TLP White: This week, Hacking Healthcare begins with a breakdown of some high-level findings from the Cyber Threat Intelligence League’s (CTIL) first ever Darknet Report. We analyze the report and extrapolate it into a discussion about indirect threats to the healthcare sector. Next, we examine some alarming news that a malicious entity’s remote access to a water treatment facility in Florida could have resulted in making the water toxic. Finally, we emphasize that healthcare organizations should ensure they are appropriately securing their health apps by detailing a new report that found significant vulnerabilities in a number of widely used mobile health apps and APIs.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
1. Cyber Threat Intelligence League Releases 2021 Darknet Report
As the COVID-19 pandemic kicked off, it quickly became clear that cyber criminals and even nation-state actors would not refrain from targeting the healthcare sector, despite some early suggestions that they might. With healthcare sector security and IT already stretched thin, and with various governments overwhelmed from the fallout of COVID-19, a group of cybersecurity researchers and law enforcement personnel came together to form the CTIL. The organization’s stated goal is to provide “support [for] its healthcare and law enforcement partners” and “reduce the likelihood and impact of cybersecurity-related issues so that caregivers can continue serving global public health goals.”[1] To this end, they have recently released their first Darknet Report, “cataloging criminal activity related to healthcare and the COVID pandemic.”[2]
The 26-page report provides key insights, CTIL’s assessment of what to expect going forward, and a breakdown of seven specific threats: Ransomware, Initial Access Brokers, Opportunistic Cybercriminals, Disinformation Campaigns, Scammers, Phishing, and Databases. CTIL’s top level insights include:[3]
- – The top five ransomware variants that impacted healthcare in 2020 are Maze, Conti, Netwalker, REvil, and Ryuk, affecting over 100 organizations that they are aware of.
- – Nearly two-thirds of healthcare cybercrime victims were in North America and Europe, though victims spanned every continent.
- – Threat actors moved to target the healthcare industry with ransomware because of healthcare organizations’ increased prominence during the pandemic and their high susceptibility to attacks.
- – The proliferation of dark markets and supply chains significantly lowered the barrier to entry for cybercriminals to affect healthcare.
- – The threat actors that deploy ransomware as part of their attack method will almost certainly increasingly target the healthcare sector as it has emerged as one of the most vulnerable industries during the pandemic.
- – The business of Initial Access Brokers (IAB) has boomed in the year 2020. From Q2 2020 to Q4 2020, the number of IABs compromising and selling access to healthcare organizations and other life-saving organizations has more than doubled.
While not much of the information provided by CTIL is groundbreaking, the Darknet Report does provide another data point confirming emerging cyber threat trends targeting the healthcare sector. The breakdown provided in the report is also useful due to its broad approach. By examining not just the criminal and nation-state threats that directly target healthcare organizations, but also those that target the general population, the report does an admirable job of providing context for just how varied malicious cyber activities against the healthcare sector can be.
2. Hacker Breached Florida Water Treatment Facility
On February 5th at a water treatment plant in Oldsmar, Florida, a yet-to-be-named hacker broke into a water treatment plant’s computer system and temporarily increased the amount of sodium hydroxide (lye) in the water to a dangerous level. Luckily, no one was harmed in the attack, as the lye levels were quickly reversed by astute personnel at the plant. While the entire population of Oldsmar (15,000 people) was at risk from this attack, Sheriff Bob Gualtieri stated the following in a press release: “At no time was there a significant adverse effect on the water being treated. Importantly, the public was not in danger.”[4] City officials have also noted that even if the increased lye levels had not been caught immediately, the toxic water would have taken 24 to 36 hours to reach the city’s population, and an automated PH testing safeguard would have caught the increased level of lye, triggered an alarm, notifying personnel of the change before anyone could be harmed.
The bad actor was able to infiltrate the Oldsmar Water Treatment Facility’s computer system through remote access software typically used by operators for IT maintenance. The remote access software, TeamViewer, has since been disabled.[5] Attributing the attack to a specific bad actor has been a challenge; currently, it is unknown if the attack was carried out by a domestic or foreign actor. Oldsmar is conducting a forensic investigation on the attack in conjunction with the Federal Bureau of Investigation (FBI) and Secret Service.
