NHS 111 Services Held to Ransom by Cyber Attack

NHS 111 services are down for much of the UK following a cyber-attack Thursday morning against the infrastructure of software vendor 'Advanced'. The company's Adastra system is used by call handlers to dispatch ambulances, to book urgent care appointments, and for out of office hours emergency prescriptions. It’s Caresys software is used extensively across more than 1,000 care homes, while Carenotes, Crosscare and Staffplan are used extensively by providers. Advanced supplies software to NHS facilities and doctors nationally, including hospitals, doctors’ offices, care homes and mental health services, so disruption has been widespread.

The systems outage is causing significant delays as call handlers are forced to use other systems or to revert to paper. Emergency ambulance dispatch is taking priority it has been reported, meaning that everyone else has to wait. Meanwhile, applications managed by Advanced have been isolated to prevent lateral spread of malware to other NHS systems.

According to the Telegraph, the cyber-attack appears to have been conducted by an organized criminal ransomware group looking to shut down crucial systems rather than a hostile state-actor as had been originally feared. Healthcare and other critical national infrastructure services have been on high alert since the start of the war in Ukraine given heightened tensions with Moscow. The UK’s National Cyber Security Centre is working with the NHS as it attempts to recover systems from backups and restore services.

UK businesses have been warned about paying ransoms and incentivizing extortionists. According to the Telegraph last month, the head of the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner warned businesses that they risked “incentivizing” attacks by cybercrime gangs by paying ransom demands.

According to Sky News, Advanced, said the issue was contained to "a small number of servers" representing 2% of its health and care infrastructure. Chief operating officer Simon Short added: "We continue to work with the NHS and health and care bodies as well as our technology and security partners, focused on recovery of all systems over the weekend and during the early part of next week."

This latest cyber-attack against the NHS is an unwelcome test of its resiliency and preparedness for various outages including cyber-extortion. As a critical infrastructure industry, the NHS is a target for pariah nation state attack, although in this case evidence appears to suggest that the attack was orchestrated by a Russian criminal gang. Given the known close working relationship between the Russian government and the country’s organized crime gangs, the Kremlin may not be entirely off the hook in this case. A forensic investigation of the cyberattack will take time and a positive attribution of the attackers may be many months away.


NSH 111 services previously known as ‘NHS Direct’ is used for non-emergency Urgent Care services and puts callers in touch with highly trained advisers supported by healthcare professionals. It was designed to reduce the call volume on the UK’s 999 Emergency services (similar to the US’s 911 call system) for non-critical healthcare issues, or to force patients to have to wait several days for an appointment with their general practitioner / primary care provider. The free 111 service is widely used and can be accessed by anyone dialing the number from within the UK.

Advanced is owned by Vista Equity Partners and BC Partners.

Read More

Ransomware and Increased Attacks against Healthcare

The number of attacks against healthcare and hospitals continues to rise as cyber criminals and pariah nation states take advantage of the current Coronavirus crisis where hospitals in many part of the United States and around the world are distracted by large numbers of infected patients and a workforce that by and large, is now entirely remote outside of clinical care.

This was the subject of discussion for a panel of healthcare security experts today at the Washington HIMSS Chapter Meet Up.

Read More

Hospitals Targeted by Cyber Attack During Covid Crisis

Cyber-criminals and pariah nation-states are taking advantage of the disruption caused by the pandemic to run amok. 

Few things elicit the question of ethics than a lawyer chasing an ambulance leaving a road traffic accident or a hacker targeting a hospital during a global crisis, but the latter is precisely what has been happening since February.

The public and government officials alike, are outraged that cyber criminals would target health systems during a time of global pandemic crisis.

Increase in Cyber Attacks Against Healthcare

As our brave doctors and nurses fight each day to save lives those infected with the coronavirus, hackers and pariah nation-states fight each day to break into our health systems and research centers working on a vaccine or a cure. Ironically, both the virus and many of those engaged in the theft of research into a vaccine appear to come from the same country.

