According to Microsoft, the company’s Digital Crimes Unit (DCU), Fortra and Health Information Sharing and Analysis Center (Health-ISAC) are taking both legal and technical action to disrupt the use of abused copies of Cobalt Strike and Microsoft software, which are favorite tools of ransomware groups.

This represents a new way of disrupting cybercrime, with a greater scope and more complex operation that doesn’t just disrupt the command and control infrastructure of malicious actors. Instead, Microsoft and Fortra are working to remove illegal, legacy copies of Cobalt Strike so they can no longer be used for malicious purposes.

Cobalt Strike, a brand owned by Fortra, is a legitimate and popular post-exploitation tool used for simulated attacks. However, older versions of the software have been abused and altered by hacking groups to launch attacks, including ransomware campaigns against the Government of Costa Rica and the Irish Health Service Executive.

Microsoft says the company’s software development kits and APIs are also abused as part of the coding of the malware as well as the criminal malware distribution infrastructure used to target and mislead the victims.

Amy Hogan-Burney, general manager of Microsoft’s DCU, writes in a blog that the ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware families impacting healthcare organizations.

The activity comes after Microsoft, Fortra and Health-ISAC obtained a court order form the U.S. District Court of the Eastern District of New York to disrupt the infrastructure, which includes notifying relevant internet service providers and computer emergency readiness teams to help severe the connection between operators and infected victim computers.

Investigation efforts between the companies included detection, analysis, telemetry and reverse engineering, with additional data and insights from partners to help strengthen the legal case. The actions focused only on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software, Hogan-Burney writes.

The company is also expanding a legal method used to disrupt malware and nation state operations to target the abuse of security tools used by a broad spectrum of hacking groups, which is hoped to significantly hinder the monetization of those tools and slow their use in attacks. This action is designed to force cybercriminals to change their tactics.

To that end, the action also included copyright claims against the malicious use of Microsoft and Fortra’s software code, which are altered for use by malicious actors.

Fortra is also taking steps to prevent the misuse of its software, including more stringent customer vetting, but criminals have historically stolen older versions of security software to create cracked copies to gain backdoor access into victim devices. Some infamous ransomware groups have been observed doing so, including Conti, LockBit and other groups involved in the ransomware-as-a-service model, according to Hogan-Burney.

However, ransomware groups and cybercriminals are notorious for regrouping and adopting new tactics, and they will likely do so again in this case.

“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts,” Hogan-Burney writes. “Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.”

The post Microsoft, Fortra Take Action to Disrupt Ransomware Groups Targeting Healthcare appeared first on My TechDecisions.

The 2022 report, released Monday by digital security firm Emsisoft, determined 89 education sector organizations were impacted by ransomware. Broken down, hackers demanded ransoms from 44 universities and colleges, and 45 school districts that operate 1,981 schools. Comparatively, in 2021, 58 districts running 1,043 schools were impacted, as were 26 colleges and universities.

Most notable was a Sept. 2022 attack on the Los Angeles Unified School District, the second largest district in the U.S. which serves 1,300 schools and 500,000 students. Working closely with local law enforcement, the FBI, and the federal Cybersecurity and Infrastructure Security Agency (CISA), Superintendent Alberto Carvalho said he would not negotiate or pay a ransom. The hackers leaked stolen data the following day.

“Unfortunately, as expected, data was recently released by a criminal organization. In partnership with law enforcement, our experts are analyzing the full extent of this data release,” the district wrote in a statement. “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”

The statement echoes sentiments from the FBI, which maintains organizations should not pay a ransom because it doesn’t guarantee they’ll get data back and it encourages more ransomware activities. At least three organizations paid a demand last year, including the Glenn County Education Office in Calif., which paid $400,000.

Also notable, just three days into the new year, Swansea (Mass.) Public Schools announced it canceled classes Wednesday due to a ransomware attack. The district has hired a cybersecurity provider to determine the extent of the attack on the district’s network. A study by NBC10 Boston investigators found that at least 10 Massachusetts communities that were victimized by ransomware gangs have paid their hackers to unlock their files.

Overall, the number of incidents involving the education sector has remained consistent over the last four years, highlighting the increased attention to the issue of cyber attacks by both public and private entities.