The attack was mentioned during a federal Committee on Homeland Security hearing titled “Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience” last week. Hearing witness Chris Krebs, Former Director of the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security, stated during the hearing that this attack could be an insider or disgruntled employee, but it is also possible it was a foreign actor. Another hearing witness, Michael Daniel, President and CEO of the Cyber Threat Alliance, said he thought the attack came from overseas due to the commonalities between this attack and a previous attack on Israel’s water system by Iran. Krebs underlined at the hearing that tens of thousands of water treatment facilities across the country need to invest in software updates.
Action & Analysis
**Membership required**
3. Report Raises Healthcare Mobile Health App Security Concern
During 2020, COVID-19 underscored how vital it is for individuals across the globe to have access to digital products and services. Unfortunately, the rush to capitalize on that need led to some high-profile instances of cybersecurity and privacy best practices becoming less of a priority (or even ignored altogether). While communication applications like Zoom grabbed early headlines for less than stellar security, the healthcare sector has had its own mishaps. A recent report on healthcare app security is a sobering reminder that achieving adequate security and privacy is not an easy task for even the most highly resourced and well-intentioned organizations.
The healthcare sector is increasingly looking to digital products and services to reach both patients during the response to COVID-19 as well as underserved communities for whom in-person healthcare is a logistical challenge. This fact is partially responsible for the estimated 318,000 mobile health applications that exist in major app stores today.[6] The growing popularity of such applications led mobile app API security company Approov to sponsor cybersecurity marketing firm Knight Ink to investigate the security of 30 such health apps for vulnerabilities that could expose sensitive health and identity information.[7] The apps tested were not limited to small, unknown entities, and while the identities of those tested were kept anonymous, the average number of downloads for the apps tested was 772,619.[8]
The report’s findings were disheartening, but also useful in underscoring just how difficult the task of securing health apps can be and what kinds of problems organizations should ensure they address. Key findings included:[9]
- – Out of all thirty mHealth apps tested, 77% contained hardcoded API keys, some which don’t expire, and 7% even contained hardcoded usernames and passwords.
- – Out of the API endpoints tested, 100% of them were vulnerable to Broken Object Level Authorization (BOLA) attacks leading to unauthorized access to full patient records, downloadable lab results and x-ray images, blood work, allergies, and personally identifiable information (PII).
- – 27% of the apps tested were not secured against reverse engineering through code obfuscation.
- – 100% of the apps tested failed to implement certificate pinning, man-in-the-middle attacks against the app.
- – 50% of the APIs tested allowed access to the pathology, x-rays, and clinical results of other
The author of the study concluded that “mHealth companies need to implement more of a zero-trust approach to the security of their apps and APIs” and that “[t]here is a clear lack of static code analysis and penetration testing that would have mitigated many of the ’low hanging fruit’.”[10]
Action & Analysis
**Membership required**
Congress –
Tuesday, February 16th:
– No relevant hearings
Wednesday, February 17th:
– No relevant hearings
Thursday, February 18th:
– No relevant hearings
International Hearings/Meetings –
– No relevant hearings
EU –
– No relevant hearings
Conferences, Webinars, and Summits –
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://cti-league.com/blog/darknet-report-2021/
[2] https://cti-league.com/blog/darknet-report-2021/
[3] https://cti-league.com/blog/darknet-report-2021/
[4] https://www.cyberscoop.com/florida-hacker-water-plant-sodium-hydroxide/
[5] https://www.cyberscoop.com/florida-hacker-water-plant-sodium-hydroxide/
[6] https://www.mobius.md/2019/03/20/11-mobile-health-statistics/
[7] https://www.mobihealthnews.com/news/report-patient-info-risk-due-rampant-api-vulnerabilities-among-major-mobile-health-apps
[8] https://approov.io/mhealth/hacking/
[9] https://approov.io/mhealth/hacking/
[10] https://approov.io/mhealth/hacking/