New APT Groups Targeting Healthcare and Essential Services

healthcare log management

The year of 2020 has been a tough time for many and will be remembered for a while given this global pandemic where we have not seen anything like it in over 100 years. The impacts of COVID-19 will be talked about for many years to come.

Given the nature of the modern world and how we are all interconnected, the bad guys waste no time in coming up with new and innovative ideas on how to scam or cause havoc with peoples personal lives as well as finding new ways to extort money from individuals and businesses. The COVID-19 pandemic is just another way they attack everyone for some form of gain. There are been hundreds of phishing attempts and ransomware attacks trying to gain access to peoples and business.

The US Cert put out a recent announcement on the 5th of May 2020  https://www.us-cert.gov/ncas/alerts/AA20126A that details some of the new APT threats that exist for the healthcare and essential services industry. All industries need to keep a heightened awareness of what is going on with their environments. Obviously and cyber incidents to the healthcare industry would severely impact the critical care they provide to the populations of the world during this pandemic. Many of the systems that are used for critical care run on windows-based platforms which can be susceptible to malware and ransomware attacks. Some regions have already seen these impacts not long ago which caused large number of systems and services to be shutdown.

The CERT advisory has many good recommendations and mitigations that all businesses need to review and check that they are doing enough in these areas. They are worth reading for everyone:

A number of other mitigations that can be of used in defending against the campaigns detailed in this CERT advisory are as follow:

While most of this is good cyber hygiene it may highlight some weakness with the corporate environment that needs to be addressed. In particular, Snare are specialists in security monitoring capabilities. We often see organisations that only collect logs from a small subset of systems. Often some server infrastructure is not even monitored. As many know the end user is often the weakest link in the corporate network and their systems are not monitored at all. Users can receive emails and attachments from various sources and click on things they should not. While security awareness campaigns, anti-malware protection and other technical controls help, things often happen that were unexpected which then allows the bad guys in. Anti-malware protection and technical controls are not infallible, and threats get through. In the case of healthcare systems like MRI scanners, ultrasound, respirators etc. they are often running older operating systems and not fully patched and won’t allow anti-malware tools to be loaded as the vendors won’t warrant the system if things change on the system, it could impact on its performance or operation. Then there are the business and finance systems which are also connected to the corporate networks and can be vulnerable. In years long past this may have been an acceptable risk but now with everything connected to the corporate network it allows for easy propagation of worms and ransomware and other APT threats. Many healthcare systems have been impacted on this. Upgrading this technology is expensive when compared to IT systems but so it the mass disabling of the systems from an incident as the impacts are much larger when peoples’ lives are at stake. APTs often gain access and sit quietly for months or years before they activate and quietly trickle information out of the business.

At Snare we have many technologies to help customers make sure they can monitor as much of their environment as possible. Having the forensics to help in any incident or APT threats that are trying or have gained access to the business systems is a critical part of any incident management and response. We need to know:

  • how they got in – via networks, VPN, system remote access, web server, database, application exploit, lost user id and password information, etc.
  • what they did – did they just read data, change it, ex-filtrate and steal intellectual property (IP), what commands they ran, etc.
  • when they did it- what was the sequence of events and actions they performed, how did they pivot from system to system to get to the target, this also means having accurate time and using things like NTP from a trusted source on all systems.
  • the why – often this can be financial like ransomware to encrypt your systems then ransom your for money, if it’s for stealing your IP then its espionage related if you are a research company which is often financial in a way as they think it’s easier to steal then invent on their own.

Businesses in the healthcare industry may also have HIPAA and other regulatory requirements depending if they operate in the USA or other parts of the world. For more information refer to https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. However, in general the controls need to cover various technical security requirements are:

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Transmission Security

So Snare agents and Snare Central are core components to our solution to help with the forensic collection of audit log data from servers, databases, desktops and other syslog devices like firewalls, routers, switches then keep them in Snare Central for long term storage, reporting and analysis. The access to the data is secure and away from the system that generated the data. The integrity of the data is monitored and reported on if changed, and the transmission security of the audit log data is protected with encryption. We can collect all the core operational security events and other application data for all systems in an enterprise. Having this data all collected and stored away from the systems that generate the event is critical in managing the cyber operations of businesses. By collecting the log data in near real time there is less opportunity for the bad guys to delete all the activity they performed on the system. Once they fully compromise the system via some exploit or zero-day vulnerability they can do whatever they like. But if the data was collected up until the point they break the system, it gives the security teams evidence of what happened and how they got access to the system. Snare Central allows the customer to store the logs for as long as they need, and they can grow the system at any time to use more disk as needed with no additional cost.

From other aspects of monitoring user activity Snare can track critical files and registry settings, Snare SQL agent monitors all MSSQL activity in a database to see which users accessed or changed any data in the MSSQL database. Besides all user activity all commands like select, insert, update, delete and table calls, like create, drop, truncate, etc. can all be tracked. We have some good white papers on how to setup FIM, FAM, RIM and RAM settings using Snare.

https://www.snaresolutions.com/products/snare-agents/

https://www.snaresolutions.com/products/snare-central/

https://www.snaresolutions.com/portfolio-item/how-snare-makes-fim-easier/

https://www.snaresolutions.com/portfolio-item/complying-with-iso-27001/

So, if your healthcare environment has gaps in its cyber security logging posture and you want to do more to monitor your systems or your research organisation then please contact our friendly sales representative in your region.