Photo: H.Shaw

 
Between the months of February and May of this year, there have been 132 reported breaches of healthcare covered entities, according to the HHS. This is an almost 50% increase in reported breaches during the same time last year. Perpetrators appear to be taking advantage of a distracted often remote workforce easily susceptible to phishing and other scams, or gaining access to hospital networks through insecure medical devices and other healthcare IoT systems. "These systems are notoriously difficult to secure and are an acknowledged cybersecurity risk," claimed Tim Ozekcin, CEO of biomedical security company, Cylera.

In a letter this week signed by international political and business leaders, the International Committee of the Red Cross called for governments to take “immediate and decisive action” to punish cyber attackers.

“There are more and more cyberattacks...on the healthcare sector and unless there are really strong measures taken, they will continue,” said Cordula Droege, chief legal officer at the ICRC. “What we’re seeing at the moment are still indications of how devastating it could be.”

Also this week, NATO, issued a statement condemning the "destabilising and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals and research institutes. These deplorable activities and attacks endanger the lives of our citizens at a time when these critical sectors are needed most, and jeopardise our ability to overcome the pandemic as quickly as possible."

Invoking its founding principle of Collective Defense and its’s more recent Cyber Defence Pledge, NATO confirmed that it is ready to take action against the perpetrators of these cyber attacks.

"Reaffirming NATO's defensive mandate, we are determined to employ the full range of capabilities, including cyber, to deter, defend against and counter the full spectrum of cyber threats," NATO said.

The World Health Organization has reported a 500% increase in cyberattacks on its systems during the spread of the Coronavirus pandemic through April compared with the same period last year, and has been dealing with a major email security breach at the same time while trying to deal with the largest pandemic to hit the world on over a century.

So far this year, the U.S. Department of Health and Human Services has investigated 177 data-breach incidents at medical organizations, nearly double the 91 under investigation in the same period in 2019.

Photo: Lianhao Qu

Opportunistic Rise in Cyber-Crime

Cyber-crime appears on the rise everywhere while most of us are out of our comfort zone working from home or otherwise disrupted. According to the FBI, the number of reported cybercrimes has quadrupled for the period of December - April compared to the same period last year. The FBI’s Internet Crime Complaint Center, known as the IC3, has been swamped with 3 to 4 times the usual number of calls each day as COVID-19 spread across the United States.

According to Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, "there was this brief shining moment when we hoped that, you know, 'gosh cyber criminals are human beings too,' and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale. Sadly, that has not been the case," she reported.

The US FTC has reported that approximately $12 million has been lost due to Corona-virus-related scams since January. But it’s not just the US that has been targeted either. One man in Singapore tried to abscond with €6.64 million from a European pharmaceutical company after taking an order for surgical masks and hand sanitizer that he had no intention of delivering. Thanks to the quick actions of Interpol and Singapore authorities the money was returned and the man arrested.

“We’re very concerned now that we have these very sophisticated actors - nation-states, particularly China and Russia - targeting Covid-19 research, treatment protocols and vaccine development,” said John Riggi, Strategic Advisor for Cybersecurity and Risk at the American Hospital Association.

The message to watch out for potential theft of intellectual property has gone out right across the industry, especially by sophisticated nation-state actors according to officials at a number of leading academic medical centers. "Its like we're fighting two battles at the same time - the Covid-19 pandemic and defending against an escalation in cyber attacks against healthcare, " claimed Chad Wilson, CISO of Stanford Childrens' Hospital.

Hundreds of fake domains have been registered by criminals with names to entice the unsuspecting to click a link to a coronavirus news site, health and well-being site, to a charity site supporting everything from animal shelters for abandoned pets to food banks for the suddenly unemployed. At least one has even attempted to purport to be part of the Centers for Disease Control in Georgia otherwise known as the CDC. And there have been a whole range of scam sites setup to supply N95 masks, rubber gloves and other personal protective equipment (PPE) where users place an order never to see any goods – only fraudulent transactions on their credit cards. Many hospitals have also been defrauded in similar ways, receiving sub-par equipment from mainly Chinese manufacturers or none at all.

