Sophisticated malware threats that appear to be leveraging stolen administrative credentials may affect numerous industries, including healthcare, according to a recent National Cybersecurity and Communications Integration Center (NCCIC) warning.
NCCIC said the campaign has been happening since at least May 2016, and uses multiple malware implants.
“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments,” NCCIC stated on its website. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”
Several IT service providers continue to be affected by the malware campaign, the agency explained. IT service providers typically utilize a common core infrastructure “that should be logically isolated to support multiple clients.”
Once a malicious user has gained access to credentials, that user could potentially gain access to customer environments within the provider network.
“User impersonation via compromised credentials is the primary mechanism used by the adversary,” NCCIC stated. “However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines.”
“In some instances, the malware has only been found within memory with no on-disk evidence available for examination.”
Some of the deployed malware families and variants are not currently detected by anti-virus signatures, NCCIC warned. The observed malware is based on existing malware code, but it has been modified to become more effective and avoid detection.
IT service providers should evaluate their infrastructure to see if related malicious activity has occurred, NCCIC urged. This includes actively monitoring network traffic for the indicators of compromise (IOCs), performing behavior analysis for similar activity, and performing frequency analysis “to determine any unusual fluctuation in bandwidth indicative of a potential data exfiltration.”
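The frequency analysis NCCIC describes can be approximated by baselining each host's daily outbound volume and flagging days that deviate sharply. The following is an added example, not code from the advisory or the article; the flow records are constructed, and the host names, window size and threshold are assumptions.

```python
"""Flag per-host bandwidth fluctuations suggestive of data exfiltration.

Each record is (day, source host, bytes sent to external destinations), the
kind of summary a NetFlow/IPFIX collector or egress proxy would produce.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: a staging/relay host that suddenly pushes ~10x its
# normal volume, and a workstation whose traffic stays within its baseline.
FLOWS = [
    ("2016-05-01", "relay-01", 1_000_000), ("2016-05-01", "ws-07", 500_000),
    ("2016-05-02", "relay-01", 1_100_000), ("2016-05-02", "ws-07", 500_000),
    ("2016-05-03", "relay-01", 900_000),   ("2016-05-03", "ws-07", 500_000),
    ("2016-05-04", "relay-01", 1_000_000), ("2016-05-04", "ws-07", 500_000),
    ("2016-05-05", "relay-01", 1_000_000), ("2016-05-05", "ws-07", 500_000),
    ("2016-05-06", "relay-01", 9_500_000), ("2016-05-06", "ws-07", 550_000),
]


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_anomalies(flows, baseline_days=5, threshold=3.0):
    """Compare each day's egress against the preceding baseline window.

    Returns a list of (host, day, bytes, z_score) for days whose volume
    exceeds the baseline mean by at least `threshold` standard deviations.
    """
    alerts = []
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        for i in range(baseline_days, len(days)):
            window = [per_day[d] for d in days[i - baseline_days:i]]
            mu, sigma = mean(window), pstdev(window)
            # Floor sigma at 5% of the mean so a perfectly flat baseline
            # (sigma == 0) does not turn every small change into an alert.
            sigma = max(sigma, 0.05 * mu)
            z = (per_day[days[i]] - mu) / sigma
            if z >= threshold:
                alerts.append((host, days[i], per_day[days[i]], round(z, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(FLOWS):
        print("anomalous egress:", alert)
```

Only relay-01 on 2016-05-06 is reported; ws-07's 10% increase stays below the threshold because the sigma floor keeps a flat baseline from being over-sensitive.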
Private organizations and government agencies should also include the IOCs provided in their normal intrusion detection systems, according to NCCIC.
“Organizations which leverage external IT service providers should validate with their providers that due diligence is being conducted to validate if there are security concerns with their specific provider,” the warning explained.
A layered mitigation approach, also known as defense-in-depth, is the best way to defend against potential network attacks, NCCIC advised.
“There is no single or set of defensive techniques or programs that will completely avert all malicious activities,” NCCIC maintained. “Multiple defensive techniques and programs should be adopted and implemented in a layered approach to provide a complex barrier to entry, increase the likelihood of detection, and decrease the likelihood of a successful compromise.”
NCCIC also made the following best practices recommendations for organizations to protect against potential malware threats:
- Implement a vulnerability assessment and remediation program.
- Encrypt all sensitive data in transit and at rest.
- Create an insider threat program.
- Assign additional personnel to review logging and alerting data.
- Complete an independent security (not compliance) audit.
- Create an information sharing program.
- Complete and maintain network and system documentation to aid in timely incident response, including:
  - network diagrams,
  - asset owners,
  - type of asset, and
  - an up-to-date incident response plan.
Healthcare organizations can take note of numerous US-CERT guidelines to improve their PHI security measures and overall network security.
OCR’s April cybersecurity newsletter cited US-CERT recommendations as key points for healthcare when it comes to implementing end-to-end connection security on internet transactions using Secure Hypertext Transport Protocol (HTTPS).
These security measures are typically used against man-in-the-middle (MITM) attacks, which are commonly used to inject malicious code, intercept or expose sensitive information, and modify trusted information.
“HTTPS interception products…work by intercepting the HTTPS network traffic and decrypting it, reviewing it, then re-encrypting it,” OCR stated. “To do so, HTTPS interception products must install trusted certificates on client devices to perform the HTTPS inspection without presenting warnings.”
US-CERT recommends the following approaches to help reduce MITM attack vulnerability:
- Update Transport Layer Security and Secure Socket Layer (TLS/SSL)
- Utilize Certificate Pinning
- Implement DNS-based Authentication of Named Entities (DANE)
- Use Network Notary Servers
However, OCR also noted that poorly implementing HTTPS interception products could actually reduce end-to-end security and even introduce new vulnerabilities.