Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations
Sep25

NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5). This is the first time that NIST has updated the guidance since 2013 and is a complete renovation rather than a minor update. NIST explained that the updated guidance will “provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.” The updated guidance is the result of years of effort “to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices.” This is the first control catalog to be released worldwide that includes privacy and security controls in the same catalog. The guidance will help to protect organizations from diverse threats and risks, including cyberattacks, human error, natural disasters, privacy...

Read More
CISA Issues Alert Following Surge in LokiBot Malware Activity
Sep24

CISA Issues Alert Following Surge in LokiBot Malware Activity

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a surge in LokiBot malware activity over the past two months. LokiBot – also known as Lokibot, Loki PWS, and Loki-bot – first appeared in 2015 and is an information stealer used to steal credentials and other sensitive data from victim machines. The malware targets Windows and Android operating systems and employs a keylogger to capture usernames and passwords and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications and data sources, including Safari, Chrome, and Firefox web browsers, along with credentials for email accounts, FTP and sFTP clients. The malware is also capable of stealing other sensitive information and cryptocurrency wallets and can create backdoors in victims’ machines to provide persistent access, allowing the operators of the malware to deliver additional malicious payloads. The malware establishing a connection with its Command and Control Server and exfiltrates data via HyperText Transfer Protocol....

Read More
August 2020 Healthcare Data Breach Report
Sep22

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average. The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.     Largest Healthcare Data Breaches Reported in August 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud...

Read More
Hospital Ransomware Attack Results in Patient Death
Sep18

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records. Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 21 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner. The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could...

Read More
CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability
Sep18

CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released. If exploited, an attacker could gain access to a domain controller with administrator privileges. MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft. The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges. Microsoft is addressing the...

Read More
Vulnerabilities Identified in Philips Clinical Collaboration Platform
Sep18

Vulnerabilities Identified in Philips Clinical Collaboration Platform

5 low- to medium-severity vulnerabilities have been identified in the Philips Clinical Collaboration Platform (Vue PACS). If successfully exploited, an attacker could convince an authorized user to execute unauthorized actions or could result in the disclosure of information that could be used in further attacks. Philips has not received any reports to indicate exploits for the vulnerabilities have been developed or used in real world attacks, and there have been no reports of incidents from clinical use associated with the vulnerabilities. The vulnerabilities affect versions 12.2.1 and prior and range in severity from low (CVSS v3 base score 3.4) to medium (CVSS v3 base score 6.8). CVE-2020-16200 – Resource exposed to the wrong control sphere – Allows unauthorized access to the resource (CVSS 6.8) CVE-2020-16247 – Algorithm downgrade – A failure to control the allocation and maintenance of a limited resource, potentially leading to exhaustion of available resources. (CVSS 6.5) CVE-2020-16198 – Protection mechanism failure – Failure or insufficient checks to verify the identity...

Read More
CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups
Sep17

CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups

A hacking group with links to the Iranian government has been observed exploiting several vulnerabilities in attacks on U.S. organizations and government agencies, according to a recent joint cybersecurity advisory released by the Cybersecurity Security and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The alert closely follows a similar cybersecurity advisory warning about hackers linked to the Chinese government conducting attacks exploiting some of the same vulnerabilities. The Iranian hacking group, known as UNC757 and Pioneer Kitten, has been exploiting vulnerabilities in F5 networking solutions, Citrix NetScaler, and Pulse Secure VPNs to gain access to networks. The hacking group has also been observed using open source tools such as Nmap to identify vulnerabilities, such as open ports within vulnerable networks. Exploited Vulnerabilities Two vulnerabilities in Pulse Secure products are being exploited. The first, CVE-2019-11510, affects Pulse Secure Connect enterprise VPN servers and is a file reading vulnerability. The second is an...

Read More
CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws
Sep15

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies. The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful. The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack. Some of the most...

Read More
8 Vulnerabilities Identified in Philips Patient Monitoring Devices
Sep14

8 Vulnerabilities Identified in Philips Patient Monitoring Devices

8 low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices. Exploitation of the vulnerabilities could result in information disclosure, interrupted monitoring, denial of service, and an escape from the restricted environment with limited privileges. The vulnerabilities affect the following Philips patient monitoring devices: Patient Information Center iX (PICiX) Versions B.02, C.02, C.03 PerformanceBridge Focal Point Version A.01 IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior IntelliVue X3 and X2 Versions N and prior Vulnerabilities CVE-2020-16212 – CVSS 6.8/10 – Moderate Severity. A resource is exposed to wrong control sphere, which could allow an unauthorized individual to gain access to the resource and escape the restricted environment with limited privileges. Physical access to a vulnerable device is required to exploit the flaw. CVE-2020-16216 – CVSS 6.5/10 – Moderate Severity. The product does not validate or incorrectly validates input or data to ensure it has the necessary properties to allow it...

Read More
Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats
Sep08

Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats. NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks. Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include...

Read More
CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity
Sep07

CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks.  The guidance details best practices for detecting malicious activity and step by step instructions for investigating potential security incidents and securing compromised systems. The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such host-based artifacts, conduct a host analysis review and analysis of network activity, and take the right actions to mitigate a cyberattack. The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks...

Read More
Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers
Sep02

Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers

Two zero-day vulnerabilities in the IOS XR software used by Cisco Network Converging System carrier-grade routers are being actively exploited by hackers. The first attempts at exploitation of the vulnerabilities were detected by Cisco on August 25, 2020. While patches have yet to be released by Cisco to correct the vulnerabilities, there are workarounds that can be used to reduce the risk of the vulnerabilities being exploited. The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, are present in the distance vector multicast routing protocol (DVMRP) and affect all Cisco devices that use the IOS XR version of its Internetworking Operating System, if the software has been configured to use multicast routing. Multicast routing is used to save bandwidth and involves sending certain data in a single stream to multiple recipients. An unauthenticated attacker could exploit the flaws to exhaust the process memory of a device by remotely sending specially crafted internet group management protocol (IGMP) packets to the device. If the flaws are successfully exploited it would...

Read More
Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE
Sep01

Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19. The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days. The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of...

Read More
OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory
Aug27

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization. In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization. In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the...

Read More
Study Reveals Increase in Credential Theft via Spoofed Login Pages
Aug26

Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed. The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email. The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more. IRONSCALES researchers found the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. The brand with the most fake login pages – 11,000...

Read More
FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers
Aug24

FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers

An ongoing voice phishing (vishing) campaign is being conducted targeting remote workers from multiple industry sectors. The threat actors impersonate a trusted entity and use social engineering techniques get targets to disclose their corporate Virtual Private Network (VPN) credentials. The Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and infrastructure Security Agency (CISA) have issued a joint advisory about the campaign, which has been running since mid-July. The COVID-19 pandemic forced many employers to allow their entire workforce to work from home and connect to the corporate network using VPNs. If those credentials are obtained by cybercriminals, they can be used to access the corporate network. The threat group first purchases and registers domains that are used to host phishing pages that spoof the targeted company’s internal VPN login page and SSL certificates are obtained for the domains to make them appear authentic. Several naming schemes are used for the domains to make them appear legitimate, such as [company]-support, support-[company], and...

Read More
Millions of Devices Affected by Vulnerability in Thales Wireless IoT Modules
Aug21

Millions of Devices Affected by Vulnerability in Thales Wireless IoT Modules

A vulnerability in components used in millions of IoT devices could be exploited by hackers and used to steal sensitive information and gain control of vulnerable devices, which could then be used in attacks on internal networks. Thales components are used by more than 30,000 companies, whose products are used across a broad range of industry sectors including energy, telecommunications, and healthcare. The flaw exists in the Cinterion EHS8 M2M module, along with several other products in the same line (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The embedded modules provide processing power and allow devices to send and receive data over wireless mobile connections. The module is also used as a digital secure repository for sensitive information such as passwords, credentials and operational code. The flaw would allow an attacker to gain access to the contents of that repository. X-Force Red researchers discovered a method for bypassing security measures protecting code and files in the EHS8 module. “[The modules] store and run Java code, often containing confidential...

Read More
New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers
Aug21

New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers

A new peer-to-peer (P2P) botnet has been discovered that is targeting SSH servers found in IoT devices and routers which accept connections from remote computers. The botnet, named FritzFrog, spreads like a computer worm by brute forcing credentials. The botnet was analyzed by security researchers at Guardicore Labs and was found to have successfully breached more than 500 servers, with that number growing rapidly. FritzFrog is modular, multi-threaded, and fileless, and leaves no trace on the machines it infects. FritzFrog assembles and executes malicious payloads entirely in the memory, making infections hard to detect. When a machine is infected, a backdoor is created in the form of an SSH public key, which provides the attackers with persistent access to the device. Additional payloads can then be downloaded, such as a cryptocurrency miner. Once a machine is compromised, the self-replicating process starts to execute the malware throughout the host server. The machine is added to the P2P network, can receive and execute commands sent from the P2P network, and is used to...

Read More
Three Vulnerabilities Identified in Philips SureSigns Vital Signs Monitors
Aug21

Three Vulnerabilities Identified in Philips SureSigns Vital Signs Monitors

Three low- to medium-severity vulnerabilities have been identified in Philips SureSigns VS4 vital signs monitors. If exploited, an attacker could gain access to administrative controls and system configurations and alter settings to send sensitive patient data to a remote destination. The vulnerabilities were identified by the Cleveland Clinic, which reported the flaws to Philips. Philips is unaware of any public exploits for the vulnerabilities and no reports have been received to date to indicate any of the vulnerabilities have been exploited. The flaws have been categorized as improper input validation (CWE-20), Improper access control (CWE-284), and improper authentication (CWE-287). Philips SureSigns VS4 receives input or data, but there is a lack of input validation controls to check the input has the properties to allow the data to be processed safely and correctly. This vulnerability is tracked as CVE-2020-16237 and has been assigned a CVSS V3 base score of 2.1 out of 10. When a user claims to have a given identity, there are insufficient checks performed to prove that the...

Read More
Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed
Aug17

Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories. Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community. Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data. Exposed PII and PHI in Public GitHub Repositories Jelle Ursem is an ethical security...

Read More
NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses
Aug14

NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses

NIST has published the final version of its zero trust architecture guidance document (SP 800-207) to help private sector organizations apply this cybersecurity concept to improve their security posture. Zero trust is a concept that involves changing defenses from static, network-based perimeters to focus on users, assets, and resources. With zero trust, assets and user accounts are not implicitly trusted based on their physical or network location or asset ownership. Under the zero trust approach, authentication and authorization are discreet functions that occur with subjects and devices before a session is established with an enterprise resource. The use of credentials for gaining access to resources has been an effective security measure to prevent unauthorized access; however, credential theft – through phishing campaigns for instance – is now commonplace, so cybersecurity defenses need to evolve to better protect assets, services, workflows, and network accounts from these attacks. All too often, credentials are stolen and are used by threat actors to gain access to...

Read More
Patches Released to Fix Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server
Aug13

Patches Released to Fix Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server

Two critical flaws have been found in Citrix Endpoint Management (CEM) / XenMobile Server. The flaws could be exploited by an unauthenticated attacker to access domain account credentials, take full control of a vulnerable XenMobile Server, and access VPN, email, and web applications and obtain sensitive corporate and patient data. CEM/ XenMobile Server is used by many businesses to manage employees’ mobile devices, apply updates, manage security settings, and the toolkit is used to support many in-house applications. The nature of the flaws make it likely that hackers will move to develop exploits quickly, so immediate patching is essential. The two critical flaws are tracked as CVE-2020-8208 and CVE-2020-8209. Information has only been released on one of the critical flaws – CVE-2020-8209 – which is a path traversal vulnerability due to insufficient input validation. If exploited, an unauthenticated attacker could read arbitrary files on the server running an application. Those files include configuration files and encryption keys could be obtained, which would allow sensitive...

Read More
More Than 1,000 Companies Targeted in New Business Email Compromise Scam
Aug11

More Than 1,000 Companies Targeted in New Business Email Compromise Scam

More than 1,000 companies worldwide have been targeted in a business email compromise (BEC) campaign that has been running since March 2020. The scam was uncovered by researchers at Trend Micro who report that more than 800 sets of Office 365 credentials have been compromised so far. Trend Micro has attributed the campaign to a cybercriminal group called Water Nue. While the group is not particularly technically sophisticated, the attacks have proven to be successful and the gang is extremely proficient. Trend Micro identified the campaign when it appeared that a large number of email domains were being used to phish for credentials and most of the victims were individuals in high corporate positions. The attackers target the Office 365 accounts of executives, particularly those working in finance. Cloud-based email distribution services are used to send emails containing malicious hyperlinks that direct the recipient to a fake Office 365 login page. The emails claim a voicemail message has been left and a hyperlink is included that must be clicked to listen to the message....

Read More
FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System
Aug06

FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System

The FBI Cyber Division has issued a Private Industry Notification advising enterprises still using Windows 7 within their infrastructure to upgrade to a supported operating system due to the risk of security vulnerabilities in the Windows 7 operating system being exploited. The FBI has observed an increase in cyberattacks on unsupported operating systems once they reach end-of-life status. Any organization that is still using Windows 7 on devices faces an increased risk of cybercriminals exploiting vulnerabilities in the operating system to remotely gain network access. “As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” warned the FBI. The Windows 7 operating system reached end-of-life on January 14, 2020 and Microsoft stopped releasing free patches to correct known vulnerabilities. Microsoft is only providing security updates for Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate if users sign up for the Extended Security Update (ESU) program. The ESU program will only run...

Read More
CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT
Aug05

CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns. Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT which is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government. CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location and gain persistent access to victims’ networks and for further network exploitation. Two versions of the malware have been identified which are being used to target 32-bit and 64-bit systems. Taidoor is downloaded onto victims’ systems as a service dynamic link library (DLL) and consists of two...

