Search This Blog

Showing posts with label Healthcare. Show all posts

AIIMS Server Shut Down for 7th Day, Two System Analysts Suspended


AIIMS Servers Compromised

The server of All India Institute of Medical Sciences is still out of service consecutively for the seventh day. The network is currently being inspected before restoring the services like hospital services which include outpatient, in-patient, and laboratories, as they continue to operate in manual mode. 

The restoration process takes some time due to the enormous volume of data and a large number of computers/servers for hospital services. AIIMS is taking cybersecurity measures to deal with the issue. 

Investigation Launched

The Intelligence Fusion and Strategic Operations (IFSO) unit of Delhi police registered a case of extortion and cyber terrorism on November 25. In the process, AIIMS suspended two system analysts on Monday after serving show-cause notices for alleged dereliction of duty. 

As per the official sources, internet services in the hospital are blocked as per the recommendations of the investigating authorities. 

News18 reports, "the CERT-In, the Delhi cybercrime special cell, the Indian Cybercrime Coordination Centre, the Intelligence Bureau, the Central Bureau of Investigation, National Investigation Agency, among others, are investigating the ransomware incident."

According to official sources, the NIC e-Hospital at AIIMS uses 24 servers for various hospital modules and four of these servers were hit with ransomware- primary and secondary database servers of the e-Hospital, and primary application and primary database servers of Laboratory Information System (LIS). 

Current state

Afterward, ransomware was also discovered in the elastic search virtual server 1.4. All compromised servers were separated, as per the sources. Four new servers were brought in, which includes two from external agencies, for restoring e-Hospital apps. 

The databases were restored on these four servers (now scanned) and the data can be accessed. Besides this, four servers of NIC applications were also scanned. Out of these, viruses were discovered in two servers. 

"AIIMS has around 40 physical and 100 virtual servers. Five have shown signs of the virus. These servers are also being set up for scanning and new servers with updated configurations are being purchased as most servers at AIIMS where the end of life/end of support," said a source to News18. 

The antivirus has been installed manually in around 2400 computers.



Cyberattack Targets US Hospital in Texas

Just several weeks following one of the largest healthcare cyberattacks in the US, another hospital system was taken down by a ransomware attack. 

According to a report, OakBend discovered that cybercriminals had accessed its network and encrypted parts of its system on September 1, 2022. In reaction, OakBend started working on network restoration before getting in touch with a third-party data security organization to help with the business's investigation into the event.

The investigation revealed that OakBend Medical Center's computer system had been accessed without authorization and that the hackers had been able to delete some of the material that was accessible.

OakBend Medical Center started looking through the affected files after learning that private customer information had been made available to an unauthorized entity, in order to ascertain what information had been hacked and whose customers were impacted.

On October 28, the medical system notified the Department of Health and Human Services (HHS) of a data breach affecting approximately 500,000 people. The attack has been linked to the ransomware and data extortion gang Daixin Team.

The group, which was formed in June of this year, has financial motivations. Fitzgibbon Hospital in Missouri was its prior victim, and the gang claims to have stolen 40GB of confidential data, including personnel and patient records.

Additionally, CommonSpirit, which manages over 140 hospitals in the US, decided not to reveal the precise number of its locations that were experiencing delays. However, a number of hospitals have reported being impacted, including CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle.

According to Brett Callow, a cybersecurity specialist at Emsisoft, ransomware has been used to breach 19 significant hospital chains in the United States this year.

OakBend stated: "Our analysis shows that only a small quantity of data was really transported outside of the OakBend computing environment, even though we are aware that the hackers had access to OakBend's servers to encrypt our data. However, it does seem that the cybercriminals were able to access or remove several employee data sets and some reports that contained the private and medical information pertaining to our present and past patients, employees, and connected individuals."

To all those whose information was affected as a result of the current data breach, OakBend Medical Center handed out data breach notifications on October 31, 2022.

Another Health Entity Reports Breach Linked to Meta Pixel Use


About the Breach

Another healthcare enterprise is treating its earlier use of FB's Pixel website tracking code in patient portals for a data breach requiring regulatory notification. WakeMed Health and Hospitals from North Korea informed the Department of Health and Human Services on 14 October of an unauthorized access/leak compromise impacting around 500,000 individuals. 

The entity's compromise notification statement said "select data"- it includes email addresses, novel coronavirus vaccine status and appointment info, and phone numbers- may have been sent to Facebook parent Meta via its deployment tracking number code. 

Breached Information

Impacted information didn't consist of Social Security numbers or other financial info, except when the info was put into a free text box by the user. As per WakeMed, it started using Pixel in 2018 and stopped its use after May. 

