Jill Brummer says
https://www.msn.com/en-us/health/other/here-e2-80-99s-how-lawmakers-are-tackling-rising-cyber-threats-in-the-health-sector/ar-AA13LHkl
The article addresses the rise in cyber threats in the health sector. Congressional lawmakers are introducing policies and recommendations that address and mitigate the threats. The chairman of the Senate Intelligence Committee published a report that was divided into 3 sections: recommend that the federal government improve the country’s cybersecurity risk posture in the health care sector, help the private sector mitigate cyber threats, and assist health care providers in responding to and recovering from cyber-attacks. The rising challenges of cybersecurity insurance and the labor shortage of cyber workers across industries were also topics included in the report. The article also addresses that “the health care industry has been vulnerable to cyber-attacks because of the sensitive data and handles patient’s safety and health”. With life or death on the line, hospitals are more willing to pay ransoms, and to pay them quickly, than other industries or sectors that do not involve life or death situations. The article also states that there has been a 90% increase from the 1st quarter of 2022 to the 2nd quarter of 2022 in the number of attacks on the health care sector. US federal agencies issued a warning that the ransomware “Maui” has been targeting the healthcare sector and is linked to North Korea. The article also states that the agencies discourage health care providers from paying ransoms because it doesn’t guarantee the recovery of the stolen data. Finally, the article ends by stating “the question is no longer a matter of if or when but how often and how catastrophic the consequences”. Reading the article is pretty concerning to me. I knew that the health care sector was at a higher risk of being attacked, but I didn’t realize how often it was happening. Hopefully, with the congressional lawmakers stepping up their efforts, this can mitigate the attacks on the healthcare industry.
Nicholas Foster says
https://www.infosecurity-magazine.com/news/cisa-mfa-guidelines-to-tackle/ – CISA Publishes Multi-Factor Authentication Guidelines to Tackle Phishing
The article I have chosen to highlight this week speaks to the growing issue of phishing attacks. Phishing comes in a variety of flavors. As we’ve discussed in weeks prior, phishing can be targeted via whaling or spear phishing, or it can be spammy in nature. There is now PhaaS, or Phishing as a Service. Cybercriminals are literally selling their know-how to up-and-coming wannabe criminals, giving them a way to hit the ground running with their very own effective phishing campaigns. No longer are we in the days where, if you wanted to try and do bad things to people, you needed the know-how. Now you can just pay other mature cybercriminals to do all the heavy lifting. With these growing threats, CISA has published guidelines around MFA to combat the ever-growing phishing attacks. Not all MFA is up to par. Phone MFA such as SMS is susceptible to SIM swapping attacks, and typical push notification MFA prompts stating “yes it’s me” or “No it’s not me” are being combatted by cybercriminals using MFA fatigue attacks, where they just bombard the user with MFA prompts in hopes it wears the user down and they finally agree to it to make the prompts stop. CISA speaks to implementing number matching to deter users from just accepting the prompts, as it requires them to either choose from 1 of several number choices that could only be known by looking at the person trying to sign in, or to manually type the numbers, which stops the user from just trying to guess one of the numbers listed.
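The number-matching prompt described above, as an added example that is not part of the original comment or of CISA’s guidance: a simulated server side of a push MFA flow (hypothetical class and names, constructed values), showing why a bare approve-tap no longer completes sign-in and why a flood of prompts gives the user nothing to approve by habit.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed simulation of "number matching" push MFA (assumed design,
# not code from CISA or any authenticator vendor).
CHALLENGE_TTL = 60  # seconds a pending sign-in stays valid (assumption)
CHOICES = 3         # candidate numbers the app shows the user (assumption)


@dataclass
class PendingSignIn:
    user: str
    number: str     # two-digit code shown only on the sign-in screen
    created: float
    attempts: int = 0


class NumberMatchingMFA:
    """Server side of a push MFA flow that requires the sign-in screen's number."""

    def __init__(self, max_attempts: int = 3):
        self.pending: Dict[str, PendingSignIn] = {}
        self.max_attempts = max_attempts

    def start_sign_in(self, user: str) -> str:
        """Called once a password is accepted; returns the number to display on
        the sign-in screen. A fresh number per request means an unsolicited
        prompt carries nothing the victim could approve without that screen."""
        number = f"{secrets.randbelow(100):02d}"
        self.pending[user] = PendingSignIn(user, number, time.time())
        return number

    def authenticator_choices(self, user: str) -> List[str]:
        """What the push notification offers: the real number mixed with decoys,
        so a reflexive tap cannot succeed without reading the sign-in screen."""
        p = self.pending[user]
        decoys = set()
        while len(decoys) < CHOICES - 1:
            d = f"{secrets.randbelow(100):02d}"
            if d != p.number:
                decoys.add(d)
        return sorted(decoys | {p.number})

    def approve(self, user: str, typed_number: Optional[str]) -> bool:
        """Approval only counts when the user supplies the displayed number.
        A bare 'yes it's me' (None) is rejected, which is what defeats fatigue;
        the challenge is one-shot and locks out after too many wrong tries."""
        p = self.pending.get(user)
        if p is None or time.time() - p.created > CHALLENGE_TTL:
            self.pending.pop(user, None)
            return False
        p.attempts += 1
        ok = typed_number is not None and hmac.compare_digest(typed_number, p.number)
        if ok or p.attempts >= self.max_attempts:
            del self.pending[user]
        return ok
```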
Abayomi Aiyedebinu says
I chose this article because it showcases how the health sector has been one of the most targeted sectors by cyber criminals. Aveanna, a Georgia-based home healthcare and hospice provider, became the target of about 600 phishing campaigns. At one point, company employees received an email appearing to come from the company president asking for their participation in a survey. A complaint from the Massachusetts attorney general says more than 50 employees succumbed to the two-month phishing onslaught. Social engineering is an oft-used tactic of these criminals. Many companies alike are currently paying millions of US dollars to settle class action lawsuits.
https://www.bankinfosecurity.com/aveanna-healthcare-data-breach-could-cost-firm-more-than-1m-a-20428
Kenneth Saltisky says
https://www.bleepingcomputer.com/news/security/vmware-fixes-three-critical-auth-bypass-bugs-in-remote-access-tool/
VMware has released security updates related to three critical vulnerabilities in its Workspace ONE Assist solution that allow remote attackers to bypass authentication and elevate privileges to admin. Workspace ONE Assist provides remote control, screen sharing, file system management, and remote command execution for remote staff to access and troubleshoot devices. The attacks that exploited these vulnerabilities are low-complexity and do not require user interaction for privilege escalation. The newest version, 22.10, patched these vulnerabilities as well as a reflected XSS vulnerability that allows injecting JavaScript code and a session fixation vulnerability that allows authentication after obtaining a valid session token, presumably as a method of a replay attack. Several similar vulnerabilities have been found throughout the year, such as in August, when VMware warned admins about a potential authentication bypass, with a PoC being released by a researcher a week later.
David Vanaman says
https://krebsonsecurity.com/2022/11/hacker-charged-with-extorting-online-psychotherapy-service/
This article talks about a recent investigation in a ransomware and blackmail case that led to charges against a somewhat notorious hacker who went by the rather uncreative name “ransom_man”. The article goes into some detail about the methods that investigators used to identify and charge Julius “Zeekill” Kivimaki. Poor security on the part of the hacker when posting a data dump led to evidence that connected him to other activities and ultimately back to Kivimaki.
The company that was hacked was not blameless though. In an all-too-common narrative, a tech disrupter spun up a new service company with flashy features and poor attention to security or privacy. The investigation uncovered major lapses in security, like a MySQL database exposed online. Finland’s health services have not implemented legislation like HIPAA or similar EU health data protection that would have caught this sort of lapse.
Christa Giordano says
https://thehackernews.com/2022/11/robin-banks-phishing-service-for.html
This article discusses the Robin Banks Phishing as a Service (PhaaS) platform, which came to light in July of 2022 and offers a ready-made “phishing kit” that threat actors can leverage to steal financial information from unsuspecting individuals. Services offered include cookie-stealing functionality, use of false landing pages to prompt users to enter Google and Microsoft credentials, and using ad fraud to redirect phishing targets to rogue websites. The infrastructure is designed to rely on open source code and off-the-shelf tooling, which really makes phishing scams accessible for a broad population. Robin Banks was recently forced to move its infrastructure from Cloudflare to “DDoS-Guard, a Russian provider of bulletproof hosting services.” Cloudflare is popular among threat actors as they did not typically comply with takedown requests; however, Cloudflare dropped Robin Banks from its services for unknown reasons and caused a disruption of services for Robin Banks before they found their new platform. Ironically, Robin Banks has recently implemented multi-factor authentication in order for the threat actors to view the stolen information they acquired.
Matthew Stasiak says
https://securityaffairs.co/wordpress/138127/cyber-crime/cyberattack-blocked-trains-denmark.html
A cyber attack caused DSB trains in Denmark to be halted last week after threat actors hit an IT service provider. The Danish company, Supeo, provides enterprise asset management solutions to railway companies. The attack impacted the Digital Backpack 2 platform, which allows train drivers to access operationally critical information, and it was likely that the actors targeted operational technology. It was said to have been a ransomware attack that was financially motivated.
Maxwell ODonnell says
Australia is in the news again this week; it seems that they cannot catch a break when it comes to their online privacy. What I had written last week pertained to another Australian data breach; lack of regulation and less strict data standards are to blame for this. Medibank has confirmed this morning that the group responsible for a data breach affecting 4 million users has begun to release private information on the dark web in response to Medibank’s ransom refusal. According to Medibank, information like names, addresses, dates of birth, phone numbers, email addresses, and Medicare numbers was all released. Medibank has taken a strong stance on not complying with ransom demands, not wanting to incentivize other criminals to attempt the same, and even if they paid the ransom there is no guarantee of the data’s confidentiality. They were willing to take the risk; however, it is the data holders who ended up paying the price, as the records of 2,000 patients have now been released, with many more to follow, as the hackers claim. Medibank has also put out the same boilerplate response to this most recent data breach, urging its customers to be vigilant against phishing, unauthorized credit card usage, and other identity theft attacks. It seems that Australia as a whole needs to assess what they have been doing wrong and quickly address it, or they are going to suffer more attacks at the hands of international cyber criminals.
https://www.infosecurity-magazine.com/news/medibank-confirms-data-stolen-now/
Shepherd Shenjere says
This article speaks about whether a SIEM is replaceable or not. According to the article, the answer is either yes or no, but it’s not easy to come to that decision. They ran a survey that shows 21.6% of the people as satisfied, while 31.9% say they are getting over 80 percent of the value they expect from it.
The article went on to mention SIEM alternatives such as an integrated threat intelligence platform (TIP), a cloud-native data lake, and data centralization, normalization and enrichment, which I found interesting as it provides many more techniques not found in the traditional SIEM.
https://latesthackingnews.com/2022/09/21/6-necessary-features-of-siem-alternatives/?utm_content=223202966&utm_medium=social&utm_source=linkedin&hss_channel=lis-wOuKVokQNR