Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.
Join Adlumin experts for a webinar on the “Fog” ransomware attack, exploring how their Ransomware Prevention technology stopped the breach and offering key strategies to defend against global cyber threats.
Join Adlumin experts for a webinar on the “Fog” ransomware attack, exploring how their Ransomware Prevention technology stopped the breach and offering key strategies to defend against global cyber threats.
Learn about common techniques and strategies used by threat actors to bypass MFA. Protect your business from cyber attacks with this informative blog post.
Learn about common techniques and strategies used by threat actors to bypass MFA. Protect your business from cyber attacks with this informative blog post.
Gain insights into the unique challenges that government entities face in maintaining cybersecurity. Explore strategies to mitigate risks and safeguard sensitive information.
Adlumin’s Threat Insights 2024 Volume II highlights significant trends, cyberattacks, and vulnerabilities faced by U.S. and global sectors, as observed by Adlumin’s Threat Research Team for March, April and May 2024. Discover three emerging threats, each presenting unique challenges to cybersecurity professionals.
Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.
Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.
Join our webinar on June 28th, 2024, focusing on cyber threats in educational institutions. Featuring insights from Adlumin’s Threat Research team and industry expert Mark Sangster, learn actionable strategies to strengthen your defenses. Topics include live demonstrations of MFA bypass techniques and tailored solutions for K-12 and higher education challenges.
In our quarterly industry spotlight series, we highlight the evolving threats faced by various industries and provide recommendations to enhance their security posture. Today, we shift our focus to the healthcare sector, a critical industry that faces unique challenges in safeguarding sensitive patient data and maintaining crucial healthcare operations.
Mitigating cybersecurity risks is critical in the healthcare industry due to the highly sensitive nature of patient information stored within Electronic Health Records (EHRs) and the important role these systems play in patient care. Healthcare organizations are prime targets for cybercriminals seeking to exploit vulnerabilities for financial gain or disrupt essential services.
Recent cyberattacks on healthcare organizations, like the Change Healthcare cyberattack, have demonstrated the growing sophistication and persistence of threat actors targeting this sector. Ransomware attacks, such as those leveraging Ransomware-as-a-Service (RaaS) and employing double extortion techniques, have caused significant disruptions and financial losses for healthcare providers. In response to these threats, organizations recognize the need to strengthen their cybersecurity defenses.
Adlumin previously detailed significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team, in Cybersecurity for Healthcare: 2024 Threat Insights.
Healthcare Threat Highlights:
Shifting from the identification of ransomware as the top threat in the healthcare industry, Adlumin’s Threat Research Team has developed crucial mitigation strategies and recommendations to help healthcare organizations better defend against these malicious attacks. Let’s explore key strategies recommended by Adlumin’s experts to enhance cybersecurity resilience in the healthcare sector.
Cybercriminals are continuously evolving their strategies, highlighting the importance for entities within the healthcare sector to remain alert and proactive. Key developments in their methodologies include:
For healthcare organizations looking to amplify their cybersecurity resilience against the pervasive threat of ransomware and other evolving cyber threats, the implementation of a comprehensive and integrated security strategy is paramount. By leveraging a centralized Security Operations Platform that incorporates all the recommended mitigation strategies and practices, organizations can streamline their cybersecurity efforts and enhance their ability to detect, respond to, and mitigate potential threats effectively.
Additionally, partnering with Managed Detection and Response (MDR) services can provide organizations with the expertise, tools, and continuous monitoring needed to mitigate risks, optimize threat response, and ensure a proactive defense against cyber threats. By adopting this holistic approach, healthcare organizations can strengthen their cybersecurity posture, safeguard patient data, and protect critical infrastructure in the face of threats.
Adlumin ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.
Adlumin’s Threat Research Team is the innovator behind Adlumin’s comprehensive threat hunting to improve visibility, reduce complexity, and manage risk. The team proactively searches for cyber threats lurking undetected in your network environment. They dig deep to identify non-remediated threats and other malicious activities to reinforce security defenses.