"WakeMed is a co-defendant in at least one proposed class action lawsuit filed in a North Carolina federal court involving its use of Pixel. That lawsuit, filed against Meta Platforms, WakeMed, and Duke University Health System on Sept. 1, alleges the medical systems violated medical privacy by the use of Pixel in the websites and patient portals. Neither WakeMed, Duke University Health nor Meta responds to Information Security Media Group's request for comment.," reports Bank Info Security.

Similar Compromise

WakeMed while reporting itself to the HHS' Office for Civil Rights for a data compromise by web tracking tech, joined another big healthcare entity in wanting to be proactive with regulators. Midwest Health System "Advocate Aurora Health" reported in October its usage of Pixel as a data breach impacting 3 million individuals. 

FB Pixel and likewise tracking tools are being scrutinized by privacy advocates, lawmakers, and class action attorneys who gave risen concerns over health data privacy in the wake of the Supreme Court's June decision changing the right to an abortion nationwide. 

The tracking pixels, if used in the manner intended, can gather and send considerable information about the user. 

In the case of a patient portal, it can include sensitive health info entered and viewed by patients that in the end get transferred to third parties. Consumer activity tracking used for marketing is not a right fit for the health sector. 

Lawmakers have contacted Meta CEO Mark Zuckerberg and expressed concern over the company's ability to get across its website tracking tools sensitive health information, which includes medial conditions, treating physician names, and appointment dates. 

BankInfo Security said, "Meta also faces at least four other proposed class action lawsuits about to be consolidated in the Northern District of California related to its use of Pixel and the privacy of health data."


Cyber-Attackers Claim to Have Accessed Customer Data at Medibank Australia

 


According to Medibank, which covers one in six Australians, an unidentified person notified the company that some 200 gigabytes of data had been stolen. This included medical diagnoses and medical treatments, as part of a theft that began a week earlier when the company disclosed a theft of 200 gigabytes of data.

As far as the number of its 4 million customers who may have been affected, the company did not provide information. However, it warned that the number is likely to rise as the issue unfolds. It was announced by the Australian Federal Police that they had opened an investigation into the breach, but that they had no further comments to make.

An Australian newspaper report has warned that the data of at least 10 million customers may have been stolen. This adds a heightened layer of intrigue to a wave of cyberattacks on the country's largest companies since No. 2 Telco Optus, owned by Singapore Telecommunications Ltd, revealed a month ago that the data of ten million customers may have been stolen. 

The majority of public commentary has so far focused on the possibility that hackers could gain access to bank accounts if they steal data or used identity theft to gain access to personal information. An article in the Sydney Morning Herald stated that it received a message from a person claiming to be the Medibank hacker threatening to publish medical records for high-profile individuals without receiving any payment until the hacker has been paid for his or her work.

Currently, the Melbourne-based security company is working with several cyber-security firms and has also contacted the Australian Cyber Security Centre (ACSC), which is the government's lead agency for cyber security.

"This is a situation where we have very sensitive information regarding healthcare and that information, if made public by itself, could cause severe harm to Australians, and that is why we at the Australian Broadcasting Corporation are so actively involved with this," said Cybersecurity Minister Clare O'Neill in an exclusive interview with the ABC.

As cyber security experts pointed out, it was unclear whether the three disclosures on data breaches were related to a single incident. This is because these attacks were diverse. However, the perceived publicity generated by the Optus attack may have drawn public attention to the hacker networks created by this company.

"When there is the highly visible breach, such as what happened to Optus in Australia, then hackers take notice of it and think they are planning to try to see what I can get away with down there," said the executive editor Jeremy Kirk for Information Security Media Group, one of the leading cybersecurity specialist magazines out there.

Interestingly, more than 2.2 million shoppers get their bargains on a bargain website that is used by Optus rival Telstra Corp Ltd. which on Tuesday disclosed an issue with employee data breaches, while Woolworths Group Ltd on Thursday said an unidentified party gained unauthorized access to the customer database of that site.

It has been well documented that high-profile data breaches demonstrate how crucial it is to use multi-factor authentication at every level of a company's network - i.e. when the person uses an authentication code sent to a separate device to log in - to prevent data breaches, according to Sanjay Jha, chief scientist at the University of New South Wales Institute for Cybersecurity.

Jha told Reuters over the phone that, although they have implemented such controls for end users, they should have even tougher controls for internal servers, since server security is a major concern.

"Continuous authentication is necessary for people not to log in and leave after logging in and leave forever, allowing attackers to access your computer and compromise it." Jha continued.

Founder and chief intelligence officer of F5, Dan Woods, a former FBI cyberterrorism investigator, commented that Australia had "undoubtedly endured its most difficult few weeks from a cybercrime perspective, but on the positive side, it's been a wake-up call for the country, one that it may have needed." 

Health System Ransomware Attack Outlines Patients' Vulnerability

 

A crippling ransomware attack on the second-largest nonprofit health system in the United States demonstrates how many patients can be left in the dark when critical healthcare infrastructure fails. 

