
Health-ISAC Hacking Healthcare 4-27-2021

TLP White: This week, Hacking Healthcare begins by exploring how North Atlantic Treaty Organization (NATO) military alliance members are strengthening their collective response to cyberattacks and disinformation operations against critical infrastructure sectors, and how such exercises are especially beneficial to the healthcare sector in less cyber capable states. Next, we break down the US Department of Justice’s (DOJ) new ransomware task force to discuss why it may or may not be effective at countering ransomware. Finally, we examine the Pulse Connect Secure vulnerability to illustrate the necessity of patching older vulnerabilities.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

Welcome back to Hacking Healthcare.

1. NATO Holds Annual Cyber Readiness Simulation Virtually

Last week, NATO members participated in an annual simulation called “Locked Shields” to test cyber readiness against an attack on critical infrastructure, as well as their ability to combat disinformation. Locked Shields’ first iteration took place in 2018, and this year’s event was the first virtual version of the simulation and the first time the group tackled misinformation along with a cyberattack. The scenario was created and organized by the NATO Cooperative Cyber Defence Centre of Excellence.

The scenario involved the fictional NATO member country Berylia and non-NATO nation-state Crimsonia. In the scenario, Crimsonia attacked Berylia’s financial services sector, mobile networks, and water supplies. Crimsonia also targeted Berylia citizens with disinformation to create doubt in the government and public discord, a tactic that has notably been employed by Iran and Russia against various nation states and has seen impactful use during the COVID-19 pandemic. The FBI, Cisco, Microsoft, Ericsson, US European Command, the European Defence Agency, and more than 10 NATO allies – including Estonia, Sweden, Finland, UK, and Korea – participated in the simulation.

Michael Widmann, the chief of the NATO Cooperative Cyber Defence Centre of Excellence, said in a statement: “This year, the exercise featured several new dilemmas for the strategic decision-making element as well. The cyber domain and information warfare operate hand in hand in the modern environment. Strong strategic communication policies can mitigate the effects of an enemy’s information warfare campaign.”[1] Widmann’s statement recognizes that cyber threats are changing and don’t always purely involve cyber activities but are increasingly coupled with other actions like misinformation.

This year’s exercise focused on critical infrastructure, which makes sense as attacks on critical infrastructure are viewed as the most severe and can have enormous physical consequences. As we’ve seen throughout the last year, cyberattacks on the healthcare sector can cause lapses in patient care and may, in the most extreme cases, cause patient harm. While exercises like Locked Shields obviously won’t completely deter attacks, they are a step in the right direction to send a message that NATO countries have plans in place to respond to these types of attacks.

This idea of collective defense is a key part of information sharing groups like Health-ISAC, which routinely demonstrate that organizations working together are far more effective at defending and responding to attacks than when they work alone.

Action & Analysis
**Membership required**

2. Ransomware and Digital Extortion Task Force Launched

Last week, the Department of Justice formed a task force to counter ransomware cyberattacks. The task force, called the “Ransomware and Digital Extortion Task Force,” is a response to the significant increase in ransomware attacks during the COVID-19 pandemic and will aim to decrease these attacks by making the digital environment less vulnerable.

The task force will include officials from the DOJ’s National Security Division, Criminal Division, Civil Division, the Executive Office of U.S. Attorneys, and the FBI.[2] The group will increase the Justice Department’s training around pursuing cases involving ransomware, increase intelligence sharing across the agency, and increase coordination across the agency and FBI. It will also aim to strengthen public-private partnerships along with strengthening ties with international partners. Reports claim an internal memo states the federal government is planning to “pursue and disrupt” ransomware operations; what exactly that will entail is still just speculation until the DOJ itself releases more information on this initiative.[3]

Acting Deputy Attorney General John Carlin told the Wall Street Journal the following in an interview: “By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events, and if we don’t break the back of this cycle, a problem that’s already bad is going to get worse.”[4] Mr. Carlin also said in his interview that authorities have to strike a difficult balance of helping individuals and discouraging companies from paying ransom to attackers. He went on to say that the task force is going to examine this issue and make “recommendations on how to address that tension.”[5]

Action & Analysis
**Membership required**

3. Alert on Pulse Connect Secure Vulnerability

On April 20, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert regarding Ivanti’s Pulse Connect Secure products. Pulse Connect Secure is a zero-trust remote access virtual private network (VPN) product used by both public and private organizations – including U.S. government agencies, critical infrastructure providers, and companies of all sizes.

The alert explains that since the end of March 2021, CISA has assisted multiple organizations whose Pulse Connect Secure products were compromised through exploited vulnerabilities. The threat actors used three known vulnerabilities and one newly discovered vulnerability to gain access to company systems. After gaining access, the threat actor placed webshells on the Pulse Connect Secure product to enable further access, with capabilities including authentication bypass, multi-factor authentication bypass, password logging, and persistence even with patching. Ivanti has created a mitigation for the three original vulnerabilities and is working on a patch for the most recently discovered vulnerability.

In its alert, CISA issued the following recommendation: “CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool, update to the latest software version, and investigate for malicious activity.”[6] The Pulse Secure Connect Integrity Tool allows system administrators to check the integrity of the appliance's file system by looking for duplicate or modified files.

Action & Analysis
**Membership required**

Congress

Tuesday, April 27th:

– Senate – Committee on Commerce, Science, and Transportation: Hearings to examine curbing COVID cons, focusing on warning consumers about pandemic frauds, scams, and swindles.

Wednesday, April 28th:

– No relevant hearings

Thursday, April 29th:

– No relevant hearings

International Hearings/Meetings –

– No relevant hearings

EU

Wednesday, April 28th:

– European Commission: Expert Panel on Effective Ways of Investing in Health

Conferences, Webinars, and Summits

https://h-isac.org/events/

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://www.cyberscoop.com/nato-blended-cyber-disinformation-defense-locked-shields-article-v/

[2] https://thehill.com/policy/cybersecurity/549549-justice-department-convenes-task-force-to-tackle-wave-of-ransomware

[3] https://www.zdnet.com/article/new-us-justice-department-team-aims-to-disrupt-ransomware-operations/

[4] https://www.wsj.com/articles/ransomware-targeted-by-new-justice-department-task-force-11619014158

[5] https://www.wsj.com/articles/ransomware-targeted-by-new-justice-department-task-force-11619014158

[6] https://us-cert.cisa.gov/ncas/alerts/aa21-110a
