TLP White: In this edition of Hacking Healthcare, we discuss a new malware-carrying phishing campaign that attempts to impersonate the Centers for Disease Control and Prevention.  We also break down the White House’s recent launch of AI.com, a central repository for all artificial intelligence initiatives and policies at the federal agency level.  We then dive into a resurgent IoT malware botnet that has worked its way into some enterprise networks.  Finally, we explore the efficacy and security risks of using phone numbers for identity authentication purposes.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.

Welcome back to Hacking Healthcare.

Hot Links –
1. Phishing Campaign Impersonates the Centers for Disease Control and Prevention.

Have you received an email from the Centers for Disease Control warning about heightened influenza activity?  If so, you might be on the receiving end of a phishing campaign that directs users to open malicious attachments in an effort to install ransomware on the target user’s computer.

Emails containing the malware claim to be from the Centers for Disease Control and warn recipients about a new flu outbreak.  Upon opening an attachment to the email, a user’s computer becomes infected with Gandcrab 5.2 ransomware, a malware variant for which free decryption mechanisms are not yet available.[1]  Interestingly, earlier this month the Chinese government began reporting instances of a similar phishing attack distributing Gandcrab 5.2 ransomware to its government departments.[2]

Ransomware clearly isn’t a new problem, and many organizations have been investing in dealing with it, both from a preventative and response perspective. Nevertheless, it remains a pervasive problem. These phishing attacks serve as a useful reminder to approach every email you receive with a discerning eye and a certain level of caution.[3]  Basic rules apply here: avoid opening attachments unless you are familiar with the sender or are expecting to receive a particular form or document.  Exercising a healthy degree of skepticism and scrutiny when engaging with your emails could save you from a costly ransomware attack. At the very least, well trained users combined with automated tools can greatly reduce the likelihood of suffering negative consequences.

 

2. White House Launches Site Dedicated to Artificial Intelligence.

Last week the White House launched AI.gov, a central website for information about federal agencies’ artificial intelligence (“AI”) projects and policies.  Projects in AI are currently being conducted by a number of government agencies, including the National Oceanic and Atmospheric Administration, the National Science Foundation, and the Department of Transportation.[4]  The site, which aims to capture information about those projects, is part of a larger AI effort called the American AI Initiative.  The initiative kicked off last month after President Trump issued an executive order emphasizing the importance of maintaining American leadership in AI.[5]

Newly released budget documents have suggested the White House wants to spend $850 million on AI research, allocating those funds between various federal agencies.[6]  However, the Executive branch has also suggested it plans to take a more fiscally prudent approach to research and development overall.[7]  Government spokespeople have stated that recent austerity measures have forced the government to narrow the scope of its R&D priorities.  Despite any such rearranging of priorities, AI remains an area of considerable focus for United States in the immediate term, along with 5G, quantum computing, and advanced manufacturing.

 

3. Strong IoT Malware Expands its Reach.

An IoT malware program that took down a record number of IoT devices in 2016 is back.  Palo Alto Networks has reported that the malicious program Mirai has been updated to allow it to reach a new generation of devices and even infiltrate enterprise networks.[8]  Mirai can now attack the newest internet-connected devices, such as smart TVs, DVRs, routers, webcams, and presentation systems.

 

The botnet works by attempting to infiltrate IoT devices with exposed Telnet ports by using common default usernames and passwords.[9]  These brute force attacks, if successful, allow the perpetrators to gain access to and control over the targeted device.  The latest Mirai attacks have intentionally sought to infiltrate smart TVs and wireless presentation systems within corporate enterprises, thereby threatening the targeted entities’ network security. [10]  Security researchers have warned companies to take note of the IoT devices on their networks and update their passwords to better protect the devices and make them less susceptible to Mirai.

Password management is an important part of every healthy business enterprise.  Employees and users of internet-connected devices should be prompted to change the passwords they use to access critical devices and protected systems on a regular schedule.  Mirai thrives off of the easily guessable or default passwords.  The threat of these attacks can be mitigated at least somewhat by enforcing healthy password practices within your enterprise.

4. Phone Numbers and Authentication: A Dangerous Game?

Some security experts have lamented businesses’ use of phone numbers to authenticate individuals online.  Beyond the fact that cell phones are regularly lost, SIM swapping attacks can allow fraudsters to take control of a target’s phone number and use it to steal sensitive information and items of value.[11]  Additionally, phone companies contribute to the problem by re-using individuals’ numbers when phone bills are not paid and when users can no longer access their phone accounts.[12]  This practice could be subjecting the original number owners to security risks, because phone numbers are often used by online services to verify individuals’ identities.  Using phone numbers to authenticate users is a fairly common practice, as “countless companies have essentially built their customer authentication around the phone number.”[13]

One way to confront the problems associated with companies’ use of phone numbers to perform verification is to keep track of the sites where you’ve synced your phone number with your account.  That way, if you lose access to your phone number for any reason, you can update your online account with the correct verification information.  This will help to limit exposure in the event any inheritors of your phone number may wish to access your personal information by plugging in your old phone number online.