The attack earlier this month on CommonSpirit Health, which operates 142 hospitals in 21 states, resulted in IT being locked down, surgeries being delayed, and widespread disruptions in patient care. According to experts, it also left millions of patients waiting at least two weeks to learn if their personal information had been compromised. 

"We don't know what was disrupted," Israel Barak, chief information security officer at Boston-based Cybereason, told Axios.

For instance, patients don't know what sort of potential disruptions this has caused to certain services or procedures and they have no idea the extent their personal information might have been stolen. As consumers of these services we don't have a way to control our destiny or manage our risk," Barak added.

According to the Washington Post, the latest attack occurs as the Biden administration considers how to strengthen minimum cybersecurity standards in critical infrastructure such as health care. In accordance with a recent report from Crowdstrike, there has been a nearly 50% increase in interactive intrusion campaigns this year, with some of the most notable increases targeting health institutions.

As per Fierce Healthcare, 45 million people will be affected by healthcare attacks in 2021, up from 34 million in 2020.

State of play:

Experts believe health-care systems remain particularly vulnerable to threats. According to Barak, they are highly complex, relying on vulnerable supply chains and connections with numerous small clinics and vendors. With lives at stake, hospitals stand to lose more if they do not pay up.

However, health systems have fewer incentives to prioritise cybersecurity, according to Grant Elliott, CEO of Arlington, Virginia-based risk management platform Ostendio.

"There is a distinct lack of enforcement within health care generally, and as a result, there isn't a huge amount of consequence to these organisations for failing to build an effective security programme," Elliott explained.

According to a 2020 study conducted by CybelAngel, more than 45 million X-rays, CT scans, and other medical images could be accessed on unprotected, unencrypted, and password-less servers.

What's next?

CommonSpirit confirmed in a statement Monday it is still working to bring systems back online.

"As previously shared, we took immediate steps to protect our systems, contain the incident, begin an investigation, and maintain continuity of care. It will take some time before we can restore full functionality and we continue work to bring our systems up as quickly and safely as we can," CommonSpirit said in an emailed statement.

They said they could not provide additional information because of an ongoing investigation. A page on their website said there was "no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities."

According to Elliott, there is no industry consensus on the best way to handle a ransomware attack, and while there are reporting requirements, it can also take health systems some time to fully determine what information has been compromised.

However, he stated that the problem with many federal health care regulations for hospitals when it comes to data breaches is that they are not specific enough.

"Especially when you have something like a ransomware breach," he said. "Is this particular breach, they've simply frozen the assets and the organization can no longer access information which is its own concern? Or has the third party actor actually gained access to that information and downloaded it and threatening to release that information?"

While the impact of ransomware attacks on patient safety is the primary concern, the speed and specificity with which hospitals communicate the threat to patients is also critical.

"As an industry, there's a lot more we can do to regulate how healthcare data is managed," Barak concluded.

XSS Bugs in Canon's Vitrea View Tool, Can Expose Patient Data


XSS Bugs in Canon's Vitrea View

In a penetration test, Trustwave Spiderlabs' experts found two reflected cross-site scriptings (XSS) flaws, together termed as CVE-2022-3746, in third-party software for Canon Medical's Vitrea View. The Vitrea View feature lets you view and safely share medical images via DICOM standard. 

"Canon Medical released a patch for these issues in version 7.7.6. We recommend all customers on version 7. x to update to the latest release. We always appreciate vendors like Canon Medical that approach the disclosure process with transparency and in the interest of the security of their products and users."

A threat actor can activate the bugs to access/change patient details (i.e. stored scans and images) and get extra access to some features related to Vitrea View. 

The first problem is an unauthorized Reflected XSS that exists in an error message at /vitrea-view/error/, reflecting all input following the /error/ subdirectory back to the user, with minor limitations. 

How does the bug work?

The researchers observed that space characters and single and double quotes can alter the reflection. The use of base 64 encoding and backticks (`) can allow to escape these restrictions, as well as importing remote scripts. 

The second problem is one more Reflected XSS within the Vitrea View Administrative panel. A threat actor can access the panel by luring the victims to click on a specially made link. 

The researchers found the search for 'limit', 'offset', and 'group' in the 'Group and Users' page of the admin panel all highlight their inputs back to the user, after the text is entered rather than anticipated numerical inputs. 

The report says :

"Like the previous finding, the reflected input is slightly restricted, as it does not allow spaces. Once an authenticated admin is coerced into visiting the affected URL, it is possible to create and modify the Python, JavaScript, and Groovy scripts used by the Vitrea View application.”

The researchers also wrote a proof-of-concept for both these vulnerabilities. Canon Medical handled these two vulnerabilities by releasing Vitrea View version 7.7.6. 




