Healthcare cybersecurity is a growing concern. The last few years have seen hacking and IT security incidents steadily rise and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay.

2015 was a record year for healthcare industry data breaches. More patient and health plan member records were exposed or stolen in 2015 than in the previous 6 years combined, and by some distance. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyberattack. 2016 saw more healthcare data breaches reported than any other year, and 2017 looks set to be another record breaker.

Healthcare providers now have to secure more connected medical devices than ever before and there has been a proliferation of IoT devices in the healthcare industry. The attack surface is growing and cybercriminals are developing more sophisticated tools and techniques to attack healthcare organizations, gain access to data and hold data and networks to ransom.

The healthcare industry has been slow to respond and has lagged behind other industries when it comes to cybersecurity. However, cybersecurity budgets have increased, new technology has been purchased, and healthcare organizations are getting better at blocking attacks and keeping their networks secure.

The articles in this healthcare cybersecurity section are intended to help HIPAA covered entities decide on the best technologies to protect their networks from attack and develop effective policies, procedures and security awareness training programs to prevent costly data breaches.

Our healthcare cybersecurity section contains articles and new reports relating to:

New vulnerabilities that could be exploited to gain access to healthcare networks

Security warnings about new attack vectors currently being used by cybercriminals to gain access to healthcare networks and data

Details of new malware and ransomware that threaten the confidentiality, integrity, and availability of protected health information

Healthcare cybersecurity best practices

New guidelines for HIPAA covered entities on data and device security

Updates from the Healthcare Industry Cybersecurity Task Force

Details of cybersecurity frameworks that can be adopted by healthcare organizations to improve security posture

Advice related to the HIPAA Security Rule and the safeguards that must be applied to secure medical devices, networks and healthcare data

The latest healthcare cybersecurity surveys, reports and white papers

Small and Medium Sized Practices Under Increased Pressure from Cyberattacks
Mar05

Small and Medium Sized Practices Under Increased Pressure from Cyberattacks

2020 saw cyberattacks on healthcare organizations increase significantly. While large healthcare organizations are being targeted by Advanced Persistent Threat (APT) groups and ransomware gangs, there has also been a marked increase in attacks on small- to medium-sized healthcare organizations. A cyberattack on a large healthcare organization could allow the hackers to steal large quantities of protected health information and ransomware attacks typically see ransom demands issued for millions of dollars. The rewards from these attacks are considerable, but large healthcare organizations tend to invest heavily in cybersecurity and often have their own IT security teams to protect and monitor their IT networks. Cyberattacks on these organizations require more skill and they can be difficult and time consuming. Medium-sized healthcare organizations also store large amounts of sensitive data, yet their networks tend to be less well protected, which makes cyberattacks much easier and still highly profitable. Cyberattacks on Small- and Medium-Sized Healthcare Organizations are...

Read More
IBM X-Force: Healthcare Cyberattacks Doubled in 2020
Mar03

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020. The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9. The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial...

Read More
Multiple Threat Groups Exploiting Zero Day Microsoft Exchange Server Flaws
Mar03

Multiple Threat Groups Exploiting Zero Day Microsoft Exchange Server Flaws

Microsoft has released out-of-band security updates to fix four zero-day Microsoft Exchange Server vulnerabilities that are being actively exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium. The attacks have been ongoing since early January, with the APT group targeting defense contractors, law firms, universities, NGOs, think tanks, and infectious disease research organizations in the United States. Exploitation of the flaws allows the attackers to exfiltrate mailboxes and other data from vulnerable Microsoft Exchange servers, run virtually any code on the servers, and upload malware for persistent access. Hafnium is a previously unidentified sophisticated APT group that is believed to be backed by the Chinese government. The group is chaining together the four zero-day vulnerabilities to steal sensitive data contained in email communications. While developing the exploits required some skill, using those exploits is simple and allows the attackers to exfiltrate large quantities of sensitive data with ease. While the APT group is based in China, virtual...

Read More
NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity
Mar02

NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity

The National Security Agency (NSA) has recently released new guidance to help organizations adopt a Zero Trust approach to cybersecurity to better defend against increasingly sophisticated cyber threats. Zero Trust is a security strategy which assumes that breaches are inevitable or have happened and an intruder is already inside the network. This approach assumes that any device or connection may have been compromised so it cannot be implicitly trusted. Continuous verification is required in real time from multiple sources before access is granted and for system responses. Adopting a Zero Trust approach to security means adhering to the concept of least-privileged access for every access decision and constantly limiting access to what is needed, with anomalous and potentially malicious activity constantly examined. “Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries,” explained the NSA in the guidance....

Read More
CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities
Feb25

CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about 4 vulnerabilities which are being actively exploited by a threat actor to gain access to sensitive data. The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified. The vulnerabilities are tracked as: CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header CVE-2021-27102 – Operating system command execution vulnerability via a local web service CVE-2021-27103 – Server-side request forgery via a crafted POST request CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request The SQL injection flaw (CVE-2021-27011) allows unauthorized individual to run remote commands on targeted devices. An exploit for the...

Read More
Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity
Feb23

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Throughout the pandemic, cybercriminals have taken advantage of new opportunities and have been attacking hospitals, clinics and other businesses and organizations on the front line in the fight against COVID-19. Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021. A recent report from the CTI League provides further information on these attacks and some of the other ways the healthcare industry was targeted in 2020. The report highlights the work conducted by the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity that has potential to impact the healthcare industry or general public health. This is the first report to be released that highlights the discoveries and achievements of the CTIL Dark team, and delves into realm of healthcare ransomware attacks and the dark markets where access to healthcare networks are...

Read More
100% of Tested mHealth Apps Vulnerable to API Attacks
Feb16

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov. Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic. mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user...

Read More
Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers
Feb12

Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas. Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients. It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal. According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by...

Read More
Feds Release Ransomware Fact Sheet
Feb09

Feds Release Ransomware Fact Sheet

A ransomware factsheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF) to raise awareness of the threat of ransomware attacks and provide insights that can be leveraged to prevent and mitigate attacks. The fact sheet was developed by an interagency group of more than 15 government agencies and is primarily intended for use by police and fire departments, state, local, tribal and territorial governments, and critical infrastructure entities. The factsheet was released as part of the “Reduce the Risk of Ransomware Campaign” launched by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) in January 2021. The fact sheet explains the impact ransomware attacks have had on the public sector, provides information on U.S. government efforts to combat ransomware threats, and details the most common methods used by threat actors to gain access to networks to deploy ransomware payloads: Phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities. Phishing emails contain either a malicious link or file attachment. If...

Read More
VMWare Carbon Black Explores the State of Healthcare Cybersecurity in 2020
Feb08

VMWare Carbon Black Explores the State of Healthcare Cybersecurity in 2020

Throughout 2020, the healthcare industry was on the frontline of the pandemic providing medical care to patients suffering from COVID-19 but also had to deal with increasing numbers of cyberattacks, as cybercriminals stepped up their attacks on hospitals and health systems. Recently, VMware Carbon Black conducted a retrospective review of the state of healthcare cybersecurity in 2020 that revealed the extent to which the healthcare industry was targeted by cybercriminals, how those attacks succeeded, and what healthcare organizations need to do to prevent cyberattacks in 2021. VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and found 239.4 million cyberattacks were attempted in 2020, which equates to an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019. As it became clear that the outbreak in Wuhan was turning into a pandemic, cyberattacks on healthcare providers started to increase. Between January and February 2020, cyberattacks on healthcare customers increased by 51% and continued to increase throughout...

Read More
FDA Appoints Kevin Fu as its First Director of Medical Device Security
Feb05

FDA Appoints Kevin Fu as its First Director of Medical Device Security

The U.S. Food and Drug Administration (FDA) has announced the appointment of University of Michigan associate professor Kevin Fu as its first director of medical device security. Fu will serve a one-year term as acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and the recently created Digital Health Center of Excellence, starting on January 1, 2021. Fu will help “to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.” Fu will help to develop the CDRH cybersecurity programs, public-private partnerships, and premarket vulnerability assessments to ensure the safety of medical devices including insulin pumps, pacemakers, imaging machines, and healthcare IoT devices and protect them against digital security threats. Fu has considerable experience in the field of medical device cybersecurity. Fu currently serves as chief scientist at the University of Michigan’s Archimedes Center for Medical Device Security, which he founded, he co-founded the healthcare...

Read More
Global Law Enforcement Action Disrupts NetWalker Ransomware Operation
Jan29

Global Law Enforcement Action Disrupts NetWalker Ransomware Operation

The U.S. Department of Justice (DOJ) has announced a dark web website used by the NetWalker ransomware gang has been seized as part of a global action to disrupt operations and bring the individuals responsible for the file-encrypting extortion attacks to justice. The action was taken in coordination with the United States Attorney’s Office for the Middle District of Florida, the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance provided by the Bulgarian National Investigation Service and General Directorate Combatting Organized Crime. The announcement comes just a few hours after Europol an international effort that resulted in the takedown of the Emotet Botnet. The NetWalker ransomware gang is one of around 20 ransomware-as-a-service (RaaS) operators that recruit affiliates to distribute ransomware for a cut of any ransom payments they generate. The NetWalker gang started operating in late 2019. Since then, the ransomware has proven popular with affiliates and many attacks have been conducted. It has been estimated that in...

Read More
Multinational Law Enforcement Operation Takes Down the Emotet Botnet
Jan28

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Europol has announced the notorious Emotet Botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which is comprised of hundreds of servers around the world. The Emotet botnet was one of the most prolific malware botnets of the last decade and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The Emotet operators ran one of the most professional and long-lasting cybercrime services and was one of the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet. The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous....

Read More
Ransomware Attacks Account for Almost Half of Healthcare Data Breaches
Jan28

Ransomware Attacks Account for Almost Half of Healthcare Data Breaches

A new report published by Tenable has revealed almost half of all healthcare data breaches are the result of ransomware attacks, and in the majority of cases the attacks were preventable. According to the Tenable Research 2020 Threat Landscape Retrospective Report, 730 data breaches were reported across all industry sectors in the first 10 months of 2020 and more than 22 billion records were exposed. 8 million of those records were exposed in healthcare data breaches. Healthcare registered the highest number of data breaches of any industry sector between January and October 2020, accounting for almost a quarter (24.5%) of all reported data breaches, ahead of technology (15.5%), education (13%), and the government (12.5%). Due to the high number of healthcare data breaches, Tenable researchers analyzed those breaches to identify the main causes and found that ransomware attacks accounted for 46.4% of all reported data breaches, followed by email compromise attacks (24.6%), insider threats (7.3%), app misconfigurations (5.6%) and unsecured databases (5%). Across all industry...

Read More
FBI Issues Warning Following Spike in Vishing Attacks
Jan25

FBI Issues Warning Following Spike in Vishing Attacks

Many data breaches start with a phishing email, but credential phishing can also occur via other communication channels such as instant messaging platforms or SMS messages. One often overlooked way for credentials to be obtained is phishing over the telephone. These phishing attacks, termed vishing, can give attackers the credentials they need to gain access to email accounts and cloud services and escalate privileges. Recently, the Federal Bureau of Investigation (FBI) issued an alert after a spike in vishing incidents to steal credentials to corporate accounts, including credentials for network access and privilege escalation. The change to remote working in 2020 due to COVID-19 has made it harder for IT teams to monitor access to their networks and privilege escalation, which could allow these attacks to go undetected. The FBI warned that it has observed a change in tactics by threat actors. Rather than only targeting credentials of individuals likely to have elevated privileges, cybercriminals are now trying to obtain all credentials. While the credentials of low-ranking...

Read More
At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020
Jan20

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft. The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year. In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities. These attacks have caused significant financial harm and in some cases the disruption has had life threatening...

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments
Jan15

CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are exploiting poor cyber hygiene to gain access to enterprise cloud environments. The alert was issued after CISA observed a surge in attacks on organizations that have transitioned to a largely remote workforce in response to the pandemic. While some of the tactics outlined in the report may have been used by the hackers behind the SolarWinds Orion supply chain attack, these tactics have not been tied to any specific threat group and are being used by multiple threat actors to gain access cloud environments and obtain sensitive data. According to the alert, threat actors are using a variety of tactics, techniques, and procedures to attack cloud environments, including brute force attacks to guess weak passwords, phishing attacks, and the exploitation of unpatched vulnerabilities and weaknesses in cloud security practices. Phishing is commonly used to obtain credentials to remotely access cloud resources and applications. The phishing emails typically include hyperlinks to...

