Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks
Jan21

CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine. The malware – dubbed Whispergate – masquerades as ransomware and generates a ransom note when executed; however, the malware lacks the capabilities to allow files to be recovered. Whispergate consists of a Master Boot Record (MBR) wiper, a file corruption, and a Discord-based downloader. The MBR is the section of the hard drive that identifies how and where an operating system is located. Wiping the MBR will brick an infected device by making the hard drive inaccessible. The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage of the malware, typically called stage1.exe, wipes the MBR and prevents the operating system from loading. The malware is executed when an infected...

Read More
December 2021 Healthcare Data Breach Report
Jan18

December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – An 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – The second-highest total since OCR started publishing summaries of healthcare data breaches in 2009. Largest Healthcare Data Breaches in December 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause Oregon Anesthesiology Group, P.C. OR Healthcare Provider 750,500 Ransomware Texas ENT Specialists TX Healthcare Provider 535,489 Ransomware Monongalia Health System, Inc....

Read More
Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack
Jan14

Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack

Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack. A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022. According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors. Stewart said he...

Read More
New HIPAA Regulations in 2022
Jan14

New HIPAA Regulations in 2022

It has been several years since new HIPAA regulations have been signed into law, but HIPAA changes in 2022 are expected. The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable. Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. There have been calls from many...

Read More
Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors
Jan13

Critical Infrastructure Entities Warned About Cyberattacks by State-sponsored Russian APT Actors

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint advisory warning about the threat of Russian cyberattacks on critical infrastructure, including the healthcare, energy, government, and telecommunications sectors. “CISA, the FBI, and NSA encourage the cybersecurity community – especially critical infrastructure network defenders – to adopt a heightened state of awareness and to conduct proactive threat hunting,” explained the agencies in the advisory. The agencies have shared details of the tactics, techniques, and procedures (TTPs) commonly used by Russian state-sponsored advanced persistent threat (APT) actors to gain persistent access to networks for espionage and destructive cyberattacks. Russian APT actors use a variety of methods to breach perimeter defenses including spear phishing, brute force attacks against accounts and networks with weak security, and the exploitation of unpatched vulnerabilities, and have previously targeted vulnerable...

Read More
2020-2021 HIPAA Violation Cases and Penalties
Jan04

2020-2021 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

Read More
Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity
Dec31

Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity

The Healthcare Supply Chain Association (HSCA) has issued guidance for healthcare delivery organizations, medical device manufacturers, and service suppliers on securing medical devices to make them more resilient to cyberattacks. The use of medical devices in healthcare has grown at an incredible rate and they are now relied upon to provide vital clinical functions that cannot be compromised without diminishing patient care. Medical devices are, however, often vulnerable to cyber threats and could be attacked to cause harm to patients, be taken out of service to pressure healthcare providers into meeting attackers’ extortion demands, or could be accessed remotely to obtain sensitive patient data. Medical devices are often connected to the Internet and can easily be attacked, so it is essential for proactive steps to be taken to improve security. The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchases of healthcare goods and services and, as such, has a unique line of...

Read More
November 2021 Healthcare Data Breach Report
Dec21

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector
Dec20

New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector

The CyberPeace Institute has released new data on cyberattacks on the healthcare industry. According to the latest figures, 295 cyberattacks are known to have been conducted on the healthcare sector in the past 18 months between June 2, 2020, and December 3, 2021. The attacks have been occurring at a rate of 3.8 per week and have occurred in 35 countries. Those attacks include 263 incidents that have either been confirmed as ransomware attacks (165) or are suspected of involving ransomware (98), with those attacks occurring in 33 countries at a rate of 3.4 incidents a week. Over the past 18 months, at least 39 different ransomware groups have conducted ransomware attacks on the healthcare sector. Those attacks have mostly been on patient care services (179), followed by pharma (35), medical manufacturing & development (26), and other medical organizations (23). The CyberPeace Institute studied darknet publications, correspondence with ransomware gangs, and interviews and identified 12 ransomware groups that had stated they would not conduct attacks on the healthcare sector...

Read More
Third Version of Log4j Released to Fix High Severity DoS Vulnerability
Dec20

Third Version of Log4j Released to Fix High Severity DoS Vulnerability

The original vulnerability identified in Log4j (CVE-2021-44228) that sent shockwaves around the world due to its seriousness, ease of exploitation, and the extent to which it impacts software and cloud services, is not the only vulnerability in the Java-based logging utility. After releasing version 2.15.0 to fix the flaw, it was determined that version 2.15.0 was still vulnerable in certain non-default configurations due to an incomplete patch. The new vulnerability is tracked as CVE-2021-45046 and was fixed in version 2.16.0 of Log4j. Initially, the vulnerability was assigned a CVSS score of 3.7 (low severity); however, the severity score has since been increased to critical (CVSS 9.0), as while this flaw was initially reported as a denial-of-service bug, it was later determined that it could be exploited to allow data exfiltration and remote code execution. According to Apache, “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious...

Read More
What is a HIPAA Violation?
Dec14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
Learnings from a Major Healthcare Ransomware Attack
Dec13

Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems which caused major disruption to healthcare services across the country. Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE. Cybersecurity Failures that are Common in the Healthcare Industry PWC’s recently published report highlights a number of...

Read More
Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild
Dec13

Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild

A maximum-severity vulnerability has been identified in Apache Log4j, an open-source Java-based logging library used by many thousands of organizations in their enterprise applications and by many cloud services. The vulnerability, dubbed Log4Shell and tracked as CVE-2021-44228, is serious as they come, with some security researchers claiming the flaw is the most serious to be discovered in the past decade due to its ease of exploitation and the sheer number of enterprise applications and cloud services that are affected. The vulnerability can be exploited without authentication to achieve remote code execution and take full control of vulnerable systems. The vulnerability affects Apache Log4j between versions 2.0 to 2.14.1, and has been fixed in version 2.15.0. The advice is to ensure the upgrade is performed immediately as a proof-of-concept exploit for the flaw is in the public domain, extensive scans are being performed for vulnerable systems, and there have been many cases of the flaw being exploited in the wild. Some reports suggest the improper input validation bug has been...

Read More
HIPAA Social Media Rules
Dec12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks. There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media Healthcare organizations must implement a HIPAA social media policy to reduce the risk of...

Read More
High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products
Dec10

High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products

A high severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password. The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). The vulnerability allows the manual entry of all active directory (AD) accounts provisioned within the application, and access will be granted without having to provide the associated password. That means a remote attacker could access the application under the provided AD account and gain all privileges associated with the account. The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10. According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products: Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1 Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1 Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0 Welch Allyn Vision Express:...

Read More
SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances
Dec09

SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances

SonicWall has released new firmware for its Secure Mobile Access (SMA) 100 series remote access appliances that fixes 8 vulnerabilities including 2 critical and 4 high-severity flaws. Vulnerabilities in SonicWall appliances are attractive to threat actors and have been targeted in the past in ransomware attacks. While there are currently no known cases of the latest batch of vulnerabilities being exploited in the wild, there is a high risk of these vulnerabilities being exploited if the firmware is not updated promptly. SMA 100 series appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, all of which are affected. The most serious vulnerabilities are buffer overflow issues which could be exploited remotely by an unauthenticated attacker to execute code on vulnerable appliances. These are CVE-2021-20038, an unauthenticated stack-based buffer overflow vulnerability (CVSS score of 9.8), and CVE-2021-20045, which covers multiple unauthenticated file explorer heap-based and stack-based buffer overflow issues (CVSS score 9.4). A further...

Read More
Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access
Dec06

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act. New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties. The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to...

Read More
Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks
Dec06

Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers and initial research suggests it may be a variant of SmokeLoader – A commonly used malware loader and backdoor, although SmokeLoader and Tardigrade malware are quite distinct. The sophisticated nature of the malware coupled with the targeted attacks on vaccine manufacturers and their partners strongly suggest the malware was developed and is being used by an Advanced Persisted Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021 when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021 and it is believed to have been used in attacks on several firms in the sector. In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade...

Read More
APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells
Dec03

APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus. The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus (on-premises) prior to version 11306. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the...

Read More
HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats
Dec03

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats. The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use. More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and...

Read More
CISA Publishes Mobile Device Cybersecurity Checklist for Organizations
Nov30

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance for enterprises to help them secure mobile devices and safely access enterprise resources using mobile devices. The Enterprise Mobility Management (EMM) system checklist has been created to help businesses implement best practices to mitigate vulnerabilities and block threats that could compromise mobile devices and the enterprise networks to which they connect. The steps outlined in the checklist are easy for enterprises to implement and can greatly improve mobile device security and allow mobile devices to be safely used to access business networks. CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet enterprise requirements, an assessment should be performed to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically to ensure it is always running the latest version of the software and patches are applied automatically to fix known vulnerabilities. A policy should be...

Read More
Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend
Nov23

Increased Risk of Cyber and Ransomware Attacks Over Thanksgiving Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned organizations in the United States about the increased risk of cyberattacks over Thanksgiving weekend. Cyber threat actors are often at their most active during holidays and weekends, as there are likely to be fewer IT and security employees available to detect attempts to breach networks. Recent attacks have demonstrated holiday weekends are prime time for cyber threat actors, with Las Vegas Cancer Center one of the most recent victims of such an attack on the Labor Day weekend. The warning applies to all organizations and businesses, but especially critical infrastructure firms. Cyber actors around the world may choose Thanksgiving weekend to conduct attacks to disrupt critical infrastructure and conduct ransomware attacks. CISA and the FBI are urging all entities to take steps to ensure risk is effectively mitigated ahead of the holiday weekend to help prevent them from becoming the next victim of a costly cyberattack. Steps that should be taken immediately...

Read More
HC3 Warns Healthcare Sector About Risk of Zero-day Attacks
Nov23

HC3 Warns Healthcare Sector About Risk of Zero-day Attacks

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief warning the healthcare and public health sector about an increase in financially motivated zero-day attacks, outlining mitigation tactics that should be adopted to reduce risk to a low and acceptable level. A zero-day attack leverages a vulnerability for which a patch has yet to be released. The vulnerabilities are referred to as zero-day, as the developer has had no time to release a patch to correct the flaw. Zero-day attacks are those where a threat actor has exploited a zero-day vulnerability using a weaponized exploit for the flaw. Zero-day vulnerabilities are exploited in attacks on all industry sectors and are not only a problem for the healthcare industry.  For instance, in 2010, exploits were developed for four zero-day vulnerabilities in the “Stuxnet” attack on the Iranian nuclear program, which caused Iranian centrifuges to self-destruct to disrupt Iran’s nuclear program. More recently in 2017, a zero-day vulnerability was exploited to deliver the Dridex banking Trojan. While it...

Read More
Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors
Nov19

Vulnerabilities Identified in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Five vulnerabilities have been identified that affect the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors. IntelliBride EC 40 and EC 80 Hub Two vulnerabilities have been identified that affect C.00.04 and prior versions of the IntelliBridge EC 40 and EC 80 Hub. Successful exploitation of the vulnerabilities could allow an unauthorized individual to execute software, change system configurations, and update/view files that may include unidentifiable patient data. The first vulnerability is due to the use of hard-coded credentials – CVE-2021-32993 – in the software for its own inbound authentication, outbound communication to external components, or the encryption of internal data. The second vulnerability is an authentication bypass issue – CVE-2021-33017. While the standard access path of the product requires authentication, an alternative path has been identified that does not require authentication. Both vulnerabilities have been assigned a CVSS v3 severity score of 8.1 out of 10. Philips has not yet issued an...

Read More
Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities
Nov18

Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warning of ongoing attacks by an Iranian Advanced Persistent Threat (APT) actor on critical infrastructure sectors including the healthcare and public health sector. Cyber actors known to be associated with the Iranian government have been exploiting vulnerabilities in the Fortinet FortiOS operating system since at least March 2021, and have been leveraging a Microsoft Exchange ProxyShell vulnerability since October 2021 to gain access to targets’ networks. The attacks appear to be focused on exploiting the vulnerabilities rather than any specific sector. Once the vulnerabilities have been exploited to gain a foothold in networks, the threat actor can perform a range of follow-on operations, which have included data exfiltration and data encryption. The threat actors are exploiting three vulnerabilities in Fortinet Devices –...