Intellectual property theft especially at hospitals and research institutes working on investigation of the virus or potential vaccines for COVID-19 has also been rife, especially from so-called international partners, some of whom may have been already compromised. Nation-state-actors are focused on gathering information about the response of US states to the ongoing pandemic and the progress of the research on vaccines with more than one nation-state appearing to be involved.

Photo: CDC

Healthcare & Medical Research Targeted

Most alarmingly though, is a spate of targeted ransomware attacks against hospitals. Last month a number of Czech hospitals and medical research centers were attacked, by as yet unknown perpetrators in what is thought to be a combined infiltration-theft and ransomware attack. The attack breached one of the major Czech COVID-19 testing laboratories at Brno University Hospital in the city of Brno in Moravia. According to Reuters,“The country’s NUKIB cybersecurity watchdog said the attacks, designed to damage or destroy victims’ computers by wiping the boot sector of hard drives.” The similarity with Russian FSB and GRU attacks against Ukrainian and other targets last year would tend to indicate nation-state involvement as would the boot sector wiping first attributed to the Russian GRU's 'Not Petya' attacks.

 

Colorado Medical Center Hit

But ransomware attacks against hospitals have hit closer to home. At least one US hospital has been hit in the past week by ransomware that encrypted its entire EMR system and its local backups. This was not a random broadcast attack but one carefully crafted against a known Pueblo, Colorado hospital with a un-patched perimeter. The hospital and many of its IT systems are still off-line at the time of writing this post and patient care is still being impacted by the attack. Its website came back up as we were about to go to press with the following message to the community.

 

This represents a daring escalation by cyber extortionists and risks a very real response by the United States. A mere two days before Parkview was hit, Mike Pompeo, US Secretary of State warned that there would be "zero tolerance" for such attacks.

"As the world battles the COVID-19 pandemic, malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results," Pompeo said. "Anyone that engages in such an action should expect consequences," he added.


Drawing a Line in the Sand

Whether the pandemic cyber-attacks are just highly opportunistic criminals with no moral compass, or are a deliberate escalation of the hybrid warfare executed by a few pariah nation-states that have been pushing the boundaries of acceptability over the past few years, the perpetrators are treading on very dangerous ground.

Attacks against national critical infrastructure risk a very different kind of response from governments the world over. Just over a year ago, the Israeli Defense Forces dealt a very firm blow to nefarious cyber actors planning an attack on Israel with an air strike that wiped out HamasCyberHQ flattening the building and all inside.

HAMAS CyberHQ. Photo: Forbes

The US has also taken out a number of cybersecurity adversaries with drone launched hellfire missile attacks in Syria over the past few years. In fact, the US has reserved the right to retaliate against cyber-attacks with military force since 2011. The prospects therefore, for those cybercriminal elements that deliberately target US hospitals and medical research facilities obviously don't look too good.

Whether, and how, the US and other countries decide to respond to attacks against life-sustaining critical infrastructure like hospitals and healthcare research is a topic of hot debate. One issue is the problem of attribution. It's difficult to positively attribute an attack to an individual or a group, especially when more sophisticated attackers are good at covering their tracks or leaving breadcrumbs that point to others. Its also time-consuming, meaning that many years can go by before the culprit of an attack can be finally identified and dealt with.

Once identified, however, there are a wide range of options open to governments, extradition being only one of them. The international rule of law is opaque at best and needs to meet different standards and evidentiary bars in each country and its respective legal system. Even then, some people are considered beyond the law due to their connections. Some countries, notably Russia and other former communist block states, lack extradition treaties with the rest of the world. Going after perpetrators via legal means in the Peoples Republic of China or North Korea is also senseless as they usually operate at the behest of the state, unlike Russia which employs freelance proxies in order to claim plausible deniability. Therefore, governments sometimes need to employ other methods, as Bobby Chesney the co-founder of the Lawfare blog and a highly respected figure in US national security circles, explained during a recent podcast. (Chesney is the Charles I. Francis Professor in Law at The University of Texas School of Law, where he serves as the Associate Dean for Academic Affairs and teaches courses relating to U.S. national security and constitutional law.)