Read More
Vulnerability Identified in Philips DreamMapper Software
Aug03

Vulnerability Identified in Philips DreamMapper Software

A vulnerability has been identified in Philips DreamMapper software, a mobile app that is used to monitor and manage sleep apnea. The app is not used to provide therapy to patients, so exploitation of the flaw does not place patient safety at risk, but the vulnerability could be exploited to gain access to log files, obtain guidance from the information in the log files, and insert additional data. The vulnerability was identified by Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH. The flaw was reported to the Federal Office for Information Security (BSI) in Germany, who alerted Philips to the vulnerability. Philips alerted the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) about the flaw under its responsible disclosure policy, and CISA issued an advisory about the flaw on July 30, 2020. The vulnerability affects version 2.24 and prior versions of the software and is being tracked as CVE-2020-14518. The flaw has been assigned a CVSS v3 base score of 5.3 out of 10 – Medium...

Read More
$53 Million Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data
Jul30

$53 Million Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data

There is a considerable weight of evidence suggesting nation state hacking groups are targeting organizations involved in COVID-19 research and vaccine development to obtain information to further the research programs in their respective countries. Security agencies in the United States, Canada and United Kingdom have recently warned that there is strong evidence that state-sponsored hacking groups linked to Russia, China, and Iran are conducting attacks to obtain COVID-19 research data, and earlier this month the U.S. Department of Justice indicted two Chinese nationals for hacking into the networks of U.S. organizations over a 10-year period, with recent hacks conducted to obtain COVID-19 vaccine research data. Director of CISA, Christopher Krebs confirmed this week that research organizations working on vaccines are vulnerable to attack and that their hardware, software, and services are already under stress due to the increase in teleworking due to the pandemic.  A recent study conducted by BitSight on biomedical companies revealed many have unaddressed vulnerabilities that...

Read More
FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks
Jul30

FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving Netwalker ransomware. Netwalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services. The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research. The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities...

Read More
IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs
Jul29

IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs

The 2020 Cost of Data Breach Report from IBM Security has been released and reveals there has been a slight reduction in global data breach costs, falling to $3.86 million per breach from $3.92 million in 2019 – A reduction of 1.5%. There was considerable variation in data breach costs in different regions and industries. Organizations in the United States faced the highest data breach costs, with a typical breach costing $8.64 million, up 5.5% from 2019. COVID-19 Expected to Increase Data Breach Costs This is the 15th year that IBM Security has conducted the study. The research was conducted by the Ponemon Institute, and included data from 524 breached organizations, and 3,200 individuals were interviewed across 17 countries and regions and 17 industry sectors. Research for the report was conducted between August 2019 and April 2020. The research was mostly conducted before the COVID-19 pandemic, which is likely to have an impact on data breach costs. To explore how COVID-19 is likely to affect the cost of a data breaches, the Ponemon Institute re-contacted study participants to...

Read More
FBI Warns of Increase in Destructive Distributed Denial of Service Attacks and Risk of Malware in Chinese Tax Software
Jul27

FBI Warns of Increase in Destructive Distributed Denial of Service Attacks and Risk of Malware in Chinese Tax Software

The FBI’s Cyber Division has issued two recent cybersecurity alerts, the first following an increase in destructive Distributed Denial of Service (DDoS) on U.S. companies and the second concerns the risk of malware infections when installing Chinese tax software. Increase in Destructive DDoS Attacks on US Networks Cybercriminals have been exploiting new built-in network protocols to conduct amplified destructive DDoS attacks on US networks.  Three network protocols have been developed for use in devices such as smartphones, Macs, and IoT devices, which are being leveraged by cybercriminals in the DDoS attacks. The protocols – CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), and ARMS (Apple Remote Management Service) have already been leveraged to conduct massive real-world DDoS attacks. The alert also covers the built-in network protocol used by Jenkins servers, which could also potentially be used in similar attacks, although the vulnerability has not currently been exploited in the wild. Jenkins is an open source server used by software...

Read More
Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks
Jul23

Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks

The biomedical community is working hard to develop vaccines against SARS-CoV-2 and discover new treatments for COVID-19 and nation-state hackers and cybercriminal organizations are targeting those organizations to gain access to their research data. Recently, security agencies in the United States, Canada, and the United Kingdom issued alerts about state-sponsored Russian hackers targeting organizations involved in COVID-19 research and vaccine development. The security agencies had found evidence that the Russian hacking group APT29 was actively conducting scans against the external IP addresses of companies engaged in COVID-19 research and vaccine development, and that it was almost certain that the hackers were working with the Russian intelligence services. An joint alert was also issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI indicating hackers linked to China were conducting similar attacks on pharmaceutical companies and academic research facilities to obtain intellectual property and sensitive data related to...

Read More
Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails
Jul21

Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails

The Emotet botnet has been reactivated after a 5-month period of dormancy and is being used to send large volumes of spam emails to organizations in the United States and United Kingdom. The Emotet botnet is a network of compromised computers that have been infected with Emotet malware. Emotet malware is an information stealer and malware downloader that has been used to distribute a variety of banking Trojans, including the TrickBot Trojan. Emotet hijacks email accounts and uses them to send spam emails containing malicious links and email attachments, commonly Word documents and Excel spreadsheets containing malicious macros. If the macros are allowed to run, a PowerShell script is launched that silently downloads Emotet malware. Emotet malware can also spread to other devices on the network and all infected devices are added to the botnet. The emails being used in the campaign are similar to previous campaigns. They use fairly simple, yet effective lures to target businesses, typically fake invoices, purchase orders, receipts, and shipping notifications. The messages often only...

Read More
70% of Companies Have Suffered a Public Cloud Data Breach in the Past Year
Jul20

70% of Companies Have Suffered a Public Cloud Data Breach in the Past Year

A recent study conducted by Sophos has revealed 96% of companies are concerned about the state of their public cloud security. There appears to be a valid cause for that concern, as 70% of companies that host data or workloads in the cloud have experienced a breach of their public cloud environment in the past year. The most common attack types were malware (34%), followed by exposed data (29%), ransomware (28%), account compromises (25%), and cryptojacking (17%). Data for the study came from a survey conducted by Vanson Bourne on 3,521 IT managers in 26 countries including the United States, Canada, France, Germany, India, and the United Kingdom. More than 10 industry sectors were represented.  Respondents used one or more public clouds from Azure, Oracle Cloud, AWS, VMWare Cloud on AWS, Alibaba Cloud, Google Cloud and IBM Cloud. The findings of the survey were published in the Sophos report: The State of Cloud Security 2020. The biggest areas of concern are data loss, detection and response and multi-cloud management. Companies that use two or more public cloud providers...

Read More
Russian APT Group is Targeting Organizations Involved in COVID-19 Research
Jul17

Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, aka Cozy Bear, is targeting healthcare organizations, pharma firms, and research entities in the United States, United Kingdom, and Canada and is attempting to steal COVID-19 research data and information about vaccine development. On July 16, 2020, a joint advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), UK National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) to raise awareness of the threat. APT29 is a cyber espionage group that is almost certainly part of the Russian intelligence services. The group primarily targets government entities, think-tanks, diplomatic and energy targets in order to steal sensitive data. The group has been highly active during the COVID-19 pandemic and has conducted multiple attacks on entities involved COVID-19 research and vaccine development. The group conducts widespread scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain a foothold in vulnerable systems. The group has...

Read More
Vulnerability Identified in Capsule Technologies SmartLinx Neuron 2 Medical Information Collection Devices
Jul16

Vulnerability Identified in Capsule Technologies SmartLinx Neuron 2 Medical Information Collection Devices

A high severity flaw has been identified in Capsule Technologies SmartLinx Neuron 2 medical information collection devices running version 6.9.1 of the software. SmartLinx Neuron 2 is a bedside mobile clinical computer that automatically collects vital signs data and connects to hospitals’ medical device information systems. The flaw, tracked as CVE-2019-5024, is a restricted environment escape vulnerability due to the failure of a protection mechanism in kiosk mode. The flaw is present in all versions of Capsule Technologies SmartLinx Neuron 2 prior to version 9.0. Kiosk mode is a restricted environment that prevents users from exiting the running applications and accessing the underlying operating system. By exploiting the flaw, an attacker can exit kiosk mode and access the underlying operating system with full administrative rights. That could allow the attacker to gain full control of a trusted device on the hospital’s internal network. To exploit the flaw an attacker would need to have physical access to the device. The flaw could be exploited by connecting to the device...

Read More
Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability
Jul16

Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability

Microsoft has released a patch to correct a 17-year old wormable remote code execution vulnerability in Windows DNS Server. The flaw can be exploited remotely, requires little skill to exploit, and could allow an attacker to take full control of an organization’s entire IT infrastructure. The vulnerability, CVE-2020-1350, was discovered by security researchers at Check Point who named the flaw SIGRed. The vulnerability is present on all Windows Server versions from 2003 to 2019 and has been assigned the maximum CVSS v3 score of 10 out of 10. The flaw is wormable, which means an attacker could exploit the vulnerability on all vulnerable servers on the network after an initial attack, with no user interaction required. The flaw is due to how the Windows Domain Name System servers handle requests and affects all Windows servers that have been configured as DNS servers. The flaw can be exploited remotely by sending a specially crafted request to the Windows DNS Server. The DNS serves as a phone book for the internet and is used to link an IP address to a domain name, which allows that...

Read More
At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020
Jul15

At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020

The New Zealand-based cybersecurity firm Emsisoft has released ransomware statistics for 2020 that show there have been at least 41 successful ransomware attacks on hospitals and other healthcare providers in the first half of the year. There were 128 successful ransomware attacks on federal and state entities, healthcare providers, and educational institutions in the first 6 months of 2020, with the healthcare industry accounting for 32% of those attacks. The large number of ransomware attacks in 2020 follows on from a spike in attacks in late 2019. 2019 saw more than double the number of ransomware attacks as 2018, attacks on healthcare providers increased by 350% in the final quarter of 2019. 966 entities were successfully attacked with ransomware across all industry sectors in 2019 and those attacks are estimated to have cost $7.5 billion. 2020 started badly for the healthcare industry with 10 successful ransomware attacks on healthcare providers in January, followed by a further 16 successful ransomware attacks in February. There was a marked decrease in attacks in March as...

Read More
FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor
Jul09

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks. Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and a user is passed through a series of nodes in a random path to a destination server. When a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, rather than their own IP address being recorded, the IP address of the exit node is recorded. Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, and deploy malware, ransomware, and conduct...

Read More
Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps
Jul09

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft.  The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll. Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links. When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The...

Read More
NSA Issues Guidance on Securing IPsec Virtual Private Networks
Jul07

NSA Issues Guidance on Securing IPsec Virtual Private Networks

The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working. While IPsec VPNs can ensure sensitive data in traffic is protected against unauthorized access through the use of cryptography, if IPsec VPNs are not correctly configured they can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs and flaws and misconfigurations have been exploited to gain access to corporate networks to steal sensitive information and deploy malware and ransomware. The NSA warns that maintaining a secure VPN tunnel can be complex and regular maintenance is required. As with all software, regular software updates are required. Patches should be applied on VPN gateways and clients as soon as possible to prevent...

Read More
Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software
Jul06

Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been identified in the remote access system, Apache Guacamole.  Apache Guacamole has been adopted by many companies to allow administrators and employees to access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products such as Fortress, Quali, and Fortigate and is one of the most prominent tools on the market with more than 10 million Docker downloads. Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two. Check Point Research...

Read More
Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System
Jul03

Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System

12 vulnerabilities have been identified in the open source integrated hospital information management system, OpenClinic GA. OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions. Brian D. Hysell has been credited with finding the vulnerabilities, three of which are rated critical and 6 are rated high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code. The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and there are public exploits for some of the flaws. The vulnerabilities have been assigned CVSS v3 base codes ranging from 5.4 to 9.8. The flaws were identified in OpenClinic GA Versions 5.09.02 and 5.89.05b. The most serious flaws include: CVE-2020-14495...

Read More
University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack
Jun29

University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption. UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack. The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the...

Read More
Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability
Jun26

Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability

Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688. Microsoft released an update to correct the vulnerability in February 2020 and an alert was issued in March when the flaw started to be exploited by APT groups, yet even though the vulnerability was being actively exploited in the wild, patching was still slow. Now Microsoft has detected a surge in attacks on vulnerable Exchange servers and is advising all Exchange customers to ensure the flaw is patched immediately. Any vulnerability in Microsoft Exchange should be treated as high priority. By exploiting Exchange flaws, an attacker can gain access to the email system, which often contains an extensive amount of highly sensitive information, and often protected health information in healthcare. As is the case with this vulnerability, attackers can gain access to highly privileged accounts and not only compromise the entire email system, but also gain administrative rights to the server and from there take control of the network....

Read More
Vulnerability identified in Philips Ultrasound Systems
Jun26

Vulnerability identified in Philips Ultrasound Systems

Philips has discovered an authentication bypass issue affecting Philips Ultrasound Systems that could potentially be exploited by an attacker to view or modify information. The flaw is due to the presence of an alternative path or channel that can be used to bypass authentication controls. The flaw has been assigned CVE-2020-14477 but is considered a low severity flaw and has been assigned a CVSS v3 base score of 3.6 out of 10. To exploit the vulnerability, an attacker would require local access to a vulnerable system. The vulnerability cannot be exploited remotely and does not place patient safety at risk. The flaw affects the following Philips Ultrasound Systems: Ultrasound ClearVue Versions 3.2 and prior Ultrasound CX Versions 5.0.2 and prior Ultrasound EPIQ/Affiniti Versions VM5.0 and prior Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions The flaw has been corrected for Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips representative for further information on installing the update. Users of...

Read More
May 2020 Healthcare Data Breach Report
Jun23

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.   Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has...