Read More
82% Of Healthcare Organizations Have Experienced an IoT Cyberattack in the Past 18 Months
Nov18

82% Of Healthcare Organizations Have Experienced an IoT Cyberattack in the Past 18 Months

A new study conducted by Medigate and CrowdStrike has highlighted the extent to which healthcare Internet of Things (IoT) devices are being targeted by threat actors and warns about the worrying state of IoT security in the healthcare industry. The number of IoT devices being used in healthcare has increased significantly in recent years as connected health drives a revolution in care delivery. Healthcare providers are increasingly reliant on IoT devices to perform a range of essential functions, and while the devices offer huge clinical benefits, full consideration should be given to cybersecurity. Cyber threat actors have disproportionately targeted healthcare organizations for many years due to the high value of healthcare data, the ease at which it can be monetized, and the relatively poor cybersecurity defenses in healthcare compared to other industry sectors. The rapid adoption of IoT devices has resulted in a major increase in the attack surface which gives cyber actors even more opportunities to conduct attacks. Further, IoT devices often have weaker cybersecurity controls...

Read More
Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft
Nov16

Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations. The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients to obtain their views on cybersecurity and data breaches in healthcare. The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months. Ransomware attacks were viewed as a cause of concern by 13% of IT security pros, indicating most are confident that they will be able to recover data in the event of an attack. However, data breaches that result in the loss of patient data were a major worry, with 52% of IT pros rating data...

Read More
Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities
Nov15

Medical Devices Affected by 13 Siemens Nucleus RTOS TCP/IP Stack Vulnerabilities

13 vulnerabilities have been identified in the Siemens Nucleus RTOS TCP/IP stack that could potentially be exploited remotely by threat actors to achieve arbitrary code execution, conduct a denial-of-service attack, and obtain sensitive information. The vulnerabilities, dubbed NUCLEUS:13, affect the TCP/IP stack and related FTP and TFTP services of the networking component (Nucleus NET) of the Nucleus Real-Time Operating System (RTOS), which is used in many safety-critical devices. In healthcare, Nucleus is used in medical devices such as anesthesia machines and patient monitors. One critical vulnerability has been identified that allows remote code execution which has a CVSS v3 severity score of 9.8 out of 10. Ten of the vulnerabilities are rated high severity flaws, with CVSS scores ranging from 7.1 to 8.8. There are also two medium-severity flaws with CVSS scores of 6.5 and 5.3. The vulnerabilities were identified by security researchers at Forescout Research Labs, with assistance provided by researchers at Medigate. The vulnerabilities affect the following Nucleus RTOS...

Read More
DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information
Nov11

DOJ Indicts 2 REvil Ransomware Gang Members: State Department Now Offering $10 Million Reward for Information

The United States Department of Justice (DoJ) has unsealed indictments charging two individuals for their roles in multiple REvil/Sodinokibi ransomware attacks on organizations in the United States. Ukrainian national, Yaroslav Vasinskyi, 22, has been indicted on multiple charges related to the ransomware attacks, including the supply chain attack that saw Kaseya’s Virtual System/Server Administrator (VSA) platform compromised. That attack involved ransomware being deployed on the systems of around 40 managed service providers and 1,500 downstream businesses. Russian national, Yevgeniy Igoryevich Polyanin, 28, has been indicted for his role in multiple ransomware attacks, including attacks on government entities in Texas. The DoJ says it seized $6.1 million in ransom payments that were paid to cryptocurrency wallets linked to Polyanin. The DoJ has indicted several individuals believed to have been involved in cyberattacks in the United States; however, those individuals can only face trial if they are located, arrested, and extradited to the United States. Many ransomware threat...

Read More
HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations
Nov10

HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors. Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector. Cobalt Strike can be used for reconnaissance to gain valuable information about the target infrastructure to allow threat actors to determine the best use of their time when attacking healthcare networks. The system profiler function can be used to discover client-side applications used by a target and provides version information. The system profiler starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, and obtains reconnaissance data from the weblog, applications, and provides information on targets. Cobalt Strike includes a spear phish tool that can be used to create and send...

Read More
3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions
Nov10

3 Medium Severity Vulnerabilities Identified in Philips MRI Solutions

Three medium severity vulnerabilities have been identified in Philips MRI products which, if exploited, could allow an unauthorized individual to run software, modify the device configuration, view and updates files, and export data, including protected health information, to an untrusted environment. Aguilar found insufficient access controls which fail to restrict access by unauthorized individuals (CVE-2021-3083), the software assigns an owner who is outside the intended control sphere (CVE-2021-3085), and sensitive data is exposed to individuals who should not be provided with access (CVE-2021-3084). Each of the vulnerabilities has been assigned a CVSS V3 base score of 6.2 out of 10. The vulnerabilities were identified by Secureworks Adversary Group consultant, Michael Aguilar, and affect Philips MRI 1.5T: Version 5.x.x, and MRI 3T: Version 5.x.x. Aguilar reported the flaws to Philips and a patch has been scheduled for release by October 2022. In the meantime, Philips recommends implementing mitigating measures to prevent the vulnerabilities from being exploited. The...

Read More
The HIPAA Password Requirements and the Best Way to Comply With Them
Nov09

The HIPAA Password Requirements and the Best Way to Comply With Them

It is important that Covered Entities and Business Associates understand the HIPAA password requirements and the best way to comply with them because if a data breach is found to be attributable to a lack of compliance, the penalties could be significant. However, understanding the HIPAA password requirements is not straightforward. HIPAA is intentionally technology-neutral; so whereas Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”, there is no indication what procedures should be implemented or even that user verification should be password-based. Guidance published by the Department of Health and Human Services suggests there are three ways in which users can verify their identity: With something only known to the user, such as a password or PIN, With something the user possesses, such as a smart card or key, or With something unique to the user, such as a fingerprint or facial image. In addition to the above, a required...

Read More
Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw
Nov08

Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw

An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education. The campaign was identified by security researchers at Palo Alto Networks and while the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse based on the use of hacking tools and techniques that match previous APT27 activity. The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems. On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion
Nov03

FBI: Ransomware Gangs Exploiting Corporate Financial Events to Facilitate Extortion

Ransomware gangs often use double extortion tactics to encourage victims to pay the ransom. In addition to file encryption, sensitive data are stolen and a threat is issued to sell or publish the data if the ransom is not paid. The Federal Bureau of Investigation (FBI) has recently issued a private industry notification warning of a new extortion tactic, where ransomware gangs target companies and organizations that are involved in significant time-sensitive financial events, steal sensitive financial data, then threaten to publish that information if payment is not made. Ransomware gangs conduct extensive research on their victims before launching an attack, which includes gathering publicly available data and nonpublic material. The attacks are then timed to coincide with the release of quarterly earnings reports, SEC filings, initial public offerings, and merger and acquisition activity, with the release of information having the potential to significantly affect the victim’s stock value. “During the initial reconnaissance phase, cyber criminals identify non-publicly...

Read More
42% of Healthcare Organizations Have Not Developed an Incident Response Plan
Nov02

42% of Healthcare Organizations Have Not Developed an Incident Response Plan

Hacks, ransomware attacks, and other IT security incidents account for the majority of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, but data breaches involving physical records are also commonplace. According to the Verizon Data Breach Investigations Report, disclosed physical records accounted for 43% of all breaches in 2021, which highlights the need for data security measures to be implemented covering all forms of data. The healthcare industry is extensively targeted by cybercriminals and cyberattacks increased during the pandemic. There was a 73% increase in healthcare cyberattacks in 2020, with those breaches resulting in the exposure of 12 billion pieces of protected health information, according to the 2021 Data Protection Report recently published by Shred-It. The report is based on an in-depth survey of C-level executives, small- and medium-sized business owners, and consumers across North America and identifies several areas where organizations could improve their defenses against external and internal threats....

Read More
OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance
Nov02

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections they have implemented to secure their legacy IT systems and devices. A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks. Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices. Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy...

Read More
Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses
Nov01

Microsoft Warns of Ongoing Attacks by SolarWinds Hackers on Service Providers and Downstream Businesses

The advanced persistent threat (APT) actor Nobelium (aka APT29; Cozy Bear) that was behind the 2020 SolarWinds supply chain attack is targeting cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers, according to a recent alert from Microsoft. Rather than conducting attacks on many companies and organizations, Nobelium is favoring a compromise-one-to-compromise-many approach. This is possible because service providers are often given administrative access to customers’ networks to allow them to provide IT services. Nobelium is attempting to leverage that privileged access to conduct attacks on downstream businesses and has been conducting attacks since at least May 2021. Nobelium uses several techniques to compromise the networks of service providers, including phishing and spear phishing attacks, token theft, malware, supply chain attacks, API abuse, and password spraying attacks on accounts using commonly used passwords and passwords that have previously been stolen in data breaches. Once access to service providers’ networks has been...

Read More
Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI
Oct27

Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI

A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk. The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats. The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to...

Read More
International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure
Oct27

International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure

In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were laying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation. The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the later attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United...

Read More
Cybersecurity Awareness Month: Put Cybersecurity First
Oct25

Cybersecurity Awareness Month: Put Cybersecurity First

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First”, with the focus on getting the message across to businesses about the need for cybersecurity measures to address vulnerabilities in products, processes, and people. Cybersecurity Advice for Companies One study suggests 64% of companies worldwide have experienced some form of cyberattack and the rate at which attacks are occurring is increasing. It is essential for companies to ensure that cybersecurity measures are incorporated when developing apps, products, or new services and for cybersecurity to be considered at the design stage. Safeguards need to be baked into products from the start. Cybersecurity should not be an afterthought. Businesses need to have a thorough understanding of their IT environment and what assets need to be protected. An inventory should be created for all assets and the location of all sensitive data should be known. A plan then needs to be developed to protect those assets, which should include overlapping layers of protection using technologies such as firewalls, spam...

Read More
44% of Healthcare Organizations Don’t Have Full Visibility into 3rd Party Access and Permissions
Oct25

44% of Healthcare Organizations Don’t Have Full Visibility into 3rd Party Access and Permissions

A recent study conducted by the Ponemon Institute on behalf of cybersecurity firm SecureLink has explored the state of third-party security and critical access management at healthcare organizations. As with other industry sectors, remote access to internal systems is provided to third parties to allow them to perform essential business functions. Whenever a third party is provided with access, there is a risk that access rights will be abused. Credentials could also potentially be obtained by cyber threat actors and used for malicious purposes. While healthcare organizations are aware that providing access to third parties involves a degree of risk, in healthcare the level of risk is often underestimated. The healthcare industry is extensively targeted by cyber actors and the industry experiences four times the number of data breaches as other industry sectors and the threat is growing. A recent Bitglass study suggests a 55% increase in healthcare data breaches in the United States during the pandemic. SecureLink’s study, the results of which were published in the report, A Matter...

Read More
Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats
Oct22

Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats

A recent survey conducted on Chief Information Security Officer (CISO) members of the College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) has highlighted the impact cybersecurity incidents have had on the healthcare industry and the need for federal assistance to deal with the threats. The healthcare industry has long been targeted by cybercriminals, but attacks have increased during the pandemic. 67% of respondents said their organization had experienced a security incident in the past 12 months with almost half saying they were the victim of a phishing attack. Phishing and business email compromise attacks, malware ransomware, hacking, and insider threats were the most common security exploits used in cyberattacks on the industry. Cyberattacks can cause patient safety issues. One recent study indicates mortality rates increase following a ransomware attack, as do medical complications and the length of hospital stays. The survey confirmed the impact on patient safety, with 15% of respondents...

Read More
September 2021 Healthcare Data Breach Report
Oct20

September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months. Largest Healthcare Data Breaches Reported in September 2021 16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...

Read More
Alert Issued About Ongoing BlackMatter Ransomware Attacks
Oct19

Alert Issued About Ongoing BlackMatter Ransomware Attacks

A joint alert has been issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) about ongoing BlackMatter ransomware attacks. The group has been conducting attacks in the United States since July 2021, which have included attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained that links the gang to the DarkSide ransomware gang that conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline, with BlackMatter ransomware potentially a rebrand of the DarkSide operation. Investigations into the attacks have allowed the agencies to obtain important information about the tactics, techniques, and procedures (TTPs) of the group, and an analysis has been performed on a sample of the ransomware in a sandbox environment. The group is known to use previously compromised credentials to gain access to victims’ networks, then leverages the Lightweight Directory Access Protocol (LDAP) and...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Cybersecurity Awareness Month: Fight the Phish!
Oct12

Cybersecurity Awareness Month: Fight the Phish!

