade detection. The extent of the compromises has yet to be determined but they could be extensive. Many critical infrastructure entities have had systems compromised and efforts are ongoing to ensure the threat actors are removed from those systems.

The fact sheet provides leaders of critical infrastructure entities with guidance to help them prioritize the protection of critical infrastructure and functions. The issuing agencies urge leaders to recognize cyber risk as a core business risk, which is essential for good governance and national security. Leaders should empower cybersecurity teams to make informed resourcing decisions to better detect and defend against Volt Typhoon intrusions and malicious cyber activities, such as implementing cybersecurity performance goals. Cybersecurity teams should also be empowered to effectively apply detection and hardening best practices, the staff should receive continuous cybersecurity training and skill development, and organizations should develop and test comprehensive information security plans and drive a cybersecurity culture in their organization.

Leaders have also been advised to secure their supply chains by establishing strong vendor risk management processes, exercising due diligence, selecting vendors that adhere to secure-by-design principles, ensuring vendors have patching plans, and limiting usage of any product that breaks the principle of least privilege.

The post Five Eyes Agencies Urge Critical Infrastructure to Take Volt Typhoon Threat Seriously appeared first on HIPAA Journal.

Healthcare organizations have been warned about the threat of email bombing attacks, which are a type of denial-of-service (DoS) attack that targets email systems. As with other types of DoS attacks, the aim is to render systems unavailable. These attacks, also known as mail bomb or letter bomb attacks, usually involve a botnet – a network of malware-infected computers under the control of an attacker.

Once a target is selected, an email server is flooded with hundreds or thousands of email messages that overload the email system. These attacks are an inconvenience for the victim; however, these attacks can hide other malicious activities. For example, security warnings may be hidden within all the emails making it easier for those warnings to be missed. Those warning emails may be about account sign-in attempts, updates to account information such as changes to contact information, information about financial transactions, or online order confirmations. These attacks can also be used as a smokescreen to draw the attention of security teams while other systems are attacked. When email servers are targeted in email bombing attacks, network performance is often downgraded which can potentially lead to direct business downtime.

There are various types of email bombing attacks, one of the most common of which is registration bombs. These attacks use automated bots to crawl the web to find newsletter sign-up forms on legitimate websites. The targeted user is then signed up to hundreds or thousands of newsletters all at once, resulting in the user getting a steady flow of unwanted emails. An alternative form of this attack involves link listing, where email addresses are added to multiple subscription services that do not require verification. These attacks can result in emails being received for months or even years after the initial attack. In addition, victims’ email addresses are often added to various smalling, phishing, and malware lists.

Attachment attacks involve sending multiple emails with large attachments, which are designed to slow down mail delivery and overload server storage space, rendering email servers unresponsive. A zip bomb attack, aka a decompression bomb or zip of death attack, involves a large, compressed archive being sent to an email address, which consumes available server resources when decompressed, thus impacting server performance. Email bombing attacks may be conducted by a single actor or a group of actors, and threat actors offer these types of services on the dark web. One well-known seller of these services charges $15 for every 5,000 messages, with costs reducing based on the volume of messages required. E.g. $30 for 20,000 messages.

In a recent HC3 Sector Alert, the HHS Health Sector Cybersecurity Coordination Center (HC3) provided an example of a damaging attack in 2016 where an unknown group of assailants subjected thousands of  .gov email inboxes to an email bombing attack that used subscription requests for legitimate companies. The attack rendered the email system unavailable for several days. “Organizations and individuals are encouraged to implement protections, security policies, and address user behavior in order to prevent future attacks,” said HC3. “Given the potential implications of such an attack on the HPH sector, especially concerning unresponsive email addresses, downgraded network performance, and potential downtime of servers, this type of attack remains relevant to all users.”

HC3 offered advice on how to defend against these attacks and mitigations for organizations that experience an email bombing attack. To defend against attacks, user behavior, and technical processes are suggested, such as covering these types of attacks in security awareness training and advising employees not to sign up for non-work-related services with their work email addresses. Online exposure can also be limited by using contact forms that do not expose email addresses. Employees should be told how they can recognize an attack in progress, and if one occurs, told never to engage as doing so can easily result in escalation. In the event of an attack, employees should immediately contact their IT or cybersecurity team.

Businesses can protect against these attacks using reCAPTCHA, which determines if a human is using the platform. reCAPTCHA prevents bots from hijacking sign-up processes that could facilitate email bombing attacks. In the event of an attack, email administrators should contact their email provider, who may be able to offer assistance in deleting the spam/junk emails from the email system.