FDA Issues Cybersecurity Alert on Medtronic Insulin Pumps

The U.S. Food and Drug Administration issued a warning on Tuesday regarding the vulnerability of some insulin pump devices made by Medtronic. The flaw makes the devices vulnerable to cyberattacks while presenting a possibility for hackers to interfere with insulin delivery by gaining access to the device.

The FDA, a U.S. government organization, has issued an advisory regarding the MiniMed 600 Series Insulin Pump System from Medtronic, which includes the MiniMed 630G and MiniMed 670G devices.

The Department of Health and Human Services safeguards the public's health by ensuring the efficacy, security, and safety of pharmaceuticals for use in humans and animals, medical devices, and vaccinations. The agency is in charge of regulating tobacco products as well as the safety and security of our country's food supply, cosmetics, nutritional supplements, and devices that emit electronic radiation.

The FDA pointed out that many parts, including the insulin pump, constant glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device, connect wirelessly. A technical malfunction could make it possible for someone to break in and trigger the pump to administer the patient with either too much or too little insulin.

The insulin pumps are offered by Medtronic's diabetes division, which generated $2.41 billion in sales in 2021, or 8% of the business's overall revenue.

In the aftermath of the security incident, Medtronic cautioned users about the dangers and offered suggestions, such as advising them to permanently disable the 'Remote Bolus' function on the pump, refrain from disclosing the serial number of the device to unauthorized individuals, and avoid connecting or linking devices in public.

The business warned that patients should never accept remote connection requests and other remote activities unless patients or support persons initiated them and should always detach the USB device from their laptop while it is not being used to download pump data.

Although medical equipment is frequently connected to the internet, hospital networks, and other devices, the FDA warned that these same characteristics may pose cybersecurity threats.

According to the FDA advisory, "Medical devices, like other computer systems, might be subject to security breaches, possibly affecting the device's safety and effectiveness."

The MiniMed 508 and Paradigm insulin pumps have security flaws that Medtronic is unable to fully fix with software updates or patches. The FDA said that it was working with Medtronic to identify, discuss, and anticipate the negative consequences of this risk.


Rapid7 Finds Four Flaws in SIGMA Spectrum Infusion Pump and WiFi Battery



Rapid7 discovers four vulnerabilities

Rapid7 on April 20, 2022 found vulnerabilities in two TCP/IP enabled medical devices found by Baxter Healthcare. The four vulnerabilities impacted the company's SIGMA Spectrum Infusion Pump and SIGMA Wifi battery. 

After five months when Rapid7 reported the issue to Baxter, the organizations are now disclosing they have collaborated to discuss the effect, solution, and a team strategy for these flaws. 

InfoSecurity reports: all these vulnerabilities have now reportedly been fixed, but in the new disclosure report, Heiland clarified that even before the patches were released, the issues could not have been exploited over the internet or at a great distance.

About the vulnerability 

Rapid7 has covered the findings in a recent report, where the firm mentioned Sigma bugs were found by Deral Heiland, Rapid7’s main IoT (Internet of Things) expert. 

To give readers a general idea, Baxter’s SIGMA infusion pumps are generally used by hospitals to give medicine and nutrition directly into a patient's circulatory system. 

The first vulnerability (known as CVE–2022–26390) discovered by Rapid7 made the pump to send the WiFi credentials to the battery unit when it was connected to the primary infusion pump and the infusion pump got power. 

The second vulnerability (known as CVE–2022–26392), on the contrary, observed the exposure of the command 'hostmassage' to format string vulnerability while executing a telnet session on the Baxter SIGMA WiFi battery firmware version 16. 

The third vulnerability (known as CVE–2022–26393) is also a format string vulnerability on WiFi battery software version 20 D29. 

The last and fourth vulnerability (known as CVE–2022–26394) observed WiFi battery units (versions 16, 17 and 20 D29) enabling remote unauthorised modification of the SIGMA GW IP address (used in configuration of back-end communication services for devices' working). 

How does the attack take place?

The threat actor has to be within atleast WiFi range of the impacted devices, and in few instances, he will need to have a direct physical access. 

But if the hacker gets a network access to the pump unit, with a single unauthorised packet, he can make the unit to redirect all back-end system to a host they control, making a scope for for a possible man in the middle (MiTM) attack.

Rapid7 reports:

This could impact the accuracy of the pump data being sent for monitoring and recording purposes, and also potentially be used to intercept Drug library data updates to the pumps — which could potentially be dangerous."



HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers

 

The US Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently issued a warning about rising Karakurt activities against the healthcare centre. The department has now issued a new warning about Evil Corp attacks. 

According to the alert, Evil Corp is supposedly obtaining intellectual property from the United States healthcare sector on behalf of the Russian government. Evil Corp's Dridex trojan is competent in compromising the confidentiality and accessibility of operational systems and data, including financial and health data. 