The recent ransomware attack on UnitedHealth’s Change Healthcare subsidiary highlighted the attractiveness of the data-rich U.S. healthcare industry to cybercriminals and the severe impact on patients and doctors. Total expenses from the attack are expected to surpass $1 billion, including a $22 million ransomware payment. With cybercriminals leveraging sophisticated techniques to infiltrate systems, encrypt data, and extract sensitive information, the healthcare sector faces significant challenges in safeguarding patient records and maintaining operational efficiency.
This industry spotlight highlights significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team.
Last year, the FBI’s Internet Crime Complaint Center released its latest report on Internet crimes and identified the healthcare and public health sectors as the most victimized by ransomware[1]. In fact, the healthcare sector had over 33% more reported victims than the second leading sector, critical manufacturing; 82% more than government facilities, and well more than double the number reported by the financial service sector. While waiting for the latest data reflecting 2023 cases, it’s almost certain that the healthcare sector will continue to see more ransomware attacks.
Ransomware gangs which operate under affiliate models often capture vital data, impose hefty ransoms for data retrieval, and significantly hinder patient care operations. The ransomware affiliate model resembles legitimate affiliate programs – hackers code the malware, while affiliates distribute it through Ransomware-as-a-Service (RaaS), then share the ransom profits. There may also be shared infrastructure for payout and money laundering operations. Combined, this lowers the barrier to entry for attackers and increases attack volume, fueling the overall threat.
Adlumin has observed wide adoption of a tactic known as double extortion in healthcare sector attacks. In double extortion operations, attackers encrypt sensitive and critical data as part of traditional ransomware operations, and exfiltrate or steal sensitive data. Ransomware actors then threaten public release of the data, meant to force payment of hefty ransoms even if defenders can recover encrypted data and systems from backups or other sources.
Adlumin has also observed ransomware operators increasingly threaten to report victims to regulatory authorities such as the SEC, resulting in almost certain fines if applicable under a host of old and new laws and regulations. Additionally, in uncovering Play ransomware. operations, Adlumin uncovered that ransomware attackers threaten to notify organization’s partners and customers as part ransom messages, a tactic meant to coerce payment. These factors can be especially important for those in the healthcare sector as HIPAA (Health Insurance Portability and Accountability Act) can impose fines for data breaches involving protected health information (PHI). The four categories used for the penalty structure are:[2]
| Tier | Description | Fines per Violation* |
|---|---|---|
| Tier 1 | A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules. | $137 to $68,928 |
| Tier 2 | A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules). | $1,379 to $68,928 |
| Tier 3 | A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. | $13,785 to $68,928 |
| Tier 4 | A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days. | $68,928 to $2,067,813 |
*Yearly cap of $2,067,813
Ransomware operators are also beginning to forgo encryption entirely, favoring data exfiltration and extortion operations. Both types have seen usage of Living-Off-the-Land (LOTL) techniques.
LOTL attacks are a stealthy tactic where attackers exploit legitimate tools already present on a system, like PowerShell, the command prompt, or native binaries like certutil, to carry out malicious activities. These “Living Off the Land Binaries” (LOLBins) blend in with normal system operations, making them more difficult to detect and allows attackers to steal data, move laterally within a network, or gain persistence without relying on easily identifiable malware.
On December 19, 2023, the FBI announced disruption of RaaS operations carried out by AlphV (also known as “BlackCat”). The FBI seized several websites created by the group and gained visibility into the BlackCat ransomware group’s computer network as part of the investigation[3]. Additionally, authorities offered victims access to an FBI-developed decryption tool allowing for recovery of encrypted data.
In response BlackCat called for open season against the healthcare sector stating, “Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS. You can now block hospitals, nuclear power plants, anything, anywhere.”[4]
On February 27, 2024, CISA, the FBI, and the Department of Health and Human Services (HHS), released a joint advisory which addressed BlackCat’s operations and attacks against the healthcare sector. They noted that, “Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most victimized. This is likely in response to the AlphV / Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”[5]
In late February 2024, as part of attacks against the healthcare sector, insurance provider UnitedHealth found itself in the crosshairs of BlackCat operations, it was reported the attack “had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.”[6] In a quickly deleted post to its darknet hosted website, BlackCat stated that it stole millions of sensitive records.
