Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks
Apr16

Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks

Health-ISAC, in conjunction with the American Hospital Association (AHA), has published guidance for healthcare information security teams to help them improve resilience against supply chain cyberattacks such as the recent SolarWinds Orion incident. The white paper – Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event – provides insights into the cyberattack and explores the characteristics that made such an attack possible. The document provides technical recommendations for senior business leaders, C-suite executives, and IT and information security teams to help them prevent and mitigate similar attacks. Solutions such as SolarWinds Orion have privileged access to the assets they are used to manage, and those supply chain dependencies and inherent trust models were exploited in the SolarWinds Orion attack. The attackers exploited a software update mechanism to inject a backdoor into the network monitoring platform. The update was downloaded and applied by around 18,000 customers and selected companies were then targeted in more in-depth compromises,...

Read More
NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities
Apr16

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russia and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR). The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks. The NSA, CISA, and the FBI have previously shared mitigations that can be...

Read More
COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups
Apr15

COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups

The global COVID-19 vaccine cold chain continues to be targeted advanced persistent threat groups, according to an updated report from IBM Security X-Force. X-Force researchers previously published a report in December 2020 warning that cyber adversaries were targeting the COVID-19 cold chain to gain access to vaccine data and attacks continue to pose a major threat to vaccine distribution and storage. There are currently more than 350 logistics partners that are part of the cold chain and are involved in the delivery and storage of vaccines at low temperatures. Since the initial report was published on cold chain phishing attacks, IBM X-Force researchers have identified a further 50 email message files tied to spear phishing campaigns, which have targeted 44 companies in 14 countries throughout Europe, the Americas, Africa, and Asia. The companies being targeted underpin the transport, warehousing, storage, and distribution of COVID-19 vaccines, with the most targeted organizations involved in transportation, IT and electronics, and healthcare such companies in biomedical...

Read More
100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities
Apr14

100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities

Researchers at Forescout and JSOF have identified 9 vulnerabilities in Internet-connected devices that could be exploited in denial-of-service and remote code execution attacks. The flaws have been identified in certain implementations of the Domain Name System (DNS) protocol in TCP/IP network communication stacks. The flaws are mostly due to how parsing of domain names occurs, which can breach DNS implementations, and problems with DNS compression, which devices use to compress data to communicate over the Internet using TCP/IP. This class of vulnerabilities has been named NAME:WRECK. They affect common IoT and operational technology systems, including FreeBSD, IPnet, Nucleus NET, and NetX. While the use of these IoT/OP systems does not necessarily mean devices are vulnerable, many will be. The researchers suggest that around 1% of IoT devices are likely to be susceptible to the flaws, which is more than 100 million devices worldwide. Vulnerable devices are used in a range of industry sectors, including healthcare, retail, manufacturing, and the government, with healthcare...

Read More
Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities
Apr14

Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12.01 AM on Friday April 16, 2021 due to the high risk of exploitation of the flaws. At the time of issuing the patches there have been no known cases of exploitation of the flaws in the wild, but it is likely that now the flaws have been publicly disclosed, the patches could be reverse engineered and working exploits developed. All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers as well as persistent access and control of enterprise networks. Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user...

Read More
HHS OIG: HHS Information Security Program Rated ‘Not Effective’
Apr12

HHS OIG: HHS Information Security Program Rated ‘Not Effective’

The Department of Health and Human Services’ Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective. The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards. The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: Risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning. The levels of maturity for information security are Level 1 (Ad hoc...

Read More
CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments
Apr09

CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany the open-source PowerShell-based Sparrow detection tool released in December 2020 to help network defenders detect potential compromised accounts in their Azure, Microsoft 365, and Office 365 environments. Sparrow was created following the SolarWinds cyberattack to help network defenders identify whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that can be used to visualize and analyze data outputs from the Sparrow tool to identify post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts. The Aviary dashboard helps network defenders analyze PowerShell logs and analyze mailbox sign-ins to determine if the activity is legitimate. Through the dashboard, PowerShell usage by employees can also be examined along with Azure AD domains to determine if they have been modified. CISA is encouraging network defenders to review the previously released AA21-008A alert on detecting post compromise activity in...

Read More
Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups
Apr08

Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups

Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities. Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system. Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others...

Read More
FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers
Apr06

FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers

Vulnerabilities in the Fortinet FortiOS operating system are being targeted by advanced persistent threat (APT) actors and are being used to gain access to servers to infiltrate networks as pre-positioning for follow-on data exfiltration and data encryption attacks. In a recent Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency warned users of the Fortinet FortiOS to immediately patch three vulnerabilities, tracked under the CVE numbers CVE-2018-13379, 2020-12812, and 2019-5591. Patches were released to correct the flaws in May 2019, July 2019, July 2020. Fortinet communicated with affected companies and published multiple blog posts urging customers to update the FortiOS to a secure version; however, some customers have yet to apply the patches to correct the flaws and are at risk of attack. CVE-2018-13379 is a vulnerability due to improper limitation of a pathname to a restricted directory and is present in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12. Under SSL VPN web...

Read More
VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager
Apr02

VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has released patches to correct two high severity vulnerabilities in its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments – vRealize Operations. The flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager. CVE-2021-21975 is a server side request forgery flaw which could be exploited by a remote attacker to abuse the functionality of a server and access or manipulate information that should not be directly accessible. The flaw could be exploited by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint which would allow the attacker to steal administrative credentials. The vulnerability has been assigned a CVSS score of 8.6 out of 10. The second vulnerability, tracked as CVE-2021-21983, is an arbitrary file write vulnerability in the vRealize Operations Manager API. The flaw has been assigned a CVSS score of 7.2 out of 10. Exploitation of the vulnerability would allow an attacker to write files to the underlying photon operating system. An attacker would first need...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996, and was updated by the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for...

Read More
Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms
Apr01

Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

Security firm Proofpoint reports that the Advanced Persistent Threat (APT) group Charming Kitten was behind a spear phishing campaign in late 2020 targeting senior professionals at medical research organizations in the United States and Israel. Charming Kitting, aka Phosphorus, Ajax, and TA453, is an APT group with links to the Islamic Revolutionary Guard Corps (IRCG) in Iran. Charming Kitting has been active since at least 2014 and is primarily involved in espionage campaigns involving spear phishing attacks and custom malware. The attacks previously linked to the APT group have been on dissidents, academics, and journalists, so the latest spear phishing campaign targeting medical research organizations is a departure from the group’s usual targets. The phishing campaign, dubbed BadBlood, attempted to steal Microsoft Office credentials and coincided with growing tensions between Iran, the United States, and Israel. It is unclear at this stage whether the targeting of very senior professionals in medical research firms is part of a wider campaign or was simply an outlier event. The...

Read More
New Report Provides Deep Dive into COVID-19 Themed Phishing Tactics
Mar30

New Report Provides Deep Dive into COVID-19 Themed Phishing Tactics

In early 2020, phishers started to take advantage of the pandemic and switched from their standard lures to a wide variety of pandemic-related themes for their campaigns. To coincide with the one-year anniversary of the pandemic, researchers at the Palo Alto Networks Unit 42 Team analyzed the phishing trends over the course of the past year to review the changes in the tactics, techniques, and procedures (TTPs) of phishers and the extent to which COVID-19 was used in their phishing campaigns. The researchers analyzed all phishing URLs detected between January 2020 and February 2021 to determine how many had a COVID-19 theme, using specific keywords and phrases related to COVID-19 and other aspects of the pandemic. The researchers identified 69,950 unique phishing URLs related to COVID-19 topics, with almost half of those URLs directly related to COVID-19. Phishing campaigns were promptly adapted to the latest news and thoughts on the coronavirus and closely mirrored the latest pandemic trends. Following the World Health Organization’s declaration of the pandemic in March 2020 there...

Read More
FBI Issues Warning About Mamba Ransomware
Mar29

FBI Issues Warning About Mamba Ransomware

An increase in cyberattacks involving Mamba ransomware has prompted the Federal Bureau of Investigation and the Department of Homeland Security to issue a flash alert warning organizations and companies in multiple sectors about the dangers of the ransomware. In contrast to many ransomware variants that have their own encryption routines, Mamba ransomware has weaponized the open source full disk encryption software DiskCryptor. DiskCryptor is a legitimate encryption tool that is not malicious and is therefore unlikely to be detected as such by security software. The FBI has not provided any details of the extent to which the ransomware has been used in attacks, which have so far mostly targeted government agencies and transportation, legal services, technology, industrial, commercial, manufacturing, construction companies. Several methods are used to gain access to systems to deploy the ransomware, including exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured methods of remote access. Rather than searching for certain file extensions to encrypt,...

Read More
FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments
Mar23

FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments

State, local, tribal, and territorial (SLTT) governments have been warned they are being targeted by Business Email Compromise (BEC) scammers. In a March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) explained it has observed an increase in BEC attacks on SLTT government entities between 2018 and 2020. Losses to these attacks range from $10,000 to $4 million. BEC attacks involve gaining access to an email account and sending messages impersonating the account holder with a view to convincing the target to make a fraudulent transaction. The email account is often used to send messages to the payroll department to change employee direct deposit information or to individuals authorized to make wire transfers, to request changes to bank account details or payment methods. In 2020, the FBI’s Internet Crime Complaint Center (IC3) was notified about 19,369 BEC attacks and losses of almost $1.9 billion were reported. In July 2019, a small city government was scammed out of $3 million after receiving a spoofed email that appeared to be from a contractor...

Read More
Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft
Mar22

Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft

The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the US government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond. Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’ resides in Lucerne, Switzerland and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottman admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, Nissan, as well as schools, correctional facilities, and hospitals. Live streams of surveillance camera and archived footage were accessed between March 7 and March 9, 2021, screenshots and videos of which were published online. Ethical hackers often exploit vulnerabilities and gain access to systems and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the...

Read More
February 2021 Healthcare Data Breach Report
Mar19

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents. After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches. Largest Healthcare Data Breaches Reported in February 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware Gore Medical Management, LLC GA Healthcare Provider...

Read More
FBI: $4.2 Billion Lost to Cybercrime in 2020
Mar18

FBI: $4.2 Billion Lost to Cybercrime in 2020

The Federal Bureau of Investigation (FBI) has published its annual Internet Crime Report. 791,790 complaints were made to the FBI’s Internet Crime Complaint Center (IC3) in 2020, which is a 69% increase from 2019. More than $4.2 billion was lost to cybercrime in 2020, an increase of 20% from 2019. Since 2016, there have been reported losses to cybercrime of more than $13.3 billion. In 2020, the most reported cybercriminal activity was phishing, which accounted for 30.5% of all complaints to IC3. 2.45% of complaints were about business email compromise (BEC) attacks. Business email compromise scams involve compromising a business email account through social engineering or phishing and using the account to arrange fraudulent transfers of funds. While these incidents were far less numerous than phishing, they were the biggest cause of losses. $1,866,642,107 was lost to BEC attacks in 2020. 2020 saw a 19% reduction in BEC attacks compared to 2019, although losses increased by 0.1 billion. In 2020, cybercriminals exploited the COVID-19 pandemic to scam businesses and individuals. IC3...

