Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.
Gain insights into the unique challenges that government entities face in maintaining cybersecurity. Explore strategies to mitigate risks and safeguard sensitive information.
Adlumin’s Threat Insights 2024 Volume II highlights significant trends, cyberattacks, and vulnerabilities faced by U.S. and global sectors, as observed by Adlumin’s Threat Research Team for March, April and May 2024. Discover three emerging threats, each presenting unique challenges to cybersecurity professionals.
Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.
Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.
Join our webinar on June 28th, 2024, focusing on cyber threats in educational institutions. Featuring insights from Adlumin’s Threat Research team and industry expert Mark Sangster, learn actionable strategies to strengthen your defenses. Topics include live demonstrations of MFA bypass techniques and tailored solutions for K-12 and higher education challenges.
In our quarterly industry spotlight series, we highlight the evolving threats faced by various industries and provide recommendations to enhance their security posture. Today, we shift our focus to the healthcare sector, a critical industry that faces unique challenges in safeguarding sensitive patient data and maintaining crucial healthcare operations.
Mitigating cybersecurity risks is critical in the healthcare industry due to the highly sensitive nature of patient information stored within Electronic Health Records (EHRs) and the important role these systems play in patient care. Healthcare organizations are prime targets for cybercriminals seeking to exploit vulnerabilities for financial gain or disrupt essential services.
Recent cyberattacks on healthcare organizations, like the Change Healthcare cyberattack, have demonstrated the growing sophistication and persistence of threat actors targeting this sector. Ransomware attacks, such as those leveraging Ransomware-as-a-Service (RaaS) and employing double extortion techniques, have caused significant disruptions and financial losses for healthcare providers. In response to these threats, organizations recognize the need to strengthen their cybersecurity defenses.
Adlumin previously detailed significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team, in Cybersecurity for Healthcare: 2024 Threat Insights.
Healthcare Threat Highlights:
Shifting from the identification of ransomware as the top threat in the healthcare industry, Adlumin’s Threat Research Team has developed crucial mitigation strategies and recommendations to help healthcare organizations better defend against these malicious attacks. Let’s explore key strategies recommended by Adlumin’s experts to enhance cybersecurity resilience in the healthcare sector.
Cybercriminals are continuously evolving their strategies, highlighting the importance for entities within the healthcare sector to remain alert and proactive. Key developments in their methodologies include:
For healthcare organizations looking to amplify their cybersecurity resilience against the pervasive threat of ransomware and other evolving cyber threats, the implementation of a comprehensive and integrated security strategy is paramount. By leveraging a centralized Security Operations Platform that incorporates all the recommended mitigation strategies and practices, organizations can streamline their cybersecurity efforts and enhance their ability to detect, respond to, and mitigate potential threats effectively.
Additionally, partnering with Managed Detection and Response (MDR) services can provide organizations with the expertise, tools, and continuous monitoring needed to mitigate risks, optimize threat response, and ensure a proactive defense against cyber threats. By adopting this holistic approach, healthcare organizations can strengthen their cybersecurity posture, safeguard patient data, and protect critical infrastructure in the face of threats.
Adlumin ensures swift setup, unrivaled visibility spanning endpoints, users, and the perimeter, and provides contextual insights for rapid, informed decision-making.
Adlumin’s Threat Research Team is the innovator behind Adlumin’s comprehensive threat hunting to improve visibility, reduce complexity, and manage risk. The team proactively searches for cyber threats lurking undetected in your network environment. They dig deep to identify non-remediated threats and other malicious activities to reinforce security defenses.
The recent ransomware attack on UnitedHealth’s Change Healthcare subsidiary highlighted the attractiveness of the data-rich U.S. healthcare industry to cybercriminals and the severe impact on patients and doctors. Total expenses from the attack are expected to surpass $1 billion, including a $22 million ransomware payment. With cybercriminals leveraging sophisticated techniques to infiltrate systems, encrypt data, and extract sensitive information, the healthcare sector faces significant challenges in safeguarding patient records and maintaining operational efficiency.
This industry spotlight highlights significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team.
Last year, the FBI’s Internet Crime Complaint Center released its latest report on Internet crimes and identified the healthcare and public health sectors as the most victimized by ransomware[1]. In fact, the healthcare sector had over 33% more reported victims than the second leading sector, critical manufacturing; 82% more than government facilities, and well more than double the number reported by the financial service sector. While waiting for the latest data reflecting 2023 cases, it’s almost certain that the healthcare sector will continue to see more ransomware attacks.