Read More
Healthcare Industry Web Application Attacks Have Increased by 51% in the Past Two Months
Jan14

Healthcare Industry Web Application Attacks Have Increased by 51% in the Past Two Months

There has been a significant increase in healthcare industry web application attacks according to new data published by cybersecurity firm Imperva. Imperva Research Labs monitored a 51% increase in web application attacks between November 2020 and December 2020, which coincided with the start of the rollout of COVID-19 vaccines. Imperva SVP Terry Ray said 2020 had been an unprecedented year of cyber activity, with healthcare web application attack volume up 10% year-over-year. On average there were 187 million web application attacks on healthcare targets each month in 2020, with each organization monitored by Imperva experiencing an average of 498 attack a month. The top targets were located in the United States, United Kingdom, Brazil, and Canada. In December, Imperva Research Labs detected significant increases in four types of attacks. The largest increase was seen in protocol manipulation attacks, which increased 76% from the previous month and were the third most common attack type. There was a 68% increase in remote code execution / remote file inclusion attacks, although...

Read More
Hackers Leak Data Stolen in European Medicines Agency Cyberattack
Jan14

Hackers Leak Data Stolen in European Medicines Agency Cyberattack

In December, the European Medicines Agency (EMA) suffered a cyberattack and hackers gained access to third party documents. Some of the data stolen in the attack has now been leaked online. The EMA is the agency responsible for regulating the assessments and approvals of COVID-19 vaccines, treatments, and research in the EU. The EMA had previously issued an update on investigation into the cyberattack and said only one IT application had been compromised. The EMA said all third parties had been notified about the attack, although those companies were not named. In the updates on the investigation, the EMA said the primary goal of the attackers was to gain access to COVID-19 medicine and vaccine information. While it was clear that documents had been accessed, the EMA has only just confirmed that data was exfiltrated by the attackers. Prior to the cyberattack, BioNTech and Pfizer submitted their vaccine data to the EMA as part of the approval process and the server accessed by the hackers contained documents related to the regulatory submissions by Pfizer and BioNTech. Pfizer and...

Read More
HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law
Jan12

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law

On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach. While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach. The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions. The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches...

Read More
FBI Issues Warning About Increasing Egregor Ransomware Activity
Jan11

FBI Issues Warning About Increasing Egregor Ransomware Activity

The Federal Bureau of Investigation (FBI) has issued a Private Industry Alert about the growing threat of Egregor ransomware attacks. Egregor ransomware is a ransomware-as-a-service operation that was first identified in September 2020. The threat actors behind the operation recruit affiliates to distribute their ransomware and give them a cut of any ransoms they generate. The affiliates have been highly active over the past three months and have conducted attacks on many large enterprises. High-profile victims include Barnes & Noble, Ubisoft, Kmart, Crytek, and the Canadian transportation agency TransLink. The threat group claims to have gained access to more than 150 corporate networks and deployed their ransomware, with the ransom demands exceeding $4 million. Many affiliates have been recruited by the Egregor ransomware gang and each has their preferred method of distributing the ransomware. With a wide range of tactics, techniques, and procedures used to deliver the ransomware, defending against attacks can be a challenge for network defenders. Initial access to corporate...

Read More
Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors
Jan08

Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been identified in Innokas Yhtymä Oy vital signs monitors which allow communications between downstream devices to be modified and certain features of the monitors to be disabled. The vulnerabilities affect All versions of VC150 patient monitors prior to software version 1.7.15. Vulnerable patient monitors have a stored cross-site scripting (XSS) vulnerability which allows a web script or HTML to be injected via the filename parameter to update multiple endpoints of the administrative web interface. The vulnerability is due to improper neutralization of input during web page generation. The vulnerability is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10. The second vulnerability, tracked as CVE-2020-27260, is due to improper neutralization of special elements in the output used by downstream components. HL7 v2.x injection vulnerabilities allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages via multiple expected parameters. The vulnerability...

Read More
Federal Task Force Says SolarWinds Supply Chain Attack Likely Russian in Origin
Jan07

Federal Task Force Says SolarWinds Supply Chain Attack Likely Russian in Origin

A joint statement has been issued by the Federal Bureau of Investigation (FBI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) on behalf of the Trump Administration attributing the supply chain attack on SolarWinds Orion software to Russian threat actors. Following the attack, the National Security Council created a task force known as the Cyber Unified Coordination Group (UCG) to investigate the breach, which consisted of the FBI, CISA, and ODNI, with support provided by the NSA. The task force is still investigating the scope of the data security incident but has announced that the attack was conducted by an Advanced Persistent Threat (APT) actor and was “likely Russian in origin.” Evidence has been mounting that the SolarWinds software was compromised as part of an intelligence gathering operation run by Russia. While several media outlets have previously reported the security breach as being a Russia-led operation, and Secretary of State Mike Pompeo and former...

Read More
NSA Releases Guidance on Eliminating Weak Encryption Protocols
Jan06

NSA Releases Guidance on Eliminating Weak Encryption Protocols

The National Security Agency (NSA) has released guidance to help organizations eliminate weak encryption protocols, which are currently being exploited by threat actors to decrypt sensitive data. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols were developed to create protected channels using encryption and authentication to ensure the security of sensitive data between a server and a client.  The algorithms used by these protocols to encrypt data have since been updated to improve the strength of encryption, but obsolete protocol configurations are still in use. New attacks have been developed that exploit weak encryption and authentication protocols, which are being actively used by threat actors to decrypt and obtain sensitive data. The NSA explains that most products that use obsolete TLS versions, cipher suites, and key exchange methods have been updated, but implementations have often not kept up and continued use of these out-of-date TLS configurations carries an elevated risk of exploitation. Continued use of outdated protocols provides a false sense...

Read More
Healthcare Industry Cyberattacks Increase by 45%
Jan06

Healthcare Industry Cyberattacks Increase by 45%

In the fall of 2020, a warning was issued to the healthcare and public health sector following a spike in ransomware activity. The joint CISA, FBI, and HHS cybersecurity advisory explained that the healthcare industry was being actively targeted by threat actors with the aim of infecting systems with ransomware. Several ransomware gangs had stepped up attacks on the healthcare and public health sector, with the Ryuk and Conti operations the most active. A new report from Check Point shows attacks continued to increase in November and December 2020, when there was a 45% increase in cyber-attacks on healthcare organizations globally. The increase was more than double the percentage rise in attacks on all industry sectors worldwide over the same period. Globally, there was an average of 626 cyberattacks on healthcare organizations each week in November and December, compared to 430 attacks in October. The vectors used in the attacks have been varied, with Check Point researchers identifying an increase in ransomware, botnet, remote code execution, and DDoS attacks in November and...

Read More
Hidden Backdoor Identified in 100,000 Zyxel Devices
Jan05

Hidden Backdoor Identified in 100,000 Zyxel Devices

A vulnerability has been identified in Zyxel devices such as VPN gateways, firewalls, and access point (AP) controllers that could be exploited by threat actors to gain remote administrative access to the devices. By exploiting the vulnerability, threat actors would be able to make changes to firewall settings, allow/deny certain traffic, intercept traffic, create new VPN accounts, make internal services publicly accessible, and gain access to internal networks behind Zyxel devices. Around 100,000 Zyxel devices worldwide have the vulnerability. Zyxel manufacturers networking equipment and its devices are popular with small to medium sized businesses and are also used by large enterprises and government agencies. The vulnerability, tracked as CVE-2020-29583, was identified by Niels Teusink of the Dutch cybersecurity firm EYE, who discovered a hidden user account in the latest version of Zyxel firmware (4.60 patch 0).  The user account, zyfwp, which was not visible in the user interface of the products, was discovered to have a hardcoded plain-text password which Teusink found in one...

Read More
Largest Healthcare Data Breaches in 2020
Jan01

Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records. The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years. The Largest Healthcare Data Breaches in 2020 When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom...

Read More
CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool
Dec30

CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool

The DHS’ Cybersecurity and Infrastructure Security Agency has launched a website providing resources related to the ongoing cyber activities of the advanced persistent threat (APT) group responsible for compromising the SolarWinds Orion software supply chain. The threat actors behind the attack gained access to the networks of federal, state, and local governments, critical infrastructure entities, and private sector organizations around the world. In addition to compromising the software update mechanism of SolarWinds Orion, the hackers also exploited vulnerabilities in commonly used authentication mechanisms to gain persistent access to networks. According to Microsoft, the main goal of the attackers appears to be to gain persistent local access to networks by delivering the Sunburst/Solarigate backdoor, then pivot to victims’ cloud assets. Recently it has become clear that more than one threat group is conducting cyber espionage after the discovery of a different malware variant that was introduced through the SolarWinds Orion software update feature. Microsoft and Palo Alto...

Read More
NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem
Dec22

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem. PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location. PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for...

Read More
FBI Warns of DoppelPaymer Ransomware Attacks Targeting Critical Infrastructure
Dec21

FBI Warns of DoppelPaymer Ransomware Attacks Targeting Critical Infrastructure

The Federal Bureau of Investigation (FBI) has issued a private industry notification warning of an increase in DoppelPaymer ransomware activity and a change in tactics by the threat actors to pressure victims into paying. DoppelPaymer ransomware first emerged in the summer of 2019 and has since been used in attacks on a range of verticals including healthcare, education, and the emergency services. The ransomware is believed to be operated by the Evil Corp (TA505) threat group, which was behind Locky ransomware and the Dridex banking Trojan. Like many human-operated ransomware operations, the threat group exfiltrates data prior to the encryption of files and uses the stolen data as leverage to get the ransom paid. While victims may be able to recover encrypted files from backups, the threat of the public release or sale of stolen data is sufficient to get them to pay the ransom demand. The threat group is known for demanding large ransom payments, often as high as seven figures. The gang is also believed to have been the first to start cold calling victims to pressure them into...

Read More
NSA Warns of Authentication Mechanism Abuse to Gain Access to Cloud Resources
Dec21

NSA Warns of Authentication Mechanism Abuse to Gain Access to Cloud Resources

The U.S. National Security Agency (NSA) has issued an alert that warns about two hacking techniques that are currently being used by threat groups to gain access to cloud resources containing protected data. These techniques abuse authentication mechanisms and allow attackers to steal credentials and maintain persistent access to networks. These techniques have been used by the threat actors who compromised SolarWinds Orion platform. The hackers behind the attacks have yet to be identified, but some evidence has emerged that suggest this is a nation state attack by a Russian threat group, possibly APT29 (Cozy Bear). Secretary of State Mike Pompeo said in a radio interview on Friday that “now we can say pretty clearly that it was the Russians that engaged in this activity,” although on Saturday President Trump downplayed the attack and suggested there is a possibility China is responsible, although President Trump is largely alone in having that viewpoint. The SolarWinds Orion platform supply chain attack was used to push malware out to customers through the SolarWinds...

Read More
OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules
Dec18

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their...

Read More
House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices
Dec16

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices

A new bill (HR 7898) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes. The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations. The bill defines ‘Recognized Security Practices’ as “standards,...

Read More
CISA: SolarWinds Orion Software Under Active Attack
Dec15

CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software. The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive, nation state hacking group who created a Trojanized version of Orion software that has been used to deploy a backdoor into customers’ systems dubbed SUNBURST. The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies. SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign...

Read More
Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers
Dec14

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product. The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been...

Read More
What is Considered PHI?
Dec13

What is Considered PHI?

In response to questions sent to HIPAA Journal, we have written a series of posts answering some of the most basic elements of HIPAA, the latest being what is considered PHI? What is PHI, PII, and IIHA? Terms such as PHI and PII are commonly referred to in healthcare, but what do they mean and what information do they include? PHI is an acronym of Protected Health Information, while PII is an acronym of Personally Identifiable Information. Before explaining these terms, it is useful to first explain what is meant by health information, of which protected health information is a subset. Health information is information related to the provision of healthcare or payment for healthcare services that is created or received by a healthcare provider, public health authority, healthcare clearinghouse, health plan, business associate of a HIPAA-covered entity, or a school/university or employer. Health information relates to past, present, and future health conditions or physical/mental health that is related to the provision of healthcare services or payment for those services. Personally...

Read More
Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces
Dec10

Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces

The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working. The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems. The flaw is a command-injection vulnerability in the administrative configurator component of the affected products. The vulnerability can be exploited remotely by an attacker with valid credentials and access to the administrative configurator on port 8443. If successfully exploited, an attacker would be able to execute commands with unrestricted privileges on the operating system and access sensitive data. VMWare released a patch to correct the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been compromised, along...