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019 and since the pandemic began in 2020 phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack. Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source. The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing...

Read More
FIN12 Ransomware Gang Actively Targeting the Healthcare Sector
Oct12

FIN12 Ransomware Gang Actively Targeting the Healthcare Sector

Ransomware is currently the biggest cyber threat faced by the healthcare industry. Attacks often cripple healthcare IT systems for weeks or months and prevent medical records from being accessed. One study by the Ponemon Institute/Censinet shows attacks result in treatment delays, an increase in complications, poorer patient outcomes, and an increase in mortality rates. Several ransomware gangs have publicly stated they will not attack the healthcare industry, but that is certainly not true of FIN12. According to a recently published analysis of the ransomware actor by Mandiant, around 20% of the attacks conducted by the group have been on the healthcare industry. FIN12 is a prolific ransomware actor that focuses on big game targets. Almost all the victims of FIN12 have annual revenues over $300 million, with an average of almost $6 billion. FIN12 has been active since at least 2018 and has largely targeted North America where 85% of its attacks have occurred, although the gang has recently expanded geographically and now also conducts attacks in Europe and the Asia Pacific region....

Read More
Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours
Oct11

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours

A new bill has been introduced that, if passed, will require victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid. The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States. Between 2019 and 2020 ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the...

Read More
Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability
Oct07

Medtronic Recalls MiniMed Remote Controllers Due to Serious Cybersecurity Vulnerability

The Food and Drug Administration (FDA) has issued a warning to users of Medtronic wireless insulin pumps about a serious security vulnerability affecting certain remote controllers. MiniMed insulin pumps deliver insulin for the management of diabetes and the pumps are supplied with an optional remote controller device that communicates wirelessly with the insulin pump. A security researcher has identified a cybersecurity vulnerability in older models of remote controllers that use previous-generation technology that could potentially be exploited to cause harm to users of the pumps. The cybersecurity vulnerability could be exploited by an unauthorized person to record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialist equipment, an unauthorized individual in the vicinity of the insulin pump user could send radio frequency signals to the insulin pump to instruct it to over-deliver insulin to a patient or stop insulin delivery. Over-delivering insulin could result in dangerously low blood sugar levels and stopping insulin delivery...

Read More
Expert Insights Recognizes TitanHQ with 4 Best of Awards for SpamTitan, WebTitan & ArcTitan
Oct07

Expert Insights Recognizes TitanHQ with 4 Best of Awards for SpamTitan, WebTitan & ArcTitan

The online B2B publication Expert Insights has recognized TitanHQ’s cybersecurity solutions in its Fall 2021 Best of Cybersecurity Awards. The Irish cybersecurity firm collected 4 awards for its email security, web security, and email archiving solutions, which were each rated best-in-class by the editorial team. Expert Insights is used by over 80,000 individuals each month to identify cybersecurity and cloud-based security solutions that meet their business needs, saving countless hours in the search for the right solutions. Expert Insights conducts research into cybersecurity and cloud-based security solutions and publishes buyers’ guides, blog posts, and industry analyses. Each year, the best cybersecurity solutions are selected based on independent technical analyses, customer feedback, and reviews by the US- and UK-based editorial teams. For the second successive year, TitanHQ has had a clean sweep and collected Best Of Awards for each of its three security solutions. SpamTitan received Best of Awards in two categories, being selected as the top product in the Best Email...

Read More
Insider Threat Self-Assessment Tool Released by CISA
Oct06

Insider Threat Self-Assessment Tool Released by CISA

Public and private sector organizations have a new tool to help them assess their level of vulnerability to insider threats. The new Insider Threat Risk Mitigation Self-Assessment Tool has been created by the Cybersecurity and Infrastructure Security Agency (CISA) to help users further their understanding of insider threats and develop prevention and mitigation programs. In healthcare, security efforts often focus on the network perimeter and implementing measures to block external threats, but insider threats can be just as damaging, if not more so. Insiders can steal sensitive information for financial gain, can take information to provide to their next employer, or can abuse their privileged access to cause significant harm. Insider breaches can have major consequences for businesses, with may include reputation damage, loss of revenue, theft of intellectual property, reduced market share, and even physical harm. CISA says insider threats can include current and former employers, contractors, or other individuals with inside knowledge about a business. The threat posed by...

Read More
Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training
Oct05

Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) are required to provide security awareness training to the workforce, but a new report suggests training is lacking at many HIPAA-regulated entities. The security awareness training and phishing simulation platform provider KnowBe4 commissioned Osterman Research to conduct a survey on 1,000 U.S. employees to determine their level of knowledge about security threats and how much training they have been given. The findings of the survey were published in the KnowBe4 2021 State of Privacy and Security Awareness Report. The survey revealed employees are generally confident about password best practices but lacked confidence in other areas of cybersecurity such as identifying social engineering attacks. Only a minority understood threats such as phishing, even though phishing is one of the most common ways that hackers gain access to business networks and corporate data. Worryingly, less than half of respondents believed clicking a link in an email or opening an attachment could result in their mobile...

Read More
Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death
Oct04

Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death

A medical malpractice lawsuit has been filed against an Alabama hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack and that the mother was not informed that patient care had been affected by the incident. Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients with staff operating under the hospital’s emergency protocol during the downtime. With no access to computer systems patient information was recorded on paper charts. Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care, “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.” During the system downtime, Teiranni Kidd arrived at the hospital to have her baby...

Read More
National Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart
Oct04

National Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart

October is National Cybersecurity Awareness Month. Throughout October, the importance of cybersecurity is highlighted and resources are made available to raise awareness of cyber threats and encourage individuals and organizations to adopt cybersecurity best practices and better protect accounts and sensitive data. Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the United States Department of Homeland Security in 2004 to raise awareness of the importance of cybersecurity. Each year has a different theme, although the overall aim is the same – To empower individuals and the organizations they work for to improve cybersecurity and make it harder for hackers and scammers to succeed. The month is focused on improving education about cybersecurity best practices, raising awareness of the digital threats to privacy, encouraging organizations and individuals to put stronger safeguards in place to protect sensitive data, and highlighting the importance of security awareness training. This year has the overall theme – “Do Your Part,...

Read More
NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security
Sep30

NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on selecting and improving the security of Virtual Private Networks (VPN) solutions. VPN solutions allow remote workers to securely connect to business networks. Data traffic is routed through an encrypted virtual tunnel to prevent the interception of sensitive data and to block external attacks. VPNs are an attractive target for hackers, and vulnerabilities in VPN solutions have been targeted by several Advanced Persistent Threat (APT) groups. APT actors have been observed exploiting vulnerabilities in VPN solutions to remotely gain access to business networks, harvest credentials, remotely execute code on the VPN devices, hijack encrypted traffic sessions, and obtain sensitive data from the devices. Several common vulnerabilities and exposures (CVEs) have been weaponized to gain access to the vulnerable devices, including Pulse Connect Secure SSL VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379), and Palo Alto Networks PAN-OS (CVE_2020-2050)....

Read More
Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack
Sep27

Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack

While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack. Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted. While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents...

Read More
CISA and FBI Warn About Escalating Conti Ransomware Attacks
Sep23

CISA and FBI Warn About Escalating Conti Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about escalating Conti ransomware attacks. CISA and the FBI have observed Conti ransomware being used in more than 400 cyberattacks in the United States and globally. Like many ransomware gangs, prior to deploying Conti ransomware the gang exfiltrates data from victims’ networks. A ransom demand is issued along with a threat to publish the stolen data if the ransom is not paid. The developers of Conti ransomware run a ransomware-as-a-service operation, where affiliates are recruited to conduct attacks. Under this model, affiliates usually receive a percentage of any ransoms they generate. Conti appears to operate slightly differently, where affiliates are paid a wage to conduct attacks. A variety of methods are used to gain access to victims’ networks. Spear phishing emails are common, where malicious attachments such as Word documents with embedded scripts are used as malware droppers. Typically, a malware variant such as TrickBot or IcedID is downloaded...

Read More
Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attacks
Sep13

Health and Public Health Sector Warn of Elevated Risk of BlackMatter Ransomware Attacks

The health and public health sector is facing an elevated risk of ransomware attacks by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation, according to the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services. The BlackMatter threat group emerged in July 2021 shortly after the DarkSide ransomware gang shut down its operation and the Sodinokibli/REvil took its infrastructure offline. The Russian speaking threat group is believed to originate in Eastern Europe and has conducted many attacks over the past couple of months in Brazil, Chile, India, Thailand, and the United States. The group also started leaking data stolen in attacks on its data leak site on August 11, 2021. The threat group has mostly conducted ransomware attacks on companies in the real estate, food and beverage, architecture, IT, financial services, and education sectors, and while the ransomware gang has publicly stated it would not attack hospitals, critical infrastructure companies, nonprofits, government, and defense contractors, there is...

Read More
NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders
Sep08

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has recently released the final version of the NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders. Public safety and first responder (PSFR) personnel require on-demand access to public safety data in order to provide proper support and emergency care. In order to access the necessary data, PSFR personnel are heavily reliant on mobile platforms. Through these platforms, PSFR personnel can access the personal and protected health information of patients and sensitive law enforcement information; however, in order to keep sensitive information secure and to prevent unauthorized access, strong authentication mechanisms are required. Those authentication mechanisms are needed to keep data secure and to protect privacy, but they have potential to hinder PSFR personnel and get in the way of them providing emergency services. While authentication may only take a matter of seconds, any...

Read More
CISA Updates List of Cybersecurity Bad Practices to Eradicate
Sep06

CISA Updates List of Cybersecurity Bad Practices to Eradicate

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of cybersecurity bad practices that must be eradicated. Cyber threat actors often conduct highly sophisticated attacks to gain access to internal networks and sensitive data, but oftentimes sophisticated tactics, techniques and procedures are not required. The Bad Practices Catalog was created in July 2021 to raise awareness of some of the most egregious errors that are made in cybersecurity that leave the door wide open to hackers. There have been many lists published on cybersecurity best practices to follow, and while it is vital that those practices are followed, it is critical that these bad practices are eradicated, especially at organizations that support critical infrastructure or national critical functions (NCFs). These bad practices significantly increase risk to the critical infrastructure relied upon for national security, economic stability, and life, health, and safety of the public. When the Bad Practices Catalog was first published, two entries were added. First on the list is the...

Read More
FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend
Sep02

FBI & CISA Warn of Increased Risk of Ransomware Attacks over Labor Day Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning to all public and private sector organizations about the increased risk of ransomware attacks at times when offices are normally closed, such as long holiday weekends. While many employees will be having a long weekend due to Labor Day, this is a time when threat actors are usually highly active. The low staff numbers during holidays and weekends make it less likely that their attacks will be detected and blocked. The CISA and the FBI explained in the warning that they have observed an increase in “highly impactful ransomware attacks occurring on holidays and weekends,” and provided multiple examples of threat actors conducting attacks over holiday weekends in the United States in 2021. Most recently, the Sodinokibi/REvil ransomware actors conducted an attack on the Kaseya remote monitoring and management tool over the Fourth of July 2021 holiday weekend. The attack affected hundreds of organizations including many managed service providers and their...

Read More
Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals
Sep01

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021. Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers. While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses and can be attacked more easily and are low hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort to gain access to their networks and sensitive data. “It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers...

Read More
Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps
Aug31

Researchers Identify Easily Exploitable Vulnerabilities in Drug Infusion Pumps

Researchers at McAfee Advanced Threat Research (ATR), in conjunction with the medical device cybersecurity firm Culinda, have identified 5 previously unreported vulnerabilities in two widely used models of B. Braun drug infusion pumps. The devices are used globally in hospitals to treat adult and pediatric patients and automate the delivery of medications and nutrients to patients. They are especially useful for ensuring controlled delivery of critical medication doses. The flaws in the B. Braun infusion pumps could be exploited by an unauthenticated attacker to change the configuration of the infusion pumps while they are in standby mode, which could result in an unexpected dose of medication being delivered the next time the device is used, potentially causing harm to a patient. McAfee alerted B.Braun to the vulnerabilities in the B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation on January 11, 2021, and recommended safeguards that should be implemented to prevent the flaws being exploited. In May 2021, B.Braun published information for customers and...