Ransomware gangs which operate under affiliate models often capture vital data, impose hefty ransoms for data retrieval, and significantly hinder patient care operations. The ransomware affiliate model resembles legitimate affiliate programs – hackers code the malware, while affiliates distribute it through Ransomware-as-a-Service (RaaS), then share the ransom profits. There may also be shared infrastructure for payout and money laundering operations. Combined, this lowers the barrier to entry for attackers and increases attack volume, fueling the overall threat.
Adlumin has observed wide adoption of a tactic known as double extortion in healthcare sector attacks. In double extortion operations, attackers encrypt sensitive and critical data as part of traditional ransomware operations, and exfiltrate or steal sensitive data. Ransomware actors then threaten public release of the data, meant to force payment of hefty ransoms even if defenders can recover encrypted data and systems from backups or other sources.
Adlumin has also observed ransomware operators increasingly threaten to report victims to regulatory authorities such as the SEC, resulting in almost certain fines if applicable under a host of old and new laws and regulations. Additionally, in uncovering Play ransomware. operations, Adlumin uncovered that ransomware attackers threaten to notify organization’s partners and customers as part ransom messages, a tactic meant to coerce payment. These factors can be especially important for those in the healthcare sector as HIPAA (Health Insurance Portability and Accountability Act) can impose fines for data breaches involving protected health information (PHI). The four categories used for the penalty structure are:[2]
| Tier | Description | Fines per Violation* |
|---|---|---|
| Tier 1 | A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules. | $137 to $68,928 |
| Tier 2 | A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules). | $1,379 to $68,928 |
| Tier 3 | A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. | $13,785 to $68,928 |
| Tier 4 | A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days. | $68,928 to $2,067,813 |
*Yearly cap of $2,067,813
Ransomware operators are also beginning to forgo encryption entirely, favoring data exfiltration and extortion operations. Both types have seen usage of Living-Off-the-Land (LOTL) techniques.
LOTL attacks are a stealthy tactic where attackers exploit legitimate tools already present on a system, like PowerShell, the command prompt, or native binaries like certutil, to carry out malicious activities. These “Living Off the Land Binaries” (LOLBins) blend in with normal system operations, making them more difficult to detect and allows attackers to steal data, move laterally within a network, or gain persistence without relying on easily identifiable malware.
On December 19, 2023, the FBI announced disruption of RaaS operations carried out by AlphV (also known as “BlackCat”). The FBI seized several websites created by the group and gained visibility into the BlackCat ransomware group’s computer network as part of the investigation[3]. Additionally, authorities offered victims access to an FBI-developed decryption tool allowing for recovery of encrypted data.
In response BlackCat called for open season against the healthcare sector stating, “Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS. You can now block hospitals, nuclear power plants, anything, anywhere.”[4]
On February 27, 2024, CISA, the FBI, and the Department of Health and Human Services (HHS), released a joint advisory which addressed BlackCat’s operations and attacks against the healthcare sector. They noted that, “Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most victimized. This is likely in response to the AlphV / Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”[5]
In late February 2024, as part of attacks against the healthcare sector, insurance provider UnitedHealth found itself in the crosshairs of BlackCat operations, it was reported the attack “had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.”[6] In a quickly deleted post to its darknet hosted website, BlackCat stated that it stole millions of sensitive records.
In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS), released a detailed analysis on BlackSuit, a new ransomware strain that poses a credible threat to the healthcare and public health (HPH) sector.
BlackSuit emerged in May 2023 and exhibits significant parallels to the Royal ransomware family, which succeeded the infamous Conti group linked to Russia. BlackSuit’s ties to these active threat actors suggest ongoing, aggressive targeting of the healthcare industry. HC3 outlined BlackSuit’s operations, including its use of double extortion tactics, specific technical details, and potential impact on healthcare services, alongside recommended defenses, and mitigation strategies.
As outlined in the HC3 report, BlackSuit’s impact could be significant, particularly if the group’s ties to the Royal and Conti ransomware families are confirmed. With its use of double extortion tactics, BlackSuit not only encrypts sensitive data on compromised healthcare networks but also threatens to leak stolen data unless a ransom is paid. This approach poses a dual threat: the immediate disruption of healthcare services due to inaccessible patient records and systems, and the long-term damage from the potential exposure of confidential patient data.
