Hackermania runs wild, Required Reading Department: The Anatomy of a Ransomware Attack

Cue the Duke Ellington score and Jimmy Stewart for the defense: we now have a moment-by-moment look at how a ransomware attack on an organization unfolds. The example, documented by SentinelOne, is a Ryuk ransomware attack last October on an unnamed organization.

      • The first step was a foothold via the Trickbot malware, which probed the network
      • The intruders then explored the network to value the target: what data could be monetized, and for how much
      • In the Pivot and Profile phase they brought in further tools, PowerTrick and Cobalt Strike, to find open ports, other hosts and accounts worth taking
      • Having found what they wanted, they deployed the Anchor backdoor to secure their hold on the network, then the Ryuk ransomware itself
      • Total time from the initial Trickbot infection to Ryuk encryption: about two weeks
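The staged pattern above is also what a detection engineer wants reconstructed from telemetry. The following is an added example, not code from SentinelOne's report or from the ZDNet article: it takes constructed process-creation records in a Sysmon-like 'timestamp|host|parent image|image|command line' format, maps each record to a phase using generic tradecraft patterns (an Office application spawning a script host, built-in discovery commands, remote-execution tools, shadow-copy deletion), and computes the response window between the first foothold and the first destructive command. The hostnames, timestamps and command lines are invented for the example and are not indicators from any Ryuk sample; the patterns are assumptions chosen to illustrate the stages, not a complete rule set.

```python
"""Reconstruct a staged ransomware intrusion from process-creation telemetry.

Added example (constructed data, generic patterns): maps Sysmon-style
process-creation records to kill-chain phases and measures the window a
defender had between the first foothold and the first destructive action.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PHASES = ["initial_access", "discovery", "pivot", "impact"]

# Generic patterns: assumptions for this example, not sample-specific IOCs.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
DISCOVERY_RE = re.compile(
    r"\b(net\s+(view|group|user|localgroup)|nltest|whoami|adfind|ipconfig\s+/all)\b", re.I)
PIVOT_RE = re.compile(
    r"(psexec|paexec|wmic\s+/node|winrs\b|invoke-command|-computername)", re.I)
IMPACT_RE = re.compile(
    r"(vssadmin.*delete\s+shadows|wbadmin\s+delete|bcdedit.*recoveryenabled\s+no"
    r"|wmic\s+shadowcopy\s+delete)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(parent_image: str, image: str, command_line: str) -> Optional[str]:
    """Map one process-creation event to a phase, or None when it looks benign.

    Most specific (destructive) patterns are tested first so that a command
    such as 'psexec ... vssadmin delete shadows' is counted as impact.
    """
    if IMPACT_RE.search(command_line):
        return "impact"
    if PIVOT_RE.search(command_line):
        return "pivot"
    if DISCOVERY_RE.search(command_line):
        return "discovery"
    if basename(parent_image) in OFFICE_APPS and basename(image) in SCRIPT_HOSTS:
        return "initial_access"        # macro document launching a script host
    return None


def parse_events(lines: List[str]) -> List[dict]:
    """Parse constructed 'ts|host|parent|image|cmdline' records."""
    events = []
    for line in lines:
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent, "image": image, "cmd": cmd})
    return events


def build_timeline(events: List[dict]) -> Dict[str, Tuple[datetime, str]]:
    """First sighting (timestamp, host) of each phase, in chronological order."""
    timeline: Dict[str, Tuple[datetime, str]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        phase = classify(ev["parent"], ev["image"], ev["cmd"])
        if phase is not None and phase not in timeline:
            timeline[phase] = (ev["ts"], ev["host"])
    return timeline


def response_window(timeline: Dict[str, Tuple[datetime, str]]) -> Optional[timedelta]:
    """Time between first foothold and first destructive action: the window in
    which stopping the intrusion at step 1 would have prevented encryption."""
    if "initial_access" in timeline and "impact" in timeline:
        return timeline["impact"][0] - timeline["initial_access"][0]
    return None


# Constructed telemetry for one intrusion (hosts, times and commands invented).
SAMPLE_LOG = [
    "2019-10-01T09:12:03|ws-114|C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell.exe -nop -w hidden -enc REDACTED",
    "2019-10-01T09:14:40|ws-114|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|C:\\Windows\\System32\\whoami.exe|whoami /all",
    "2019-10-03T22:05:11|ws-114|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\net.exe|net group \"domain admins\" /domain",
    "2019-10-03T22:06:02|ws-114|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp",
    "2019-10-09T01:30:27|ws-114|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Tools\\PsExec.exe|psexec \\\\fs-01 -s -d cmd.exe",
    "2019-10-14T03:02:55|fs-01|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2019-10-14T03:03:01|fs-01|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
]

if __name__ == "__main__":
    tl = build_timeline(parse_events(SAMPLE_LOG))
    for phase in PHASES:
        if phase in tl:
            ts, host = tl[phase]
            print(f"{phase:15s} first seen {ts:%Y-%m-%d %H:%M} on {host}")
    print("response window before encryption:", response_window(tl))
```

On the constructed data the first Office-to-PowerShell launch on ws-114 precedes the shadow-copy deletion on fs-01 by a little under 13 days, which is the point of the article's two-week figure: every later phase is noisier than the first, so the earliest alert is the cheapest one to act on, and a Trickbot-style foothold should open an incident rather than a routine cleanup ticket.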

Ryuk has been a highly successful ransomware, netting its operators $61m in ransom between February 2018 and October 2019, according to the FBI. The UK National Cyber Security Centre's advisory dates the global attacks from late 2018 onward.

The value in this study is substantial: the SentinelOne article is chock full of terminology and screenshots a programmer or white hat will love. It also shows a multi-step process which, if stopped at step 1 (the Trickbot infection), leaves the attackers a much tougher nut to crack, and which gives defenders a window of nearly two weeks in which to detect and respond. The practical lesson is that a Trickbot detection should be treated as the start of an incident, not a commodity cleanup, because the hand-off to a human operator and then to Ryuk is the expected next step. ZDNet’s article is written for us ‘civilians’. The sidebar has links to several articles, including this horror compendium from UK victims, ‘The most stressful four hours of my career‘. Earlier: Hackermania runs wild…all the way to the bank!

News roundup: stroke rehab uses Hollywood technology, 3M sues IBM Watson Health on analytics software misuse, AI-based skin cancer detection apps fail, Dictum’s successful telemed use post-pediatric surgery, malware attacks Boston practice network

Motion capture technology being used in stroke and TBI rehab. Best known for turning actors into cartoon superheroes, motion capture tech is now being used at Spaulding Rehabilitation Hospital in Boston for returning mobility to stroke and TBI patients. Attached to the patient are sensors–reflective markers–on key parts of the body. Using an array of infrared cameras, the patient is tracked on gait and other affected motion areas. Doctors and therapists can then better target therapy, plus assistive technologies from orthotics to full exoskeletons. Includes video. STAT

When Giants Sue. 3M is suing IBM Watson Health over its use of licensed 3M software in ‘unauthorized ways’, charging direct copyright infringement and breach of contract. 3M’s Grouper Plus System analyzes claims and other coded data to help calculate reimbursement. 3M contends that IBM was licensed only for internal use under a Truven agreement dating back to 2007, years before Truven’s acquisition by IBM. The suit adds that IBM then integrated the software into Watson platforms without a license transfer or an expansion of the license to cover that use, and dodged an audit of the use. The suit is in NY Federal Court. Becker’s Health IT Report

Algorithm-based dermatology apps fail to accurately detect risk for melanomas and similar skin cancers. A just-published BMJ study determined that these smartphone apps are not effective. The apps use algorithms that catalogue and classify images of lesions as high or low risk for skin cancer, returning an immediate risk assessment and a recommendation to the user. Six apps were examined, including two with a CE mark. None were FDA-approved and two had been cited by the Federal Trade Commission for deceptive marketing. Only one, SkinVision, is still commercially available. The results do not apply to apps that physicians use in direct telemedicine consults. IEEE Spectrum

Successful test and planned rollout of telemedicine tablet for post-surgery checks at Children’s Hospital of Richmond (Virginia–CHoR). The Dictum Health eVER-HOME tablet used for virtual visits had a 92 percent acceptance rate of telemedicine visits in place of in-person visits, zero return to hospital/ER events, earlier patient discharge post-surgery (12 to 24 hours), and avoidance of long-distance travel by patients for follow-up visits, a significant factor as CHoR is a destination hospital for specialized pediatric surgery. The rollout will include AI capabilities in Dictum’s Care Central platform to help determine rising risk and more. Dictum Health is a company best known for telemedicine units for remote workers (e.g. oil rigs) using their Virtual Exam Room (VER) technologies. Dictum release, mHealth Intelligence

CHoR is having a better week than a physicians’ network affiliated with Boston Children’s Hospital. The Pediatric Physicians’ Organization at Children’s (PPOC) is the victim of a malware attack affecting computer systems at about 500 affiliated physicians and clinicians. The affected systems have been quarantined, and BCH’s own systems are not affected. Becker’s Hospital Review, Health IT Security. Health IT Security also rounds up other recent data breaches, hacks and phishing attacks.

News roundup: Proteus may be no-teous, DOJ leads on Google-Fitbit, HHS’ mud fight, Leeds leading in health tech, malware miseries, comings and goings

Proteus stumbles hard, cuts back. The original ‘tattle-tale pill’ company, Proteus Digital Health, plans to lay off 292 people in the San Francisco Bay Area and to permanently close its three Redwood City and Hayward locations, starting 18 January, according to notices sent to California state and local offices, including the state employment development department. It is unclear where Proteus will be located after the closures.

This follows Proteus’ failure to close a twelfth funding round of $100 million. According to reports, it furloughed most of its employees for two weeks in November and is reorganizing. This comes after investors put about $487M into the company through a Series H (Crunchbase), including a game-changing investment by Novartis dating back to 2010. Proteus achieved unicorn status about three years ago, but its high-priced pill tracking technology, a sensor in the pill tracked by a skin-worn monitor reporting to a smartphone, has a market built in to be limited to expensive medication. Otsuka Pharmaceutical in 2017 partnered with Proteus for an FDA-approved digital medicine system, Abilify MyCite, which basically put an off-patent behavioral drug back into a more expensive tracking package. Proteus remains a great idea for tracking compliance in search of a real market, and may not have much of a future. San Jose Mercury News, CNBC

But ingestible detectable pills are still being tested. On Monday, as Proteus’ bad news broke, eTectRx announced its FDA clearance of the ID-Cap System and its testing at Brigham and Women’s Hospital and Fenway Health, focusing on HIV medication when used for treatment and prevention. Release, HISTalk

Department of Justice taking the lead on scrutinizing Google’s Fitbit acquisition. The Federal Trade Commission also sought jurisdiction over the transaction. According to the New York Post, “both agencies are concerned that a Google-owned Fitbit would give the search giant an even bigger window into people’s private data, including sensitive health information, sources said. Under the Hart-Scott-Rodino Act, all large mergers must file proposals with both the DOJ and the FTC, but only one antitrust agency reviews the merger.”

Coal from stockings being thrown about at HHS. According to POLITICO and the New York Times, the disagreements between Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), and the Cabinet-level Secretary of Health and Human Services (HHS), Alex Azar, have boiled over, enough to have to be settled by the President’s acting chief of staff, Mick Mulvaney. According to the Times, both President Trump and VP Mike Pence have told them to find a way to work together. Both are administration appointees, but President Trump has not been reluctant to cut a mis-performing or overly contrary appointee loose. The latest salvo from those obviously not on Ms. Verma’s side was the revelation that she requested compensation for jewelry stolen on a business trip, contrary to government policy of course. She was compensated for other items which is standard. (Isn’t that what homeowners’ insurance is for? And what sensible person actually travels with valuable jewelry?) Under Ms. Verma, CMS has been quite progressive in developing new business models in Medicare fee-for-service, moving providers to two-sided risk, and innovating in both Medicare and Medicaid. It will either be settled, or one or both will be gone. Pass the popcorn.

Leeds picks up another health tech company. Mindwave Ventures is opening an office there, as well as appointing Dr Victoria Betton and Dr Janak Gunatilleke to the roles of chief innovation officer and chief operating officer. Mindwave develops technologies around digital products and services in healthcare and health research. Leeds reportedly is home to over 250 health tech companies and holds an annual Leeds Digital Festival in the spring [TTA 11 April].

Ransomware attack hits Hackensack Meridian. Systems were down for about a week. While this large New Jersey health system hasn’t admitted it, sources told the Asbury Park Press that it was ransomware. And if it’s not ransomware, it’s Emotet and Trickbot. Read ZDNet and be very apprehensive for 2020 indeed, as apparently healthcare is just one big target.

Comings and Goings: There may be some end of year bombshells, but after last week’s big news about John Halamka, it’s been fairly quiet. Paul Walker, whom this Editor knew at New York eHealth Collaborative, has joined CommonWell Health Alliance as executive director. Mr. Walker was most recently Philips Interoperability Solutions’ vice president of strategy and business development. CommonWell’s goal is improving healthcare interoperability, and its services are used by more than 15,000 care provider sites nationwide. Blog release, Healthcare Innovation ….Dr. Jacqueline Shreibati, the chief medical officer for AliveCor, is joining Google Health in the health research area. Mum’s the word when it comes to Fitbit (see above). CNBC ….Peter Knight has pleaded guilty to falsifying educational credentials to gain his position as chief information and digital officer at Oxford University Hospitals NHS Foundation Trust. He held that position from August 2016 until September 2018. BBC News

WannaCry’s anniversary: have we learned our malware and cybersecurity lessons?

Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was only a year ago. Two months later came Petya/NotPetya. Hacking and ransomware eruptions have continued regularly since, the latest being the slow-moving malware devised by the Orangeworm group. What WannaCry and Petya/NotPetya had in common, besides the damage, was that they were developed by state actors or hackers with state support: North Korea for WannaCry, and Russia for NotPetya, which the UK and US governments formally attributed to the Russian military in February 2018.

The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates. 

Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring that the migration off Windows XP and other old software, requested by April 2015, actually happened. Another basic, firewalls facing the internet, wasn’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and that it was found as quickly as it was by a British security researcher with the handle MalwareTech.

Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even the head of IT audit and security services at West Midlands Ambulance Service NHS Trust, who also penetration-tests NHS trusts, said that they were “still finding some real shockers out there”. NHS Digital deputy CEO Rob Shaw told the Public Accounts Committee (PAC) in February that every one of the 200 NHS trusts tested against its cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing the 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News

Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, and initial passwords in EHRs go unchanged. So add to firewalls, prevention measures and the emphasis on compliance and best practice a layer of cyber-resilience: more than a recovery plan, it means planning to keep operations running through an attack, with warm backups ready to go, contingency plans, and a way to make quick decisions about the main functions that keep the business going. Are healthcare organizations, and the NHS, capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.

Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. It found that the number of breached records decreased by 72 percent between 2015 and 2017, and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. The number of breach incidents decreased but is relatively steady: 294 in 2017 versus 328 in 2016. Data security company Protenus in its own tracking found more incidents in 2017 than in 2016 (477 v. 450) but the same reduction in records affected, with five times fewer records exposed in 2017 than in 2016’s 27.3 million.

What has succeeded is the reduction of mega-breaches and the containment of healthcare device loss and theft, through education and enforcement of employee practices. What continues is that the major cause of breaches remains insider-related, via error and wrongdoing; the major annual Verizon report says the same. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

Breaking News. This morning’s (Tuesday 16 May) news is that reputable security organizations, Kaspersky Lab and Symantec, are connecting dots that lead, for now, to a North Korea-linked hacking group, the Lazarus Group. The link rests on code shared between an early WannaCry sample and tools previously used by Lazarus, a group already identified in earlier attacks. US Homeland Security has acknowledged seeing the same similarities, but all parties are still working to gain more information.

Lazarus has previously been identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, both linked to fundraising for North Korea’s missiles, army, EMP and nuclear arming while its terrorized people starve. As fundraising, however, this attack was a flop; according to US Homeland Security, only about $70,000 had been paid in ransom. The Homeland Security spokesman also distanced the NSA from the leaked exploit code behind the worm, which targeted a Windows SMB flaw Microsoft had patched in March (MS17-010).

According to Czech security firm Avast, WannaCry disproportionately affected Russia, Taiwan, Ukraine and India. No US Federal government systems were reported affected. China reported on Monday that it hit traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically plots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK researcher working for Kryptos Logic who halted the spread by buying a domain embedded in the WannaCry code. How it worked, according to PC World: before doing anything else, the malware tries to connect to a hard-coded domain that nobody had registered. If the connection fails, it proceeds to encrypt and spread; if it succeeds, it exits. By registering the domain and standing up a page for the malware to reach, he made that check succeed on every infected machine that could reach it, and the spread stopped. Note what that does and does not do: it halted new infections on machines with a path to the domain, but it is no substitute for the Windows patch, and unpatched hosts remained exploitable by variants built with a different kill switch, or none. (Video in Telegraph article)  Also FoxNews
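The kill-switch logic described above is simple enough to model directly. The following is an added illustration, not code from the article or from the malware: the domain name is a placeholder, not the real one, and the network is simulated with a pure function so nothing is contacted. It also builds in one widely reported detail of the real check as an assumption of the model, namely that the malware opened a direct connection without honouring proxy settings, which is why the sinkhole did not protect hosts that could only reach the internet through a mandatory proxy, and obviously could not protect air-gapped ones.

```python
"""Model of the WannaCry kill-switch check and of a sinkhole defeating it.

Added illustration, not code from the page or from the malware.  The domain
is a placeholder and the network is simulated; nothing is contacted.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

KILL_SWITCH_DOMAIN = "kill-switch.example.invalid"   # placeholder, not the real domain


@dataclass(frozen=True)
class Host:
    name: str
    direct_egress: bool   # True if the host can open a direct HTTP connection


def probe_succeeds(host: Host, domain: str, registered: FrozenSet[str]) -> bool:
    """Simulated connectivity test.

    Assumption modelled here: the check used a direct connection (no proxy),
    so it only succeeds when the domain resolves AND the host has direct egress.
    """
    return domain in registered and host.direct_egress


def payload_runs(host: Host, registered: FrozenSet[str],
                 domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The inverted logic the text describes: domain unreachable => carry on."""
    return not probe_succeeds(host, domain, registered)


def simulate(hosts: Iterable[Host], registered: Iterable[str]) -> List[str]:
    """Names of the hosts on which the payload would proceed to encrypt/spread."""
    reg = frozenset(registered)
    return sorted(h.name for h in hosts if payload_runs(h, reg))


# Constructed fleet: two hosts with direct internet, one behind a mandatory
# proxy, one air-gapped.  The SMB worm propagation itself is out of scope.
FLEET = [
    Host("laptop-a", direct_egress=True),
    Host("laptop-b", direct_egress=True),
    Host("ward-pc-proxied", direct_egress=False),
    Host("mri-console-offline", direct_egress=False),
]

if __name__ == "__main__":
    before = simulate(FLEET, set())                   # nobody owns the domain yet
    after = simulate(FLEET, {KILL_SWITCH_DOMAIN})     # researcher registers it
    print("would encrypt before sinkhole:", before)
    print("would encrypt after sinkhole: ", after)
```

Registering the domain flips the outcome for the two hosts with direct egress and changes nothing for the other two, which is the shape of what happened in May 2017: a stopgap that bought time, while the durable fix was applying the Windows patch and blocking SMB at the perimeter.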

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level, with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, summarized it neatly in The Hill today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday, right before all this began. As if in confirmation…ShadowBrokers, the group that leaked the NSA’s hacking tools, today announced the availability of a subscription to a ‘members only data dump’, like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene: cyberhygiene. Without it, plans for patient apps and data sharing will go sideways, and become deserved fodder for Dame Fiona [TTA 10 May]. The Hill  Earlier coverage here

The malware siege of Northern Lincolnshire and Goole NHS: a preview of more? (UK)

By now our UK readers are well aware of the shutdown due to malware starting Sunday 30 Oct, only resolved today, of the Northern Lincolnshire and Goole NHS Trust hospitals: Diana, Princess of Wales; Goole and District; Scunthorpe General.

[Image: NHS Digital alert as shown on the NHS website, via Krebsonsecurity.com]

[Image: second alert screenshot from the NHS website]

The shutdown is estimated to have affected approximately 1,000 patients over the three days. Most patients were diverted to neighboring hospitals, according to The Guardian.

The Health Services Journal (paywalled) broke as an exclusive the NHS’ high-priority warning to providers around the country. Yet it seemed equivocal. According to The Sun, while NHS Digital marked the message as ‘severity: high’ and warned that “… we would like to remind all users of the need for proactive measures to reduce the likelihood of infection and minimise the impacts of any compromise.”, it was tempered with “We have no evidence that this is anything other than a local isolated incident but we will continue to keep health and care organisations informed.” Also according to The Sun, the Department of Health has noted that this is not the first such incident.

As our Readers know, US and Canadian hospitals and healthcare organizations have been subject of late to malware and its latest iteration, ransomware, with a large outbreak this summer. (more…)

Ransomware alert up in US, Canada: more details

Ransomware threats are now the subject of a joint alert from the US and Canada, with at least 14 hospitals under attack on both sides of the border. Ten of the hospitals are part of MedStar in Maryland [TTA 26 March, updated], and as your Editors have noted, it’s not just hospitals: macOS has been hit, and now, reportedly, even police departments and cafes (Telegraph, NPR). $24 million was lost to ransomware in 2015 in the US alone, according to the FBI. Healthcare IT News reports a new variant called PowerWare, delivered through a macro in an MS Word document. It goes further than Locky in mimicking legitimate activity: rather than writing a new executable to disk, which file-based antivirus could catch, it abuses PowerShell, the scripting engine system admins use for task automation and configuration management, to do its work. The practical consequence for defenders is that the malicious activity shows up as a Word process launching PowerShell, exactly the kind of parent-child relationship endpoint logging should flag.

If you are catching up and want a useful overview, see Wired. The headline states the obvious, at least to this Editor. Hospitals, with their often-flawed IT run by overworked staffs, are the perfect target for ransomware and other malware, as lives are at stake, not widget production. Like most malware and internet Bad Things, ransomware originated in Eastern Europe (where else?) back in 2005. Most attacks include instructions on how to obtain bitcoin, the hard-to-trace payment method demanded by the hospital hostage-takers (pseudonymous rather than truly untraceable, but difficult enough).

How to prevent or mitigate? NPR cites Peter Van Valkenburgh, director of research at Coin Center, a digital currency advocacy non-profit, on safeguards hospitals can take, including HTTPS encryption, two-factor authentication and file backups on a separate server. One caveat on the last: a backup that is reachable from an infected machine as a mapped drive or open share will be encrypted along with everything else, so backups need to be offline or otherwise write-protected from ordinary workstations, and restoring from them needs to be tested before the day it is needed.