Read More
Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches
Jun23

Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches

More companies are now completing their digital transformations and are taking advantage of the flexibility, scalability, and cost savings provided by public cloud environments, but securing public clouds can be a major challenge. One of the main factors that has stopped companies from taking advantage of the public cloud has been security. Security teams often feel protecting an on-premise data center is much easier than protecting data in public clouds, although many are now being won over and understand that public clouds can be protected just as easily. Public cloud providers now offer a range of security tools that can help companies secure their cloud environments. While these offerings can certainly make cloud security more straightforward, organizations must still ensure that their cloud services are configured correctly, identities and access rights are correctly managed, and they have full visibility into all of their cloud workloads. Cloud security vendor Ermetic recently commissioned IDC to conduct a survey of CISOs to explore the challenges associated with cloud...

Read More
Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices
Jun22

Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued medical advisories about vulnerabilities in medical devices manufactured by Baxter, Becton, Dickinson and Company (BD), and BIOTRONIK. The following products are affected: Baxter PrismaFlex (all versions) Baxter PrisMax (all versions prior to 3.x) Baxter ExactaMix EM 2400 (Versions 1.10, 1.11, 1.13, 1.14) Baxter ExactaMix EM 1200 (Versions 1.1, 1.2, 1.4, 1.5) Baxter Phoenix Hemodialysis Delivery System (SW 3.36 and 3.40) Baxter Sigma Spectrum Infusion Pumps (see below) BIOTRONIK CardioMessenger II-S T-Line (T4APP 2.20) BIOTRONIK CardioMessenger II-S GSM (T4APP 2.20) BD Alaris PCU (Versions 9.13, 9.19, 9.33, and 12.1) Before implementing any defensive measures it is important to conduct an impact analysis and risk assessment. Baxter PrismaFlex and PrisMax Three vulnerabilities have been identified in Baxter PrismaFlex and PrisMax systems that could allow an attacker to obtain sensitive data, although network access would first be required. The vulnerabilities are: CVE-2020-12036 – Cleartext transmission of...

Read More
CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs
Jun19

CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about an ongoing Nefilim ransomware campaign, following the release of a security advisory by the New Zealand Computer Emergency Response Team (CERT NZ). Nefilim ransomware is the successor of Nemty ransomware and was first discovered in February 2020. In contrast to Nemty, Nefilim ransomware is not distributed under the ransomware-as-a-service model. The developers of the ransomware conduct their own attacks and deploy the ransomware manually after gaining access to enterprise networks. As with other manual ransomware groups, data is stolen from victims prior to deploying the ransomware. The group then threatens to publish or sell the stolen data if the ransom demand is not met. The group responsible for the attacks gains access to enterprise networks by exploiting vulnerabilities in remote desktop protocol (RDP) and virtual private networks (VPNs). The group uses brute force tactics to exploit weak authentication and the lack of multi-factor authentication, and also exploits unpatched...

Read More
Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices
Jun17

Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices

19 zero-day vulnerabilities have been identified in the TCP/IP communication software library developed by Treck Inc. which impact hundreds of millions of connected devices across virtually all industry sectors, including healthcare. Treck is a Cincinnatti, OH-based company that develops low-level network protocols for embedded devices. The company may not be widely known, but its software library has been used in internet-enabled devices for decades. The code is used in many low-power IoT devices and real-time operating systems due to its high performance and reliability and is used in industrial control systems, printers, medical infusion pumps and many more. The vulnerabilities were identified by security researchers at the Israeli cybersecurity company JSOF, who named the vulnerabilities Ripple20 because of the supply chain ripple effect. A vulnerability in small component can have wide reaching consequences and can affect a huge number of companies and products. In the case of Ripple20, companies affected include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar,...

Read More
Misconfigured Public Cloud Databases are Found and Attacked Within Hours
Jun11

Misconfigured Public Cloud Databases are Found and Attacked Within Hours

Misconfigured public cloud databases are often discovered by security researchers. Misconfigurations that leave cloud data exposed could be due to a lack of understanding about cloud security or policies, poor oversight to identify errors, or negligent behavior by insiders to name but a few. A recent report from Trend Micro revealed cloud misconfigurations were the number one cause of cloud security issues. Security researchers at Comparitech often discover unsecured cloud resources, commonly Elasticsearch instances and unsecured AWS S3 buckets. When the unsecured cloud databases are discovered, the owners are identified and notified to ensure data is secured quickly. Providing the owner can be identified, the databases are usually secured within a matter of hours, but there have been several cases where the database owner has been contacted but no response is received, and it is not always apparent to whom the data belongs. In these cases, data can be left exposed online for several days or even weeks. During that time, the databases remain unprotected and can be accessed and...

Read More
Attacks on Cloud Services Increased by 630% Between January and April
Jun10

Attacks on Cloud Services Increased by 630% Between January and April

COVID-19 has forced businesses to close their offices and allow employees to work from home. Cloud services have been provisioned to support home working and communication solutions such as Zoom, Cisco WebEx, and Microsoft Teams have allowed remote workers in collaborate effectively. A recently published report from cybersecurity company McAfee shows business use of cloud services increased by 50% in the first 4 months of 2020 and collaboration services saw an increase of 600% in usage during the same period. These solutions have allowed businesses to continue to operate, and many have reported productivity has actually improved during the pandemic; however, the rapid change to a largely at-home workforce has introduced vulnerabilities and cybercriminals have taken advantage. Attacks on Cloud Services Have Surged During the Pandemic An analysis of data from over 30 million McAfee cloud customers revealed cyberattacks on cloud services increased by 630% between January and April, 2020. Threats to cloud services were split into two main categories: Excessive usage from an anomalous...

Read More
Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability
Jun09

Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability

A functional proof of concept (PoC) exploit for a critical remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol has been released and is being used by malicious cyber actors to attack vulnerable systems, according to an alert issued by the DHS Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, referred to as SMBGhost, is due to the way the SMBv3 protocol handles certain requests. If exploited, a malicious cyber actor could remotely execute code on a vulnerable server or client by sending a specially crafted packet to a targeted SMBv3 server. An attack against a client would also be possible if an attacker configured a malicious SMBv3 server and convinced a user to connect to it. The vulnerability could be exploited to spread malware from one vulnerable system to another in a similar fashion to the SMBv1 vulnerability that was exploited in the 2017 WannaCry ransomware attacks. No user interaction is required to exploit the flaw on vulnerable SMBv3 servers. The flaw – tracked as CVE-2020-0796 – is present in Windows...

Read More
Voicemail Phishing Scam Identified Targeting Remote Healthcare Workers
Jun08

Voicemail Phishing Scam Identified Targeting Remote Healthcare Workers

The COVID-19 pandemic has forced many companies to change working practices and allow large numbers of employees to work remotely from home. In healthcare, employees have been allowed to work remotely and provide telehealth services to patients. While this move is important for virus control and to ensure patients still have access to the medical services they need, remote working introduces cybersecurity risks and cybercriminals are taking advantage. There has been a significant rise in cyberattacks targeting remote workers over the past three months. A variety of tactics are being used to trick remote workers into installing malware or divulging credentials, now a new method has been uncovered by cybersecurity firm IRONSCALES. In a recent report, IRONSCALES revealed threat actors are spoofing messages automatically generated by Private Branch Exchange (PBX) systems to steal credentials. PBX is a legacy phone system used by many enterprises to automate the handling of calls. One of the features of these systems is the ability to record voicemail messages and send recordings...

Read More
Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign
Jun05

Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials. Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home. Virtual private networks (VPNs) are used to support telehealth services and provide secure access the network and patient data. Several vulnerabilities have been identified in VPNs which are being exploited by threat actors to gain access to corporate networks to steal sensitive data and deploy malware and ransomware. It is therefore essential for VPN systems to be patched promptly and for VPN clients on employee laptops to be updated. Employees may therefore be used to updating their VPN. Researchers at Abnormal Security have identified a phishing campaign that impersonates a user’s organization and claims there is a problem with the VPN configuration that must be addressed to allow...

Read More
Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis
Jun03

Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis

Cybercriminals have changed their tactics, techniques, and procedures during the COVID-19 health crisis and have been targeting remote workers using COVID-19 themed lures in their phishing campaigns. There has also been a sharp increase in the number of phishing attacks targeting users of mobile devices such as smartphones and tablets, according to a recent report from mobile security company Lookout. Globally, mobile phishing attacks on corporate users increased by 37% from Q4, 2019 to the end of Q1, 2020 with an even bigger increase in North America, where mobile phishing attacks increased by 66.3%, according to data obtained from users of Lookout’s mobile security software. Phishers have also been targeting remote workers in specific industry sectors such as healthcare and the financial services. While the sharp increase in mobile phishing attacks has been attributed to the change in working practices due to the COVID-19 pandemic, there has been a steady rise in mobile phishing attacks over the past few quarters. Phishing attacks on mobile device users tend to have a higher...

Read More
Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA
Jun01

Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA

A Russian hacking outfit called Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent, which is commonly used for Unix-based systems. The flaw, tracked as CVE-2019-10149, is a remote code execution vulnerability that was introduced in Exim version 4.87. An update was released on June 5, 2019 to correct the flaw, but many organizations have still not updated Exim and remain vulnerable to attack. The vulnerability can be exploited by sending a specially crafted email which allows commands to be executed with root privileges. After exploiting the flaw, an attacker can install programs, execute code of their choosing, modify data, create new accounts, and potentially gain access to stored messages. According to a recent National Security Agency (NSA) alert, Sandworm hackers have been exploiting the flaw by incorporating a malicious command in the MAIL FROM field of an SMTP message. Attacks have been performed on organizations using vulnerable Exim versions that have internet-facing mail transfer agents. After exploiting the vulnerability, a shell script is...

Read More
HHS’ OIG to Scrutinize HHS COVID-19 Response and Recovery Efforts
May28

HHS’ OIG to Scrutinize HHS COVID-19 Response and Recovery Efforts

The HHS’ Office of Inspector General (OIG) has published a strategic plan for oversight of the COVID-19 response and recovery efforts of the Department of Health and Human Services. OIG will assess how well the HHS has performed in its mission to ensure the health and safety of Americans, determine whether HHS systems and data have been adequately protected, evaluate the effectiveness of the HHS response, and assess whether the $251 billion in COVID-19 funding has been correctly distributed by the HHS. OIG has a mandate to oversee the activities of the HHS to promote the economy, efficiency, effectiveness, and integrity of HHS programs. OIG explained that “COVID-19 has created unprecedented challenges for the HHS and for the delivery of health care and human services to the American people.” Through audits, risk assessments, and data analytics, OIG will be assessing the HHS’s COVID-19 response and recovery efforts. The HHS has a responsibility to protect the health and safety of Americans during a public health emergency such as the COVID-19 pandemic and protect beneficiaries that...

Read More
NetWalker Ransomware Gang Targeting the Healthcare Industry
May27

NetWalker Ransomware Gang Targeting the Healthcare Industry

While some threat groups have stated that they will not attack healthcare organizations on the frontline in the fight against COVID-19, that is certainly not the case for the operators of NetWalker ransomware, who have been actively targeting the healthcare industry during the COVID-19 public health emergency . Recent research conducted by Advanced Intelligence LLC has revealed the operators of the ransomware have been conducting extensive attacks on healthcare industry targets and operations are now being significantly expanded. Most ransomware attacks conducted by Russian-speaking threat actors involve large-scale phishing campaigns rather that targeted attacks. NetWalker ransomware has been spread in this manner during the COVID-19 pandemic through spam emails claiming to provide information about SARS-CoV-2 and COVID-19 cases. The emails include a Visual Basic script file attachment named CORONAVIRUS_COVID-19.vbs, which downloads the ransomware from a remote server. While phishing emails are still being used, the group is now moving into large-scale network infiltration....

Read More
Senators Seek Answers from CISA and FBI About Threat to COVID-19 Research Data
May26

Senators Seek Answers from CISA and FBI About Threat to COVID-19 Research Data

Four Senators have written to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) in response to the recent alert warning COVID-19 research organizations that hackers with links to China are conducting attacks to gain access to COVID-19 vaccine and research data. On May 13, 2020, CISA and the FBI issued a joint alert warning organizations in the healthcare, pharmaceutical, and research sectors that they are prime targets for hackers. Hacking groups linked to the People’s Republic of China have been attempting to infiltrate the networks of U.S. companies to gain access to intellectual property, public health data, and information related to COVID-19 testing, potential vaccines, and treatment information. “China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19,” warned CISA and the FBI. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.” In the letter, Thom Tills (R-NC), Richard Blumenthal (D-CT), John Cornyn...

Read More
H-ISAC Publishes Framework for Managing Identity in Healthcare
May26

H-ISAC Publishes Framework for Managing Identity in Healthcare

The Health Information Sharing and Analysis Center (H-ISAC) has published a framework for CISOs to manage identity and defend their organization against identity-based cyberattacks. This is the second white paper to be published by H-ISAC covering the identity-centric approach to security. The first white paper explains why an identity-centric approach to cybersecurity is now needed, with the latest white paper detailing how that approach can be implemented. By adopting the framework, CISOs will be able to manage the full identity lifecycle of employees, patients, practitioners, and business partners in a way that guards against cyberattacks on identity, lowers risk, and increases operational efficiencies. The framework has been developed for CISOs at healthcare organizations of all sizes. As such, it does not offer a one-size-fits-all approach. Instead, components of the framework can be applied differently based on different environments and use cases. CISOs will need to assess the resources available and their unique risks and decide how best to apply the framework. The...

Read More
Web Application Attacks Double as Threat Actors Target Cloud Data
May21

Web Application Attacks Double as Threat Actors Target Cloud Data

The 2020 Verizon Data Breach Investigations Report shows malware attacks are falling as threat actors target data in the cloud.  This is the 13th year that the report has been produced, which this year contains an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 global contributors in 81 countries. The report confirms that the main motivator for conducting attacks is financial gain. 86% of all security breaches were financially motivated, up from 71% last year. 70% of breaches were due to external actors, with 55% of attacks conducted by cybercriminals. 67% of breaches were the result of credential theft or brute forcing of weak credentials (37%) and phishing and other social engineering attacks (25%). 22% of those breaches involved human error. Only 20% of breaches were due to the exploitation of vulnerabilities. It should be noted that it is much easier to conduct attacks using stolen credentials rather than exploiting vulnerabilities, so the relatively low number of vulnerability-related attacks may not be due to organizations patching...