BlackSuit operates by encrypting sensitive data on compromised networks, employing a double extortion scheme that has so far targeted a limited number of victims across various sectors, including healthcare, in countries such as the U.S., Canada, Brazil, and the U.K. The analysis reveals BlackSuit’s operational techniques, encrypted file extensions, ransom demand methods, and its distribution via infected email attachments, torrent websites, malicious ads, and trojans.
Despite its limited use, the connections to Royal and Conti hint at a potentially significant threat landscape for the healthcare sector. Technical similarities with the Royal ransomware family, based on binary comparison tools, suggest BlackSuit could be a variant or affiliate of these larger, well-organized ransomware operations.
HHS emphasizes the importance of heightened security measures and preparedness within the healthcare industry to mitigate risks associated with ransomware attacks.
To protect against evolving cyber threats in the healthcare sector, Adlumin recommends practicing good cyber hygiene by staying informed of the threat landscape, updating software regularly, implementing a Security Awareness Program, and deploying endpoint protection solutions.
Adlumin’s threat research team advises healthcare organizations to regularly update software, segment their networks, and plan for incident response. They also recommend implementing security monitoring, and anomaly detection tools. In addition, secure backups, encryption of sensitive data, and HIPAA compliance are crucial elements of a strong cybersecurity strategy.
With a deep understanding of the healthcare sector’s unique challenges and vulnerabilities, Adlumin stands as a reliable partner in strengthening cybersecurity posture and ensuring regulatory compliance. Partnering with Adlumin equips healthcare organizations with the necessary tools and expertise to combat ransomware and protect critical infrastructure effectively.
Stay tuned, Adlumin’s Threat Research team is releasing in-depth mitigation strategies for the healthcare sector.
References:
[1] https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
[2] https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
[3] https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
[4] https://krebsonsecurity.com/2023/12/blackcat-ransomware-raises-ante-after-fbi-disruption/
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
[6] https://www.reuters.com/technology/unitedhealth-confirms-blackcat-group-behind-recent-cyber-security-attack-2024-02-29/
The Adlumin team recently investigated a security incident in which a malicious actor(s) successfully managed to gain unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.
The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.
Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) was not prompted to verify the legitimacy of the login sessions which would have protected against compromised credential-based attacks.
The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.
According to Duo’s online documentation (last updated on Jan. 29, 2024), a “New User Policy” to allow access without 2FA, does not prompt users to complete enrollment and they are granted access without two-factor authentication.1
This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.
With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.
When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.
In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely.2
To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.
Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.
References:
[1] https://duo.com/docs/policy#new-user-policy
[2] https://duo.com/docs/policy#overview
Thursday, April 18, 2024
1:00 PM ET
Mark Sangster, VP, Chief of Strategy, Adlumin
Kevin O’Connor, Director of Threat Research, Adlumin
Explore the latest ransomware cyber-threat trends in this new research from the Adlumin Threat Research Team.
The Adlumin Threat Research Team has been dedicated to tracking and analyzing the most important cybersecurity trends, including ransomware. Keeping up to date with these threats can make the difference between a minor event and an operational shutdown.
Join Kevin O’Connor, Director of Threat Research, and our host, Mark Sangster, VP, Chief of Strategy at Adlumin as the pair reviews significant takeaways, trends, and vulnerabilities in the new Threat Insights 2024 Volume I report.
What you will learn:
Adlumin’s Threat Insights 2024 Volume I reveals significant trends and developments in threats, vulnerabilities, and cyberattacks faced by U.S. industries from December to February 2024. Discover three key threats, each presenting unique challenges to cybersecurity professionals.
Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.
Thursday, March 21, 2024
1:00 PM EST
Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research
Cybersecurity professionals preach the power of multi-factor authentication (MFA), but what happens when a cybercriminal goes around it?
Join Adlumin’s Mark Sangster and Kevin O’Connor as they demonstrate MFA bypass techniques using EvilGinx 3. In this webinar, you’ll also see how attackers can leverage hijacked session cookies and EvilGinx phishlets to compromise user accounts and access. The pair will also dive into how to combat these attacks, along with the benefits of a fully visible network for cybersecurity.