According to Chesney, there are many perfectly legal avenues for US government agencies to pursue in the apprehension of cybercriminals that attack critical US Infrastructure, especially at a time of declared national emergency. "There is an unpublished line in the sand that if crossed could mean significant consequences for those that do" he claims.

That includes a wide range of punitive measures including black ops, as Roman Seleznev the son of a close Putin ally who was widely regarded as being beyond the law in Russia found out in 2017. Renditioned to the USA, tried and convicted of cybercrimes in at least two different states, Seleznev has the next 27 years to look forward to as a guest of the US prison service.

Photo: NIST Cybersecurity Framework (CSF)

A Change of Focus

Recognizing that not all cyber attacks can be prevented, many CISOs are focusing more of their attention on the Detect, Response and Recover segments of the NIST CSF. Their focus is on limiting damage and restoring functionality as quickly as possible to minimize impact. "Every minute a critical hospital system is down could mean patient lives, so speedy restoration is critical," claimed Esmond Kane, CISO of Steward Health. "The fact that a breach occurred or a perpetrator was able to gain access to the network and HIT systems, is of secondary concern once systems are back up and running. We have to deal with that later" he adds.


Recovery from Attack

In order to turn the lights back on and restore systems following a cyberattack, a hospital must first eradicate all traces of the ransomware and other malware, then carefully restore data from off-site backup tapes or cloud storage. First, however, the malicious exploit and ransomware code must be identified, forensically preserved by law enforcement for later prosecution of perpetrators, and systems cleaned up and formatted. This can be very time consuming, taking many days and of course, will impact patient care and safety.

Perpetrators also know that thanks to better backup procedures following WannaCry, victims have comprehensive and disconnected backups of their data to avoid paying ransoms which would be illegal in many jurisdictions. Hence they are now executing combined infiltration-theft-extortion attacks, as was recently seen in the Czech Republic. Non-Public data is exfiltrated as part of the attack and when the ransomware clock runs out without a payment being made, a perpetrator will release some protected data to the public internet with a second extortion payment demand threatening to release more regulated PII and PHI data. This is similar to a recent REvil Attack against a Los Angeles celebrity law firm that claimed to have masses of dirty laundry on Donald Trump as well as contracts and other documents for celebrity clients.

Cisco's ZeroTrust Micro Segmentation

Containment and Risk Mitigation

While adoption of a Zero-Trust security framework and the implementation of network segmentation will severely limit the lateral spread of malware across a hospital network, one of the greatest recovery problems is the identification of sleeper malware or extraneous communications by that malware to command and control known as C2 severs. That's where Cylera’s MedCommand software comes into its element by quickly identifying suspicious network traffic, and tracing that traffic back to infected code that can then be eradicated from the network so that restoration of Health IT systems can commence.

Its just one more use of the Cylera MedCommand system. MedCommand identifies healthcare IoT (HIoT) connected assets, while profiling and risk assessing them for security group tag allocation and for network micro-segmentation under Zero Trust. A recent new feature also allows those who are responsible for managing medical devices and other HIoT assets to observe device utilization for better allocation of patients to available devices - something that has become critical when medical devices are short on supply and stretched to capacity under a global pandemic.

Covid patient in hospital isolation room

 

Read More

Ransomware – a wake up call for effective security controls

“The digital canary in the digital coal mine”

A “canary in the coal mine” is an idiom that refers to an early warning sign for upcoming trouble.  This comes from the day when there was no technology to detect leaks from unseen pockets of toxic gas in the rock of a coal mine. Canaries are more sensitive to the toxic gas in the mines than humans so miners used to take poor canaries with them as an early warning sign of toxic gas. If the canary is on the bottom of the cage it’s time to get out of the mine FAST! So how does this relate to ransomware – bear with me for a while and I will explain how ransomware is the early warning sign that security threats have a free rein in your environment.