Read More
CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware
Mar18

CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan; but the malware has since had a host of new capabilities added and is now extensively used as a malware loader for delivering other malware variants, including ransomware such as Ryuk and Conti. “TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert. In late 2019, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure and spam campaigns distributing the malware soon recommenced, with TrickBot activity surging in recent weeks. Earlier this month, Check Point researchers warned about an increase in TrickBot infections following the takedown of the Emotet botnet. TrickBot was the 4th most prevalent malware variant in 2020 and rose to third in January 2021; however, since...

Read More
2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches
Mar16

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks. The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net. The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised. Healthcare Hacking Incidents Increased...

Read More
What is a HIPAA Violation?
Mar14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras
Mar12

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and viewed live feeds and archived footage from cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals. As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information. Verkada’s systems were not accessed with a view to conducting any malicious actions, instead the aim was to raise awareness of the ease at which the systems could be hacked. Malicious threat actors could also have easily gained access to the Verkada’s systems for a range of malicious purposes. Till Kottmann, one of the...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion
Mar11

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations. The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks. These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data. Healthcare...

Read More
The HIPAA Password Requirements and the Best Way to Comply With Them
Mar09

The HIPAA Password Requirements and the Best Way to Comply With Them

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication. The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”. Experts Disagree on Best HIPAA Compliance Password Policy Although all security experts agree the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them. Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every...

Read More
Small and Medium Sized Practices Under Increased Pressure from Cyberattacks
Mar05

Small and Medium Sized Practices Under Increased Pressure from Cyberattacks

2020 saw cyberattacks on healthcare organizations increase significantly. While large healthcare organizations are being targeted by Advanced Persistent Threat (APT) groups and ransomware gangs, there has also been a marked increase in attacks on small- to medium-sized healthcare organizations. A cyberattack on a large healthcare organization could allow the hackers to steal large quantities of protected health information and ransomware attacks typically see ransom demands issued for millions of dollars. The rewards from these attacks are considerable, but large healthcare organizations tend to invest heavily in cybersecurity and often have their own IT security teams to protect and monitor their IT networks. Cyberattacks on these organizations require more skill and they can be difficult and time consuming. Medium-sized healthcare organizations also store large amounts of sensitive data, yet their networks tend to be less well protected, which makes cyberattacks much easier and still highly profitable. Cyberattacks on Small- and Medium-Sized Healthcare Organizations are...

Read More
IBM X-Force: Healthcare Cyberattacks Doubled in 2020
Mar03

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020. The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9. The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial...

Read More
Multiple Threat Groups Exploiting Zero Day Microsoft Exchange Server Flaws
Mar03

Multiple Threat Groups Exploiting Zero Day Microsoft Exchange Server Flaws

Microsoft has released out-of-band security updates to fix four zero-day Microsoft Exchange Server vulnerabilities that are being actively exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium. The attacks have been ongoing since early January, with the APT group targeting defense contractors, law firms, universities, NGOs, think tanks, and infectious disease research organizations in the United States. Exploitation of the flaws allows the attackers to exfiltrate mailboxes and other data from vulnerable Microsoft Exchange servers, run virtually any code on the servers, and upload malware for persistent access. Hafnium is a previously unidentified sophisticated APT group that is believed to be backed by the Chinese government. The group is chaining together the four zero-day vulnerabilities to steal sensitive data contained in email communications. While developing the exploits required some skill, using those exploits is simple and allows the attackers to exfiltrate large quantities of sensitive data with ease. While the APT group is based in China, virtual...

Read More
NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity
Mar02

NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity

The National Security Agency (NSA) has recently released new guidance to help organizations adopt a Zero Trust approach to cybersecurity to better defend against increasingly sophisticated cyber threats. Zero Trust is a security strategy which assumes that breaches are inevitable or have happened and an intruder is already inside the network. This approach assumes that any device or connection may have been compromised so it cannot be implicitly trusted. Continuous verification is required in real time from multiple sources before access is granted and for system responses. Adopting a Zero Trust approach to security means adhering to the concept of least-privileged access for every access decision and constantly limiting access to what is needed, with anomalous and potentially malicious activity constantly examined. “Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries,” explained the NSA in the guidance....

Read More
CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities
Feb25

CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about 4 vulnerabilities which are being actively exploited by a threat actor to gain access to sensitive data. The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified. The vulnerabilities are tracked as: CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header CVE-2021-27102 – Operating system command execution vulnerability via a local web service CVE-2021-27103 – Server-side request forgery via a crafted POST request CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request The SQL injection flaw (CVE-2021-27011) allows unauthorized individual to run remote commands on targeted devices. An exploit for the...

Read More
Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity
Feb23

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Throughout the pandemic, cybercriminals have taken advantage of new opportunities and have been attacking hospitals, clinics and other businesses and organizations on the front line in the fight against COVID-19. Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021. A recent report from the CTI League provides further information on these attacks and some of the other ways the healthcare industry was targeted in 2020. The report highlights the work conducted by the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity that has potential to impact the healthcare industry or general public health. This is the first report to be released that highlights the discoveries and achievements of the CTIL Dark team, and delves into realm of healthcare ransomware attacks and the dark markets where access to healthcare networks are...

Read More
100% of Tested mHealth Apps Vulnerable to API Attacks
Feb16

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov. Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic. mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user...

Read More
Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers
Feb12

Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas. Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients. It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal. According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by...

Read More
Feds Release Ransomware Fact Sheet
Feb09

Feds Release Ransomware Fact Sheet

A ransomware factsheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF) to raise awareness of the threat of ransomware attacks and provide insights that can be leveraged to prevent and mitigate attacks. The fact sheet was developed by an interagency group of more than 15 government agencies and is primarily intended for use by police and fire departments, state, local, tribal and territorial governments, and critical infrastructure entities. The factsheet was released as part of the “Reduce the Risk of Ransomware Campaign” launched by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) in January 2021. The fact sheet explains the impact ransomware attacks have had on the public sector, provides information on U.S. government efforts to combat ransomware threats, and details the most common methods used by threat actors to gain access to networks to deploy ransomware payloads: Phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities. Phishing emails contain either a malicious link or file attachment. If...

Read More
VMWare Carbon Black Explores the State of Healthcare Cybersecurity in 2020
Feb08

VMWare Carbon Black Explores the State of Healthcare Cybersecurity in 2020

Throughout 2020, the healthcare industry was on the frontline of the pandemic providing medical care to patients suffering from COVID-19 but also had to deal with increasing numbers of cyberattacks, as cybercriminals stepped up their attacks on hospitals and health systems. Recently, VMware Carbon Black conducted a retrospective review of the state of healthcare cybersecurity in 2020 that revealed the extent to which the healthcare industry was targeted by cybercriminals, how those attacks succeeded, and what healthcare organizations need to do to prevent cyberattacks in 2021. VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and found 239.4 million cyberattacks were attempted in 2020, which equates to an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019. As it became clear that the outbreak in Wuhan was turning into a pandemic, cyberattacks on healthcare providers started to increase. Between January and February 2020, cyberattacks on healthcare customers increased by 51% and continued to increase throughout...

Read More
FDA Appoints Kevin Fu as its First Director of Medical Device Security
Feb05

FDA Appoints Kevin Fu as its First Director of Medical Device Security

The U.S. Food and Drug Administration (FDA) has announced the appointment of University of Michigan associate professor Kevin Fu as its first director of medical device security. Fu will serve a one-year term as acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and the recently created Digital Health Center of Excellence, starting on January 1, 2021. Fu will help “to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.” Fu will help to develop the CDRH cybersecurity programs, public-private partnerships, and premarket vulnerability assessments to ensure the safety of medical devices including insulin pumps, pacemakers, imaging machines, and healthcare IoT devices and protect them against digital security threats. Fu has considerable experience in the field of medical device cybersecurity. Fu currently serves as chief scientist at the University of Michigan’s Archimedes Center for Medical Device Security, which he founded, he co-founded the healthcare...

Read More
Global Law Enforcement Action Disrupts NetWalker Ransomware Operation
Jan29

Global Law Enforcement Action Disrupts NetWalker Ransomware Operation

The U.S. Department of Justice (DOJ) has announced a dark web website used by the NetWalker ransomware gang has been seized as part of a global action to disrupt operations and bring the individuals responsible for the file-encrypting extortion attacks to justice. The action was taken in coordination with the United States Attorney’s Office for the Middle District of Florida, the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance provided by the Bulgarian National Investigation Service and General Directorate Combatting Organized Crime. The announcement comes just a few hours after Europol an international effort that resulted in the takedown of the Emotet Botnet. The NetWalker ransomware gang is one of around 20 ransomware-as-a-service (RaaS) operators that recruit affiliates to distribute ransomware for a cut of any ransom payments they generate. The NetWalker gang started operating in late 2019. Since then, the ransomware has proven popular with affiliates and many attacks have been conducted. It has been estimated that in...

Read More
Multinational Law Enforcement Operation Takes Down the Emotet Botnet
Jan28

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Europol has announced the notorious Emotet Botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which is comprised of hundreds of servers around the world. The Emotet botnet was one of the most prolific malware botnets of the last decade and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The Emotet operators ran one of the most professional and long-lasting cybercrime services and was one of the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet. The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous....

Read More
Ransomware Attacks Account for Almost Half of Healthcare Data Breaches
Jan28

Ransomware Attacks Account for Almost Half of Healthcare Data Breaches

A new report published by Tenable has revealed almost half of all healthcare data breaches are the result of ransomware attacks, and in the majority of cases the attacks were preventable. According to the Tenable Research 2020 Threat Landscape Retrospective Report, 730 data breaches were reported across all industry sectors in the first 10 months of 2020 and more than 22 billion records were exposed. 8 million of those records were exposed in healthcare data breaches. Healthcare registered the highest number of data breaches of any industry sector between January and October 2020, accounting for almost a quarter (24.5%) of all reported data breaches, ahead of technology (15.5%), education (13%), and the government (12.5%). Due to the high number of healthcare data breaches, Tenable researchers analyzed those breaches to identify the main causes and found that ransomware attacks accounted for 46.4% of all reported data breaches, followed by email compromise attacks (24.6%), insider threats (7.3%), app misconfigurations (5.6%) and unsecured databases (5%). Across all industry...

Read More
FBI Issues Warning Following Spike in Vishing Attacks
Jan25

FBI Issues Warning Following Spike in Vishing Attacks

Many data breaches start with a phishing email, but credential phishing can also occur via other communication channels such as instant messaging platforms or SMS messages. One often overlooked way for credentials to be obtained is phishing over the telephone. These phishing attacks, termed vishing, can give attackers the credentials they need to gain access to email accounts and cloud services and escalate privileges. Recently, the Federal Bureau of Investigation (FBI) issued an alert after a spike in vishing incidents to steal credentials to corporate accounts, including credentials for network access and privilege escalation. The change to remote working in 2020 due to COVID-19 has made it harder for IT teams to monitor access to their networks and privilege escalation, which could allow these attacks to go undetected. The FBI warned that it has observed a change in tactics by threat actors. Rather than only targeting credentials of individuals likely to have elevated privileges, cybercriminals are now trying to obtain all credentials. While the credentials of low-ranking...

