Preventative medicine for securing IoT tech in healthcare … – BleepingComputer
Vendor Data Breach Impacts 1.7M Oregon Health Plan Members – HealthITSecurity
Ransomware Gangs Increasingly Exploiting 0Day and 1Day … – HIPAA Journal
Ransomware Gangs Increasingly Exploiting 0Day and 1Day Vulnerabilities
Ransomware gangs use a variety of methods for initial access to victims’ networks. While phishing is still one of the most common initial access vectors, researchers at the cybersecurity firm Akamai have identified a trend toward zero-day and day-one vulnerabilities for initial access. Several threat groups are conducting their own research to find exploitable vulnerabilities or are purchasing exploits from gray-market sources.
Ransomware attacks have increased significantly over the past year. Between Q1 2022 and Q1 2023, there was a 143% increase in ransomware attacks, and there has been a growing trend of data theft and extortion without the use of ransomware to encrypt files. File encryption can cause massive disruption to business operations; however, it is noisy and more resource intensive. Simply accessing victims’ networks, stealing data, and threatening to publish or sell that data is often enough to prompt the victim to pay up. These attacks require fewer resources, are far faster, and are less likely to be detected and blocked by security teams. While data theft was once secondary to file encryption in ransomware attacks, the reverse now appears to be true, with data theft far more effective for extortion than file encryption.
The Clop ransomware group is one of several threat actors to opt for data theft and extortion without file encryption and is also one of the gangs focusing on vulnerability exploitation. The group mass exploited a zero-day vulnerability in Fortra’s GoAnywhere file transfer solution in February 2023 and attacked dozens of companies. Then, a few months later, the group mass exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution to attack hundreds of companies. When claiming responsibility for the attack, a spokesperson for the group claimed that data encryption was an option, but the decision was taken not to encrypt files. KonBriefing is tracking the MOVEit Transfer attacks and says at least 611 organizations were attacked and the records of between 35.8 million and 40.7 million individuals were stolen by Clop.
The Akamai researchers conducted an analysis of the data leak sites of 90 ransomware groups, where the groups publish the names of their victims and release stolen data when ransoms are not paid. The groups often provide details about whether data was encrypted, the amount of data stolen, and how the attack was conducted. The researchers found that in addition to Clop, several other ransomware groups were favoring zero-day and day-one exploits of vulnerabilities in software and operating systems and, like Clop, were conducting research in-house or were seeking and paying for exploits from third parties. Other ransomware operations that have exploited recently disclosed vulnerabilities include LockBit and ALPHV (BlackCat), which rapidly exploited vulnerabilities before vendors could release patches. Examples include the PaperCut vulnerabilities CVE-2023-27350 and CVE-2023-27351 and the VMware ESXi hypervisor vulnerability CVE-2021-21974.
The main sectors targeted by ransomware gangs in the period studied were manufacturing, healthcare, and financial services. The researchers also identified a much higher percentage of attacks on small- and medium-sized firms compared to larger organizations. 65% of the attacks the researchers analyzed were on small- and medium-sized businesses, compared to 12% on larger organizations. The researchers also found a high probability of a victim experiencing a second attack within 3 months of the first.
Healthcare Data Breach Risk Doubles in 2-Year Window Around M&As
The risk of a data breach at hospitals doubles in the year before and after mergers and acquisitions (M&As), according to a recent study by University of Texas at Dallas PhD candidate Nan Clement.
Clement analyzed data breach data from the HHS’ Office for Civil Rights (OCR) from 2010 to 2022 and compared the reported data breaches to M&A records over the same period. The probability of a data breach was 3% for hospitals that merged over the analyzed period, but the risk doubled to 6% for merger targets, buyers, and sellers over a two-year period: one year before and one year after the deal was closed. Clement also found that incidents involving hacking and insider misconduct increased when a hospital merger or acquisition was announced. Google Trends data showed an increase in searches for the target hospital’s name following the announcement, and a connection was found with hacking activity.