Read More
Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products
Dec09

Critical Vulnerabilities Identified in More Than 100 GE Healthcare Imaging and Ultrasound Products

Two critical severity vulnerabilities have been identified in GE Healthcare medical imaging devices that allow remote code execution and access/alteration of sensitive patient data. The vulnerabilities affect GE Healthcare’s proprietary management software and impact more than 100 GE Healthcare imaging devices including MRI, Ultrasound, Advanced Visualization, Interventional, X-Ray, Mammography, Computed Tomography, Nuclear Medicine and PET/CT devices. Affected GE Healthcare Products Device Product Families MRI Brivo, Optima, Signa Ultrasound EchoPAC, Image Vault, LOGIQ, Vivid, Voluson Advanced Visualization AW Interventional Innova, Optima X-Ray AMX, Brivo, Definium, Discovery, Optima, Precision Mammography Seno, Senographe Pristina Computed Tomography BrightSpeed, Brivo, Discovery, Frontier LightSpeed, Optima, Revolution Nuclear Medicine, PET/CT Brivo, Discovery, Infinia Optima, PET Discovery, PETtrace, Ventri, Xeleris The vulnerabilities were identified by Lior Bar Yosef and Elad Luz of CyberMDX who reported them to GE Healthcare in May 2020. CyberMDX has dubbed the flaws...

Read More
COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign
Dec04

COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign

The Cybersecurity Infrastructure and Security Agency has issued a warning about a global spear phishing campaign targeting organizations in the cold storage and supply chain that are involved with the distribution of COVID-19 vaccines. Two of the first vaccines to be produced must be kept and low temperatures during storage and transit prior to being administered. The Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C), so cold chain organizations are a key element of the supply chain. At the start of the pandemic, IBM X-Force established a cyber threat task force to track threats targeting organizations involved in the fight against COVID-19. The task force recently published a report about an ongoing spear phishing campaign that started in September 2020 which is targeting organizations supporting the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children’s Fund and partner organizations to distribute vaccines worldwide. Phishing emails have been sent to executives in sales,...

Read More
Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access
Dec03

Vulnerabilities in OpenClinic Application Could Allow Unauthorized PHI Access

Four vulnerabilities have been identified in the OpenClinic application, the most severe of which could allow authentication to be bypassed and protected health information (PHI) to be viewed from the application by unauthorized users. OpenClinic is an open source, PHP-based health record management software that is used in many private clinics, hospitals, and physician practices for administration, clinical and financial tasks. A BishopFox Labs researcher has identified four vulnerabilities in the software which have yet to be corrected. The most serious vulnerability involves missing authentication, which could be exploited to gain access to any patient’s medical test results. Authenticated users of the platform can upload patient’s test results to the application, which are loaded into the /tests/ directory. Requests for files in that directory do not require users to be authenticated to the application to return and display the test results. In order for the test results to be obtained, an unauthenticated user would need to guess the names of the files; however, the BishopFox...

Read More
Researchers Describe Possible Synthetic DNA Supply Chain Attack
Dec02

Researchers Describe Possible Synthetic DNA Supply Chain Attack

A team of researchers at Ben-Gurion University in Israel have described a possible bioterrorist attack scenario in which the supply chain of synthetic DNA could be compromised. DNA synthesis providers could be tricked into producing harmful DNA sequences and delivering them to unsuspecting customers. Synthetic DNA is currently produced for research purposes and is available in many ready-to-use forms. Clients of DNA synthesis providers specify the DNA sequences they require and the DNA synthesis company generates the requested sequences to order and ships them to their customers. There are safety controls in place to prevent DNA being synthesized that could be harmful, but the Ben-Gurion University researchers point out that those safety checks are insufficient. Hackers could potentially exploit security weaknesses and inject rogue genetic information into the synthesis process, unbeknown to the customers or DNA synthesis providers. For example, rogue genetic material could be inserted that encodes for a harmful protein or a toxin. The researchers describe an attack scenario where...

Read More
FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity
Nov26

FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity

Threat actors using Ragnar Locker ransomware have stepped up their attacks and have been targeting businesses and organizations in many sectors, according to a recent private industry alert from the Federal Bureau of Investigation (FBI). Ragnar Locker ransomware was first identified by security researchers in April 2019, with the first known attack targeting a large corporation that was issued with an $11 ransom demand for the keys to decrypt files and ensure the secure deletion of the 10 terabytes of sensitive data stolen in the attack. While not named in the FBI alert, the attack appears to have been on the multinational energy company, Energias de Portugal. The gang was also behind the ransomware attacks on the Italian drinks giant Campari and the Japanese gaming firm Capcom. Since that attack, the number of Ragnar Locker victims has been steadily growing. Attacks have been successfully conducted on cloud service providers, and companies in communication, construction, travel, enterprise software, and other industries. As with other human-operated ransomware attacks, the threat...

Read More
Free Google Services Abused in Phishing Campaigns
Nov26

Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes. Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered. The use of Google services by phishers is nothing new; however, security researchers at Arborblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites,...

Read More
HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations
Nov25

HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices. The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements. Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and...

Read More
October 2020 Healthcare Data Breach Report
Nov23

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud. The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months. Largest Healthcare Data Breaches Reported in October 2020 Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware Presbyterian Healthcare Services...

Read More
Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users
Nov19

Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users

Microsoft has issued a warning to Office 365 about an ongoing phishing campaign targeting user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested. A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes. The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code. Microsoft notes that the redirector sites have a unique...

Read More
ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector
Nov18

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, saying, “At this time, we consider the threat to be credible, ongoing, and persistent.” In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020. Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a...

Read More
Vendor Access and HIPAA Compliance: Are you Secured?
Nov17

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine. Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage. A hacker can quickly access hundreds of patient files and cause widespread damage, including a...

Read More
Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development
Nov16

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data. The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft and three APT groups are known to be conducting attacks – the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea – The Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29). The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently...

Read More
Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware
Nov12

Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware

A new phishing campaign is being conducted using the TrickBot botnet to deliver the Bazar backdoor and Buer loader malware. The campaign was detected by researchers at Area 1 Security and has been running since early October. The Bazar backdoor is used to gain persistent access to victims’ networks, while the Buer loader is used to download additional malicious payloads. Previously, Buer has been used to deliver ransomware payloads such as Ryuk and tools such as CobaltStrike. Area 1 Security researchers detected two email lures in this campaign. One is a fake notification about termination of employment and the other a fake customer compliant. The employment termination email appears to have been sent by an authority figure in the head office of the company being targeted and states that the individual has been terminated. Further information on the termination and payout are provided in a document that appears to be hosted on Google Docs. If the link is clicked, the user will be directed to a Google Doc decoy preview page and is advised to click another link if they are not...

Read More
Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption
Nov06

Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption

Coveware has released its Quarterly Ransomware report for Q3, 2020 highlighting the latest ransomware attack trends. The report confirms that data exfiltration prior to the use of ransomware continues to be a popular tactic, with around half of all ransomware attacks involving data theft. Attacks involving the theft of data doubled in Q3, 2020. In cases where data are stolen prior to file encryption, victims are told that if they do not pay the ransom demand their data will be leaked online or sold to pressure victims into paying, but ransomware victims should carefully consider whether or not to pay. There are no guarantees that paying the ransom will prevent publication of stolen data. Ransomware Gangs Renege on Promises to Delete Data The Maze ransomware gang started the double-extortion trend in 2019 and many ransomware operators soon followed suit. In some cases, two ransomware demands are issued; one to return or delete stolen data and the other for the keys to unlock the encrypted files, The operators of the AKO and Ranzy ransomware variants have adopted this dual ransom...

Read More
Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication
Oct30

Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication

A new report published by CoreView has revealed the majority of Microsoft 365 admins have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and are failing to implement other basic security practices. According to the study, 78% of Microsoft 365 administrators have not activated multi-factor authentication and 97% of Microsoft 365 users are not using MFA. “This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” explained the researchers. The SANS Institute says 99% of data breaches can be prevented by using MFA, while Microsoft explained in an August 2020 blog post that MFA is the single most important measure to implement to prevent unauthorized account access, explaining that 99.9% of account breaches can be prevented by using MFA. The CoreView study also revealed 1% of Microsoft 365 admins do not use strong passwords, even though hackers are...

Read More
Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector
Oct29

Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued an advisory warning about increased Ryuk ransomware activity targeting the healthcare and public health sector. Credible evidence has been obtained indicating an increased and imminent threat to hospitals and healthcare providers in the United States. The advisory details some of the tactics, techniques, and procedures (TTPs) used by the operators of Ryuk ransomware and other cybercriminal groups who are assisting with the distribution of the ransomware to help the healthcare sector manage risk and protect their networks from attacks. The advisory explains that Ryuk ransomware is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is a banking Trojan that was first identified in 2016 that has since been updated with a host of new functions. In addition to stealing banking credentials, TrickBot is capable of mail exfiltration, cryptomining, data exfiltration from point of sale systems, and acts as...

Read More
Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment
Oct27

Survey Explores Cybersecurity Impact of COVID-19 Enforced Switch to a Remote Working Environment

Prior to the 2019 Novel Coronavirus pandemic, many companies allowed some of their employees to spend some of the week working from home; however, COVID-19 dramatically changed the way people work, with national lockdowns forcing employers to rapidly change working practices and allow virtually all of their employees to work remotely. When lockdowns were lifted, many employees continued to work from home. The new remote working environment is considered by many to be now be the new normal. Remote working has created many challenges, especially for cybersecurity as it is harder for organizations to prevent, detect, and contain cyberattacks when much of the workforce is working remotely. A recent survey conducted on 2,215 IT and IT security professionals by the Ponemon Institute on behalf of Keeper Security explores the cybersecurity challenges of teleworking and assesses how companies have adapted cybersecurity practices to address the risks of teleworking. One of the key findings from the survey is remote working has significantly reduced the effectiveness of organizations’...

Read More
Office 365 Users Targeted in Microsoft Teams Phishing Scam
Oct26

Office 365 Users Targeted in Microsoft Teams Phishing Scam

A new Office 365 phishing campaign has been detected by researchers at Abnormal Security that spoofs Microsoft Teams to trick users into visiting a malicious website hosting a phishing form that harvests Office 365 credentials. Microsoft Teams has been adopted by many organizations to allow remote workers to maintain contact with the office. In healthcare the platform is being used to provide telehealth services to help reduce the numbers of patients visiting healthcare facilities to control the spread of COVID-19. Microsoft reported in in a June call announcing financial earnings for the quarter ended June 30, 2020 that Microsoft Teams is now used by more than 150 million students and teachers. Over 1,800 different organizations have more than 10,000 Teams users, and 69 organizations have over 100,000 Teams  users. The use of Microsoft Teams in healthcare has also been growing, with 46 million Teams meetings now being conducted for telehealth purposes. The increase in usage due to the pandemic has presented an opportunity for cybercriminals. According to figures from Abnormal...

Read More
FDA Approves Tool for Scoring Medical Device Vulnerabilities
Oct23

FDA Approves Tool for Scoring Medical Device Vulnerabilities

The FDA has approved a new rubric designed by the MITRE Corporation for assigning Common Vulnerability Scoring System (CVSS) scores to medical device vulnerabilities. The CVSS was designed for assigning scores to vulnerabilities in IT systems according to their severity, and while the system works well for many IT systems, it is less well suited to scoring vulnerabilities in medical devices. When vulnerabilities are discovered in medical devices, device manufacturers use the CVSS as a consistent and standardized way of communicating the severity of a vulnerability to the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and other agencies. The scores are used by IT teams in hospitals and clinics for prioritizing patching and software updates. If a vulnerability has a score of 9.0, it naturally takes priority over a vulnerability with a CVSS score of 3.0, for instance. However, CVSS base scores do not adequately reflect the clinical environment and potential patient safety impacts. To address this issue, the FDA contracted the...

Read More
Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom
Oct23

Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States. B.Braun OnlineSuite Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code. The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows uploads and downloads of files by unauthenticated individuals, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a high privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10. An Excel macro vulnerability – CVE-2020-25170 – has also been identified in the export feature, caused by the mishandling of multiple input fields, which has been assigned a CVSS v3 base score of 6.9. The flaws are present in OnlineSuite AP 3.0 and earlier....

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks
Oct21

6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks

The U.S. Department of Justice has announced 6 Russian hackers have been indicted for their role in the 2017 NotPetya malware attacks and a long list of offensive cyber campaigns on multiple targets in the United States and other countries. The six individuals are suspected members of the GRU: Russia’s Main Intelligence Directorate, specifically GRU Unit 74455, which is also known as Sandworm. The Sandworm unit is believed to be behind a long list of offensive cyber campaigns spanning several years. Sandworm is suspected of being instrumental in attempts to influence foreign elections, including the 2016 U.S. presidential election and the 2017 French Presidential election. One of the most destructive offensive campaigns involved the use of NotPetya malware in 2017. NotPetya was a wiper malware used in destructive attacks worldwide that leveraged the Microsoft Windows Server Message Block (SMBv1) vulnerability. Several hospitals and medical clinics were affected by NotPetya and had data wiped and computer systems taken out of action. NotPetya hit the pharmaceutical giant Merck,...