Read More
At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020
Jan20

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft. The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year. In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities. These attacks have caused significant financial harm and in some cases the disruption has had life threatening...

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments
Jan15

CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are exploiting poor cyber hygiene to gain access to enterprise cloud environments. The alert was issued after CISA observed a surge in attacks on organizations that have transitioned to a largely remote workforce in response to the pandemic. While some of the tactics outlined in the report may have been used by the hackers behind the SolarWinds Orion supply chain attack, these tactics have not been tied to any specific threat group and are being used by multiple threat actors to gain access cloud environments and obtain sensitive data. According to the alert, threat actors are using a variety of tactics, techniques, and procedures to attack cloud environments, including brute force attacks to guess weak passwords, phishing attacks, and the exploitation of unpatched vulnerabilities and weaknesses in cloud security practices. Phishing is commonly used to obtain credentials to remotely access cloud resources and applications. The phishing emails typically include hyperlinks to...

Read More
Healthcare Industry Web Application Attacks Have Increased by 51% in the Past Two Months
Jan14

Healthcare Industry Web Application Attacks Have Increased by 51% in the Past Two Months

There has been a significant increase in healthcare industry web application attacks according to new data published by cybersecurity firm Imperva. Imperva Research Labs monitored a 51% increase in web application attacks between November 2020 and December 2020, which coincided with the start of the rollout of COVID-19 vaccines. Imperva SVP Terry Ray said 2020 had been an unprecedented year of cyber activity, with healthcare web application attack volume up 10% year-over-year. On average there were 187 million web application attacks on healthcare targets each month in 2020, with each organization monitored by Imperva experiencing an average of 498 attack a month. The top targets were located in the United States, United Kingdom, Brazil, and Canada. In December, Imperva Research Labs detected significant increases in four types of attacks. The largest increase was seen in protocol manipulation attacks, which increased 76% from the previous month and were the third most common attack type. There was a 68% increase in remote code execution / remote file inclusion attacks, although...

Read More
Hackers Leak Data Stolen in European Medicines Agency Cyberattack
Jan14

Hackers Leak Data Stolen in European Medicines Agency Cyberattack

In December, the European Medicines Agency (EMA) suffered a cyberattack and hackers gained access to third party documents. Some of the data stolen in the attack has now been leaked online. The EMA is the agency responsible for regulating the assessments and approvals of COVID-19 vaccines, treatments, and research in the EU. The EMA had previously issued an update on investigation into the cyberattack and said only one IT application had been compromised. The EMA said all third parties had been notified about the attack, although those companies were not named. In the updates on the investigation, the EMA said the primary goal of the attackers was to gain access to COVID-19 medicine and vaccine information. While it was clear that documents had been accessed, the EMA has only just confirmed that data was exfiltrated by the attackers. Prior to the cyberattack, BioNTech and Pfizer submitted their vaccine data to the EMA as part of the approval process and the server accessed by the hackers contained documents related to the regulatory submissions by Pfizer and BioNTech. Pfizer and...

Read More
2020 HIPAA Violation Cases and Penalties
Jan13

2020 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. Penalties for Noncompliance with the HIPAA Right of Access In late 2019, the OCR announced a new HIPAA enforcement initiative to tackle noncompliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been highly active and has imposed 14 financial penalties for noncompliance, 11 of which were announced in 2020. The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of...

Read More
HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law
Jan12

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law

On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach. While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach. The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions. The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches...

Read More
FBI Issues Warning About Increasing Egregor Ransomware Activity
Jan11

FBI Issues Warning About Increasing Egregor Ransomware Activity

The Federal Bureau of Investigation (FBI) has issued a Private Industry Alert about the growing threat of Egregor ransomware attacks. Egregor ransomware is a ransomware-as-a-service operation that was first identified in September 2020. The threat actors behind the operation recruit affiliates to distribute their ransomware and give them a cut of any ransoms they generate. The affiliates have been highly active over the past three months and have conducted attacks on many large enterprises. High-profile victims include Barnes & Noble, Ubisoft, Kmart, Crytek, and the Canadian transportation agency TransLink. The threat group claims to have gained access to more than 150 corporate networks and deployed their ransomware, with the ransom demands exceeding $4 million. Many affiliates have been recruited by the Egregor ransomware gang and each has their preferred method of distributing the ransomware. With a wide range of tactics, techniques, and procedures used to deliver the ransomware, defending against attacks can be a challenge for network defenders. Initial access to corporate...

Read More
New HIPAA Regulations in 2021
Jan10

New HIPAA Regulations in 2021

Tt has been several years since new HIPAA regulations have been introduced but that is likely to change very soon. The last update to the HIPAA Rules was the HIPAA Omnibus Rule changes in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. There are, however, expected to be several 2021 HIPAA changes as OCR has issued a Notice of Proposed Rulemaking in December 2020 that outlines several changes to the HIPAA Privacy Rule. The Trump Administration’s policy of two regulations out for every new one introduced was always likely to mean any new HIPAA regulations in 2020 would be limited, as first there would need to be some removal of regulations. In 2019 and 2020, updates under consideration included changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally...

Read More
Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors
Jan08

Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been identified in Innokas Yhtymä Oy vital signs monitors which allow communications between downstream devices to be modified and certain features of the monitors to be disabled. The vulnerabilities affect All versions of VC150 patient monitors prior to software version 1.7.15. Vulnerable patient monitors have a stored cross-site scripting (XSS) vulnerability which allows a web script or HTML to be injected via the filename parameter to update multiple endpoints of the administrative web interface. The vulnerability is due to improper neutralization of input during web page generation. The vulnerability is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10. The second vulnerability, tracked as CVE-2020-27260, is due to improper neutralization of special elements in the output used by downstream components. HL7 v2.x injection vulnerabilities allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages via multiple expected parameters. The vulnerability...

Read More
Federal Task Force Says SolarWinds Supply Chain Attack Likely Russian in Origin
Jan07

Federal Task Force Says SolarWinds Supply Chain Attack Likely Russian in Origin

A joint statement has been issued by the Federal Bureau of Investigation (FBI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) on behalf of the Trump Administration attributing the supply chain attack on SolarWinds Orion software to Russian threat actors. Following the attack, the National Security Council created a task force known as the Cyber Unified Coordination Group (UCG) to investigate the breach, which consisted of the FBI, CISA, and ODNI, with support provided by the NSA. The task force is still investigating the scope of the data security incident but has announced that the attack was conducted by an Advanced Persistent Threat (APT) actor and was “likely Russian in origin.” Evidence has been mounting that the SolarWinds software was compromised as part of an intelligence gathering operation run by Russia. While several media outlets have previously reported the security breach as being a Russia-led operation, and Secretary of State Mike Pompeo and former...

Read More
NSA Releases Guidance on Eliminating Weak Encryption Protocols
Jan06

NSA Releases Guidance on Eliminating Weak Encryption Protocols

The National Security Agency (NSA) has released guidance to help organizations eliminate weak encryption protocols, which are currently being exploited by threat actors to decrypt sensitive data. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were developed to create protected channels using encryption and authentication to ensure the security of sensitive data between a server and a client.  The algorithms used by these protocols to encrypt data have since been updated to improve the strength of encryption, but obsolete protocol configurations are still in use. New attacks have been developed that exploit weak encryption and authentication protocols, which are being actively used by threat actors to decrypt and obtain sensitive data. The NSA explains that most products that use obsolete TLS versions, cipher suites, and key exchange methods have been updated, but implementations have often not kept up and continued use of these out-of-date TLS configurations carries an elevated risk of exploitation. Continued use of outdated protocols provides a false sense...

Read More
Healthcare Industry Cyberattacks Increase by 45%
Jan06

Healthcare Industry Cyberattacks Increase by 45%

In the fall of 2020, a warning was issued to the healthcare and public health sector following a spike in ransomware activity. The joint CISA, FBI, and HHS cybersecurity advisory explained that the healthcare industry was being actively targeted by threat actors with the aim of infecting systems with ransomware. Several ransomware gangs had stepped up attacks on the healthcare and public health sector, with the Ryuk and Conti operations the most active. A new report from Check Point shows attacks continued to increase in November and December 2020, when there was a 45% increase in cyber-attacks on healthcare organizations globally. The increase was more than double the percentage rise in attacks on all industry sectors worldwide over the same period. Globally, there was an average of 626 cyberattacks on healthcare organizations each week in November and December, compared to 430 attacks in October. The vectors used in the attacks have been varied, with Check Point researchers identifying an increase in ransomware, botnet, remote code execution, and DDoS attacks in November and...

Read More
Hidden Backdoor Identified in 100,000 Zyxel Devices
Jan05

Hidden Backdoor Identified in 100,000 Zyxel Devices

A vulnerability has been identified in Zyxel devices such as VPN gateways, firewalls, and access point (AP) controllers that could be exploited by threat actors to gain remote administrative access to the devices. By exploiting the vulnerability, threat actors would be able to make changes to firewall settings, allow/deny certain traffic, intercept traffic, create new VPN accounts, make internal services publicly accessible, and gain access to internal networks behind Zyxel devices. Around 100,000 Zyxel devices worldwide have the vulnerability. Zyxel manufacturers networking equipment and its devices are popular with small to medium sized businesses and are also used by large enterprises and government agencies. The vulnerability, tracked as CVE-2020-29583, was identified by Niels Teusink of the Dutch cybersecurity firm EYE, who discovered a hidden user account in the latest version of Zyxel firmware (4.60 patch 0).  The user account, zyfwp, which was not visible in the user interface of the products, was discovered to have a hardcoded plain-text password which Teusink found in one...

Read More
Largest Healthcare Data Breaches in 2020
Jan01

Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records. The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years. The Largest Healthcare Data Breaches in 2020 When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom...

Read More
CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool
Dec30

CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool

The DHS’ Cybersecurity and Infrastructure Security Agency has launched a website providing resources related to the ongoing cyber activities of the advanced persistent threat (APT) group responsible for compromising the SolarWinds Orion software supply chain. The threat actors behind the attack gained access to the networks of federal, state, and local governments, critical infrastructure entities, and private sector organizations around the world. In addition to compromising the software update mechanism of SolarWinds Orion, the hackers also exploited vulnerabilities in commonly used authentication mechanisms to gain persistent access to networks. According to Microsoft, the main goal of the attackers appears to be to gain persistent local access to networks by delivering the Sunburst/Solarigate backdoor, then pivot to victims’ cloud assets. Recently it has become clear that more than one threat group is conducting cyber espionage after the discovery of a different malware variant that was introduced through the SolarWinds Orion software update feature. Microsoft and Palo Alto...

Read More
NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem
Dec22

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem. PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location. PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for...