The threat actor has constantly changed its tactics in order to avoid sanctions imposed by the US government, causing millions of dollars in damage.

Evil Corp has a plethora of tools and techniques at its disposal, which are frequently combined with commodity malware and off-the-grid tactics. Furthermore, HC3 is concerned because nation-state-sponsored threat actors, such as Evil Corp, see data exfiltration as a cost-effective way to steal intellectual property. 

In addition to the aforementioned, Evil Corp makes no distinction between large and small organisations, preferring to target wherever there is an opportunity. Karakurt has at least compromised an assisted living facility, a healthcare provider, a hospital, and a dental clinic, according to HC3. The group even transformed its leak site into a searchable database, making it easier to locate victims.

The healthcare sector has long been a favourite target of cybercriminals, and this has only increased since the pandemic's onslaught. On a regular basis, various threat groups target the sector. As a result, putting in place the necessary security measures is advised.

Data of 1.3M Patients of Novant Health was Leaked on Meta


More than 1.3 million users have received notices from healthcare provider Novant Health that their private health data (PHI) had unintentionally been leaked to Facebook parent firm Meta.

Facebook marketers can add JavaScript a monitoring script known as Meta Pixel to their website to monitor the effectiveness of their advertising. Unauthorized patient records access and disclosure started in May 2020, when Novant launched Facebook ad-based marketing campaigns to promote the COVID-19 vaccine.

The company said that Novant Health was employing a misaligned pixel on both its website as well as the Novant Health MyChart patient interface and the pixel carried code that allowed businesses to track website activity.

The healthcare company placed the Meta Pixel code on its website to track these advertisements and evaluate their effectiveness.

After a reporter contacted and questioned about the use of MetaPixel, the pixel was introduced to the portals in May 2020 and disabled in May 2022, after Novant Health learned of the potential data exposure.

Depending on a user's activity on the Novant Health website and MyChart interface, it was possible PHI would have been shared to Meta, Novant Health decided in June 2022.

Email addresses, phone numbers, computer IP addresses, contact information patients entered into Advanced Care Planning or Emergency Contacts, appointment information, the doctor they chose, and data like button/menu selections and or content typed into free text boxes were all potentially impacted information.

64 healthcare service providers in the United States use the MyChart portal, which enables their users to schedule medical appointments, ask for prescription refills, get in touch with their clinicians, and more.

Unfortunately, this means that due to the tracker's improper setting, even people who haven't actually used Novant's services may nonetheless have been exposed.

"Advertisers shouldn't send private data about individuals through our business tools. This is against our policies, and to avoid it from happening, we instruct advertising on how to set up business tools correctly. Our technology is built to weed out any potentially sensitive information it can find. We'll keep trying to get in touch with Novant," a Meta spokeswoman stated.

Only those who received notices may consider themselves victims of a breach, according to the company, which claims it has identified the affected persons following a thorough investigation that was finished on June 17, 2022. Novant claimed that it's not aware of any "improper or attempted use" of the information by Meta or any other third party. 

Neuro Practice Says 363,000 Users' Personal Info Leaked


About the leak

An Indiana neurology practice is informing around 363,000 people that their personal data was leaked in a recent ransomware attack and that a few of it was posted on the dark web.

The practice doesn't know which ransomware group or data leak site, however, the Russian ransomware group Hive - which was the topic of a recent federal advisor for the healthcare industry- is hinted at in the attack. Hive has been wildly attacking the U.S healthcare sector. 

What do experts have to say?

Nerve and gray matter experts Goodman Campbell Brain and Spine, in a data breach report to the attorney general of Maine in July, said a "sophisticated" ransomware attack that compromised its computer network and communications system- which includes phones and e-mails, compromised employees and patients data. 

"A healthcare entity informing individuals in a breach notification letter or statement that their information has been potentially listed on the dark web is a highly uncommon level of transparency," reports Bank Info Security. 

How did Practice combat the issue?

Once the attack was discovered on May 20, the practice took immediate steps to safeguard its systems and did a forensic analysis and incident response firm. Goodman Campbell also notified the FBI. An inquiry into the case revealed that a malicious third party had acquired info from the practice's systems.

However, the hacker didn't access the electronic medical record system, but accessed patient info and records in other locations in the internal networks, like appointment schedules, insurance eligibility documentation, and referral forms. 

Info compromised in the attack includes date of birth, names, telephone number, address, e-mail IDs, medical record number, patient account number, physician name, dates of service, diagnosis and treatment information, insurance info, and social security numbers. 

"While we have no indication that the information of any impacted individuals has been used inappropriately as a result of this incident, we do know that some information acquired by the attacker was made available for approximately 10 days on the dark web," says the practice notification. 


Data of 4,000 Patients at VCU Health Exposed

 

A recent incident compromising the privacy of user-protected health information has been reported by Virginia Commonwealth University Health System. 

