During massive pandemic strain on hospitals and healthcare IT systems, CybelAngel research shows how attackers seek and obtain credentials and third-party access for fraud and ransomware attacks
CybelAngel, a provider of digital risk protection, today published in-depth original research revealing how cybercriminals plan healthcare-related fraud, ransomware and other attacks by obtaining stolen credentials, leaked database files and other materials from specialized sources in the cybercrime underground. In their new paper, “Healthcare Data Actively Targeted and Sold on the Dark Web,” CybelAngel analysts describe how the ongoing COVID-19 pandemic’s strain on hospitals, coupled with the healthcare industry’s porous cybersecurity defenses, give criminals ample ability and resources to methodically launch lucrative intrusions jeopardizing patient safety.
“Cybercrime attacks that disable hospitals and weaponize stolen medical records are unconscionable – and particularly ruthless during a pandemic, when the uptime of every care facility and accuracy of every health record determines whether lives are saved,” said Camille Charaudeau, Vice President of Product Strategy at CybelAngel. “While the volume and stakes of these attacks can feel overwhelming, our research shows that sealing off a few specific types of exposed data could have a meaningful effect by disrupting the supply chains adversaries rely on to execute these attacks.”
To better understand threats to healthcare facilities, CybelAngel researchers tracked bad actors targeting French hospitals, the criminals’ methods and perceived gains. Available here, the research includes in-depth analysis with attackers conversations and security recommendations. Key findings include:
- Open databases mean hospitals often leak the data used against them: In underground forums, CybelAngel observes savvy brokers amassing lists of open, exposed databases inside healthcare organizations, which they seek to monetize by selling to attackers and other parties. Exposed databases can lie in on-premises servers and connected specialty equipment, or exist in SaaS or other cloud-based platforms where misconfigurations or poor access controls leave data and network inroads visible.
- Attackers combine credential-stuffing with third-party access to beat detection: The ongoing SolarWinds breach response is a reminder that privileged third-party software and partners are effective ways to bypass victims’ otherwise rigorous security controls. The same holds true for healthcare sector threats. CybelAngel’s research includes screenshots and detail of reputedly well-connected actors selling a file containing thousands of employee credentials from “a company that works with many (if not all) hospitals.” Many breaches and ransomware attacks are traced back to compromises of third-parties the healthcare sector relies on for software, tech support, billing, and data reporting. It only takes victimizing one service provider to access or ransom many of their downstream customers.
- Sharing medical records comes at the cost of control: The proliferation of cheap network-attached storage and other high-capacity devices means that both authorized and hidden, shadow IT systems alike are discoverable by bad actors and leave millions of sensitive health records in the public domain. A common example in CybelAngel’s latest research is a vetted actor’s offering “500,000 French hospital records” on an underground marketplace. CybelAngel examined disclosed portions of the records and assesses them to be likely authentic. While not referencing COVID-19, the stolen records list personally identifiable information (PII) for patients and their relationships with specific physicians, nurses and pharmacies, making the cache potentially useful for fraud or refining social-engineering themes used for phishing and ransomware.
According to CybelAngel they are the only Digital Risk Protection Platform comprehensively monitoring for data leaks across every layer of the Web, including the billions of exposed internet-connected devices that exist outside organizations’ defended perimeters. CybelAngel’s AI-powered platform and analyst team additionally study underground activity to identify credible threats to customers and inform the wider security community. Practical, urgent security recommendations in today’s research include:
- Maintain a focus on employee awareness: Beyond taking care to recognize and avoid personal security threats, like phishing emails and transferring sensitive data to unapproved devices, every employee plays a crucial role in making sure their team’s moves in fast-paced healthcare environments do not inadvertently break security controls and compliance policies.
- Maximize patching and encryption defenses: CybelAngel researchers conclude that unpatched software susceptible to years-old exploits remains a massive segment of healthcare’s attack surface. Just as worrisome is a clear, widespread failure to activate built-in encryption features on software, collaboration and device platforms. Encrypted data is useless to attackers, yet this powerful defense is unutilized when systems are misconfigured or have unclear ownership.
- Monitor necessary but risky remote connections: Healthcare rely on remote connections, but incomplete asset discovery and inventories raise the risk of abuse of privileges and widespread compromise if only one device or department is compromised. When remote desktop protocol (RDP) and VPN access is required, it is imperative to ensure all enhanced security settings are enabled and monitor Internet traffic to look for signs of abuse, like anomalous large-scale data exfiltration.