Read More
July 2021 Healthcare Data Breach Report
Aug23

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Read More
CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks
Aug20

CISA Publishes Guidance on Protecting Sensitive Data and Responding to Double-Extortion Ransomware Attacks

Ransomware attacks dramatically increased in 2020 and cyberattacks using the file-encrypting malware are showing no sign of abating. Attacks have continued to increase this year to the point where there were almost half the number of attempted ransomware attacks in Q2, 2021 as there were all of 2019. Most threat actors conducting ransomware attacks are now using double extortion tactics, where ransoms must be paid to obtain the keys to decrypt files but also to prevent the publication of data stolen in the attacks. The theft of data prior to file encryption has not only helped ransomware gangs demand huge ransom payments, but the threat of leaking data has greatly increased to probability of the ransom being paid. Many victims end up paying the ransom to prevent data leakage, even though they have valid backups that will allow them to restore the encrypted data for free. To help public and private sector organizations deal with the threat of these double-extortion ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance, which...

Read More
Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks
Aug19

Mid-Year Threat Report Shows Massive Increase in Ransomware Attacks

Last month, SonicWall published a mid-year update of its Cyber Threat Report which confirmed there has been a major increase in cyberattacks since 2020. In the first 6 months of 2021, cryptojacking attacks increased by 23%, encrypted threats rose by 26%, IoT attacks rose by 59%, and there was a 151% increase in ransomware attacks compared to the corresponding period last year. Ransomware attacks have been steadily increasing since Q1, 2020, but the rate of increase jumped considerably between Q1 and Q2, 2021, rising to a Q2 total of 188.9 million attempted attacks: an increase of 63.1% from the previous quarter. In June alone there were 78.4 million attempted ransomware attacks, which is more than the total number of attacks in the second quarter of 2020 and almost half of the total number of attempted ransomware attacks in all of 2019. In total, there were 304.7 million attempted ransomware attacks in the first half of 2021. “Even if we don’t record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year...

Read More
Scripps Health Ransomware Attack Cost Increases to Almost $113 Million
Aug18

Scripps Health Ransomware Attack Cost Increases to Almost $113 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack. While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected. Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four...

Read More
CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure
Aug18

CISA Issues Warning About Blackberry’s QNX Vulnerability Affecting Critical Infrastructure

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert warning about a vulnerability affecting Blackberry’s QNX Real Time Operating System (RTOS), which is extensively used by critical infrastructure organizations and affects multiple consumer, medical, and industrial networks. The vulnerability is one of 25 that are collectively known as BadAlloc, which affect multiple IoT and OT systems. The flaws are memory allocation integer overflow or wraparound issues in memory allocation functions used in real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. On August 17, 2021, Blackberry announced that its QNX products were affected by one of the BadAlloc vulnerabilities – CVE-2021-22156. The flaw could be exploited by a remote attacker to cause a denial-of-service condition, or even achieve remote code execution, with the latter potentially allowing an attacker to take control of highly sensitive systems. The flaw affects the calloc() function in the C runtime library of...

Read More
Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms
Aug16

Study Reveals Extent of Cybersecurity Vulnerabilities at Major Pharmaceutical Firms

Reposify, a provider of an external attack surface management platform, has published the findings of a study of security vulnerabilities at pharmaceutical firms which shows the vast majority of pharma firms have unresolved vulnerabilities that are putting sensitive data and internal systems at risk of compromise. The study was conducted to assess the prevalence of exposures of services, sensitive platforms, unpatched CVEs and other security issues. Data analyzed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report were collected over a two-week period in March 2021 and covered 18 of the leading pharmaceutical companies worldwide and more than 900 of their subsidiaries. Pharmaceutical companies hold vast amounts of sensitive personal data and extremely valuable drug and vaccine research data. That has made them an attractive target for cybercriminals. During the COVID-19 pandemic, nation state hackers targeted pharma and biotech firms to gain access to sensitive COVID-19 research and vaccine development data. According to the 2020 Cost of a Data...

Read More
New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers
Aug13

New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers

A new ransomware variant has been detected by researchers at Heimdal Security that is being used by a threat group that calls itself DeepBlueMagic. The ransomware differs considerably from all other previously identified ransomware strains. Heimdal Security researchers discovered the new ransomware variant on Wednesday, August 11, 2021, which had been used in an attack on a device running Windows Server 2012 R2. The analysis of the attack revealed DeepBlueMagic ransomware works completely differently to any other ransomware encountered in the past. The researchers determined DeepBlueMagic ransomware disables security solutions installed on devices to prevent detection, then proceeds to encrypt entire hard drives using a third-party disk encryption tool rather than files. All drives on the targeted server are encrypted with the exception of the system drive (“C:\” partition). The ransomware uses BestCrypt Volume Encryption software from Jetico. In the attack, the D:\ drive was turned into a RAW partition rather than NTFS, which rendered it inaccessible. Following an attack, any...

Read More
NIST Updates Guidance on Developing Cyber Resilient Systems
Aug12

NIST Updates Guidance on Developing Cyber Resilient Systems

The National Institute of Standards and Technology (NIST) has released a major update to its guidance on developing cyber-resilient systems. A draft version of the updated guidance – NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – has been released which includes updates to reflect the changing tactics, techniques, and procedures (TTPs) of cyber threat actors, who are now conducting more destructive attacks, including the use of ransomware. Organizations used to be able to focus their resources on perimeter defenses and penetration resistance; however, these measures are no longer as effective as they once were at preventing attacks. A modern approach is now required which requires more resilience to be built into IT systems, which requires measures to be taken to limit the ability of an attacker to damage infrastructure and move laterally within networks. “The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their...

Read More
Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms
Aug11

Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms

A recent study published in the Journal of the American Medical Informatics Association (JAMIA) sought to identify the relationship between cybersecurity risk ratings and healthcare data breaches. The study was conducted using data obtained from the Department of Health and Human Services between 2014-2019 and hospital cybersecurity ratings obtained from BitSight. The data sample included 3,528 hospital-year observations and Fortune 1000 firms were used as the benchmark against which hospital cybersecurity ratings were compared. For many years, healthcare has lagged other industries when it comes to managing and reducing cybersecurity risk. The researchers found that in aggregate, hospitals had significantly lower cybersecurity ratings than the Fortune 1000 firms; however, the situation has been improving and, based on BitSight risk ratings, the healthcare industry has now caught up with Fortune 1000 firms. By 2019, the difference between the cybersecurity risk ratings of hospitals and Fortune 1000 firms was no longer statistically significant. While the gap has virtually been...

Read More
NCSC Password Recommendations
Aug10

NCSC Password Recommendations

The UK’s NCSC password recommendations have been updated and a new strategy is being promoted that meets password strength requirements but improves usability.  There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans, but also the algorithms used by hackers in brute force attacks. Each year lists of the worst passwords are published that are compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean end users will set strong passwords. The Problem with Password Complexity Requirements The minimum requirements for password complexity are typically to have at least one lower-...

Read More
73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months
Aug05

73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months

Ransomware attacks have increased significantly during the past year, but phishing attacks continue to cause problems for businesses, according to a recent survey conducted by Arlington Research on behalf of security firm Egress. Almost three quarters (73%) of surveyed businesses said they had experienced a phishing related data breach in the past 12 months. The survey for the 2021 Insider Data Breach Report was conducted on 500 IT leaders and 3,000 employees in the United States and United Kingdom. The survey revealed 74% of organizations had experienced a data breach as a result of employees breaking the rules, something that has not been helped by the pandemic when many employees have been working remotely. More than half (53%) of IT leaders said remote work had increased risk, with 53% reporting an increase in phishing incidents in the past year. The increased risk from remote working is of concern, especially as many organizations plan to continue to support remote working or adopt a hybrid working model in the future. 50% of IT leaders believe remote/hybrid working will make...

Read More
Healthcare Industry has Highest Number of Reported Data Breaches in 2021
Aug05

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security. Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets. The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked...

Read More
NSA & CISA Issue Guidance on Hardening Security and Managing Kubernetes Environments
Aug04

NSA & CISA Issue Guidance on Hardening Security and Managing Kubernetes Environments

Kubernetes is a popular open-source cloud solution for deploying and managing containerized apps.  Recently there have been several security breaches where hackers have gained access to poorly secured Kubernetes environments to steal sensitive data, deploy cryptocurrency miners, and conduct denial-of-service attacks. This month, security researchers discovered Kubernetes clusters were being targeted by cyber actors who were exploiting misconfigured permissions for the web-facing dashboard of Argo Workflows instances. In these attacks, the computing power of Kubernetes environments were harnessed for mining cryptocurrencies. In another attack, a vulnerability in the Kubernetes API Server was being exploited to steal sensitive data. In light of these attacks, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a 52-page technical report that includes detailed guidance on how to correctly set up and manage Kubernetes environments to make it harder for the environments to be compromised by hackers. The report includes details...

Read More
Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals
Aug03

Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals

Nine critical vulnerabilities have been identified in the Nexus Control Panel of Swisslog Healthcare Translogic Pneumatic Tube System (PTS) stations, which are used in more than 80% of major hospitals in the United States. Pneumatic tube systems are used to rapidly send test samples and medications around hospitals and the vulnerable PTS stations are present in 3,000 hospitals worldwide, including 2,300 in the United States. The vulnerabilities, collectively named ‘PwnedPiper’, were discovered by researchers at Armis Security. In total, 9 critical flaws were identified in the Nexus Control Panel and the firmware of all current models of Translogic PTS stations are affected. The vulnerabilities identified by the researchers are common in Internet of Things (IoT) devices but are far more serious in pneumatic tube systems, which are part of hospitals’ critical infrastructure. The Armis researchers pointed out that these systems are prevalent in hospitals, yet they have never been thoroughly analyzed or researched. The flaws could be exploited by a threat actor to cause denial of...

Read More
CISA Publishes List of the Most Commonly Exploited Vulnerabilities
Jul29

CISA Publishes List of the Most Commonly Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint cybersecurity advisory about the most common vulnerabilities exploited by cyber actors in 2020, many of which are still being widely exploited in 2021. The advisory lists the top 30 exploited Common Vulnerabilities and Exposures (CVEs), how each vulnerability is exploited, recommended mitigations, indicators of compromise, and tools and methods that can be used to check whether the vulnerabilities have already been exploited. Recently disclosed vulnerabilities are exploited by cyber threat actors, but most of the commonly exploited vulnerabilities are not new and were disclosed in the past two years. In 2020, the pandemic forced many businesses to switch from an office-based to a remote workforce, so it is not surprising that 4 of the most commonly exploited vulnerabilities in 2020 concern remote working solutions such as VPNs and cloud-based technologies....

Read More
The Average Cost of a Healthcare Data Breach is Now $9.42 Million
Jul29

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident. The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches. According to IBM, data breaches...

Read More
Report: The State of Privacy and Security in Healthcare
Jul28

Report: The State of Privacy and Security in Healthcare

2020 was a particularly bad year for the healthcare industry with record numbers of data breaches reported. Ransomware was a major threat, with Emsisoft identifying 560 ransomware attacks on healthcare providers in 2020. Those attacks cost the healthcare industry dearly. $20.8 billion was lost in downtime in 2020, according to Comparitech, which is more than twice the ransomware downtime cost to the healthcare industry in 2019. With the healthcare industry facing such high numbers of cyberattacks, the risk of a security breach is considerable, yet many healthcare organizations are still not fully conforming with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule, according to the 2021 Annual State of Healthcare Privacy and Security Report published today by healthcare cybersecurity consulting firm CynergisTek. To compile the report – The State of Healthcare Privacy and Security – Maturity Paradox: New World, New Threats, New Focus – CynergisTek used annual risk assessments at 100 healthcare organizations and measured progress alongside overall NIST CSF...

Read More
The Average Ransomware Payment Fell by 38% in Q2, 2021
Jul27

The Average Ransomware Payment Fell by 38% in Q2, 2021

The average ransom payment made by victims of ransomware attacks fell by 38% between Q1 and Q2, 2021, according to the latest report from ransomware incident response company Coveware. In Q2, the average ransom payment was $136,576 and the median payment decreased by 40% to $47,008. One of the key factors driving down ransom payments is a lower prevalence of attacks by two key ransomware operations, Ryuk and Clop, both of which are known for their large ransom demands. Rather than the majority of attacks being conducted by a few groups, there is now a growing number of disparate ransomware-as-a-service brands that typically demand lower ransom payments. In Q2, Sodinokibi (REvil) was the most active RaaS operation conducting 16.5% of attacks, followed by Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk only accounted for 3.7% of attacks and Clop 3.3%. The Sodinokibi gang has now gone silent following the attack on Kaseya and appears to have been shut down; however, the group has shut down operations in the past only to restart with a new ransomware...