Congress

 

Tuesday, March 26th:

–Hearings to examine implementing the 21st Century Cures Act, focusing on making electronic health information available to patients and providers. (Senate Committee on Health, Education, Labor, and Pensions)[14]

Wednesday, March 27th:

–No relevant hearings.

Thursday, March 28th:

–No relevant hearings.

 

International Hearings/Meetings

 

            EU –  No relevant hearings.

Conferences, Webinars, and Summits

–Networking Dinner with Philips and Vaiimail – Boston, MA (3/28/2019)

<https://h-isac.org/hisacevents/networking-dinner/>

–InfoSec World 2019 – Lake Buena Vista, FL (4/1/19-4/3/19)

<https://infosecworld.misti.com/>

–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19– 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>

–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019–4/16/2019)

<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>

–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)

<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>

–Peer Sharing ICS Security Workshop – Singapore (4/24/2019)

<https://event.boozallen.com/ICSWorkshopSingapore>

–H-ISAC Cybersecurity Workshop – Huntsville, AL (4/25/19)

<https://h-isac.org/hisacevents/h-isac-workshop-huntsville/>

–H-ISAC Medical Device Security Workshop – Burlington, VT (5/1/19)

<https://h-isac.org/hisacevents/h-isac-md-workshop-vt/>

–2019 H-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>

–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)

<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>

–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)

<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>

–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019)

<https://h-isac.org/hisacevents/h-isac-cybersecurity-workshop-buffalo-ny/>

–Healthcare Cybersecurity Workshop – London, UK (7/10/19)

<https://h-isac.org/hisacevents/workshop-london/>

–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)

<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)

<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)

<https://h-isac.org/hisacevents/health-it-summit-northeast/>

–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)

<https://www.loewshotels.com/coronado-bay-resort>

Sundries –

Critical flaw lets hackers control lifesaving devices implanted inside patients

<https://arstechnica.com/information-technology/2019/03/critical-flaw-lets-hackers-control-lifesaving-devices-implanted-inside-patients/>

2 Million Emails of 350K+ Clients Possibly Exposed in Oregon DHS Data Breach

<https://www.bleepingcomputer.com/news/security/2-million-emails-of-350k-clients-possibly-exposed-in-oregon-dhs-data-breach/>

A blind spot for medical AI

<https://www.axios.com/medical-ai-vulnerability-adversarial-attack-b0d79abc-335e-4bd3-b706-d587c7c44978.html>

Here’s What It’s Like To Accidentally Expose The Data Of 230m People

<https://www.wired.com/story/exactis-data-leak-fallout/>

Facebook: hundreds of millions of passwords were stored in plaintext on internal networks

<https://www.cyberscoop.com/facebook-passwords-stored-improperly/>

Most Android Antivirus Apps Are Garbage

<https://www.wired.com/story/android-antivirus-apps-bad-fake/>

Contact us: follow @HealthISAC, and email at contact@h-isac.org

[1] https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/

[2] https://www.bleepingcomputer.com/news/security/fake-cdc-emails-warning-of-flu-pandemic-push-ransomware/

[3] https://www.informationsecuritybuzz.com/expert-comments/fake-cdc-emails-warning-of-flu-pandemic-push-ransomware/

[4] https://www.nextgov.com/emerging-tech/2019/03/white-house-launches-aigov/155668/

[5] https://www.whitehouse.gov/presidential-actions/executive-order-maintaining-american-leadership-artificial-intelligence/

[6] https://www.geekwire.com/2019/white-house-starts-flesh-ai-research-plan-raises-profile-ai-gov/

[7] https://www.nextgov.com/emerging-tech/2019/03/trumps-2020-budget-would-cut-non-defense-rd-10-billion/155645/

[8] https://arstechnica.com/information-technology/2019/03/mirai-botnet-aims-to-wrap-its-tentacles-around-a-new-crop-of-iot-devices/

[9] https://www.csoonline.com/article/3126924/here-are-the-61-passwords-that-powered-the-mirai-iot-botnet.html

[10] https://www.techradar.com/news/mirai-botnet-returns-to-target-iot-devices

[11] https://www.wired.com/story/sim-swap-attack-defend-phone/

[12] https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/

[13] Ibid.

[14] https://www.help.senate.gov/hearings/implementing-the-21st-century-cures-act-making-electronic-health-information-available-to-patients-and-providers