Healthcare and Financial Services Remain Top Targets for Cyber Threat Actors

Healthcare and financial services were the two most attacked industries, according to BlackBerry's latest Global Threat Intelligence Report. The data for the report was collected from March to May 2023 from the company's cybersecurity solutions, which blocked more than 1.5 million attacks over the period, a rate of around 11.5 attacks per minute, and detected 1.7 novel malware samples per minute, a 13% increase in novel samples over the previous reporting period.

During the reporting period, BlackBerry detected 13,433 unique malware binaries and prevented over 109,922 disparate attacks across the wider healthcare sector. Ransomware and information-stealing malware were highly prevalent. The RedLine information stealer and the Amadey bot were among the most regularly blocked threats; Amadey has information-stealing capabilities and is often used to perform reconnaissance before additional malicious payloads are downloaded. The Emotet, IcedID, and SmokeLoader malware families were also extensively used in attacks on the sector; all three steal information and can download additional malware payloads.

The healthcare industry remains a highly attractive target for financially motivated threat groups because of the volume of sensitive data healthcare organizations store, the ease with which that data can be monetized, and the sector's reliance on continuous access to its data and computer systems to deliver critical services.

It is not only financially motivated cybercriminal groups that are attacking the healthcare industry. State-sponsored threat actors are breaching healthcare defenses and stealing confidential medical data, and cyber threat groups have targeted the sector in retaliation for the U.S. providing support for Ukraine. The RomCom group, for example, targeted U.S. medical groups providing humanitarian aid to Ukrainian refugees.

Two advanced persistent threat (APT) groups were highly active during the reporting period: APT28 (aka Sofacy/Fancy Bear) and Lazarus Group (aka Labyrinth Chollima, Hidden Cobra, Guardians of Peace, Zinc, and Nickel Academy). APT28 is a highly skilled cyber espionage group thought to operate on behalf of the Russian government and Lazarus Group is thought to be a North Korean state-sponsored threat actor.

Attacks on government and public sector services were up 40% on the previous reporting period, with 55,000 attacks on public sector organizations blocked during the 90-day reporting period. Ransomware groups such as LockBit, Royal, BlackCat/ALPHV, and Clop were highly active and accounted for a large share of the attacks on city, state, and government systems and other public sector organizations. Notable incidents included the LockBit ransomware attack on the City of Oakland, CA, the Royal ransomware attack on the City of Dallas, TX, the BlackByte ransomware attack on Augusta, GA, and the Clop group's mass exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer solution.

Some of the most common tools used by threat actors included AdFind for collecting information from Active Directory (AD), Mimikatz for credential theft, Cobalt Strike as a post-exploitation framework, and Extreme RAT for remote access, malware delivery, and espionage. The most common malware families detected and blocked across all industry sectors were droppers/downloaders such as Emotet, PrivateLoader, and SmokeLoader; information stealers such as RedLine, Raccoon Stealer, Vidar, and IcedID; and remote access Trojans such as Agent Tesla. BlackBerry's telemetry shows a 13% increase in unique malware samples, which indicates that threat actors are diversifying their tooling at build time rather than writing new malware: functionally similar samples are recompiled or repacked so that each build carries a different file hash, which defeats the exact-hash indicator feeds and filters that more traditional security operations centers rely on.
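To make the hash-diversification point concrete, here is an added example (it is not from the BlackBerry report or the HIPAA Journal article) that constructs two "samples" differing only in an embedded build stamp plus one unrelated sample, shows that an exact SHA-256 blocklist seeded with the first build misses the rebuilt variant, and then fingerprints each sample as a set of content-defined chunk hashes whose Jaccard similarity still ties the variant to the original. The sample bytes, the STEALER_CONFIG= marker, the seeds and the chunking parameters are all constructed for illustration; in production a practitioner would use an established similarity hash such as ssdeep or TLSH rather than this toy chunker, but the mechanism is the same.

```python
import hashlib
import random

# Tunables for the toy content-defined chunker (constructed values, not taken from any product).
WINDOW = 8         # bytes fed to the rolling boundary test
MIN_CHUNK = 8      # never cut a chunk shorter than this
BOUNDARY_MOD = 32  # boundary when rolling hash % 32 == 0 -> roughly 40-byte chunks on average


def sha256_hex(data: bytes) -> str:
    """Exact file hash: the indicator type that a recompiled build trivially changes."""
    return hashlib.sha256(data).hexdigest()


def chunk_hashes(data: bytes) -> set[str]:
    """Fingerprint a blob as the set of SHA-256 digests of its content-defined chunks.

    A boundary is placed wherever a cheap hash of the trailing WINDOW bytes is 0 mod
    BOUNDARY_MOD, so cut points follow the content rather than fixed offsets. An edit
    therefore disturbs only the chunks overlapping it (plus, at worst, the boundary
    decisions within WINDOW bytes after it); everything else re-hashes identically.
    """
    hashes: set[str] = set()
    start = 0
    for i in range(len(data)):
        if i + 1 - start < MIN_CHUNK:      # also guarantees i + 1 >= WINDOW below
            continue
        rolling = 0
        for b in data[i + 1 - WINDOW:i + 1]:
            rolling = (rolling * 31 + b) & 0xFFFFFFFF
        if rolling % BOUNDARY_MOD == 0:
            hashes.add(sha256_hex(data[start:i + 1]))
            start = i + 1
    if start < len(data):
        hashes.add(sha256_hex(data[start:]))  # trailing partial chunk
    return hashes


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk-hash sets: 1.0 identical, near 0.0 unrelated."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    return len(ha & hb) / len(ha | hb)


def build_sample(seed: int, build_stamp: bytes) -> bytes:
    """Constructed stand-in for a compiled binary: fixed header, pseudo-random code/data
    filler driven by `seed`, and an embedded config string carrying a build stamp.
    Same seed with a different stamp models 'same malware, new build'."""
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    return b"MZ\x90\x00" + filler(900) + b"STEALER_CONFIG=" + build_stamp + filler(1100)


# Constructed inputs: original build, a rebuilt variant (same seed, new stamp), an unrelated file.
SAMPLE_A = build_sample(seed=1, build_stamp=b"build-2023-03-01")
VARIANT_B = build_sample(seed=1, build_stamp=b"build-2023-03-17")
UNRELATED_C = build_sample(seed=2, build_stamp=b"build-2023-03-01")

# A conventional exact-hash blocklist, seeded with the first build only.
HASH_BLOCKLIST = {sha256_hex(SAMPLE_A)}


def hash_blocklisted(sample: bytes) -> bool:
    """What a plain hash feed does: exact match or nothing."""
    return sha256_hex(sample) in HASH_BLOCKLIST


def similar_to_known(sample: bytes, known: bytes = SAMPLE_A, threshold: float = 0.7) -> bool:
    """Similarity-based match that survives a rebuild with a different file hash."""
    return similarity(sample, known) >= threshold


if __name__ == "__main__":
    for name, s in (("original", SAMPLE_A), ("rebuilt variant", VARIANT_B), ("unrelated", UNRELATED_C)):
        print(f"{name:16s} exact-hash hit={hash_blocklisted(s)!s:5s} "
              f"similarity={similarity(SAMPLE_A, s):.2f} similar={similar_to_known(s)}")
```

Run as a script, the rebuilt variant shows an exact-hash miss but a similarity well above the 0.7 threshold, while the unrelated file scores near zero; that gap is what a similarity-hash or byte-pattern rule buys a detection team that a hash-only feed does not.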

BlackBerry predicts that attacks on the healthcare industry will continue to increase and recommends prioritizing detection of the tactics most frequently observed in these attacks: discovery and defense evasion. Understanding the tactics, techniques, and procedures (TTPs) used by threat groups helps network defenders significantly reduce the impact of attacks and aids their threat hunting, incident response, and recovery efforts.

The post Healthcare and Financial Services Remain Top Targets for Cyber Threat Actors appeared first on HIPAA Journal.

Cybersecurity Agencies Share 2022’s Most Commonly Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), together with their Five Eyes partners, have issued a joint security advisory detailing the vulnerabilities most commonly exploited in 2022. Cyber threat actors target Internet-facing systems with unpatched vulnerabilities to gain initial access to organizations' internal networks, after which they steal sensitive data and conduct other post-exploitation activity. The advisory lists the top 12 Common Vulnerabilities and Exposures (CVEs) exploited by malicious actors in 2022 along with a further 30 CVEs that were routinely exploited. This year the list also includes the associated Common Weakness Enumerations (CWEs), which identify the root-cause weakness class that made each vulnerability exploitable.

While sophisticated threat groups actively seek out zero-day vulnerabilities or develop exploits for recently disclosed CVEs, in 2022 malicious actors exploited older vulnerabilities far more frequently than recently disclosed flaws. Many of the listed vulnerabilities had proof-of-concept (PoC) exploits in the public domain, which put exploitation within reach of a much broader range of threat actors. Top of the list is a five-year-old vulnerability in Fortinet's SSL VPNs (FortiOS/FortiProxy), CVE-2018-13379, which was also one of the most frequently exploited vulnerabilities in 2020 and 2021. Despite the vulnerability ranking as the 15th most commonly exploited vulnerability in 2021, and despite a patch having been available since May 2019, many organizations failed to patch and remained vulnerable to attack. The flaw has been exploited by advanced persistent threat (APT) actors and by cybercriminal groups such as ransomware gangs.

It was a similar story with the group of Microsoft Exchange Server vulnerabilities dubbed ProxyShell (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523), which together allow a security feature bypass, elevation of privileges, and remote code execution. The vulnerabilities were identified and patched the previous year, yet despite extensive media coverage and security warnings, many organizations failed to apply the patches. An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that allowed remote code execution and a code execution flaw in Atlassian's Confluence Server and Data Center were likewise disclosed and patched the previous year.

Threat actors develop exploits for known vulnerabilities and can typically continue to use them successfully for a couple of years in low-cost, high-impact attacks, because many organizations fail to patch promptly or implement the recommended mitigations. The cybersecurity agencies urge all organizations to use the list as a guide for prioritizing patching: failing to apply patches promptly, especially for known exploited vulnerabilities, makes it easier for attackers to gain access to organizations' networks.

In addition to implementing a centralized patch management system, patching promptly, and conducting regular vulnerability scans, the cybersecurity agencies encourage vendors, designers, developers, and end-user organizations to take further steps to reduce the risk of compromise by malicious cyber actors, such as adopting secure-by-design principles, prioritizing secure-by-default configurations, and ensuring that disclosed CVEs carry the correct CWE identifying the root cause of the vulnerability.

Most Commonly Exploited CVEs in 2022

| CVE | Vendor | Product | Vulnerability | CWE |
|---|---|---|---|---|
| CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server | RCE | CWE-918 Server-Side Request Forgery (SSRF) |
| CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287 Improper Authentication |
| CVE-2021-40539 | Zoho | ManageEngine ADSelfService Plus | RCE / Authentication Bypass | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) |
| CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Arbitrary Code Execution | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection) |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-20 Improper Input Validation; CWE-400 Uncontrolled Resource Consumption; CWE-502 Deserialization of Untrusted Data |
| CVE-2022-22954 | VMware | Workspace ONE | RCE | CWE-94 Improper Control of Generation of Code (Code Injection) |
| CVE-2022-22960 | VMware | Workspace ONE | Improper Privilege Management | CWE-269 Improper Privilege Management |
| CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication Vulnerability | CWE-306 Missing Authentication for Critical Function |
| CVE-2022-30190 | Microsoft | Multiple Products | RCE | None listed |
| CVE-2022-26134 | Atlassian | Confluence Server and Data Center | RCE | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) |

The post Cybersecurity Agencies Share 2022’s Most Commonly Exploited Vulnerabilities appeared first on HIPAA Journal.