The post HPH Sector Warned About Email Bombing Attacks appeared first on HIPAA Journal.

A typical U.S. hospital has between 10 and 15 medical devices per bed, which means a 1,000-bed hospital could have around 15,000 medical devices. Those devices include imaging devices, clinical IoT devices, and surgery devices, and they significantly increase the attack surface. A vulnerability in any of those devices could be exploited by a threat actor to gain access to the internal network and sensitive data, especially vulnerabilities in internet-facing devices.

Research conducted by the cyber-physical systems (CPS) protection company Claroty – published in Claroty’s State of CPS Security Report: Healthcare 2023 Report – has revealed hospitals are not keeping their medical devices up to date. The researchers found that 63% of the vulnerabilities in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog can be found on healthcare networks, 23% of medical devices have at least one known exploited vulnerability, and 14% of medical devices are running an unsupported or end-of-life operating system.

The study found 22% of hospitals have connected devices that bridge guest networks and internal networks and 4% of the medical devices used in surgeries can be accessed from guest networks at hospitals. Guest networks provide visitors and patients with Wi-Fi access and they are generally the least well-secured and the most exposed place for medical devices to be connected. The researchers looked at medical devices that are remotely accessible and found many of the remotely accessible devices have a high consequence of failure, such as devices that defibrillators, robotic surgery systems, and defibrillator gateways. 66% of imaging devices, 54% of surgical devices, and 40% of patient devices were found to be remotely accessible.

The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood that a software vulnerability will be exploited in the wild. The researchers examined devices with high EPSS scores and 11% of patient devices – such as infusion pumps – and 10% of surgical devices had vulnerabilities with high EPSS scores. 85% of devices with unsupported operating systems had vulnerabilities with high EPSS scores.

Keeping medical devices up to date is challenging. Medical devices are in constant use, and updating software or firmware and applying patches means those devices are made temporarily unavailable. Hospitals must also contend with 360 medical device manufacturer (MDM) patch certification programs to ensure compliance requirements and verify that products provide reasonable protection against risk. While the majority (93%) of critical vulnerabilities in CISA’s KEV Catalog can be fixed with an operating system update or vendor patch, it often takes months for MDMs to certify a patch before it can be applied to an individual device. During that time, devices are vulnerable to attack. Another problem with defending medical devices is hospitals often do not have a complete and up-to-date inventory of all medical devices connected to the network, and defenders cannot adequately protect devices that they are blind to.

Claroty recommendations are for hospitals to develop cybersecurity policies and strategies that stress the need for resilient medical devices and systems that can withstand intrusions. They should limit remote access to endpoints, secure remote access through proper provisioning of credentials, ensure that multifactor authentication is enabled, restrict third-party connections from vendors and contractors, and conduct regular and continuous vulnerability scanning of assets that are exposed to the internet. Hospitals must also ensure they have complete visibility into the medical devices connected to their networks and the inventories should list whether assets are internet-facing. Defenders can then prioritize patching those assets as they are the ones that are most likely to be targeted by threat actors.

The post 63% of Known Exploited Vulnerabilities Can be Found in Hospital Networks appeared first on HIPAA Journal.

In 2023, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received record numbers of complaints about cybercrime with losses increasing by 22% to a record-breaking $12.5 billion, according to the 2023 FBI Internet Crime Report. ICR registered 880,418 complaints in 2023, up 10% from 2022, with phishing/spoofing the most commonly reported cybercrime with 298,878 complaints, followed by personal data breaches (55,851 complaints) and non-payment/non-delivery (50,523 complaints).

The costliest type of cybercrime was investment fraud, with losses increasing from $3.31 billion in 2022 to $4.57 billion in 2023 – a 38% increase. The second biggest cause of losses to cybercrime was business email compromise (BEC) with $2.9 billion in reported losses across 21,489 complaints, followed by tech support scams with 37,560 complaints and $1.3 billion in reported losses. IC3 received 2,825 complaints related to ransomware, including 1,193 ransomware complaints from critical infrastructure entities, up 18% from 2022. Healthcare was the worst affected sector with 249 reports about ransomware attacks, followed by critical manufacturing with 218 reported attacks, and government facilities with 156 reported attacks. Out of the 16 critical infrastructure sectors, 14 sectors had at least one member that fell victim to a ransomware attack. There was also a 74% increase in ransom payments, with $59.6 million paid to ransomware groups to recover encrypted data and prevent the sale or exposure of stolen data, up from $34.4 million in 2022.