Hacking and ransomware attacks were found to occur more frequently during the two-year window around M&As. At such a sensitive time, cybercriminals may feel that there is a higher probability that ransom demands will be paid. There may also be an increase in vulnerabilities that can be exploited due to incompatibilities between the two hospitals’ information systems, and vulnerabilities and mistakes by employees could easily be exploited by cybercriminals. The Federal Bureau of Investigation previously issued a warning to companies that hackers, and especially ransomware groups, often use significant financial events such as M&As to target companies, as it gives them more leverage. Clement also found an increase in insider misconduct during the two-year period around M&As.
According to the recently published Cost of a Data Breach Study by IBM Security, healthcare data breaches now cost almost $11 million per incident, more than data breaches in any other sector, and the HHS’ Office for Civil Rights breach portal data shows there has been a massive increase in hacking incidents in the past few years. “Given the significant cost of data breaches, it is crucial for hospital managers, cybersecurity experts, and health, defense, and finance authorities to work together to enhance cybersecurity measures in hospitals,” suggests Clement in the paper. Clement found that mergers involving publicly traded hospitals often experience a decrease in data breaches. “Hospital managers should consider adopting the risk management processes commonly employed by professional investors and publicly traded hospitals. This integration of risk management practices can lead to improved overall organizational capital for protecting the hospitals.”
The findings from the peer-reviewed paper, M&A Effect on Data Breaches in Hospitals: 2010-2022, were presented at the 22nd Workshop on the Economics of Information Security in Geneva last month.
The post Healthcare Data Breach Risk Doubles in 2-Year Window Around M&As appeared first on HIPAA Journal.
Tampa General Hospital Sued over 1.2 Million Record Data Breach – HIPAA Journal
Tampa General Hospital Sued over 1.2 Million Record Data Breach
Tampa General Hospital (TGH) is being sued over a data breach in which hackers gained access to the sensitive data of up to 1.2 million patients. The data breach, one of the largest healthcare data breaches to be experienced in Florida, prompted Senator Rick Scott (R-FL) to write to the FBI and request the investigation of the incident be prioritized to bring the perpetrators to justice.
TGH said the breach investigation confirmed that hackers had access to its network between May 12 and May 30, 2023, and exfiltrated files containing patient information. Those files included names, contact information, dates of birth, Social Security numbers, and health insurance information. The security breach was detected on May 31, 2023. The lawsuit was filed by the law firm Morgan & Morgan and alleges TGH failed to implement appropriate security measures to safeguard the confidentiality, integrity, and availability of patients’ protected health information, and as a result of TGH’s “cavalier attitude toward cybersecurity and patient privacy,” hackers were able to steal highly sensitive patient information. The lawsuit also takes issue with the time taken to detect the breach and alert patients. Hackers had access to the network for 19 days prior to detection and TGH waited until July 19, 2023, to issue notifications to the affected individuals.
The lawsuit was filed on behalf of three plaintiffs and other individuals similarly affected by the data breach. The plaintiffs have chosen to remain anonymous and one of the plaintiffs claims to have already fallen victim to identity theft as a result of the data breach. The lawsuit also points out that this is not the first data breach to have occurred at TGH. TGH experienced a data breach in 2014 which was reported to the HHS’ Office for Civil Rights as an unauthorized electronic medical record access incident affecting 675 patients.
The lawsuit alleges negligence, invasion of privacy, unjust enrichment, breach of fiduciary duty, and breach of confidence and seeks damages, restitution, and injunctive relief. The law firm issued a statement about the lawsuit, which was recently filed in Hillsborough County. “It is our hope that this lawsuit will not only secure justice and accountability for the patients whose privacy and peace of mind have been irrevocably violated, but also will spur Tampa General Hospital to take additional steps to protect their patients’ privacy in a manner appropriate for the current climate of cyber-attacks.”