Stopping Threat Actors from Gaining Initial Access

The recent Trustwave SpiderLabs report, Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape, offers a detailed look at the typical attack flow used in a variety of cyberattacks.

The attack flow discussed in the report focused on what a healthcare organization might face, but for the most part, attack flows stay the same regardless of the vertical being attacked. The key takeaway is the best way for an organization to stay safe is to stop the attack at this initial point.

So, let's take a look at how that can be done by drawing insights from the Trustwave SpiderLabs team. Although the details may differ in each breach or compromise, a specific sequence of events generally unfolds, starting from the initial security bypass to escalation, compromise, persistence within the network, and finally, the exfiltration or destruction of valuable data.

Additionally, we will provide actionable mitigations for organizations to implement, ensuring they can take proactive measures at each stage of the attack flow.

These recommended mitigations aim to minimize the potential risks of financial loss, damage to reputation, regulatory penalties, or physical harm that a healthcare organization may face. The typical sequence of events unfolds as follows:

What is an Initial Foothold?

This step is exactly what it sounds like, describing the time and place the attacker successfully triggers a security bypass that allows them to expand their access to suit their motives and goals. This initial foothold can take various forms, ranging from successful phishing attacks to vulnerability exploitation or even logging into public-facing systems using previously acquired credentials.

Phishing emails are by far the most prevalent way of initiating an attack. The FBI's 2022 Internet Crime Report noted that 300,500 phishing attacks were reported last year, costing victims $52 million in losses. Phishing avoids having to find vulnerabilities in the software or systems on the network and instead goes after the weakest link: the individuals operating the keyboard.

An attacker typically has one of several goals when conducting a phishing attack. Credential theft is often top of mind: the email includes an "invoice" from a customer with a link, and when the link is clicked, it prompts the user for their password before "access is granted to the document." In other instances, the threat actor wants to deliver malware via PowerShell scripts, JavaScript, or macros. In still others, the ultimate goal is to trigger a specific action, such as a money wire transfer.

Attackers accomplish this task by crafting a persuasive and time-sensitive email to convince the recipient to perform an action, like clicking on a malicious link or opening a malicious attachment or following instructions to transfer funds to a purported "stranded CEO."

The attachments used in a phishing attack vary, but in the past year, those most commonly used were:

  • Document files with macros
  • OneNote Attachments with embedded links (Trustwave SpiderLabs research here and here)
  • HTML attachments, which deliver or redirect to credential phishing sites or employ HTML smuggling to hide malware (Trustwave SpiderLabs research here and here)
  • PDFs with embedded URL links

The Trustwave SpiderLabs Email Security team is dedicated to monitoring email-based threats, including opportunistic phishing, targeted/spear-phishing, and Business Email Compromise (BEC). Over the last year, our team identified Emotet and Qakbot as the most common malware families among phishing attacks targeting healthcare organizations.
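The attachment types listed above are the ones a mail gateway or SOC analyst should be triaging first. The following is an added example, not Trustwave code or part of the original post: it parses an RFC 822 message with Python's standard library and flags macro-enabled Office documents, OneNote files, HTML attachments (with a simple HTML-smuggling heuristic), and PDFs carrying URLs. The sample message, its sender and recipient domains, and the attachment payloads are all constructed for the example.

```python
"""Triage e-mail attachments by the risk categories described above.

Added example, not Trustwave code. The sample message below is constructed;
the heuristics are deliberately simple and meant as a starting point.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Office uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Legacy binary formats can carry VBA without a distinct extension.
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}
HTML_EXTENSIONS = {".html", ".htm", ".shtml"}
ONENOTE_EXTENSIONS = {".one"}

URL_RE = re.compile(rb"""https?://[^\s<>)"']+""", re.IGNORECASE)
# In the OOXML container, VBA macros live in a part named vbaProject.bin.
VBA_MARKER = b"vbaProject.bin"
# A large inline base64 blob or atob() call in an HTML attachment is a
# common HTML-smuggling tell (payload is assembled client-side).
SMUGGLING_RE = re.compile(rb"base64,[A-Za-z0-9+/=]{200,}")


def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the risk flags for one attachment (empty list = nothing noted)."""
    flags: list[str] = []
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in MACRO_EXTENSIONS or VBA_MARKER in payload:
        flags.append("office-macro")
    elif ext in LEGACY_OFFICE_EXTENSIONS:
        flags.append("legacy-office-may-contain-macro")
    if ext in ONENOTE_EXTENSIONS:
        flags.append("onenote")
    if ext in HTML_EXTENSIONS:
        flags.append("html-attachment")
        if b"atob(" in payload or SMUGGLING_RE.search(payload):
            flags.append("html-smuggling-indicator")
    if ext == ".pdf" and URL_RE.search(payload):
        flags.append("pdf-with-url")
    return flags


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw RFC 822 message to its flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        results[filename] = classify_attachment(filename, payload)
    return results


def build_sample_message() -> bytes:
    """Constructed test message with four attachments (not a real phishing sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice overdue - action required today"
    msg.set_content("Please see the attached invoice.")
    # Fake OOXML bytes containing the VBA part name (constructed, not a real file).
    msg.add_attachment(b"PK\x03\x04 word/vbaProject.bin", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(b"<html><script>var p=atob('QUJD');</script></html>",
                       maintype="text", subtype="html", filename="statement.html")
    msg.add_attachment(b"%PDF-1.4 /URI (https://login.example.invalid/verify) ",
                       maintype="application", subtype="pdf", filename="remittance.pdf")
    msg.add_attachment(b"plain text", maintype="text", subtype="plain",
                       filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, flags in triage_message(build_sample_message()).items():
        print(f"{name}: {flags or 'no flags'}")
```

Each flag maps to one of the carriers the post names, so the output can feed a quarantine rule or an analyst queue directly. The heuristics are intentionally conservative; a production gateway would also unpack archives and inspect the OOXML ZIP structure rather than string-matching the container.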

Using a Valid Account to Gain Entry

The easiest way to gain access is to have the correct credentials. There are a variety of methods an attacker can use to accomplish this task. They search for old, unchanged, or unsecured passwords, use a brute force attack to break simple passwords, discover passwords stored in plaintext, or just reach into their wallet and buy the credentials on a Dark Web forum.

SpiderLabs analysts often encounter administrative accounts that have passwords that are more than a year old. Remember, the longer a password remains unchanged, the greater the chance those credentials may be exposed, compromised, or targeted by brute-force attacks. When conducting investigations for our healthcare clients, we discovered that 30% of our findings were connected to legitimate accounts.

Sadly, many organizations make it easy for threat groups to gain access.

Trustwave's Threat Hunt team finds login credentials stored in an unsecured fashion, such as in plaintext files, in scripts, or in custom applications that pass credentials in cleartext, in 22% of engagements.
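Plaintext credentials in scripts and configuration files are something a defender can hunt for before an attacker does. The following is an added example, not Trustwave's threat-hunting tooling: it applies a few regular expressions for the patterns such hunts typically surface (password assignments in scripts, connection strings with embedded passwords, and URLs carrying `user:password@`), skips values that are clearly variable references rather than secrets, and reports file, line number, and a masked value so findings can be triaged without re-exposing the secret. The sample file contents, hostnames, and passwords are constructed.

```python
"""Scan script and configuration text for credentials stored in plaintext.

Added example, not Trustwave tooling. SAMPLE_FILES is constructed input.
"""
from __future__ import annotations

import re

# Checked in this order so the most specific pattern names the finding.
PATTERNS = {
    # scheme://user:password@host
    "url-credentials": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@"),
    # ...;password=value;... as used in JDBC/ODBC connection strings
    "connection-string": re.compile(r"(?i)\bpassword=([^;\s]+)"),
    # password = 'value', pwd: value, secret=value, api_key=value
    "assignment": re.compile(
        r"""(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key)\s*[=:]\s*["']?([^"'\s;]{4,})"""
    ),
}

# Values that reference a variable or template rather than holding a secret.
PLACEHOLDER = re.compile(r"^(\$|%|\{\{|<|\*{3,})")


def mask(value: str) -> str:
    """Keep two leading characters so a finding is recognisable but not reusable."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per line that appears to hold a plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)
            if PLACEHOLDER.match(value):
                continue
            findings.append({"file": path, "line": lineno,
                             "kind": kind, "masked": mask(value)})
            break  # one finding per line is enough for triage
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> file contents (read from disk in real use)."""
    out: list[dict] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample files: a backup script, a Java properties file, and a
# deploy script that mixes a vault reference (fine) with a URL credential (not).
SAMPLE_FILES = {
    "backup.ps1": (
        "$cred = 'svc_backup'\n"
        "$password = 'Winter2023!'\n"
        "Invoke-Backup -User $cred -Password $password\n"
    ),
    "app.properties": (
        "db.url=jdbc:sqlserver://db01;user=app;password=Sup3rS3cret;\n"
        "log.level=INFO\n"
    ),
    "deploy.sh": (
        "export PASSWORD=${VAULT_PASSWORD}\n"
        "curl https://deploy:Tr0ub4dor@repo.internal.invalid/api\n"
    ),
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['masked']}")
```

The placeholder check matters in practice: a line such as `export PASSWORD=${VAULT_PASSWORD}` is the correct pattern (the secret lives in a vault) and should not generate noise, while a literal in the same position should. Run the scanner over script shares, configuration repositories, and scheduled-task directories, and treat every hit as both a finding to remediate and a credential to rotate.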

Lax password management policies in organizations, healthcare and others, also help open the door for an attacker. SpiderLabs found brute forcing passwords, trying combinations until one works, was among the most common methods of gaining access. Organizations simplify this task for attackers by allowing their workers to use extremely simple passwords, like "Password123."

An even more egregious mistake is not changing default admin passwords. When an organization adds a new piece of equipment or software, it often comes with a preset password that is supposed to be changed immediately, but this step is often overlooked. Default admin credentials are generally well known, and there are even repositories of them a quick Internet search away, making it a simple matter for any threat actor to find them.

Webshells are also often used. A webshell is typically inserted into a compromised webserver to provide persistent access, and access through existing webshells is also sold on Dark Web markets, sometimes for the low, low price of $160. In one such listing, for that small expenditure the seller promised access to the organization's Active Directory with Local Admin privileges.

Vulnerabilities and Supply Chain as Access Points

Exploiting vulnerabilities in an organization's systems is another threat vector, with attackers exploiting issues like Apache Log4j (CVE-2021-44228). Attackers prefer to use vulnerabilities specific to their target. For example, the danger is greater in the healthcare sector because it relies on custom applications designed for healthcare organizations that often lack adequate security testing and code auditing, leading to undiscovered vulnerabilities. The healthcare industry also typically has a higher number of connected physical devices, such as heart monitors and imaging hardware, which often prioritize functionality over software security.

Healthcare organizations are often hesitant to implement changes quickly due to concerns about compliance with oversight agencies and compatibility issues with existing software and hardware. Additionally, their focus on patient safety and avoiding unexpected disruptions, like system crashes, leads healthcare organizations to be more cautious about adopting software patches or making changes that could jeopardize patient care.

Supply chain attacks are also on the rise. In these cases, instead of directly targeting multiple major organizations, attackers focus on trusted third-party partners frequently used by these entities. This approach, known as "the Domino Risk," aims to bring down one domino, triggering a chain reaction that impacts multiple others.

Given the increasing prevalence of this strategy and the alarming compromise incidents frequently making headlines (think SolarWinds), the return on investment for this type of attack is substantial.

As we have seen, attackers have a myriad of methods at their disposal to gain entry, but the good news is that organizations, either on their own or in conjunction with a trusted partner, can block an attack before it gets started.

Initial Foothold Mitigation Efforts:

  • Train staff to be aware of suspicious emails and then test to ensure the lessons are learned. Utilize an email security solution like MailMarshal.
  • Regularly rotate passwords (e.g., every quarter) to mitigate issues related to valid accounts.
  • Implement password complexity requirements to enhance security.
  • Enable multi-factor authentication (MFA) to provide an additional layer of protection for accounts.
  • Securely store credentials in programs like KeePass to prevent credential abuse.
  • Promptly patch critical vulnerable systems.
  • Disable Internet access for servers that do not require it.
  • To the best of your ability, ensure suppliers are using proper cybersecurity procedures.
  • Recognize that the security of the ecosystem is dependent on the strength of its weakest link.
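The credential-related items in that list (quarterly rotation, complexity requirements, MFA) are easy to state and easy to let slip, so they are worth checking mechanically. The following is an added example and not part of the original post or any Trustwave product: it audits a set of account records for password age beyond 90 days (the "every quarter" rule above), passwords set to never expire, and missing MFA, and it also checks a candidate password against a complexity policy that rejects trivial choices such as "Password123". The account records, usernames, and dates are constructed; the 14-character minimum and the small weak-password list are assumptions chosen for the example, not figures from the post.

```python
"""Audit accounts against the credential mitigations listed above.

Added example, not Trustwave code. SAMPLE_ACCOUNTS and TODAY are constructed;
MIN_LENGTH and COMMON_WEAK are assumed policy values for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # rotate every quarter
MIN_LENGTH = 14                          # assumed policy value
# Assumed short deny-list; real deployments use a breached-password service.
COMMON_WEAK = {"password", "password123", "welcome1", "admin", "changeme"}
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enabled: bool
    password_last_set: date
    password_never_expires: bool = False


def password_policy_violations(candidate: str) -> list[str]:
    """Reasons a proposed password fails the complexity policy (empty = accepted)."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    classes = sum(bool(re.search(p, candidate)) for p in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("fewer than 3 character classes")
    # Catches "Password123"-style choices regardless of trailing digits/punctuation.
    if candidate.lower() in COMMON_WEAK or re.fullmatch(r"(?i)password\d*[!.]?", candidate):
        problems.append("common weak password")
    return problems


def audit_accounts(accounts: list[Account], today: date) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for every mitigation the account misses."""
    findings: list[tuple[str, str]] = []
    for a in accounts:
        age = today - a.password_last_set
        if age > MAX_PASSWORD_AGE:
            findings.append((a.username,
                             f"password age {age.days} days exceeds {MAX_PASSWORD_AGE.days}"))
        if a.password_never_expires:
            findings.append((a.username, "password set to never expire"))
        if not a.mfa_enabled:
            suffix = " on admin account" if a.is_admin else ""
            findings.append((a.username, "MFA disabled" + suffix))
    return findings


# Constructed records: a compliant user, a stale service account, and an
# admin account without MFA whose password is over a year old.
SAMPLE_ACCOUNTS = [
    Account("jdoe", False, True, date(2024, 3, 1)),
    Account("svc_backup", False, False, date(2022, 11, 15), password_never_expires=True),
    Account("admin", True, False, date(2023, 1, 10)),
]
TODAY = date(2024, 5, 1)


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
    print("Password123 ->", password_policy_violations("Password123"))
```

In a real environment the account list would come from the directory (for Active Directory, the `pwdLastSet` and `userAccountControl` attributes carry the age and never-expires data), and the audit would run on a schedule so that a service account quietly exempted from rotation, the case the post describes, surfaces before an attacker finds it.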