The institution revealed the confidential health information of almost 4,000 individuals for 16 years. According to VCU Health's research, the information was available to donors, and recipients as early as January 4, 2006.

There is no proof, according to VCU Health, that any information has been exploited. There were 4,441 donors and beneficiaries in total for this incidence.

On February 7, 2022, a data leak was discovered. On March 29 and May 27, 2022, additional details about the categories of data involved, were disclosed. The information which could be seen in the medical records of other transplant patients or donors included names, Social Security numbers, lab results, medical record numbers, and dates of service.

Customers who are notified have been reminded to keep an eye out for any fraudulent behavior by regularly monitoring their financial account statements. Individuals who may have had their Social Security data exposed have been provided free credit monitoring. 

''Many health care systems are built in a way that sensitive data, such as SSNs, DOBs, or other PII/PHI, is either not shared at all, is at least hidden on the screen by default, and reading them requires additional step-up verification.'' The Synopsys Software Integrity Group's Ashutosh Rana, a senior security consultant, stated. 


Dark Web: 31,000 FTSE 100 Logins

 

With unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn the UK's largest companies that they could unintentionally be exposed to significant vulnerability. Outpost24 trawled cybercrime sites for the compromised credentials, discovering 31,135 usernames and passwords related to FTSE 100 companies using its threat monitoring platform Blueliv.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year) Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.

Hackers Use Insulin Pump Management Vulnerability To Compromise Device

 

A recent study by Lyrebirds, a cybersecurity consultancy organization from Denmark, reveals that a design protocol vulnerability in the Insulet Omnipod Insulin Management System, aka Omnipod Eros, allows a hacker to take command of the device and send programming commands, which includes instant insulin injection. The flaw was found in the communication protocol, that makes it possible for a threat attacker to cut the signal through jamming or via sending messages after the nonce transmission, without the nonce being invalidated by the device. 

The nonce, alone, isn't linked to the device, meaning it can be used for any command the threat actor would like to execute and lets both devices to return to the anticipated, instant program flow, meanwhile continuing to send or set the harmful tactics. The controller and its pump communicate above 433 MHz radio with three packaging layers that exist on top of radio communication, which includes command and respond message and packet. The controller sends an order to the pump and it replies. The programming commands need a 4-byte nonce as the first parameter. 

Upon setting off a pump, the pump and the controller exchange the LOT and serial identification of the pump used for seeding a pseudo-random generator within both the pump and the controller. Once paired, the generators stay in synchronization for the lifetime of a pump. If it gets out of sync, a re-sync process is done but the new seed depends on the identification number sent during pump setup. The device needs a message with a serial number to deliver any packet, but it doesn't involve encryption within the system comes. 

Experts say that the information sent between controller and device isn't encrypted. As a result, the information in the message and packet headers can be exposed. "For example, the report shows a passive observer could parse the needed information from the pump status before a scheduled time. An attacker could also extract the data directly from the headers they’re trying to exploit from the programming command," SC Media.

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware

 

Biomanufacturing facilities in the US are being actively targeted by an anonymous hacking group leveraging a new custom malware called ‘Tardigrade’. 

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) claimed this week that the first attack was launched using this new malware in spring 2021, followed by the second assault in October.

 New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is supposedly the work of an advanced threat detection group or a nation-state intelligence service. The malware is primarily used for espionage though it can also cause other issues including network outages. The recent assaults are also believed to be linked to Covid-19 research as the pandemic has shown just how crucial biomanufacturing research is when creating vaccines and other drugs. 

Tardigrade’s functionality includes a Trojan, keylogger, data theft, and also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade as BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider. However, security researchers that spoke with Bleeping Computer believe that it is a form of the Cobalt Strike HTTP. 

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites that will enhance the security and response postures (i) Scan your biomanufacturing network segmentation, (ii)  Collaborate with biologists and automation experts to design a full-proof analysis for your firm, (iii) Employ antivirus with behavioral analysis capabilities, (iv) Participate in phishing detection training (v) Stay vigilant.

UMass Memorial Health Suffers Data Breach, 209,000 Users Affected

 

UMass Memorial health, a health care network based in Massachusetts reported a phishing incident that might have leaked personal information of hundreds of thousands of victims. An unauthorised access to restricted employee mail accounts lasted for around seven months, from June 2020 to Jan 2021, before the attack was identified, UMass Memorial said in its statement on the official website. UMass Memorial health consists a medical center, three other healthcare institutes along with a medical group, in a report to Department of Health and Human services mentioned about an email incident affecting around 209,000 individuals. 

According to UMass Memorial health, it confirmed the breach (on 7 January) when some employees' mail accounts were accessed by an unauthorised user. The information was posted on HIPAA-Breach Reporting Tool website (belonging to HHS' Office for Civil Rights.' Generally known as the "wall of shame," the website contains health data breaches impacting 500 or more users. The healthcare institute (on 25 August) concluded identifying the affected users whose information might have been leaked. 