Read More
Guidance on Managing the Cybersecurity Tactical Response in a Pandemic
May19

Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

Joint guidance has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic. Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector. The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin. The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity...

Read More
Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack
May15

Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack

Organizations that experience a ransomware attack may be tempted to pay the ransom to reduce downtime and save on recovery costs, but a survey commissioned by Sophos suggests organizations that pay the ransom actually end up spending much more than those that recover files from backups. The FBI does not recommend paying a ransom as giving attackers money enables them to conduct more attacks and could see a victim targeted further and there is no guarantee that valid keys will be supplied to decrypt data. The increased cost can now be added to the list of reasons not to pay. The survey was conducted by market research firm Vanson Bourne between January and February 2020 on approximately 5,000 IT decision makers at companies with between 100 and 5,000 employees across 26 countries including the United States, Canada, and the United Kingdom. 51% of the people surveyed said they had experienced a ransomware attack in the previous 12 months, 73% of whom said the attack resulted in the encryption of data. 26% of attacked organizations paid the ransom and 73% did not. 56% of firms said...

Read More
Chinese Hacking Groups are Targeting COVID-19 Research Organizations
May14

Chinese Hacking Groups are Targeting COVID-19 Research Organizations

Organizations involved in research into SARS-CoV-2 and COVID-19 have been warned that they are being targeted by hackers affiliated with the People’s Republic of China (PRC) and should take steps to protect their systems from attack. The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and the Federal Bureau of Investigation (FBI) have warned that organizations in the health care, pharmaceutical, and research sectors that are working on testing procedures, SARS-CoV-2 vaccines, and new treatments for COVID-19 are being targeted by hackers looking to gain access to research data to advance PRC’s research program. The Trump Administration has also warned that cyber espionage campaigns targeting COVID-19 research organizations are now being conducted by hackers linked to Iran. In the alert, CISA and the FBI warn that the theft of intellectual property in these attacks jeopardizes the delivery of secure, effective, and efficient treatment options. All organizations involved in COVID-19 research have been advised to apply the...

Read More
CISA and FBI Publish List of Top 10 Exploited Vulnerabilities
May14

CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data. The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia and North Korea with those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied the patches. Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their...

Read More
Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues
May12

Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom has reached an agreement with the New York Attorney General’s office and has made a commitment to implement better privacy and security controls for its teleconferencing platform. Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings with usership growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge. Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images. Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end...

Read More
Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers
May08

Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers

Business email compromise scammers operating out of Nigeria have been targeting government healthcare agencies, COVID-19 research organizations, and pandemic response organizations to obtain fraudulent wire transfer payments and spread malware. The attacks were detected by Palo Alto Networks’ Unit 42 team researchers and have been attributed to a cybercriminal organization called SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have conducted at least 2.1 million BEC attacks since the Unit 42 team started tracking their activity in 2014. In 2019, the group conducted an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were conducted. The gang has been observed exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting individuals in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to trick recipients into opening malicious email attachments that...

Read More
CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations
May07

CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations

Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, pharmaceutical firms, research institutions, and others involved in the COVID-19 response, prompting a further joint alert from cybersecurity authorities in the United State and United Kingdom. The latest warning from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) follows on from an earlier joint alert issued on April 8, 2020 and provides further information on the tactics, techniques, and procedures being used by the APT groups to gain access to networks and sensitive data. In the latest alert, CISA/NCSC explained that APT groups are targeting organizations involved in COVID-19 research to obtain sensitive information on the COVID-19 response and research data to further the domestic research efforts in countries that fund the APT groups. APT groups often target healthcare organizations to obtain personal information of patients, intellectual property, and intelligence that aligns with national...

Read More
Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic
May01

Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic

COVID-19 has forced many organizations to rapidly scale up the numbers of employees working from home, which has created new opportunities for cybercriminals to conduct attacks. Cyberattacks on remote workers have increased substantially during the COVID-19 lockdown, with application-level protocols used by remote workers to connect to corporate systems now being extensively targeted. Remote Desktop Protocol (RDP) is a proprietary communications protocol developed by Microsoft to allow employees, IT workers, and others to remotely connect to corporate systems, services, and virtual desktops. The protocol has been used by many organizations to allow their employees to work from home on personal computers. RDP has also proven to be popular with cybercriminals. In line with the increase in remote workers accessing systems via RDP, cybercriminals have stepped up attacks. New data from Kaspersky show a major worldwide increase in brute force attacks on RDP. In order to connect via RDP, employees typically need to enter a username and password. Brute force attacks on RDP are conducted to...

Read More
NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources
May01

NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources

The National Security Agency has issued cybersecurity guidance for teleworkers to help improve security when working remotely. The guidance has been released primarily for U.S. government employees and military service members, but it is also relevant to healthcare industry workers providing telehealth services from their home computers and smartphones. There are many consumer and enterprise-grade communication solutions available and the cybersecurity protections offered by each can differ considerably. The guidance document outlines 9 important considerations when selecting a collaboration service. By assessing each service against the 9 criteria, remote workers will be able to choose the most appropriate solution to meet their needs. The NSA strongly recommends conducting high-level security assessments to determine how the security capabilities of each platform performs against certain security criteria. These assessments are useful for identifying risks associated with the features of each tool. The guidance document also provides information on using the collaboration...

Read More
Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks
Apr30

Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks

Human-operated ransomware attacks on healthcare organizations and critical infrastructure have increased during the COVID-19 pandemic. Dozens of attacks have occurred on healthcare organizations in recent weeks, including Parkview Medical Center, ExecuPharm, and Brandywine Counselling and Community Services. Many ransomware attacks are automated and start with a phishing email. Once ransomware is downloaded, it typically runs its encryption routine within an hour. Human-operated ransomware attacks are different. Access is gained to systems several weeks or months before ransomware is deployed. During that time, the attackers obtain credentials, move laterally, and collect and exfiltrate data before encrypting files with ransomware. The attackers can lay dormant in systems for several months before choosing their moment to deploy the ransomware to maximize the disruption caused. The COVID-19 pandemic is the ideal time for deployment of ransomware on healthcare organizations and others involved in the response to COVID-19, as there is a higher probability that the ransom will be paid...

Read More
EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology
Apr30

EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology

The contact tracing technology being developed by Apple and Google to help track people who have come into close contact with individuals confirmed as having contracted COVID-19 could be invaluable in the fight against SARS-CoV-19; however, the Electronic Frontier Foundation (EFF) has warned that in its current form, the system could be abused by cybercriminals. Google and Apple are working together on the technology, which is expected to be fully rolled out next month. The system will allow app developers to build contact tracing apps to help identify individuals who may have been exposed to SARS-CoV-2. When a user downloads a contact tracing app, each time they come into contact with another person with the app installed on their phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged via Bluetooth Low Energy. How Does the Contact-Tracing System Work? RPIDs will be exchanged only if an individual moves within a predefined range – 6 feet – and stays in close contact for a set period of time. Range can be determined by strength of...

Read More
WHO Confirms Fivefold Increase in Cyberattacks on its Staff
Apr28

WHO Confirms Fivefold Increase in Cyberattacks on its Staff

The World Health Organization is one of the leading agencies combating COVID-19 and has proven to be an attractive target for hackers and hacktivists, who have stepped up attacks on the organization during the COVID-19 pandemic. Cyberattacks on WHO are at five times the level they were at this time last year. Last month, WHO confirmed hackers had tried to gain access to its network and those of its partners by spoofing an internal WHO email system and the attacks have kept on coming. Last week, SITE Intelligence Group discovered the credentials of thousands of individuals involved in the fight against COVID-19 had been dumped online on 4chan, Pastebin, Telegram, and Twitter. Around 25,000 email and password combos were leaked in total, including around 2,700 credentials for WHO staff members. WHO said the data had come from an old extranet system and most of the credentials were no longer valid, but 457 were current and still active. In response, WHO said it performed a password reset to ensure the credentials could no longer be used, internal security has been strengthened, a more...

Read More
Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance
Apr24

Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance

A bipartisan group of Senators has written to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command requesting healthcare-specific cybersecurity guidance on how to deal with coronavirus and COVID-19-related threats. Richard Blumenthal, (D-CT), Mark Warner (D-VA), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) penned the letter in response to the escalating cyber espionage and cybercriminal activity targeting the healthcare, public health, and research sectors during the COVID-19 pandemic. The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group, APT41, targeting the healthcare sector. The hacking group is exploiting vulnerabilities in networking equipment, cloud software and IT management tools to gain access to healthcare networks – The same systems that are now being used by telecommuting workers for providing telehealth during the pandemic. Several other threat groups with links to China have also stepped up...

Read More
FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers
Apr22

FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers

The FBI has issued a fresh warning following an increase in COVID-19 phishing scams targeting healthcare providers. In the alert, the FBI explains that network perimeter cybersecurity tools used by US-based healthcare providers started detecting COVID-19 phishing campaigns from both domestic and international IP addresses on March 18, 2020 and those campaigns are continuing. These campaigns use malicious Microsoft Word documents, Visual Basic Scripts, 7-zip compressed files, JavaScript, and Microsoft Executables to gain a foothold in healthcare networks. While the full capabilities of the malicious code are not known, the FBI suggests that the purpose is to gain a foothold in the network to allow follow-on exploitation, persistence, and data exfiltration. In the alert, the FBI provides indicators of compromise for the ongoing phishing campaigns to allow network defenders to take action to block the threats and protect their environments against attack. Indicators of Compromise Email Sender Email Subject Attachment Filename Hash srmanager@combytellc.com PURCHASE ORDER PVT Doc35...

Read More
CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching
Apr20

CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching

The Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA) has issued a warning to all organizations using Pulse Secure VPN servers that patching vulnerabilities will not necessarily prevent cyberattacks. CISA is aware of attacks occurring even after patches have been applied to address known vulnerabilities. CISA issued an alert about a year ago warning organizations to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances due to a high risk of exploitation. Many companies were slow to apply the patch, and hackers took advantage. CVE-2019-1151 is an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances. The vulnerability was identified in the spring of 2019 and Pulse Secure released a patch to address the vulnerability in April 2019. Several advanced persistent threat groups are known to have exploited the vulnerability to steal data and install malware and ransomware. By exploiting the vulnerability and stealing credentials, the attackers were able to gain persistent access to networks even...

Read More
AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians
Apr17

AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians

The American Medical Association (AMA) and the American Hospital Association (AHA) have issued joint cybersecurity guidance for physicians working from home due to the COVID-19 pandemic to help them secure their computers, mobile devices, and home networks and safely provide remote care to patients. Physicians are able to use their mobile devices to access patients’ medical records over the internet as if they were in the office, and medical teleconferencing solutions allow them to conduct virtual visits using video, audio, and text to diagnose and treat patients. However, working from home introduces risks that can jeopardize the privacy and security of patient data. The AMA/AHA guidance is intended to help physicians secure their home computers and home network to protect patient data and keep their work environment safe from cyber threats such as malware and ransomware, which could have a negative impact on patent safety and well-being. “For physicians helping patients from their homes and using personal computers and mobile devices, the AMA and AHA have moved quickly to provide...

Read More
Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment
Apr16

Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies. Healthcare industry buyers have been told to be on high alert following a rise in the number of scams related to the procurement of PPE and essential medical equipment such as ventilators, which are in short supply due to increased demand. The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake. There have also been several reported cases of business email compromise (BEC) scams related to PPE and medical equipment procurement. In these scams, brokers and vendors of goods and services are impersonated. The scammers use email addresses that are nearly identical to the legitimate broker or seller and request wire transfer payments for the goods and services. The...

Read More
Small-Sized and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware
Apr16

Small-Sized and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware

Ransomware gangs are concentrating their attacks on smaller healthcare providers and clinics, according to a new report from RiskIQ. Healthcare providers with fewer than 500 employees are key targets for the gangs, with these organizations accounting for 70% of all successful healthcare ransomware attacks since 2016. RiskIQ’s analysis of 127 healthcare ransomware attacks revealed there has been a 35% increase in attacks between 2016 and 2019. Hospitals and healthcare centers accounted for 51% of ransomware attacks, 24% of attacks were on medical practices, with 17% on health and wellness centers. The cybersecurity defenses at smaller healthcare organizations are likely to be far less effective than those at larger healthcare systems. RiskIQ reports that 85% of small- and medium-sized hospitals do not have a qualified IT security person on staff, so there is a higher chance of gaps in security being left unaddressed. Ransom payments are more likely to be paid to avoid the costly downtime that is often caused by an attack. It can often take several weeks for an organization to fully...

Read More
Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services
Apr15

Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services

On April 2020 Patch Tuesday, Microsoft released updates to correct 113 vulnerabilities in its operating systems and software solutions, 19 of which have been rated critical. This month’s round of updates includes fixes for at least 3 zero-day vulnerabilities that are being actively exploited in real world attacks. Two of the actively exploited vulnerabilities were announced by Microsoft in March and Microsoft suggested workarounds to limit the potential for exploitation. The flaws – CVE-2020-0938 and CVE-2020-1020 – both affect the Adobe Font Manager Library and can lead to remote code execution on all supported Windows versions. The flaws are partially mitigated in Windows 10 and could only result in code execution in an AppContainer sandbox with limited privileges and capabilities. The flaws could be exploited if a user is convinced to open a specially crafted document or if it is viewed in the Windows Preview pane. The third actively exploited zero-day is a Windows Kernel vulnerability that was discovered by Google’s Project Zero team. The flaw, tracked as...

