• Sarah Anderson

5 Ways for Hospitals to Brace for Cyber Impact

Hospitals and healthcare organizations are struggling. Whether plagued by N95 mask shortages or liquidity issues caused by the inability to conduct elective surgeries, healthcare workers and administrators continue to face novel challenges. These vulnerabilities attract predators.

On April 20, 2020, 5 U.S. Senators wrote a letter to Chris Krebs, the Director of the Cybersecurity and Infrastructure Security Agency, and Gen. Paul Nakasone, Commander of U.S. Cyber Command, requesting 6 actions to enhance cybersecurity health and resiliency across the U.S. Department of Health and Hospitals, as well as healthcare nationwide. Senators Tom Cotton, David Perdue, Edward Markey, Mark Warner, and Richard Blumenthal identified “Russian, Chinese, Iranian, and North Korean hacking operations” as targeting the U.S. health care sector and using coronavirus to lure victims.

On April 27, 2020, CNN similarly reported that “Hospitals, research laboratories, health care providers and pharmaceutical companies have all been hit… struck by a surge of daily strikes[.]” According to CNN, Chinese group APT41 is carrying out the biggest portion of these cyberattacks, with many bad actors looking to steal coronavirus research and intellectual property. The Department of Justice contributed to the article, confirming the escalation of attacks against the healthcare industry.

Social engineering remains an extremely popular and effective method of attack, now taking the form of fast food coupons and free food delivery advertisements that are marketed to DHHS workers in hopes of luring victims into making the wrong click. However, CrowdStrike recently explained two common tech tactics being deployed against the healthcare industry:

  • Password Spraying Internet Login Portals: a brute-force attack in which a bad guy tries a single password against as many user accounts as possible before moving on to another password, so that no single account gets locked out. In other words, switch user accounts, not passwords. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts. This is a very effective tool to gain administrator credentials for programs like SharePoint and IIS.

  • After initial access, the bad actors then maneuver within the system using “living-off-the-land” (LOTL) capabilities like PowerShell, PowerKatz, and MimiKatz to find other credentials within the network and access more valuable data and resources. Foreign actors are not as interested in personal information as they are in intellectual property. Therefore, as an example, obtaining credentials for payroll is insufficient. However, using payroll admin credentials to find the account credentials for the chief of Research and Development is the jackpot. So, what are PowerKatz, PowerShell, and MimiKatz? Programs that recall and can decrypt passwords from memory within operating systems.
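The password-spraying pattern described above (many accounts, few attempts each, from one source) can be spotted in login-portal logs. The following detection sketch is an added example, not part of the original article; the log format, the sample lines, the account names, the function names and the thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format assumed): timestamp, source IP, account, result
SAMPLE_LOG = """\
2020-04-27T09:00:05 203.0.113.7 asmith FAIL
2020-04-27T09:00:40 203.0.113.7 bjones FAIL
2020-04-27T09:01:15 203.0.113.7 cnguyen FAIL
2020-04-27T09:01:50 203.0.113.7 dpatel FAIL
2020-04-27T09:02:25 203.0.113.7 rd_chief FAIL
2020-04-27T09:03:00 203.0.113.7 payroll_admin OK
2020-04-27T09:10:00 198.51.100.23 asmith FAIL
2020-04-27T09:10:20 198.51.100.23 asmith FAIL
2020-04-27T09:10:45 198.51.100.23 asmith FAIL
2020-04-27T09:11:30 198.51.100.23 asmith OK
"""

def parse(log_text):
    """Yield (time, source, account, ok) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "OK"

def detect_spray(log_text, window=timedelta(minutes=30),
                 min_accounts=5, max_fails_per_account=2):
    """Flag sources that fail against many accounts, few tries each, in one window."""
    by_source = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_source[event[1]].append(event)
    alerts = {}
    for src, events in by_source.items():
        fails = [(t, user) for t, _, user, ok in events if not ok]
        for i, (start, _) in enumerate(fails):
            per_account = Counter(u for t, u in fails[i:] if t - start <= window)
            # Spraying: breadth across accounts, depth kept under the lockout threshold.
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_fails_per_account):
                # Successful logins from the same source after the spray began
                hits = sorted({u for t, _, u, ok in events if ok and t >= start})
                alerts[src] = {"accounts_tried": sorted(per_account),
                               "logins_after_spray": hits}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The second source in the sample, a single user mistyping a password three times, is not flagged, because per-account lockout counters already cover that case; the spray is only visible when failures are grouped by source rather than by account.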

To protect themselves, healthcare entities need to stay vigilant and undertake the following actions:

  1. Require multi-factor authentication (whether it's multiple passwords, or password & text code) to strengthen internet-facing portals for network access;

  2. Ensure utilization of Windows 10 – Windows 7 viability ended in March 2020, and it no longer has available security patches;

  3. Severely limit administrator privileges as these accounts are the most valuable to network infiltrators;

  4. Implement modern endpoint detection and response (EDR) programs (CrowdStrike, Microsoft, McAfee, Carbon Black and others have programs) to monitor processes and detect suspicious actions, such as abnormal command functions, changes in file locations, and alien program installations. Through EDR programs, an invasion can be detected and thwarted before information is stolen or damaged; and

  5. Train all users on the importance of cybersecurity, physical security, and social engineering practices. Speak to IT staff and administrative users; they are both a risk and a resource. Did you know that MimiKatz was created by a disgruntled programmer who attempted to alert his supervisors to a deficiency within Windows and was ignored? Yep, French programmer Benjamin Delpy built the program and source code to prove his point to Microsoft and Windows when it was stolen by Russian hackers. Now, it may be used against all of us.


©2020 by SWA LAW LLC.