Read More
June 2021 Healthcare Data Breach Report
Jul21

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year. While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June. More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month. Largest Healthcare Data Breaches in June 2021 There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
U.S. Government Launches New One-Stop Ransomware Website
Jul19

U.S. Government Launches New One-Stop Ransomware Website

The Department of Justice and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have announced the launch of a new web resource that will serve as a one-stop-shop providing information to help public and private sector organizations deal with the growing ransomware threat. The new resource – StopRansomware.gov – is an interagency resource that provides guidance on ransomware protection, detection, and response in a single location. The new resource provides general information about ransomware, including what ransomware is and how it is used by cybercriminals to extort money from public and private sector organizations. Detailed information is provided on how organizations can improve their security posture and defend against attacks, including ransomware best practices, bad practices to avoid, cyber hygiene tips, FAQs, and training material. The website includes a newsroom with the latest ransomware-related advice, along with alerts from CISA, the FBI, Department of Treasury, and other federal agencies about the ever-evolving tactics, techniques, and procedures used...

Read More
Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances
Jul15

Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances

SonicWall has issued an urgent security notice warning users of its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running end-of-life firmware about an imminent ransomware campaign using stolen credentials. The campaign exploits a known vulnerability in 8.x firmware on the devices. SonicWall patched the vulnerability in later versions of the firmware. All users of these devices that are still running the vulnerable firmware version have been advised to update to version 9.x or 10.x of the firmware immediately. SonicWall became aware of threat actors targeting the vulnerability in SMA 100 series and SRA products through collaboration with trusted third parties. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” explained SonicWall. Customers using end-of-life SMA or SRA devices running the vulnerable 8.x firmware should apply the update immediately or disconnect their appliances and reset passwords. EOL devices are: SRA 4600/1600 (EOL...

Read More
CISA Publishes Guidance for MSPs and SMBs on Hardening Security Defenses
Jul15

CISA Publishes Guidance for MSPs and SMBs on Hardening Security Defenses

Managed Service Providers (MSPs) are attractive targets for cybercriminals. They typically have privileged access to their clients’ networks, so a cyberattack on a single MSP can see the attacker gain access to the systems of many, if not all, of their clients. The recent Kaseya supply chain attack showed just how serious such an attack can be. An REvil ransomware affiliate gained access to Kaseya systems, through which it was possible to access the systems and encrypt data of around 60 of its customers, many of which are MSPs. Through those MSP customers, ransomware was deployed on up to 1,500 downstream businesses. Small- and mid-sized businesses often do not have staff to manage their own IT systems or may lack the skills or hardware to store sensitive data and support sensitive processes. Many turn to MSPs to provide that expertise. It is often more cost effective for SMBs to scale and support their network environments using MSPs rather than manage their resources themselves. Outsourcing IT or security functions to an MSP introduces risks, which need to be mitigated by SMBs....

Read More
REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown
Jul14

REvil Ransomware Websites Disappear Fueling Speculation of Law Enforcement Takedown

The notorious REvil ransomware gang’s Internet and dark web sites have suddenly gone offline, days after President Biden called Vladimir Putin demanding action be taken against ransomware gangs and other cybercriminals conducting attacks from within Russia on U.S. companies. At around 1 a.m. on Tuesday, the websites used by the gang for leaking data of ransomware victims, their ransom negotiation chat server, and command and control infrastructure went offline and have remained offline since. For one of the gang’s sites, the server IP address is no longer resolvable via DNS queries. REvil has grown into one of the most prolific ransomware-as-a-service operations. The gang was behind many ransomware attacks in the United States and worldwide, including the recent attack on JBS Foods and the supply chain attack on Kaseya, which saw ransomware used in attacks on around 60 managed service providers and up to 1,500 of their clients on July 2. A ransom demand of $70 million was issued to supply the keys to decrypt all victims’ devices, with the demand falling to $50 million shortly...

Read More
Kaseya Security Update Addresses Flaws Exploited in KSA Ransomware Attack
Jul12

Kaseya Security Update Addresses Flaws Exploited in KSA Ransomware Attack

Kaseya has announced a security update has been released for the Kaseya KSA remote management and monitoring software solution to fix the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients. The vulnerabilities exploited in the attack were part of a batch of seven flaws that were reported to Kaseya in April 2021 by the Dutch Institute for Vulnerability Disclosure (DIVD). Kaseya had developed patches to correct four of the seven vulnerabilities in its Virtual System Administrator solution and released these as part of its April and May security updates; however, before patches could be released for the remaining three vulnerabilities, one or more of them were exploited by an REvil ransomware affiliate. The attack affected approximately 60 customers who had deployed the Kaseya VSA on-premises, many of which were managed service providers (MSPs). The REvil ransomware gang gained access to their servers, encrypted them, and pushed their ransomware out to approximately 1,500 business clients of those companies. Following...

Read More
Multiple Critical Vulnerabilities Affect Philips Vue PACS Products
Jul07

Multiple Critical Vulnerabilities Affect Philips Vue PACS Products

Multiple vulnerabilities have been identified in Philips Vue PACS products, including 5 critical flaws with a 9.8 severity rating and 4 high severity flaws. Some of the vulnerabilities can be exploited remotely and there is a low attack complexity. Successful exploitation of the flaws would allow an unauthorized to gain system access, eavesdrop, view and modify data, execute arbitrary code, install unauthorized software, or compromise system integrity and gain access to sensitive data or negatively affect the availability of the system. The vulnerabilities were recently reported to CISA by Philips and affect the following Philips Vue PACS products: Vue PACS: Versions 12.2.x.x and prior Vue MyVue: Versions 12.2.x.x and prior Vue Speech: Versions 12.2.x.x and prior Vue Motion: Versions 12.2.1.5 and prior Critical Vulnerabilities CVE-2020-1938 – Improper validation of input to ensure safe and correct data processing, potentially allowing remote code execution – (CVSS v3 9.8/10) CVE-2018-12326 – Buffer overflow issue in Redis third-party software allowing code execution and...

Read More
Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies
Jul05

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide. The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure. It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed. Fast Response Limited Extent of the Attack...

Read More
HHS: Take Action Now to Secure Vulnerable PACS Servers
Jul05

HHS: Take Action Now to Secure Vulnerable PACS Servers

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP:White Alert warning about vulnerabilities in the Picture Archiving Communication Systems (PACS) used by hospitals, clinics, small healthcare practices, and research institutions for sharing patient data and medical images. The HC3 Sector Alert warns that PACS vulnerabilities are exposing sensitive patient data and placing systems at risk of compromise. Vulnerable Internet-exposed PACS servers can easily be identified and compromised by hackers, threatening not just the PACS servers but also any systems to which those servers connect. PACS was initially developed to help with the transition from analog to digital storage of medical images. PACS servers receive medical images from medical imaging systems such as magnetic resonance imaging (MRI), computed tomography (CT), radiography, and ultrasound and store the images digitally using the Digital Imaging and Communications in Medicine (DICOM) format. DICOM is now three decades old and was discovered to have vulnerabilities that could easily be exploited....

Read More
CISA Releases Ransomware Readiness Assessment Audit Tool
Jul05

CISA Releases Ransomware Readiness Assessment Audit Tool

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new tool that can be used by organizations to assess how well they are equipped to defend and recover from a ransomware attack. The threat from ransomware has gown significantly over the past year. The Verizon Data Breach Investigations Report shows 10% of cyberattacks now involve the use of ransomware, with SonicWall reporting a 62% global increase in ransomware attacks since 2019 and a 158% spike in attacks in North America during the same period. BlackFog predicts loses due to ransomware attacks will increase to $6 trillion in 2021, up from $3 trillion in 2015. The Ransomware Readiness Assessment (RRA) audit module has been added to CISA’s Cyber Security Evaluation Tool (CSET). CSET is a desktop software tool that guides network defenders through a step-by-step process of assessing their cybersecurity practices for both their information technology (IT) and operational technology (OT) networks. CSET can be used to perform a comprehensive evaluation of an organization’s cybersecurity posture using...

Read More
Exploit Released for ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability
Jul02

Exploit Released for ‘PrintNightmare’ Zero-Day Windows Print Spooler RCE Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the publication of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service. The vulnerability has been dubbed PrintNightmare and is tracked as CVE-2021-34527. The flaw is due to the Windows Print Spooler service improperly performing privileged file operations. Microsoft says the flaw can be exploited by an authenticated user calling RpcAddPrinterDriverEx(). If exploited, an attacker would gain SYSTEM privileges and could execute arbitrary code and could install programs; view, change, or delete data; or create new accounts with full user rights. The PoC exploit for the vulnerability was published by the Chinese security firm Sangfor. Typically, exploits for unpatched vulnerabilities are not released publicly until software developers have been notified about a flaw and sufficient time has been allowed for a patch to be released and applied by users. In this case an error was made. Sangfor researchers published the PoC exploit in late June, as...

Read More
CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated
Jul01

CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that lists cybersecurity bad practices that are exceptionally dangerous and significantly increase risk to critical infrastructure. There are many published resources that provide information about cybersecurity best practices that should be adopted to improve security, but CISA felt an additional perspective was required as it is equally, if not more, important to ensure that bad cybersecurity practices are eliminated. “Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices,” explained CISA. CISA is urging leaders of all organizations to engage in urgent conversations to address technology bad practices, especially organizations that support national critical functions. One of the foundational elements of risk management is “focus on the critical few”, explained CISA Executive Assistant Director Eric Goldstein in a blog post announcing the launch of the new website resource. Organizations may have limited resources to identify and mitigate...

Read More
OIG Survey Reveals Lack of Oversight of Cybersecurity of Networked Medical Devices in Hospitals
Jul01

OIG Survey Reveals Lack of Oversight of Cybersecurity of Networked Medical Devices in Hospitals

The HHS’ Office of Inspector General (OIG) has conducted a review to determine the extent to which the Centers for Medicare and Medicaid Services (CMS) and Medicare Accreditation Organizations (AOs) require hospitals to have implemented a cybersecurity plan for networked devices and the methods used to assess the cybersecurity of networked medical devices. Cybersecurity controls are required to protect medical devices that are connected to the Internet, other medical devices, or internal hospital networks. Without those controls, the devices could be accessed by unauthorized individuals and patients could be at risk of harm. Networked medical devices include MRIs, computed tomography, ultrasound, nuclear medicine, and endoscopy systems, as well as systems that communicate with clinical laboratory analyzers such as laboratory information systems. OIG cited an estimate that a large hospital may have around 85,000 medical devices connected to its network. These devices are usually separated from other systems, they may connect to the same network as the electronic health record (EHR)...

Read More
NIST Publishes Critical Software Definition for U.S. Agencies
Jun30

NIST Publishes Critical Software Definition for U.S. Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security. One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers. The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from...

Read More
Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity
Jun30

Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity

The Government Accountability Office has published a report following a review of the organizational approach to cybersecurity of the U.S. Department of Health and Human Services (HHS). The study was conducted because both the HHS and the healthcare and public health sector are heavily reliant on information systems to fulfil their missions, which include providing healthcare services and responding to national health emergencies. Should any information systems be disrupted, it could have major implications for the HHS and healthcare sector organizations and could be catastrophic for Americans who rely on their services. “A cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities,” said the GAO in the report. The HHS must implement safeguards in place to protect its computer systems from cyber threat actors looking to obtain sensitive data to commit fraud and identity theft,...

Read More
Bipartisan Group of Senators Introduce Draft Federal Data Breach Notification Bill
Jun22

Bipartisan Group of Senators Introduce Draft Federal Data Breach Notification Bill

A bipartisan group of senators has introduced a federal data breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and businesses that have oversight over critical infrastructure to report significant cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. The draft bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) but has yet to be formally introduced in the Senate. The bill seeks to address many of the issues that have been identified following recent cyberattacks that have impacted critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline. The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, which will enable the development of a common operating picture of national-level cyber threats. Entities discovering cyber threats will be required to provide...

Read More
May 2021 Healthcare Data Breach Report
Jun18

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67. May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months. Largest Healthcare Data Breaches Reported in April 2021 As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by...