Read More
More Than 82% of Public-Facing Exchange Servers Still Vulnerable to Actively Exploited Critical Flaw
Apr09

More Than 82% of Public-Facing Exchange Servers Still Vulnerable to Actively Exploited Critical Flaw

On February Patch Tuesday, 2020, Microsoft released a patch for a critical vulnerability affecting Microsoft Exchange Servers which could potently be exploited by threat actors to take full control of a vulnerable system. Despite Microsoft warning that the flaw would be attractive to hackers, patching has been slow. An analysis conducted by cybersecurity firm Rapid7 revealed more than 82% of public-facing Exchange servers remained vulnerable and had not been patched. The firm’s scan identified 433,464 public-facing Exchange servers, and at least 357,629 were vulnerable to an attack exploiting the CVE-2020-0688 vulnerability. Exchange administrators may not have prioritized the patch as the vulnerability is a post-authorization flaw; however, attacks could take place using any stolen email credentials or by using brute force tactics to guess weak passwords. Several proof-of-concept exploits for the flaw have been published on GitHub, and there have been reports of nation state Advanced Persistent Threat groups attempting to exploit the flaw using brute force tactics to obtain...

Read More
INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations
Apr09

INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations

INTERPOL has issued an alert to hospitals over continuing ransomware attacks during the 2019 Novel Coronavirus pandemic. While some ransomware gangs have publicly stated they will be stopping attacks on healthcare providers that are on the front line dealing with COVID-19, many are still conducting attacks. Further, those attacks have increased. Attempted Ransomware Attacks on Healthcare Organizations Increased over the Weekend Last weekend, INTERPOL’s Cybercrime Threat Response (CTR) team detected a significant increase in attempted ransomware attacks on hospitals and other organizations and infrastructure involved in the response to the coronavirus pandemic and issued a ‘Purple Notice’ alerting police forces in all 194 member countries of the increased risk of attacks. “As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients,” said INTERPOL Secretary General...

Read More
FBI Warns of Increase in COVID-19 Related Business Email Compromise Scams
Apr08

FBI Warns of Increase in COVID-19 Related Business Email Compromise Scams

The Federal Bureau of Investigation has issued a warning following a rise in Business Email Compromise (BEC) attacks that are taking advantage of uncertainty surrounding the COVID-19 pandemic. BEC is the term given to an attempt to fool individuals responsible for performing legitimate transfers of funds into sending money to a bank account controlled by the attacker. This is achieved by impersonating an individual within a company that the victim usually conducts business with. A typical attack scenario will see an email sent to an individual in the finance department requesting a change to bank account information for an upcoming payment. Several attacks have recently been reported to the FBI’s Internet Crime Complaint Center (IC3) that have a COVID-19 theme and municipalities are being targeted that are purchasing personal protective equipment (PPE) and other essential supplies to use in the fight against COVID-19. In the alert, the FBI offered two recent examples of COVID-19 BEC scams. The first involved a scammer impersonating the CEO of a company and requesting that a...

Read More
Kwampirs APT Group Continues to Attack Healthcare Organizations via the Supply Chain
Apr07

Kwampirs APT Group Continues to Attack Healthcare Organizations via the Supply Chain

An Advanced Persistent Threat (APT) group known as Kwampirs, aka OrangeWorm, is continuing to attack healthcare organizations and infect their networks with the Kwampirs Remote Access Trojan (RAT) and other malware payloads. The threat group has been active since at least 2016, but activity has increased recently with the FBI now having issued three alerts about the APT group so far in 2020. Symantec was first to report attacks on healthcare organizations via the supply chain in a report published in April 2019. A variety of industries are being targeted by the APT group, including healthcare, energy, engineering, and software supply chain. The attacks on the healthcare sector are believed to have occurred through vendor software supply chain and hardware products. The FBI reports that the attacks have been very effective. The APT group has compromised a large number of hospitals throughout the United States, Europe, and Asia, ranging from local hospital associations to major transnational healthcare companies. The campaigns have included locally infected machines and enterprise...

Read More
2019 Novel Coronavirus and COVID-19 Themed Attacks Dominate Threat Landscape
Apr06

2019 Novel Coronavirus and COVID-19 Themed Attacks Dominate Threat Landscape

Cybercriminals are now almost exclusively conducting 2019 Novel Coronavirus and COVID-19 themed-campaigns according to a new report published by Proofpoint. 80% of all threats identified by the firm are coronavirus or COVID-19 related. The recent analysis was performed on more than half a million email messages, 300,000 malicious URLs, and over 200,000 malicious email attachments. Proofpoint researchers identified more than 140 phishing and malware distribution campaigns and report that the number of active campaigns continues to rise. The coronavirus theme spans virtually every possible threat, with COVID-19 campaigns being conducted by small players to the most prolific APT groups. The email campaigns are diverse and frequently change and Proofpoint researchers believe the diverse nature of attacks will continue and attacks will likely increase. A report from Check Point tells a similar story. In mid-February, Check Point was seeing a few hundred coronavirus-themed malware attacks a day, but by late March the average number of attacks had increased to 2,600 a day with 5,000...

Read More
OCR Investigators Impersonated to Obtain PHI
Apr06

OCR Investigators Impersonated to Obtain PHI

While the majority of social engineering and phishing attacks take place via email, social engineering tactics are also used to convince people to part with sensitive information via other communication channels, including the telephone. Once such campaign is now being conducted over the telephone to convince healthcare employees to divulge protected health information (PHI). An individual claiming to be a HHS’ Office for Civil Rights investigator is calling healthcare providers to obtain the PHI of patients. The scam prompted OCR to issue a warning to healthcare providers over the weekend. The caller provides no information that can be used to verify the legitimacy of the call and an OCR compliant transaction number is not provided. OCR has recommended healthcare providers and their business associates raise awareness of the scam with the workforce and to provide information on the correct course of action to take if such a call is received. Healthcare employees should take steps to verify the identity that any caller requesting PHI. If a call from someone claiming to be an OCR...

Read More
Zoom Security Problems Raise Concern About Suitability for Medical Use
Apr03

Zoom Security Problems Raise Concern About Suitability for Medical Use

Teleconferencing platforms such as Zoom have proven popular with businesses and consumers for maintaining contact while working from home during the COVID-19 crisis, but a slew of Zoom security problems have been identified in the past few days that have raised concerns about the suitability of the platform for medical use. Zoom Security Problems Uncovered by Researchers Several Zoom security problems and privacy issues have been discovered in the past few days. The macOS installer was discovered to use malware-like methods to install the Zoom client without final confirmation being provided by users. This method could potentially be hijacked and could serve as a backdoor for malware delivery. Two zero-day vulnerabilities were identified in the macOS client version of Zoom’s teleconferencing platform, which would allow a local user to escalate privileges and gain root privileges, even without an administrator password, and gain access to the webcam and microphone and intercept and record Zoom meetings. A feature of the platform that is intended to make it easier for business...

Read More
Microsoft Helps Healthcare Organizations Protect Against Human-Operated Ransomware Attacks
Apr02

Microsoft Helps Healthcare Organizations Protect Against Human-Operated Ransomware Attacks

The COVID-19 pandemic is forcing many employees to work from home and the infrastructure used to support those workers is being targeted by human-operated ransomware gangs. While several ransomware operators have stated they will not attack healthcare organizations during the COVID-19 public health emergency, not all cybercrime gangs are taking it easy on the healthcare sector and attacks are continuing. Several cybercrime groups are using the COVID-19 pandemic to their advantage. Tactics, techniques and procedures (TTPs) have been changed in response to the pandemic and they are now using social engineering tactics that prey on fears about COVID-19 and the need for information to gain access to credentials to gain a foothold in healthcare networks. Ransomware attacks on hospitals can cause massive disruption at the best of times. Ransomware attacks that occur while hospitals are trying to respond to the pandemic will severely hamper their efforts to treat COVID-19 patients. Microsoft has committed to help protect critical services during the COVID-19 crisis and has recently...

Read More
Hackers Target WHO, HHS, and COVID-19 Research Firm
Mar26

Hackers Target WHO, HHS, and COVID-19 Research Firm

The World Health Organization (WHO) and its partners have been targeted by a sophisticated group of hackers who attempted to steal login credentials to gain access to its network by impersonating WHO’s internal email system. Spear phishing emails were sent to several WHO staffers that included links to a malicious website hosting a phishing kit. The attack was detected on March 13 by cybersecurity expert, Alexander Urbelis, an attorney with New York-based Blackstone Law Group. The malicious website used to host the fake WHO login page had previously been used in other attacks on WHO employees. It is unclear who was responsible for the campaign, but it is believed to be a South Korea-based threat group called DarkHotel. The aims of the attackers are not known, although Urbelis suggests the highly targeted nature of the attack, suggests the attackers were looking for specific credentials. DarkHotel has previously conducted several attacks in East Asia for espionage purposes. It is possible that the hackers were trying to gain access to information about possible treatments, potential...

Read More
Cybersecurity Best Practices for Protecting Remote Employees During the COVID-19 Crisis
Mar24

Cybersecurity Best Practices for Protecting Remote Employees During the COVID-19 Crisis

The COVID-19 crisis has meant many individuals have had to self-quarantine or self-isolate, and organizations are under increasing pressure to let their employees work from home whenever possible. While these measures are necessary to keep people safe and avoid infection, having so many employees working remotely increases cyber risk. When people work from home and connect to work networks remotely using portable electronic devices, the attack surface grows considerably and new vulnerabilities are introduced that can exploited by attackers. With attacks targeting remote workers increasing, it is important to ensure that cybersecurity best practices for protecting remote employees are adopted to reduce risk. Phishing Campaigns Targeting Remote Workers Cybercriminals are already exploiting the coronavirus pandemic and are using COVID-19 and coronavirus-themed lures in phishing and social engineering attacks to steal credentials and spread malware. The first major coronavirus-themed phishing and malware distribution campaigns were detected in early January and the volume of malicious...

Read More
February 2020 Healthcare Data Breach Report
Mar24

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records. Largest Healthcare Data Breaches in February 2020 The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in. The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents. Name of Covered Entity...

Read More
Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic
Mar20

Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic

There have been several reported cases of cyberattacks on healthcare organizations that are currently working round the clock to ensure patients with COVID-19 receive the medical are they need. These attacks cause major disruption at the best of times, but during the COVID-19 outbreak the attacks have potential to cause even greater harm and place patient safety at risk. Many phishing campaigns have been detected using COVID-19 as a lure, fear about the 2019 Novel coronavirus is being exploited to deliver malware, and more than 2,000 coronavirus and COVID-19-themed domains have been registered, many of which are expected to be used for malicious purposes. One of the largest testing laboratories in the Czech Republic, Brno University Hospital, experienced a cyberattack forcing the shutdown of its computer systems. The attack also affected its Children’s Hospital and Maternity hospital and patients had to be re-routed to other medical facilities. Cyberattacks have also experienced in the United States, with the Champaign-Urbana Public Health District of Illinois suffering a...

Read More
Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server
Mar20

Vulnerabilities Identified in Insulet Omnipod and Systech NDS-5000 Terminal Server

Advisories have been issued about recently discovered vulnerabilities in the Insulet Omnipod Insulin Management System and the Systech NDS-5000 Terminal Server. Improper Access Control Identified in Insulet Omnipod Insulin Management System ThirdwayV Inc. has discovered a high severity flaw in the Omnipod Insulin Management System which could allow an attacker with access to a vulnerable insulin pump to access the Pod and intercept and modify data, change insulin pump settings, and control insulin delivery. The vulnerable insulin pumps communicate with an Insulet manufactured Personal Diabetes Manager device using wireless RF. The researchers discovered the RF communication protocol does not implement authentication or authorization properly. The following versions are affected: Omnipod Insulin Management System Product ID/Reorder number: 19191 and 40160 UDI/Model/NDC number: ZXP425 (10-Pack) and ZXR425 (10-Pack Canada) The vulnerability is tracked as CVE-2020-10597 and has been assigned a CVSS v3 base score of 7.3 out of 10. There have been no reported cases of exploitation of the...

Read More
CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Targeting Remote Workers
Mar19

CISA Warns of Exploitation of Vulnerabilities in VPNs and Campaigns Targeting Remote Workers

In an effort to prevent the spread of the coronavirus, many employers are telling their employees to work from home. While this measure is important for reducing the risk of contracting Coronavirus Disease 2019 (COVID-19), working from home introduces other risks. In order to protect against cyberattacks, enterprise-class virtual private networks (VPN) solutions should be used to connect remotely to the network. VPNs secure the connection between a user’s device and the network, allowing them to access and share healthcare information securely. While VPNs will improve security, many VPN solutions have vulnerabilities that can be exploited by cybercriminals. If those vulnerabilities are exploited, sensitive data can be intercepted, and an attacker could even take control of affected systems. Cybercriminals are actively searching for vulnerabilities in VPNs to exploit, and the increase in remote workers as a result of the coronavirus gives them many more targets to attack. The risks associates with VPNs and the increase in the number of remote workers due to the coronavirus has...

Read More
Department of Health and Human Services Targeted in Cyberattack
Mar17

Department of Health and Human Services Targeted in Cyberattack

The U.S. Department of Health and Human Services (HHS) has been targeted by cybercriminals in what appears to be an attempt to overwhelm its website with millions of hits. According to a statement issued by HHS spokesperson, Caitlin B. Oakley, the HHS detected “a significant increase in activity on HHS cyber infrastructure” in what appears to have been an attempted Distributed Denial of Service (DDoS) attack. The individuals responsible for the attack were unsuccessful thanks to additional protections put in place to mitigate DDoS attacks as part of HHS preparation and response to the COVID-19 pandemic. “HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities,” explained Oakley. No data breach was experienced and the HHS and federal networks are continuing to function normally. Federal cybersecurity professionals are continuing to monitor HHS computer networks and will take appropriate actions to protect those networks and mitigate any further attacks should they occur. The...

