Federal Agencies Warn of Cyberattacks on U.S. Hospitals

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020,  the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain. 

Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.

Network Best Practices. The Joint Cybersecurity Advisory provides some practical precautions that health care providers can put in place to protect their networks from these threats:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts.
  • Do not reuse the same password for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Ensure that your remote access and application “block lists” and “allow lists” are up-to-date so that only those programs and individuals with permission can access your system.
  • Audit user accounts with administrative privileges and configure access controls with minimum necessary privileges in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and address ports that are not needed. (Ports are your network’s gateways for internet data exchange. There are 65,535 TCP ports and 65,535 UDP ports. Cybercriminals scan these ports to find access into your network and you should too!)
  • Identify the critical data assets on your network and ensure that backups of these assets are not connected to the network 24-7 and the most recent backup is housed offline from the network.
  • Implement network segmentation to secure sensitive data.  For example, sensitive data files should not reside on the same server as email.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

End User Awareness and Training. As pointed out in the Joint Cybersecurity Advisory, a best practice includes focusing on user awareness and training. Because end users are the most common targets, ensure employees and stakeholders are aware of ransomware and phishing scams and how they are delivered. To ensure that you can timely mitigate the risk and deploy your data security incident response plan, ensure employees and stakeholders know who to contact if they see suspicious activity or believe they are a victum of an attack.

Addressing the Ransom Demand. The Joint Cybersecurity Advisory also includes information on what to immediately do when a ransomware attack is discovered.  In particular, it advises not paying ransoms.  For more information about this read our article on the Wyatt HITECH Law blog discussing two new Treasury Department advisories issued on October 1, 2020 about the risks of paying ransoms and the potential for sanctions when doing so.

The Wyatt Data Incident Response Team has prepared “Six Tips” on responding to a cybersecurity incident within the first 24-48 hours. For more information on Wyatt’s Data Privacy & Security Incident Response Team see our Data Privacy & Incident Response Team brochure and visit the Data Incident Response Team tab on this blog.

New Treasury Department Ransomware Advisories Warn that Ransom Payment May be Sanctionable

by Margaret Young Levi and Kathie McDonald-McClure

Cyber attacks using ransomware have been on the rise during the COVID-19 pandemic.  Ransomware, whether it encrypts computer files or locks an entire hard drive, can block access to an organization’s essential operating data, unless the organization can obtain a decryption key. In many if not most cases, a decryption key is only available by paying a ransom to the cybercriminal.

On October 1, 2020, the U.S. Department of the Treasury Office of Terrorism and Financial Intelligence announced the issuance of two advisories aimed at fighting ransomware scams and attacks.  In making the announcement, Deputy Secretary Justin G. Muzinich said:

Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes. Treasury will continue to use its powerful tools to counter these malicious cyber actors and their facilitators.

The advisories also warned that those who facilitate ransomware payments may be sanctioned for violating Treasury law and regulations. However, Treasury’s efforts to crack down on ransomware in this way places its victims in the crossfire.  Ransomware victims may feel they have no choice but to pay the ransom if this is the only way to regain access to essential data, which is often the case when the most recent data back-up is also attacked and a decryption key is not available by other means.  Moreover, paying the ransom may be a matter of public safety.  For example, ransomware that locks healthcare providers out of patient electronic medical records, attacks computers that support life-saving medical devices, or that shuts down computers connected to automobiles and other consumer devices, could pose a risk of injury or even death.

Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory, entitled “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (Treasury Advisory). The Treasury Advisory is intended to educate financial institutions and others involved in cyber incident response measures about ransomware trends and indicators of ransomware as well as related money laundering activities.  More specifically, the Treasury Advisory addresses the following areas of concern:

CONTINUE READING

Scammers Target Remote Workers with Email Phishing Campaigns

By Lindsay Scott and Kathie McDonald-McClure

According to a recent USA Today article, the Federal Trade Commission (FTC) reported that it had received 83,858 fraud reports this year through August 9th relating to COVID-19 and the economic stimulus packages. Many of these fraud reports are connected to email phishing campaigns that target remote, telework or furloughed employees.

In one type of phishing campaign, scammers send emails to workers telling them that their employment is being terminated as a result of COVID-19 and purports to offer termination package options. These termination email scams provide clickable links inviting the employee to attend a teleconference meeting or to obtain additional information concerning the termination packages. Instead, these links download malicious software or require the employee to enter personal information, such as a Social Security number, in an attempt to steal their identity and ultimately commit financial fraud that harms the employee. Employees who receive a suspicious email telling them they are being terminated should notify their human resources department or other designated person in the organization.

Continue reading

U.S. Department of Homeland Security Issues SAP Critical Vulnerability Alert

Written by:  Kathie McDonald-McClure

On Monday, July 13, 2020, the Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued a SAP cybersecurity alert, No. AA20-195A, regarding a critical vulnerability that an unauthenticated attacker could exploit through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications. CISA strongly recommends that organizations immediately apply patches, prioritizing internet-facing systems and then internal systems.  At least 15 SAP Java-based solutions are affected, including the SAP Supply Chain Management, the SAP Enterprise Portal, Central Process Scheduling and other widely used SAP applications.  See the Alert for the list of 15 affected SAP applications.

CISA/NCSC Joint Alert Warns of APT Groups Targeting Healthcare and Essential Services

by Margaret Young Levi and Kathie McDonald-McClure

On May 5, 2020, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of techniques that advanced persistent threat (APT) groups are using to exploit the COVID-19 pandemic.

APT groups target and exploit organizations responding to COVID-19, such as healthcare organizations, pharmaceutical companies, universities, medical research organizations, and local governments. These groups seek to steal “bulk personal information, intellectual property, and intelligence that aligns with national priorities.” For example, pharmaceutical companies, medical research organizations, and universities have been targeted in order to steal sensitive research into COVID-19-related medicine for both commercial and governmental benefit.

These cybercriminals employ a variety of techniques to steal data.

Continue reading