Read More
Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys
Jun15

Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys

The Avaddon ransomware-as-a-service operation was shut down on Friday and the threat group released the decryption keys for all victims. Bleeping Computer was sent an email with password and a link to a password protected ZIP file that contained the private keys for 2,934 Avaddon ransomware victims. The keys were confirmed as legitimate by Emsisoft and Coveware, with the former now having released a free decryptor that can be used by all Avaddon ransomware victims to decrypt their files. Avaddon is a relatively new ransomware-as-a-service operation which started up in March 2020. The threat group behind the operation recruited affiliates to conduct attacks and provided them with a portal through which they could generate copies of the ransomware to conduct their own attacks. All ransoms generated were then shared between the affiliate and the RaaS operator. It is not uncommon for RaaS operations to suddenly stop and release the keys for victims that have not yet paid, but the timing of the shut down suggests the RaaS operator may have got nervous with the increased focus of...

Read More
HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector
Jun11

HSCC Urges Biden to Provide Funding to Bolster Cybersecurity Posture of the Healthcare Sector

The Healthcare and Public Health Sector Coordinating Council (HSCC) has urged President Biden to provide further funding and support to improve the cybersecurity posture of the healthcare sector to improve resilience to cyberattacks. In a recent letter addressed to President Biden and copied to Senate and House party leaders, the HSCC called for more funds to help the healthcare sector deal with cyber threats, improved collaboration between the healthcare industry and government, and for the government to provide a roadmap for making improvements to the cybersecurity readiness of the healthcare sector. Under the American Rescue Plan, the government has made funding available to modernize federal information technology systems to improve resilience against future cyberattacks. $9 billion will be invested to help the U.S. launch major new IT and cybersecurity shared services at the Cyber Security and Information Security Agency (CISA) and the General Services Administration, and $690 million has been made available to CISA to bolster cybersecurity across federal civilian networks;...

Read More
Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard
Jun11

Patch Issued to Fix Critical RCE Vulnerability in ZOLL Defibrillator Dashboard

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning about 6 vulnerabilities in the ZOLL Defibrillator Dashboard, including one critical 9.9 severity remote code execution flaw. The vulnerabilities were reported to CISA anonymously and affect all versions of the ZOLL Defibrillator Dashboard prior to version 2.2. Some of the flaws can be exploited remotely and require a low level of skill to exploit. Exploitation of the vulnerabilities could allow non-admin users to achieve remote code execution and steal credentials, which would impact the confidentiality, integrity, and availability of the application. ZOLL has confirmed that all 6 vulnerabilities have been fixed in version 2.2 of the ZOLL Defibrillator Dashboard. Customers have been advised to upgrade the solution to version 2.2 or later as soon as possible. ZOLL also explained that in the event of any discrepancy with the Defibrillator Dashboard, the defibrillator device should be considered the source of accurate data. The vulnerabilities are as follows: Vulnerability CVSS Severity...

Read More
Critical VMWare VCenter Software Vulnerability Under Attack
Jun09

Critical VMWare VCenter Software Vulnerability Under Attack

A critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation is being actively exploited by cyber actors to take full control of unpatched systems. The flaw, tracked as CVE-2021-21985, was announced by VMWare in late May and a patch was released to correct the flaw on May 25, 2021. The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning all users of VMware vCenter Server and VMware Cloud Foundation that the vulnerability is an attractive target for attackers and there is a high risk of exploitation. A reliable proof-of-concept exploit for the vulnerability is now in the public domain. There are thousands of vulnerable vCenter servers accessible over the Internet that are vulnerable to attack. Mass scanning for VMware vSphere hosts vulnerable to RCE attacks are currently being conducted and several security researchers have reported the honeypots they set up with vulnerable versions of VMware vCenter Server have been scanned for the vulnerability. Today, the Department of Health and Human Services’ Office...

Read More
Vulnerabilities Identified in Hillrom Medical Device Management Products
Jun04

Vulnerabilities Identified in Hillrom Medical Device Management Products

Two medium severity vulnerabilities have been identified in Hillrom medical device management tools which could result in the leakage of sensitive data, corruption of data, and remote code execution. An out-of-bounds write vulnerability – tracked as CVE-2021-27410 – could allow an attacker to cause memory corruption which would allow the remote execution of arbitrary code. While remote code execution is possible, exploiting the flaw is highly complex. The flaw has been assigned a CVSS v3 severity score of 5.9 out of 10. The second flaw is an out-of-bounds read issue that could result in information leakage and arbitrary code execution if combined with the out-of-bounds write vulnerability. The flaw is tracked as CVE-2021-27408 and has been assigned a CVSS severity score of 5.9. The flaws affected the following Hillrom Welch Allyn medical device management tools: Welch Allyn Service Tool: versions prior to v1.10 Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): versions prior to v5.3 Welch Allyn Software Development Kit (SDK): versions prior to v3.2...

Read More
Critical Vulnerabilities identified in MesaLabs Laboratory Temperature Monitoring System
Jun02

Critical Vulnerabilities identified in MesaLabs Laboratory Temperature Monitoring System

Five vulnerabilities have been identified in the MesaLabs AmegaView continuous monitoring system used in hospital laboratories, forensics labs, and biotech firms. Two of the flaws are critical command injection vulnerabilities with CVSS severity scores of 9.9/10 and 10/10. The vulnerabilities affect AmegaView Versions 3.0 and prior and were identified by Stephen Yackey of Securifera. In order of severity, the vulnerabilities are as follows: CVE-2021-27447 – CVSS 10/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute arbitrary code. CVE-2021-27449 – CVSS 9.9/10 – Flaw due to improper neutralization of special elements used in a command, which could allow an attacker to execute commands in the web server. CVE-2021-27445 – CVSS 7.8/10 – Insecure file permissions which could be exploited to elevate privileges on the device. CVE-2021-27451 – CVSS 7.3/10 – Improper authentication due to passcodes being generated by an easily reversible algorithm, which could allow an attacker to gain access to the device....

Read More
FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors
Jun02

FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors

The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning users of Fortinet Fortigate appliances that Advanced Persistent Threat (APT) groups are targeting devices that have not been patched for three CVEs: CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812. These are not zero-day vulnerabilities, as patches have been available for some time. Many organizations have been slow to apply the patches and are now being targeted. In early April, the FBI, in conduction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning that the vulnerabilities could be exploited by threat actors to conduct data exfiltration, data encryption, and to pre-position for follow-on attacks. In the recent Flash Alert, the FBI confirmed that an APT actor has been attempting to exploit the vulnerabilities since at least May 2021, and almost certainly exploited the vulnerabilities to gain access to a webserver hosting the domain for a U.S. municipal government. In that instance, the threat actors most likely created a new account –...

Read More
Best Password Manager for the Healthcare Industry
Jun01

Best Password Manager for the Healthcare Industry

In this post we explore some of the leading solutions to find the best password manager for the healthcare industry – One that is easy to use, reasonably priced and, most importantly considering the extent to which the industry is targeted by hackers, has excellent security. HIPAA and Password Management The HIPAA Security Rule was signed into law at a time when the requirements for password complexity were far lower, fewer passwords had to be created and remembered, and cracking passwords was a long and slow process. In the 18 years since the HIPAA Security Rule took effect, a lot has changed. The changes to best practices over time is the reason why the HIPAA Security rule is not technology specific. The Security Rule was written to be flexible to allow for changes to best practices. What was perfectly acceptable in 2003 for passwords, is no where near enough in 2021. The HIPAA Security Rule has provisions covering passwords. The technical safeguards of the HIPAA Security Rule (45 CFR § 164.312), require covered entities to implement technical procedures for systems that maintain...

Read More
SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign
Jun01

SolarWinds Orion Hackers Targeting U.S. Organizations with New Spear Phishing Campaign

Microsoft has discovered a large-scale spear phishing campaign being conducted by the Russian Advanced Persistent Threat (APT) group behind the SolarWinds Orion supply chain attack. The spear phishing campaign has been active since at least January 2021 and the APT group, tracked by Microsoft as Nobelium. The APT group has been experimenting and has trialed various delivery techniques, including leveraging the Google Firebase platform to deliver a malicious ISO file via HTML email attachments that deliver a variety of malware payloads. Nobelium escalated the campaign on May 25, 2021 when it started using the Constant Contact mass-mailing service to distribute messages to targets in a wide range of industry verticals. The latest campaign targeted around 7,000 individual accounts across 350 government organizations, intergovernmental organizations and nongovernmental organizations. Each target had its own unique infrastructure and tooling, which has helped the group stay under the radar. The attackers gained access to the Constant Contact account of the U.S. Agency for International...

Read More
Healthcare Organizations Facing Higher Cyber Insurance Costs for Less Coverage
May28

Healthcare Organizations Facing Higher Cyber Insurance Costs for Less Coverage

The number of cyberattacks now being reported is higher than ever before. A couple of years ago, healthcare cyberattacks were being reported at a rate of one per day, but in 2021, there have been months where attacks have been reported at twice that rate. The severity of cyberattacks has also increased and the cost of responding to and recovering from cyberattacks is now much higher. The likelihood of a serious cyberattack occurring and the high costs of remediating such an attack have prompted many healthcare organizations to take out a cyber insurance policy to cover the cost. The Government Accountability Office (GAO) has recently published a study of the cyber insurance market as required by the National Defense Authorization Act for Fiscal Year 2021. GAO conducted the study of the cyber insurance market to identify key trends and the challenges faced by insurers and the options available to address them. GAO studied cyber insurance policies, reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry, and interviews were conducted with...

Read More
FBI Warns of Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders
May24

FBI Warns of Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash notice about ongoing Conti ransomware attacks targeting healthcare and first responder networks. According to the FBI, the Conti ransomware gang has attacked 16 healthcare and first responder organizations in the United States. In addition to healthcare providers, the gang has attempted ransomware attacks on 911 dispatch centers, emergency medical services, law enforcement agencies and municipalities. The gang is known to have conducted attacks on 400 organizations worldwide, including a recent attack on the Health Service Executive (HSE) and Department of Health (DoH) in Ireland. To date, the gang has claimed 290 victims in the United States. Conti ransomware is believed to be operated by the Russian cybercrime group Wizard Spider and is a ransomware-as-a-service (RaaS) operation. The threat group is known for attacking large organizations and issuing huge ransom demands, which have been as high as $25 million. The ransom demand set for each victim based on the extent of the encryption and the perceived ability...

Read More
U.S Advances 5 Bills to Improve Cyber Defenses of SLTT Governments and Critical Infrastructure Entities
May20

U.S Advances 5 Bills to Improve Cyber Defenses of SLTT Governments and Critical Infrastructure Entities

In the wake of the SolarWinds Supply chain attack, ransomware attack on Colonial Pipeline, and President Biden’s cybersecurity executive order, the U.S. House Committee on Homeland Security has cleared five bipartisan bills that seek to address cybersecurity and improve the defenses of state, local, tribal, and territorial (SLTT) governments and critical infrastructure entities. The cyberattack on Colonial Pipeline forced the company to shut down its 5,500-mile fuel pipeline that delivers 45% of the fuel required by the East Coast. In order to speed up recovery and minimize disruption, Colonial Pipeline’s CEO Joseph Blount authorized the payment of a $4.4 million ransom to the DarkSide ransomware gang; however, even though the ransom was paid, the fuel pipeline remained shut down for 5 days, causing major disruption to fuel supplies. These attacks have highlighted major vulnerabilities in cybersecurity defenses which need to be addressed to improve national security. The five bipartisan cybersecurity bills advanced this week are: The Pipeline Security Act (H.R. 3243)...

Read More
Ransomware Gangs Adopt Triple Extortion Tactics
May19

Ransomware Gangs Adopt Triple Extortion Tactics

Following on from the DarkSide ransomware attack on Colonial Pipeline, several ransomware threat actors have ceased activity or have implemented rules that their affiliates must follow, including banning all attacks on critical infrastructure firms, healthcare organizations, and government organizations.  Some popular hacking forums are distancing themselves from ransomware and have banned ransomware groups from advertising their RaaS programs. However, there are many threat actors conducting attacks and not all are curbing their activities. It remains to be seen whether there will be any reduction in attacks, even in the short term. So far in 2021, attacks have been occurring at record levels, with the healthcare and utility sectors the most targeted. An analysis of attacks by Check Point Research found that since the start of April 2021, ransomware attacks have been occurring at a rate of around 1,000 per week, with a 21% increase in impacted organizations in the first trimester of 2021 and 7% more in April. The number of attacked organizations is up 102% from the corresponding...