For patients who have been affected with the breach, the leaked data includes names, ID numbers, subscribers, and election beneficiary information. Whereas for few individuals, driver's license number and social security numbers were also there in the breach. For health plan participant victims, the leaked data includes names, dob, health insurance information, medical record numbers and treatment information, like date of service, diagnoses, prescription information, procedure information and provider names. According to UMass, it does not have any evidence that any information was in fact viewed or accessed, only that it was simply contained within an email account that was compromised. 

UMass also says that there is no proof to suggest data misuse, however, the affected individuals would be offered one year complimentary credit and identify monitoring. "UMass Memorial Health says that to prevent similar incidents in the future, it has reinforced education with its staff regarding how to identify and avoid suspicious emails and the organization is also making additional security enhancements to its email environment, including enabling multifactor authentication," reports Gov Info Security.

Cyber Attacker had Prior Access to the IT Systems of OSF Healthcare Before Outage

 

The Journal Star reported that OSF HealthCare's computer systems were back up on April 25 following a two-day outage that forced the Peoria, Ill.-based health institution to implement downtime processes and policies. The outage occurred around 3:45 a.m. on April 23, as per the report. 

OSF HealthCare, based in Peoria, Ill.- started informing patients on October 1 that their personal health information had been exposed for more than six weeks as a result of a cyberattack on its IT systems earlier this year. At numerous OSF HealthCare hospitals and sites, the computer systems included patient information and records.

OSF HealthCare is a non-profit Catholic healthcare organization based in Illinois and Michigan that administers a medical group, hospital system, and other healthcare facilities. OSF HealthCare is owned and run by the Sisters of the Third Order of St. Francis and is headquartered in Peoria, Illinois. 

"During the outage, downtime procedures and protocols were closely followed, which included rescheduling some appointments and procedures," an OSF HealthCare spokesperson informed. "Patient safety is at the forefront of everything we do, and any decision to delay an appointment or procedure was made with safety in mind." 

OSF HealthCare announced on its website on Oct. 1 that the outage was caused by a data security problem. After conducting an investigation, the health system learned that an unauthorized entity obtained access to its networks from March 7 to April 23. The hacker gained access to various files relating to OSF Little Company of Mary and OSF Saint Paul patients. 

The compromised data include personally identifiable information, name, birthdates, Social Security numbers, treatment information, medication information, and health insurance information. As per the warning, financial information from a "smaller subset of patients" was also compromised. 

Patients whose Social Security numbers or driver's license information were disclosed will receive free credit and identity monitoring services from the health system. OSF HealthCare further stated that new precautions and technical security procedures have been adopted to safeguard its network infrastructure. 

OSF HealthCare operates 14 hospitals and a variety of other institutions throughout Illinois and Michigan. All institutions and facilities continued to operate and also admitted new patients during the April outage.

HC3 Issues a Warning About a LockBit Ransomware Variant

 

The Health Sector Cybersecurity Coordination Center issued a threat briefing on LockBit, a ransomware gang that recently published a new variation. The hackers were behind the widely publicized ransomware attack on Accenture this summer, in which the firm was supposedly held hostage for $50 million. Threat actors claimed to have acquired more than six terabytes of data, according to researchers from the cyber intelligence firm Cyble. 

"Through our security controls and protocols, we identified irregular activity in one of our environments," said Accenture in a statement. "We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture's operations, or on our clients' systems." 

According to Eleanor Barlow, content manager at SecurityHQ, LockBit attacks are recognized for their ability to encrypt Windows domains using Active Directory group settings. When a domain is compromised, the malware generates new group policies and sends them to networked devices. The policies in this case disable antivirus protection and allow malware to be installed.

"Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion," wrote officials from the cybersecurity arm of the U.S. Department of Health and Human Services in its brief.

LockBit was founded in September 2019 and began advertising its "ransomware as a service" affiliate scheme in January 2020, according to HC3. In May 2020, it began collaborating with Maze, another ransomware organization, and in September of the same year, it launched its own leak site. LockBit v2.0 was released in June of this year. Now, according to HC3, it employs a double extortion scheme involving the StealBit malware. It has improved encryption and circumvents user account control methods.

It also relaunched its affiliate programme, in which affiliates determine the ransom, choose the payment method, and receive the majority of the money before paying the gang. Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan are not part of the Commonwealth of Independent States. 

According to HC3, hospitals are simple targets, but the LockBit affiliate showed "a great dislike for people who attack healthcare companies while providing contradicting information regarding whether he targets them himself." Although the United States has lucrative targets, data privacy regulations mandating victim organizations to notify all breaches have lowered the incentive for such entities to pay the ransom, according to HC3.