Read More
HSCC Publishes Best Practices for Cyber Threat Information Sharing
Mar16

HSCC Publishes Best Practices for Cyber Threat Information Sharing

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published best practices for cyber threat information sharing. The new guidance document is intended to help healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to reduce cyber risk. The new document builds on previously published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC identified key Information Sharing and Analysis Organizations (ISAOs) for the healthcare sector. The latest guidance document helps organizations determine what information to share, how to share the information, and how to protect any sensitive information they receive, as well as providing best practices for obtaining internal and legal approvals for information sharing processes. One of the main benefits of participating in these programs is to learn about possible attacks and the mitigations to implement to avoid becoming a victim. If an attack occurs at one healthcare organization, it is...

Read More
83% of Medical Devices Run on Outdated Operating Systems
Mar12

83% of Medical Devices Run on Outdated Operating Systems

The current state of IoT device security has been investigated by the Unit 42 team at Palo Alto Networks which identified major risks to the confidentiality, integrity and availability of healthcare data and serious vulnerabilities that could easily be exploited in devastating cyberattacks. The Unit 42 team analyzed more that 1.2 million IoT devices of 8,000 different types across a range of industry sectors for the 2020 IoT Threat Report. Data was gathered from its Zingbox IoT inventory and management service, which included 73.2 billion network sessions. The researchers found high numbers of IoT devices that use legacy protocols and unsupported operating systems, a problem that has now got worse since support for Windows 7 stopped in January 2020. Unit 42’s research revealed only 17% of devices have active support for their underlying operating systems. In healthcare, 83% of IoT devices were running on unsupported operating systems, which increased 56% from last year following the end of support for Windows 7. 27% of IoT medical devices are still running on Windows XP and...

Read More
90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year
Mar12

90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year

A recently published study conducted by HIMSS Media on behalf of Mimecast has revealed 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. 72% have experienced downtime as a result and one in four said the attacks were very or extremely disruptive. Healthcare organizations are a major target for cybercriminals. They hold large quantities of personal and health information that can be used for many fraudulent purposes, email-based attacks are easy to perform and require little technical skill, and they often give a high return on investment. Healthcare email security defenses also lag behind other industry sectors and security awareness training is often overlooked. The study was conducted in November 2019 on 101 individuals that had significant involvement with email security at hospitals and health systems in the United States. 3 out of 4 respondents said they have or are in the process of rolling out a comprehensive cyber resilience program, but only 56% of respondents said they already have such a strategy in place. When asked...

Read More
Maximum Severity SMBv3 Flaw Identified: Patch Released
Mar11

Maximum Severity SMBv3 Flaw Identified: Patch Released

Update 03/12/20: Microsoft has updated its security advisory and has released an out of band update for the flaw for CVE-2020-0796 Windows 10 and Windows Server 1903 / Server 1909:  A critical flaw has been identified in Windows Server Message Block version 3 (SMBv3) which could potentially be exploited in a WannaCry-style attack. The vulnerability is wormable, which means an attacker could combine it with a worm and compromise all other vulnerable devices on the network from a single infected machine. This is a pre-auth remote code execution vulnerability in the SMBv3 communication protocol due to an error that occurs when SMBv3 handles maliciously crafted compressed data packets. If exploited, an unauthenticated attacker could execute arbitrary code in the context of the application and take full control of a vulnerable system. The vulnerability can be exploited remotely by sending a specially crafted packet to a targeted SMBv3 server. The vulnerability, tracked as CVE-2020-0796, affects Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10...

Read More
Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign
Mar11

Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign

Researchers at Proofpoint have identified a new phishing campaign targeting healthcare providers, insurance firms and pharmaceutical companies. The intercepted emails impersonate Vanderbilt University Medical Center and claim to include the results of a recent HIV test. The emails have the subject line “Test result of medical analysis” and include an Excel spreadsheet attachment – named TestResult.xlsb – which the recipient must open to view the HIV test results. When the spreadsheet is opened, the user is advised the data is protected. To view the test result it is necessary to enable content. If content is enabled and macros are allowed to run, malware will be downloaded onto the user’s computer. This is a relatively small-scale campaign being used to distribute the Koadic RAT, a program used by network defenders and pen testers to take control of a system. According to Proofpoint, Koadic is popular with nation state-backed hacking groups in Russia, China, and Iran. Koadic allows attackers to take control of a computer, install and run programs, and steal sensitive...

Read More
Q3, 2019 Saw a 350% Increase in Ransomware Attacks on Healthcare Providers
Mar10

Q3, 2019 Saw a 350% Increase in Ransomware Attacks on Healthcare Providers

Ransomware attacks on healthcare providers increased by 350% in Q4, 2019, according to a recently published report from Corvus. The attacks show no sign of letting up in 2020. Already in 2020 attacks have been reported by NRC Health, Jordan Health, Pediatric Physician’s Organization at Children’s, and the accounting firm BST & Co., which affected the medical group Community Care Physicians. To identify ransomware trends in healthcare, Corvus’s Data Science team studied ransomware attacks on healthcare organizations since Q1, 2017. Between Q1, 2017 and Q2, 2019, an average of 2.1 ransomware attacks were reported by healthcare organizations each quarter. In Q3, 2019, 7 attacks were reported, and 9 attacks were reported in Q4, 2019. Corvus identified more than two dozen ransomware attacks on U.S. healthcare organizations in 2019 and predicts there will be at least 12 ransomware attacks on healthcare organizations in Q1, 2020. Reports from other cybersecurity firms similarly show an increase in ransomware attacks on healthcare providers in the second half of the year. One report...

Read More
March 2020 Deadline for Compliance with New York SHIELD Act Data Security Requirements
Mar10

March 2020 Deadline for Compliance with New York SHIELD Act Data Security Requirements

In July 2019, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into law. The New York SHIELD Act expanded the breach notification requirements for businesses that collect the personal information of New York residents. On March 21, 2020, the data security provisions of the New York SHIELD Act come into effect. There are also exemptions for small businesses, which are deemed to be businesses with fewer than 50 employees, businesses with less than $3 million in gross revenues for each of the past 3 fiscal years, or businesses with less than $5 million in year-end total assets. In these cases, their data security program can be scaled according to the size and complexity of the business, the nature of business activities, and the sensitivity of the personal data collected. For most HIPAA-covered entities, compliance will be relatively straightforward. Entities in compliance with the Health Insurance Portability and Accountability Act (HIPAA) are deemed to be in compliance with the New York SHIELD Act. New York SHIELD Act Requirements for HIPAA...

Read More
University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack
Mar09

University of Kentucky and UK HealthCare Impacted by Month-Long Cryptominer Attack

The University of Kentucky (UK) has been battling to remove malware that was downloaded on its network in February 2020. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware that used the processing capabilities of UK computers to mine Bitcoin and other cryptocurrencies. The malware caused a considerable slowdown of the network, with temporary failures of its computer system causing repeated daily interruptions to day to day functions, in particular at UK healthcare. UK believes the attack was resolved on Sunday morning after a month-long effort. On Sunday morning, UK performed a major reboot of its IT systems – a process that took around 3 hours. UK believes the attackers have now been removed from its systems, although they will be monitoring the network closely to ensure that external access has been blocked. The attack is believed to have originated from outside the United States. UK Healthcare, which operates UK Albert B. Chandler Hospital and Good Samaritan Hospital in Lexington, KY, serves more than 2 million patients. While computer...

Read More
53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months
Mar09

53% of Healthcare Organizations Have Experienced a PHI Breach in the Past 12 Months

The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses Report from Keeper Security shows approximately two thirds of healthcare organizations have experienced a data breach in the past, and 53% have experienced a breach of protected health information in the past 12 months. The survey was conducted by the Ponemon Institute on 2,391 IT and IT security professionals in the United States, United Kingdom, DACH, Benelux, and Scandinavia, including 219 respondents from the healthcare industry. Keeper Security reports indicates the average healthcare data breach results in the exposure of more than 7,200 confidential records and the average cost of a healthcare data breach is $1.8 million, including the cost of disruption to normal operations. The most common causes of healthcare data breaches are phishing attacks (68%), malware infections (41%), and web-based attacks (40%). Healthcare data breaches have increased considerably in the past few years. Even though there is a high risk of an attack, healthcare organizations do not feel that they are well prepared. Only...

Read More
‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices
Mar05

‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

12 vulnerabilities – collectively called SweynTooth – have been identified by researchers at the Singapore University of Technology and Design which are present in the Bluetooth Low Energy (BLE) software development kits used by at least 7 manufacturers of software-on-a-chip (SOC) chipsets. SOCs are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. SoCs with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors. It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their SoCs from several sources. Some security researchers believe millions of medical devices could be vulnerable. SoCs are used in around 500 different products. Hundreds of millions of devices could be affected. The vulnerabilities are present in SoCs from Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors,...

Read More
IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk
Mar03

IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk

An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk. NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations. The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center. NHS has approximately 1,300 physicians, dentists and PhD researchers, 830 nurses, and around 730...

Read More
NIST Publishes Roadmap for Regional Alliances and Partnerships to Build the Cybersecurity Workforce
Mar02

NIST Publishes Roadmap for Regional Alliances and Partnerships to Build the Cybersecurity Workforce

The National Institute of Standards and Technology (NIST) has published a cybersecurity education and development roadmap based on data from five pilot Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development programs. There is a currently a global shortage of cybersecurity professionals and the problem is getting worse. Data from CyberSeek.org shows that between September 2017 and August 2018, 313,735 cybersecurity positions were open and figures from the 2017 Global Information Security Workforce Study indicate that by 2022, 1.8 million cybersecurity professionals will be required to fill open positions. To help address the shortfall, the National Initiative for Cybersecurity Education (NICE), led by NIST, provided funding for the pilot programs in September 2016. The RAMPS cybersecurity education and development pilot programs were concerned with “energizing and promoting a robust network and ecosystem of cybersecurity education, training, and workforce development.” The pilot programs involved forming regional...

Read More
What is DNS Filtering?
Feb24

What is DNS Filtering?

What is DNS filtering, how does it work, and why is it such an important cybersecurity measure for blocking phishing and malware attacks? In this post we will explain why DNS based filtering is so important and the benefits of internet content control for cybersecurity. What is DNS Filtering? The Domain Name System (DNS) is an integral part of the internet and is used to match alphanumeric domain names with the unique IP addresses that allow websites to be found by computers. When a request is made by a user to access a website by typing a URL into their browser or by clicking a hyperlink, before a connection is made the location of the website must be determined and that requires an IP address. To find the IP address for a website a query is sent to a recursive DNS server. The recursive DNS server will contact other DNS servers to find the IP address. When the DNS lookup has been completed and the IP address found it is passed to the web browser, a connection is made, and the web content is loaded in the browser. The DNS is incredibly efficient at matching domain names with their...

Read More
January 2020 Healthcare Data Breach Report
Feb21

January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day. As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches compared to December 2019. While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years. Largest Healthcare Data Breaches in January 2020 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information PIH Health CA Healthcare Provider...

Read More
Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep
Feb20

Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep

The healthcare industry is digitizing business management and data management processes and is adopting new technology to improve efficiency and cut costs, but that technology, in many cases, has been added to infrastructure, processes, and software from a different era and as a result, many vulnerabilities are introduced. The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector and one third of data breaches in the United States happen in hospitals. According to the recently published 2020 Healthcare Security Vision Report from CyberMDX almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks. Part of the reason is the number of difficult-to-secure devices that connect to healthcare network. The attack surface is huge. It has been estimated that...

Read More
2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents
Feb20

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% annual increase in the number of reported breaches and a 174.5% increase in the number of breached records. The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States. The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches. “It appears hacking incidents, particularly ransomware incidents, are on the...

Read More
Spacelabs Xhibit Telemetry Receiver and GE Healthcare Ultrasound Products Vulnerabilities Reported
Feb19

Spacelabs Xhibit Telemetry Receiver and GE Healthcare Ultrasound Products Vulnerabilities Reported

A critical vulnerability has been identified in the Xhibit Telemetry Receiver and GE Healthcare has issued an advisory about a flaw in its ultrasound products. Xhibit Telemetry Receiver Vulnerable to Critical BlueKeep Windows Vulnerability The Xhibit Telemetry Receiver (XTR), Model number 96280, v1.0.2 and all versions of the now unsupported Xhibit Arkon (99999) are vulnerable to the critical BlueKeep Remote code execution vulnerability. The vulnerability – CVE-2019-0708 – affects the Remote Desktop Protocol feature of the underlying Microsoft Windows operating system. The flaw can be exploited by sending specially crafted packets to Windows operating systems that have RDP enabled. The vulnerability is pre-authentication and no user interaction is required to exploit the flaw. The BlueKeep vulnerability is also worm-able. Malware could be developed to exploit the vulnerability allowing propagation to other vulnerable systems, as was the case with the WannaCry ransomware attacks in 2017. Successful exploitation would allow a remote attacker to add accounts with full user...

Read More
2019 Healthcare Data Breach Report
Feb13

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018. As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009. 37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019. Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen. Largest Healthcare Data Breaches of 2019 The table below shows the largest healthcare data breaches of 2019, based on the entity...

Read More
Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016
Feb13

Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016

A new study by Comparitech has shed light on the extent to which ransomware has been used to attack healthcare organizations and the true cost of ransomware attacks on the healthcare industry. The study revealed there have been at least 172 ransomware attacks on healthcare organizations in the United States in the past three years. 1,446 hospitals, clinics, and other healthcare facilities have been affected as have at least 6,649,713 patients. 2018 saw a reduction in the number of attacks, falling from 53 incidents in 2017 to 31 in 2018, but the attacks increased to 2017 levels in 2019 with 50 reported attacks on healthcare organizations. 74% of healthcare ransomware attacks since 2016 have targeted hospitals and health clinics. The remaining 26% of attacks have been on other healthcare organizations such as nursing homes, dental practices, medical testing laboratories, health insurance providers, plastic surgeons, optometry practices, medical supply companies, government healthcare providers, and managed service providers. Ransom demands can vary considerably from attack to...

