59% Year-over-year Increase in Exploitable Vulnerabilities in Medical Devices
A joint research project by Health-ISAC, Finite State, and Securin has revealed that exploitable vulnerabilities in medical devices have increased by almost 60% since 2022. The researchers identified almost 1,000 vulnerabilities across 966 medical products, a 59% year-over-year increase from 2022. Of the 993 vulnerabilities that could be exploited by malicious actors to gain access to healthcare networks, 160 have already been weaponized and a further 101 are trending in the wild. Advanced Persistent Threat (APT) actors are known to be actively exploiting 9 of the vulnerabilities, and 7 are being actively exploited by ransomware gangs.
A recent study by Akamai found that cybercriminal groups, and ransomware gangs in particular, are increasingly exploiting vulnerabilities in software, firmware, and operating systems to gain initial access to networks. Threat actors are devoting resources to in-house research to identify zero-day vulnerabilities in software solutions that can be mass exploited in attacks. The Clop threat group, for example, identified a zero-day vulnerability in Fortra’s GoAnywhere MFT solution and exploited it to gain access to the sensitive data of dozens of organizations, while the zero-day vulnerability in Progress Software’s MOVEit Transfer solution was used to attack at least 621 organizations worldwide. Cyber threat actors are also purchasing exploits for known vulnerabilities and using them before vendors have released patches or before organizations have had time to apply them.
The increase in high severity and critical vulnerabilities in the software and firmware of connected medical devices is a major cause of concern. The research project found a 437% year-over-year increase in remote code execution and privilege escalation vulnerabilities, which are especially attractive to hackers and particularly dangerous for healthcare organizations. “Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security,” said Larry Pesce, Director of Product Security Research and Analysis at Finite State. “The rise of weaponized exploits demands immediate, collective action to safeguard not only our technological integrity but, ultimately, patient safety.”
The 2023 IBM Security Cost of a Data Breach Report revealed healthcare data breaches now cost almost $11 million, although far more serious than the financial cost is the risk to patient safety. Hackers could alter patient data resulting in a misdiagnosis or incorrect treatment being delivered, treatment is often delayed due to cyberattacks that take electronic medical record systems and other essential IT systems offline, and cyberattacks often cause financial harm to patients, with attacks often leading to identity theft and fraud. There have also been multiple cases recently where highly sensitive medical information of patients has been leaked online, including naked images, and threat actors have been attempting to extort patients directly.
The report makes several recommendations for protecting against attacks that exploit vulnerabilities: ensure a regular penetration testing cadence; prioritize patching based on known risks; incorporate binary analysis tools into the security strategy to generate a Software Bill of Materials (SBOM) and use the results to direct pen testing; and mandate that all vendors follow a secure-by-design methodology. The report is available here: 2023 State of Cybersecurity for Medical Devices and Healthcare Systems.
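The two recommendations that most often get conflated in practice are "generate an SBOM" and "prioritize patching based on known risks". The following added example (not code from the report or from Health-ISAC, Finite State or Securin) shows the second step applied to the output of the first: it walks a CycloneDX-style SBOM fragment and ranks each component's vulnerabilities so that evidence of exploitation (weaponized, trending in the wild, used by APT or ransomware actors) and the impact classes the report singles out (remote code execution, privilege escalation) outrank raw CVSS score. The SBOM, the vulnerability feed, the CVE identifiers and the scoring weights are all constructed placeholders.

```python
"""Rank SBOM components for patching by exploitation evidence, not CVSS alone.

Added illustration. The SBOM fragment, vulnerability feed, CVE identifiers
and weights below are constructed placeholders, not data from the report.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    cvss: float
    weaponized: bool = False   # public exploit code exists
    trending: bool = False     # exploitation observed in the wild
    apt: bool = False          # used by APT actors
    ransomware: bool = False   # used by ransomware gangs
    impact: str = "other"      # "rce", "privesc" or "other"


def risk_score(v: Vuln) -> float:
    """Additive score; weights are assumptions chosen so that any
    exploitation evidence outranks a merely high CVSS base score."""
    score = v.cvss
    if v.weaponized:
        score += 10
    if v.trending:
        score += 10
    if v.apt or v.ransomware:
        score += 20
    if v.impact in ("rce", "privesc"):
        score += 5
    return score


# Constructed CycloneDX-style SBOM fragment (the fields a binary-analysis
# tool would typically emit per component).
SBOM = {
    "components": [
        {"name": "libfoo", "version": "1.2.0", "purl": "pkg:generic/libfoo@1.2.0"},
        {"name": "bar-firmware", "version": "3.0", "purl": "pkg:generic/bar-firmware@3.0"},
        {"name": "baz", "version": "0.9", "purl": "pkg:generic/baz@0.9"},
    ]
}

# Constructed vulnerability feed keyed by package URL. CVE numbers are
# placeholders. Note the deliberate contrast: CVE-0000-0002 has the highest
# CVSS but no exploitation evidence, CVE-0000-0001 is lower-scored but is
# weaponized, trending and used by ransomware actors.
VULN_DB = {
    "pkg:generic/libfoo@1.2.0": [
        Vuln("CVE-0000-0001", 7.5, weaponized=True, trending=True,
             ransomware=True, impact="rce"),
        Vuln("CVE-0000-0002", 9.8),
    ],
    "pkg:generic/bar-firmware@3.0": [
        Vuln("CVE-0000-0003", 8.8, weaponized=True, impact="privesc"),
    ],
}


def prioritize(sbom: dict, vuln_db: dict) -> list:
    """Return (score, component, cve) tuples, highest priority first.
    Components with no known vulnerabilities are simply absent."""
    rows = []
    for comp in sbom["components"]:
        for v in vuln_db.get(comp["purl"], []):
            rows.append((risk_score(v), comp["name"], v.cve))
    # Sort by descending score, then by name/CVE for a stable report.
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


if __name__ == "__main__":
    for score, name, cve in prioritize(SBOM, VULN_DB):
        print(f"{score:6.1f}  {name:14s}  {cve}")
```

The point the ordering makes is that a CVSS 9.8 finding with no exploitation evidence lands at the bottom of the list, below a 7.5 that a ransomware group is already using. In a real deployment the `weaponized`/`trending`/`apt`/`ransomware` flags would be populated from a threat-intelligence feed such as a known-exploited-vulnerabilities catalogue rather than hand-written, and the output would feed both the patch schedule and the scope of the next penetration test.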
The post 59% Year-over-year Increase in Exploitable Vulnerabilities in Medical Devices appeared first on HIPAA Journal.
Even Well-Defended Companies are Vulnerable to Lapsus$ Attacks
The Cyber Safety Review Board (CSRB) has published an analysis of cyberattacks by the Lapsus$ threat group and has made recommendations for the public and private sectors on how to improve cybersecurity defenses against attacks by Lapsus$ and similar threat actors.
The CSRB was established by President Biden’s Executive Order on Improving the Nation’s Cybersecurity and has been tasked with reviewing major cyber events and making recommendations on improvements that can be made by public and private sector organizations to better defend against attacks. The CSRB consists of 15 cybersecurity leaders from the federal government and private sector and is chaired by Robert Silvers, Under Secretary for Policy at the U.S. Department of Homeland Security.
Lapsus$ is a cyber threat actor primarily focused on data theft and extortion and has been conducting attacks on large companies and government agencies around the world since 2021. The group breaches defenses to gain access to internal networks, steals sensitive data such as source code, and demands payment, although it rarely follows up. The group is also known to post political messages in online forums and swiftly moves on to other targets after a successful compromise.
Lapsus$ is thought to be a loosely organized threat group that includes several juveniles. Many of the group’s attacks appear to have been conducted for public notoriety rather than financial gain. The group has successfully breached some of the most well-resourced and well-defended companies and government agencies around the world with apparent ease, using relatively simple techniques without particularly complex or advanced tooling.
The group identifies weak points in systems and then exploits them, and often attacks downstream vendors and telecommunications providers before pivoting to the intended target. The group is particularly adept at targeting individuals using social engineering and tricking them into providing network access, for instance by stealing phone numbers and phishing employees via text and voice calls. The group is also adept at bypassing multi-factor authentication.
The CSRB found commonalities between several different threat groups when investigating Lapsus$. Since the techniques used by the group are also used by other threat groups, cyber intelligence and attribution are fragmented. Similar techniques are used by the ransomware affiliate group Yanluowang; the financially motivated threat group Oktapus (Roasted Oktapus); the data extortion group Karakurt; the financially motivated Lapsus$ splinter group Nwgen Team; and two groups tracked as #NotLapsus1 and #NotLapsus2. Evidence has been found that proves ties between members of these groups and Lapsus$.
“We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their system,” said CSRB Chair, Robert Silvers. “The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”
Since many of the attacks involve credential theft, one of the most effective defenses is moving to passwordless technologies and, in the meantime, ensuring that phishing-resistant multi-factor authentication (MFA) is implemented. The CSRB found that the MFA implementations broadly used by companies and individuals are not sufficient to protect against Lapsus$ attacks. The Lapsus$ attacks highlight the importance of implementing zero-trust architectures that assume a breach has already occurred and attackers are inside the network, and therefore verify authentication and authorization for every request.
The group exploits weaknesses in the systems of telecommunications providers, who need to implement better processes and systems to prevent attackers from hijacking their customers' mobile phone services. Many of the attacks are conducted via vendors, so it is vital for organizations to design their security programs to cover their own information technology environments as well as any vendors that host critical data or maintain direct access to their networks. The CSRB also recommends giving law enforcement the means to disrupt all types of threat actors and, since the group is known to include teenagers, ensuring that young people are given the opportunity to use their technical skills for positive purposes.
“Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies. Their primary attack vectors — SIM swap attacks and phishing employees — can be easily addressed, especially for companies like Microsoft and Okta that are so well resourced,” Rosa Smothers, former CIA cyber threat analyst and current KnowBe4 executive told the HIPAA Journal. “Hardware authentication requires in-person direct engagement preventing remote, phone-based attacks. And training employees to spot and report social engineering attempts like phishing should be the basis of any company’s security awareness training program.”
The CSRB provides 10 actionable recommendations in the report on how to improve defenses against these attacks. The CSRB report on attacks by Lapsus$ and related threat groups can be found here.
The post Even Well-Defended Companies are Vulnerable to Lapsus$ Attacks appeared first on HIPAA Journal.