Read More
FBI Warns of DoppelPaymer Ransomware Attacks Targeting Critical Infrastructure
Dec21

FBI Warns of DoppelPaymer Ransomware Attacks Targeting Critical Infrastructure

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning of an increase in DoppelPaymer ransomware activity and a change in tactics by the threat actors to pressure victims into paying. DoppelPaymer ransomware first emerged in the summer of 2019 and has since been used in attacks on a range of verticals including healthcare, education, and the emergency services. The ransomware is believed to be operated by the Evil Corp (TA505) threat group, which was behind Locky ransomware and the Dridex banking Trojan. Like many human-operated ransomware operations, the threat group exfiltrates data prior to the encryption of files and uses the stolen data as leverage to get the ransom paid. While victims may be able to recover encrypted files from backups, the threat of the public release or sale of stolen data is sufficient to get them to pay the ransom demand. The threat group is known for demanding large ransom payments, often as high as seven figures. The gang is also believed to have been the first to start cold calling victims to pressure them into...

Read More
NSA Warns of Authentication Mechanism Abuse to Gain Access to Cloud Resources
Dec21

NSA Warns of Authentication Mechanism Abuse to Gain Access to Cloud Resources

The U.S. National Security Agency (NSA) has issued an alert that warns about two hacking techniques that are currently being used by threat groups to gain access to cloud resources containing protected data. These techniques abuse authentication mechanisms and allow attackers to steal credentials and maintain persistent access to networks. These techniques have been used by the threat actors who compromised SolarWinds Orion platform. The hackers behind the attacks have yet to be identified, but some evidence has emerged that suggest this is a nation state attack by a Russian threat group, possibly APT29 (Cozy Bear). Secretary of State Mike Pompeo said in a radio interview on Friday that “now we can say pretty clearly that it was the Russians that engaged in this activity,” although on Saturday President Trump downplayed the attack and suggested there is a possibility China is responsible, although President Trump is largely alone in having that viewpoint. The SolarWinds Orion platform supply chain attack was used to push malware out to customers through the SolarWinds...

Read More
OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules
Dec18

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their...

Read More
House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices
Dec16

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices

A new bill (HR 7898) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes. The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations. The bill defines ‘Recognized Security Practices’ as “standards,...

Read More
CISA: SolarWinds Orion Software Under Active Attack
Dec15

CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software. The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive, nation state hacking group who created a Trojanized version of Orion software that has been used to deploy a backdoor into customers’ systems dubbed SUNBURST. The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies. SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign...

Read More
Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers
Dec14

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product. The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been...

Read More
What is Considered PHI?
Dec13

What is Considered PHI?

In response to questions sent to HIPAA Journal, we have written a series of posts answering some of the most basic elements of HIPAA, the latest being what is considered PHI? What is PHI, PII, and IIHA? Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Read More
Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces
Dec10

Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces

The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working. The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems. The flaw is a command-injection vulnerability in the administrative configurator component of the affected products. The vulnerability can be exploited remotely by an attacker with valid credentials and access to the administrative configurator on port 8443. If successfully exploited, an attacker would be able to execute commands with unrestricted privileges on the operating system and access sensitive data. VMWare released a patch to correct the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been compromised, along...

Read More
Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products
Dec09

Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products

Two critical severity vulnerabilities have been identified in GE Healthcare medical imaging devices that allow remote code execution and access/alteration of sensitive patient data. The vulnerabilities affect GE Healthcare’s proprietary management software and impact more than 100 GE Healthcare imaging devices including MRI, Ultrasound, Advanced Visualization, Interventional, X-Ray, Mammography, Computed Tomography, Nuclear Medicine and PET/CT devices. Affected GE Healthcare Products Device Product Families MRI Brivo, Optima, Signa Ultrasound EchoPAC, Image Vault, LOGIQ, Vivid, Voluson Advanced Visualization AW Interventional Innova, Optima X-Ray AMX, Brivo, Definium, Discovery, Optima, Precision Mammography Seno, Senographe Pristina Computed Tomography BrightSpeed, Brivo, Discovery, Frontier LightSpeed, Optima, Revolution Nuclear Medicine, PET/CT Brivo, Discovery, Infinia Optima, PET Discovery, PETtrace, Ventri, Xeleris The vulnerabilities were identified by Lior Bar Yosef and Elad Luz of CyberMDX who reported them to GE Healthcare in May 2020. CyberMDX has dubbed the flaws...

Read More
COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign
Dec04

COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign

The Cybersecurity Infrastructure and Security Agency has issued a warning about a global spear phishing campaign targeting organizations in the cold storage and supply chain that are involved with the distribution of COVID-19 vaccines. Two of the first vaccines to be produced must be kept and low temperatures during storage and transit prior to being administered. The Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C), so cold chain organizations are a key element of the supply chain. At the start of the pandemic, IBM X-Force established a cyber threat task force to track threats targeting organizations involved in the fight against COVID-19. The task force recently published a report about an ongoing spear phishing campaign that started in September 2020 which is targeting organizations supporting the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children’s Fund and partner organizations to distribute vaccines worldwide. Phishing emails have been sent to executives in sales,...

Read More
Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access
Dec03

Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access

Four vulnerabilities have been identified in the OpenClinic application, the most severe of which could allow authentication to be bypassed and protected health information (PHI) to be viewed from the application by unauthorized users. OpenClinic is an open source, PHP-based health record management software that is used in many private clinics, hospitals, and physician practices for administration, clinical and financial tasks. A BishopFox Labs researcher has identified four vulnerabilities in the software which have yet to be corrected. The most serious vulnerability involves missing authentication, which could be exploited to gain access to any patient’s medical test results. Authenticated users of the platform can upload patient’s test results to the application, which are loaded into the /tests/ directory. Requests for files in that directory do not require users to be authenticated to the application to return and display the test results. In order for the test results to be obtained, an unauthenticated user would need to guess the names of the files; however, the BishopFox...

Read More
Researchers Describe Possible Synthetic DNA Supply Chain Attack
Dec02

Researchers Describe Possible Synthetic DNA Supply Chain Attack

A team of researchers at Ben-Gurion University in Israel have described a possible bioterrorist attack scenario in which the supply chain of synthetic DNA could be compromised. DNA synthesis providers could be tricked into producing harmful DNA sequences and delivering them to unsuspecting customers. Synthetic DNA is currently produced for research purposes and is available in many ready-to-use forms. Clients of DNA synthesis providers specify the DNA sequences they require and the DNA synthesis company generates the requested sequences to order and ships them to their customers. There are safety controls in place to prevent DNA being synthesized that could be harmful, but the Ben-Gurion University researchers point out that those safety checks are insufficient. Hackers could potentially exploit security weaknesses and inject rogue genetic information into the synthesis process, unbeknown to the customers or DNA synthesis providers. For example, rogue genetic material could be inserted that encodes for a harmful protein or a toxin. The researchers describe an attack scenario where...

Read More
FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity
Nov26

FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity

Threat actors using Ragnar Locker ransomware have stepped up their attacks and have been targeting businesses and organizations in many sectors, according to a recent private industry alert from the Federal Bureau of Investigation (FBI). Ragnar Locker ransomware was first identified by security researchers in April 2019, with the first known attack targeting a large corporation that was issued with an $11 ransom demand for the keys to decrypt files and ensure the secure deletion of the 10 terabytes of sensitive data stolen in the attack. While not named in the FBI alert, the attack appears to have been on the multinational energy company, Energias de Portugal. The gang was also behind the ransomware attacks on the Italian drinks giant Campari and the Japanese gaming firm Capcom. Since that attack, the number of Ragnar Locker victims has been steadily growing. Attacks have been successfully conducted on cloud service providers, and companies in communication, construction, travel, enterprise software, and other industries. As with other human-operated ransomware attacks, the threat...

Read More
Free Google Services Abused in Phishing Campaigns
Nov26

Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes. Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered. The use of Google services by phishers is nothing new; however, security researchers at Arborblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites,...

Read More
HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations
Nov25

HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices. The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements. Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and...

Read More
October 2020 Healthcare Data Breach Report
Nov23

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud. The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months. Largest Healthcare Data Breaches Reported in October 2020 Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware Presbyterian Healthcare Services...

Read More
Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users
Nov19

Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users

Microsoft has issued a warning to Office 365 about an ongoing phishing campaign targeting user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested. A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes. The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code. Microsoft notes that the redirector sites have a unique...

Read More
ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector
Nov18

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, saying, “At this time, we consider the threat to be credible, ongoing, and persistent.” In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020. Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a...

Read More
Vendor Access and HIPAA Compliance: Are you Secured?
Nov17

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine. Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage. A hacker can quickly access hundreds of patient files and cause widespread damage, including a...

Read More
Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development
Nov16

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data. The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft and three APT groups are known to be conducting attacks – the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea – The Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29). The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently...

Read More
Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware
Nov12

Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware

A new phishing campaign is being conducted using the TrickBot botnet to deliver the Bazar backdoor and Buer loader malware. The campaign was detected by researchers at Area 1 Security and has been running since early October. The Bazar backdoor is used to gain persistent access to victims’ networks, while the Buer loader is used to download additional malicious payloads. Previously, Buer has been used to deliver ransomware payloads such as Ryuk and tools such as CobaltStrike. Area 1 Security researchers detected two email lures in this campaign. One is a fake notification about termination of employment and the other a fake customer compliant. The employment termination email appears to have been sent by an authority figure in the head office of the company being targeted and states that the individual has been terminated. Further information on the termination and payout are provided in a document that appears to be hosted on Google Docs. If the link is clicked, the user will be directed to a Google Doc decoy preview page and is advised to click another link if they are not...

Read More
Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption
Nov06

Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption

Coveware has released its Quarterly Ransomware report for Q3, 2020 highlighting the latest ransomware attack trends. The report confirms that data exfiltration prior to the use of ransomware continues to be a popular tactic, with around half of all ransomware attacks involving data theft. Attacks involving the theft of data doubled in Q3, 2020. In cases where data are stolen prior to file encryption, victims are told that if they do not pay the ransom demand their data will be leaked online or sold to pressure victims into paying, but ransomware victims should carefully consider whether or not to pay. There are no guarantees that paying the ransom will prevent publication of stolen data. Ransomware Gangs Renege on Promises to Delete Data The Maze ransomware gang started the double-extortion trend in 2019 and many ransomware operators soon followed suit. In some cases, two ransomware demands are issued; one to return or delete stolen data and the other for the keys to unlock the encrypted files, The operators of the AKO and Ranzy ransomware variants have adopted this dual ransom...

Read More
Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication
Oct30

Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication

A new report published by CoreView has revealed the majority of Microsoft 365 admins have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and are failing to implement other basic security practices. According to the study, 78% of Microsoft 365 administrators have not activated multi-factor authentication and 97% of Microsoft 365 users are not using MFA. “This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” explained the researchers. The SANS Institute says 99% of data breaches can be prevented by using MFA, while Microsoft explained in an August 2020 blog post that MFA is the single most important measure to implement to prevent unauthorized account access, explaining that 99.9% of account breaches can be prevented by using MFA. The CoreView study also revealed 1% of Microsoft 365 admins do not use strong passwords, even though hackers are...

Read More
Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector
Oct29

Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued an advisory warning about increased Ryuk ransomware activity targeting the healthcare and public health sector. Credible evidence has been obtained indicating an increased and imminent threat to hospitals and healthcare providers in the United States. The advisory details some of the tactics, techniques, and procedures (TTPs) used by the operators of Ryuk ransomware and other cybercriminal groups who are assisting with the distribution of the ransomware to help the healthcare sector manage risk and protect their networks from attacks. The advisory explains that Ryuk ransomware is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is a banking Trojan that was first identified in 2016 that has since been updated with a host of new functions. In addition to stealing banking credentials, TrickBot is capable of mail exfiltration, cryptomining, data exfiltration from point of sale systems, and acts as...