Read More
Active Threat Warning Issued About SharePoint RCE Vulnerability
Oct20

Active Threat Warning Issued About SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and infrastructure Security Agency is also urging organizations to patch the flaw promptly to prevent exploitation. The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges. To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques. The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases: Microsoft SharePoint Foundation 2013 Service Pack 1 Microsoft SharePoint Enterprise...

Read More
Universities Targeted in Silent Librarian Spear Phishing Campaign
Oct16

Universities Targeted in Silent Librarian Spear Phishing Campaign

The Iran-based hacking group known as Silent Librarian – aka Cobalt Dickens and TA407 – has recommenced spear phishing attacks on universities in the United States and around the world. The hacking group has been conducting attacks since 2013 to gain access to login credentials and steal intellectual property and research data. Credentials and data stolen in the attacks are subsequently sold via the hacking group’s portals. The U.S. Department of Justice indicted 9 Iranians in connection with the attacks in 2018, but the indictments have had no effect on the campaigns which have continued. Those individuals have yet to be brought to justice. The spear phishing campaigns usually recommence in September to coincide with the start of the new academic year. The hackers have developed many different phishing websites which are used in the campaigns, and while many of these sites are taken down, sufficient numbers are used to ensure the campaigns can continue. This year, the group is known to be using sites hosted in Iran, which could hamper efforts to have the sites shut down due...

Read More
Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA
Oct16

Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA

On October 2020 Patch Tuesday, Microsoft released a patch to correct a critical remove code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw concerns how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was assigned a CVSS v3 score of 9.8 out of 10. While all patches should be applied promptly to prevent exploitation, there is usually a delay between patches being released and exploits being developed and used offensively against organizations; however, due to the severity of the flaw and the ease at which it can be exploited, patching this vulnerability is especially important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) took to Twitter to urge all organizations to apply the patch immediately. An attacker could exploit the flaw remotely in a Denial of Service attack, resulting in a ‘blue screen of death’ system crash; however, exploitation could also allow the remote execution of arbitrary code on...

Read More
CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw
Oct13

CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw

A joint advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warning about sophisticated advanced persistent threat actors chaining exploits for multiple vulnerabilities in cyberattacks against federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support systems. While there have been successful attacks on the latter, no evidence has been found to suggest any election data have been compromised to date. Several legacy vulnerabilities are being targeted along with more recently discovered vulnerabilities, such as the Windows Server Netlogon remote protocol vulnerability – CVE-2020-1472 – also known as Zerologon. A patch for the flaw was issued by Microsoft on August 2020 Patch Tuesday but patching has been slow. Chaining vulnerabilities in a single cyberattack is nothing new. It is a common tactic used by sophisticated threat groups to compromise networks and applications, elevate privileges, and achieve persistent access to victims’...

Read More
CISA Issues Alert Following Increase in Emotet Malware Attacks
Oct07

CISA Issues Alert Following Increase in Emotet Malware Attacks

Following a period of dormancy between February 2020 and July 2020, the Emotet botnet sprang back to life and recommenced spam runs distributing the Emotet Trojan. Since August 2020, attacks on state and local governments have increased sharply, prompting the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to issue a cybersecurity alert for all industry sectors. The Emotet botnet resumed activity in July with a massive phishing campaign using messages with malicious Word attachments and hyperlinks. Since then, multiple spam runs have been conducted which typically consist of more than 500,000 emails. The Emotet Trojan is a dangerous banking Trojan which is used as a downloader of other types of malware, notably the TrickBot and Qbot Trojans. The secondary payloads in turn deliver other malware payloads, including Ryuk and Conti ransomware. One infected device could easily result in further infections across the network. Emotet infects other devices in a worm-like fashion, creating multiple copies of itself which are written to shared drives....

Read More
CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment
Oct05

CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a Telework Essentials Toolkit to help business leaders, IT staff, and end users transition to a permanent teleworking environment. The COVID-19 pandemic forced businesses to rapidly change from having a largely office-based workforce to allowing virtually all employees to work from home to reduce the risk of infection. The speed at which the transition had to be made potentially introduced security vulnerabilities that weakened organizational cybersecurity defenses. The CISA Toolkit is intended to provide support to organizations to help them re-evaluate and strengthen their cybersecurity defenses and fully transition into a long-term teleworking solution. The Toolkit includes three personalized modules that include best practices for executive leaders, IT professionals and teleworkers, and include the security considerations appropriate to each role. Executive leaders are provided with information to help them drive cybersecurity strategy, investment, and develop a cyber...

Read More
Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment
Oct02

Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions. “Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” Several individuals involved in ransomware attacks...

Read More
NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations
Sep25

NIST Publishes Updated Security and Privacy Controls Guidance for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has released updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5). This is the first time that NIST has updated the guidance since 2013 and is a complete renovation rather than a minor update. NIST explained that the updated guidance will “provide a solid foundation for protecting organizations and systems—including the personal privacy of individuals—well into the 21st century.” The updated guidance is the result of years of effort “to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems—from super computers to industrial control systems to Internet of Things (IoT) devices.” This is the first control catalog to be released worldwide that includes privacy and security controls in the same catalog. The guidance will help to protect organizations from diverse threats and risks, including cyberattacks, human error, natural disasters, privacy...

Read More
CISA Issues Alert Following Surge in LokiBot Malware Activity
Sep24

CISA Issues Alert Following Surge in LokiBot Malware Activity

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a surge in LokiBot malware activity over the past two months. LokiBot – also known as Lokibot, Loki PWS, and Loki-bot – first appeared in 2015 and is an information stealer used to steal credentials and other sensitive data from victim machines. The malware targets Windows and Android operating systems and employs a keylogger to capture usernames and passwords and monitors browser and desktop activity. LokiBot can steal credentials from multiple applications and data sources, including Safari, Chrome, and Firefox web browsers, along with credentials for email accounts, FTP and sFTP clients. The malware is also capable of stealing other sensitive information and cryptocurrency wallets and can create backdoors in victims’ machines to provide persistent access, allowing the operators of the malware to deliver additional malicious payloads. The malware establishing a connection with its Command and Control Server and exfiltrates data via HyperText Transfer Protocol....

Read More
August 2020 Healthcare Data Breach Report
Sep22

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average. The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.     Largest Healthcare Data Breaches Reported in August 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud...

Read More
Hospital Ransomware Attack Results in Patient Death
Sep18

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records. Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 21 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner. The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could...

Read More
CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability
Sep18

CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released. If exploited, an attacker could gain access to a domain controller with administrator privileges. MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft. The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges. Microsoft is addressing the...

Read More
Vulnerabilities Identified in Philips Clinical Collaboration Platform
Sep18

Vulnerabilities Identified in Philips Clinical Collaboration Platform

5 low- to medium-severity vulnerabilities have been identified in the Philips Clinical Collaboration Platform (Vue PACS). If successfully exploited, an attacker could convince an authorized user to execute unauthorized actions or could result in the disclosure of information that could be used in further attacks. Philips has not received any reports to indicate exploits for the vulnerabilities have been developed or used in real world attacks, and there have been no reports of incidents from clinical use associated with the vulnerabilities. The vulnerabilities affect versions 12.2.1 and prior and range in severity from low (CVSS v3 base score 3.4) to medium (CVSS v3 base score 6.8). CVE-2020-16200 – Resource exposed to the wrong control sphere – Allows unauthorized access to the resource (CVSS 6.8) CVE-2020-16247 – Algorithm downgrade – A failure to control the allocation and maintenance of a limited resource, potentially leading to exhaustion of available resources. (CVSS 6.5) CVE-2020-16198 – Protection mechanism failure – Failure or insufficient checks to verify the identity...

Read More
CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups
Sep17

CISA/FBI Warn of Targeted Attacks by Iranian Hacking Groups

A hacking group with links to the Iranian government has been observed exploiting several vulnerabilities in attacks on U.S. organizations and government agencies, according to a recent joint cybersecurity advisory released by the Cybersecurity Security and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The alert closely follows a similar cybersecurity advisory warning about hackers linked to the Chinese government conducting attacks exploiting some of the same vulnerabilities. The Iranian hacking group, known as UNC757 and Pioneer Kitten, has been exploiting vulnerabilities in F5 networking solutions, Citrix NetScaler, and Pulse Secure VPNs to gain access to networks. The hacking group has also been observed using open source tools such as Nmap to identify vulnerabilities, such as open ports within vulnerable networks. Exploited Vulnerabilities Two vulnerabilities in Pulse Secure products are being exploited. The first, CVE-2019-11510, affects Pulse Secure Connect enterprise VPN servers and is a file reading vulnerability. The second is an...

Read More
CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws
Sep15

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies. The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful. The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack. Some of the most...

Read More
8 Vulnerabilities Identified in Philips Patient Monitoring Devices
Sep14

8 Vulnerabilities Identified in Philips Patient Monitoring Devices

8 low- to moderate-severity vulnerabilities have been identified in Philips patient monitoring devices. Exploitation of the vulnerabilities could result in information disclosure, interrupted monitoring, denial of service, and an escape from the restricted environment with limited privileges. The vulnerabilities affect the following Philips patient monitoring devices: Patient Information Center iX (PICiX) Versions B.02, C.02, C.03 PerformanceBridge Focal Point Version A.01 IntelliVue patient monitors MX100, MX400-MX850, and MP2-MP90 Versions N and prior IntelliVue X3 and X2 Versions N and prior Vulnerabilities CVE-2020-16212 – CVSS 6.8/10 – Moderate Severity. A resource is exposed to wrong control sphere, which could allow an unauthorized individual to gain access to the resource and escape the restricted environment with limited privileges. Physical access to a vulnerable device is required to exploit the flaw. CVE-2020-16216 – CVSS 6.5/10 – Moderate Severity. The product does not validate or incorrectly validates input or data to ensure it has the necessary properties to allow it...

Read More
Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats
Sep08

Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats. NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks. Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include...

Read More
CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity
Sep07

CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks.  The guidance details best practices for detecting malicious activity and step by step instructions for investigating potential security incidents and securing compromised systems. The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such host-based artifacts, conduct a host analysis review and analysis of network activity, and take the right actions to mitigate a cyberattack. The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks...

Read More
Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers
Sep02

Cisco Warns of Active Exploitation of Zero Day Flaws in IOS XR Software Used by Cisco Carrier-Grade Routers

Two zero-day vulnerabilities in the IOS XR software used by Cisco Network Converging System carrier-grade routers are being actively exploited by hackers. The first attempts at exploitation of the vulnerabilities were detected by Cisco on August 25, 2020. While patches have yet to be released by Cisco to correct the vulnerabilities, there are workarounds that can be used to reduce the risk of the vulnerabilities being exploited. The vulnerabilities, tracked as CVE-2020-3566 and CVE-2020-3569, are present in the distance vector multicast routing protocol (DVMRP) and affect all Cisco devices that use the IOS XR version of its Internetworking Operating System, if the software has been configured to use multicast routing. Multicast routing is used to save bandwidth and involves sending certain data in a single stream to multiple recipients. An unauthenticated attacker could exploit the flaws to exhaust the process memory of a device by remotely sending specially crafted internet group management protocol (IGMP) packets to the device. If the flaws are successfully exploited it would...

Read More
Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE
Sep01

Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19. The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days. The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of...

Read More
OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory
Aug27

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization. In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization. In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the...

Read More
Study Reveals Increase in Credential Theft via Spoofed Login Pages
Aug26

Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed. The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email. The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more. IRONSCALES researchers found the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. The brand with the most fake login pages – 11,000...

Read More
FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers
Aug24

FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers

An ongoing voice phishing (vishing) campaign is being conducted targeting remote workers from multiple industry sectors. The threat actors impersonate a trusted entity and use social engineering techniques get targets to disclose their corporate Virtual Private Network (VPN) credentials. The Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and infrastructure Security Agency (CISA) have issued a joint advisory about the campaign, which has been running since mid-July. The COVID-19 pandemic forced many employers to allow their entire workforce to work from home and connect to the corporate network using VPNs. If those credentials are obtained by cybercriminals, they can be used to access the corporate network. The threat group first purchases and registers domains that are used to host phishing pages that spoof the targeted company’s internal VPN login page and SSL certificates are obtained for the domains to make them appear authentic. Several naming schemes are used for the domains to make them appear legitimate, such as [company]-support, support-[company], and...