The Adlumin Threat Research Team has peered into the future and unveiled their top predictions for the upcoming year.
With each passing year, hackers become more sophisticated and the consequences of a breach become more severe. To help organizations prepare for the challenges that lie ahead, we have compiled this list of the top four cybersecurity threats to be aware of.
From the growing threat of Ransomware-as-a-Service (RaaS) to the increasing impact of AI tools, these predictions will arm IT Directors with the knowledge they need to protect their organization from potential risks. So, buckle up and prepare for the top four cybersecurity challenges in the new year.
Ransomware attacks have become more sophisticated, causing financial, operational, and reputational damage to businesses and organizations. RaaS refers to the model where cybercriminals offer ransomware tools and infrastructure to other hackers, who then deploy the ransomware on their behalf. This has enabled malicious actors with less sophisticated technical skills to carry out ransomware attacks, and share the profits with the original creators.
The rise in RaaS actors is alarming because it lowers the barrier to entry, making ransomware attacks accessible to a broader range of cybercriminals. This means we can anticipate a surge in ransomware attacks as more individuals and groups access these tools. This trend threatens organizations of all sizes and sectors, as no one is immune to being targeted by ransomware attacks.
Ransomware has been a long-standing top cybersecurity threat, but in the new year, a shift in its tactics is predicted. Traditionally, ransomware attacks involved encrypting victims’ data and demanding a ransom for release. However, cybercriminals are expected to focus on data extortion increasingly.
This shift means threat actors will also exfiltrate sensitive information from victims’ systems and encrypt data. They will then threaten to release or sell this data if the ransom is not paid. This new approach adds an extra layer of pressure on organizations to comply with the attackers’ demands, as the exposure of sensitive data can lead to severe consequences, including reputational damage, regulatory penalties, and legal liabilities.
This cybersecurity threat prediction for the new year highlights the potential increased focus on attacks targeting the hospitality industry and the expected rise in the sophistication of fraud schemes. As the hospitality sector relies heavily on technology and handles a vast amount of customer data, it has become an attractive target for cybercriminals. This prediction suggests that attackers will continue to exploit vulnerabilities in hotel networks, reservation systems, point of sale (POS) terminals, and other digital platforms to steal confidential information.
For example, the Marriot Hotel has faced multiple cybersecurity breaches over the past couple of years. Their most recent breach resulted in losing 20 gigabytes of sensitive customer and employee data including credit card information in an extortion attempt.
The increased impact of malicious AI tools on both attackers and defenders is predicted to be a major cybersecurity threat. AI technology has evolved significantly, creating a new era in cyberattacks and defense strategies. Cybercriminals leverage AI tools to amplify the scale and sophistication of their attacks, making them harder to detect and mitigate. AI-powered malware can self-propagate, adapt, and evolve, posing immense challenges to traditional cybersecurity measures.
Organizations also protect themselves by using AI tools to enhance their security capabilities. AI can help identify and analyze threats in real-time, assist in incident response, and automate cybersecurity processes. However, these AI tools can generate false positives or negatives, leading to missed or misinterpreted threats and potentially unlocking vulnerabilities.
The use of AI on both sides creates a dynamic and rapidly evolving cybersecurity landscape. Attackers can leverage AI algorithms for advanced evasion techniques. On the other hand, defenders have the daunting task of keeping up with AI-powered attacks while navigating through potential inaccuracies or blind spots in their AI-enabled defense systems.
The threat of data breaches and ransomware attacks loom over organizations of all sizes and sectors. It’s no longer a matter of if your organization will get breached or attacked with ransomware but rather when. The harsh reality is that no system is invincible, and cybercriminals are continually finding new ways to exploit vulnerabilities.
While it can be challenging for IT teams to keep pace with evolving threats, innovative technology solutions and security measures are available to alleviate the strain. Organizations can automate threat detection and prevention processes by leveraging advanced security solutions like a Security Operations Platform and pairing them with Managed Detection and Response (MDR) Services, effectively mitigating the risks associated with cyber attacks.
Through the use of AI and machine learning, these solutions analyze vast amounts of data, identify anomalies, and respond to potential threats in real-time, empowering organizations to defend against cyber threats proactively.
Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.
1140 3rd St. NE, Suite 340
Washington, DC 20002
(202) 570-7907
Copyright 2024 Adlumin, Inc. All Rights Reserved