Losses to ransomware are far higher, as many victims do not report attacks to the FBI or disclose their losses. For instance, a law enforcement operation targeting the Hive ransomware group in 2023 saw the FBI gain access to the Hive group’s infrastructure which revealed that only 20% of the group’s victims had reported the attack to the FBI. The FBI encourages victims to report attacks regardless of whether the ransom is paid. By reporting the incident, the FBI may be able to provide information on decryption, help recover stolen data, and potentially seize/recover ransom payments. Reporting attacks allows the FBI to gain insights into adversary tactics and ultimately bring the perpetrators to justice.

The most active ransomware group in 2023 was LockBit, which conducted 175 attacks on critical infrastructure entities, followed by ALPHV/BlackCat (100), Akira (95), Royal (63), and Black Basta (41). In February this year, a law enforcement operation disrupted the LockBit group, but the disruption was short-lived, with the group bouncing back quickly after the takedown. The ALPHV/BlackCat group survived a December 2023 takedown and reacted to the disruption by allowing its affiliates to attack previously prohibited sectors and encouraging them to attack healthcare organizations. After a ransomware attack on Change Healthcare in February 2024, the group refused to pay the affiliate, pocketed the $22 million ransom payment, and shut down its operation.

ALPHV/Blackcat was a major player in the ransomware market; however, attacks are unlikely to fall as a result of the operation shutting down. ALPHV/Blackcat is expected to rebrand and return with a new operation and even if that doesn’t happen, the affiliates that worked with the group will simply switch to an alternative ransomware-as-a-service group and continue conducting attacks. The ALPHV/Blackcat attack on Change Healthcare serves as a warning to other organizations that are considering paying the ransom. $22 million was paid to have the stolen data deleted but after being cheated out of their share of the ransom, the affiliate behind the attack retained the stolen data. Ransomware gangs are continuing to adjust their tactics to increase the probability of their victims paying the ransom. The FBI has identified emerging ransomware trends such as the use of multiple ransomware strains against the same victim and data destruction tactics to pressure victims into negotiating and paying the ransom.

The post FBI Data Shows Ransomware Attack Surge as Cybercrime Losses Reach $12.5 Billion appeared first on HIPAA Journal.

The Five Eyes Cybersecurity Agencies have issued a warning that previously disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways are being actively exploited by multiple threat actors and have been since early December 2023.

The flaws – CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 – affect all supported versions (9.x and 22.x) and can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. According to the alert, Ivanti’s internal and previous external Integrity Checker Tool (ICT) failed to detect malicious activity associated with exploitation. CISA demonstrated in a test environment that the ICT is not sufficient to detect compromise and that it is possible to gain root-level persistence despite issuing factory resets.

Alphabet’s Mandiant has been investigating the exploitation of the zero day vulnerabilities and said the exploitation had likely impacted thousands of devices across multiple industry verticals. Some of those attacks were linked with a suspected Chinese cyber espionage group it tracks as UNC5325. The threat actor used living-of-the-land techniques and novel malware to achieve persistence. Mandiant said the patches released by Ivanti are effective at preventing exploitation, provided UNC5325 did not exploit the vulnerability before the patches were applied. Mandiant said UNC5325 has maintained access even after customers have initiated factory resets, patching, and applying the recommended security updates.

The Five Eyes agencies recommend that network defenders assume that user and service account credentials stored in affected Ivanti VPN appliances are likely compromised and should hunt for malicious activity using the detection mechanisms and IoCs details in its alert, and should also run the latest version of Ivanti’s external ICT. If the vulnerabilities have yet to be patched, network defenders should ensure they are applied as soon as possible and should follow the recommendations detailed in the latest Ivanti security advisory. Mandiant also recommends following the guidance provided in its updated Ivanti Connect Secure Hardening Guide.

The post Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Flaws appeared first on HIPAA Journal.

Two high-severity vulnerabilities have been identified in the free-to-use MicroDicom DICOM Viewer, which is used to view and manipulate DICOM images. Successful exploitation of the vulnerabilities could lead to remote code execution and memory corruption.

The first is a heap-based buffer overflow vulnerability tracked as CVE-2024-22100 which can be exploited in a low-complexity attack by tricking a user into opening a malicious DCM file, which would allow a remote attacker to execute arbitrary code on vulnerable versions of the DICOM Viewer.

The second vulnerability is an out-of-bounds write issue due to a lack of proper validation of user-supplied data. Successful exploitation of the flaw could result in memory corruption within the application. The vulnerability is tracked as CVE-2024-25578.

The vulnerabilities affect MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior versions and have been fixed in version 2024.1. Users have been advised to update to the latest version as soon as possible. There are currently no indications that the vulnerabilities have been exploited in attacks.