Read More
Millions of Devices Affected by Vulnerability in Thales Wireless IoT Modules
Aug21

Millions of Devices Affected by Vulnerability in Thales Wireless IoT Modules

A vulnerability in components used in millions of IoT devices could be exploited by hackers and used to steal sensitive information and gain control of vulnerable devices, which could then be used in attacks on internal networks. Thales components are used by more than 30,000 companies, whose products are used across a broad range of industry sectors including energy, telecommunications, and healthcare. The flaw exists in the Cinterion EHS8 M2M module, along with several other products in the same line (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62). The embedded modules provide processing power and allow devices to send and receive data over wireless mobile connections. The module is also used as a digital secure repository for sensitive information such as passwords, credentials and operational code. The flaw would allow an attacker to gain access to the contents of that repository. X-Force Red researchers discovered a method for bypassing security measures protecting code and files in the EHS8 module. “[The modules] store and run Java code, often containing confidential...

Read More
New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers
Aug21

New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers

A new peer-to-peer (P2P) botnet has been discovered that is targeting SSH servers found in IoT devices and routers which accept connections from remote computers. The botnet, named FritzFrog, spreads like a computer worm by brute forcing credentials. The botnet was analyzed by security researchers at Guardicore Labs and was found to have successfully breached more than 500 servers, with that number growing rapidly. FritzFrog is modular, multi-threaded, and fileless, and leaves no trace on the machines it infects. FritzFrog assembles and executes malicious payloads entirely in the memory, making infections hard to detect. When a machine is infected, a backdoor is created in the form of an SSH public key, which provides the attackers with persistent access to the device. Additional payloads can then be downloaded, such as a cryptocurrency miner. Once a machine is compromised, the self-replicating process starts to execute the malware throughout the host server. The machine is added to the P2P network, can receive and execute commands sent from the P2P network, and is used to...

Read More
Three Vulnerabilities Identified in Philips SureSigns Vital Signs Monitors
Aug21

Three Vulnerabilities Identified in Philips SureSigns Vital Signs Monitors

Three low- to medium-severity vulnerabilities have been identified in Philips SureSigns VS4 vital signs monitors. If exploited, an attacker could gain access to administrative controls and system configurations and alter settings to send sensitive patient data to a remote destination. The vulnerabilities were identified by the Cleveland Clinic, which reported the flaws to Philips. Philips is unaware of any public exploits for the vulnerabilities and no reports have been received to date to indicate any of the vulnerabilities have been exploited. The flaws have been categorized as improper input validation (CWE-20), Improper access control (CWE-284), and improper authentication (CWE-287). Philips SureSigns VS4 receives input or data, but there is a lack of input validation controls to check the input has the properties to allow the data to be processed safely and correctly. This vulnerability is tracked as CVE-2020-16237 and has been assigned a CVSS V3 base score of 2.1 out of 10. When a user claims to have a given identity, there are insufficient checks performed to prove that the...

Read More
Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed
Aug17

Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories. Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community. Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data. Exposed PII and PHI in Public GitHub Repositories Jelle Ursem is an ethical security...

Read More
NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses
Aug14

NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses

NIST has published the final version of its zero trust architecture guidance document (SP 800-207) to help private sector organizations apply this cybersecurity concept to improve their security posture. Zero trust is a concept that involves changing defenses from static, network-based perimeters to focus on users, assets, and resources. With zero trust, assets and user accounts are not implicitly trusted based on their physical or network location or asset ownership. Under the zero trust approach, authentication and authorization are discreet functions that occur with subjects and devices before a session is established with an enterprise resource. The use of credentials for gaining access to resources has been an effective security measure to prevent unauthorized access; however, credential theft – through phishing campaigns for instance – is now commonplace, so cybersecurity defenses need to evolve to better protect assets, services, workflows, and network accounts from these attacks. All too often, credentials are stolen and are used by threat actors to gain access to...

Read More
Patches Released to Fix Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server
Aug13

Patches Released to Fix Critical Vulnerabilities in Citrix Endpoint Management / XenMobile Server

Two critical flaws have been found in Citrix Endpoint Management (CEM) / XenMobile Server. The flaws could be exploited by an unauthenticated attacker to access domain account credentials, take full control of a vulnerable XenMobile Server, and access VPN, email, and web applications and obtain sensitive corporate and patient data. CEM/ XenMobile Server is used by many businesses to manage employees’ mobile devices, apply updates, manage security settings, and the toolkit is used to support many in-house applications. The nature of the flaws make it likely that hackers will move to develop exploits quickly, so immediate patching is essential. The two critical flaws are tracked as CVE-2020-8208 and CVE-2020-8209. Information has only been released on one of the critical flaws – CVE-2020-8209 – which is a path traversal vulnerability due to insufficient input validation. If exploited, an unauthenticated attacker could read arbitrary files on the server running an application. Those files include configuration files and encryption keys could be obtained, which would allow sensitive...

Read More
More Than 1,000 Companies Targeted in New Business Email Compromise Scam
Aug11

More Than 1,000 Companies Targeted in New Business Email Compromise Scam

More than 1,000 companies worldwide have been targeted in a business email compromise (BEC) campaign that has been running since March 2020. The scam was uncovered by researchers at Trend Micro who report that more than 800 sets of Office 365 credentials have been compromised so far. Trend Micro has attributed the campaign to a cybercriminal group called Water Nue. While the group is not particularly technically sophisticated, the attacks have proven to be successful and the gang is extremely proficient. Trend Micro identified the campaign when it appeared that a large number of email domains were being used to phish for credentials and most of the victims were individuals in high corporate positions. The attackers target the Office 365 accounts of executives, particularly those working in finance. Cloud-based email distribution services are used to send emails containing malicious hyperlinks that direct the recipient to a fake Office 365 login page. The emails claim a voicemail message has been left and a hyperlink is included that must be clicked to listen to the message....

Read More
FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System
Aug06

FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System

The FBI Cyber Division has issued a Private Industry Notification advising enterprises still using Windows 7 within their infrastructure to upgrade to a supported operating system due to the risk of security vulnerabilities in the Windows 7 operating system being exploited. The FBI has observed an increase in cyberattacks on unsupported operating systems once they reach end-of-life status. Any organization that is still using Windows 7 on devices faces an increased risk of cybercriminals exploiting vulnerabilities in the operating system to remotely gain network access. “As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” warned the FBI. The Windows 7 operating system reached end-of-life on January 14, 2020 and Microsoft stopped releasing free patches to correct known vulnerabilities. Microsoft is only providing security updates for Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate if users sign up for the Extended Security Update (ESU) program. The ESU program will only run...

Read More
CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT
Aug05

CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns. Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT which is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government. CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location and gain persistent access to victims’ networks and for further network exploitation. Two versions of the malware have been identified which are being used to target 32-bit and 64-bit systems. Taidoor is downloaded onto victims’ systems as a service dynamic link library (DLL) and consists of two...

Read More
Vulnerability Identified in Philips DreamMapper Software
Aug03

Vulnerability Identified in Philips DreamMapper Software

A vulnerability has been identified in Philips DreamMapper software, a mobile app that is used to monitor and manage sleep apnea. The app is not used to provide therapy to patients, so exploitation of the flaw does not place patient safety at risk, but the vulnerability could be exploited to gain access to log files, obtain guidance from the information in the log files, and insert additional data. The vulnerability was identified by Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH. The flaw was reported to the Federal Office for Information Security (BSI) in Germany, who alerted Philips to the vulnerability. Philips alerted the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) about the flaw under its responsible disclosure policy, and CISA issued an advisory about the flaw on July 30, 2020. The vulnerability affects version 2.24 and prior versions of the software and is being tracked as CVE-2020-14518. The flaw has been assigned a CVSS v3 base score of 5.3 out of 10 – Medium...

Read More
$53 Million Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data
Jul30

$53 Million Cash Injection Proposed to Improve Cybersecurity and Protect COVID-19 Research Data

There is a considerable weight of evidence suggesting nation state hacking groups are targeting organizations involved in COVID-19 research and vaccine development to obtain information to further the research programs in their respective countries. Security agencies in the United States, Canada and United Kingdom have recently warned that there is strong evidence that state-sponsored hacking groups linked to Russia, China, and Iran are conducting attacks to obtain COVID-19 research data, and earlier this month the U.S. Department of Justice indicted two Chinese nationals for hacking into the networks of U.S. organizations over a 10-year period, with recent hacks conducted to obtain COVID-19 vaccine research data. Director of CISA, Christopher Krebs confirmed this week that research organizations working on vaccines are vulnerable to attack and that their hardware, software, and services are already under stress due to the increase in teleworking due to the pandemic.  A recent study conducted by BitSight on biomedical companies revealed many have unaddressed vulnerabilities that...

Read More
FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks
Jul30

FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving Netwalker ransomware. Netwalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services. The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research. The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities...

Read More
IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs
Jul29

IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs

The 2020 Cost of Data Breach Report from IBM Security has been released and reveals there has been a slight reduction in global data breach costs, falling to $3.86 million per breach from $3.92 million in 2019 – A reduction of 1.5%. There was considerable variation in data breach costs in different regions and industries. Organizations in the United States faced the highest data breach costs, with a typical breach costing $8.64 million, up 5.5% from 2019. COVID-19 Expected to Increase Data Breach Costs This is the 15th year that IBM Security has conducted the study. The research was conducted by the Ponemon Institute, and included data from 524 breached organizations, and 3,200 individuals were interviewed across 17 countries and regions and 17 industry sectors. Research for the report was conducted between August 2019 and April 2020. The research was mostly conducted before the COVID-19 pandemic, which is likely to have an impact on data breach costs. To explore how COVID-19 is likely to affect the cost of a data breaches, the Ponemon Institute re-contacted study participants to...

Read More
FBI Warns of Increase in Destructive Distributed Denial of Service Attacks and Risk of Malware in Chinese Tax Software
Jul27

FBI Warns of Increase in Destructive Distributed Denial of Service Attacks and Risk of Malware in Chinese Tax Software

The FBI’s Cyber Division has issued two recent cybersecurity alerts, the first following an increase in destructive Distributed Denial of Service (DDoS) on U.S. companies and the second concerns the risk of malware infections when installing Chinese tax software. Increase in Destructive DDoS Attacks on US Networks Cybercriminals have been exploiting new built-in network protocols to conduct amplified destructive DDoS attacks on US networks.  Three network protocols have been developed for use in devices such as smartphones, Macs, and IoT devices, which are being leveraged by cybercriminals in the DDoS attacks. The protocols – CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), and ARMS (Apple Remote Management Service) have already been leveraged to conduct massive real-world DDoS attacks. The alert also covers the built-in network protocol used by Jenkins servers, which could also potentially be used in similar attacks, although the vulnerability has not currently been exploited in the wild. Jenkins is an open source server used by software...

Read More
Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks
Jul23

Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks

The biomedical community is working hard to develop vaccines against SARS-CoV-2 and discover new treatments for COVID-19 and nation-state hackers and cybercriminal organizations are targeting those organizations to gain access to their research data. Recently, security agencies in the United States, Canada, and the United Kingdom issued alerts about state-sponsored Russian hackers targeting organizations involved in COVID-19 research and vaccine development. The security agencies had found evidence that the Russian hacking group APT29 was actively conducting scans against the external IP addresses of companies engaged in COVID-19 research and vaccine development, and that it was almost certain that the hackers were working with the Russian intelligence services. An joint alert was also issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI indicating hackers linked to China were conducting similar attacks on pharmaceutical companies and academic research facilities to obtain intellectual property and sensitive data related to...

Read More
Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails
Jul21

Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails

The Emotet botnet has been reactivated after a 5-month period of dormancy and is being used to send large volumes of spam emails to organizations in the United States and United Kingdom. The Emotet botnet is a network of compromised computers that have been infected with Emotet malware. Emotet malware is an information stealer and malware downloader that has been used to distribute a variety of banking Trojans, including the TrickBot Trojan. Emotet hijacks email accounts and uses them to send spam emails containing malicious links and email attachments, commonly Word documents and Excel spreadsheets containing malicious macros. If the macros are allowed to run, a PowerShell script is launched that silently downloads Emotet malware. Emotet malware can also spread to other devices on the network and all infected devices are added to the botnet. The emails being used in the campaign are similar to previous campaigns. They use fairly simple, yet effective lures to target businesses, typically fake invoices, purchase orders, receipts, and shipping notifications. The messages often only...