In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS), released a detailed analysis on BlackSuit, a new ransomware strain that poses a credible threat to the healthcare and public health (HPH) sector.
BlackSuit emerged in May 2023 and exhibits significant parallels to the Royal ransomware family, which succeeded the infamous Conti group linked to Russia. BlackSuit’s ties to these active threat actors suggest ongoing, aggressive targeting of the healthcare industry. HC3 outlined BlackSuit’s operations, including its use of double extortion tactics, specific technical details, and potential impact on healthcare services, alongside recommended defenses, and mitigation strategies.
As outlined in the HC3 report, BlackSuit’s impact could be significant, particularly if the group’s ties to the Royal and Conti ransomware families are confirmed. With its use of double extortion tactics, BlackSuit not only encrypts sensitive data on compromised healthcare networks but also threatens to leak stolen data unless a ransom is paid. This approach poses a dual threat: the immediate disruption of healthcare services due to inaccessible patient records and systems, and the long-term damage from the potential exposure of confidential patient data.
BlackSuit operates by encrypting sensitive data on compromised networks, employing a double extortion scheme that has so far targeted a limited number of victims across various sectors, including healthcare, in countries such as the U.S., Canada, Brazil, and the U.K. The analysis reveals BlackSuit’s operational techniques, encrypted file extensions, ransom demand methods, and its distribution via infected email attachments, torrent websites, malicious ads, and trojans.
Despite its limited use, the connections to Royal and Conti hint at a potentially significant threat landscape for the healthcare sector. Technical similarities with the Royal ransomware family, based on binary comparison tools, suggest BlackSuit could be a variant or affiliate of these larger, well-organized ransomware operations.
HHS emphasizes the importance of heightened security measures and preparedness within the healthcare industry to mitigate risks associated with ransomware attacks.
To protect against evolving cyber threats in the healthcare sector, Adlumin recommends practicing good cyber hygiene by staying informed of the threat landscape, updating software regularly, implementing a Security Awareness Program, and deploying endpoint protection solutions.
Adlumin’s threat research team advises healthcare organizations to regularly update software, segment their networks, and plan for incident response. They also recommend implementing security monitoring, and anomaly detection tools. In addition, secure backups, encryption of sensitive data, and HIPAA compliance are crucial elements of a strong cybersecurity strategy.
With a deep understanding of the healthcare sector’s unique challenges and vulnerabilities, Adlumin stands as a reliable partner in strengthening cybersecurity posture and ensuring regulatory compliance. Partnering with Adlumin equips healthcare organizations with the necessary tools and expertise to combat ransomware and protect critical infrastructure effectively.
Stay tuned, Adlumin’s Threat Research team is releasing in-depth mitigation strategies for the healthcare sector.
References:
[1] https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
[2] https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
[3] https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
[4] https://krebsonsecurity.com/2023/12/blackcat-ransomware-raises-ante-after-fbi-disruption/
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
[6] https://www.reuters.com/technology/unitedhealth-confirms-blackcat-group-behind-recent-cyber-security-attack-2024-02-29/
The Adlumin team recently investigated a security incident in which a malicious actor(s) successfully managed to gain unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.
The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.
Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) was not prompted to verify the legitimacy of the login sessions which would have protected against compromised credential-based attacks.
The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.
According to Duo’s online documentation (last updated on Jan. 29, 2024), a “New User Policy” to allow access without 2FA, does not prompt users to complete enrollment and they are granted access without two-factor authentication.1
This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.
With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.
When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.
In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely.2
To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.
Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.
References:
[1] https://duo.com/docs/policy#new-user-policy
[2] https://duo.com/docs/policy#overview
1140 3rd St. NE, Suite 340
Washington, DC 20002
(202) 570-7907
Copyright 2024 Adlumin, Inc. All Rights Reserved