16.17 GB of User Data Stored in Fitness Bands, Exposed

 

The development and sudden boom in IoT equipment in the healthcare sector have resulted in the surge of cyber attacks. The use of wearable equipment such as health trackers and fitness bands has recently grown common. The safety and security features of these fitness trackers are an ongoing worry since they have a lot of important information about the user. 

Recently, 16.18 GB of unencrypted database disclosing over 61 million records of users stored in their fitness wearables was identified in the latest security analysis at WebsitePlanet. A substantial percentage of disclosed records were all related to IoT fitness and health monitoring devices. 

Following additional research, several references were made to "GetHealth," a New York City-based firm that claims a unified solution for hundreds of wearables, healthcare devices, and apps to access health and wellness data. The GetHealth database was not encrypted by default and allows easy accessibility for everyone. After researchers have notified GetHealth, the database is now encrypted. 

GetHealth platform can synchronize health-related information from a multitude of sources, such as Fitbit, Misfit Wearables, Microsoft Band, Strava, Google Fit, 23andMe, Daily Mile, FatSecret, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Moves App, PredictBGL, Runkeeper, Sony Lifelog, Strava, VitaDock, Withings, Apple HealthKit, Android Sensor, and S Health.

Plenty of the information leaked comprised the first and last names of users, date of birth, body weight, height, sex, geolocation, etc. “This information was in plain text while there was an ID that appeared to be encrypted. The geolocation was structured as in America/New_York, Europe/Dublin and revealed that users were located all over the world,” WebsitePlanet said. 

Whereas the researchers analyzed a sample of 20,000 records, the majority of leaked data were from Fitbit (2.766 times) as well as from Apple HealthKit (17,764). This security flaw affects a majority of the customers of Apple Healthkit because Healthkit gathers deeper health information than any other instruments or applications, like blood pressure, body weight, sleep levels, and blood glucose. 

Fitness trackers are equipped with vital information to monitor the user's health. This might also lead to several privacy problems, regrettably. The confidential material of users is a financial enterprise for individuals in charge of threats. In tailored phishing attacks, identity thefts, or social engineering attacks, the data may be abused by cybercriminals. 

“This case sets an example of how lack of care with sensitive data can make risks escalate indefinitely, as millions of people were exposed simply by wearing tracking devices during their workout sessions,” WebsitePlanet added.

COVID19 Vaccine Fraudsters Targeted Health Authorities in 40 Countries

 

INTERPOL has issued a global alert regarding organized criminal organizations approaching governments and peddling COVID-19 vaccinations through fraudulent offers. 

After INTERPOL reported about 60 incidents from 40 nations, the international law enforcement organization sent a warning to all 194 member countries. 

The staff of hospitals and health ministries was targeted, with fraudsters promising to offer COVID-19 vaccinations that had been licensed for distribution in their respective countries. To mislead their victims, the hackers pretended to be executives of vaccine manufacturers or government officials in charge of vaccine distribution. 

To finalize the deal, the fraudsters targeted their victims' work and personal email accounts, as well as tried to contact them over the phone, cold calling, and pitched about fraudulent vaccines. The fraudsters' techniques should raise certain red flags as vaccination purchases are negotiated on a government level or, in the case of the European Union (EU), by a special Joint Negotiation Team.

Vaccine producers also played a key role in drafting the warning, since INTERPOL based it on information supplied by the manufacturers, stressing additional scam strategies such as the use of counterfeit websites and social media profiles. 

The INTERPOL Secretary General Jürgen Stock stated, “As we see with cybercrime, usually it is the private sector which has the most information about attacks and trends, which is exactly what has happened with these attempted vaccine scams. Even when a fraud fails, it is important that it is reported to the police so that potential links can be identified and also, as in the case of the alert INTERPOL has issued, to warn law enforcement about these threats.” 

He further said that with the pandemic still spreading and nations striving to vaccinate their citizens promptly and safely, the vaccine rollout process needed to be safeguarded from the beginning of the production process until the vaccines are distributed. 

An Ongoing Issue

INTERPOL and the Homeland Security Investigations (HSI) of the United States published a joint alert earlier this year advising against the purchase of fraudulent COVID-19 vaccinations and treatments. 

Throughout the COVID-19 pandemic, cybercriminals have been highly active, attacking everyone from ordinary individuals to medical companies and government agencies engaged in the vaccine development, approval, and distribution process.  

Scammers have deployed a series of COVID-19 vaccine-related frauds in the past year, hacked an Oxford University research lab working on strategies to prevent the COVID-19 pandemic, and even hacked the European Medicines Agency and disclosed stolen vaccine papers. 

To avoid being scammed, using a trustworthy security solution with a spam filter is one of the simplest ways to remain secure. If people get an unsolicited email from someone they don't know, they should be extremely cautious and look out for general red flags.