Read More
70% of Companies Have Suffered a Public Cloud Data Breach in the Past Year
Jul20

70% of Companies Have Suffered a Public Cloud Data Breach in the Past Year

A recent study conducted by Sophos has revealed 96% of companies are concerned about the state of their public cloud security. There appears to be a valid cause for that concern, as 70% of companies that host data or workloads in the cloud have experienced a breach of their public cloud environment in the past year. The most common attack types were malware (34%), followed by exposed data (29%), ransomware (28%), account compromises (25%), and cryptojacking (17%). Data for the study came from a survey conducted by Vanson Bourne on 3,521 IT managers in 26 countries including the United States, Canada, France, Germany, India, and the United Kingdom. More than 10 industry sectors were represented.  Respondents used one or more public clouds from Azure, Oracle Cloud, AWS, VMWare Cloud on AWS, Alibaba Cloud, Google Cloud and IBM Cloud. The findings of the survey were published in the Sophos report: The State of Cloud Security 2020. The biggest areas of concern are data loss, detection and response and multi-cloud management. Companies that use two or more public cloud providers...

Read More
Russian APT Group is Targeting Organizations Involved in COVID-19 Research
Jul17

Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, aka Cozy Bear, is targeting healthcare organizations, pharma firms, and research entities in the United States, United Kingdom, and Canada and is attempting to steal COVID-19 research data and information about vaccine development. On July 16, 2020, a joint advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), UK National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) to raise awareness of the threat. APT29 is a cyber espionage group that is almost certainly part of the Russian intelligence services. The group primarily targets government entities, think-tanks, diplomatic and energy targets in order to steal sensitive data. The group has been highly active during the COVID-19 pandemic and has conducted multiple attacks on entities involved COVID-19 research and vaccine development. The group conducts widespread scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain a foothold in vulnerable systems. The group has...

Read More
Vulnerability Identified in Capsule Technologies SmartLinx Neuron 2 Medical Information Collection Devices
Jul16

Vulnerability Identified in Capsule Technologies SmartLinx Neuron 2 Medical Information Collection Devices

A high severity flaw has been identified in Capsule Technologies SmartLinx Neuron 2 medical information collection devices running version 6.9.1 of the software. SmartLinx Neuron 2 is a bedside mobile clinical computer that automatically collects vital signs data and connects to hospitals’ medical device information systems. The flaw, tracked as CVE-2019-5024, is a restricted environment escape vulnerability due to the failure of a protection mechanism in kiosk mode. The flaw is present in all versions of Capsule Technologies SmartLinx Neuron 2 prior to version 9.0. Kiosk mode is a restricted environment that prevents users from exiting the running applications and accessing the underlying operating system. By exploiting the flaw, an attacker can exit kiosk mode and access the underlying operating system with full administrative rights. That could allow the attacker to gain full control of a trusted device on the hospital’s internal network. To exploit the flaw an attacker would need to have physical access to the device. The flaw could be exploited by connecting to the device...

Read More
Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability
Jul16

Microsoft Releases Patch to Correct Critical Wormable Windows DNS Server Vulnerability

Microsoft has released a patch to correct a 17-year old wormable remote code execution vulnerability in Windows DNS Server. The flaw can be exploited remotely, requires little skill to exploit, and could allow an attacker to take full control of an organization’s entire IT infrastructure. The vulnerability, CVE-2020-1350, was discovered by security researchers at Check Point who named the flaw SIGRed. The vulnerability is present on all Windows Server versions from 2003 to 2019 and has been assigned the maximum CVSS v3 score of 10 out of 10. The flaw is wormable, which means an attacker could exploit the vulnerability on all vulnerable servers on the network after an initial attack, with no user interaction required. The flaw is due to how the Windows Domain Name System servers handle requests and affects all Windows servers that have been configured as DNS servers. The flaw can be exploited remotely by sending a specially crafted request to the Windows DNS Server. The DNS serves as a phone book for the internet and is used to link an IP address to a domain name, which allows that...

Read More
At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020
Jul15

At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020

The New Zealand-based cybersecurity firm Emsisoft has released ransomware statistics for 2020 that show there have been at least 41 successful ransomware attacks on hospitals and other healthcare providers in the first half of the year. There were 128 successful ransomware attacks on federal and state entities, healthcare providers, and educational institutions in the first 6 months of 2020, with the healthcare industry accounting for 32% of those attacks. The large number of ransomware attacks in 2020 follows on from a spike in attacks in late 2019. 2019 saw more than double the number of ransomware attacks as 2018, attacks on healthcare providers increased by 350% in the final quarter of 2019. 966 entities were successfully attacked with ransomware across all industry sectors in 2019 and those attacks are estimated to have cost $7.5 billion. 2020 started badly for the healthcare industry with 10 successful ransomware attacks on healthcare providers in January, followed by a further 16 successful ransomware attacks in February. There was a marked decrease in attacks in March as...

Read More
FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor
Jul09

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks. Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and a user is passed through a series of nodes in a random path to a destination server. When a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, rather than their own IP address being recorded, the IP address of the exit node is recorded. Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, and deploy malware, ransomware, and conduct...

Read More
Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps
Jul09

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft.  The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll. Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links. When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The...

Read More
NSA Issues Guidance on Securing IPsec Virtual Private Networks
Jul07

NSA Issues Guidance on Securing IPsec Virtual Private Networks

The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working. While IPsec VPNs can ensure sensitive data in traffic is protected against unauthorized access through the use of cryptography, if IPsec VPNs are not correctly configured they can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs and flaws and misconfigurations have been exploited to gain access to corporate networks to steal sensitive information and deploy malware and ransomware. The NSA warns that maintaining a secure VPN tunnel can be complex and regular maintenance is required. As with all software, regular software updates are required. Patches should be applied on VPN gateways and clients as soon as possible to prevent...

Read More
Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software
Jul06

Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been identified in the remote access system, Apache Guacamole.  Apache Guacamole has been adopted by many companies to allow administrators and employees to access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products such as Fortress, Quali, and Fortigate and is one of the most prominent tools on the market with more than 10 million Docker downloads. Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two. Check Point Research...

Read More
Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System
Jul03

Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System

12 vulnerabilities have been identified in the open source integrated hospital information management system, OpenClinic GA. OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions. Brian D. Hysell has been credited with finding the vulnerabilities, three of which are rated critical and 6 are rated high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code. The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and there are public exploits for some of the flaws. The vulnerabilities have been assigned CVSS v3 base codes ranging from 5.4 to 9.8. The flaws were identified in OpenClinic GA Versions 5.09.02 and 5.89.05b. The most serious flaws include: CVE-2020-14495...

Read More
University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack
Jun29

University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption. UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack. The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the...

Read More
Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability
Jun26

Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability

Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688. Microsoft released an update to correct the vulnerability in February 2020 and an alert was issued in March when the flaw started to be exploited by APT groups, yet even though the vulnerability was being actively exploited in the wild, patching was still slow. Now Microsoft has detected a surge in attacks on vulnerable Exchange servers and is advising all Exchange customers to ensure the flaw is patched immediately. Any vulnerability in Microsoft Exchange should be treated as high priority. By exploiting Exchange flaws, an attacker can gain access to the email system, which often contains an extensive amount of highly sensitive information, and often protected health information in healthcare. As is the case with this vulnerability, attackers can gain access to highly privileged accounts and not only compromise the entire email system, but also gain administrative rights to the server and from there take control of the network....

Read More
Vulnerability identified in Philips Ultrasound Systems
Jun26

Vulnerability identified in Philips Ultrasound Systems

Philips has discovered an authentication bypass issue affecting Philips Ultrasound Systems that could potentially be exploited by an attacker to view or modify information. The flaw is due to the presence of an alternative path or channel that can be used to bypass authentication controls. The flaw has been assigned CVE-2020-14477 but is considered a low severity flaw and has been assigned a CVSS v3 base score of 3.6 out of 10. To exploit the vulnerability, an attacker would require local access to a vulnerable system. The vulnerability cannot be exploited remotely and does not place patient safety at risk. The flaw affects the following Philips Ultrasound Systems: Ultrasound ClearVue Versions 3.2 and prior Ultrasound CX Versions 5.0.2 and prior Ultrasound EPIQ/Affiniti Versions VM5.0 and prior Ultrasound Sparq Version 3.0.2 and prior and Ultrasound Xperius all versions The flaw has been corrected for Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips representative for further information on installing the update. Users of...

Read More
May 2020 Healthcare Data Breach Report
Jun23

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.   Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has...

Read More
Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches
Jun23

Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches

More companies are now completing their digital transformations and are taking advantage of the flexibility, scalability, and cost savings provided by public cloud environments, but securing public clouds can be a major challenge. One of the main factors that has stopped companies from taking advantage of the public cloud has been security. Security teams often feel protecting an on-premise data center is much easier than protecting data in public clouds, although many are now being won over and understand that public clouds can be protected just as easily. Public cloud providers now offer a range of security tools that can help companies secure their cloud environments. While these offerings can certainly make cloud security more straightforward, organizations must still ensure that their cloud services are configured correctly, identities and access rights are correctly managed, and they have full visibility into all of their cloud workloads. Cloud security vendor Ermetic recently commissioned IDC to conduct a survey of CISOs to explore the challenges associated with cloud...

Read More
Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices
Jun22

Advisories Issued About Vulnerabilities in Baxter, BD, and BIOTRONIK Medical Devices

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued medical advisories about vulnerabilities in medical devices manufactured by Baxter, Becton, Dickinson and Company (BD), and BIOTRONIK. The following products are affected: Baxter PrismaFlex (all versions) Baxter PrisMax (all versions prior to 3.x) Baxter ExactaMix EM 2400 (Versions 1.10, 1.11, 1.13, 1.14) Baxter ExactaMix EM 1200 (Versions 1.1, 1.2, 1.4, 1.5) Baxter Phoenix Hemodialysis Delivery System (SW 3.36 and 3.40) Baxter Sigma Spectrum Infusion Pumps (see below) BIOTRONIK CardioMessenger II-S T-Line (T4APP 2.20) BIOTRONIK CardioMessenger II-S GSM (T4APP 2.20) BD Alaris PCU (Versions 9.13, 9.19, 9.33, and 12.1) Before implementing any defensive measures it is important to conduct an impact analysis and risk assessment. Baxter PrismaFlex and PrisMax Three vulnerabilities have been identified in Baxter PrismaFlex and PrisMax systems that could allow an attacker to obtain sensitive data, although network access would first be required. The vulnerabilities are: CVE-2020-12036 – Cleartext transmission of...

Read More
CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs
Jun19

CISA Warns of Ongoing Ransomware Campaign Exploiting Vulnerabilities in RDP and VPNs

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about an ongoing Nefilim ransomware campaign, following the release of a security advisory by the New Zealand Computer Emergency Response Team (CERT NZ). Nefilim ransomware is the successor of Nemty ransomware and was first discovered in February 2020. In contrast to Nemty, Nefilim ransomware is not distributed under the ransomware-as-a-service model. The developers of the ransomware conduct their own attacks and deploy the ransomware manually after gaining access to enterprise networks. As with other manual ransomware groups, data is stolen from victims prior to deploying the ransomware. The group then threatens to publish or sell the stolen data if the ransom demand is not met. The group responsible for the attacks gains access to enterprise networks by exploiting vulnerabilities in remote desktop protocol (RDP) and virtual private networks (VPNs). The group uses brute force tactics to exploit weak authentication and the lack of multi-factor authentication, and also exploits unpatched...

Read More
Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices
Jun17

Exploitable ‘Ripple20’ RCE TCP/IP Flaws Affect Hundreds of Millions of Connected Devices

19 zero-day vulnerabilities have been identified in the TCP/IP communication software library developed by Treck Inc. which impact hundreds of millions of connected devices across virtually all industry sectors, including healthcare. Treck is a Cincinnatti, OH-based company that develops low-level network protocols for embedded devices. The company may not be widely known, but its software library has been used in internet-enabled devices for decades. The code is used in many low-power IoT devices and real-time operating systems due to its high performance and reliability and is used in industrial control systems, printers, medical infusion pumps and many more. The vulnerabilities were identified by security researchers at the Israeli cybersecurity company JSOF, who named the vulnerabilities Ripple20 because of the supply chain ripple effect. A vulnerability in small component can have wide reaching consequences and can affect a huge number of companies and products. In the case of Ripple20, companies affected include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar,...

Read More
Misconfigured Public Cloud Databases are Found and Attacked Within Hours
Jun11

Misconfigured Public Cloud Databases are Found and Attacked Within Hours

Misconfigured public cloud databases are often discovered by security researchers. Misconfigurations that leave cloud data exposed could be due to a lack of understanding about cloud security or policies, poor oversight to identify errors, or negligent behavior by insiders to name but a few. A recent report from Trend Micro revealed cloud misconfigurations were the number one cause of cloud security issues. Security researchers at Comparitech often discover unsecured cloud resources, commonly Elasticsearch instances and unsecured AWS S3 buckets. When the unsecured cloud databases are discovered, the owners are identified and notified to ensure data is secured quickly. Providing the owner can be identified, the databases are usually secured within a matter of hours, but there have been several cases where the database owner has been contacted but no response is received, and it is not always apparent to whom the data belongs. In these cases, data can be left exposed online for several days or even weeks. During that time, the databases remain unprotected and can be accessed and...

