Report warns of dangers to health services from growing cyber threat

2-Oct-2017

McAfee research claims health sector is 'opening itself up as a target' to hackers

While many healthcare data breaches are the result of accidental disclosures and human error; cyber attacks on the sector continue to increase.

This is one of the findings of a new report released this week, which examines the rise of malware and threats to key public services.

The health sector is opening itself up as a target to hackers, particularly as the value and volume of stolen healthcare data on the black market grows

The document - McAfee Labs Threats Report: September 2017 - published by McAfee, suggests five proven threat-hunting best practices, provides an analysis of the recent WannaCry and NotPetya ransomware attacks, assesses reported attacks across industries, and reveals growth trends in malware, ransomware, mobile malware, and other threats.

McAfee Labs saw healthcare surpass public sector to report the greatest number of security incidents in the second quarter of this year; while the Faceliker Trojan helped drive quarter’s 67% increase in new malware samples from the social media landscape.

The second quarter of 2017 also saw Facebook emerge as a notable attack vector, with Faceliker accounting for as much as 8.9% of the quarter’s 52 million newly-detected malware samples.

This Trojan infects a user’s browser when they visits malicious or compromised websites. It then hijacks their Facebook ‘likes’ and promotes the content without their knowledge or permission.

Doing so at scale can earn money for the malicious parties behind Faceliker given that the hijacked clicks can make a news article, video, website or ad appear more popular or trusted than it truly is.

“Faceliker leverages and manipulates the social media and app-based communications we increasingly use today,” said Vincent Weafer, vice president for McAfee Labs.

“By making apps or news articles appear more popular, accepted and legitimate among friends, unknown actors can covertly influence the way we perceive value and even truth.

“As long as there is profit in such efforts, we should expect to see more such schemes in the future.”

While overall healthcare data breaches are most likely the result of accidental disclosures and human error; cyber attacks are becoming more frequent.

The trend began the first quarter of 2016 when numerous hospitals around the world, including dozens across the UK sustained ransomware attacks. The attacks paralysed departments and, in some cases, hospitals had to postpone appointments and procedures.

Technology developers and policy makers have a part to play, working more closely with the security sector to better secure patients’ personal and sensitive data

“Whether physical or digital, data breaches in healthcare highlight the value of the sensitive personal information organisations in the sector possess,” Weafer said.

“They also reinforce the need for stronger corporate security policies that work to ensure the safe handling of that information.”

Commenting on the impact on the health sector, Raj Samani, chief scientist and fellow at McAfee, said: “The health sector is opening itself up as a target to hackers, particularly as the value and volume of stolen healthcare data on the black market grows.

Increased technology uptake in this sector is expanding the current attack surface, but steps are not being taken to ensure security measures keep up with industry innovation.

“The explosion of networked healthcare and IoT devices is just one facet of the challenges faced by the healthcare industry. Many demonstrate known vulnerabilities, but technology is outpacing its protection and leaving data exposed to cybercriminals.

Take insulin pumps – vulnerabilities have been publicly documented, but still exist. We may not have seen an attack in the wild yet, but how long will it be before this becomes a reality?

“The healthcare industry must ensure the right technologies are in place to prevent criminals from compromising the integrity of the data under its care.

“Technology developers and policy makers also have a part to play, working more closely with the security sector to better secure patients’ personal and sensitive data.”

Key finding from the report include:

• Security incidents. McAfee Labs counted 311 publicly-disclosed security incidents in Q2 of 2017, an increase of 3% over Q1
• Vertical industry targets. The health, public, and education sectors comprised more than 50% of total incidents in 2016-2017 worldwide
• In Europe, the public sector led the sectors substantially in Q2, followed by entertainment, health, finance, and technology
• Attack vectors. Account hijacking led disclosed attack vectors, followed by DDoS, leaks, targeted attacks, malware, and SQL injections
• New malware samples leaped up in Q2 to 52 million, a 67% increase. This rise is in part due to a significant increase in malware installers and the Faceliker Trojan. The latter accounted for as much as 8.9% of all new malware samples. The total number of malware samples grew 23% in the past four quarters to almost 723 million samples
• Ransomware. New ransomware samples again increased sharply, by 54%. The number of total ransomware samples grew 47% in the past four quarters to 10.7 million samples
• Mobile malware. Total mobile malware grew 61% in the past four quarters to 18.4 million samples. Global infections of mobile devices rose by 8% in Q2
• Mac malware. With the decline of a glut of adware, Mac OS malware has returned to historical levels, growing by only 27,000 in Q2. Still small compared with Windows threats; the total number of Mac OS malware samples increased by 4% in Q2
• Macro malware. New macro malware rose by 35% in Q2. 91,000 new samples raised the total overall sample count to 1.1 million
• Spam campaigns. The botnet Gamut again claims the top rank in volume during Q2, continuing its trend of spamming job-related junk and phony pharmaceuticals. The Necurs botnet was the most disruptive, pushing multiple pump-and-dump stock scams during the quarter

McAfee’s analysis of the WannaCry and NotPetya attacks builds on the organisation’s previous research by providing more insight into how the attacker creatively combined a set of relatively-simple tactics, melding a vulnerability exploit, proven ransomware, and familiar worm propagation.

McAfee notes that both attack campaigns lacked the payment and decryption capabilities to successfully extort victims’ ransoms and unlock their systems.

“It has been claimed that these ransomware campaigns were unsuccessful due to the amount of money made,” said Samani.

“However, it is just as likely that the motivation of WannaCry and NotPetya was not to make money, but something else.

The healthcare industry must ensure the right technologies are in place to prevent criminals from compromising the integrity of the data under its care

If the motive was disruption then both campaigns were incredibly effective. We now live in a world in which the motive behind ransomware includes more than simply making money, welcome to the world of pseudo-ransomware.”

The report suggests techniques to help threat hunters spot the presence of adversaries in their environment; starting with the principles of what McAfee’s Foundstone group calls the ‘three big knows’— know the enemy, know your network, know your tools.

The report offers best practices for hunting for command and control, persistence, privilege escalation, lateral movement, and exfiltration.

“One underlying assumption is that, at every moment, there is at least one compromised system on the network, an attack that has managed to evade the organisation’s preventive security measures,” said Ismael Valenzuela, principal engineer for threat hunting and security analytics at McAfee.

“Threat hunters must quickly find artefacts or evidence that could indicate the presence of an adversary in the network, helping to contain and eliminate an attack before it raises an alarm or results in a data breach.”

Companies

• McAfee