Read More
CISA Issues Guidance on Evicting Adversaries from Networks Following SolarWinds Attacks
May18

CISA Issues Guidance on Evicting Adversaries from Networks Following SolarWinds Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on evicting threat actors from networks compromised in the SolarWinds Orion supply chain attacks and, including subsequent compromises of Active Directory and M365 environments. The attacks have been attributed to threat actors tied to the Russian Foreign Intelligence Service (SVR). After gaining network access through the update mechanism of SolarWinds Orion, the threat actor selected targets of interest for further compromise and bypassed multi-factor authentication methods and moved laterally into Microsoft 365 environments by compromising federated identity solutions. Most of the targets selected for further compromise were government departments and agencies and critical infrastructure organizations, although private sector organizations may also have experienced more extensive compromises. The guidance applies to evicting adversaries from on-premises and cloud environments and includes a 3-phase remediation plan. CISA notes that malicious compromises are unique to each victim, so careful...

Read More
April 2021 Healthcare Data Breach Report
May18

April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month. High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021. Largest Healthcare Data Breaches Reported in April 2021 There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents. Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies,...

Read More
DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations
May17

DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations

The DarkSide ransomware gang has notified its affiliates that it has shut down its ransomware-as-a-service (RaaS) operation. The announcement came after the group’s public infrastructure was taken offline in what appears to be a law enforcement operation. On May 13, the DarkSide data leak site went offline along with much of the group’s public infrastructure, including the payment server used to obtain ransom payments from victims and its breach data content delivery network. The gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account. Intel 471 obtained a copy of a note written by the gang explaining to its affiliates that part of its public infrastructure was lost, its servers could not be accessed via SSH, and its hosting panels had been blocked. The group said its hosting company did not provide any further information other than the loss of the servers was “at the request of law enforcement.” The group explained that it will be releasing the decryptors for all companies that have been attacked but have not paid the ransom;...

Read More
President Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks
May14

President Biden Signs Expansive Executive Order to Improve Cybersecurity for Federal Networks

On May 13, 2021, President Biden signed an expansive Executive Order that aims to significantly bolster cybersecurity protections for federal networks, improve threat information sharing between the government, law enforcement and the private sector, and introduce a cyber threat response playbook to accelerate incident response and mitigation. The 34-page Executive Order includes short time frames for making significant improvements to cybersecurity, with all elements of the Executive Order due to be implemented within the next 360 days and the first elements due in 30 days.  The Executive Order was penned following a series of damaging cyberattacks that impacted government departments and agencies, such as the SolarWinds Orion Supply chain attack and attacks on Microsoft Exchange Servers. The recent DarkSide ransomware attack on Colonial Pipeline served as yet another reminder of the importance of improving cybersecurity, not just for the Federal government but also the private sector which owns and operates much of the country’s critical infrastructure. President Biden is...

Read More
Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall
May14

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data. In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic. To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR. 2020 saw an 11% increase in phishing attacks, with cases of misrepresentation...

Read More
CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks
May12

CISA/FBI Provide Best Practices for Preventing Business Disruption from Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert about DarkSide ransomware in the wake of the cyberattack on Colonial Pipeline. The cyberattack caused major disruption to fuel supplies to the East Coast. Colonial Pipeline was forced to shut down systems to contain the threat, including the operational technology of its 5,500-mile pipeline which supplies diesel, gasoline, and jet fuel to the U.S. East Coast. The four main pipelines were shut down over the weekend, and while smaller pipelines were quickly restored, the main pipelines have remained shut down pending safety assessments. The pipelines transport around 2.5 million barrels of fuel a day and provide 45% of the East Coast’s fuel. The attack affected Colonial Pipeline’s information technology network, but its operational technology network was not affected. The DarkSide ransomware gang issued a statement shortly after the attack explaining the attacks was conducted purely for financial reasons and not for political reasons or to cause economic or...

Read More
CISA Warns of FiveHands Ransomware Threat
May10

CISA Warns of FiveHands Ransomware Threat

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a new ransomware variant being used in attacks on a wide range of industry sectors, including healthcare. So far, the threat group behind the attacks has mainly targeted small- to medium-sized companies, according to researchers at FireEye who have been tracking the activity of the threat group. It is currently unclear whether this is the work of a nation state-backed hacking group or a cybercriminal organization. FireEye is tracking the group as UNC2447. The threat group was first identified conducting FiveHands ransomware attacks in January and February, mostly on businesses in healthcare, telecommunications, construction, engineering, education, real estate, and the food and beverage industries. The group has been targeting an SQL injection vulnerability in the SonicWall SMA 100 Series VPN appliance – CVE-2021-20016 – to gain access to business networks and is using a variety of publicly available penetration and exploitation tools in the attacks. FiveHands is a novel ransomware variant...

Read More
Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause
May06

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing as the leading cause of healthcare data security incidents, which has been the main cause of data breaches for the past 5 years. In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digitial Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware. This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors. Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption,...

Read More
CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks
May03

CISA/NIST Issue Guidance on Improving Defenses Against Software Supply Chain Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance to help organizations improve their defenses against software supply chain attacks. The guidance document – Defending Against Software Supply Chain Attacks – explains the three most common methods that threat groups use in supply chain attacks along with in-depth recommendations for software customers and vendors for prevention, mitigation, and improving resilience against software supply chain attacks. Like many supply chain attacks, the recent SolarWinds Orion attack involved hijacking the software update mechanism of the platform to deliver a version of the software with malicious code that provided the attackers with persistent access to the solution on more than 18,000 customers’ systems, with the attackers then cherry picking targets of interest for more extensive compromises. This was also the method used by the threat group behind the NotPetya wiper attacks in 2017. The software update mechanism used by a popular tax...

Read More
Study: 1 in 5 Enterprise Users Have Set Weak Passwords
May01

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice. Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling. The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals. An analysis of data from enterprises that downloaded...

Read More
Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks
Apr28

Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%). While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021 with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was not due to ransomware attacks but data exfiltration extortion attacks by the Clop ransomware gang. The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site. These attacks show that file encryption is not always necessary, with the threat of publication...

Read More
Best Practices for Network Defenders to Identify and Block Russian Cyber Operations
Apr27

Best Practices for Network Defenders to Identify and Block Russian Cyber Operations

A joint cybersecurity advisory has been issued by the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) about ongoing cyber operations by the Russian Foreign Intelligence Service (SVR). The advisory provides further information on the tactics, techniques, and procedures (TTPs) used by SVR hackers to gain access to networks and the stealthy intrusion tradecraft used to move laterally within compromised networks. Best practices have been shared to allow network defenders to improve their defenses, secure their networks, and conduct investigations to determine whether their systems have already been compromised. The advisory follows on from an April 15, 2021 joint alert from the NSA, CISA, and FBI following the formal declaration by the U.S. Government that the SolarWinds supply chain attack was conducted by SVR cyber actors known as The Dukes, CozyBear, Yttrium, and APT29. The CVR operatives are primarily targeting government agencies, policy analysis organizations and think tanks, IT...

Read More
DOJ Launches Ransomware and Digital Extortion Task Force
Apr23

DOJ Launches Ransomware and Digital Extortion Task Force

In response to the growing threat from ransomware attacks, the U.S Department of Justice has launched a new Ransomware and Digital Extortion Task Force that will target the entire ransomware ecosystem as a whole. The aim is not only to bring the individuals conducting the attacks to justice, but also any individuals who assist attackers, including those who launder ransom payments. The Task Force will include representatives from the DOJ criminal, national security and civil divisions, the Federal Bureau of Investigation, and the Executive Office for United States Attorneys and will work closely with the Departments of Homeland Security and the Treasury. The task force will also work to improve collaboration with the private sector and international partners. Resources will be increased to address ransomware attacks, training and intelligence gathering will be improved, and the task force will coordinate with the Department of Justice to investigate leads and connections to known cybercriminal organizations and nation state threat groups. In addition to aggressively pursuing all...

Read More
Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited
Apr22

Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited

Three zero-day vulnerabilities have been identified in SonicWall Email Security products that are being actively exploited in the wild by at least one threat actor. The vulnerabilities can be chained to gain administrative access to enterprise networks and achieve code execution. SonicWall Email Security solutions are deployed as a physical appliance, virtual appliance, software installation, or as a hosted SaaS solution and provide protection from phishing, spear phishing, malware, ransomware, and BEC attacks. The solutions do not need to be Internet facing, but hundreds are exposed to the Internet and are vulnerable to attack. In one instance, a threat actor with intimate knowledge of the SonicWall application exploited the vulnerabilities to gain administrative access to the application and installed a backdoor that provided persistent access. The threat actor was able to access files and emails, harvest credentials from memory, and then used those credentials to move laterally within the victim’s network. The three vulnerabilities were identified by the Mandiant Managed Defense...

Read More
Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw
Apr21

Pulse Connect Secure Vulnerabilities Being Actively Exploited, Including New Zero-Day Flaw

At least one threat group is exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products, according to a recent alert from the DHS’ Cybersecurity and Infrastructure Security Agency (CISA). While there has not been an official attribution, the threat actor has been linked to China by some security researchers and targets have included government, defense, financial, and critical infrastructure organizations. FireEye has been tracking the malicious activity and reports that at least 12 malware families have been involved in cyberattacks exploiting the vulnerabilities since August 2020. These attacks have involved the harvesting of credentials to allow lateral movement within victim networks and the use of scripts and the replacement of files to achieve persistence. Several entities have now confirmed that they have been attacked after they identified malicious activity using the Pulse Connect Secure Integrity Tool. Access has been gained to Pulse Connect Secure appliance by exploiting multiple vulnerabilities including three vulnerabilities that were disclosed in 2019 and...

Read More
HSCC Publishes Guidance on Securing the Telehealth and Telemedicine Ecosystem
Apr20

HSCC Publishes Guidance on Securing the Telehealth and Telemedicine Ecosystem

Healthcare providers are increasingly leveraging health information technology to provide virtual healthcare services to patients. Telehealth services allow patients living in rural areas and the elderly to gain access to essential medical services, and the pandemic has seen a major expansion in telehealth to provide virtual healthcare services to patients to reduce the spread of COVID-19. According to FAIR Health, the number of telehealth claims to private insurers has increased by 4,347% in the past year, with virtual care such as telehealth now one of the fastest growing areas of healthcare. The Centers for Medicare and Medicaid Services has committed to providing long term support for virtual healthcare services and Frost & Sullivan predicts there will be a seven-fold increase in telehealth by 2025. The major expansion of healthcare services has happened quickly and at a time when the healthcare industry is being targeted by cybercriminals more than ever before. Hackers have been exploiting vulnerabilities with ease to gain access to sensitive healthcare data and disrupt...

Read More
Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks
Apr16

Health-ISAC Helps Healthcare Organizations Prepare for Supply Chain Cyberattacks

Health-ISAC, in conjunction with the American Hospital Association (AHA), has published guidance for healthcare information security teams to help them improve resilience against supply chain cyberattacks such as the recent SolarWinds Orion incident. The white paper – Strategic Threat Intelligence: Preparing for the Next “SolarWinds” Event – provides insights into the cyberattack and explores the characteristics that made such an attack possible. The document provides technical recommendations for senior business leaders, C-suite executives, and IT and information security teams to help them prevent and mitigate similar attacks. Solutions such as SolarWinds Orion have privileged access to the assets they are used to manage, and those supply chain dependencies and inherent trust models were exploited in the SolarWinds Orion attack. The attackers exploited a software update mechanism to inject a backdoor into the network monitoring platform. The update was downloaded and applied by around 18,000 customers and selected companies were then targeted in more in-depth compromises,...