Read More
Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment
Oct27

Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment

Prior to the 2019 Novel Coronavirus pandemic, many companies allowed some of their employees to spend some of the week working from home; however, COVID-19 dramatically changed the way people work, with national lockdowns forcing employers to rapidly change working practices and allow virtually all of their employees to work remotely. When lockdowns were lifted, many employees continued to work from home. The new remote working environment is considered by many to be now be the new normal. Remote working has created many challenges, especially for cybersecurity as it is harder for organizations to prevent, detect, and contain cyberattacks when much of the workforce is working remotely. A recent survey conducted on 2,215 IT and IT security professionals by the Ponemon Institute on behalf of Keeper Security explores the cybersecurity challenges of teleworking and assesses how companies have adapted cybersecurity practices to address the risks of teleworking. One of the key findings from the survey is remote working has significantly reduced the effectiveness of organizations’...

Read More
Office 365 Users Targeted in Microsoft Teams Phishing Scam
Oct26

Office 365 Users Targeted in Microsoft Teams Phishing Scam

A new Office 365 phishing campaign has been detected by researchers at Abnormal Security that spoofs Microsoft Teams to trick users into visiting a malicious website hosting a phishing form that harvests Office 365 credentials. Microsoft Teams has been adopted by many organizations to allow remote workers to maintain contact with the office. In healthcare the platform is being used to provide telehealth services to help reduce the numbers of patients visiting healthcare facilities to control the spread of COVID-19. Microsoft reported in in a June call announcing financial earnings for the quarter ended June 30, 2020 that Microsoft Teams is now used by more than 150 million students and teachers. Over 1,800 different organizations have more than 10,000 Teams users, and 69 organizations have over 100,000 Teams  users. The use of Microsoft Teams in healthcare has also been growing, with 46 million Teams meetings now being conducted for telehealth purposes. The increase in usage due to the pandemic has presented an opportunity for cybercriminals. According to figures from Abnormal...

Read More
FDA Approves Tool for Scoring Medical Device Vulnerabilities
Oct23

FDA Approves Tool for Scoring Medical Device Vulnerabilities

The FDA has approved a new rubric designed by the MITRE Corporation for assigning Common Vulnerability Scoring System (CVSS) scores to medical device vulnerabilities. The CVSS was designed for assigning scores to vulnerabilities in IT systems according to their severity, and while the system works well for many IT systems, it is less well suited to scoring vulnerabilities in medical devices. When vulnerabilities are discovered in medical devices, device manufacturers use the CVSS as a consistent and standardized way of communicating the severity of a vulnerability to the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and other agencies. The scores are used by IT teams in hospitals and clinics for prioritizing patching and software updates. If a vulnerability has a score of 9.0, it naturally takes priority over a vulnerability with a CVSS score of 3.0, for instance. However, CVSS base scores do not adequately reflect the clinical environment and potential patient safety impacts. To address this issue, the FDA contracted the...

Read More
Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom
Oct23

Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States. B.Braun OnlineSuite Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code. The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows uploads and downloads of files by unauthenticated individuals, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a high privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10. An Excel macro vulnerability – CVE-2020-25170 – has also been identified in the export feature, caused by the mishandling of multiple input fields, which has been assigned a CVSS v3 base score of 6.9. The flaws are present in OnlineSuite AP 3.0 and earlier....

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks
Oct21

6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks

The U.S. Department of Justice has announced 6 Russian hackers have been indicted for their role in the 2017 NotPetya malware attacks and a long list of offensive cyber campaigns on multiple targets in the United States and other countries. The six individuals are suspected members of the GRU: Russia’s Main Intelligence Directorate, specifically GRU Unit 74455, which is also known as Sandworm. The Sandworm unit is believed to be behind a long list of offensive cyber campaigns spanning several years. Sandworm is suspected of being instrumental in attempts to influence foreign elections, including the 2016 U.S. presidential election and the 2017 French Presidential election. One of the most destructive offensive campaigns involved the use of NotPetya malware in 2017. NotPetya was a wiper malware used in destructive attacks worldwide that leveraged the Microsoft Windows Server Message Block (SMBv1) vulnerability. Several hospitals and medical clinics were affected by NotPetya and had data wiped and computer systems taken out of action. NotPetya hit the pharmaceutical giant Merck,...

Read More
Active Threat Warning Issued About SharePoint RCE Vulnerability
Oct20

Active Threat Warning Issued About SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and infrastructure Security Agency is also urging organizations to patch the flaw promptly to prevent exploitation. The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges. To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques. The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases: Microsoft SharePoint Foundation 2013 Service Pack 1 Microsoft SharePoint Enterprise...

Read More
Universities Targeted in Silent Librarian Spear Phishing Campaign
Oct16

Universities Targeted in Silent Librarian Spear Phishing Campaign

The Iran-based hacking group known as Silent Librarian – aka Cobalt Dickens and TA407 – has recommenced spear phishing attacks on universities in the United States and around the world. The hacking group has been conducting attacks since 2013 to gain access to login credentials and steal intellectual property and research data. Credentials and data stolen in the attacks are subsequently sold via the hacking group’s portals. The U.S. Department of Justice indicted 9 Iranians in connection with the attacks in 2018, but the indictments have had no effect on the campaigns which have continued. Those individuals have yet to be brought to justice. The spear phishing campaigns usually recommence in September to coincide with the start of the new academic year. The hackers have developed many different phishing websites which are used in the campaigns, and while many of these sites are taken down, sufficient numbers are used to ensure the campaigns can continue. This year, the group is known to be using sites hosted in Iran, which could hamper efforts to have the sites shut down due...

Read More
Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA
Oct16

Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA

On October 2020 Patch Tuesday, Microsoft released a patch to correct a critical remove code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw concerns how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was assigned a CVSS v3 score of 9.8 out of 10. While all patches should be applied promptly to prevent exploitation, there is usually a delay between patches being released and exploits being developed and used offensively against organizations; however, due to the severity of the flaw and the ease at which it can be exploited, patching this vulnerability is especially important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) took to Twitter to urge all organizations to apply the patch immediately. An attacker could exploit the flaw remotely in a Denial of Service attack, resulting in a ‘blue screen of death’ system crash; however, exploitation could also allow the remote execution of arbitrary code on...

Read More
CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw
Oct13

CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw

A joint advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warning about sophisticated advanced persistent threat actors chaining exploits for multiple vulnerabilities in cyberattacks against federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support systems. While there have been successful attacks on the latter, no evidence has been found to suggest any election data have been compromised to date. Several legacy vulnerabilities are being targeted along with more recently discovered vulnerabilities, such as the Windows Server Netlogon remote protocol vulnerability – CVE-2020-1472 – also known as Zerologon. A patch for the flaw was issued by Microsoft on August 2020 Patch Tuesday but patching has been slow. Chaining vulnerabilities in a single cyberattack is nothing new. It is a common tactic used by sophisticated threat groups to compromise networks and applications, elevate privileges, and achieve persistent access to victims’...

Read More
CISA Issues Alert Following Increase in Emotet Malware Attacks
Oct07

CISA Issues Alert Following Increase in Emotet Malware Attacks

Following a period of dormancy between February 2020 and July 2020, the Emotet botnet sprang back to life and recommenced spam runs distributing the Emotet Trojan. Since August 2020, attacks on state and local governments have increased sharply, prompting the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to issue a cybersecurity alert for all industry sectors. The Emotet botnet resumed activity in July with a massive phishing campaign using messages with malicious Word attachments and hyperlinks. Since then, multiple spam runs have been conducted which typically consist of more than 500,000 emails. The Emotet Trojan is a dangerous banking Trojan which is used as a downloader of other types of malware, notably the TrickBot and Qbot Trojans. The secondary payloads in turn deliver other malware payloads, including Ryuk and Conti ransomware. One infected device could easily result in further infections across the network. Emotet infects other devices in a worm-like fashion, creating multiple copies of itself which are written to shared drives....

Read More
CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment
Oct05

CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a Telework Essentials Toolkit to help business leaders, IT staff, and end users transition to a permanent teleworking environment. The COVID-19 pandemic forced businesses to rapidly change from having a largely office-based workforce to allowing virtually all employees to work from home to reduce the risk of infection. The speed at which the transition had to be made potentially introduced security vulnerabilities that weakened organizational cybersecurity defenses. The CISA Toolkit is intended to provide support to organizations to help them re-evaluate and strengthen their cybersecurity defenses and fully transition into a long-term teleworking solution. The Toolkit includes three personalized modules that include best practices for executive leaders, IT professionals and teleworkers, and include the security considerations appropriate to each role. Executive leaders are provided with information to help them drive cybersecurity strategy, investment, and develop a cyber...

Read More
Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment
Oct02

Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions. “Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” Several individuals involved in ransomware attacks...

Read More
NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations
Sep25

NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5). This is the first time that NIST has updated the guidance since 2013 and is a complete renovation rather than a minor update. NIST explained that the updated guidance will “provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.” The updated guidance is the result of years of effort “to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices.” This is the first control catalog to be released worldwide that includes privacy and security controls in the same catalog. The guidance will help to protect organizations from diverse threats and risks, including cyberattacks, human error, natural disasters, privacy...

Read More
CISA Issues Alert Following Surge in LokiBot Malware Activity
Sep24

CISA Issues Alert Following Surge in LokiBot Malware Activity

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a surge in LokiBot malware activity over the past two months. LokiBot – also known as Lokibot, Loki PWS, and Loki-bot – first appeared in 2015 and is an information stealer used to steal credentials and other sensitive data from victim machines. The malware targets Windows and Android operating systems and employs a keylogger to capture usernames and passwords and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications and data sources, including Safari, Chrome, and Firefox web browsers, along with credentials for email accounts, FTP and sFTP clients. The malware is also capable of stealing other sensitive information and cryptocurrency wallets and can create backdoors in victims’ machines to provide persistent access, allowing the operators of the malware to deliver additional malicious payloads. The malware establishing a connection with its Command and Control Server and exfiltrates data via HyperText Transfer Protocol....

Read More
August 2020 Healthcare Data Breach Report
Sep22

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average. The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.     Largest Healthcare Data Breaches Reported in August 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud...

Read More
Hospital Ransomware Attack Results in Patient Death
Sep18

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records. Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 21 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner. The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could...

Read More
CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability
Sep18

CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released. If exploited, an attacker could gain access to a domain controller with administrator privileges. MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft. The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges. Microsoft is addressing the...