Nearly 300 Hospitals Impacted by Ransomware in 2022

In previous years, Emsisoft tracked incidents across the healthcare sector. However, due to the volume of incidents and unclear disclosures, tracking in 2022 was limited to only hospitals. Last year, there were 25 incidents involving hospitals and multi-hospital health systems, potentially impacting patient care at up to 290 hospitals, the report found.

Data including Protected Health Information (PHI) was stolen in at least 17 cases (68%). The most significant was an attack on CommonSpirit Health, which operates almost 150 hospitals in 21 states. The incident resulted in the personal data of 623,774 patients being compromised.

Patient safety was also compromised when a computer system for calculating doses of medication was offline. As a result, a three-year-old patient received an extreme overdose of pain medicine. Other affected hospitals temporarily stopped scheduling surgeries or had to redirect ambulances to other hospitals. The latter proved fatal in Germany in 2020 when a woman died after she was diverted to another hospital 20 miles away when a ransomware attack shut down the university-affiliated hospital where she was being admitted.

The report ends with a request to “retire” the term ransomware, which Emsisoft says could help provide more accurate insights into the number of organizations impacted by cyberattacks.

“Historically, the word was used to describe the malicious software which is used to lock data so that a ransom can be demanded to unlock it. Early ransomware attacks were simple and mostly automated. However, today’s attacks are often complex, human-directed events in which data is exfiltrated and encryption, if it happens at all, is the very last step in the attack chain,” reads the report. “To put it another way, attacks can be exfiltration-only, even when carried out by groups that usually encrypt data – and that means we have ransomewareless attacks by ransomware groups. This creates confusion as to what should and should not be counted as a ‘ransomware’ attack for the purpose of statistics.”

This article originally appeared on MyTechDecisions’ sister-site Campus Safety Magazine. 

The post Education, Healthcare And Government Organizations Impacted by Ransomware in 2022 appeared first on My TechDecisions.

The U.S. Cybersecurity and Infrastructure Security Agency, FBI and Department of Health and Human Services’ joint advisory says the Daixin Team has been targeting healthcare organizations with ransomware and data extortion operations and have caused major security incidents at multiple organizations.

According to the advisory, the Daixin Team has deployed ransomware to encrypt servers responsible for healthcare services, such as electronic health records, diagnostic services, imaging services and intranet. The group also seeks to exfiltrate personal information and health information of patents, threatening to release the data if a ransom is not paid.

Ransomware actors with the Daixin Team gain access to victim networks through VPN servers, including exploiting unpatched vulnerabilities in the server. Other methods include using phishing to compromise credentials to access legacy VPN servers without multifactor authentication enabled.

After obtaining access to the victim’s VPN server, Daixin actors use Secure Shell (SSH) and Remote Desktop Protocol (RDP) to move laterally, according to the advisory. Officials say Daixin actors also seek to gain access to privileged accounts through credential dumping and pass the hash to access VMware vCenter Server and reset passwords for ESXi servers in the environment.

The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [on those servers, per the advisory.

According to the advisory, the actual Daixin Team ransomware is based on leaked Babuk Locker source code. This third-party reporting and FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/.

Like many other ransomware groups, Diaxin hackers also exfiltrate data using publicly available tools.

Recommendations listed in the advisory follow other standard ransomware mitigation measures, such as implementing multifactor authentication, patching systems, securing RDP, segmenting networks and more.

However, agencies also call on healthcare organizations to better secure patient data, including encryption and firewall protection.

Read the advisory for more information.

The post This Ransomware Group is Targeting the Healthcare Industry appeared first on My TechDecisions.

The survey of 405 senior IT, networking and security decision-makers in the U.S., Canada and the U.K. revealed 83% of organizations agreed building cybersecurity programs is expensive due to required tools, licenses and personnel; 80% agreed it’s challenging to fill specialized security roles. Most organizations (78%) have an incident management process, but half (49%) agree they lack the teams and tools to be effective 24/7/365. Evolving security threats (53%) and the task of integrating new technology (53%) are cited as top challenges in maintaining security posture.