The post High Severity Vulnerabilities Identified in MicroDicom DICOM Viewer appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have shared the latest threat intelligence about Phobos ransomware, which has been used to attack municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities. Phobos ransomware is related to multiple ransomware variants, including Elking, Eight, Devos, Backmydata, and Faust ransomware. The Backmydata variant was used in a February 2024 attack in Romania that resulted in systems being taken offline at around 100 healthcare facilities.

Phobos ransomware is a ransomware-as-a-service (RaaS) group that has been active since May 2019. The group commonly gains access to victims’ networks through phishing campaigns that deliver malware via spoofed attachments with hidden payloads, including the Smokeloader backdoor trojan. Affiliates also use IP scanning tools such as Angry IP Scanner to identify vulnerable Remote Desktop Protocol (RDP) ports that are subjected to brute force attacks, and affiliates have been observed leveraging RDP to attack Microsoft Windows devices. Attacks often involve Cobalt Strike, Bloodhound, and Sharphound, Mimikatz to obtain credentials, NirSoft, and Remote Desktop Passview to export browser client credentials.

Phobos engages in double extortion tactics, where sensitive data is exfiltrated in addition to file encryption and victims have to pay for the keys to decrypt data and to prevent the publication of their stolen data on the group’s data leak site. Volume shadow copies are deleted from Windows environments to hinder attempts to recover without paying the ransom. The ransom demands are often of the order of several million dollars.

The Health Sector Cybersecurity Coordination Center issued an alert about Phobos ransomware in July 2021 after several attacks on organizations in the healthcare and public health sector. The latest alert shares updated tactics, techniques, and procedures used by the group in attacks up to February 2024, along with the latest Indicators of Compromise (IoCs), MITRE ATT&CK techniques, and recommended mitigations.

The post CISA, FBI Share Latest Threat Intelligence on Phobos Ransomware appeared first on HIPAA Journal.

A joint cybersecurity alert has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) to share known Indicators of Compromise (IoCs) and the latest Tactic, Techniques, and Procedures (TTPs) used by the ALPHV/Blackcat ransomware group.

In December 2023, the U.S. Department of Justice (DoJ) announced that it had disrupted the operations of the ALPHV/Blackcat. An FBI agent posed as an affiliate and gained access to the group’s computer network, resulting in the seizure of several of the websites operated by the group. Around 900 public/private key pairs were obtained which allowed a decryption tool to be developed to help those victims recover their files. Within hours of the DOJ announcement, a spokesperson for the group said it had unseized the websites and issued a threat of retaliation. The group said the restrictions that were in place for affiliates had been removed. “You can now block hospitals, nuclear power plants, anything, anywhere,” wrote ALPHV/Blackcat, and attacks on hospitals were actively encouraged. The only rule that remained was the restriction on attacks within the Commonwealth of Independent States (CIS).

According to the cybersecurity alert, it appears that hospitals have been the main focus for the group. Since December 2023, ALPHV/Blackcat has added the data of 70 victims to its data leak site and the healthcare sector has been the most victimized. While the alert does not reference specific healthcare victims, one of the latest is Change Healthcare. ALPHV/Blackcat claims to have stolen 6TB of data in the attack, including data from all of its clients including Medicare, CVS Caremark, Health Net, and Tricare. Change Healthcare was briefly added to the group’s data leak site the day after the cybersecurity alert was released.

The alert explains that ALPHV/Blackcat affiliates often pose as IT technicians or helpdesk staff to steal credentials from employees to gain initial access to healthcare networks. The group also gains initial access through phishing, using the Evilginx phishing kit to steal multifactor authentication codes, session cookies, and login credentials. They install legitimate remote access and tunneling tools software such as AnyDesk Mega sync, and Splashtop to prepare for data exfiltration, tunneling tools such as Plink and Ngrok, and Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. Affiliates move laterally to extensively compromise networks and use allowlisted applications such as Metasploit to avoid detection.

While many ALPHV/Blackcat affiliates engage in double extortion – data theft and file encryption – some choose not to encrypt files and only steal data, then threaten to publish that data if a ransom is not paid. This approach ensures faster attacks with less chance of detection. The alert shares the latest IoCs, MITRE ATT&CK tactics and techniques, incident response recommendations, and mitigations for improving cybersecurity posture, one of the most important being phishing-resistant multifactor authentication such as FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA.

The post Feds Sound Alarm as ALPHV/Blackcat Ransomware Group Targets Healthcare appeared first on HIPAA Journal.