Read More
Vulnerabilities Identified in Philips Clinical Collaboration Platform
Sep18

Vulnerabilities Identified in Philips Clinical Collaboration Platform

5 low- to medium-severity vulnerabilities have been identified in the Philips Clinical Collaboration Platform (Vue PACS). If successfully exploited, an attacker could convince an authorized user to execute unauthorized actions or could result in the disclosure of information that could be used in further attacks. Philips has not received any reports to indicate exploits for the vulnerabilities have been developed or used in real world attacks, and there have been no reports of incidents from clinical use associated with the vulnerabilities. The vulnerabilities affect versions 12.2.1 and prior and range in severity from low (CVSS v3 base score 3.4) to medium (CVSS v3 base score 6.8). CVE-2020-16200 – Resource exposed to the wrong control sphere – Allows unauthorized access to the resource (CVSS 6.8) CVE-2020-16247 – Algorithm downgrade – A failure to control the allocation and maintenance of a limited resource, potentially leading to exhaustion of available resources. (CVSS 6.5) CVE-2020-16198 – Protection mechanism failure – Failure or insufficient checks to verify the identity...

Read More
CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups
Sep17

CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups

A hacking group with links to the Iranian government has been observed exploiting several vulnerabilities in attacks on U.S. organizations and government agencies, according to a recent joint cybersecurity advisory released by the Cybersecurity Security and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The alert closely follows a similar cybersecurity advisory warning about hackers linked to the Chinese government conducting attacks exploiting some of the same vulnerabilities. The Iranian hacking group, known as UNC757 and Pioneer Kitten, has been exploiting vulnerabilities in F5 networking solutions, Citrix NetScaler, and Pulse Secure VPNs to gain access to networks. The hacking group has also been observed using open source tools such as Nmap to identify vulnerabilities, such as open ports within vulnerable networks. Exploited Vulnerabilities Two vulnerabilities in Pulse Secure products are being exploited. The first, CVE-2019-11510, affects Pulse Secure Connect enterprise VPN servers and is a file reading vulnerability. The second is an...

Read More
CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws
Sep15

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies. The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful. The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack. Some of the most...

Read More
8 Vulnerabilities Identified in Philips Patient Monitoring Devices
Sep14

8 Vulnerabilities Identified in Philips Patient Monitoring Devices

8 low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices. Exploitation of the vulnerabilities could result in information disclosure, interrupted monitoring, denial of service, and an escape from the restricted environment with limited privileges. The vulnerabilities affect the following Philips patient monitoring devices: Patient Information Center iX (PICiX) Versions B.02, C.02, C.03 PerformanceBridge Focal Point Version A.01 IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior IntelliVue X3 and X2 Versions N and prior Vulnerabilities CVE-2020-16212 – CVSS 6.8/10 – Moderate Severity. A resource is exposed to wrong control sphere, which could allow an unauthorized individual to gain access to the resource and escape the restricted environment with limited privileges. Physical access to a vulnerable device is required to exploit the flaw. CVE-2020-16216 – CVSS 6.5/10 – Moderate Severity. The product does not validate or incorrectly validates input or data to ensure it has the necessary properties to allow it...

Read More
Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats
Sep08

Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats. NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks. Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include...

Read More
CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity
Sep07

CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks.  The guidance details best practices for detecting malicious activity and step by step instructions for investigating potential security incidents and securing compromised systems. The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such host-based artifacts, conduct a host analysis review and analysis of network activity, and take the right actions to mitigate a cyberattack. The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks...

Read More
Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers
Sep02

Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers

Two zero-day vulnerabilities in the IOS XR software used by Cisco Network Converging System carrier-grade routers are being actively exploited by hackers. The first attempts at exploitation of the vulnerabilities were detected by Cisco on August 25, 2020. While patches have yet to be released by Cisco to correct the vulnerabilities, there are workarounds that can be used to reduce the risk of the vulnerabilities being exploited. The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, are present in the distance vector multicast routing protocol (DVMRP) and affect all Cisco devices that use the IOS XR version of its Internetworking Operating System, if the software has been configured to use multicast routing. Multicast routing is used to save bandwidth and involves sending certain data in a single stream to multiple recipients. An unauthenticated attacker could exploit the flaws to exhaust the process memory of a device by remotely sending specially crafted internet group management protocol (IGMP) packets to the device. If the flaws are successfully exploited it would...

Read More
Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE
Sep01

Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19. The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days. The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of...

Read More
OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory
Aug27

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization. In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization. In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the...

Read More
Study Reveals Increase in Credential Theft via Spoofed Login Pages
Aug26

Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed. The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email. The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more. IRONSCALES researchers found the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. The brand with the most fake login pages – 11,000...

Read More
FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers
Aug24

FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers

An ongoing voice phishing (vishing) campaign is being conducted targeting remote workers from multiple industry sectors. The threat actors impersonate a trusted entity and use social engineering techniques get targets to disclose their corporate Virtual Private Network (VPN) credentials. The Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and infrastructure Security Agency (CISA) have issued a joint advisory about the campaign, which has been running since mid-July. The COVID-19 pandemic forced many employers to allow their entire workforce to work from home and connect to the corporate network using VPNs. If those credentials are obtained by cybercriminals, they can be used to access the corporate network. The threat group first purchases and registers domains that are used to host phishing pages that spoof the targeted company’s internal VPN login page and SSL certificates are obtained for the domains to make them appear authentic. Several naming schemes are used for the domains to make them appear legitimate, such as [company]-support, support-[company], and...

Read More
Millions of Devices Affected by Vulnerability in Thales Wireless IoT Modules
Aug21

Millions of Devices Affected by Vulnerability in Thales Wireless IoT Modules

A vulnerability in components used in millions of IoT devices could be exploited by hackers and used to steal sensitive information and gain control of vulnerable devices, which could then be used in attacks on internal networks. Thales components are used by more than 30,000 companies, whose products are used across a broad range of industry sectors including energy, telecommunications, and healthcare. The flaw exists in the Cinterion EHS8 M2M module, along with several other products in the same line (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The embedded modules provide processing power and allow devices to send and receive data over wireless mobile connections. The module is also used as a digital secure repository for sensitive information such as passwords, credentials and operational code. The flaw would allow an attacker to gain access to the contents of that repository. X-Force Red researchers discovered a method for bypassing security measures protecting code and files in the EHS8 module. “[The modules] store and run Java code, often containing confidential...

Read More
New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers
Aug21

New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers

A new peer-to-peer (P2P) botnet has been discovered that is targeting SSH servers found in IoT devices and routers which accept connections from remote computers. The botnet, named FritzFrog, spreads like a computer worm by brute forcing credentials. The botnet was analyzed by security researchers at Guardicore Labs and was found to have successfully breached more than 500 servers, with that number growing rapidly. FritzFrog is modular, multi-threaded, and fileless, and leaves no trace on the machines it infects. FritzFrog assembles and executes malicious payloads entirely in the memory, making infections hard to detect. When a machine is infected, a backdoor is created in the form of an SSH public key, which provides the attackers with persistent access to the device. Additional payloads can then be downloaded, such as a cryptocurrency miner. Once a machine is compromised, the self-replicating process starts to execute the malware throughout the host server. The machine is added to the P2P network, can receive and execute commands sent from the P2P network, and is used to...

Read More
Three Vulnerabilities Identified in Philips SureSigns Vital Signs Monitors
Aug21

Three Vulnerabilities Identified in Philips SureSigns Vital Signs Monitors

Three low- to medium-severity vulnerabilities have been identified in Philips SureSigns VS4 vital signs monitors. If exploited, an attacker could gain access to administrative controls and system configurations and alter settings to send sensitive patient data to a remote destination. The vulnerabilities were identified by the Cleveland Clinic, which reported the flaws to Philips. Philips is unaware of any public exploits for the vulnerabilities and no reports have been received to date to indicate any of the vulnerabilities have been exploited. The flaws have been categorized as improper input validation (CWE-20), Improper access control (CWE-284), and improper authentication (CWE-287). Philips SureSigns VS4 receives input or data, but there is a lack of input validation controls to check the input has the properties to allow the data to be processed safely and correctly. This vulnerability is tracked as CVE-2020-16237 and has been assigned a CVSS V3 base score of 2.1 out of 10. When a user claims to have a given identity, there are insufficient checks performed to prove that the...

Read More
Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed
Aug17

Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories. Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community. Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data. Exposed PII and PHI in Public GitHub Repositories Jelle Ursem is an ethical security...

Read More
NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses
Aug14

NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses

NIST has published the final version of its zero trust architecture guidance document (SP 800-207) to help private sector organizations apply this cybersecurity concept to improve their security posture. Zero trust is a concept that involves changing defenses from static, network-based perimeters to focus on users, assets, and resources. With zero trust, assets and user accounts are not implicitly trusted based on their physical or network location or asset ownership. Under the zero trust approach, authentication and authorization are discreet functions that occur with subjects and devices before a session is established with an enterprise resource. The use of credentials for gaining access to resources has been an effective security measure to prevent unauthorized access; however, credential theft – through phishing campaigns for instance – is now commonplace, so cybersecurity defenses need to evolve to better protect assets, services, workflows, and network accounts from these attacks. All too often, credentials are stolen and are used by threat actors to gain access to...

Read More
Patches Released to Fix Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server
Aug13

Patches Released to Fix Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server

Two critical flaws have been found in Citrix Endpoint Management (CEM) / XenMobile Server. The flaws could be exploited by an unauthenticated attacker to access domain account credentials, take full control of a vulnerable XenMobile Server, and access VPN, email, and web applications and obtain sensitive corporate and patient data. CEM/ XenMobile Server is used by many businesses to manage employees’ mobile devices, apply updates, manage security settings, and the toolkit is used to support many in-house applications. The nature of the flaws make it likely that hackers will move to develop exploits quickly, so immediate patching is essential. The two critical flaws are tracked as CVE-2020-8208 and CVE-2020-8209. Information has only been released on one of the critical flaws – CVE-2020-8209 – which is a path traversal vulnerability due to insufficient input validation. If exploited, an unauthenticated attacker could read arbitrary files on the server running an application. Those files include configuration files and encryption keys could be obtained, which would allow sensitive...

Read More
More Than 1,000 Companies Targeted in New Business Email Compromise Scam
Aug11

More Than 1,000 Companies Targeted in New Business Email Compromise Scam

More than 1,000 companies worldwide have been targeted in a business email compromise (BEC) campaign that has been running since March 2020. The scam was uncovered by researchers at Trend Micro who report that more than 800 sets of Office 365 credentials have been compromised so far. Trend Micro has attributed the campaign to a cybercriminal group called Water Nue. While the group is not particularly technically sophisticated, the attacks have proven to be successful and the gang is extremely proficient. Trend Micro identified the campaign when it appeared that a large number of email domains were being used to phish for credentials and most of the victims were individuals in high corporate positions. The attackers target the Office 365 accounts of executives, particularly those working in finance. Cloud-based email distribution services are used to send emails containing malicious hyperlinks that direct the recipient to a fake Office 365 login page. The emails claim a voicemail message has been left and a hyperlink is included that must be clicked to listen to the message....

Read More
FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System
Aug06

FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System

The FBI Cyber Division has issued a Private Industry Notification advising enterprises still using Windows 7 within their infrastructure to upgrade to a supported operating system due to the risk of security vulnerabilities in the Windows 7 operating system being exploited. The FBI has observed an increase in cyberattacks on unsupported operating systems once they reach end-of-life status. Any organization that is still using Windows 7 on devices faces an increased risk of cybercriminals exploiting vulnerabilities in the operating system to remotely gain network access. “As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” warned the FBI. The Windows 7 operating system reached end-of-life on January 14, 2020 and Microsoft stopped releasing free patches to correct known vulnerabilities. Microsoft is only providing security updates for Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate if users sign up for the Extended Security Update (ESU) program. The ESU program will only run...