“Strengthening cyber defenses and maintaining operation around-the-clock calls for businesses to make significant investments in sophisticated tools and highly skilled staff. Organizations often find their IT staff are stretched thin or not skilled enough to manage security technologies,” said Nathan Jenniges, vice president, cybersecurity product strategy at BlackBerry, in a statement. “With 24×7 monitoring and mitigation, Managed XDR could be the missing link, particularly for critical infrastructure organizations, which are greater targets for cyberattacks with potentially damaging results.”

Additional key findings from the survey include:

•  Cybersecurity Challenges for Healthcare and Energy Sectors
  • 77% of healthcare respondents and 72% of energy and utility respondents said the amount of work required to create their own dedicated security operations was daunting
  • Healthcare respondents were the least likely (63%) to agree they have an incident management process to handle threats
  • While 60% of energy and utility companies have a Security Operations Center (SOC) or equivalent in place, only 1 in 5 (20%) said they have the right skillsets to adopt XDR; as a result only 1 in 3 (33%) were confident in their ability to gain a strong return from XDR

• Use of IT/Cybersecurity Managed Services to Plug the Talent Gap
  • 80% of respondents use a managed service provider for at least some of their cybersecurity workloads
  • 45% say the ability to free up existing resources is the top anticipated benefit of leveraging managed IT/cybersecurity services
  • 42% report a better ability to address skills and resource gaps using managed services

• XDR Awareness and Adoption
  • 79% are likely to consider an XDR solution over the next 12 months; large enterprises and manufacturing organizations most likely to consider an XDR solution
  • 77% of those considering an XDR solution plan to outsource some or all XDR management
  • 51% who plan to outsource XDR management are extremely confident in their ability to gain a return from XDR, as opposed to 35% managing XDR themselves
  • Small businesses (53%) are most likely to be concerned about having the skills necessary to adopt XDR, compared to large enterprises (47%) and commercial businesses (41%)

Blackberry’s full report can be found here.

The post Organizations in All Sectors Lack Tools and Teams to Address Cybersecurity Threats appeared first on My TechDecisions.

The expansion includes products in select Industry Cloud base licenses. Salesforce says the new offering with enable businesses to complete more tasks with fewer resources, boost efficiency and deliver better customer experiences at scale.

With companies facing uncertain economic times with inflation, supply chain disruptions and labor shortages, any new efficiency helps, says Salesforce. Industry-specific automation can replace tedious, manual tasks.

At least 86% of senior IT leaders say the experience an organization provides its employees and customers is as important as its products and services. Meanwhile, four out of five senior IT leaders agree that improved customer-facing and employee technologies are critical for their organization to compete.

A study from Salesforce’s MuleSoft and Vanson Bourn showed that 91% of organizations say they they need automation technology, but only 23% have fully implemented automation across business functions.

Salesforce Flow for Industries

Users of Salesforce’s Flow for Industries can create intelligent process automation unique to their specific industry. According to Salesforce, these new tools help customers with the following:

• Create better customer and employee experiences: OmniStudio enables organizations to build branded, dynamic customer interactions and employee workflows fast. Flow easily connects them with enterprise data and applications, without code.

• Easily manage rules and actions: Business Rules Engine allows organizations to simplify and automate processes such as pricing discounts, care management or financial planning with declarative setup, management and evaluation of rules. Using a no-code interface, organizations are empowered to build, test and execute rules before they are integrated.

• Save time and resources: Document Generation gives organizations the ability to automatically generate and share documents using a no-code template designer, while Intelligent Form Reader uses optical character recognition (OCR) to automatically read and extract document data, unifying the end-to-end management process, and freeing up time for higher-value work.
• Simplify data management: Data Processing Engine helps organizations create definitions to transform data across multiple sources then surface that to customers within a workflow.

The Flow for Industries suite of automation products is generally available now. These tools are free to base license holders.

Learn more about the new Flow for Industries on Salesforce here.

The post Saleforce Expands Automation Product Suite appeared first on My TechDecisions.

The Asthma Guardian by Resmonics is a system to help asthmatics gain more control over their condition.

According to a recent Tech Acute report:

This helps monitor asthmatic symptoms and keep patients notified about their health status. It uses clinically validated digital biomarkers that have been developed throughout five years of medical research.

With this, it can detect the disease process, evaluate the different biological indicators of asthma, and help to detect asthma attacks, all from the user’s smartphone.