Read More
NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities
Apr16

NSA/CISA/FBI: Patch Now to Stop Russian Government Hackers Exploiting These 5 Vulnerabilities

Tension is growing between Russia and the United States over the continuous cyberattacks on the U.S. government and public and private sector organizations by Russian government hackers. Yesterday, a joint alert was issued by the National Security Agency (NSA), DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), warning of the continued exploitation of software vulnerabilities by the Russian Foreign Intelligence Service (SVR). The attacks have been attributed to the Cozy Bear Advanced Persistent Threat (APT) Group – aka APT29/The Dukes – which is part of the SVR. The APT group is conducting widespread scanning and exploitation of software flaws in vulnerable systems to gain access to credentials that allow them to gain further access to devices and networks for espionage activities. The NSA, CISA, and the FBI have shared details of five software vulnerabilities that continue to be successfully exploited by the SVR to gain access to devices and networks. The NSA, CISA, and the FBI have previously shared mitigations that can be...

Read More
COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups
Apr15

COVID-19 Vaccine Cold Chain Continues to Be Targeted by Threat Groups

The global COVID-19 vaccine cold chain continues to be targeted advanced persistent threat groups, according to an updated report from IBM Security X-Force. X-Force researchers previously published a report in December 2020 warning that cyber adversaries were targeting the COVID-19 cold chain to gain access to vaccine data and attacks continue to pose a major threat to vaccine distribution and storage. There are currently more than 350 logistics partners that are part of the cold chain and are involved in the delivery and storage of vaccines at low temperatures. Since the initial report was published on cold chain phishing attacks, IBM X-Force researchers have identified a further 50 email message files tied to spear phishing campaigns, which have targeted 44 companies in 14 countries throughout Europe, the Americas, Africa, and Asia. The companies being targeted underpin the transport, warehousing, storage, and distribution of COVID-19 vaccines, with the most targeted organizations involved in transportation, IT and electronics, and healthcare such companies in biomedical...

Read More
100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities
Apr14

100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities

Researchers at Forescout and JSOF have identified 9 vulnerabilities in Internet-connected devices that could be exploited in denial-of-service and remote code execution attacks. The flaws have been identified in certain implementations of the Domain Name System (DNS) protocol in TCP/IP network communication stacks. The flaws are mostly due to how parsing of domain names occurs, which can breach DNS implementations, and problems with DNS compression, which devices use to compress data to communicate over the Internet using TCP/IP. This class of vulnerabilities has been named NAME:WRECK. They affect common IoT and operational technology systems, including FreeBSD, IPnet, Nucleus NET, and NetX. While the use of these IoT/OP systems does not necessarily mean devices are vulnerable, many will be. The researchers suggest that around 1% of IoT devices are likely to be susceptible to the flaws, which is more than 100 million devices worldwide. Vulnerable devices are used in a range of industry sectors, including healthcare, retail, manufacturing, and the government, with healthcare...

Read More
Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities
Apr14

Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12.01 AM on Friday April 16, 2021 due to the high risk of exploitation of the flaws. At the time of issuing the patches there have been no known cases of exploitation of the flaws in the wild, but it is likely that now the flaws have been publicly disclosed, the patches could be reverse engineered and working exploits developed. All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers as well as persistent access and control of enterprise networks. Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user...

Read More
HHS OIG: HHS Information Security Program Rated ‘Not Effective’
Apr12

HHS OIG: HHS Information Security Program Rated ‘Not Effective’

The Department of Health and Human Services’ Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective. The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards. The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: Risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning. The levels of maturity for information security are Level 1 (Ad hoc...

Read More
CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments
Apr09

CISA Releases Tool for Assessing Post Compromise Activity in Microsoft 365 Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to accompany the open-source PowerShell-based Sparrow detection tool released in December 2020 to help network defenders detect potential compromised accounts in their Azure, Microsoft 365, and Office 365 environments. Sparrow was created following the SolarWinds cyberattack to help network defenders identify whether their cloud environments had been compromised. The new tool, named Aviary, is a Splunk-based dashboard that can be used to visualize and analyze data outputs from the Sparrow tool to identify post-compromise threat activity in Azure, Microsoft 365, and Office 365 accounts. The Aviary dashboard helps network defenders analyze PowerShell logs and analyze mailbox sign-ins to determine if the activity is legitimate. Through the dashboard, PowerShell usage by employees can also be examined along with Azure AD domains to determine if they have been modified. CISA is encouraging network defenders to review the previously released AA21-008A alert on detecting post compromise activity in...

Read More
Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups
Apr08

Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups

Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities. Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system. Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others...

Read More
FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers
Apr06

FBI/CISA Warn of Ongoing Attacks Targeting Vulnerable Fortinet FortiOS Servers

Vulnerabilities in the Fortinet FortiOS operating system are being targeted by advanced persistent threat (APT) actors and are being used to gain access to servers to infiltrate networks as pre-positioning for follow-on data exfiltration and data encryption attacks. In a recent Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency warned users of the Fortinet FortiOS to immediately patch three vulnerabilities, tracked under the CVE numbers CVE-2018-13379, 2020-12812, and 2019-5591. Patches were released to correct the flaws in May 2019, July 2019, July 2020. Fortinet communicated with affected companies and published multiple blog posts urging customers to update the FortiOS to a secure version; however, some customers have yet to apply the patches to correct the flaws and are at risk of attack. CVE-2018-13379 is a vulnerability due to improper limitation of a pathname to a restricted directory and is present in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12. Under SSL VPN web...

Read More
VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager
Apr02

VMware Patches High Severity Flaws in vRealize Operations, Cloud Foundation and vRealize Suite Lifecycle Manager

VMware has released patches to correct two high severity vulnerabilities in its AI-powered IT operations management platform for private, hybrid, and multi-cloud environments – vRealize Operations. The flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager. CVE-2021-21975 is a server side request forgery flaw which could be exploited by a remote attacker to abuse the functionality of a server and access or manipulate information that should not be directly accessible. The flaw could be exploited by sending a specially crafted request to a vulnerable vRealize Operations Manager API endpoint which would allow the attacker to steal administrative credentials. The vulnerability has been assigned a CVSS score of 8.6 out of 10. The second vulnerability, tracked as CVE-2021-21983, is an arbitrary file write vulnerability in the vRealize Operations Manager API. The flaw has been assigned a CVSS score of 7.2 out of 10. Exploitation of the vulnerability would allow an attacker to write files to the underlying photon operating system. An attacker would first need...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives...

Read More
Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms
Apr01

Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

Security firm Proofpoint reports that the Advanced Persistent Threat (APT) group Charming Kitten was behind a spear phishing campaign in late 2020 targeting senior professionals at medical research organizations in the United States and Israel. Charming Kitting, aka Phosphorus, Ajax, and TA453, is an APT group with links to the Islamic Revolutionary Guard Corps (IRCG) in Iran. Charming Kitting has been active since at least 2014 and is primarily involved in espionage campaigns involving spear phishing attacks and custom malware. The attacks previously linked to the APT group have been on dissidents, academics, and journalists, so the latest spear phishing campaign targeting medical research organizations is a departure from the group’s usual targets. The phishing campaign, dubbed BadBlood, attempted to steal Microsoft Office credentials and coincided with growing tensions between Iran, the United States, and Israel. It is unclear at this stage whether the targeting of very senior professionals in medical research firms is part of a wider campaign or was simply an outlier event. The...

Read More
New Report Provides Deep Dive into COVID-19 Themed Phishing Tactics
Mar30

New Report Provides Deep Dive into COVID-19 Themed Phishing Tactics

In early 2020, phishers started to take advantage of the pandemic and switched from their standard lures to a wide variety of pandemic-related themes for their campaigns. To coincide with the one-year anniversary of the pandemic, researchers at the Palo Alto Networks Unit 42 Team analyzed the phishing trends over the course of the past year to review the changes in the tactics, techniques, and procedures (TTPs) of phishers and the extent to which COVID-19 was used in their phishing campaigns. The researchers analyzed all phishing URLs detected between January 2020 and February 2021 to determine how many had a COVID-19 theme, using specific keywords and phrases related to COVID-19 and other aspects of the pandemic. The researchers identified 69,950 unique phishing URLs related to COVID-19 topics, with almost half of those URLs directly related to COVID-19. Phishing campaigns were promptly adapted to the latest news and thoughts on the coronavirus and closely mirrored the latest pandemic trends. Following the World Health Organization’s declaration of the pandemic in March 2020 there...

Read More
FBI Issues Warning About Mamba Ransomware
Mar29

FBI Issues Warning About Mamba Ransomware

An increase in cyberattacks involving Mamba ransomware has prompted the Federal Bureau of Investigation and the Department of Homeland Security to issue a flash alert warning organizations and companies in multiple sectors about the dangers of the ransomware. In contrast to many ransomware variants that have their own encryption routines, Mamba ransomware has weaponized the open source full disk encryption software DiskCryptor. DiskCryptor is a legitimate encryption tool that is not malicious and is therefore unlikely to be detected as such by security software. The FBI has not provided any details of the extent to which the ransomware has been used in attacks, which have so far mostly targeted government agencies and transportation, legal services, technology, industrial, commercial, manufacturing, construction companies. Several methods are used to gain access to systems to deploy the ransomware, including exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured methods of remote access. Rather than searching for certain file extensions to encrypt,...

Read More
FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments
Mar23

FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments

State, local, tribal, and territorial (SLTT) governments have been warned they are being targeted by Business Email Compromise (BEC) scammers. In a March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) explained it has observed an increase in BEC attacks on SLTT government entities between 2018 and 2020. Losses to these attacks range from $10,000 to $4 million. BEC attacks involve gaining access to an email account and sending messages impersonating the account holder with a view to convincing the target to make a fraudulent transaction. The email account is often used to send messages to the payroll department to change employee direct deposit information or to individuals authorized to make wire transfers, to request changes to bank account details or payment methods. In 2020, the FBI’s Internet Crime Complaint Center (IC3) was notified about 19,369 BEC attacks and losses of almost $1.9 billion were reported. In July 2019, a small city government was scammed out of $3 million after receiving a spoofed email that appeared to be from a contractor...

Read More
Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft
Mar22

Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft

The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the US government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond. Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’ resides in Lucerne, Switzerland and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottman admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, Nissan, as well as schools, correctional facilities, and hospitals. Live streams of surveillance camera and archived footage were accessed between March 7 and March 9, 2021, screenshots and videos of which were published online. Ethical hackers often exploit vulnerabilities and gain access to systems and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the...

Read More
February 2021 Healthcare Data Breach Report
Mar19

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents. After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches. Largest Healthcare Data Breaches Reported in February 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware Gore Medical Management, LLC GA Healthcare Provider...

Read More
FBI: $4.2 Billion Lost to Cybercrime in 2020
Mar18

FBI: $4.2 Billion Lost to Cybercrime in 2020

The Federal Bureau of Investigation (FBI) has published its annual Internet Crime Report. 791,790 complaints were made to the FBI’s Internet Crime Complaint Center (IC3) in 2020, which is a 69% increase from 2019. More than $4.2 billion was lost to cybercrime in 2020, an increase of 20% from 2019. Since 2016, there have been reported losses to cybercrime of more than $13.3 billion. In 2020, the most reported cybercriminal activity was phishing, which accounted for 30.5% of all complaints to IC3. 2.45% of complaints were about business email compromise (BEC) attacks. Business email compromise scams involve compromising a business email account through social engineering or phishing and using the account to arrange fraudulent transfers of funds. While these incidents were far less numerous than phishing, they were the biggest cause of losses. $1,866,642,107 was lost to BEC attacks in 2020. 2020 saw a 19% reduction in BEC attacks compared to 2019, although losses increased by 0.1 billion. In 2020, cybercriminals exploited the COVID-19 pandemic to scam businesses and individuals. IC3...

Read More
CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware
Mar18

CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan; but the malware has since had a host of new capabilities added and is now extensively used as a malware loader for delivering other malware variants, including ransomware such as Ryuk and Conti. “TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert. In late 2019, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure and spam campaigns distributing the malware soon recommenced, with TrickBot activity surging in recent weeks. Earlier this month, Check Point researchers warned about an increase in TrickBot infections following the takedown of the Emotet botnet. TrickBot was the 4th most prevalent malware variant in 2020 and rose to third in January 2021; however, since...

Read More
2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches
Mar16

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks. The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net. The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised. Healthcare Hacking Incidents Increased...

Read More
Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras
Mar12

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and viewed live feeds and archived footage from cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals. As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information. Verkada’s systems were not accessed with a view to conducting any malicious actions, instead the aim was to raise awareness of the ease at which the systems could be hacked. Malicious threat actors could also have easily gained access to the Verkada’s systems for a range of malicious purposes. Till Kottmann, one of the...

Read More