HC3 Warns Against Scattered Spider Threat Group

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about a financially motivated threat group called Scattered Spider. Most cybercriminal groups are Russian-speaking and based in Russia or the Commonwealth of Independent States, but Scattered Spider members are native English speakers and are thought to live mostly in the U.S. or the U.K. Authorities in those countries have arrested four group members, but the group is still operating. Intelligence collected about the group indicates that its members are mostly 19 to 22 years old.

Scattered Spider does not develop its own malware payloads or attack tools; it uses publicly available tools and malware created by other cybercriminals. For example, the group has used remote monitoring and management tools such as ConnectWise Control, AnyDesk, ASG Remote Desktop, Splashtop, and ScreenConnect. It has also used LaZagne and Mimikatz for credential theft and ngrok to tunnel traffic to remote web servers.

In the past, the group has used several malware variants in its operations, including Atomic, VIDAR Stealer, Raccoon Stealer, and Meduza Stealer, along with the EIGHTBAIT and Oktapus phishing kits and the BlackCat and RansomHub ransomware variants. It has also collaborated with the Qilin threat group.

The group commonly uses information stealers to obtain credentials for initial access, then relies on living-off-the-land techniques to evade security software as it moves laterally across the network, disabling security tools and stealing sensitive data such as PHI. Attacks frequently end with ransomware deployment.

Scattered Spider members are also known for advanced social engineering, including smishing, spear phishing, and voice phishing. One campaign linked to the group used voice-based spear phishing, targeting IT help desk staff over the telephone. The threat actors posed as employees, sometimes using artificial intelligence to imitate voices, with the goal of tricking the help desk into resetting passwords and enrolling an attacker-controlled device to receive multifactor authentication codes. The help desk was supplied with the impersonated individual’s personal data, including usernames and staff IDs obtained in earlier phases of the attack. HC3 has previously issued a warning about this campaign because healthcare organizations were among the group’s victims.

Scattered Spider has been active since around 2022 and initially targeted customer relationship management (CRM), telecommunications, and technology firms and business process outsourcing (BPO) providers, but it has since moved to a wider range of industries. Although the healthcare sector has not been heavily targeted, the group has attacked a few healthcare organizations. HC3 has provided a Scattered Spider threat actor profile with indicators of compromise and recommended steps to strengthen defenses.

Hospital IT Helpdesks Targeted in Social Engineering Campaign

The Health Sector Cybersecurity Coordination Center (HC3) and the American Hospital Association (AHA) have issued warnings about a social engineering campaign targeting IT help desks at American hospitals. According to the AHA, the campaign uses the stolen credentials of revenue cycle staff or personnel in other sensitive financial positions. The attacker calls the IT help desk and uses stolen personally identifiable information (PII) to answer the security questions posed by help desk staff. Once through the questions, the attacker requests a password reset and the enrollment of a new device, usually with a local area code, to receive multi-factor authentication (MFA) codes.

Once the new device is registered, the attacker signs into the user’s account and passes MFA verification because the MFA code is delivered to the newly enrolled device. The AHA states that these attacks can also get around phishing-resistant MFA. The primary objective of the campaign appears to be diverting legitimate payments: once access to an employee’s email account is obtained, payment information is changed, particularly at payment processors, resulting in fraudulent transactions to U.S. bank accounts. The access could also be used to install malware on the system.

HC3 is aware of this social engineering campaign and stated that callers tell IT help desks that the user’s phone is broken and cannot receive MFA codes. To pass the security check, the caller provides the last four digits of the targeted employee’s corporate ID number, Social Security number (SSN), and demographic information. HC3 suggests the data is probably obtained from publicly accessible sources such as professional networking websites and/or previous data breaches. The tactics used in the campaign mirror those of a threat group called Scattered Spider (UNC3944), which claimed responsibility for a similar campaign against the hospitality and entertainment industry that ended with BlackCat ransomware being used to encrypt files. No ransomware is believed to have been used in the campaigns against the healthcare industry, and it is not yet clear which threat group is responsible.

The AHA first became aware of the attacks in January 2024 and issued an alert to hospitals; the alert has been reissued because of an increase in cases. The risk posed by this sophisticated tactic can be mitigated with stringent IT help desk security practices. At a minimum, a call back to the phone number on file should be required for any employee requesting a password reset or new device registration, according to John Riggi, the AHA’s national advisor for cybersecurity and risk. Organizations may also want to call the requesting employee’s supervisor. Additionally, a video call can be initiated with the requesting employee and a screenshot taken while the employee shows a genuine government ID. One large health system updated its policies and procedures after a successful attack and now requires staff to visit the IT help desk in person before a password reset or new device registration.

The HC3 advisory and recommended mitigations are available in this article.

Ransomware Groups Attack the Citrix Bleed Vulnerability and Critical ownCloud Vulnerabilities

Ransomware groups are exploiting a critical vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) appliances, known as Citrix Bleed.

On October 10, 2023, Citrix published a security advisory and released a patch for the vulnerability, which can be exploited to bypass password protection and multifactor authentication. The vulnerability, CVE-2023-4966, is a buffer overflow with a CVSS severity score of 9.4 out of 10. Ransomware groups have been exploiting it in the wild since August 2023. Threat actors can exploit the vulnerability to hijack legitimate user sessions; once initial access is obtained, they can escalate privileges, harvest credentials, move laterally, and access sensitive data and assets.

The vulnerability affects the following versions of Gateway and NetScaler ADC:

  • NetScaler ADC 12.1-FIPS 12.1-55.300 and succeeding versions of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and succeeding versions of 12.1-NDcPP
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and succeeding versions of 13.1-FIPS
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and succeeding versions of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and succeeding versions of 13.0
  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and succeeding versions

NetScaler ADC and NetScaler Gateway version 12.1 have reached end of life (EOL). Customers still running these versions must upgrade their appliances to a supported version.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on October 18, 2023, and released a security advisory about it on November 21, 2023, because the vulnerability was being extensively exploited by ransomware groups such as LockBit 3.0.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) published a security advisory for the healthcare and public health (HPH) sector about the vulnerability, followed by an additional advisory on November 30, 2023, urging healthcare organizations to patch immediately to protect against exploitation. Applying the patch prevents further exploitation; however, if the vulnerability had already been exploited, hijacked sessions remain live, so customers must take action to clear all active sessions.

To terminate active and persistent sessions after applying the patch, administrators should run the following commands:

  • kill icaconnection -all
  • kill aaa session -all
  • kill pcoipConnection -all
  • kill rdp connection -all
  • clear lb persistent sessions

Customers should also investigate whether the vulnerability has been exploited. NetScaler has published guidance for such assessments, and CISA has published Indicators of Compromise associated with LockBit 3.0 along with the group’s tactics, techniques, and procedures (TTPs) and mitigation advice for protecting against ransomware attacks.

The American Hospital Association has also issued a security advisory urging hospitals to take the required action immediately to prevent exploitation of the Citrix Bleed vulnerability, given that ransomware groups are heavily targeting hospitals. According to John Riggi, the AHA’s national advisor for cybersecurity and risk, this important HC3 advisory highlights the urgency of the Citrix Bleed vulnerability and the need to apply the current Citrix patches and upgrades quickly to protect systems. It also demonstrates the aggressiveness of foreign ransomware groups, primarily Russian-speaking ones, in relentlessly attacking hospitals and health systems. Ransomware attacks disrupt and delay the delivery of health care, putting patient lives at risk. Healthcare organizations must stay alert and reinforce their cyber defenses, since it is clear that cybercriminals will continue to target the sector, especially throughout the holiday season.

Alert Concerning Critical ownCloud Vulnerabilities

Three critical vulnerabilities have been discovered in the ownCloud platform, one of which is being actively exploited by malicious actors. Quick action is needed to remediate the vulnerabilities and protect sensitive systems and data.

The ownCloud platform is widely used in the healthcare industry for storing, synchronizing, and sharing files, and for collaboration and workflow integration. That makes the platform an attractive target for threat actors, since it can give them access to highly sensitive data. The Clop hacking group demonstrated the danger of vulnerabilities in file sharing platforms when it exploited vulnerabilities in Progress Software’s MOVEit Transfer solution and Fortra’s GoAnywhere MFT.

ownCloud published security advisories for the three vulnerabilities on November 21, 2023. One critical vulnerability was assigned a CVSS v3.1 severity score of 10, and the other two were assigned CVSS scores of 9.0 and 9.8. The cybersecurity firm GreyNoise observed active exploitation beginning on November 25, 2023, originating from 32 different IP addresses.

The critical vulnerability CVE-2023-49103, found in graphapi app versions 0.2.0 – 0.3.0, allows the exposure of sensitive data and configurations in containerized deployments. The graphapi app relies on a third-party library that exposes a URL; when that URL is accessed, the PHP environment’s configuration details are disclosed, including the web server’s environment variables. In containerized deployments the exposed information can include the ownCloud admin password, license key, and mail server credentials. The vulnerability has a CVSS severity score of 10.

CVE-2023-49105 is a critical WebDAV API authentication bypass involving pre-signed URLs that affects core 10.6.0 – 10.13.0. It can be exploited to access, modify, or delete any file without authentication when the victim’s username is known and the victim has no signing key configured, which is the default. The vulnerability has a CVSS severity score of 9.8 out of 10.

CVE-2023-49104 is a critical subdomain validation bypass vulnerability in oauth2 versions earlier than 0.6.1. A threat actor could supply a specially crafted redirect URL that bypasses the validation code, allowing the attacker to redirect callbacks to a top-level domain under the attacker’s control. The vulnerability was assigned a CVSS severity score of 9.0.

The Health Sector Cybersecurity Coordination Center (HC3) published an advisory on December 5, 2023 (https://www.hhs.gov/sites/default/files/owncloud-vulnerability-white-paper-tlpclear.pdf) urging HPH sector organizations to act immediately and carry out the actions recommended by ownCloud, because the platform is integrated into a customer’s data infrastructure, giving attackers a target that could provide access to sensitive information and a foothold for further attacks.

Malicious actors are actively exploiting CVE-2023-49103 in the wild, so this vulnerability must be treated as the top priority. The other two vulnerabilities should also be addressed without delay, since exploitation is likely.

ownCloud says that disabling the graphapi app does not fully remediate CVE-2023-49103. It is also necessary to delete the owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file and to disable the phpinfo function in Docker containers. ownCloud likewise recommends rotating any potentially exposed secrets, including the ownCloud admin credentials, mail server and database credentials, and the Object-Store/S3 access key. The recommended mitigations for the vulnerabilities are available at these URLs: CVE-2023-49103 mitigations, CVE-2023-49104 mitigations and CVE-2023-49105 mitigations.
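The two remediation steps ownCloud calls out for CVE-2023-49103 can be verified on a deployment. The following Python is an added example, not ownCloud’s or HC3’s code: it checks that GetPhpInfo.php is gone from the graphapi app and that phpinfo appears in the php.ini disable_functions directive, demonstrated on a constructed temporary install tree. The install root and the php.ini fragments are assumptions.

```python
from __future__ import annotations

import os
import tempfile

# Path of the shipped test file named in the advisory, relative to the
# ownCloud install directory (the "owncloud/" component of the advisory path).
GETPHPINFO_REL = os.path.join(
    "apps", "graphapi", "vendor", "microsoft", "microsoft-graph",
    "tests", "GetPhpInfo.php",
)


def phpinfo_disabled(php_ini_text: str) -> bool:
    """Return True if a php.ini 'disable_functions' directive lists phpinfo.

    Comments (';' to end of line) are stripped first, so a commented-out
    directive does not count as a mitigation.
    """
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "disable_functions":
            continue
        funcs = {f.strip().strip('"').lower() for f in value.split(",")}
        if "phpinfo" in funcs:
            return True
    return False


def graphapi_findings(owncloud_root: str, php_ini_text: str) -> list[str]:
    """Return outstanding CVE-2023-49103 mitigation gaps (empty = both steps done)."""
    findings = []
    if os.path.exists(os.path.join(owncloud_root, GETPHPINFO_REL)):
        findings.append("GetPhpInfo.php still present in the graphapi app")
    if not phpinfo_disabled(php_ini_text):
        findings.append("phpinfo is not listed in disable_functions")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed install tree, check it, apply both steps, check again."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, GETPHPINFO_REL)
        os.makedirs(os.path.dirname(target))
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("<?php // constructed stand-in for the shipped test file\n")
        # Constructed php.ini fragments: before and after hardening.
        weak_ini = "; constructed php.ini\ndisable_functions =\n"
        hardened_ini = "disable_functions = exec, phpinfo\n"

        before = graphapi_findings(root, weak_ini)
        os.remove(target)  # mitigation step 1: delete the file
        after = graphapi_findings(root, hardened_ini)  # step 2: phpinfo disabled
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(f"{label}: {result or 'no findings'}")
```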

The Akira Ransomware Group and the Scripps Health Ransomware Attack

Akira Ransomware Group Targeting the Healthcare and Public Health Sector

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published a healthcare and public health (HPH) sector alert about another ransomware group, Akira, which has been active since March 2023. Akira is a ransomware-as-a-service (RaaS) operation that recruits affiliates to conduct attacks on its behalf and pays them a share of the proceeds. The group primarily targets small and medium-sized businesses but demands large ransoms, typically between $200,000 and $4 million. The group claimed about 60 victims within its first 5 months of activity, including organizations in the HPH sector.

The group uses double extortion tactics: it first identifies valuable data and exfiltrates it, then encrypts files. It demands a ransom for the decryption keys and to prevent the release of the stolen data. Victims must contact the group through its Tor site to negotiate payment. Victims who pay are given a security report describing the vulnerabilities the group exploited to access their systems.

The group uses various techniques for initial access, including compromised credentials and exploitation of virtual private network (VPN) vulnerabilities, particularly where multi-factor authentication has not been implemented. It has Windows and Linux ransomware variants and attacks both VMware ESXi and Windows servers. Incident response data indicate that the group uses a range of tools in its attacks, including the MASSCAN port scanner, the PCHunter toolkit, Mimikatz for credential harvesting, PsExec, and WinSCP.

The Akira group is believed to be linked to the disbanded Conti ransomware group, since the two share code, directory exclusions, and cryptocurrency wallets. HC3 has provided Indicators of Compromise (IoCs) in its Akira ransomware sector alert along with a number of recommended mitigations to help network defenders improve resilience to attacks and detect attacks in progress.

Russian National Charged for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned

Several members of the TrickBot and Conti ransomware groups have been charged, and the United States and the United Kingdom have sanctioned 11 members of these cybercriminal groups.

A federal grand jury in the Southern District of California has indicted Russian national Maksim Galochkin for his role in the May 2021 cyberattack on Scripps Health. Galochkin and his co-conspirators are alleged to have carried out over 900 cyberattacks around the world using Conti ransomware, including the attack on Scripps Health. A federal grand jury in the Northern District of Ohio charged Galochkin and co-conspirators Mikhail Mikhailovich Tsarev, Maksim Rudenskiy, Andrey Yuryevich Zhuykov, Sergey Loguntsov, Dmitry Putilin, Max Mikhaylov, Maksim Khaliullin, and Valentin Karyagin with using TrickBot malware to steal money and confidential data from businesses and financial institutions in the United States since 2015. A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin and co-conspirators Tsarev, Rudenskiy, and Zhuykov with conspiring to use Conti ransomware to attack businesses, governments, and nonprofits in the United States from 2020 until June 2022, when the Conti operation was shut down.

Galochkin was also one of 11 individuals recently sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC), the U.S. Department of Justice, and the United Kingdom for membership in the Russian TrickBot cybercrime group. TrickBot was first identified in 2016 as a banking Trojan. It was developed from the Dyre Trojan and was used to attack and steal from non-Russian organizations. The modular malware evolved over the years, gaining new features that allowed the TrickBot group to conduct a wide range of malicious activity, including ransomware attacks. The group is believed to have extorted over $180 million from victims around the world and has carried out many attacks on hospitals and other healthcare organizations in the United States. Although the TrickBot group is a cybercriminal group, its members are linked to the Russian intelligence services and have conducted cyberattacks on the U.S. federal government and other U.S. entities consistent with the goals of the Russian intelligence services.

The 11 individuals materially supported TrickBot operations and included managers, administrators, coders and developers. Galochkin (also known as Bentley, Volhvb, Crypt) allegedly led a team of testers and was responsible for the development, supervision, and execution of tests. The other 10 are HR manager Maksim Khaliullin (also known as Kagas); senior administrator Andrey Zhuykov (also known as Dif, Defender); lead coder Maksim Rudenskiy; finance and human resources manager Mikhail Tsarev; infrastructure purchaser Dmitry Putilin (also known as grad, staff); internal utilities group member Mikhail Chernov (aka Bullet); TrickBot developer Sergey Loguntsov; administrative team member Alexander Mozhaev (also known as Green and Rocco); and coders Vadym Valiakhmetov (also known as Weldon, Vasm, Mentos) and Artem Kurov (aka Naned).

A total of 18 members of the TrickBot operation have now been sanctioned; the latest 11 follow the 7 members sanctioned and charged by the United Kingdom and the United States in February. The addition of these individuals to OFAC’s sanctions list means that all property and interests in property of these persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Transactions with them by U.S. persons, including ransom payments, are prohibited. Those who engage in transactions with sanctioned persons may expose themselves to OFAC sanctions, and any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the sanctioned persons may be subject to U.S. correspondent or payable-through account sanctions.

All of the charged and sanctioned individuals remain at large, and that is likely to remain the case because they are believed to reside in Russia, which has no extradition treaty with the United States.

Fortinet FortiOS & FortiProxy Vulnerability and Progress Software MOVEit Transfer Vulnerabilities

Immediate Patching Advised for Critical Fortinet FortiOS & FortiProxy Vulnerability

Malicious actors may have exploited a critical vulnerability in Fortinet’s FortiOS and FortiProxy SSL VPN. The vulnerability, tracked as CVE-2023-27997, is a heap buffer overflow in the FortiOS and FortiProxy SSL-VPN that could be exploited remotely, pre-authentication, to execute code via malicious requests to vulnerable devices. It can be exploited even when multifactor authentication is enabled.

Fortinet firewalls and VPNs are widely deployed, and malicious actors actively target their vulnerabilities and have exploited them quickly in the past. A Shodan search shows about 250,000 Fortinet firewalls reachable online, most of which are believed to be vulnerable. Fortinet said it found the vulnerability during a code audit conducted after a series of attacks in January that targeted CVE-2022-42475, another zero-day vulnerability in the FortiOS SSL VPN. Those attacks were attributed to Volt Typhoon, a Chinese state-sponsored threat group that has been active since mid-2021 and has previously attacked critical infrastructure entities in the U.S. Fortinet has not attributed exploitation of the newly disclosed vulnerability to Volt Typhoon, but stated that this threat actor and other groups will likely target the vulnerability and that there may already have been limited attacks against government, critical infrastructure and manufacturing organizations.

Fortinet issued a security alert about the vulnerability on June 12; it affects nearly all versions of FortiOS and FortiProxy. Patches have been released, and customers are advised to update to the latest version. Fortinet said the vulnerability is mitigated when customers are not running SSL-VPN, but all users are still advised to upgrade to the latest firmware regardless.

Although exploitation of the vulnerability is believed to be limited, threat actors can compare the newly released patches with earlier firmware versions to identify what changed and will likely develop working exploits quickly, so prompt patching is strongly encouraged. All users should ensure they have updated to the following firewall and VPN versions:

FortiOS
FortiOS version 6.0.17 or later versions
FortiOS version 6.2.14 or later versions
FortiOS version 6.4.13 or later versions
FortiOS version 7.0.12 or later versions
FortiOS version 7.2.5 or later versions
FortiOS version 7.4.0 or later versions

FortiProxy
FortiProxy version 7.0.10 or later versions
FortiProxy version 7.2.4 or later versions

FortiOS-6K7K
FortiOS-6K7K version 6.0.17 or later versions
FortiOS-6K7K version 6.2.15 or later versions
FortiOS-6K7K version 6.4.13 or later versions
FortiOS-6K7K version 7.0.12 or later versions
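As an added example (not Fortinet’s code), the following Python checks an inventory of FortiOS, FortiProxy and FortiOS-6K7K builds against the fixed versions listed above, applying the branch rule the list implies: a device must reach the fixed build of its own major.minor branch, so FortiOS 6.4.12 is not covered by 7.0.12, and a 6K7K 6.2 build needs 6.2.15 where plain FortiOS 6.2 needs 6.2.14. The hostnames and versions in the sample inventory are constructed.

```python
from __future__ import annotations

# First fixed build per (major, minor) branch, transcribed from the list above.
FIXED_BUILDS: dict[str, dict[tuple[int, int], int]] = {
    "FortiOS": {(6, 0): 17, (6, 2): 14, (6, 4): 13, (7, 0): 12, (7, 2): 5, (7, 4): 0},
    "FortiProxy": {(7, 0): 10, (7, 2): 4},
    "FortiOS-6K7K": {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '7.0.11' or 'v7.0.11' into (major, minor, patch); reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(product: str, version: str) -> bool | None:
    """True if the build is at or after the fixed build for its branch, False if
    below it, None if the branch is not in the list (needs manual review)."""
    branches = FIXED_BUILDS.get(product)
    if branches is None:
        raise KeyError(f"unknown product: {product}")
    major, minor, patch = parse_version(version)
    fixed_patch = branches.get((major, minor))
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Sort (hostname, product, version) records into patched / unpatched / review."""
    result: dict[str, list[str]] = {"patched": [], "unpatched": [], "review": []}
    for name, product, version in inventory:
        state = is_patched(product, version)
        bucket = "review" if state is None else ("patched" if state else "unpatched")
        result[bucket].append(name)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "FortiOS", "7.0.11"),       # one build short of 7.0.12
    ("fw-edge-2", "FortiOS", "7.0.12"),       # exactly the fixed build
    ("fw-dc-1", "FortiOS", "6.4.13"),
    ("proxy-1", "FortiProxy", "7.2.3"),       # FortiProxy 7.2 needs 7.2.4
    ("fw-big-1", "FortiOS-6K7K", "6.2.14"),   # 6K7K 6.2 needs 6.2.15, unlike FortiOS 6.2
    ("proxy-2", "FortiProxy", "7.4.1"),       # branch not in the list -> review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```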

Patches For Another Critical Vulnerability in MOVEit Transfer Released by Progress Software

Progress Software has released a service pack addressing three newly disclosed vulnerabilities in its MOVEit Transfer software. One of the vulnerabilities is rated critical and can be exploited remotely by an unauthenticated user. According to Progress Software, CVE-2023-36934 is a SQL injection flaw that an unauthenticated attacker could exploit to gain access to the MOVEit Transfer database.

The second vulnerability, CVE-2023-36932, is another SQL injection vulnerability that has been fixed. Exploiting it would allow an authenticated user to gain access to the MOVEit Transfer database, leading to modification or disclosure of its contents. It is rated high severity.

The third vulnerability, CVE-2023-36933, is also rated high severity. When exploited, it can invoke a method that produces an unhandled exception, causing the application to terminate unexpectedly.

As of the latest security updates, there is no information about exploitation of the three vulnerabilities in the wild and no proof-of-concept exploits have been released; however, Progress Software strongly recommends prompt patching. The Clop ransomware group exploited a vulnerability, CVE-2023-34362, disclosed in May 2023 to steal customer data from MOVEit Transfer databases. Following that exploitation, Progress Software conducted an audit and discovered further critical vulnerabilities, which were also patched recently.

The affected software versions by the corresponding vulnerabilities are listed below together with the fixed software versions:

1. MOVEit Transfer 2020.0.x (12.0.x) and older were affected by CVE-2023-36934 (Critical) and CVE-2023-36932 (High). An upgrade to a supported MOVEit Transfer version is required.

2. MOVEit Transfer 2020.1.6 (12.1.6) and later versions were affected by CVE-2023-36934 (Critical) and CVE-2023-36932 (High). Service pack MOVEit Transfer 2020.1.11 (12.1.11) was released.

3. MOVEit Transfer 2021.0.x (13.0.x) and older versions were affected by CVE-2023-36933 (High), CVE-2023-36932 (High), and CVE-2023-36934 (Critical). Service pack MOVEit Transfer 2021.0.9 (13.0.9) was released.

4. MOVEit Transfer 2021.1.x (13.1.x) and older versions were affected by CVE-2023-36934 (Critical), CVE-2023-36933 (High), and CVE-2023-36932 (High). MOVEit Transfer 2021.1.7 (13.1.7) service pack was released.

5. MOVEit Transfer 2022.0.x (14.0.x) and older versions were affected by CVE-2023-36934 (Critical), CVE-2023-36933 (High), and CVE-2023-36932 (High). MOVEit Transfer 2022.0.7 (14.0.7) service pack was released.

6. MOVEit Transfer 2022.1.x (14.1.x) and older versions were affected by CVE-2023-36934 (Critical), CVE-2023-36933 (High), and CVE-2023-36932 (High). MOVEit Transfer 2022.1.8 (14.1.8) service pack was released.

7. MOVEit Transfer 2023.0.x (15.0.x) and older versions were affected by CVE-2023-36934 (Critical), CVE-2023-36933 (High), and CVE-2023-36932 (High). MOVEit Transfer 2023.0.4 (15.0.4) service pack was released.

There are various remediation paths for the latest three vulnerabilities depending on whether the May 2023 patch and remediation steps were applied; details are available from Progress Software. Progress Software has also stated that it will release service packs monthly to allow system administrators to address security issues faster and more easily in the future.


Hive Ransomware Operation Disrupted After FBI Took Over the Group’s Infrastructure

While the Hive ransomware operation was attacking servers, exfiltrating data, and demanding ransoms from its victims, the FBI was watching from inside. The FBI penetrated Hive’s ransomware servers beginning in July 2022 and studied the group’s tactics, which helped victims recover without paying a ransom.

The FBI waited for the right moment to act, and when it came, it struck. The Department of Justice (DOJ) has announced the seizure of the Hive ransomware group’s digital infrastructure, including its data leak site, Tor payment site, and the infrastructure its leadership and affiliates used for communications.

The Hive ransomware gang was one of the most active and aggressive ransomware-as-a-service (RaaS) operations, having carried out over 1,500 attacks on organizations in 80 countries in under two years. Although some ransomware operators have rules that prohibit their affiliates from attacking the healthcare industry, the Hive gang had no such policy and in fact carried out many attacks on hospitals and health systems, as well as schools, critical infrastructure entities, and financial companies. Healthcare victims include Lake Charles Memorial Health, Consulate Health, Tift Regional Medical Center, Johnson Memorial Health, Greenway Health, Partnership HealthPlan, Missouri Delta Medical Center, and First Choice Community Healthcare.

Since June 2021, the Hive ransomware gang has been in operation, earning over $100 million in ransom payments. The group typically gains initial access using a variety of methods, including phishing, remote desktop protocol, stolen credentials, VPNs, and exploitation of device vulnerabilities. Once inside, the group moves laterally, locates data of interest, exfiltrates files, and then demands payment for the decryption keys and to keep the stolen data from being published. When victims refuse to pay, the stolen data is published on its data leak site.

The seizure of the Hive infrastructure followed a months-long penetration of the group’s infrastructure, with assistance from Europol, the U.S. Attorney’s Office for the Central District of California, the U.S. Attorney’s Office for the Eastern District of Virginia, the U.S. Secret Service, and law enforcement agencies in the Netherlands and Germany. The FBI accessed one of the gang’s virtual servers and two dedicated servers hosted by a provider in California, and Dutch law enforcement helped seize two backup servers hosted by a provider in the Netherlands. The servers hosted the gang’s main data leak site, negotiation site, and the web interfaces used by the gang’s members and affiliates.

The FBI obtained information about planned attacks and contacted victims to warn them; as a result, in the past 6 months the FBI has prevented around $130 million in ransom payments. The FBI obtained decryption keys for around 300 victims under attack and has distributed about 1,000 decryption keys to previous victims. It also acquired recorded communications, malware file hash values, and details about the 250 affiliates conducting attacks for the group, together with a record of previous victims. The websites used by the group now display a notice, alternating between English and Russian, stating that they have been seized.

Deputy Attorney General Lisa O. Monaco said that the Department of Justice’s takedown of the Hive ransomware group’s operations sends a clear message to both cybercrime victims and perpetrators. Using 21st century cyber surveillance, the investigative team turned the tables on Hive, taking its decryption keys, giving them to victims, and ultimately preventing ransomware payments worth over $130 million. The department will continue to strike at cybercrime by any means possible and put victims at the center of its efforts to counter the cyber threat.

The Hive gang is Russian-speaking and believed to be based outside the United States. Russia and the United States have no extradition treaty, and Russia has previously been reluctant to act against ransomware groups operating within its borders. The intelligence gathered on group members and affiliates will probably lead to indictments, though bringing those individuals to court may prove difficult. Although the operation has significantly disrupted the Hive campaign, the group is well resourced and has received substantial ransom payments, so it is likely to rebuild its infrastructure and resume operations under another name. Even so, this is a major achievement that has averted many damaging attacks on the healthcare industry.

The takedown of the Hive service will not make a serious dent in overall ransomware activity, but it is a setback for a dangerous group that has harmed many lives by targeting the healthcare industry. Unfortunately, the criminal marketplace at the heart of the ransomware problem all but guarantees that a Hive rival will be ready to offer an identical service, although they may think twice before allowing their ransomware to be used against hospitals. According to John Hultquist, Head of Mandiant Threat Intelligence, operations like this add friction to ransomware campaigns: Hive may need to regroup, retool, and rebrand. Where arrests are not possible, the focus must be on tactical solutions and stronger security, and until the Russian safe haven and the resilient cybercrime marketplace are addressed, that is where the focus will remain.

HC3 Reveals Information on BlackCat and Royal Ransomware Campaigns

The Health Sector Cybersecurity Coordination Center (HC3) has published threat information on two sophisticated and aggressive ransomware groups, BlackCat and Royal. Both pose a considerable risk to the healthcare and public health (HPH) sector.

From 2021 to early 2022, the Conti ransomware-as-a-service (RaaS) operation dominated the ransomware threat landscape; however, the operation was shut down in 2022. Although the Conti RaaS no longer operates under that name, its members remain active and have dispersed into a number of smaller semi-independent and independent ransomware groups. These smaller operations are more agile, harder to monitor, and attract less attention from law enforcement.

The BlackCat ransomware group, also known as ALPHV, was first identified in November 2021 and is believed to be the successor to the DarkSide/BlackMatter ransomware. Its administrator is thought to be a former member of the well-known REvil gang. The BlackCat RaaS operation uses triple extortion: data theft, file encryption, and distributed denial of service (DDoS) attacks. The group publishes stolen data on its leak site and launches DDoS attacks if the ransom is not paid. It mainly targets organizations in the United States.

Unlike some ransomware operations that encourage attacks on the healthcare industry, BlackCat’s operating rules forbid affiliates from attacking hospitals, medical organizations, and ambulance providers, although pharmaceutical firms and private clinics are not off limits. HC3 has cautioned that such operating rules are not absolute, and ransomware groups that have similarly prohibited attacks on healthcare organizations have not always honored those prohibitions in the past. Although the operation is much smaller than Conti, the group has carried out many attacks, including attacks on 60 organizations in its first 4 months of operation.

Royal is a new ransomware group first observed conducting attacks in early 2022 and is likewise believed to include former Conti members. Royal initially used an encryptor similar to BlackCat’s, then switched to its own encryptor in September 2022. Royal is currently the most active ransomware operation, having overtaken LockBit. The group uses double extortion: it steals data, encrypts files, and threatens to publish the stolen information if no ransom is paid. Like Conti, Royal is known to use callback phishing to gain initial access to systems. Callback phishing starts with a benign-looking email containing a phone number; social engineering is then used to persuade the victim to call that number and grant access to their device. Royal has also been observed carrying out attacks with an encryptor disguised as healthcare patient information software hosted on legitimate-looking software download sites. Unlike BlackCat, Royal does not exclude the healthcare sector, and a number of its attacks have hit healthcare organizations. Royal therefore poses a considerable threat to the HPH sector.

HC3 has provided detailed information for network defenders on the tactics, techniques, and procedures used by the two operations, together with Indicators of Compromise (IoCs), YARA rules, and recommended mitigations.

Healthcare Providers Cannot Evaluate and Mitigate Supply Chain Risks

Healthcare providers may have numerous cybersecurity measures in place to protect their systems and block direct attacks by threat actors, but securing the supply chain presents substantial challenges. Healthcare providers use vendors to deliver services that cannot be handled in-house, and while those services are essential, vendors also introduce risks that must be managed effectively. Vendors often need privileged access to systems to do their work, so an attack on a vendor can give a threat actor a back door into a healthcare provider’s network.

Cybercriminals are increasingly targeting healthcare vendors because they are a particularly vulnerable part of the supply chain. In 2022, many of the largest reported healthcare data breaches involved vendors:

  • Shields Health Care Group, a medical imaging services provider to over 50 healthcare centers, suffered a breach involving over 2 million records.
  • Professional Finance Company, a debt collection service provider to healthcare providers, suffered a breach that affected many of its clients and compromised the information of 1.91 million individuals.
  • Eye Care Leaders, an electronic medical record vendor, suffered an attack that affected around 41 eye care companies and over 3.6 million patients.

While efforts to protect healthcare systems from direct attacks must continue, prompt action is also needed to secure the supply chain.

A new survey conducted by the Ponemon Institute for the Healthcare and Public Health Sector Coordinating Councils (HSCC) examined the current state of supply chain risk in healthcare and confirmed that much remains to be done, with many healthcare providers found to face substantial difficulties securing their supply chains. The survey of 400 U.S. healthcare organizations confirmed that there are still significant capability and budget gaps between large and small healthcare organizations when it comes to managing and reducing supply chain risk, yet organizations of all sizes are falling short on the basics of supply chain risk management.

To measure and manage risk properly, healthcare organizations need a complete inventory of all the vendors they use. The survey showed that just 20% of the 400 surveyed organizations had a complete inventory of their vendors, and smaller healthcare organizations were three times more likely to have no inventory at all. One common approach is to concentrate supply chain risk management on new vendors as they are onboarded while failing to assess and manage the risk of existing vendors, which was the case for nearly half (46%) of surveyed organizations. 35% of surveyed organizations were not considering supplier risks related to patient outcomes, with smaller healthcare organizations twice as likely as larger ones to have this gap. Only 41% of organizations had integrated their cyber risk programs with their purchasing and contracting teams. Smaller healthcare organizations lack the budget to manage supply chain risk properly: 57% of smaller organizations had supply chain risk management budgets of $500,000 or less, compared with 5% of large organizations, which had supply chain risk management budgets of around $1 million to $5 million.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) includes supply chain risk management practices that can, and should, be followed, but doing so can be a challenge for small and medium-sized healthcare organizations. To make supply chain risk management easier, the HSCC has adapted this guidance and created a free toolkit (HICSCRiM) specifically for small to medium-sized healthcare organizations, which typically have fewer resources for managing supply chain risk.

Ed Gaudet, CEO and Founder of Censinet and a member of the HSCC Supply Chain Cybersecurity Task Group, said the healthcare supply chain community is under growing pressure to move quickly while managing many risks throughout the procurement process. As cyberattacks such as ransomware become more sophisticated, the survey highlights the urgent need for automation and actionable risk insights to help supply chain leaders manage inventory, fraud, cyber risk, and supplier redundancy effectively.

HPH Sector Cautioned Regarding Clop Ransomware-as-a-Service Operation

The Health Sector Cybersecurity Coordination Center (HC3) has published details about the Clop (Cl0p) ransomware-as-a-service operation, whose affiliates are known to be attacking the healthcare and public health (HPH) sector.

Clop ransomware was first identified in February 2019 as the successor to the CryptoMix ransomware. The group is highly active and was apparently unaffected by the arrest of six of the ransomware’s operators in 2021; its activity continued regardless. The Clop ransomware group remained active throughout 2022, and in one month it attacked 21 organizations. The group usually targets organizations with annual revenue above $10 million, although it has demanded large ransoms even from smaller healthcare providers such as doctors’ and dentists’ practices with revenue above $5 million.

The group uses double extortion: it steals sensitive data before encrypting files and demands a ransom both to prevent publication of the stolen data and to obtain the file decryption keys. Some attacks attributed to the group involved only data theft and extortion. The group follows through on its threats to publish stolen data when the ransom is not paid, as in the attack on the pharmaceutical company ExecuPharm, where the group’s leak site published the company’s stolen emails, financial information, documents, and database files.

The group collaborates with other cybercriminal groups, including the financially motivated threat group tracked as FIN11. A threat group linked to Clop was responsible for a string of attacks in December 2020 that exploited a vulnerability in the Accellion File Transfer Appliance (FTA); a number of healthcare providers were affected and had sensitive data exposed.

The tactics, techniques, and procedures used by Clop affiliates are extremely diverse and constantly evolving. Initial access to victims’ systems was originally gained through phishing, credential abuse, remote desktop compromise, and exploitation of unpatched vulnerabilities. In late 2022, a number of attacks used TrueBot malware to gain initial access.

The group has an in-depth understanding of healthcare IT systems and workflows, which has helped it attack the HPH sector successfully many times. In 2022, the group reportedly began having trouble obtaining ransom payments, which led it to change tactics. Intercepted communications among group members showed it had started targeting medical practices that offer telehealth consultations. In these attacks, affiliates register online as new patients and request telehealth services, then send emails ahead of their appointments with attached medical image files containing malicious code, hoping the practices will open the files before the scheduled appointment.

The Clop ransomware group is highly capable, well funded, and prolific, and poses a considerable threat to the HPH sector.

Ransomware Groups Use New Strategies for Attacking Victims to Increase Odds of Payment

Ransomware remains one of the most serious threats facing the healthcare sector. Attacks can be extremely costly to remediate, cause substantial disruption to business operations, and endanger patient safety. Ransomware groups continually change their tactics, techniques, and procedures to gain initial access to systems and evade security solutions; with victims increasingly able to recover without paying, and more of them refusing the ransom demand, ransomware groups have begun adopting more aggressive strategies to pressure victims into paying.

Targeting Telemedicine Providers

Various methods are used to gain access to healthcare systems, including remote access technologies such as Remote Desktop Protocol (RDP) and VPNs and exploitation of unpatched vulnerabilities, with phishing a top attack vector. One of the newest phishing strategies targets healthcare organizations that offer telemedicine services, particularly online consultations. The threat actor poses as a new patient and sends the healthcare organization a decoy file that appears to be their health records, on the assumption that the physician will open the file before the consultation to review the patient’s information. Doing so installs malware and gives the threat actor access to the device.

One of the main problems for ransomware groups is getting paid. When ransomware was new, recovering encrypted files required payment, but organizations that adopted sound data backup practices could restore their files without paying. To increase the chance of payment, ransomware groups turned to double extortion: sensitive data is exfiltrated before files are encrypted, and the attacker threatens to leak it if the ransom is not paid. Even when backups exist, payment is often made to prevent the exposure of the stolen data. This strategy is now far less effective, however; according to Coveware’s report, fewer victims are paying even when data has been stolen.

Using Triple Extortion Tactics

A number of ransomware groups have begun using triple extortion tactics to put more pressure on victims to pay, and this tactic has been used in several attacks on healthcare organizations. Triple extortion takes different forms, for example contacting patients using the contact details in the stolen files to try to extort money from them. The REvil ransomware group, now presumed to be behind the BlackCat ransomware, began contacting victims’ clients or the press to inform them about the attack. Several groups have also launched Distributed Denial of Service (DDoS) attacks on victims that refuse to pay. LockBit began demanding payment for the return of the stolen data in addition to payment for the decryptor and for preventing the data leak.

A recent report by Brian Krebs of Krebs on Security describes another new tactic uncovered by Alex Holden, founder of the cybersecurity firm Hold Security. The tactic is being used by Clop and Venus, two ransomware operations that target healthcare organizations.

The Clop ransomware group has used a tactic against healthcare organizations that sends doctors and nurses malicious files disguised as ultrasound images. The gang is one of those that started targeting healthcare organizations offering online consultations. In one successful attack, the attacker posed as a patient with cirrhosis of the liver requesting a web consultation; cirrhosis was chosen because a physician would very likely need an ultrasound scan and other tests to diagnose the condition, so the records could plausibly be attached to the email.

Framing Executives for Insider Trading

Holden also described a new method tried by the Venus gang to compel victims to pay. The gang tries to frame executives of public companies by altering their email inboxes to make it appear that they engaged in insider trading, and one such attack was successful. The group inserted messages discussing plans to buy and sell large volumes of the company’s stock based on non-public information.

Holden cited one of the blackmail messages created by the Venus gang. The message to the CEO states that the gang imitated the CEO’s correspondence with a trading insider who supplies the financial reports of the companies in which the victim supposedly trades on the stock market. This practice is plainly a criminal offense under U.S. federal law, and offenders can be sentenced to around 20 years in prison.

Holden noted that planting messages in inboxes is difficult but feasible for a ransomware actor with access to Outlook .pst files, which an attacker would probably have after breaching the victim’s network. He added that the planted emails may not withstand forensic examination, but could still be enough to cause a scandal and reputational damage, which might be sufficient to pressure the victim into paying.

HPH Sector Cautioned of Lorenz Ransomware Group

The healthcare and public health (HPH) sector has been warned about the threat of ransomware attacks by the Lorenz threat group, which has carried out a number of attacks in the U.S. over the past two years with no sign that the attacks are slowing.

Lorenz ransomware is human-operated and is deployed after the attackers have gained access to systems and exfiltrated data. Once access is obtained, the group is known to customize its executable for each targeted organization. The Lorenz actors are persistent and carry out extensive reconnaissance over a long period before deploying the ransomware to encrypt files. The group uses double extortion: sensitive data is exfiltrated before files are encrypted, and a ransom is demanded both to prevent the sale or publication of that data and to obtain the file decryption keys.

Many ransomware actors steal data and threaten to publish it on a data leak site if the ransom is not paid. Lorenz’s approach is fairly unusual. If the ransom demand is not met, the group first tries to sell the stolen data to other threat actors and competitors. If the ransom remains unpaid, Lorenz posts password-protected archives containing the stolen data on its leak site, and if it cannot profit from the data that way, it then releases the archive passwords, allowing anyone to access and download the stolen data. In some cases the group has retained access to victims’ systems and offered that access to other threat actors.

Lorenz engages in big game hunting, most often attacking large organizations, with ransom demands typically in the $500,000 to $700,000 range. There are no known attacks on non-business targets, and most victims are English-speaking. Compared with most other ransomware groups, relatively little is known about Lorenz. Its methods for gaining initial access include phishing, compromising remote access technologies such as RDP and VPNs, exploiting unpatched vulnerabilities in software and operating systems, and attacking managed service providers (MSPs) and then pivoting to the MSPs’ customers.

The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, Indicators of Compromise, and other resources that network defenders can use to strengthen their defenses against Lorenz ransomware attacks.

Feds Warn the HPH Sector Concerning Aggressive Hive Ransomware Group

The Hive ransomware-as-a-service (RaaS) operation first appeared in June 2021 and has aggressively attacked the health and public health (HPH) sector ever since. Between June 2021 and November 2022, the group attacked over 1,300 organizations worldwide, generating ransom payments of over $100 million.

Affected organizations in the HPH sector include the public health system in Costa Rica, Lake Charles Memorial Health System, Memorial Health System, Partnership HealthPlan of California, Missouri Delta Medical Center, Hendry Regional Medical Center, and Southwell. The most recent victim, Lake Charles Memorial Health System, attacked this month, is still recovering. The attacks endanger patient safety and have forced hospitals to divert ambulances, postpone surgeries, delay appointments, and close urgent care facilities.

On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) published a joint advisory warning the HPH sector about the threat of attacks and sharing Indicators of Compromise (IoCs), information on the tactics, techniques, and procedures (TTPs) used by the group, and recommended mitigations for preventing, detecting, and mitigating attacks.

Hive has advanced capabilities, uses double extortion, and publicly posts stolen data on its leak site when victims do not pay. The group is known to re-attack victims that attempt to recover without paying. As a RaaS operation, it recruits affiliates to conduct attacks in exchange for a share of the ransom payments they generate, and those affiliates are known to have the skills needed to gain access to victims’ systems.

The most common initial access methods are exploiting Remote Desktop Protocol (RDP) weaknesses and other remote network connection systems, exploiting Virtual Private Networks (VPNs), phishing with malicious attachments, and exploiting unpatched vulnerabilities, such as the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, and CVE-2020-12812 to gain access to FortiOS servers.

Once access has been gained, the group identifies processes related to backups, antivirus/anti-spyware, and file copying and terminates them. Volume shadow copy services are stopped and all existing shadow copies are deleted, and Windows event logs, specifically the System, Security, and Application logs, are cleared. Before encryption, virus definitions are deleted and all components of Windows Defender and other common antivirus programs are disabled in the system registry, and sensitive data is exfiltrated using Rclone and the cloud storage service Mega.nz. The group runs live chat support to communicate with victims and has also been known to contact victims by telephone and email to discuss payment. Ransom demands can be large, ranging from thousands to millions of dollars.
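The pre-encryption steps described above (stopping shadow copy services, deleting shadow copies, clearing the System, Security and Application logs, disabling Defender through the registry, staging data out with Rclone) are each visible in process-creation telemetry. The following is an added example, not code from HC3 or the joint advisory: a small detection pass over constructed process-creation records. The record layout (`host|user|parent|command line`), the rule names and the sample lines are all assumptions made for this example; the patterns themselves correspond to the behaviours the advisory names.

```python
"""Added example (not from the HC3/CISA advisory): a detection pass over
constructed Windows process-creation records, flagging the pre-encryption
steps described for Hive: shadow copy deletion, event log clearing, Windows
Defender disabled via the registry, and Rclone-based exfiltration.
The record layout ('host|user|parent|command line') is constructed here."""
import re
from dataclasses import dataclass

# One rule per behaviour: (name, description, compiled regex). The regexes are
# deliberately narrow so routine admin activity (e.g. listing shadow copies)
# does not trip them.
RULES = [
    ("shadow_copy_deletion", "Inhibit System Recovery: shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("vss_service_stopped", "Volume Shadow Copy service stopped",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+vss\b", re.I)),
    ("event_log_cleared", "Indicator Removal: Windows event log cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(system|security|application)\b", re.I)),
    ("defender_disabled_registry", "Impair Defenses: Windows Defender disabled in the registry",
     re.compile(r"reg(\.exe)?\s+add\b.*DisableAntiSpyware.*/d\s+1\b", re.I)),
    ("rclone_exfil", "Exfiltration: rclone copy/sync/move to remote storage",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]

@dataclass
class Finding:
    host: str
    user: str
    rule: str
    description: str
    command_line: str

def parse_event(line):
    """Split one constructed record into its four fields."""
    host, user, parent, cmd = (part.strip() for part in line.split("|", 3))
    return {"host": host, "user": user, "parent": parent, "cmd": cmd}

def detect(lines):
    """Return a Finding for every rule that matches a record's command line."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, description, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["host"], ev["user"], name, description, ev["cmd"]))
    return findings

def hosts_with_recovery_inhibited(findings):
    """Hosts where shadow copies were deleted AND event logs were cleared:
    together these are a much stronger staging signal than either alone."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(host for host, rules in rules_by_host.items()
                  if {"shadow_copy_deletion", "event_log_cleared"} <= rules)

# Constructed sample records; only the SRV-FILE01 entries reflect the behaviour
# described in the advisory, the others are routine activity.
SAMPLE_EVENTS = [
    r"WS-042|CORP\jdoe|explorer.exe|C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt",
    r"SRV-FILE01|NT AUTHORITY\SYSTEM|cmd.exe|vssadmin.exe delete shadows /all /quiet",
    r"SRV-FILE01|NT AUTHORITY\SYSTEM|cmd.exe|wevtutil.exe cl Security",
    r"SRV-FILE01|NT AUTHORITY\SYSTEM|cmd.exe|wevtutil.exe cl System",
    r'SRV-FILE01|NT AUTHORITY\SYSTEM|cmd.exe|reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r"SRV-FILE01|NT AUTHORITY\SYSTEM|cmd.exe|rclone.exe copy D:\Shares\Finance mega:offsite --transfers 8",
    r"WS-017|CORP\backupsvc|cmd.exe|vssadmin.exe list shadows",
    r"SRV-APP02|CORP\sysadmin|powershell.exe|net stop vss",
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:<11} {f.user:<22} {f.rule:<27} {f.command_line}")
    print("staging hosts:", hosts_with_recovery_inhibited(found))
```

The individual rules will fire occasionally on legitimate administration (a storage admin really does delete old shadow copies, a logging migration really does clear logs), which is why `hosts_with_recovery_inhibited` correlates two of them on the same host: that combination, especially under the SYSTEM account, is the point at which an on-call analyst should isolate the host rather than open a ticket.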

Healthcare providers are advised to review the joint security advisory, monitor their systems using the shared IoCs, harden defenses against the identified TTPs, and implement the recommended mitigations.

Increased Risks in Using Connected Devices in Healthcare

Hospitals use an increasing number of connected devices. Although connected devices can improve efficiency, safety, and patient outcomes, they also considerably expand the attack surface, and many of these devices lack appropriate security features or are not configured correctly.

A new Microsoft-sponsored study by the Ponemon Institute on the current state of IoT/OT cybersecurity found that 65% of organizations have weak security on their IoT/OT devices and 50% have seen an increase in attacks involving those devices. 88% of respondents said their IoT devices are accessible from the internet, and 51% have OT devices accessible from the internet. Cybercriminals are increasingly targeting these devices because they have weaknesses that can be exploited easily, using malware and ransomware to gain initial access to them.

In 2020, Forescout analyzed the kinds of devices used on enterprise networks to determine which pose the greatest risk, and this November it released an updated version of the report. Most of the devices rated high risk remain on the updated list, including programmable logic controllers (PLCs), networking equipment, VoIP devices, and IP cameras. Hypervisors and human-machine interfaces (HMIs) were added this year.

Almost all of the riskiest devices are on the list because they are frequently exposed to the internet or critical to business operations, and all of them have vulnerabilities. Every organization relies on a mix of IT, IoT, and OT, and healthcare organizations also rely on IoMT devices, so virtually all organizations face a growing attack surface because they have at least one type of risky device connected to their network.

Many of these devices are difficult to patch and maintain, so vulnerabilities are not fixed promptly. IoMT devices are particularly dangerous because they can provide access to internal systems and may hold sensitive patient data, and attacks on them can affect healthcare delivery and patient safety. Attacks on hospitals have led to fetal monitors being knocked offline, and in 2020 a number of attacks targeted radiation information systems.

Medical imaging devices such as DICOM workstations, imaging modalities, nuclear medicine systems, and PACS can hold highly sensitive patient data. They also frequently run legacy operating systems and have considerable network bandwidth for the rapid sharing of medical imaging data, usually exchanging files with the DICOM standard. DICOM was not designed with security in mind; although it supports encryption of transmitted data, encryption configuration is left to the individual healthcare organization. Encryption is not enabled in many hospitals, meaning medical images are sent in plain text and can easily be intercepted and tampered with to carry malware. Patient monitors are also among the least secure IoMT devices because they typically communicate over unencrypted protocols, so communications can easily be intercepted and manipulated, and tampering can block the delivery of alerts.

The key to managing this risk is understanding how the attack surface is expanding and performing a thorough risk assessment to identify where the vulnerabilities lie. Those risks can then be put through a risk management process and reduced to a low and acceptable level.

Patch to Fix Critical OpenSSL Vulnerability Will Be Available on November 1, 2022

An alert has been issued to the healthcare and public health sector about a critical vulnerability identified in the OpenSSL software library. Most operating systems and applications use OpenSSL, an open-source cryptographic library, to implement Transport Layer Security for secure web communications, including connections to websites and web applications.

The OpenSSL project team states that the vulnerability affects OpenSSL versions 3.0 to 3.0.6 but does not affect LibreSSL or OpenSSL 1.1.1. No details about the actual nature of the vulnerability have been disclosed yet, to limit the chance of exploitation. More details are expected to be released alongside the patch, which will be included in OpenSSL version 3.0.7. No CVE number has been assigned yet.

Although the OpenSSL project team has announced vulnerabilities before, critical vulnerabilities are rare. A critical vulnerability affects common configurations and is likely to be exploitable. In 2014, a critical OpenSSL vulnerability known as Heartbleed could be exploited to obtain encryption keys or passwords; it allowed anyone on the internet to read the memory of systems running vulnerable OpenSSL versions. Threat actors quickly exploited the bug to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. Because OpenSSL is so widely used, the impact of this kind of vulnerability is enormous, and patching every instance where OpenSSL is used can take a long time.

In a cybersecurity alert, the Health Sector Cybersecurity Coordination Center (HC3) discussed the likelihood that threat actors will attempt to exploit the vulnerability at scale and states that exploitation could begin soon after the patch is released. Cybercriminal and nation-state threat actors are likely to start reverse engineering the patch as soon as it is available to work out the technical details of the vulnerability and develop an exploit.

HC3 is urging all HPH sector organizations to treat this vulnerability as a top priority and ensure the patch is applied quickly. To do so, organizations will need to identify every instance where OpenSSL is used. The OpenSSL Project team states the patch will be released on November 1, 2022 between 13:00 and 17:00 UTC.

On November 1, 2022, the OpenSSL Project confirmed that the two vulnerabilities are rated high severity rather than critical; prompt patching is still strongly recommended, however, as the flaws could potentially lead to remote code execution.
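The practical work behind "identify every instance where OpenSSL is used" is an inventory of version strings and a consistent rule for sorting them into patch-now, already-fixed, not-affected and unknown. The following is an added example, not code from the OpenSSL Project or HC3: it parses `openssl version` style banners and applies exactly the range stated above (3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.1.1 and LibreSSL not affected). The inventory entries and host names are constructed; treating series newer than 3.0 as "review" is this example's assumption, since the advisory does not cover them.

```python
"""Added example (not from the OpenSSL Project or HC3): triage an inventory
of OpenSSL version strings, as printed by `openssl version` or recorded in a
software inventory, against the range in the advisory: 3.0.0 through 3.0.6
affected, 3.0.7 fixed, OpenSSL 1.1.1 and LibreSSL not affected.
The inventory entries are constructed for this example."""
import re
import subprocess

VERSION_RE = re.compile(r"\b(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.I)

def parse_version(text):
    """Return (library, (major, minor, patch, suffix)) or None if no version
    is found. Handles full banners such as 'OpenSSL 1.1.1q  5 Jul 2022'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    library = "LibreSSL" if m.group(1).lower() == "libressl" else "OpenSSL"
    return library, (int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5))

def classify(text):
    """Map a version string to one of: affected, fixed, not_affected, review, unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"              # cannot tell: must be resolved by hand
    library, (major, minor, patch, _suffix) = parsed
    if library == "LibreSSL":
        return "not_affected"         # separate code base, named as unaffected
    if (major, minor) == (3, 0):
        return "affected" if patch <= 6 else "fixed"   # 3.0.0-3.0.6 vs 3.0.7+
    if major < 3:
        return "not_affected"         # 1.1.1 (and older series) not affected
    return "review"                   # series newer than the advisory covers (assumption)

def triage(inventory):
    """Group hosts by status so the patch list and the 'chase the vendor'
    list fall out directly."""
    groups = {}
    for entry in inventory:
        groups.setdefault(classify(entry["version"]), []).append(entry["host"])
    return {status: sorted(hosts) for status, hosts in groups.items()}

def affected_hosts(inventory):
    return triage(inventory).get("affected", [])

def local_openssl_status():
    """Classify the OpenSSL binary on this machine, if one is on PATH."""
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, timeout=10, check=False).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify(banner)

# Constructed inventory: host name and the version string recorded for it.
INVENTORY = [
    {"host": "web-01", "version": "OpenSSL 3.0.2 15 Mar 2022"},
    {"host": "web-02", "version": "OpenSSL 3.0.7 1 Nov 2022"},
    {"host": "legacy-app", "version": "OpenSSL 1.1.1q  5 Jul 2022"},
    {"host": "bsd-gw", "version": "LibreSSL 3.5.3"},
    {"host": "vendor-appliance", "version": "not reported by vendor"},
    {"host": "imaging-srv", "version": "OpenSSL 3.0.6 11 Oct 2022"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status:<13} {', '.join(hosts)}")
    print("this machine:", local_openssl_status())
```

The `unknown` bucket is the one that usually hides the exposure: `local_openssl_status` only sees the `openssl` binary on PATH, while applications and appliances routinely ship their own statically linked or bundled copy of the library, so every vendor product in the inventory needs its own version statement before it can leave that bucket.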

Government Warns Healthcare Providers Concerning Daixin Team Extortion and Ransomware Attacks

Daixin Team is a relatively new data extortion and ransomware group that is actively attacking U.S. healthcare providers. The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) have issued a warning about the group.

Daixin Team first emerged in June 2022 and has mainly engaged in data extortion and ransomware attacks on organizations in the health and public health (HPH) sector. Its attacks have encrypted data, blocked access to electronic health records, and disrupted the delivery of healthcare services, resulting in postponed appointments, diagnostics, and imaging. The #StopRansomware: Daixin Team alert shares the group’s known tactics, techniques, and procedures, Indicators of Compromise (IoCs), and a number of recommended mitigations to prevent these attacks.

Daixin Team gains access to healthcare systems, performs reconnaissance, and identifies and exfiltrates data of interest, which it uses to extort money from victims. The group warns victims not to communicate with ransomware remediation firms. If there is no response within 5 days of the attack, the attacker threatens to release the stolen data publicly.

Daixin Team is known to gain access to victims' systems by exploiting vulnerabilities in VPN servers, typically using compromised VPN credentials for accounts that do not have multi-factor authentication enabled. In several attacks, the group obtained VPN credentials through phishing emails with malicious attachments. Once access is gained, the attackers move laterally through the network using Secure Shell (SSH) and Remote Desktop Protocol (RDP), escalate privileges through credential dumping and pass-the-hash, exfiltrate data – using tools such as Rclone and Ngrok – and then deploy their ransomware payload, which is believed to be based on publicly released Babuk Locker ransomware code.

In some cases, privileged accounts were used to access the VMware vCenter Server and reset passwords for ESXi server accounts. SSH was then used to connect to the ESXi servers, where the attackers deployed the ransomware.

The FBI, HHS, and CISA have provided the following mitigations to help healthcare providers defend against Daixin Team attacks:

  • Patching immediately and updating software regularly
  • Using phishing-resistant multi-factor authentication
  • Securing or disabling Remote Desktop Protocol
  • Disabling SSH and network device management interfaces, including Winbox, Telnet, and HTTP, for wide area networks (WANs)
  • Encrypting passwords
  • Implementing multi-layer network segmentation
  • Limiting access to data by using public key infrastructure and digital certificates to authenticate connections to devices
  • Using encryption to protect ePHI at collection points
  • Strict compliance with the HIPAA Security Rule with regard to ePHI
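The mitigation about management interfaces is easy to state and easy to get wrong in practice: a service bound to every address is reachable from the WAN side even if nobody intended it. The following is an added example, not part of the CISA/FBI/HHS advisory, that parses text in the column layout of the Linux `ss -lnt` command and reports SSH, Telnet, HTTP, RDP, and Winbox listeners bound to all addresses or to the host's WAN address. The WAN address, the management-VLAN address, and the sample `ss` output are constructed for the example.

```python
"""Flag management services reachable from a WAN-facing address.

Added example for this digest; it is not part of the CISA/FBI/HHS advisory.
It parses text in the format of `ss -lnt` (Linux) and reports SSH, Telnet, HTTP,
RDP and Winbox listeners bound to every address or to the WAN address, which is
the condition the advisory asks operators to eliminate on WAN-facing systems.
All addresses and the sample output below are constructed.
"""
from dataclasses import dataclass

# Services named in the advisory, keyed by their default TCP port.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 3389: "RDP", 8291: "Winbox"}

# Constructed: the host's WAN-facing address (TEST-NET-3 range) and the
# bind addresses that mean "every interface".
WAN_ADDRESSES = {"203.0.113.10"}
ANY_ADDRESS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the column layout `ss -lnt` prints.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    10.10.0.5:3389      0.0.0.0:*
LISTEN 0      5      203.0.113.10:23     0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      128    127.0.0.1:8291      0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
"""


@dataclass(frozen=True)
class Finding:
    service: str
    port: int
    bound_to: str
    reason: str


def parse_listeners(ss_output: str) -> list:
    """Return (local_address, port) for every LISTEN row; the header row is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # Local Address:Port is the fourth column; split on the last ':' so
        # IPv6 forms such as [::]:443 survive.
        host, port = cols[3].rsplit(":", 1)
        listeners.append((host, int(port)))
    return listeners


def wan_exposed_management(ss_output: str, wan_addresses=frozenset(WAN_ADDRESSES)) -> list:
    """Management listeners that a peer on the WAN side could reach."""
    findings = []
    for host, port in parse_listeners(ss_output):
        service = MANAGEMENT_PORTS.get(port)
        if service is None:
            continue  # not a management service the advisory names
        if host in ANY_ADDRESS:
            findings.append(Finding(service, port, host, "bound to all addresses"))
        elif host in wan_addresses:
            findings.append(Finding(service, port, host, "bound to WAN address"))
        # Loopback and management-VLAN bindings (e.g. 10.10.0.5) are not reported.
    return findings


if __name__ == "__main__":
    for f in wan_exposed_management(SAMPLE_SS_OUTPUT):
        print(f"{f.service:7}/{f.port:<5} on {f.bound_to:15} {f.reason}")
```

Run against real `ss -lnt` output, the script reports the SSH listener on `0.0.0.0`, the Telnet listener on the WAN address, and the wildcard HTTP listener, while RDP bound only to the management VLAN and Winbox on loopback pass. Binding a service to the management address is a weaker control than removing it or filtering it at the edge, so a finding-free run is a starting point, not a sign-off.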

LifeBridge Health to Pay $9.5 Million to Settle 2016 Data Breach Claims

LifeBridge Health Inc. has agreed to settle a class action lawsuit filed on behalf of patients affected by a data breach it discovered in 2018. The total value of the settlement is $9.475 million, including $800,000 in funding to pay class members' claims.

In March 2018, LifeBridge Health discovered a malware infection that had allowed unauthorized individuals to access a server hosting its patient registration, electronic health records, and billing systems. The breach investigation found that the initial intrusion had occurred 18 months earlier, in September 2016. LifeBridge Health disclosed the breach in May 2018 and confirmed that the data of 582,174 patients had potentially been compromised. The exposed data included names, dates of birth, addresses, diagnoses, prescribed medications, clinical and treatment information, insurance information, and some Social Security numbers.

The law firm Murphy, Falcon & Murphy filed the lawsuit – Johnson, et al. v. LifeBridge Health, Inc. – in the Circuit Court for Baltimore City, MD, on behalf of patients affected by the incident. The two named plaintiffs, Darlene Johnson and Jahima Scott, said their identities may have been compromised as a result of the breach, as both experienced credit card fraud shortly after the breach occurred.

The lawsuit claimed that class members had been exposed to considerable harm and that their personal data and PHI were in the hands of identity thieves, placing them at immediate and ongoing risk of identity theft and fraud. The plaintiffs said they had suffered financial losses, had financial transactions declined, experienced problems with their email accounts, had fraudulent accounts opened in their names, and had their identities used to file fake claims for unemployment benefits and COVID-19 disaster relief funding for small businesses.

The lawsuit alleged that LifeBridge Health was at fault for failing to follow basic security practices, in violation of several Maryland privacy protection laws, including the Maryland Personal Information Protection Act, the Maryland Social Security Number Privacy Act, and the Maryland Consumer Protection Act.

LifeBridge Health did not admit any wrongdoing or accept liability for the attack, but chose to settle the lawsuit to limit further legal expenses and avoid the uncertainty of a trial. Under the terms of the settlement, LifeBridge Health has agreed to provide $800,000 in funding to cover class members' claims and will spend $7.9 million on additional security measures to prevent further data breaches, including data encryption, network monitoring, a security awareness program, asset tracking, and multi-factor authentication. The remaining $775,000 of the total settlement amount will cover legal expenses.

Class members are entitled to file claims for reimbursement of ordinary and extraordinary losses, including up to 3 hours of lost time at $20 per hour, plus an additional 2 hours if they experienced extraordinary losses. Claims for ordinary losses of up to $250 per class member may be submitted to cover bank fees, credit monitoring, credit freezes, communication, and other expenses, and claims for extraordinary losses of up to $5,000 may also be submitted.

A final approval hearing is scheduled for October 26, 2022. Claims must be submitted by February 1, 2023.

Vulnerability Identified in BD Totalys MultiProcessor

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory about a recently identified vulnerability affecting the BD Totalys MultiProcessor, which hospitals and laboratories use to process clinical tissue samples.

The vulnerability stems from the use of hard-coded credentials, which could allow an attacker to gain access to a vulnerable Totalys MultiProcessor and view, modify, or delete sensitive data, including personally identifiable information (PII) and protected health information (PHI).
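The weakness class here is worth seeing in code, because it looks harmless in isolation. The following is an added illustration for this digest, not BD's code, and it says nothing about how the Totalys MultiProcessor implements authentication: a service login that compares against a constant baked into the program is shown beside a form in which each device is provisioned with its own random secret at installation, stores only a salted PBKDF2 hash of it, verifies in constant time, and can be rotated. The account name, the placeholder password, and the in-memory store are assumptions of the example.

```python
"""Hard-coded credential versus a per-device, rotatable credential.

Added illustration for the weakness class behind the BD advisory; it is not
BD's code and says nothing about how the Totalys MultiProcessor implements
authentication. Account names and passwords are placeholders.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# --- Weak form -------------------------------------------------------------
# The secret is part of the program text: every unit ships the same value, it
# cannot be changed without a software release, and anyone who can read the
# binary or a configuration dump recovers it. Placeholder value.
BUILT_IN_SERVICE_PASSWORD = "placeholder-not-a-real-credential"


def check_service_login_insecure(password: str) -> bool:
    # Plain string comparison also stops at the first differing byte.
    return password == BUILT_IN_SERVICE_PASSWORD


# --- Hardened form ----------------------------------------------------------
# Each device gets its own random secret at installation, stores only a salted
# PBKDF2 hash of it, verifies with a constant-time comparison, and can rotate.
PBKDF2_ROUNDS = 300_000  # sized for the device CPU; higher slows offline guessing


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class CredentialStore:
    """In-memory stand-in for protected on-device storage (assumption of this example)."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def provision(self, account: str, password: str) -> None:
        self._records[account] = hash_password(password)

    def rotate(self, account: str, new_password: str) -> None:
        self.provision(account, new_password)

    def verify(self, account: str, password: str) -> bool:
        record = self._records.get(account)
        if record is None:
            # Spend the same effort for unknown accounts so timing does not reveal them.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(expected, actual)


def provision_unique_service_credential(store: CredentialStore, account: str = "service") -> str:
    """First-boot step: generate a random per-device secret and hand it over once."""
    password = secrets.token_urlsafe(24)
    store.provision(account, password)
    return password


if __name__ == "__main__":
    store = CredentialStore()
    issued = provision_unique_service_credential(store)
    print("issued secret verifies:", store.verify("service", issued))
    store.rotate("service", "new-placeholder")
    print("old secret after rotation:", store.verify("service", issued))
```

The point of the hardened form is not the hash algorithm but the properties it buys: no two devices share a secret, a leaked secret can be rotated in the field without a firmware release, and reading the device storage yields only a salted hash. Those are exactly the properties a hard-coded credential lacks.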

The vulnerability cannot be exploited remotely. To exploit it, a malicious actor would need physical access to a BD Totalys MultiProcessor or access to the system; any additional security controls in place would also have to be bypassed.

The vulnerability, tracked as CVE-2022-40263, affects all BD Totalys MultiProcessor versions, including versions prior to v1.70, and has been assigned a medium-severity CVSS score of 6.6 out of 10.

BD discovered the vulnerability and reported it to CISA under its responsible disclosure policy. According to BD, the vulnerability will be fixed in the upcoming v1.71 software release, which is expected to be available to end users in Q4 2022. In the meantime, BD has recommended mitigations to prevent exploitation.

End users should ensure that physical access controls are in place to restrict access to the BD Totalys MultiProcessor to authorized personnel only. If the device must be connected to a network, industry-standard security guidelines and procedures should be followed.

At the time the advisory was released, there were no known cases of exploitation of the vulnerability or exploits in the wild.

Vulnerability Found in Medtronic MiniMed 600 Series Insulin Pumps

The Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert about a recently disclosed vulnerability affecting a number of Medtronic insulin pumps. A malicious actor could exploit the vulnerability to alter patients' insulin dosages, causing too much or too little insulin to be delivered.

The vulnerability affects the Medtronic NGP 600 Series Insulin Pumps and their accessory components listed below:

  • MiniMed 620G: MMT-1710
  • MiniMed 640G: MMT-1711, MMT-1712, MMT-1751, MMT-1752
  • MiniMed 630G: MMT-1715, MMT-1754, MMT-1755
  • MiniMed 670G: MMT-1740, MMT-1741, MMT-1742, MMT-1760, MMT-1762, MMT-1762, MMT-1780, MMT-1781, MMT-1782

The vulnerability exists in the communication protocol the pump system uses to pair with other system components. A threat actor who successfully exploited it could slow or stop insulin delivery or trigger an unintended insulin bolus. The vulnerability cannot be exploited remotely, but it could be exploited by an attacker within wireless range of the patient and the system. The medium-severity vulnerability is tracked as CVE-2022-32537 and has been assigned a CVSS severity score of 4.8 out of 10.

Sophisticated technical expertise is required to exploit the vulnerability. It could only be exploited while the pump is being paired with other system components, and the attacker would need to be in close proximity to the pump, which limits the opportunities for exploitation. The FDA says it is not aware of any instances of the vulnerability being exploited.

Medtronic has issued an urgent medical device correction notice about the vulnerability and has advised all users of the affected insulin pumps to take steps to prevent exploitation. In their default configuration, all of the Medtronic NGP 600 Series Insulin Pumps listed above are affected by the vulnerability.

To prevent exploitation, Medtronic asks all users to turn off the Remote Bolus feature on the pump if it is enabled, and not to pair devices in public. Users are also encouraged to keep their pumps and related system components under their control at all times, to pay attention to pump notifications, alarms, and alerts, to disconnect the USB device from the computer whenever it is not being used to download pump data, and not to confirm remote connection requests or any other remote actions unless they initiated them personally or their care partner did.

Further information on the mitigations is available in Medtronic's urgent medical device correction notice.

FBI Alerts Healthcare Providers Regarding the Risks of Unpatched and Obsolete Medical Devices

The Federal Bureau of Investigation (FBI) has issued a private industry notification about the growing number of vulnerabilities in medical devices. If medical devices are not promptly patched and are running outdated software, malicious actors can exploit vulnerabilities to gain access to sensitive patient data or to the systems the devices connect to. With that access, threat actors can conduct attacks that disrupt the operations of healthcare organizations. Medical devices are often used to support patients with mild to serious health conditions, so attacks on these devices could cause serious harm to patients, and even loss of life.

The FBI says vulnerabilities in medical devices stem mainly from device hardware design and device software management. Running medical devices in their default configuration often gives threat actors an opportunity to exploit vulnerabilities. Devices with customized software can be difficult to patch and often require specialized procedures, which can delay updates and leave vulnerabilities unaddressed for much longer, increasing the likelihood that they will be exploited.

Medical devices were designed to perform specific functions, and security was never a priority because the devices were not regarded as a security risk. These devices are vulnerable, and if they are exposed to the Internet they could give threat actors an easy way to gain access to the devices, alter their functionality, or use them as a springboard for an attack on an organization.

The FBI cites recent research indicating that 53% of network-connected medical devices and other IoT devices used in hospitals have known critical vulnerabilities that have not been addressed, and that around 33% of healthcare IoT devices have a critical vulnerability that could affect the technical functionality or operation of the device. These devices include pacemakers, mobile cardiac telemetry, insulin pumps, intrathecal pain pumps, and intracardiac defibrillators.

One study suggests that medical devices have an average of 6.2 vulnerabilities per device. More than 40% of medical devices that reach end-of-life no longer receive security patches or software updates to address vulnerabilities, yet they frequently remain in use despite the security risks.

Unpatched and outdated medical devices provide cyberattack opportunities, so it is essential that vulnerabilities are addressed and risk is reduced to a low and acceptable level. The FBI offers several recommendations for improving the security of medical devices:

  • Ensure endpoint protection measures are in place, such as antivirus software and endpoint detection and response (EDR) solutions
  • Encrypt sensitive data
  • Change all default passwords, use complex and unique passwords, and limit the number of logins for each user
  • Maintain a detailed inventory of all devices, including patch status, software version, and any vendor-developed software components the devices use
  • Create a plan for replacing medical and IoT devices before they reach end-of-life
  • Ensure vulnerabilities are promptly patched on all medical devices
  • Perform scheduled vulnerability scans before adding any new device to the operating environment
  • Train employees to help mitigate human risks, including how to identify and report threats and the attacks that target staff, such as social engineering and phishing, and add banners to emails that come from external sources
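Several of these recommendations (the device inventory, patch status tracking, and end-of-life planning) come together in one routine check. The following is an added example for this digest, not the FBI's tool: a small inventory model that compares each device's installed version with the vendor's current release, flags devices past their vendor support date, marks network-attached devices with issues for isolation, and lists devices whose support ends within a planning horizon. The inventory records, the review date, and the version and support-date values are constructed.

```python
"""Inventory check that flags outdated and end-of-life medical devices.

Added example; it is not the FBI's tool, and the inventory below is constructed.
It implements the list above: keep patch status and versions per device, flag
devices behind the vendor's current release, flag devices past end-of-support,
and plan replacements before end-of-life arrives.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    installed_version: str
    vendor_current_version: str     # from the vendor's latest advisory (constructed)
    end_of_support: Optional[date]  # None means the vendor still supports it
    network_attached: bool


def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions correctly ('2.10.1' > '2.9.3')."""
    return tuple(int(part) for part in version.split("."))


def assess(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map asset_id -> list of issues; devices with no issues are omitted."""
    findings: Dict[str, List[str]] = {}
    for d in devices:
        issues = []
        if d.end_of_support is not None and d.end_of_support <= today:
            issues.append("end-of-life: no further security patches")
        if version_key(d.installed_version) < version_key(d.vendor_current_version):
            issues.append(f"outdated: {d.installed_version} < {d.vendor_current_version}")
        if issues and d.network_attached:
            issues.append("network-attached: segment or isolate until remediated")
        if issues:
            findings[d.asset_id] = issues
    return findings


def replacement_plan(devices: List[Device], today: date, horizon_days: int = 365) -> List[str]:
    """Asset IDs whose vendor support ends within the horizon (but has not yet)."""
    cutoff = today + timedelta(days=horizon_days)
    return [d.asset_id for d in devices
            if d.end_of_support is not None and today < d.end_of_support <= cutoff]


# Constructed inventory and review date.
INVENTORY = [
    Device("INF-001", "infusion pump", "2.3.1", "2.4.0", None, True),
    Device("MON-014", "patient monitor", "5.1.0", "5.1.0", date(2021, 6, 30), True),
    Device("LAB-007", "tissue processor", "3.0.2", "3.0.2", None, False),
    Device("PMP-022", "insulin pump", "1.2.0", "1.3.0", date(2023, 6, 30), False),
]
REVIEW_DATE = date(2022, 10, 31)

if __name__ == "__main__":
    for asset, issues in assess(INVENTORY, REVIEW_DATE).items():
        print(asset, "->", "; ".join(issues))
    print("plan replacement within a year:", replacement_plan(INVENTORY, REVIEW_DATE))
```

In a real deployment the inventory would be fed from the asset database and the vendor version and support dates from vendor advisories; the logic above is the part that tends to be missing, namely the comparison that turns a list of devices into a prioritized remediation queue.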

The FBI notification – Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities – and its full recommendations for mitigating vulnerabilities are available on this page.

Information About Risks of IoT in Healthcare and Security Recommendations

The Health Sector Cybersecurity Coordination Center (HC3) has published a security notification warning the healthcare and public health sector about the risks associated with Internet of Things (IoT) devices, along with recommendations for strengthening the security of those devices.

The Internet of Things (IoT) refers to physical devices that can exchange data with, or connect to, other devices over the internet. There are currently around 7 billion IoT-connected devices, and that number is expected to grow to 20 billion worldwide by 2025. These devices have sensors that collect data and connect to the internet, and they include a broad range of "smart" appliances such as TVs, washing machines, Amazon Echo devices, doorbell cameras, wearables, and voice assistants. IoT devices are also used in industrial settings, and many medical devices rely on IoT. Although recent advances in IoT technology have made it cheaper and more widely available, the underlying architectural layers have largely stayed the same, and there is growing concern that the devices can provide an easy entry point into healthcare systems.

The Threat of Cyberattacks Taking Advantage of Weak IoT Security

There is growing concern about the security of IoT devices and the threat of cyberattacks that exploit IoT vulnerabilities. These attacks can take the form of distributed denial of service (DDoS) attacks, which flood IoT networks with traffic to prevent communication. Threat actors also target IoT devices to recruit them into botnets used to conduct large-scale DDoS attacks on web applications.

Man-in-the-middle attacks are also possible, in which bad actors eavesdrop on legitimate communications to steal sensitive data or tamper with the traffic. As with software, bad actors can identify vulnerabilities that could be exploited to gain unauthorized access to the devices. In the healthcare sector, IoT medical devices could be accessed, their functionality altered to harm patients, or sensitive patient data stolen.

Although it is standard security practice to change the default passwords on all devices, IoT devices are often left in their factory configuration, including their default passwords. This leaves them vulnerable to brute force attacks, which can give threat actors access to the systems the devices connect to.

When IoT devices are not physically secured, they can be tampered with or have malware installed on them. The software on the devices could also be hijacked by forcing updates that install tampered software, malware, or malicious drivers.

How to Reduce Threat from IoT Devices in Healthcare

The widespread use of IoT devices in healthcare has significantly increased the attack surface, giving threat actors a much larger selection of devices to attack in order to gain access to healthcare systems. If a healthcare organization has a flat network, where IoT devices, standard IT equipment, and operational technology (OT) all share the same network, compromising an IoT device can allow a threat actor to move laterally and gain access to every device connected to the network. This is a major security risk, particularly given the comparatively weak security of IoT devices.

One important step for improving security is network segmentation, which reduces the attack surface. Network segmentation involves dividing the network into zones or subnetworks. This can reduce congestion and contain failures, and it also limits lateral movement: if an IoT device is compromised, it cannot be used to access other parts of the network.

HC3 recommends the following actions to reduce the threat from IoT devices:

  • Change default settings – Default settings on routers should be changed, along with the privacy and security settings on every IoT device.
  • Do not use Universal Plug and Play (UPnP) – UPnP can make office equipment vulnerable to cyberattacks.
  • Use strong passwords – Default passwords should be changed, and a unique, strong password should be used for every device to reduce the risk of brute force attacks.
  • Keep software and firmware up to date – The latest releases contain fixes for actively exploited vulnerabilities and other flaws.
  • Follow zero trust – Under the zero trust principle, nothing is inherently trustworthy, even when it is inside the network. Restrict access to resources to the few people who need it to carry out their job responsibilities.
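The segmentation and zero trust points above can be expressed as one policy check: define zones, write down the flows that are explicitly permitted, and treat everything else, including traffic between two devices in the same IoT zone, as denied. The following is an added example for this digest, not HC3's tool. It assigns addresses to zones by CIDR, evaluates constructed flow records against a default-deny allow list, and reports the flows a flat network would have let through. The zones, addresses, policy, and flow log are all constructed.

```python
"""Check flow records against a segmentation policy with default deny.

Added example for the segmentation and zero-trust points above; it is not
HC3's tool. Zones, addresses, the policy and the flow records are constructed.
Nothing is trusted because it is "inside": a flow is allowed only if an
explicit rule permits that source zone, destination zone and port.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed zones (RFC 1918 ranges) for a segmented hospital network.
ZONES = {
    "iot":      ipaddress.ip_network("10.30.0.0/16"),   # connected medical/IoT devices
    "clinical": ipaddress.ip_network("10.10.0.0/16"),   # EHR, PACS, workstations
    "ot":       ipaddress.ip_network("10.40.0.0/16"),   # building/operational technology
    "mgmt":     ipaddress.ip_network("10.250.0.0/24"),  # administrator jump hosts
}

# Explicit allow rules: (source zone, destination zone, allowed ports; None = any).
# Everything not listed is denied, including IoT-to-IoT traffic.
POLICY: List[Tuple[str, str, Optional[Set[int]]]] = [
    ("iot", "clinical", {8443}),        # device telemetry to the collector only
    ("mgmt", "iot", {22}),              # administrators may SSH to devices
    ("mgmt", "clinical", {3389, 22}),   # administrators may reach servers
    ("clinical", "clinical", None),     # intra-zone clinical traffic
]

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")

# Constructed flow log (one record per line).
SAMPLE_FLOWS = """\
2022-10-31T10:01:02Z src=10.30.0.21 dst=10.10.0.40 dport=8443 proto=tcp
2022-10-31T10:01:09Z src=10.30.0.21 dst=10.10.0.5 dport=3389 proto=tcp
2022-10-31T10:01:15Z src=10.30.0.21 dst=10.30.0.22 dport=22 proto=tcp
2022-10-31T10:02:00Z src=10.250.0.9 dst=10.30.0.21 dport=22 proto=tcp
2022-10-31T10:02:30Z src=10.10.0.40 dst=10.40.0.3 dport=502 proto=tcp
2022-10-31T10:03:00Z src=198.51.100.7 dst=10.10.0.5 dport=443 proto=tcp
"""


def zone_of(address: str) -> Optional[str]:
    """Name of the zone containing the address, or None if it is in no zone."""
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return None


def is_allowed(src_zone: Optional[str], dst_zone: Optional[str], port: int, policy=POLICY) -> bool:
    if src_zone is None or dst_zone is None:
        return False  # unzoned endpoints are never trusted
    return any(s == src_zone and d == dst_zone and (ports is None or port in ports)
               for s, d, ports in policy)


def find_violations(flow_log: str, policy=POLICY) -> List[Dict[str, object]]:
    """Return one record per flow the policy does not explicitly permit."""
    violations = []
    for lineno, line in enumerate(flow_log.splitlines(), start=1):
        match = FLOW_RE.search(line)
        if not match:
            continue
        src, dst, port = match.group(1), match.group(2), int(match.group(3))
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if not is_allowed(src_zone, dst_zone, port, policy):
            violations.append({"line": lineno, "src": src, "src_zone": src_zone,
                               "dst": dst, "dst_zone": dst_zone, "dport": port})
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"line {v['line']}: {v['src_zone']}->{v['dst_zone']} port {v['dport']} denied by policy")
```

On the sample log the check reports the IoT device reaching for RDP on a clinical server, the IoT device connecting to a neighbouring IoT device, a clinical workstation reaching into the OT zone, and a flow from an address outside every zone; the telemetry flow and the administrator's SSH session pass. The same check applied to a flat policy that allows every zone pair reports only the unzoned source, which is the difference between a segmented and a flat network in one line of output.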