Ransomware is big business today. Ransomware miscreants encrypt a victim’s files and only provide the decryption keys after the victim pays the “ransom”—usually in the vicinity of $US300 to $US500. Unlike most other online crimes that target businesses exclusively, ransomware impacts end users directly. Ransomware campaigns are not discrete about their victims as this is a volume game and the bad guys will attempt to compromise tens of thousands of victims per day whether they be a grandparent at home looking at photos, or a corporate banker making billion dollar deals. The pay day for their efforts can be staggering. Cisco recently worked with Level 3 Threat Research Labs to disrupt an Angler exploit kit botnet which Cisco estimates to have be earning at least $US30M annually and I hope this disruption hurt the bad guys.

The effectiveness of Ransomware can be seen in a recent CERT Australia survey where 72% of companies reported malware incidents in 2015 which has more than quadrupled since 2013 (17%). 72% of respondents also stated that Ransomware “is the threat of most concern”.  These figures are staggering when the survey is targeting corporations and it’s not surprising as I have seen ransomware execute and encrypt data on ASX Top 200 companies' systems and Fortune 100 enterprise servers as well as our relatives' laptops.  Quite frankly, ransomware is everywhere and one of the key reasons why it’s a huge concern is that signature based anti-malware products such as anti-virus are mostly ineffective as ransomware is written and tested to avoid detection by AV products and the signatures can change hundreds of times in rapid succession.

Now let's get back to the “canary in the coal mine” analogy.  I believe that the most troubling aspect of ransomware is NOT its effect on the end user, but more that it is so incredibly effective in:

• Penetrating corporate network perimeter defences
• Able to execute as a new process on a victim machine
• Call out to a server on the Internet to download an encryption key (refer to the update below)
• Typically, the first time anyone detects the malware is because their work files (or cat videos) cannot be accessed because they are encrypted

 

I often get asked “can you restore my files?” Unfortunately, the answer most often is “No”. Ironically most ransomware uses strong and well implemented cryptography and it is not economically or technically viable for anyone to attempt decryption. The point here is that we need to move on from believing all attacks can be prevented; we also must realise that attacks must be detected quickly to prevent damage to the business. The fact that most attacks are not directly detected by the victim, but by the action of the external party (encrypting data) is what really troubles me as a security professional. Security controls should be preventing as close to 100% of attacks as possible, but there remains a fraction of successful attacks that we must detect and respond to before significant damage is done to our businesses.

I think we should be closely looking at the lessons we learn from ransomware to show us how effective our security preventative and detective controls are, and how they have failed. Every time ransomware is able to execute and encrypt data, our preventative controls have failed. We can use this incredibly destructive and annoying malware as a tool to learn about the shortcomings of our security program, or the digital canary in the digital coal mine (when the canary is dead it’s time to evacuate) so we can:

1. Prevent and detect more ransomware and other malware incidents
2. Be better able to defend our enterprises against more skilled and determined attackers such as organised crime and nation state funded actors

The point is that if ransomware can operate in your environment then there is little hope you have of being able to defend against the more skilled and determined attackers. The critical questions that must be answered is “how did the ransomware get through my perimeter controls?” and “how was it able to execute and encrypt data without being detected before a victim loses access to their critical business documents (and cat photos)?”

Detecting a threat in the environment is critical to minimising the damage malware does in the network, which is why we need multiple layers of controls to protect. We should not get too far into the preventative controls here, but like our mothers used to tell us “An ounce of prevention is worth a pound of cure” (my mother never went metric). There have been PLENTY of articles written about preventing ransomware and other malware so I do not want to rehash what has already been done. If you want to look for articles on prevention I suggest you have a read of the Cisco Talos blog “Ransomware: Past, Present, and Future”.

One last word on prevention, before we move on to what we are here for. There’s a simple to deploy technique that is being overlooked by most information security professionals – blocking DNS lookups of known malicious sites. Cisco acquired OpenDNS in 2015. One of OpenDNS’ main functions is to provide a safe DNS infrastructure for name resolution services. The differentiator with OpenDNS over many standard DNS services is it provides protection by blocking name resolution for known malicious domains. The reason blocking DNS lookups for ransomware is effective, is that most, if not all, ransomware uses a multi-stage attack where an email is typically used to deliver the payload and when the payload executes it calls crypto.evil.com (for example) to generate an encryption key. Yes, it is not perfect as we are playing catch up, and would be preferable to prevent the initial infection, but if you don't get your data encrypted we can call that a win!  More details of this functionality can be found here.