Read More
$1.77 Billion Was Lost to Business Email Compromise Attacks in 2019
Feb12

$1.77 Billion Was Lost to Business Email Compromise Attacks in 2019

The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) has published its 2019 Internet Crime Report. The report shows losses to cybercrime exceeded $3.5 million in 2019. More than half of the losses were due to business email compromise (BEC) attacks. BEC, also known as email account compromise (EAC), involves the impersonation of a legitimate person or company to obtain money via email. These sophisticated scams often start with a phishing attack on an executive to obtain email credentials. The email account is then used to send a wire transfer request to an individual in the company with access to corporate bank accounts. Sometimes this step is skipped and the attackers simply spoof an individual’s email account. While BEC attacks mostly involve wire transfer requests, in 2019 there was an increase in attacks on human resources and payroll departments to divert employee payroll funds to attacker-controlled pre-paid card accounts. The potential profit from such an attack is lower than a wire transfer request, but changes to payroll are less likely to be...

Read More
Draft Cyber Supply Chain Risk Management Guidance Published by NIST
Feb07

Draft Cyber Supply Chain Risk Management Guidance Published by NIST

The National Institute of Standards and Technology (NIST) has published a new draft guidance document on cyber supply chain risk management to help organizations implement an effective cyber supply risk management program. Organizations now rely on other organizations to provide critical products and services, yet they often lack visibility into their supply ecosystems. Using third parties for products and services brings many benefits, but also introduces risks. Vulnerabilities in supply chains can be exploited by threat actors and attacks on supply chains are on the rise. In the second half of 2018, the Operation ShadowHammer supply chain attack saw the software update utility of ASUS compromised. Up to 500,000 users of the ASUS Live Update utility were impacted before the cyberattack was discovered. The DragonFly threat group, aka Energetic Bear, compromised the update site used by several industrial control system (ICS) software producers and added a backdoor to ICS software. Three ICS software producers are known to have been compromised, resulting in companies in the energy...

Read More
Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices
Feb06

Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices

The medical device manufacturer Medtronic has issued patches to correct flaws in its CareLink 2090 and CareLink Encore 29901 programmers, implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy defibrillators (CRT-Ds). The vulnerabilities were first identified by security researchers in 2018 and 2019. When Medtronic was informed about the vulnerabilities, mitigations were quickly published to reduce the risk of exploitation of the vulnerabilities and allow customers to continue to use the affected products safely. The development and release of patches for these complex and safety-critical devices has taken a long time due to the required regulatory approval process. “Development and validation can take a significant amount of time and also includes a required regulatory review process before we can distribute updates to products. Medtronic worked to develop security remediations quickly while also ensuring the patches continue to maintain comprehensive safety and functionality,” explained Medtronic. In 2018, Security researchers Billy Rios and...

Read More
Annual Cost of Insider Cybersecurity Incidents Has Risen 31% in 2 Years
Feb06

Annual Cost of Insider Cybersecurity Incidents Has Risen 31% in 2 Years

The frequency of cybersecurity incidents caused by insiders has increased by 47% in the past two years and the average annual global cost of those cybersecurity incidents has increased by 31% over the same period, according to new research conducted by the Ponemon Institute. The average annual cost of insider incidents is now $11.45 million. The research was conducted for the 2020 Cost of Insider Threats study on behalf of the Proofpoint company, ObserveIT. 964 IT and security professionals at 204 organizations in North America, Europe, Africa, the Middle East and Asia-Pacific were surveyed for the study. Insider incidents were divided into three categories: Incidents that resulted from mistakes made by employees (negligent insiders); incidents deliberately caused by employees and contractors to harm the company (criminal insiders); and incidents involving the use of insiders’ login details to gain access to applications, systems, and data (credential insiders). In the past 12 months, 4,716 insider incidents occurred. Incidents caused by credential insiders were the costliest to...

Read More
Average Ransomware Payment Increased Sharply in Q4, 2019
Feb03

Average Ransomware Payment Increased Sharply in Q4, 2019

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179. The large increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk especially. Ryuk is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom amount was $779,855.5 in Q4; a considerable jump from the largest demand of $377,027 in Q3. In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants. Many of the above...

Read More
NIST Seeks Comment on Two Draft Cybersecurity Practice Guides on Ransomware and Other Data Integrity Events
Jan31

NIST Seeks Comment on Two Draft Cybersecurity Practice Guides on Ransomware and Other Data Integrity Events

The National Cybersecurity Center of Excellence at NIST (NCCoE) has released two draft cybersecurity practice guides on ransomware and other destructive events. The first guide concerns identifying and protecting assets (SP 1800-25) and the second concerns detection and response to cyberattacks that compromise data integrity (SP 1800-26). The guides consist of three volumes, an executive summary; approach, architecture and security characteristics; and how to guides. They are intended to be used by executives, chief Information security officers, system administrators, or individuals who have a stake in protecting their organizations’ data, privacy, and overall operational security. The first guide concerns the first two core functions of the NIST Cybersecurity Framework: Identify and Protect. Organizations need to take steps to protect their assets from ransomware, destructive malware, malicious insiders, and accidental data loss. In order to protect assets, organizations must first identify where they are located. Only then can the necessary steps be taken to secure those...

Read More
65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019
Jan28

65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019

The 2020 State of the Phish report from the cybersecurity firm Proofpoint shows 65% of U.S. organizations (55% globally) had to deal with at least one successful phishing attack in 2019. For the report, Proofpoint drew data from a third-party survey of 3,500 working adults in the United States, United Kingdom, Australia, France, Germany, Japan, Spain along with a survey of 600 IT security professionals in those countries. Data was also taken from 9 million suspicious emails reported by its customers and more than 50 million simulated phishing emails in the past year. Infosec professionals believe the number of phishing attacks remained the same or declined in 2019 compared to the previous year. This confirms what may cybersecurity firms have found: Phishing tactics are changing. Cybercriminals are now focusing on quality over quantity. Standard phishing may have declined, but spear phishing attacks are more common. 88% of organizations said they faced spear phishing attacks in 2019 and 86% said they faced business email compromise (BEC) attacks. Phishing attacks are most commonly...

Read More
Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products
Jan24

Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products

Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX. Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10. Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices. CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020- 6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could...

Read More
Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories
Jan23

Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories

The operators of Maze ransomware are following through on their threats to publish stolen data if victims do not pay the ransoms. In December, the Carrollton, GA-based wire and cable manufacturer Southwire refused to pay a 200 BTC ransom ($1,664,320) and the threat actors went ahead and published some of the stolen data. Southwire filed a lawsuit in the Northern District of Georgia against the Maze team and the ISP hosting the Maze Team’s website. The case was won, and the website was taken offline; however, the website was back online with a different hosting provider a few days later. Listed on the webpage are the names of the companies that have been attacked and refused to pay the ransom demand, along with some of the data stolen in the attacks. One of those companies is New Jersey-based Medical Diagnostic Laboratories (MDLab). According to the Maze Team, MD Lab was attacked on December 2, 2019. MD Lab made contact with the Maze team, but negotiations stalled, and no ransom was paid. According the Maze website, 231 workstations were encrypted in the attack. When MD Lab refused...

Read More
CISA Issues Warning About Increase in Emotet Malware Attacks
Jan23

CISA Issues Warning About Increase in Emotet Malware Attacks

A warning has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a recent increase in Emotet malware attacks. Emotet was first detected in 2014 and was initially developed to steal banking credentials, but it has seen considerable development over the past five years and is now is a highly sophisticated Trojan. In addition to stealing banking credentials, Emotet can steal passwords stored in web browsers and the credentials files of external drives. Modules have been added that allow it to propagate via email and download other malware variants. The malware has been used to infect devices with cryptocurrency miners and cryptowallet stealers, the TrickBot banking Trojan, and Ryuk ransomware. These additional payloads are often downloaded weeks, months, or even years after the initial Emotet infection. Emotet malware is primarily delivered via spam email. Initially, the malware was spread by JavaScript attachments; however, the threat actors behind the malware have now switched to Office documents with malicious macros that run PowerShell commands...

Read More
Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities
Jan16

Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities

Microsoft has issued patches for several critical vulnerabilities in all supported Windows versions that require urgent attention to prevent exploitation. While there have been no reports of exploitation of the flaws in the wild, the seriousness of the vulnerabilities and their potential to be weaponized has prompted both the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) to issue emergency directives about the vulnerabilities. One of the vulnerabilities was discovered by the National Security Agency (NSA), which took the unusual step of reporting the vulnerability to Microsoft. This is the first time that a vulnerability has been reported by the NSA to a software vendor. Windows CryptoAPI Vulnerability Requires Immediate Patching The NSA-discovered vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Server 2016/2019 systems. The vulnerability is due to how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. The flaw would allow a remote attacker to sign malicious code with an ECC certificate to...

Read More
DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability
Jan14

DHS Warns of Continuing Cyberattacks Exploiting Pulse Secure VPN Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to Pulse Secure customers urging them to patch the 2019 Pulse Secure VPN vulnerability, CVE-2019-11510. Pulse Secure VPN servers that have not been patched are continuing to be attacked by cybercriminals. The threat actors behind Sodinokibi (REvil) ransomware are targeting unpatched Pulse Secure VPN servers and are exploiting CVE-2019-11510 to install ransomware. Several attacks have been reported in January 2020. In addition to encrypting data, the attackers are stealing and threatening to publish victims’ sensitive information. Last week data belonging to Artech Information Systems was published when the ransom was not paid. CISA continues to see widespread exploitation of the flaw by multiple threat actors, including nation-state sponsored advanced persistent threat actors, who are exploiting the flaw to steal passwords, data, and deploy malware. Exploitation of the vulnerability can allow a remote, unauthenticated attacker to gain access to all active VPN users and obtain their plain-text...

Read More
Support for Windows 7 Finally Comes to an End
Jan14

Support for Windows 7 Finally Comes to an End

Microsoft is stopping free support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, meaning no more patches will be released to fix vulnerabilities in the operating systems. Support for Office 2010 has also come to an end. The operating systems will be up to date as of January 14, 2020 and all known vulnerabilities will have been fixed, but it will only be a matter of time before exploitable vulnerabilities are discovered and used by cybercriminals to steal data and deploy malware. Even though Microsoft has given a long notice period that the operating system was reaching end of life, it is still the second most used operating system behind Windows 10. According to NetMarketShare, 33% of all laptop and desktop computers were running Windows 7 in December 2019. Many healthcare organizations are still using Windows 7 on at least some devices. The continued use of those devices after support is stopped places them at risk of cyberattacks and violating the HIPAA Security Rule. The natural solution is to update Windows 7 to Windows 10, although that...

Read More
DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild
Jan13

DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a recently discovered vulnerability in the Citrix Application Delivery Controller and Citrix Gateway web server appliances. Exploitation of the vulnerability – tracked as CVE-2019-19781 – is possible over the internet and can allow remote execution of arbitrary code on vulnerable appliances. Exploitation of the flaw would allow a threat actor to gain access to the appliances and attack other resources connected to the internal network. Some security researchers have described the bug as one of the most dangerous to be discovered in recent years. The alert, issued on January 8, 2020, urges all organizations using the affected Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to apply mitigations immediately to limit the potential for an attack, and to apply the firmware updates as soon as they are released later this month. Two proof of concept exploits have already been published on GitHub which makes exploitation of the flaws trivial. Scans for...

Read More
Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2020
Jan08

Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2020

Healthcare industry data breaches are occurring more frequently than ever before. The healthcare data breach figures for 2019 have yet to be finalized, but so far 494 data breaches of more than 500 records have been reported to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst ever year for healthcare data breaches and the second worst in terms of the number of breached healthcare records. The healthcare industry now accounts for around four out of every five data breaches and 2020 looks set to be another record-breaking year. The cost to the healthcare industry from those breaches is expected to reach $4 billion in 2020. The poor state of healthcare cybersecurity was highlighted by a survey of healthcare security professionals conducted in late 2019 by Black Book Market Research. The survey was conducted on 2,876 security professionals from 733 provider organizations to identify cybersecurity gaps, vulnerabilities, and deficiencies in the healthcare industry. The survey revealed...

Read More
FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S.
Jan07

FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S.

Last week, the Federal Bureau of Investigation (FBI) issued a flash alert warning private companies in the United States about the threat of attacks involving Maze ransomware. The warning came just a few days after the FBI issued an alert about two other ransomware variants, LockerGoga and MegaCortex. The Maze ransomware TLP: Green warning is not intended for public distribution as it provides technical details about the attacks and indicators of compromise which can be used by private firms to prevent attacks. If published in the public domain, it could aid the attackers. In the alert, victims of Maze ransomware attacks were urged to share information with the FBI as soon as possible to help its agents trace the attackers and bring them to justice. Maze ransomware was first identified in early 2019, but it was not until November 2019 when the first attacks hit companies in the United States. Those attacks have been increasing in recent weeks. When network access is gained, data is exfiltrated prior to file encryption. A ransom demand is then issued specific to the organization....

Read More
DHS Warns of Retaliatory Cyberattacks in Response to U.S. Drone Strike
Jan06

DHS Warns of Retaliatory Cyberattacks in Response to U.S. Drone Strike

The U.S. Department of Homeland Security has issued a warning about retaliatory cyberattacks following the military action in Iraq in which Iran’s top general, Major General Qasem Soleimani, was killed in a drone strike. The U.S. Department of Defense issued a statement saying “General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and throughout the region.” President Trump tweeted soon after the attack saying, “We took action last night to stop a war. We did not take action to start a war.” Iran has condemned the attack and the country’s supreme leader, Ayatollah Ali Khamenei, has vowed to take “forceful revenge” on the United States. The U.S. State Department has advised all Americans in Iraq to leave the country over concerns for their safety and on Sunday, Iraqi MPs voted to expel all US troops from the country, There are genuine fears of reprisal attacks from Iran and growing concern that those attacks will take place in cyberspace rather than on the ground. US companies, government agencies, and...

