
Ransomware's Alarming Surge and Active Adversaries


Ransomware attacks have increased dramatically recently, worrying the cybersecurity community and heralding a new era of cyber threats. The sophisticated tactics used by hostile actors, as described in numerous reports, highlight the need for increased attention and proactive defence.

According to reports, ransomware attacks have increased to previously unheard-of levels, and threat actors are continually modifying their strategies to find weak points. Targets increasingly include crucial infrastructure, the healthcare industry, and even political entities, going beyond traditional industries. Additionally, the demands of the attackers have grown exponentially, with multi-million dollar ransoms becoming distressingly regular.

The Sophos research on an active adversary targeting IT executives provides a window into the daring methods used by cybercriminals. This adversary's ability to manipulate supply chains and sneak inside businesses demonstrates the intricacy of contemporary cyber threats. These threats are now part of a larger, well-planned campaign rather than separate incidents.

The cyber threat intelligence reports by NCC Group offer valuable insights into the changing strategies used by ransomware operators. These reports emphasize the evolving nature of cyber threats and the need for enterprises to stay on top of the situation. Their detailed studies of threat vectors, malware families, and mitigation techniques help organizations strengthen their defenses efficiently.

The effects of a successful ransomware assault go beyond monetary losses because of how linked the digital world is becoming. The loss of vital services, the compromising of private information, and the deterioration of public confidence are just a few of the serious repercussions. Organizations need to take a multifaceted strategy for cybersecurity to combat this.

Organizations must first make significant investments in solid security measures, such as frequent software updates, vulnerability assessments, and personnel training. Proactive monitoring and threat detection systems are essential given the constantly changing strategies used by attackers. Additionally, keeping offline backups means an organization need not give in to ransom demands and can still recover its data even during an attack.

Collaboration within the cybersecurity community is equally vital. Sharing threat intelligence and best practices helps fortify collective defenses and pre-empt emerging threats. Government bodies, private enterprises, and security researchers must collaborate to create a united front against cyber threats.

Here's How Microsoft Fought Against Ireland's HSE Attackers


After luring a worker with a phishing email and a malware-laced spreadsheet, the hackers used the victim's infected computer to get into Ireland's public health system and tunnel across the network for weeks. Infecting thousands more systems and servers, they prowled from hospital to hospital, explored folders, and opened personal files.

By the time they demanded a ransom, they had already taken over more than 80% of the IT infrastructure, knocked out the organisation's 100,000+ employees, and put the lives of thousands of patients in danger.

The attackers employed a "cracked," or exploited and unauthorised, legacy version of a powerful tool to launch the 2021 attack on Ireland's Health Service Executive (HSE). The tool, which is used by credible security professionals to simulate cyberattacks in defence testing, has also become a favourite tool of criminals who steal and manipulate previous versions to launch ransomware attacks around the world. In the previous two years, hackers have attempted to infect over 1.5 million devices using cracked copies of the tool Cobalt Strike. 

However, Microsoft and the tool's owner, Fortra, now have a court order authorising them to seize and block infrastructure associated with cracked versions of the software. The order also permits Microsoft to interrupt infrastructure linked with the misuse of its software code, which thieves have utilised in some of the attacks to disable antivirus systems. Since the order was carried out in April, the number of compromised IP addresses has decreased dramatically. 

"The message we want to send in cases like these is: 'If you think you're going to get away with weaponizing our products, you're going to get a rude awakening,'" states Richard Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit (DCU) and head of the unit's Malware Analysis & Disruption team. 

The effort to take down cracked Cobalt Strike began in 2021, when DCU — a diverse, multinational organisation of cybercrime fighters — aimed to make a deeper dent in the rising number of ransomware attacks. Previous operations had separately targeted particular botnets such as Trickbot and Necurs, but ransomware investigator Jason Lyons advocated a large operation targeting multiple malware groups and focusing on what they all had in common: the usage of cracked, old Cobalt Strike. 

"We kept seeing cracked Cobalt Strike as the tool in the middle being leveraged in ransomware attacks," Lyons explained, basing his evaluations on internal information about Windows-based attacks. 

Lyons, a former US Army counterintelligence special agent, had spent many nights and weekends responding to ransomware attacks and breaches. The opportunity to pursue multiple crooks at once allowed him to "bring a little pain to the bad guys and interrupt their nights and weekends, too," he adds.

But before it could start inflicting pain, Microsoft needed to clean up its own house and get rid of cracked Cobalt Strike in Azure. Rodel Finones, a reverse engineer who deconstructs and analyses malware, jumped to work right away. He had transferred from the Microsoft Defender Antivirus team to DCU a few years earlier in order to play a more proactive role in combating criminality.

Finones designed a crawler that connected to every active, publicly accessible Cobalt Strike command-and-control server on Azure — and, ultimately, the internet. The servers communicate with infected devices, enabling operators to spy on networks, move laterally, and encrypt information. He also began looking into how ransomware criminals used Microsoft's technologies in their operations. 

Crawling, though, was insufficient. The investigators had a difficult time distinguishing between legitimate security uses of Cobalt Strike and unlawful use by threat actors. Fortra assigns a unique licence number, or watermark, to each Cobalt Strike kit sold, which serves as a forensic clue in cracked copies. However, the corporation was not involved in the first operation, and DCU investigators worked alone to create an internal catalogue of watermarks associated with customer attacks while cleaning up Azure. 

Meanwhile, Fortra, which purchased Cobalt Strike in 2020, was addressing the issue of criminals exploiting cracked copies. When Microsoft proposed a joint venture, the corporation needed time to ensure that working with Microsoft was the appropriate decision, according to Bob Erdman, assistant vice president for business development. 

In early 2023, Fortra joined the action and released a list of over 200 "illegitimate" watermarks linked to 3,500 unauthorised Cobalt Strike servers. The company had been doing its own investigations and implementing new security procedures, but teaming with Microsoft allowed access to scale, extra knowledge, and an additional method of protecting its tool and the internet. Fortra and Microsoft examined around 50,000 distinct copies of cracked Cobalt Strike during the inquiry. 

Microsoft benefited from the collaboration as well, with Fortra's knowledge and watermark list significantly expanding the operation's reach. It aided the firms' case, which linked malicious infrastructure to 16 unnamed defendants, each representing a distinct threat group.

Lawyers argued that the groups – ransomware authors, extortionists, victim lurers, and cracked Cobalt Strike sellers — collaborated in a thriving, profitable ransomware-as-a-service operation aimed at maximising profit and harm. They also linked cracked Cobalt Strike to eight ransomware families, including LockBit, known for fast encryption and denial-of-service attacks, and Conti, the malware suspected in the disastrous 2022 attacks on the Costa Rican government.

US Healthcare Department Issues Warning Regarding Venus Ransomware


Healthcare organizations across the United States have been warned by the Department of Health and Human Services (HHS) regarding Venus ransomware assaults following a recent breach against a healthcare provider. 

Despite the attack, no data leak site for the Venus ransomware actors has been identified, according to a report published by the Health Sector Cybersecurity Coordination Center (HC3). 

"HC3 is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The operators of Venus ransomware are not believed to operate as a ransomware-as-a-service (RaaS) model and no associated data leak site (DLS) exists at this time," said the report. 

Since it emerged in mid-August 2022, the ransomware has spread through the networks of numerous corporate victims around the globe.

The ransomware terminates 39 processes linked with database servers and Microsoft Office apps. It targets publicly exposed Remote Desktop Services to gain initial access to the target endpoints. In addition, the ransomware deletes event logs and Volume Shadow Copies and disables Data Execution Prevention on compromised endpoints.
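The behaviours listed above (shadow copy deletion, event log clearing, DEP being switched off) are noisy enough to detect from endpoint telemetry. The script below is an added example written for this post, not code from HC3 or from any vendor; it runs a small correlation rule over constructed sample log lines in an assumed "timestamp|host|event_id|detail" format and raises one alert per host when two or more distinct recovery-inhibiting indicators appear within a ten-minute window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample telemetry in a simplified "timestamp|host|event_id|detail"
# format (an assumption for this example, not real Windows Event Log output).
# Event 4688 = process creation, 1102 = Security audit log cleared,
# 104 = System log cleared.
SAMPLE_LOGS = """\
2022-11-10T02:14:05|WS-042|4688|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2022-11-10T02:14:09|WS-042|4688|C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete
2022-11-10T02:14:20|WS-042|4688|C:\\Windows\\System32\\bcdedit.exe /set {current} nx AlwaysOff
2022-11-10T02:15:02|WS-042|1102|The audit log was cleared.
2022-11-10T02:15:03|WS-042|104|The System log file was cleared.
2022-11-10T09:30:00|SRV-01|4688|C:\\Windows\\System32\\vssadmin.exe list shadows
2022-11-10T09:31:00|SRV-01|4688|C:\\Program Files\\Backup\\agent.exe --snapshot
"""


@dataclass
class LogEvent:
    ts: datetime
    host: str
    event_id: int
    detail: str


# Command-line indicators for the behaviours the HC3 report attributes to Venus
# (ATT&CK T1490 Inhibit System Recovery, plus DEP being disabled via bcdedit).
COMMAND_INDICATORS = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("dep_disabled", re.compile(r"bcdedit(\.exe)?\b.*\bnx\s+AlwaysOff", re.I)),
]
# Event IDs written when a Windows event log is cleared (ATT&CK T1070.001).
LOG_CLEAR_EVENT_IDS = {1102, 104}


def parse_line(line):
    """Split one constructed log line into a LogEvent."""
    ts, host, event_id, detail = line.split("|", 3)
    return LogEvent(datetime.fromisoformat(ts), host, int(event_id), detail)


def classify(event):
    """Return the indicator name for a suspicious event, or None for benign ones."""
    if event.event_id in LOG_CLEAR_EVENT_IDS:
        return "log_cleared"
    if event.event_id == 4688:  # process creation: inspect the command line
        for name, pattern in COMMAND_INDICATORS:
            if pattern.search(event.detail):
                return name
    return None


def _alert_for(host, cluster):
    """Build an alert when a cluster of events shows two or more indicator types."""
    kinds = sorted({kind for _, kind in cluster})
    if len(kinds) < 2:
        return None
    return {
        "host": host,
        "indicators": kinds,
        "start": cluster[0][0].ts.isoformat(),
        "end": cluster[-1][0].ts.isoformat(),
        "events": len(cluster),
    }


def correlate(events, window=timedelta(minutes=10)):
    """Group suspicious events per host into clusters separated by at most `window`."""
    alerts = []
    events = sorted(events, key=lambda e: (e.host, e.ts))
    for host, group in groupby(events, key=lambda e: e.host):
        cluster = []
        for ev in group:
            kind = classify(ev)
            if kind is None:
                continue
            if cluster and ev.ts - cluster[-1][0].ts > window:
                alert = _alert_for(host, cluster)
                if alert:
                    alerts.append(alert)
                cluster = []
            cluster.append((ev, kind))
        alert = _alert_for(host, cluster)
        if alert:
            alerts.append(alert)
    return alerts


def detect(text):
    """Parse raw log text and return the list of correlated alerts."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return correlate(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Requiring two distinct indicator types keeps a lone `vssadmin list shadows` from a backup job out of the alert queue, while the ten-minute window still catches the compact burst of deletions and log clearing that precedes encryption. In production the same rule would read Sysmon or Security-log process-creation events rather than the constructed pipe-delimited lines used here.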

Lucrative Target 

Since the outbreak of Covid-19, the healthcare industry has been a lucrative target for malicious hackers. Hospitals operate multiple computers, printers, and internet-linked smart devices, generating thousands of sensitive files. These devices are sometimes outdated and improperly secured, making them a perfect candidate for an initial entry endpoint.

Moreover, with the Covid-19 pandemic filling up every last space in hospitals, overworked healthcare workers are an easy target to prey on with phishing and social engineering attacks. 

Last month, government officials in the United States warned regarding multiple ransomware attacks targeting healthcare facilities nationwide. Warnings showed that the attackers are employing ransomware variants such as Maui and Zeppelin against healthcare and public health (HPH) institutions. 

And in February, in a data breach report, debt management firm Professional Finance Corporation, Inc (PFC) revealed that 657 healthcare organizations were impacted by a Quantum ransomware attack. 

To mitigate risks, security experts recommended healthcare organizations implement an email security solution, consider adding a banner to emails from external sources, disable hyperlinks in emails, and provide regular security awareness training to the employees.
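Two of those recommendations, an external-sender banner and disabled hyperlinks, can be applied at the mail gateway. The following is an added example written for this post, not code from HC3 or any product; it assumes a placeholder internal domain (`hospital.example`), parses a constructed message with Python's standard `email` package, and, for external senders only, prepends a banner to every text part, rewrites URLs so they are no longer clickable, and tags the message with an `X-External-Sender` header that downstream rules can key on.

```python
import email
import email.utils
import re
from email import policy

# Assumed internal domain for this example (placeholder, not a real organization).
INTERNAL_DOMAINS = {"hospital.example"}
BANNER = ("[EXTERNAL EMAIL] This message came from outside the organization. "
          "Do not click links or open attachments unless you recognize the sender.")

URL_RE = re.compile(r"""\bhttps?://[^\s<>"']+""", re.I)
ANCHOR_RE = re.compile(r"""<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>(.*?)</a>""",
                       re.I | re.S)

# Constructed sample message from an outside domain containing a link.
SAMPLE_RAW = """\
From: "Billing Dept" <billing@invoice-portal.example>
To: nurse@hospital.example
Subject: Overdue invoice
Content-Type: text/plain; charset="utf-8"

Please review the invoice at https://invoice-portal.example/invoice.pdf before Friday.
"""


def sender_domain(msg):
    """Lower-cased domain of the From address."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def is_external(msg, internal=INTERNAL_DOMAINS):
    return sender_domain(msg) not in internal


def defang(url):
    """Make a URL non-clickable: http -> hxxp and dots in the host -> [.]"""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.lower().replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def neutralize_text(body):
    """Defang every URL in a plain-text body."""
    return URL_RE.sub(lambda m: defang(m.group(0)), body)


def neutralize_html(body):
    """Replace each anchor with its visible text plus a defanged target, then
    defang any remaining bare URLs (for example in img src attributes)."""
    body = ANCHOR_RE.sub(lambda m: f"{m.group(2)} [link disabled: {defang(m.group(1))}]", body)
    return URL_RE.sub(lambda m: defang(m.group(0)), body)


def harden_message(raw, internal=INTERNAL_DOMAINS):
    """Parse a raw RFC 5322 message; if the sender is external, prepend the banner
    to every text part, disable hyperlinks, and tag the message with a header."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_external(msg, internal):
        return msg
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # leave attachments and multipart containers alone
        body = part.get_content()
        if ctype == "text/plain":
            body = BANNER + "\n\n" + neutralize_text(body)
        else:
            body = f"<p><b>{BANNER}</b></p>\n" + neutralize_html(body)
        part.set_content(body, subtype=ctype.split("/", 1)[1])
    msg["X-External-Sender"] = "yes"
    return msg


if __name__ == "__main__":
    print(harden_message(SAMPLE_RAW))
```

The banner is added only when the From domain is not on the internal list, so internal mail is untouched; the defanging keeps the destination visible for the reader and for investigators while removing the one-click path that phishing relies on. A real deployment would also check authentication results (SPF/DKIM/DMARC) rather than trusting the From header alone.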

Cyberattacks Against US Hospitals are Growing Rapidly

Ransomware has emerged as one of the most challenging issues in cybersecurity and a threat to industries worldwide. With ransomware, hackers extort businesses and organizations by breaking into and frequently holding computers and files hostage. However, it can have a particularly negative impact on patient care when it affects hospital networks and cascades across the nation. 

According to The Des Moines Register, ransomware hackers targeted MercyOne in the first few days of October as part of a more significant attack that resulted in hospital-wide outages at many other health systems. It was unclear how many of the 140 hospitals under the management of CommonSpirit Health, a nonprofit healthcare organization with headquarters in Chicago, were impacted, and the organization declined to disclose the number.

After her 3-year-old son had his tonsils removed, Kelley Parsi brought him to a hospital in Des Moines, Iowa, where she anticipated that the staff would treat his pain and dehydration and then send him home. Instead, she said, the visit turned into one of the most terrifying days of her life.

The resident doctor told her that he had accidentally given her son five times the prescribed dose because the computer system that automatically calculates medication doses was not working. She later found out that part of the hospital's digital equipment had been disabled by a cyberattack. She waited several hours in fear while her son's body processed the overdose.

In addition, CommonSpirit, which operates more than 140 hospitals in the United States, opted not to disclose the number of its locations experiencing delays. However, a number of hospitals have reported being impacted, including Virginia Mason Franciscan Health in Seattle, certain St. Luke's hospitals in Texas, and CHI Memorial Hospital in Tennessee.

According to Brett Callow, an expert at the cybersecurity company Emsisoft, ransomware has been used to hack into 19 major hospital chains in the United States this year.

Due to patient confidentiality, MercyOne, Parsi's hospital, declined to comment on her condition. "It was dedicated to delivering safe, high-quality treatment for all patients we serve in their time of need," a representative said in a statement.

The U.S. government lists health care as one of 16 important infrastructure sectors. Hackers view healthcare organizations as prime targets.

However, a significant assessment by the government Cybersecurity and Infrastructure Security Agency and a poll of healthcare IT experts concluded that a ransomware attack on a hospital puts more strain on its capabilities generally and raises death rates there.

Data Breach at Ciox Health Exposed Information on Over 12,000 Patients


Thousands of people's protected health information (PHI) may have been compromised in a hacking attack on a Georgia-based healthcare information management organization. Clinical or treatment information, as well as Social Security numbers, were among the sensitive data compromised in Ciox Health's cyber-attack last summer. Ciox Health is headquartered in Alpharetta, Georgia, and offers a variety of services in release of information (ROI), record retrieval, and health information management. Ciox serves three out of every five hospitals and over 16,000 physician practices.

According to a recent Ciox Health notification, an unauthorized person accessed a Ciox employee's email account between June 24 and July 2, 2021. The threat actor may have utilized that access to download emails and attachments related to the compromised account, according to the firm. 

“Ciox reviewed the account’s contents to determine whether sensitive information was contained in the account,” said the notice. “On September 24 2021, Ciox learned that some emails and attachments in the employee’s email account contained limited patient information related to Ciox billing inquiries and/or other customer service requests.” 

According to the company, no fraud or theft has been detected as a result of the incident. "We believe that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information," Ciox Health said in a statement. "Protecting the privacy and security of the information Ciox maintains is critically important to us, and we are continuing to take steps to further strengthen our email security." 

Ciox investigated the case in early November and began alerting patients later that month. The account information was related to billing inquiries and customer service requests, and it could have included patient names, provider names, dates of birth, dates of service, health insurance information, clinical information, or social security or driver's license numbers. 

On December 30, the data breach was reported to the US Department of Health and Human Services' Office for Civil Rights as a hacking/IT issue affecting 12,493 people. The security notice was issued on behalf of 32 different healthcare providers, including Children's Healthcare of Atlanta, Indiana University Health, Niagara Falls Memorial Medical Center Health System, and Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System, and was published on Ciox Health's website.

Fertility Centers of Illinois Hit by Cyberattack Impacting Nearly 80,000 Patients


Chicago-based Fertility Centers of Illinois (FCI) has suffered a data breach impacting 79,943 current and former patients. According to a breach notification by FCI, the incident did not compromise its electronic medical records system; however, an unauthorized third party gained access to some patients' protected health information (PHI) and to private files belonging to FCI employees.

FCI detected the breach on its internal systems on Feb 01, 2021, and took instant action to secure its systems. Independent forensic specialists were then hired to determine the nature and scope of the security breach. Fertility Centers of Illinois reported the data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR), affecting nearly 80,000 current and former patients. 

Although the exact modus operandi of the attack remains unknown, the compromised files contained a range of patient data, including names in combination with one or more of the following types of details:

Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs, or account login information.

Staff data most likely compromised in the cyber-attack included names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence, and sickness certificates. 

To mitigate further risks, FCI has enhanced its cybersecurity, including deploying enterprise identity verification software and providing extra training to its employees on cybersecurity practices.

"Additional security measures have been taken since the incident to further secure access to data, individual accounts, and equipment, including the implementation of enterprise identity verification software," FCI says. The organization is also offering affected individuals complimentary credit monitoring and identity theft protection services for 12 months through Equifax.

In recent years, the healthcare industry has been the sweet spot for threat actors as the benefits are huge. Last week, Florida’s Broward Health System confirmed the data breach of 1,357,879 patients. In November 2021, a fertility clinic in the United Kingdom also became the victim of attackers when ransomware was employed to target a medical record scanning firm used by Lister Fertility Clinic.

More Than 1.3 Million People Affected by Broward Health Data Breach


South Florida-based Broward Health public health system has revealed a large-scale data breach incident impacting more than 1.3 million patients and staff members. 

The leaked data included names, addresses, contact numbers, Social Security numbers, bank details, insurance data, medical history (condition, diagnosis, treatment, and medical record number), and driver's license numbers of patients and staff members.

Broward Health, which operates over thirty locations, provides a wide range of medical services and receives over 60,000 admissions per year. The security breach was announced on January 1, 2022, when the health system revealed that unauthorized access through a third-party medical provider had resulted in patient and employee data being compromised.

On October 15, 2021, threat actors accessed the health system's network through a third-party medical provider. The organization discovered the intrusion four days later, on October 19, and immediately reported it to the FBI and the US Department of Justice. The DOJ asked Broward Health officials to hold off on sending breach notification letters so as not to affect the ongoing law enforcement investigation.

Broward Health acknowledges the data breach but denies reports of threat actors misusing the data. Notably, the intrusion point was determined to be a third-party medical provider that had been granted access to the system to provide its services.

"In response to this incident, Broward Health is taking steps to prevent recurrence of similar incidents, which include the ongoing investigation, a password reset with enhanced security measures across the enterprise, and the implementation of multifactor authentication for all users of its systems. We have also begun implementation of additional minimum-security requirements for devices that are not managed by Broward Health Information Technology that access our network, which will become effective in January 2022," explains the data breach notification.

To mitigate further risks, all employees were recommended to reset their passwords, and Broward Health contracted a third-party cybersecurity expert to help with the investigations. The organization has also executed multi-factor authentication on all systems, and has started implementing “minimum-security requirements for devices that are not managed by Broward Health Information Technology that access our network, which will become effective in January 2022.”

Due to the critical nature of the leaked data, recipients of the notices need to remain vigilant against all forms of communication. Additionally, the hospital is offering a two-year membership of identity theft protection services via Experian, with details on how to enroll enclosed in the letter.

UMass Memorial Health Suffers Data Breach, 209,000 Users Affected


UMass Memorial Health, a health care network based in Massachusetts, reported a phishing incident that may have exposed the personal information of hundreds of thousands of people. Unauthorised access to a limited number of employee email accounts lasted around seven months, from June 2020 to January 2021, before the attack was identified, UMass Memorial said in a statement on its official website. UMass Memorial Health, which consists of a medical center, three other healthcare institutions, and a medical group, reported the email incident to the Department of Health and Human Services as affecting around 209,000 individuals.

According to UMass Memorial Health, it confirmed the breach on 7 January, when some employees' email accounts were found to have been accessed by an unauthorised user. The information was posted on the HIPAA Breach Reporting Tool website, which belongs to HHS' Office for Civil Rights. Generally known as the "wall of shame," the website lists health data breaches affecting 500 or more individuals. The healthcare institute finished identifying the affected users whose information might have been leaked on 25 August.

For patients affected by the breach, the leaked data includes names, ID numbers, subscriber information, and beneficiary election information. For a few individuals, driver's license numbers and Social Security numbers were also in the breach. For health plan participants, the leaked data includes names, dates of birth, health insurance information, medical record numbers, and treatment information such as dates of service, diagnoses, prescription information, procedure information, and provider names. According to UMass, it has no evidence that any information was actually viewed or accessed, only that it was contained within an email account that was compromised.

UMass also says there is no proof of data misuse; however, the affected individuals will be offered one year of complimentary credit and identity monitoring. "UMass Memorial Health says that to prevent similar incidents in the future, it has reinforced education with its staff regarding how to identify and avoid suspicious emails and the organization is also making additional security enhancements to its email environment, including enabling multifactor authentication," reports Gov Info Security.

Beaumont Health: The Latest Victim of Accellion Breach


Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Application (FTA), compromising the data of millions of patients. 

Approximately 1500 patients have been alerted by Beaumont Health that their personal information may have been compromised as a result of the December cyberattack on Accellion software. Beaumont had hired Goodwin Procter LLP to provide legal services, and the firm used Accellion's File Transfer software to make large transfers on behalf of its clients.

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” Beaumont Health said in a statement issued on August 27.

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of breaches escalates, Accellion is experiencing over a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to companies about the Accellion hack. 

Clop ransomware took responsibility for the assault and abused four previously unknown vulnerabilities. Some of the ransomware group's most recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan. 

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

During a major extortion attempt, the Clop ransomware published stolen data online, and some of the affected companies got emails from the intruders attempting to intensify extortion attempts. The number of victims continues to rise months after the initial attack.