Read More
Attacks on Cloud Services Increased by 630% Between January and April
Jun10

Attacks on Cloud Services Increased by 630% Between January and April

COVID-19 has forced businesses to close their offices and allow employees to work from home. Cloud services have been provisioned to support home working and communication solutions such as Zoom, Cisco WebEx, and Microsoft Teams have allowed remote workers in collaborate effectively. A recently published report from cybersecurity company McAfee shows business use of cloud services increased by 50% in the first 4 months of 2020 and collaboration services saw an increase of 600% in usage during the same period. These solutions have allowed businesses to continue to operate, and many have reported productivity has actually improved during the pandemic; however, the rapid change to a largely at-home workforce has introduced vulnerabilities and cybercriminals have taken advantage. Attacks on Cloud Services Have Surged During the Pandemic An analysis of data from over 30 million McAfee cloud customers revealed cyberattacks on cloud services increased by 630% between January and April, 2020. Threats to cloud services were split into two main categories: Excessive usage from an anomalous...

Read More
Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability
Jun09

Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability

A functional proof of concept (PoC) exploit for a critical remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol has been released and is being used by malicious cyber actors to attack vulnerable systems, according to an alert issued by the DHS Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, referred to as SMBGhost, is due to the way the SMBv3 protocol handles certain requests. If exploited, a malicious cyber actor could remotely execute code on a vulnerable server or client by sending a specially crafted packet to a targeted SMBv3 server. An attack against a client would also be possible if an attacker configured a malicious SMBv3 server and convinced a user to connect to it. The vulnerability could be exploited to spread malware from one vulnerable system to another in a similar fashion to the SMBv1 vulnerability that was exploited in the 2017 WannaCry ransomware attacks. No user interaction is required to exploit the flaw on vulnerable SMBv3 servers. The flaw – tracked as CVE-2020-0796 – is present in Windows...

Read More
Voicemail Phishing Scam Identified Targeting Remote Healthcare Workers
Jun08

Voicemail Phishing Scam Identified Targeting Remote Healthcare Workers

The COVID-19 pandemic has forced many companies to change working practices and allow large numbers of employees to work remotely from home. In healthcare, employees have been allowed to work remotely and provide telehealth services to patients. While this move is important for virus control and to ensure patients still have access to the medical services they need, remote working introduces cybersecurity risks and cybercriminals are taking advantage. There has been a significant rise in cyberattacks targeting remote workers over the past three months. A variety of tactics are being used to trick remote workers into installing malware or divulging credentials, now a new method has been uncovered by cybersecurity firm IRONSCALES. In a recent report, IRONSCALES revealed threat actors are spoofing messages automatically generated by Private Branch Exchange (PBX) systems to steal credentials. PBX is a legacy phone system used by many enterprises to automate the handling of calls. One of the features of these systems is the ability to record voicemail messages and send recordings...

Read More
Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign
Jun05

Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials. Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home. Virtual private networks (VPNs) are used to support telehealth services and provide secure access the network and patient data. Several vulnerabilities have been identified in VPNs which are being exploited by threat actors to gain access to corporate networks to steal sensitive data and deploy malware and ransomware. It is therefore essential for VPN systems to be patched promptly and for VPN clients on employee laptops to be updated. Employees may therefore be used to updating their VPN. Researchers at Abnormal Security have identified a phishing campaign that impersonates a user’s organization and claims there is a problem with the VPN configuration that must be addressed to allow...

Read More
Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis
Jun03

Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis

Cybercriminals have changed their tactics, techniques, and procedures during the COVID-19 health crisis and have been targeting remote workers using COVID-19 themed lures in their phishing campaigns. There has also been a sharp increase in the number of phishing attacks targeting users of mobile devices such as smartphones and tablets, according to a recent report from mobile security company Lookout. Globally, mobile phishing attacks on corporate users increased by 37% from Q4, 2019 to the end of Q1, 2020 with an even bigger increase in North America, where mobile phishing attacks increased by 66.3%, according to data obtained from users of Lookout’s mobile security software. Phishers have also been targeting remote workers in specific industry sectors such as healthcare and the financial services. While the sharp increase in mobile phishing attacks has been attributed to the change in working practices due to the COVID-19 pandemic, there has been a steady rise in mobile phishing attacks over the past few quarters. Phishing attacks on mobile device users tend to have a higher...

Read More
Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA
Jun01

Russian Sandworm Group Targeting Exim Mail Servers, Warns NSA

A Russian hacking outfit called Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent, which is commonly used for Unix-based systems. The flaw, tracked as CVE-2019-10149, is a remote code execution vulnerability that was introduced in Exim version 4.87. An update was released on June 5, 2019 to correct the flaw, but many organizations have still not updated Exim and remain vulnerable to attack. The vulnerability can be exploited by sending a specially crafted email which allows commands to be executed with root privileges. After exploiting the flaw, an attacker can install programs, execute code of their choosing, modify data, create new accounts, and potentially gain access to stored messages. According to a recent National Security Agency (NSA) alert, Sandworm hackers have been exploiting the flaw by incorporating a malicious command in the MAIL FROM field of an SMTP message. Attacks have been performed on organizations using vulnerable Exim versions that have internet-facing mail transfer agents. After exploiting the vulnerability, a shell script is...

Read More
HHS’ OIG to Scrutinize HHS COVID-19 Response and Recovery Efforts
May28

HHS’ OIG to Scrutinize HHS COVID-19 Response and Recovery Efforts

The HHS’ Office of Inspector General (OIG) has published a strategic plan for oversight of the COVID-19 response and recovery efforts of the Department of Health and Human Services. OIG will assess how well the HHS has performed in its mission to ensure the health and safety of Americans, determine whether HHS systems and data have been adequately protected, evaluate the effectiveness of the HHS response, and assess whether the $251 billion in COVID-19 funding has been correctly distributed by the HHS. OIG has a mandate to oversee the activities of the HHS to promote the economy, efficiency, effectiveness, and integrity of HHS programs. OIG explained that “COVID-19 has created unprecedented challenges for the HHS and for the delivery of health care and human services to the American people.” Through audits, risk assessments, and data analytics, OIG will be assessing the HHS’s COVID-19 response and recovery efforts. The HHS has a responsibility to protect the health and safety of Americans during a public health emergency such as the COVID-19 pandemic and protect beneficiaries that...

Read More
NetWalker Ransomware Gang Targeting the Healthcare Industry
May27

NetWalker Ransomware Gang Targeting the Healthcare Industry

While some threat groups have stated that they will not attack healthcare organizations on the frontline in the fight against COVID-19, that is certainly not the case for the operators of NetWalker ransomware, who have been actively targeting the healthcare industry during the COVID-19 public health emergency . Recent research conducted by Advanced Intelligence LLC has revealed the operators of the ransomware have been conducting extensive attacks on healthcare industry targets and operations are now being significantly expanded. Most ransomware attacks conducted by Russian-speaking threat actors involve large-scale phishing campaigns rather that targeted attacks. NetWalker ransomware has been spread in this manner during the COVID-19 pandemic through spam emails claiming to provide information about SARS-CoV-2 and COVID-19 cases. The emails include a Visual Basic script file attachment named CORONAVIRUS_COVID-19.vbs, which downloads the ransomware from a remote server. While phishing emails are still being used, the group is now moving into large-scale network infiltration....

Read More
Senators Seek Answers from CISA and FBI About Threat to COVID-19 Research Data
May26

Senators Seek Answers from CISA and FBI About Threat to COVID-19 Research Data

Four Senators have written to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) in response to the recent alert warning COVID-19 research organizations that hackers with links to China are conducting attacks to gain access to COVID-19 vaccine and research data. On May 13, 2020, CISA and the FBI issued a joint alert warning organizations in the healthcare, pharmaceutical, and research sectors that they are prime targets for hackers. Hacking groups linked to the People’s Republic of China have been attempting to infiltrate the networks of U.S. companies to gain access to intellectual property, public health data, and information related to COVID-19 testing, potential vaccines, and treatment information. “China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19,” warned CISA and the FBI. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.” In the letter, Thom Tills (R-NC), Richard Blumenthal (D-CT), John Cornyn...

Read More
H-ISAC Publishes Framework for Managing Identity in Healthcare
May26

H-ISAC Publishes Framework for Managing Identity in Healthcare

The Health Information Sharing and Analysis Center (H-ISAC) has published a framework for CISOs to manage identity and defend their organization against identity-based cyberattacks. This is the second white paper to be published by H-ISAC covering the identity-centric approach to security. The first white paper explains why an identity-centric approach to cybersecurity is now needed, with the latest white paper detailing how that approach can be implemented. By adopting the framework, CISOs will be able to manage the full identity lifecycle of employees, patients, practitioners, and business partners in a way that guards against cyberattacks on identity, lowers risk, and increases operational efficiencies. The framework has been developed for CISOs at healthcare organizations of all sizes. As such, it does not offer a one-size-fits-all approach. Instead, components of the framework can be applied differently based on different environments and use cases. CISOs will need to assess the resources available and their unique risks and decide how best to apply the framework. The...

Read More
Web Application Attacks Double as Threat Actors Target Cloud Data
May21

Web Application Attacks Double as Threat Actors Target Cloud Data

The 2020 Verizon Data Breach Investigations Report shows malware attacks are falling as threat actors target data in the cloud.  This is the 13th year that the report has been produced, which this year contains an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 global contributors in 81 countries. The report confirms that the main motivator for conducting attacks is financial gain. 86% of all security breaches were financially motivated, up from 71% last year. 70% of breaches were due to external actors, with 55% of attacks conducted by cybercriminals. 67% of breaches were the result of credential theft or brute forcing of weak credentials (37%) and phishing and other social engineering attacks (25%). 22% of those breaches involved human error. Only 20% of breaches were due to the exploitation of vulnerabilities. It should be noted that it is much easier to conduct attacks using stolen credentials rather than exploiting vulnerabilities, so the relatively low number of vulnerability-related attacks may not be due to organizations patching...

Read More
Guidance on Managing the Cybersecurity Tactical Response in a Pandemic
May19

Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

Joint guidance has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic. Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector. The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin. The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity...

Read More
Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack
May15

Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack

Organizations that experience a ransomware attack may be tempted to pay the ransom to reduce downtime and save on recovery costs, but a survey commissioned by Sophos suggests organizations that pay the ransom actually end up spending much more than those that recover files from backups. The FBI does not recommend paying a ransom as giving attackers money enables them to conduct more attacks and could see a victim targeted further and there is no guarantee that valid keys will be supplied to decrypt data. The increased cost can now be added to the list of reasons not to pay. The survey was conducted by market research firm Vanson Bourne between January and February 2020 on approximately 5,000 IT decision makers at companies with between 100 and 5,000 employees across 26 countries including the United States, Canada, and the United Kingdom. 51% of the people surveyed said they had experienced a ransomware attack in the previous 12 months, 73% of whom said the attack resulted in the encryption of data. 26% of attacked organizations paid the ransom and 73% did not. 56% of firms said...

Read More
Chinese Hacking Groups are Targeting COVID-19 Research Organizations
May14

Chinese Hacking Groups are Targeting COVID-19 Research Organizations

Organizations involved in research into SARS-CoV-2 and COVID-19 have been warned that they are being targeted by hackers affiliated with the People’s Republic of China (PRC) and should take steps to protect their systems from attack. The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and the Federal Bureau of Investigation (FBI) have warned that organizations in the health care, pharmaceutical, and research sectors that are working on testing procedures, SARS-CoV-2 vaccines, and new treatments for COVID-19 are being targeted by hackers looking to gain access to research data to advance PRC’s research program. The Trump Administration has also warned that cyber espionage campaigns targeting COVID-19 research organizations are now being conducted by hackers linked to Iran. In the alert, CISA and the FBI warn that the theft of intellectual property in these attacks jeopardizes the delivery of secure, effective, and efficient treatment options. All organizations involved in COVID-19 research have been advised to apply the...

Read More
CISA and FBI Publish List of Top 10 Exploited Vulnerabilities
May14

CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data. The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia and North Korea with those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied the patches. Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their...

Read More
Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues
May12

Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom has reached an agreement with the New York Attorney General’s office and has made a commitment to implement better privacy and security controls for its teleconferencing platform. Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings with usership growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge. Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images. Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end...

Read More
Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers
May08

Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers

Business email compromise scammers operating out of Nigeria have been targeting government healthcare agencies, COVID-19 research organizations, and pandemic response organizations to obtain fraudulent wire transfer payments and spread malware. The attacks were detected by Palo Alto Networks’ Unit 42 team researchers and have been attributed to a cybercriminal organization called SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have conducted at least 2.1 million BEC attacks since the Unit 42 team started tracking their activity in 2014. In 2019, the group conducted an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were conducted. The gang has been observed exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting individuals in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to trick recipients into opening malicious email attachments that...