Now lets get to the crux of concept of the canary in the coal mine analogy. What I’m trying to say is that the presence of ransomware is an indicator of bigger problems. You can think of ransomware as the (unfortunately) dead canary on the bottom of the cage that has detected the gas leak. I believe that you should be looking for the root cause of the ransomware incident rather than concentrating on your canary problem. Root cause analysis will show how the ransomware got into the enterprise and when you can understand that, you can start to fix the problem. Please do not go and buy a shiny new security object to fix the security problem before it is properly understood. Without fully understanding the problem you may be fixing something that will not improve your security posture commensurately. We all have the shiny object syndrome, but choose your time to act and resist the pressure from your peers as much as possible.

Consider the points I made above about:

1. Malware (typically) comes into the network through the corporate email system
2. Unknown software (ransomware) being able to run without human intervention on one of your corporate systems inside the corporate boundary
3. Then connects to the outside world through your corporate proxy server, IPS and firewall(s)

This is remarkably like the tactics used by nation state attackers when setting up their beachhead inside the corporate boundary before stealing your intellectual property.

Starting to smell rotten eggs now? This is the real reason why we are so concerned about where ransomware can run, because if ransomware can run, so can nation state attackers and they can do a far sight more damage to your business than encrypting a few files. The typical motivation of nation state attackers is to steal your intellectual property, pricing information, customer data et. al. for the financial benefit of their own country.

This brings into a stronger focus the benefits of doing a proper root cause analysis of the ransomware incident as it’s not just about the one, two or more systems that run the latest ransomware variant and cause the ensuing mayhem of trying to minimise the damage and recover the data.

If you have planned ahead and have decent backups of your critical data (kudos to you if you have), then you don't need to get too spun up about the effects of the ransomware and the recovery is pretty straight forward. Make sure you learn the lesson that the ransomware incident has taught you. Find out how the ransomware got inside your organisation, and put in better controls to stop it happening again, or at least minimise the chance of it happening again (there’s no panacea for all ransomware). Then work out what it did on the endpoint and build a strategy for stopping from that happening again.

Next is to look at the network communications and determine how you could have a) disconnected it (e.g. blocking DNS calls to known malicious domains); or b) detected it earlier to minimise the damage.

One of the key differences between nation state attackers and the cybercriminals behind ransomware is the end goal. Cybercriminals are after money and typically the faster the better, whereas nation state attackers are playing the long game and looking for the data of choice. They want to maintain access and stay in your network for the long term, whilst extracting the data that they are looking for. Nation state attackers move laterally, hopping from system to system, looking for the data that they have been tasked with finding, and acquiring the administrator credentials often necessary to get access to this data. All of these actions have signatures, or indicators of compromise that you can detect with the right tools.  If you have not looked for them, or had a skilled team working on your behalf, you might be shocked at what you discover.

The objective is to learn from the incident and make continuous improvements to your defences and detection capabilities. If ransomware can run in your environment, then so can the tools that nation state attackers use, and this is a cyber arms race against attackers, whether they be nation state, cybercriminals, or activists with a keyboard. So when you realise that the adversary is continuously improving their tools and techniques (as recently demonstrated by the cybercriminals and their ransomware campaigns), then you had better be doing the same to maintain your edge so your business can survive.

Remember that ransomware, whilst annoying and inconvenient, is just the canary in the coal mine. If your yellow bird is on the bottom of the cage, you’ve potentially got bigger problems.

Update: 20 July 2016

A new version of the Locky ransomware operates in offline mode so does not need to call back home to get encryption keys. Read the following PC World piece for more details.


Guest Blog - First published by my colleague and good friend Goma  and inspired by the Western Australia outback - not that there are many canaries there!

Read More