For Asthma Guardian to work, the patient must place their smartphone in their bedroom. From there, the app will automatically monitor the symptoms and report if there are any abnormalities as the patient sleeps soundly at night.

What if there was an app that’s able to quantify Covid-19 cough? And thereby help to collect data for the treatment of the disease? Read more about the Swiss startup Asthma Guardian in our #bitsdaily article: https://t.co/Lb5dTSI8dM Subscribe for more news https://t.co/Cg45QlPXaB pic.twitter.com/ESes4hvmz9

— Bits & Pretzels (@bitsandpretzels) June 8, 2020

The app works by monitoring potential respiratory attacks without waking the user, all while delivering data with detailed evaluations.

The Tech Acute report says Resmonics is trying to develop a variety of biomonitoring solutions for patients with various conditions, focusing on data collection and patient education.

While technology in healthcare always poses security and other ethical questions, I’m never short of fascinated by how much more efficient and effective some treatments can be when they embrace a technological approach.

Related: Misconfiguration is the Most Common Cause of Healthcare System Breaches

Consider this application, where tunable lighting temp and intensity were measured to have positive impacts on sleep and wellness in a Calif. nursing home.

I’m wishing the Resmonics team luck with their further app developments – both for the sake of technology advancement and the patients it has the potential to help.

The post Asthma Monitoring Technology Uses the OTHER Thing Asthmatics Typically Carry: A Smartphone appeared first on My TechDecisions.

Tom Burt, the corporate vice president of customer security and trust at Microsoft, said the company has detected cyberattacks from three nation-state actors on seven prominent companies involved in developing vaccines and treatments for the virus, including leading companies and researchers in the U.S., Canada, France, India and South Korea.

“We think these attacks are unconscionable and should be condemned by all civilized society,” Burt writes.

According to Burt, the attacks came from Strontium, a hacking group based in Russia, and two groups from North Korea, Zinc and Cerium. He describes the attackers’ methods in the post:

Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people’s accounts using thousands or millions of rapid attempts.

Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organization representatives.

The majority of these attacks were blocked by security protections built into our products. We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help.

Read Next: Warning: Cybercriminals Targeting Healthcare Systems with Ransomware

Attacks on the healthcare industry during the pandemic have been frustratingly persistent, with some targeting hospitals and healthcare organizations, and others targeting groups like the World Health Organization.

Burt’s blog, published Friday, comes as Microsoft President Brad Smith participates in the Paris Peace Forum where he urged world governments to do more and affirm international law that protects health care facilities.

According to Burt, other international efforts to put a halt to nation-state hacking are underway, including the Paris Call for Trust and Security in Cyberspace, other initiatives from the CyberPeace Institute and Red Cross and others in the private sector.

“At a time when the world is united in wanting an end to the pandemic and anxiously awaiting the development of a safe and effective vaccine for Covid-19, it is essential for world leaders to unite around the security of our health care institutions and enforce the law against cyberattacks targeting those who endeavor to help us all,” Burt writes.

The post Microsoft: Cyberattacks On Healthcare Need To Stop appeared first on My TechDecisions.

The new offering, announced last week, includes “provides trusted and integrated capabilities that deliver automation and efficiency on high-value workflows as well as deep data analysis functionality for both structured and unstructured data, that enable healthcare organizations to turn insight into action,” wrote Tom McGuinness, corporate vice president of worldwide health at Microsoft, in a blog post.

“This end-to-end, industry-specific cloud solution includes released and new healthcare capabilities that unlock the power of Microsoft 365, Azure, Dynamics 365, and Power Platform,” McGuinness wrote.

“It makes it faster and easier to provide more efficient care and helps customers support end-to-end security, compliance, and interoperability of health data. A robust partner ecosystem extends the value of the platform with additional solutions to address the most urgent challenges the healthcare industry is facing today.”

Read Next: Microsoft Azure to Prioritize First Responders, Healthcare, Government During, Remote Work COVID-19

Specifically, the new solution includes tools to help healthcare organizations engage with patients virtually, empower the collaboration of healthcare organizations, improve clinical and operational data insights and support connected experiences across healthcare workflows.