Read More
CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT
Aug05

CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns. Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT which is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government. CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location and gain persistent access to victims’ networks and for further network exploitation. Two versions of the malware have been identified which are being used to target 32-bit and 64-bit systems. Taidoor is downloaded onto victims’ systems as a service dynamic link library (DLL) and consists of two...

Read More
Vulnerability Identified in Philips DreamMapper Software
Aug03

Vulnerability Identified in Philips DreamMapper Software

A vulnerability has been identified in Philips DreamMapper software, a mobile app that is used to monitor and manage sleep apnea. The app is not used to provide therapy to patients, so exploitation of the flaw does not place patient safety at risk, but the vulnerability could be exploited to gain access to log files, obtain guidance from the information in the log files, and insert additional data. The vulnerability was identified by Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH. The flaw was reported to the Federal Office for Information Security (BSI) in Germany, who alerted Philips to the vulnerability. Philips alerted the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) about the flaw under its responsible disclosure policy, and CISA issued an advisory about the flaw on July 30, 2020. The vulnerability affects version 2.24 and prior versions of the software and is being tracked as CVE-2020-14518. The flaw has been assigned a CVSS v3 base score of 5.3 out of 10 – Medium...

Read More
$53 Million Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data
Jul30

$53 Million Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data

There is a considerable weight of evidence suggesting nation state hacking groups are targeting organizations involved in COVID-19 research and vaccine development to obtain information to further the research programs in their respective countries. Security agencies in the United States, Canada and United Kingdom have recently warned that there is strong evidence that state-sponsored hacking groups linked to Russia, China, and Iran are conducting attacks to obtain COVID-19 research data, and earlier this month the U.S. Department of Justice indicted two Chinese nationals for hacking into the networks of U.S. organizations over a 10-year period, with recent hacks conducted to obtain COVID-19 vaccine research data. Director of CISA, Christopher Krebs confirmed this week that research organizations working on vaccines are vulnerable to attack and that their hardware, software, and services are already under stress due to the increase in teleworking due to the pandemic.  A recent study conducted by BitSight on biomedical companies revealed many have unaddressed vulnerabilities that...

Read More
FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks
Jul30

FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving Netwalker ransomware. Netwalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services. The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research. The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities...

Read More
IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs
Jul29

IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs

The 2020 Cost of Data Breach Report from IBM Security has been released and reveals there has been a slight reduction in global data breach costs, falling to $3.86 million per breach from $3.92 million in 2019 – A reduction of 1.5%. There was considerable variation in data breach costs in different regions and industries. Organizations in the United States faced the highest data breach costs, with a typical breach costing $8.64 million, up 5.5% from 2019. COVID-19 Expected to Increase Data Breach Costs This is the 15th year that IBM Security has conducted the study. The research was conducted by the Ponemon Institute, and included data from 524 breached organizations, and 3,200 individuals were interviewed across 17 countries and regions and 17 industry sectors. Research for the report was conducted between August 2019 and April 2020. The research was mostly conducted before the COVID-19 pandemic, which is likely to have an impact on data breach costs. To explore how COVID-19 is likely to affect the cost of a data breaches, the Ponemon Institute re-contacted study participants to...

Read More
FBI Warns of Increase in Destructive Distributed Denial of Service Attacks and Risk of Malware in Chinese Tax Software
Jul27

FBI Warns of Increase in Destructive Distributed Denial of Service Attacks and Risk of Malware in Chinese Tax Software

The FBI’s Cyber Division has issued two recent cybersecurity alerts, the first following an increase in destructive Distributed Denial of Service (DDoS) on U.S. companies and the second concerns the risk of malware infections when installing Chinese tax software. Increase in Destructive DDoS Attacks on US Networks Cybercriminals have been exploiting new built-in network protocols to conduct amplified destructive DDoS attacks on US networks.  Three network protocols have been developed for use in devices such as smartphones, Macs, and IoT devices, which are being leveraged by cybercriminals in the DDoS attacks. The protocols – CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), and ARMS (Apple Remote Management Service) have already been leveraged to conduct massive real-world DDoS attacks. The alert also covers the built-in network protocol used by Jenkins servers, which could also potentially be used in similar attacks, although the vulnerability has not currently been exploited in the wild. Jenkins is an open source server used by software...

Read More
Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks
Jul23

Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks

The biomedical community is working hard to develop vaccines against SARS-CoV-2 and discover new treatments for COVID-19 and nation-state hackers and cybercriminal organizations are targeting those organizations to gain access to their research data. Recently, security agencies in the United States, Canada, and the United Kingdom issued alerts about state-sponsored Russian hackers targeting organizations involved in COVID-19 research and vaccine development. The security agencies had found evidence that the Russian hacking group APT29 was actively conducting scans against the external IP addresses of companies engaged in COVID-19 research and vaccine development, and that it was almost certain that the hackers were working with the Russian intelligence services. An joint alert was also issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI indicating hackers linked to China were conducting similar attacks on pharmaceutical companies and academic research facilities to obtain intellectual property and sensitive data related to...

Read More
Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails
Jul21

Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails

The Emotet botnet has been reactivated after a 5-month period of dormancy and is being used to send large volumes of spam emails to organizations in the United States and United Kingdom. The Emotet botnet is a network of compromised computers that have been infected with Emotet malware. Emotet malware is an information stealer and malware downloader that has been used to distribute a variety of banking Trojans, including the TrickBot Trojan. Emotet hijacks email accounts and uses them to send spam emails containing malicious links and email attachments, commonly Word documents and Excel spreadsheets containing malicious macros. If the macros are allowed to run, a PowerShell script is launched that silently downloads Emotet malware. Emotet malware can also spread to other devices on the network and all infected devices are added to the botnet. The emails being used in the campaign are similar to previous campaigns. They use fairly simple, yet effective lures to target businesses, typically fake invoices, purchase orders, receipts, and shipping notifications. The messages often only...

Read More
70% of Companies Have Suffered a Public Cloud Data Breach in the Past Year
Jul20

70% of Companies Have Suffered a Public Cloud Data Breach in the Past Year

A recent study conducted by Sophos has revealed 96% of companies are concerned about the state of their public cloud security. There appears to be a valid cause for that concern, as 70% of companies that host data or workloads in the cloud have experienced a breach of their public cloud environment in the past year. The most common attack types were malware (34%), followed by exposed data (29%), ransomware (28%), account compromises (25%), and cryptojacking (17%). Data for the study came from a survey conducted by Vanson Bourne on 3,521 IT managers in 26 countries including the United States, Canada, France, Germany, India, and the United Kingdom. More than 10 industry sectors were represented.  Respondents used one or more public clouds from Azure, Oracle Cloud, AWS, VMWare Cloud on AWS, Alibaba Cloud, Google Cloud and IBM Cloud. The findings of the survey were published in the Sophos report: The State of Cloud Security 2020. The biggest areas of concern are data loss, detection and response and multi-cloud management. Companies that use two or more public cloud providers...

Read More
Russian APT Group is Targeting Organizations Involved in COVID-19 Research
Jul17

Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, aka Cozy Bear, is targeting healthcare organizations, pharma firms, and research entities in the United States, United Kingdom, and Canada and is attempting to steal COVID-19 research data and information about vaccine development. On July 16, 2020, a joint advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), UK National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) to raise awareness of the threat. APT29 is a cyber espionage group that is almost certainly part of the Russian intelligence services. The group primarily targets government entities, think-tanks, diplomatic and energy targets in order to steal sensitive data. The group has been highly active during the COVID-19 pandemic and has conducted multiple attacks on entities involved COVID-19 research and vaccine development. The group conducts widespread scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain a foothold in vulnerable systems. The group has...

Read More
Vulnerability Identified in Capsule Technologies SmartLinx Neuron 2 Medical Information Collection Devices
Jul16

Vulnerability Identified in Capsule Technologies SmartLinx Neuron 2 Medical Information Collection Devices

A high severity flaw has been identified in Capsule Technologies SmartLinx Neuron 2 medical information collection devices running version 6.9.1 of the software. SmartLinx Neuron 2 is a bedside mobile clinical computer that automatically collects vital signs data and connects to hospitals’ medical device information systems. The flaw, tracked as CVE-2019-5024, is a restricted environment escape vulnerability due to the failure of a protection mechanism in kiosk mode. The flaw is present in all versions of Capsule Technologies SmartLinx Neuron 2 prior to version 9.0. Kiosk mode is a restricted environment that prevents users from exiting the running applications and accessing the underlying operating system. By exploiting the flaw, an attacker can exit kiosk mode and access the underlying operating system with full administrative rights. That could allow the attacker to gain full control of a trusted device on the hospital’s internal network. To exploit the flaw an attacker would need to have physical access to the device. The flaw could be exploited by connecting to the device...

Read More
Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability
Jul16

Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability

Microsoft has released a patch to correct a 17-year old wormable remote code execution vulnerability in Windows DNS Server. The flaw can be exploited remotely, requires little skill to exploit, and could allow an attacker to take full control of an organization’s entire IT infrastructure. The vulnerability, CVE-2020-1350, was discovered by security researchers at Check Point who named the flaw SIGRed. The vulnerability is present on all Windows Server versions from 2003 to 2019 and has been assigned the maximum CVSS v3 score of 10 out of 10. The flaw is wormable, which means an attacker could exploit the vulnerability on all vulnerable servers on the network after an initial attack, with no user interaction required. The flaw is due to how the Windows Domain Name System servers handle requests and affects all Windows servers that have been configured as DNS servers. The flaw can be exploited remotely by sending a specially crafted request to the Windows DNS Server. The DNS serves as a phone book for the internet and is used to link an IP address to a domain name, which allows that...

Read More
At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020
Jul15

At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020

The New Zealand-based cybersecurity firm Emsisoft has released ransomware statistics for 2020 that show there have been at least 41 successful ransomware attacks on hospitals and other healthcare providers in the first half of the year. There were 128 successful ransomware attacks on federal and state entities, healthcare providers, and educational institutions in the first 6 months of 2020, with the healthcare industry accounting for 32% of those attacks. The large number of ransomware attacks in 2020 follows on from a spike in attacks in late 2019. 2019 saw more than double the number of ransomware attacks as 2018, attacks on healthcare providers increased by 350% in the final quarter of 2019. 966 entities were successfully attacked with ransomware across all industry sectors in 2019 and those attacks are estimated to have cost $7.5 billion. 2020 started badly for the healthcare industry with 10 successful ransomware attacks on healthcare providers in January, followed by a further 16 successful ransomware attacks in February. There was a marked decrease in attacks in March as...

Read More
FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor
Jul09

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks. Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and a user is passed through a series of nodes in a random path to a destination server. When a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, rather than their own IP address being recorded, the IP address of the exit node is recorded. Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, and deploy malware, ransomware, and conduct...

Read More
Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps
Jul09

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft.  The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll. Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links. When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The...