Read More
CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations
May07

CISA Issues Fresh Alert About Ongoing APT Group Attacks on Healthcare Organizations

Advanced Persistent Threat (APT) groups are continuing to target healthcare providers, pharmaceutical firms, research institutions, and others involved in the COVID-19 response, prompting a further joint alert from cybersecurity authorities in the United State and United Kingdom. The latest warning from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) follows on from an earlier joint alert issued on April 8, 2020 and provides further information on the tactics, techniques, and procedures being used by the APT groups to gain access to networks and sensitive data. In the latest alert, CISA/NCSC explained that APT groups are targeting organizations involved in COVID-19 research to obtain sensitive information on the COVID-19 response and research data to further the domestic research efforts in countries that fund the APT groups. APT groups often target healthcare organizations to obtain personal information of patients, intellectual property, and intelligence that aligns with national...

Read More
Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic
May01

Worldwide Spike in Brute Force RDP Attacks During COVID-19 Pandemic

COVID-19 has forced many organizations to rapidly scale up the numbers of employees working from home, which has created new opportunities for cybercriminals to conduct attacks. Cyberattacks on remote workers have increased substantially during the COVID-19 lockdown, with application-level protocols used by remote workers to connect to corporate systems now being extensively targeted. Remote Desktop Protocol (RDP) is a proprietary communications protocol developed by Microsoft to allow employees, IT workers, and others to remotely connect to corporate systems, services, and virtual desktops. The protocol has been used by many organizations to allow their employees to work from home on personal computers. RDP has also proven to be popular with cybercriminals. In line with the increase in remote workers accessing systems via RDP, cybercriminals have stepped up attacks. New data from Kaspersky show a major worldwide increase in brute force attacks on RDP. In order to connect via RDP, employees typically need to enter a username and password. Brute force attacks on RDP are conducted to...

Read More
NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources
May01

NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources

The National Security Agency has issued cybersecurity guidance for teleworkers to help improve security when working remotely. The guidance has been released primarily for U.S. government employees and military service members, but it is also relevant to healthcare industry workers providing telehealth services from their home computers and smartphones. There are many consumer and enterprise-grade communication solutions available and the cybersecurity protections offered by each can differ considerably. The guidance document outlines 9 important considerations when selecting a collaboration service. By assessing each service against the 9 criteria, remote workers will be able to choose the most appropriate solution to meet their needs. The NSA strongly recommends conducting high-level security assessments to determine how the security capabilities of each platform performs against certain security criteria. These assessments are useful for identifying risks associated with the features of each tool. The guidance document also provides information on using the collaboration...

Read More
Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks
Apr30

Advice for Healthcare Organizations on Preventing and Detecting Human-Operated Ransomware Attacks

Human-operated ransomware attacks on healthcare organizations and critical infrastructure have increased during the COVID-19 pandemic. Dozens of attacks have occurred on healthcare organizations in recent weeks, including Parkview Medical Center, ExecuPharm, and Brandywine Counselling and Community Services. Many ransomware attacks are automated and start with a phishing email. Once ransomware is downloaded, it typically runs its encryption routine within an hour. Human-operated ransomware attacks are different. Access is gained to systems several weeks or months before ransomware is deployed. During that time, the attackers obtain credentials, move laterally, and collect and exfiltrate data before encrypting files with ransomware. The attackers can lay dormant in systems for several months before choosing their moment to deploy the ransomware to maximize the disruption caused. The COVID-19 pandemic is the ideal time for deployment of ransomware on healthcare organizations and others involved in the response to COVID-19, as there is a higher probability that the ransom will be paid...

Read More
EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology
Apr30

EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology

The contact tracing technology being developed by Apple and Google to help track people who have come into close contact with individuals confirmed as having contracted COVID-19 could be invaluable in the fight against SARS-CoV-19; however, the Electronic Frontier Foundation (EFF) has warned that in its current form, the system could be abused by cybercriminals. Google and Apple are working together on the technology, which is expected to be fully rolled out next month. The system will allow app developers to build contact tracing apps to help identify individuals who may have been exposed to SARS-CoV-2. When a user downloads a contact tracing app, each time they come into contact with another person with the app installed on their phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged via Bluetooth Low Energy. How Does the Contact-Tracing System Work? RPIDs will be exchanged only if an individual moves within a predefined range – 6 feet – and stays in close contact for a set period of time. Range can be determined by strength of...

Read More
WHO Confirms Fivefold Increase in Cyberattacks on its Staff
Apr28

WHO Confirms Fivefold Increase in Cyberattacks on its Staff

The World Health Organization is one of the leading agencies combating COVID-19 and has proven to be an attractive target for hackers and hacktivists, who have stepped up attacks on the organization during the COVID-19 pandemic. Cyberattacks on WHO are at five times the level they were at this time last year. Last month, WHO confirmed hackers had tried to gain access to its network and those of its partners by spoofing an internal WHO email system and the attacks have kept on coming. Last week, SITE Intelligence Group discovered the credentials of thousands of individuals involved in the fight against COVID-19 had been dumped online on 4chan, Pastebin, Telegram, and Twitter. Around 25,000 email and password combos were leaked in total, including around 2,700 credentials for WHO staff members. WHO said the data had come from an old extranet system and most of the credentials were no longer valid, but 457 were current and still active. In response, WHO said it performed a password reset to ensure the credentials could no longer be used, internal security has been strengthened, a more...

Read More
Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance
Apr24

Senators Call for CISA and U.S. Cyber Command to Issue Healthcare-specific Cybersecurity Guidance

A bipartisan group of Senators has written to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command requesting healthcare-specific cybersecurity guidance on how to deal with coronavirus and COVID-19-related threats. Richard Blumenthal, (D-CT), Mark Warner (D-VA), Tom Cotton (R-AR), David Perdue (R-GA), and Edward J. Markey (D-MA) penned the letter in response to the escalating cyber espionage and cybercriminal activity targeting the healthcare, public health, and research sectors during the COVID-19 pandemic. The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group, APT41, targeting the healthcare sector. The hacking group is exploiting vulnerabilities in networking equipment, cloud software and IT management tools to gain access to healthcare networks – The same systems that are now being used by telecommuting workers for providing telehealth during the pandemic. Several other threat groups with links to China have also stepped up...

Read More
FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers
Apr22

FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers

The FBI has issued a fresh warning following an increase in COVID-19 phishing scams targeting healthcare providers. In the alert, the FBI explains that network perimeter cybersecurity tools used by US-based healthcare providers started detecting COVID-19 phishing campaigns from both domestic and international IP addresses on March 18, 2020 and those campaigns are continuing. These campaigns use malicious Microsoft Word documents, Visual Basic Scripts, 7-zip compressed files, JavaScript, and Microsoft Executables to gain a foothold in healthcare networks. While the full capabilities of the malicious code are not known, the FBI suggests that the purpose is to gain a foothold in the network to allow follow-on exploitation, persistence, and data exfiltration. In the alert, the FBI provides indicators of compromise for the ongoing phishing campaigns to allow network defenders to take action to block the threats and protect their environments against attack. Indicators of Compromise Email Sender Email Subject Attachment Filename Hash srmanager@combytellc.com PURCHASE ORDER PVT Doc35...

Read More
CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching
Apr20

CISA Warns of Continuing Attacks on Pulse Secure VPNs After Patching

The Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA) has issued a warning to all organizations using Pulse Secure VPN servers that patching vulnerabilities will not necessarily prevent cyberattacks. CISA is aware of attacks occurring even after patches have been applied to address known vulnerabilities. CISA issued an alert about a year ago warning organizations to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances due to a high risk of exploitation. Many companies were slow to apply the patch, and hackers took advantage. CVE-2019-1151 is an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances. The vulnerability was identified in the spring of 2019 and Pulse Secure released a patch to address the vulnerability in April 2019. Several advanced persistent threat groups are known to have exploited the vulnerability to steal data and install malware and ransomware. By exploiting the vulnerability and stealing credentials, the attackers were able to gain persistent access to networks even...

Read More
AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians
Apr17

AHA and AMA Release Joint Cybersecurity Guidance for Telecommuting Physicians

The American Medical Association (AMA) and the American Hospital Association (AHA) have issued joint cybersecurity guidance for physicians working from home due to the COVID-19 pandemic to help them secure their computers, mobile devices, and home networks and safely provide remote care to patients. Physicians are able to use their mobile devices to access patients’ medical records over the internet as if they were in the office, and medical teleconferencing solutions allow them to conduct virtual visits using video, audio, and text to diagnose and treat patients. However, working from home introduces risks that can jeopardize the privacy and security of patient data. The AMA/AHA guidance is intended to help physicians secure their home computers and home network to protect patient data and keep their work environment safe from cyber threats such as malware and ransomware, which could have a negative impact on patent safety and well-being. “For physicians helping patients from their homes and using personal computers and mobile devices, the AMA and AHA have moved quickly to provide...

Read More
Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment
Apr16

Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies. Healthcare industry buyers have been told to be on high alert following a rise in the number of scams related to the procurement of PPE and essential medical equipment such as ventilators, which are in short supply due to increased demand. The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake. There have also been several reported cases of business email compromise (BEC) scams related to PPE and medical equipment procurement. In these scams, brokers and vendors of goods and services are impersonated. The scammers use email addresses that are nearly identical to the legitimate broker or seller and request wire transfer payments for the goods and services. The...

Read More
Small-Sized and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware
Apr16

Small-Sized and Medium-Sized Healthcare Providers Most Likely to Be Attacked with Ransomware

Ransomware gangs are concentrating their attacks on smaller healthcare providers and clinics, according to a new report from RiskIQ. Healthcare providers with fewer than 500 employees are key targets for the gangs, with these organizations accounting for 70% of all successful healthcare ransomware attacks since 2016. RiskIQ’s analysis of 127 healthcare ransomware attacks revealed there has been a 35% increase in attacks between 2016 and 2019. Hospitals and healthcare centers accounted for 51% of ransomware attacks, 24% of attacks were on medical practices, with 17% on health and wellness centers. The cybersecurity defenses at smaller healthcare organizations are likely to be far less effective than those at larger healthcare systems. RiskIQ reports that 85% of small- and medium-sized hospitals do not have a qualified IT security person on staff, so there is a higher chance of gaps in security being left unaddressed. Ransom payments are more likely to be paid to avoid the costly downtime that is often caused by an attack. It can often take several weeks for an organization to fully...

Read More
Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services
Apr15

Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services

On April 2020 Patch Tuesday, Microsoft released updates to correct 113 vulnerabilities in its operating systems and software solutions, 19 of which have been rated critical. This month’s round of updates includes fixes for at least 3 zero-day vulnerabilities that are being actively exploited in real world attacks. Two of the actively exploited vulnerabilities were announced by Microsoft in March and Microsoft suggested workarounds to limit the potential for exploitation. The flaws – CVE-2020-0938 and CVE-2020-1020 – both affect the Adobe Font Manager Library and can lead to remote code execution on all supported Windows versions. The flaws are partially mitigated in Windows 10 and could only result in code execution in an AppContainer sandbox with limited privileges and capabilities. The flaws could be exploited if a user is convinced to open a specially crafted document or if it is viewed in the Windows Preview pane. The third actively exploited zero-day is a Windows Kernel vulnerability that was discovered by Google’s Project Zero team. The flaw, tracked as...

Read More
More Than 82% of Public-Facing Exchange Servers Still Vulnerable to Actively Exploited Critical Flaw
Apr09

More Than 82% of Public-Facing Exchange Servers Still Vulnerable to Actively Exploited Critical Flaw

On February Patch Tuesday, 2020, Microsoft released a patch for a critical vulnerability affecting Microsoft Exchange Servers which could potently be exploited by threat actors to take full control of a vulnerable system. Despite Microsoft warning that the flaw would be attractive to hackers, patching has been slow. An analysis conducted by cybersecurity firm Rapid7 revealed more than 82% of public-facing Exchange servers remained vulnerable and had not been patched. The firm’s scan identified 433,464 public-facing Exchange servers, and at least 357,629 were vulnerable to an attack exploiting the CVE-2020-0688 vulnerability. Exchange administrators may not have prioritized the patch as the vulnerability is a post-authorization flaw; however, attacks could take place using any stolen email credentials or by using brute force tactics to guess weak passwords. Several proof-of-concept exploits for the flaw have been published on GitHub, and there have been reports of nation state Advanced Persistent Threat groups attempting to exploit the flaw using brute force tactics to obtain...

Read More