Microsoft Cloud for Healthcare is designed to help healthcare organizations integrate secure virtual health tools by creating workflow cohesive AI bots and virtual visits into the organization, according to McGuinness.

The solution helps facilitate patient access to secure portals and mobile tools to help connect them with healthcare professionals, and patient insights provide organizations with data that helps to optimize the patient experience.

For internal collaboration, the solution represents a 360-degree patient view that helps teams collaborate and share knowledge in a single secure place.

Advanced messaging features like priority notifications, smart camera and message delegation are also included. Teams can use data integrated across clinical systems and applications to help accelerate treatment decisions and improve care.

To learn more about Microsoft Cloud for Healthcare, visit the official website.

The post Microsoft Announces Microsoft Cloud for Healthcare appeared first on My TechDecisions.

In its October 22 notice to patients, the hospital said the October 11 incident “triggered a significant downtime event”:

Currently, the Hospital is maintaining operations while computer systems are being fully restored. We have maintained the ability to care for patients using our business continuity plan.

• Emergency Care remains available 24/7. Necessary surgeries and elective procedures have not been disrupted by the incident.
• The majority of diagnostics are being continued without interruption.
• The patient portal remains available but new results have not been posted to the portal since October 11.

The Hospital immediately initiated an investigation. We have partnered with outside experts to help us investigate and remedy this incident.  We will provide updates as the investigation progresses.

Some patients who were waiting for their test results were repeatedly told to check back with the hospital, reports the Sonoma Index-Tribune. One woman attempting to schedule a mammogram told the newspaper she was delayed in making her appointment for at least a week due to Sonoma Valley’s computer problems.

It is unclear what caused the security incident and if it was ransomware.

Sonoma Valley Hospital is just the latest medical facility to experience IT disruptions. In September, all 250 of Universal Health Services facilities’ computer networks were affected by a malware attack.

The cost of such breaches is expensive. In mid-October, 28 states won a nearly $5 million judgement against Tennessee-based CHS/Community Health Systems Inc. and its subsidiary, CHSPSC LLC, over a 2014 data breach that affected approximately 6.1 million patients. The settlement followed a $2.3 million settlement by the Department of Health and Human Services for Civil Rights over the same security incident.

The average cost of a data breach in the healthcare industry is $7.13 million, which is nearly double the average cost in other sectors.

This news comes as cybersecurity experts and U.S. federal agencies are warning of an increase in ransomware attacks on healthcare organizations using the Trickbot malware.

This article originally appeared on our sister site Campus Safety. 

The post Sonoma Valley Hospital Hit With Cyber Attack, Computers Briefly Shut Down appeared first on My TechDecisions.

According to NBC News, Universal Health Systems, an operator of more than 400 locations, was knocked offline over the weekend due to what the hospital system calls a “security issue.”

The hospital acknowledged the security issue in a statement and said it is working with IT security professionals to restore operations as quickly as possible.

No patient or employee data appears to have been compromised, the healthcare system said.

The company said its facilities reverted to using offline processes and documentation methods. According to NBC News, some of that included filing patient information with pen and paper.

Universal Health Services’ statement didn’t include information about the nature of the attack, but NBC News’ report suggests it was ransomware.

One person familiar with the company’s response efforts who was not authorized to speak to the press said that the attack “looks and smells like ransomware.”

Two Universal Health Services nurses, who requested to not be named because they weren’t authorized by the company to speak with the media, said that the attack began over the weekend and had left medical staff to work with pen and paper.

One of the nurses, who works in a facility in North Dakota, said that computers slowed and then eventually simply would not turn on in the early hours of Sunday morning. “As of this a.m., all the computers are down completely,” the nurse said.

Another registered nurse at a facility in Arizona who worked this weekend said “the computer just started shutting down on its own.”

“Our medication system is all online, so that’s been difficult,” the Arizona nurse said.

According to cybersecurity experts, cyberattacks of all kinds have been increasing for the better part of a year, and hospitals – once nontargets for cybercriminals – are now responding to these attacks.

A patient at a German hospital died earlier this month because the hospital they were brought to was knocked offline due to ransomware. On the way to a hospital 20 miles away, the patient died.

The post Huge Healthcare Ransomware Attack: What We Know So Far appeared first on My TechDecisions.