By Jacob Denton, chief information security officer, Mosaic451.
Unless your security team has been living in a cave in one of the last remaining places on the planet where you can still unplug, you have certainly heard about the Petya and NotPetya ransomware attacks and the chaos they caused. Petya was a somewhat “typical” ransomware attack in 2016: It encrypted the master boot record of infected computers and demanded a ransom in the form of Bitcoin. But NotPetya, a potentially state-sponsored attack against Ukraine, was more similar to WannaCry, which occurred shortly before in 2017. In addition to demanding that companies pay the hackers in Bitcoin, NotPetya also took advantage of the EternalBlue exploit and was a “worm” that could self-propagate, like WannaCry.
What made NotPetya unique was its intrusion into MeDoc, a Ukrainian tax and accounting software package. About 80 percent of Ukrainian businesses used this software at the time of the attack. The NotPetya hackers employed an innovative strategy: They slipped a slightly modified version of a file into MeDoc’s software updates.
Since MeDoc was so widely used throughout the Ukrainian business community, the hackers started spreading corrupted versions of MeDoc software in April. By June, undetected, they were able to insert the NotPetya ransomware. And since it was a worm, NotPetya was able to spread rapidly. It was a lot worse than Petya in its scope: It not only encrypted the master boot record, it also encrypted other important files, making the damage to companies’ hard drives even more serious.
Cyber security firm Cybereason reports that NotPetya cost companies approximately $892.5 million in lost revenue. While it first hit Ukraine, it hurt businesses worldwide, including FedEx, Merck, and Reckitt Benckiser.
What lessons have we learned?
First, that hackers have gone way past spamming naive end users. The NotPetya attack was particularly troubling because it was a “clickless” attack that didn’t need to rely on end users for access. It also took advantage of software updates, a routine and trusted part of everyday cyber security and therefore a holy grail for attackers.
Thankfully, there are some precautions cyber professionals can take away from this hack. According to Johns Hopkins University Computer Science Professor Matthew Green, one limited action developers could take to help “prevent their software updates from being corrupted” is to “code-sign.” This would mandate that anyone trying to add new code to an application would need to sign with a cryptographic key that cannot be forged. For example, MeDoc did not code-sign its updates, so hackers were able to alter code in the software update.
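The code-signing check described above, as an added example that is not part of the original post or of MeDoc’s software: a Go sketch in which the vendor signs each update with an Ed25519 private key that stays on its build system, the client verifies against a public key pinned in the installer, and, for contrast, a hash-only check that a compromised update server defeats. The key pair, payload strings and function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedUpdate is what the update server hands to a client: the update
// bytes plus the vendor's detached signature over them.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate runs only on the vendor's build system; the private key never
// reaches the update server, so a compromised server cannot re-sign.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) SignedUpdate {
	return SignedUpdate{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the client-side gate: install only if the signature checks
// out under the vendor public key pinned in the installer at build time.
func VerifyUpdate(pinnedPub ed25519.PublicKey, u SignedUpdate) bool {
	return ed25519.Verify(pinnedPub, u.Payload, u.Signature)
}

// HashOnlyCheck is the weak alternative: comparing the download against a
// hash served by the same server. An attacker who replaces the payload
// simply serves a matching hash, so the check passes on tampered code.
func HashOnlyCheck(payload, servedHash []byte) bool {
	sum := sha256.Sum256(payload)
	return bytes.Equal(sum[:], servedHash)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine := SignUpdate(priv, []byte("update-1.0.1: constructed sample payload"))
	fmt.Println("genuine update verifies:", VerifyUpdate(pub, genuine)) // true

	// An attacker controlling the update server swaps the payload (constructed).
	tampered := SignedUpdate{Payload: []byte("update-1.0.1: modified payload"), Signature: genuine.Signature}
	fmt.Println("tampered update verifies:", VerifyUpdate(pub, tampered)) // false
	// The same attacker also serves a fresh hash, so a hash-only client is fooled.
	h := sha256.Sum256(tampered.Payload)
	fmt.Println("hash-only check passes tampered update:", HashOnlyCheck(tampered.Payload, h[:])) // true
}
```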
By Shane MacDougall, senior security engineer, Mosaic451
The other day I was asked what is the biggest information security threat facing any company in 2019. Is it ransomware? Some AI powered malware? Overpowering DDOS attacks? I didn’t hesitate – the answer is the same as it has been since I was first asked the question over two decades ago. The biggest threat to our infrastructure remains our users.
Social engineering, an attack where hackers extract information and access, not from traditional hacking attacks, but rather by interacting with a person in conversation, remains a devastatingly effective method of gaining unauthorized information or access to a network. It’s an attack vector that rarely fails. Unlike logical attacks, social engineering leaves no log entries to trip IDS or alert security admins. As organizations invest more dollars into security appliances and next-gen blinky boxes designed to harden their perimeter, attackers are increasingly opting to target the weakest link – the end user.
Recently, I was in Canada at the Hackfest hacker conference in Quebec, as host and organizer of the second installment of its social engineering “capture the flag” competition. The three-part competition had the competitors first spend a week searching for specific pieces of information (flags) about their target company, from a list of items provided by Hackfest. The flags ranged from information that can be used for an onsite attack (who does your document disposal, what is the pickup schedule), to information that can be used for a logical attack (type of operating system, service pack level, browser and email client information), to networking information that tells the attacker about the infrastructure (wifi info, VPN access, security devices), and finally information about the employee and the work environment, which could be used to help the attacker pose as an insider.
The second portion of the competition put each contestant in a soundproof booth with 25 minutes to call their target company in front of an audience and gather as many flags as possible based on their dossier information. The third and final segment had competitors randomly draw a target; each contestant then had 30 minutes to use the audience members to search the web for flags or phone numbers to create a workable dossier. Each competitor was then put back into the booth to make another 25 minutes’ worth of calls in search of flags.
The results of this year’s contest were eye-opening, but sadly reminiscent of last year’s event. Of the eight companies targeted, all gave out information that would give an attacker an advantage for a remote attack, an on-site attack, or both. Specific breakdowns of results include:
75 percent visited a URL provided by their attacker
100 percent gave information about what version operating system/service pack version they were running
88 percent gave detailed information on what internet browser they were using
75 percent divulged information about Wi-Fi within their network
63 percent divulged information about secure document shredding, including their provider and the schedule for disposal
63 percent divulged detailed information about their email client
75 percent gave detailed information about the internal computer network
75 percent shared personal information about themselves and their work history
Guest post by Mike Baker, founder and principal, Mosaic451.
Over the past couple of months, hospitals and other healthcare facilities have come under siege by cyber-criminals. However, the hackers aren’t after patient data; they never even access it. Instead, they are infecting computers with ransomware, a type of malware that locks down a system and prevents the owner from accessing their data until they pay a ransom, usually in Bitcoin. Among the high-profile attacks that have made headlines:
In February, Hollywood Presbyterian Medical Center in Los Angeles fell victim to the Locky virus, which disabled the organization’s computers and kept employees from accessing patients’ electronic health records (EHRs). Access was restored a week later, after the hospital paid a $17,000.00 Bitcoin ransom to the hackers.
Shortly afterward, Methodist Hospital in Henderson, Kentucky, also fell victim to Locky and was forced to declare an internal “state of emergency.” However, instead of paying the ransom, the hospital reported that it was able to restore its data from backups.
In late March, Maryland/DC-based MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics, was hit by an undisclosed ransomware virus that forced the organization to revert to paper records. Like Methodist Hospital, MedStar did not pay the ransom and restored its system using backups.
Although any organization can fall prey to ransomware, lately healthcare facilities have been the primary targets. Some experts feel the problem has reached crisis levels – and hackers are only getting started.
Why Ransomware Attacks are on the Rise
Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must find a buyer. Then, the hacker has to negotiate a price. Conversely, in a ransomware attack, the hacker has a built-in “buyer” — the owner of the data, who is not in a position to negotiate on price.
Ransomware is also a simpler and quicker mode of attack than a data breach. Once a hacker has breached a system, downloading a large data set can take some time, during which the attack could be identified and halted. Because ransomware never actually accesses a system’s data – it just locks it down – it works far more quickly and covertly. Victims have no idea they have been compromised until they find they cannot access their system.
Data breaches and HIPAA violations became common, almost daily, news in 2015, exposing sensitive client information with devastating results. Understanding HIPAA compliance will be critical in 2016, especially since the Office for Civil Rights (OCR) will begin a new round of HIPAA audits.
In spite of record spending on firewalls, anti-virus software, malware detectors and the widget of the day, healthcare organizations keep getting hacked because the focus is in the wrong place. Here are three trends emerging in 2016 that can help any organization fight the good fight against cyberattacks.
Buying Technology Alone is a Security Strategy That Does Not Work
Healthcare is under constant pressure to safeguard assets; however, too many firms focus on security for HIPAA compliance and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when they use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it.
A majority of breaches involve data that has been stolen through record removal, whether virtual or physical. We see the trend in 2016 shifting from technology to people if healthcare organizations are going to defeat hackers.
Focus on the Human Element
Examine the largest data breaches of 2015. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare, such as smartphones and tablets, has also made the human element even more vulnerable, because this area of security is often overlooked and is, in fact, the weakest link.
Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2016 and beyond that must be recognized if organizations hope to safeguard patient records.