Read More
NSA Issues Guidance on Securing IPsec Virtual Private Networks
Jul07

NSA Issues Guidance on Securing IPsec Virtual Private Networks

The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working. While IPsec VPNs can ensure sensitive data in traffic is protected against unauthorized access through the use of cryptography, if IPsec VPNs are not correctly configured they can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs and flaws and misconfigurations have been exploited to gain access to corporate networks to steal sensitive information and deploy malware and ransomware. The NSA warns that maintaining a secure VPN tunnel can be complex and regular maintenance is required. As with all software, regular software updates are required. Patches should be applied on VPN gateways and clients as soon as possible to prevent...

Read More
Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software
Jul06

Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been identified in the remote access system, Apache Guacamole.  Apache Guacamole has been adopted by many companies to allow administrators and employees to access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products such as Fortress, Quali, and Fortigate and is one of the most prominent tools on the market with more than 10 million Docker downloads. Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two. Check Point Research...

Read More
Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System
Jul03

Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System

12 vulnerabilities have been identified in the open source integrated hospital information management system, OpenClinic GA. OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions. Brian D. Hysell has been credited with finding the vulnerabilities, three of which are rated critical and 6 are rated high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code. The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and there are public exploits for some of the flaws. The vulnerabilities have been assigned CVSS v3 base codes ranging from 5.4 to 9.8. The flaws were identified in OpenClinic GA Versions 5.09.02 and 5.89.05b. The most serious flaws include: CVE-2020-14495...

Read More
University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack
Jun29

University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption. UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack. The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the...

Read More
Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability
Jun26

Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability

Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688. Microsoft released an update to correct the vulnerability in February 2020 and an alert was issued in March when the flaw started to be exploited by APT groups, yet even though the vulnerability was being actively exploited in the wild, patching was still slow. Now Microsoft has detected a surge in attacks on vulnerable Exchange servers and is advising all Exchange customers to ensure the flaw is patched immediately. Any vulnerability in Microsoft Exchange should be treated as high priority. By exploiting Exchange flaws, an attacker can gain access to the email system, which often contains an extensive amount of highly sensitive information, and often protected health information in healthcare. As is the case with this vulnerability, attackers can gain access to highly privileged accounts and not only compromise the entire email system, but also gain administrative rights to the server and from there take control of the network....

Read More
Vulnerability identified in Philips Ultrasound Systems
Jun26

Vulnerability identified in Philips Ultrasound Systems

Philips has discovered an authentication bypass issue affecting Philips Ultrasound Systems that could potentially be exploited by an attacker to view or modify information. The flaw is due to the presence of an alternative path or channel that can be used to bypass authentication controls. The flaw has been assigned CVE-2020-14477 but is considered a low severity flaw and has been assigned a CVSS v3 base score of 3.6 out of 10. To exploit the vulnerability, an attacker would require local access to a vulnerable system. The vulnerability cannot be exploited remotely and does not place patient safety at risk. The flaw affects the following Philips Ultrasound Systems: Ultrasound ClearVue Versions 3.2 and prior Ultrasound CX Versions 5.0.2 and prior Ultrasound EPIQ/Affiniti Versions VM5.0 and prior Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions The flaw has been corrected for Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips representative for further information on installing the update. Users of...

Read More
May 2020 Healthcare Data Breach Report
Jun23

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.   Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has...

Read More
Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches
Jun23

Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches

More companies are now completing their digital transformations and are taking advantage of the flexibility, scalability, and cost savings provided by public cloud environments, but securing public clouds can be a major challenge. One of the main factors that has stopped companies from taking advantage of the public cloud has been security. Security teams often feel protecting an on-premise data center is much easier than protecting data in public clouds, although many are now being won over and understand that public clouds can be protected just as easily. Public cloud providers now offer a range of security tools that can help companies secure their cloud environments. While these offerings can certainly make cloud security more straightforward, organizations must still ensure that their cloud services are configured correctly, identities and access rights are correctly managed, and they have full visibility into all of their cloud workloads. Cloud security vendor Ermetic recently commissioned IDC to conduct a survey of CISOs to explore the challenges associated with cloud...

Read More
Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices
Jun22

Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued medical advisories about vulnerabilities in medical devices manufactured by Baxter, Becton, Dickinson and Company (BD), and BIOTRONIK. The following products are affected: Baxter PrismaFlex (all versions) Baxter PrisMax (all versions prior to 3.x) Baxter ExactaMix EM 2400 (Versions 1.10, 1.11, 1.13, 1.14) Baxter ExactaMix EM 1200 (Versions 1.1, 1.2, 1.4, 1.5) Baxter Phoenix Hemodialysis Delivery System (SW 3.36 and 3.40) Baxter Sigma Spectrum Infusion Pumps (see below) BIOTRONIK CardioMessenger II-S T-Line (T4APP 2.20) BIOTRONIK CardioMessenger II-S GSM (T4APP 2.20) BD Alaris PCU (Versions 9.13, 9.19, 9.33, and 12.1) Before implementing any defensive measures it is important to conduct an impact analysis and risk assessment. Baxter PrismaFlex and PrisMax Three vulnerabilities have been identified in Baxter PrismaFlex and PrisMax systems that could allow an attacker to obtain sensitive data, although network access would first be required. The vulnerabilities are: CVE-2020-12036 – Cleartext transmission of...

Read More
CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs
Jun19

CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about an ongoing Nefilim ransomware campaign, following the release of a security advisory by the New Zealand Computer Emergency Response Team (CERT NZ). Nefilim ransomware is the successor of Nemty ransomware and was first discovered in February 2020. In contrast to Nemty, Nefilim ransomware is not distributed under the ransomware-as-a-service model. The developers of the ransomware conduct their own attacks and deploy the ransomware manually after gaining access to enterprise networks. As with other manual ransomware groups, data is stolen from victims prior to deploying the ransomware. The group then threatens to publish or sell the stolen data if the ransom demand is not met. The group responsible for the attacks gains access to enterprise networks by exploiting vulnerabilities in remote desktop protocol (RDP) and virtual private networks (VPNs). The group uses brute force tactics to exploit weak authentication and the lack of multi-factor authentication, and also exploits unpatched...

Read More
Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices
Jun17

Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices

19 zero-day vulnerabilities have been identified in the TCP/IP communication software library developed by Treck Inc. which impact hundreds of millions of connected devices across virtually all industry sectors, including healthcare. Treck is a Cincinnatti, OH-based company that develops low-level network protocols for embedded devices. The company may not be widely known, but its software library has been used in internet-enabled devices for decades. The code is used in many low-power IoT devices and real-time operating systems due to its high performance and reliability and is used in industrial control systems, printers, medical infusion pumps and many more. The vulnerabilities were identified by security researchers at the Israeli cybersecurity company JSOF, who named the vulnerabilities Ripple20 because of the supply chain ripple effect. A vulnerability in small component can have wide reaching consequences and can affect a huge number of companies and products. In the case of Ripple20, companies affected include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar,...

Read More
Misconfigured Public Cloud Databases are Found and Attacked Within Hours
Jun11

Misconfigured Public Cloud Databases are Found and Attacked Within Hours

Misconfigured public cloud databases are often discovered by security researchers. Misconfigurations that leave cloud data exposed could be due to a lack of understanding about cloud security or policies, poor oversight to identify errors, or negligent behavior by insiders to name but a few. A recent report from Trend Micro revealed cloud misconfigurations were the number one cause of cloud security issues. Security researchers at Comparitech often discover unsecured cloud resources, commonly Elasticsearch instances and unsecured AWS S3 buckets. When the unsecured cloud databases are discovered, the owners are identified and notified to ensure data is secured quickly. Providing the owner can be identified, the databases are usually secured within a matter of hours, but there have been several cases where the database owner has been contacted but no response is received, and it is not always apparent to whom the data belongs. In these cases, data can be left exposed online for several days or even weeks. During that time, the databases remain unprotected and can be accessed and...

Read More
Attacks on Cloud Services Increased by 630% Between January and April
Jun10

Attacks on Cloud Services Increased by 630% Between January and April

COVID-19 has forced businesses to close their offices and allow employees to work from home. Cloud services have been provisioned to support home working and communication solutions such as Zoom, Cisco WebEx, and Microsoft Teams have allowed remote workers in collaborate effectively. A recently published report from cybersecurity company McAfee shows business use of cloud services increased by 50% in the first 4 months of 2020 and collaboration services saw an increase of 600% in usage during the same period. These solutions have allowed businesses to continue to operate, and many have reported productivity has actually improved during the pandemic; however, the rapid change to a largely at-home workforce has introduced vulnerabilities and cybercriminals have taken advantage. Attacks on Cloud Services Have Surged During the Pandemic An analysis of data from over 30 million McAfee cloud customers revealed cyberattacks on cloud services increased by 630% between January and April, 2020. Threats to cloud services were split into two main categories: Excessive usage from an anomalous...

Read More
Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability
Jun09

Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability

A functional proof of concept (PoC) exploit for a critical remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol has been released and is being used by malicious cyber actors to attack vulnerable systems, according to an alert issued by the DHS Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, referred to as SMBGhost, is due to the way the SMBv3 protocol handles certain requests. If exploited, a malicious cyber actor could remotely execute code on a vulnerable server or client by sending a specially crafted packet to a targeted SMBv3 server. An attack against a client would also be possible if an attacker configured a malicious SMBv3 server and convinced a user to connect to it. The vulnerability could be exploited to spread malware from one vulnerable system to another in a similar fashion to the SMBv1 vulnerability that was exploited in the 2017 WannaCry ransomware attacks. No user interaction is required to exploit the flaw on vulnerable SMBv3 servers. The flaw – tracked as CVE-2020-0796 – is present in Windows...

Read More
Voicemail Phishing Scam Identified Targeting Remote Healthcare Workers
Jun08

Voicemail Phishing Scam Identified Targeting Remote Healthcare Workers

The COVID-19 pandemic has forced many companies to change working practices and allow large numbers of employees to work remotely from home. In healthcare, employees have been allowed to work remotely and provide telehealth services to patients. While this move is important for virus control and to ensure patients still have access to the medical services they need, remote working introduces cybersecurity risks and cybercriminals are taking advantage. There has been a significant rise in cyberattacks targeting remote workers over the past three months. A variety of tactics are being used to trick remote workers into installing malware or divulging credentials, now a new method has been uncovered by cybersecurity firm IRONSCALES. In a recent report, IRONSCALES revealed threat actors are spoofing messages automatically generated by Private Branch Exchange (PBX) systems to steal credentials. PBX is a legacy phone system used by many enterprises to automate the handling of calls. One of the features of these systems is the ability to record voicemail messages and send recordings...

Read More
Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign
Jun05

Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials. Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home. Virtual private networks (VPNs) are used to support telehealth services and provide secure access the network and patient data. Several vulnerabilities have been identified in VPNs which are being exploited by threat actors to gain access to corporate networks to steal sensitive data and deploy malware and ransomware. It is therefore essential for VPN systems to be patched promptly and for VPN clients on employee laptops to be updated. Employees may therefore be used to updating their VPN. Researchers at Abnormal Security have identified a phishing campaign that impersonates a user’s organization and claims there is a problem with the VPN configuration that must be addressed to allow...

Read More