Identifying Security Priorities to Address New Healthcare Cyber Threats @Fortinet

The healthcare sector has long been seen as a lucrative target for cybercriminals. As today’s threat landscape continues to evolve, cybercriminals are leveraging new and old capabilities to exploit network vulnerabilities as efficiently as possible. In order to maintain an effective security posture in this complex cyber ecosystem, healthcare cybersecurity teams need to be aware of the current threats most prevalent within the healthcare sector, as well as the security measures and capabilities needed to properly address them.
Given the large amount of valuable protected health information (PHI), personal, and proprietary data held by healthcare organizations and facilities, it makes sense that the sector accounted for more than half of all cyberattacks in 2017. Today, cybercriminals are looking at the healthcare sector as an easy way to leverage data, extort networks for ransom, leech off of network elements for financial gain, and more.
As our latest Global Threat Landscape Report for Q1 reveals, cybercriminals are adopting a variety of capabilities that span across the kill chain—from reconnaissance and weaponization, to post-attack command and control. Should these threats successfully exploit network vulnerabilities, the consequences can be severe.
Cybersecurity Threats Facing the Healthcare Sector
Today’s increase in cyberattack capabilities is prompting the healthcare sector to spend more than $65 billion on IT security within the next five years. However, it should come as no surprise that as cybersecurity spending continues to increase, the efforts of cybercriminals to adapt and find new ways to leverage vulnerabilities grow in tandem. Recently, we’ve noticed a variety of threats that should be on the radar of healthcare IT personnel:
Fileless Malware Variants: Unlike traditional malware attacks that require cybercriminals to install a malicious executable on disk to infect a machine, fileless malware allows a cybercriminal to leverage tools already present on many computers, such as PowerShell and WMI, to load malicious code directly into memory. To maintain persistence, these scripts can also be registered in autorun registry keys, ensuring the malware is loaded every time the infected machine reboots. Because nothing unusual is written to disk, these techniques make the malware increasingly difficult to detect.
Cryptomining Malware: Cryptomining malware, also known as cryptojacking, focuses on maliciously injecting exploits into the browsers of computers or distributing malware across servers and IoT devices with the goal of leeching CPU resources. Cybercriminals then use these resources to mine cryptocurrency for financial gain. These attacks can cause system crashes, poor network efficiency, and a sharp drop in machine speed for those within the infected network.
Cryptomining malware is also showing an increase in worm-like spreading capability, leveraging the EternalBlue exploits that made headlines for their use in the large-scale WannaCry ransomware attacks. Known as WannaMine, this form of cryptomining malware has the capability to move laterally across a network, identifying and exploiting vulnerabilities and legacy systems that haven’t been properly patched.
Persistent Exploits: The threat landscape today also indicates that cyberattacks are becoming increasingly persistent, continuing to act within an infected network following system reboots. Cybercriminals are now leveraging ASEPs (auto-start extensibility points), service replacement, scheduled tasks, and DLL search-order hijacking to remain functional, making it necessary to properly clean a network following an identified attack rather than simply rebooting affected machines.
Designer Attacks: Unlike many forms of cyberattacks where cybercriminals incorporate a “spray and pray” approach, usually a large phishing campaign hoping to find a user who will click on a link or attachment, designer attacks are highly sophisticated and target an organization's specific network defenses and vulnerabilities. Cybercriminals are now doing extensive research into their targets, leveraging external vulnerability scanning and automated detection methods to identify core business information, high-value data, and areas where valuable network credentials can be obtained.
As demonstrated in the SamSam and Orangeworm malware variants, these “hands-on-the-keyboard” attacks are methodically carried out. Particularly effective at exploiting the legacy systems prevalent within the healthcare sector, these malware variants have the capability to bypass hash-based detection and propagate rapidly within an infected network.
Source (full article): Fortinet
