
Demand, Sale of Backdoor Access to Healthcare Networks Spiked in 2020

The number of hackers obtaining and selling backdoor access to healthcare networks on the dark web drastically increased in 2020 amid COVID-19.


By Jessica Davis

Demand for backdoor access to healthcare networks drastically increased last year, as did the number of hackers gaining and selling backdoor access on the dark web, according to CTIL research.

Hackers called Initial Access Brokers (IABs) first gain access into a victim’s network through several means, with Remote Desktop Protocol (RDP) as the most common entry point. RDP can be compromised through a mix of open-source reconnaissance of email formats and credential-stuffing attacks to find passwords without alerting network administrators.

Once entry is gained, it’s then sold online to the highest bidder. The IABs will most frequently sell access to ransomware groups through the dark web and other cybercriminal forums.

In total, the number of IABs selling access to healthcare and other lifesaving entities has more than doubled in the last year. The rise and proliferation of dark markets and supply chains have contributed to the ease with which hackers can gain access to healthcare entities.

The CTI League’s CTIL Dark is made up of security researchers and law enforcement personnel who monitor various cybercriminal underground networks for signs of data breaches, targeted attacks, and other cybercriminal activity that could impact healthcare or general public health.

The report breaks down the team’s findings to shed light on risks posed amid the global response to COVID-19. Overall, the attacks impacted more than 100 entities.

In 2020, five key ransomware variants affected the healthcare sector: Maze, Conti, Netwalker, REvil, and Ryuk. Maze recently disbanded and reformed as Egregor, which is actively extorting private sector entities.

Threat actors have heavily targeted healthcare with ransomware given their susceptibility and prominence amid the pandemic. Nearly two-thirds of overall healthcare cybercrime victims were in North America and Europe.

Previous Emsisoft data confirmed that at least 560 healthcare provider organizations fell victim to ransomware in 2020.

CTIL Dark predicts that ransomware attacks on the healthcare sector will only continue to thrive this year, as these entities are particularly vulnerable during the pandemic. Hackers will also continue to leak, trade, and sell databases containing protected health information stolen in these attacks.

As Coveware data shows, data exfiltration now occurs in 70 percent of all ransomware attacks. Worryingly, the data of multiple healthcare-related entities has been leaked online in the last few weeks, with some entities never receiving a ransom demand prior to the leaks.

Ransomware hacking groups have become one of the most well-funded and fastest-growing cybersecurity threats, with attacks becoming more targeted, extensive, and coordinated.

Perimeter vulnerabilities were the most common entry point in healthcare-related cases examined by CTIL Dark. Attackers exploited unpatched vulnerabilities and weak, reused, or default passwords in remote connection systems, such as remote desktop protocol (RDP).
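The article describes the IAB entry pattern twice: credential-stuffing against exposed RDP that avoids alerting administrators, and weak, reused or default passwords on remote connection systems. What a defender can do about the first half is look for the shape of that activity in logon telemetry. The following is an added detection example, not code from the article or from CTIL. It assumes a simplified, constructed log format of one event per line (timestamp, Windows event ID, logon type, account, source IP); the event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values, but the sample lines themselves are invented. It flags a source that fails logons against many distinct accounts in a short window, the signature of stuffing or spraying rather than one user mistyping a password, and then checks whether that same source later logged in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). Format per line:
# <ISO timestamp> <event ID> <logon type> <account> <source IP>
SAMPLE_LOG = """\
2020-11-03T02:14:01 4625 10 j.smith 203.0.113.7
2020-11-03T02:14:03 4625 10 a.jones 203.0.113.7
2020-11-03T02:14:05 4625 10 m.lee 203.0.113.7
2020-11-03T02:14:08 4625 10 r.patel 203.0.113.7
2020-11-03T02:14:10 4625 10 k.nguyen 203.0.113.7
2020-11-03T02:14:12 4625 10 d.brown 203.0.113.7
2020-11-03T02:15:30 4624 10 a.jones 203.0.113.7
2020-11-03T09:00:00 4625 10 j.smith 198.51.100.20
2020-11-03T09:00:20 4625 10 j.smith 198.51.100.20
2020-11-03T09:01:00 4624 10 j.smith 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / RDP)


def parse_events(text):
    """Parse the simplified log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, account, src_ip = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src_ip": src_ip,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: set(accounts)} for sources whose failed RDP logons hit at
    least `min_accounts` distinct accounts within any span of `window` length.
    Many accounts with few attempts each is the stuffing/spraying shape; it stays
    under per-account lockout thresholds, which is why the article notes it
    avoids alerting administrators."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            failures[e["src_ip"]].append(e)

    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged


def successes_after_spray(events, flagged):
    """Return [(src_ip, account)] for successful RDP logons from a flagged source:
    the pattern of a guessed credential landing, which is the highest-priority
    alert because it means access now exists to be used or sold."""
    hits = []
    for e in events:
        if (e["event_id"] == SUCCESS_LOGON and e["logon_type"] == RDP_LOGON_TYPE
                and e["src_ip"] in flagged):
            hits.append((e["src_ip"], e["account"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprayers = detect_password_spray(evs)
    for ip, accounts in sprayers.items():
        print(f"spray source {ip}: {len(accounts)} distinct accounts tried")
    for ip, account in successes_after_spray(evs, sprayers):
        print(f"ALERT: successful RDP logon for {account} from spray source {ip}")
```

The single-account failures from 198.51.100.20 are deliberately not flagged: two wrong passwords followed by a success is what a legitimate user looks like, and alerting on it would bury the real signal. In production the thresholds belong in configuration, and the same logic applies to VPN and OWA logs once the parser is swapped for the real event source.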

“Cybersecurity issues that delay, degrade, or deny access to patient care can be deadly. Although no deaths have been conclusively linked solely to ransomware, its impacts can impact patient care,” researchers explained.

“In 2020, the CTI League learned of a cancer center ransomware victim where staff and patients had to try rebuilding treatment regimen from memory,” they continued. “Diagnostic imaging techniques greatly improve outcomes in cases such as strokes and trauma, so loss of these systems from ransomware denies these benefits.”

Meanwhile, evidence of ‘Disinformation as a Service’ (DaaS) and critical elements of disinformation also escalated in the last year. As fears around the pandemic heightened, hackers grew bolder in their attempts.

“Threat groups will continue to leverage underground message boards and other Chan forums as a way to test out different COVID-themed conspiracies before launching their surface web disinformation campaigns,” researchers explained.

“Phishing from targeted and opportunistic threat actors and from scammers will adapt to emerging COVID-themed trends to exploit target fear and curiosity,” they added.

The report follows previous data from federal agencies and security researchers that warn healthcare will remain in hackers’ crosshairs into the foreseeable future.

As such, it’s imperative entities review cybersecurity insights from the Department of Health and Human Services and Microsoft to ensure they have the right processes, policies, and tech in place to defend against and respond to ransomware attacks. A recent FBI factsheet can also shed light on the most prevalent threats.