Read More
HIPAA Enforcement in 2019
Jan02

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Right (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 saw two civil monetary penalties issued and settlements were reached with 8 entities, one fewer than 2018. In 2019, the average financial penalty was $1,227,400. Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCRs preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued. This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR...

Read More
FBI Issues Warning Following Spate of LockerGoga and MegaCortex Ransomware Attacks
Dec31

FBI Issues Warning Following Spate of LockerGoga and MegaCortex Ransomware Attacks

The FBI has issued a TLP:Amber alert in response to a spate of cyberattacks involving the ransomware variants LockerGoga and MegaCortex. The threat actors using these ransomware variants have been targeting large enterprises and organizations and typically deploy the ransomware several months after a network has been compromised. LockerGoga was first detected in January 2019 and MegaCortex ransomware first appeared in May 2019. Both ransomware variants exhibit similar IoCs and have similar C2 infrastructure and are both used in highly targeted attacks on large corporate networks. LockerGoga was used in the ransomware attacks on the U.S. chemical companies Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consulting firm, Altran Technologies. MegaCortex ransomware was used in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting firm iNSYNQ, to name but a few. The threat actors are careful, methodical, and attempt to cause maximum damage to increase the probability that their victim’s will pay. The ransom demands are...

Read More
November 2019 Healthcare Data Breach Report
Dec20

November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – The worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day. 600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.   Largest Healthcare Data Breaches in November 2019 Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Ivy Rehab Network, Inc. and its affiliated companies Healthcare Provider 125000 Hacking/IT Incident Email Solara Medical Supplies, LLC Healthcare Provider 114007 Hacking/IT Incident Email Saint Francis Medical Center Healthcare...

Read More
Poor RSA Encryption Implementation Opens Door to Attacks on Medical Devices and Implants
Dec18

Poor RSA Encryption Implementation Opens Door to Attacks on Medical Devices and Implants

Encryption renders data inaccessible to unauthorized individuals, provided the private key to decrypt data is not compromised and strong encryption is used. Not all algorithms provide the same level of protection. The strength of encryption relies on the length of the key. The longer the key, the more computational power is required to break the encryption. When strong encryption is used, the computing power and time required to break the encryption renders the data virtually inaccessible. DES was once considered a strong form of encryption but the computing power now available makes cracking the encryption possible even on relatively inexpensive computers. DES used 56-bit keys, which were fine in the 1970’s, but today the keys are nowhere near long enough. Strong encryption today is generally considered to require 256-bit keys, such as those generated by the AES algorithm. With AES-256, for the time being at least, sensitive data can be adequately secured. Providing the key is not disclosed, encrypted data cannot be accessed. RSA is an alternative encryption standard that is...

Read More
15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company
Dec18

15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company

A major data breach has been reported by one of Canada’s largest medical testing and diagnostics companies. Toronto-based LifeLabs said hackers have potentially gained access to the personal and health information of up to 15 million customers, most of whom are in British Columbia and Ontario. The number of people potentially affected makes this one of the largest healthcare ransomware attacks to date. The privacy commissioners in both provinces said the scale of the attack “extremely troubling.” After gaining access to its systems, the attackers deployed ransomware and encrypted an extensive amount of customer data. The cyberattack is still under investigation, so it is unclear what, if any, data has been stolen. It has been confirmed that the attackers gained access to parts of the system that contained the test results of around 85,000 Ontarians. The test results were from 2016 and earlier. No evidence has been found to suggest more recent test results, or medical test results from customers in other areas, have been compromised. Some of those test results include highly...

Read More
Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities
Dec17

Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities

Blue Cross Blue Shield of Minnesota, the largest health insurer in the state, is now taking steps to fix around 200,000 unaddressed vulnerabilities on its servers that, in some cases, are more than a decade old. In August 2018, Tom Yardic, a cybersecurity engineer at BCBS Minnesota discovered patches were not being applied on its servers, even though the vulnerabilities were rated critical or severe. The engineer met with executives at BCBS Minnesota to raise the alarm, yet no action appeared to be taken. Around a month later, Yardic alerted the BCBS Minnesota board of trustees as a last resort to get action taken to address the flaws, according to a recent report in the Star Tribune. According to the newspaper report, evidence was obtained that revealed vulnerabilities had not been addressed for many years. There were around 200,000 critical or severe vulnerabilities that had not been addressed on approximately 2,000 servers. Around 44% of the vulnerabilities were more than 3 years old and approximately 12% of the flaws dated back 10 or more years. Approximately 3.9 million...

Read More
Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership
Dec16

Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership

Pressure is continuing to be applied on Google and its parent company Alphabet to disclose information about how the protected health information (PHI) of patients of Ascension will be used, and the measures put in place to ensure PHI is secured and protected against unauthorized access. The partnership between Google and Ascension was announced on November 11, 2019 following the publication of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed concern that millions of healthcare records had been shared with Google without first obtaining consent from patients. It was also alleged that Google employees could freely download PHI. In its announcement, Google stated that the collaboration – named Project Nightingale – involved migrating Ascension’s infrastructure to the cloud and that it was helping Ascension implement G Suite tools to improve productivity and efficiency. Patient data was also being provided to Google to help develop AI and machine learning technologies to improve patient safety and clinical quality....

Read More
SpamTitan Top Rated AntiSpam Solution on Business Software Review Sites
Dec16

SpamTitan Top Rated AntiSpam Solution on Business Software Review Sites

The 2018 Verizon Data Breach Investigations Report showed phishing to be the primary method used by cybercriminals to infect healthcare networks with malware and steal financial information. Email was the attack vector in 96% of healthcare data breaches according to the report. All it takes is for one employee to respond to a phishing email for a data breach to occur, so it is essential for a powerful email security solution to be deployed that will catch phishing emails, malware, ransomware, and other email-based threats. Email security solutions can vary considerably from company to company. Some may be excellent at blocking email threats but can be difficult to use, others may fall short at detecting zero-day threats, and some fail to block many spam and phishing emails. All of the companies offering email security solutions claim that their products provide excellent protection, so selecting the best solution for your organization can be a challenge. Making the wrong decision can be a costly mistake. When choosing an email security solution, third party review sites are a...

Read More
MSPs and Healthcare Organizations Targeted with New Zeppelin Ransomware Variant
Dec12

MSPs and Healthcare Organizations Targeted with New Zeppelin Ransomware Variant

A new ransomware variant is being used in targeted attacks on managed service providers, technology, and healthcare firms, according to security researchers at Blackberry Cylance. Attacks are being conducted on carefully selected, high profile targets using a new variant of VegaLocker/Buran ransomware named Zeppelin. VegaLocker has been around since early 2019 and all variants from this family have been used to attack companies in Russian speaking countries. The campaigns were broad and used malvertising to direct users to websites hosting the ransomware. The latest variant is being used in a distinctly different campaign that is much more targeted. Attacks have only been detected on companies in Europe, the United States, and Canada so far. If the ransomware is downloaded onto a device in the Russian Federation, Ukraine, Belorussia, or Kazakhstan, the ransomware exits and does not encrypt files. Ransomware variants from the VegaLocker family have all been offered as ransomware-as-a-service and there are indications that the same is true of Zeppelin ransomware, although the...

Read More
Ryuk Ransomware Decryptor Bug May Result in Permanent Data Loss
Dec11

Ryuk Ransomware Decryptor Bug May Result in Permanent Data Loss

Cybersecurity firm Emsisoft has issued a warning about a recently discovered bug in the decryptor used by Ryuk ransomware victims to recover their data. A bug in the decryptor app can cause certain files to be corrupted, resulting in permanent data loss. Ryuk ransomware is one of the most active ransomware variants. It has been used in many attacks on healthcare organizations in the United States, including DCH Health System in Alabama and the recent attack on the IT service provider Virtual Care Provider. Ryuk ransomware is distributed in several ways. Scans are conducted to identify open Remote Desktop Protocol ports, brute force attacks on RDP are also conducted, and the ransomware is downloaded by exploiting unpatched vulnerabilities. Ryuk ransomware is also installed as a secondary payload by Trojans such as TrickBot. There is no free decryptor for Ryuk ransomware, so recovery depends of whether viable backups have been made, otherwise victims must pay a sizeable ransom for the keys to decrypt their files. When Ryuk ransomware victims pay the ransom, they are provided with a...

Read More
Deadline for Upgrading Windows 7 Devices is Fast Approaching
Dec10

Deadline for Upgrading Windows 7 Devices is Fast Approaching

Healthcare organizations still using Windows 7 and Windows 2008 only have a few days to upgrade the operating systems before Microsoft stops providing support. Support for both operating systems will come to an end on January 14, 2020. From January 14, 2020, no more patches and updates will be released by Microsoft so the operating system will potentially be vulnerable to attack. Cyberattacks are unlikely to start the second support is stopped, but any vulnerabilities in the operating system discovered after January 14 will remain unaddressed. Exploits could therefore be developed to exploit Windows 7 flaws and through those compromised devices, attacks could be launched on other devices on the network. As the number of vulnerabilities grow, the risk of a cyberattack will increase. According to Forescout the healthcare industry has the largest percentage of Windows 7 devices of any industry. A report earlier this year suggested 56% of healthcare organizations are still using Windows 7 on at least some devices and 10% of devices used by healthcare organizations are running Windows 7...

Read More
Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices
Dec09

Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed on their networks. The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom. In order to provide IT services to the dental practices, CTS is able to logon to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware. Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to...

Read More
Microsoft Issues Advice on Defending Against Spear Phishing Attacks
Dec06

Microsoft Issues Advice on Defending Against Spear Phishing Attacks

Cybercriminals conduct phishing attacks by sending millions of messages randomly in the hope of getting a few responses, but more targeted attacks can be far more profitable. There has been an increase in these targeted attacks, which are often referred to as spear phishing. Spear phishing attacks have doubled in the past year according to figures from Microsoft. Between September 2018 and September 2019, spear phishing attacks increased from 0.31% of email volume to 0.62%. The volume may seem low, but these campaigns are laser-focused on specific employees and they are often very affective. The emails are difficult even for security conscious employees to recognize and many executives, and even IT and cybersecurity staff, fall for these campaigns. The emails are tailored to a specific individual or small group of individuals in a company, they are often addressed to that individual by name, appear to come from a trusted individual, and often lack the signs of a phishing emails present in more general phishing campaigns. These attacks are more profitable as some credentials are...

Read More
HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks
Dec05

HIPAA Compliance Can Help Covered Entities Prevent, Mitigate, and Recover from Ransomware Attacks

Ransomware attacks are often conducted indiscriminately, with the file-encrypting software commonly distributed in mass spam email campaigns. However, since 2017, ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher than average probability of a ransom being paid. Healthcare providers are a prime target for cybercriminals. They have large quantities of sensitive data, low tolerance for system downtime, and high data availability requirements. They also have the resources to pay ransom demands and many are covered by cybersecurity insurance policies. Insurance companies often choose to pay the ransom as it is usually far lower than the cost of downtime while systems are rebuilt, and data is restored from backups. With attacks increasing in frequency and severity, healthcare organizations need to ensure that their networks are well defended and they have policies and procedures in place to ensure a quick response in the event of an attack. Ransomware attacks are increasing in sophistication and new...

Read More
Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018
Dec04

Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes. In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data. Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day to day operations at hospitals often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, attacks are increasing in frequency and severity. Malwarebytes data shows the...

Read More
DHS Updates Top 25 Most Dangerous Software Errors List for First Time in 8 Years
Nov27

DHS Updates Top 25 Most Dangerous Software Errors List for First Time in 8 Years

The U.S. Department of Homeland Security’s Homeland Security Systems Engineering and Development Institute (HSSEDI) has updated its list of the 25 most dangerous software vulnerabilities. This is the first time in the past 8 years that the list has been updated. The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors was first created in 2011. The list is an important tool for improving cybersecurity resiliency and is valuable to software developers, testers, customers, security researchers, and educators as it provides insights into the most prevalent and serious security threats in the software industry. The list was originally compiled by analysts using a subjective approach for assessing vulnerabilities. Security researchers were interviewed, and industry experts were surveyed to find out which vulnerabilities were believed to be the most serious. HSSEDI, which is run by MITRE, used a different approach for assessing vulnerabilities: One that is based on real-world vulnerabilities that have been reported by security researchers. “We shifted to a data-driven...

Read More
October 2019 Healthcare Data Breach Report
Nov25

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches. This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States. Largest Healthcare Data Breaches in October 2019 Breached Entity Entity Type Individuals Affected Type of Breach Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident Prisma Health – Midlands Healthcare Provider 19,060...

Read More
Phishing Attacks at Highest Level Since 2016
Nov25

Phishing Attacks at Highest Level Since 2016

According to the Q3, 2019 Phishing Activity Trends Report from the Anti-Phishing Working Group, phishing attacks are now occurring at a rate not seen since 2016. 266,387 unique phishing sites were detected in Q3, 2019, an increase of 46% from Q2, 2019. Almost twice the number of phishing sites were detected in Q3, 2019 than in the last quarter of 2018. APWG received data on 277,693 unique phishing campaigns from its members. That is the highest number of detected phishing campaigns since Q4, 2016. APWG also collates information from phishing attacks reported by consumers and the general public. 122,359 unique reports were received from the public in Q3, 2019, up 9.09% from Q2. The phishing campaigns detected in Q3, 2019 impersonated more than 400 different companies, up from 313 in Q2, 2019. The types of company most commonly impersonated in the attacks are webmail and software-as-a-service providers. The main aim of the attacks on these firms is to obtain credentials that can be used to gain access to corporate email and SaaS accounts. The targets of attacks are largely unchanged...

Read More