IBM Security 2020 Report Reveals 10% Increase in Cost of Healthcare Data Breaches

IBM Security has released its 2020 Cost of a Data Breach Report, which shows a 1.5% decrease in the global average cost of a data breach, from $3.92 million in 2019 to $3.86 million per breach.

Costs varied considerably by location and industry. Companies in the U.S. had the highest data breach costs, with an average breach costing $8.64 million, up 5.5% from 2019.

COVID-19 Expected to Increase the Cost of a Data Breach

This is the 15th year IBM Security has produced the report. The research was conducted by the Ponemon Institute and draws on data from 524 breached companies and interviews with 3,200 people across 17 countries and regions and 17 industry sectors. Research for the report was carried out between August 2019 and April 2020.

Most of the research was completed before the COVID-19 crisis, which is likely to affect data breach costs. To assess how COVID-19 will affect the cost of a data breach, the Ponemon Institute re-contacted study participants to ask for their views. 76% of survey respondents believed the increase in remote work would lengthen the time needed to identify and contain a data breach, and 70% said remote working could increase the cost of a data breach. The average cost increase attributable to COVID-19 was calculated to be $137,000.

Healthcare Data Breaches Are the Most Expensive

Healthcare data breaches were the most expensive to deal with. The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States. While the overall cost of a data breach fell across all countries and industry sectors combined, healthcare data breach costs rose 10.5% year-over-year.

The global average cost per breached record is $146, rising to $150 per record when PII was breached and to $175 per record when PII was breached in a malicious attack.

The average time to identify and contain a breach is 280 days, rising to 315 days for a malicious attack; both figures grew by 1 day from 2019. In the U.S., the average time to identify a data breach is 186 days, with a further 51 days to contain it. The healthcare industry took the longest: 236 days to identify a data breach and 93 days to contain it, for a total of 329 days.

The costs of a data breach are spread over several years: 61% of costs are incurred in the first year, 24% in the second year, and 15% in the third year and beyond. In highly regulated industries such as healthcare, the split was 44% (year 1), 32% (year 2), and 21% (year 3+).

For the third year, IBM Security measured the cost of mega data breaches, those affecting more than 1 million records. A breach affecting 1 million to 10 million records costs $50 million on average, a breach affecting 10 million to 20 million records costs an average of $176 million, and a breach affecting 50 million records costs $392 million.

Most Common Causes of Malicious Data Breaches

  • 19% of breaches were due to malicious attacks, mostly involving compromised credentials and cloud misconfigurations
  • 16% of breaches were due to vulnerabilities in third-party software
  • 14% of breaches were due to phishing
  • 10% were due to physical security compromises
  • 7% were due to malicious insiders
  • 6% were due to system errors and other misconfigurations
  • 5% were due to business email compromise attacks

Breaches involving compromised credentials were the most expensive, followed by breaches resulting from vulnerabilities in third-party software and cloud misconfigurations.

Of all attacks, 53% were financially motivated, 13% were attributed to nation state hacking groups, and 13% to hacktivists; the threat actors behind 21% of breaches were unidentified. Financially motivated attacks were the least costly, at a global average of $4.23 million, and attacks by nation state hackers were the most costly, at an average of $4.43 million. The average cost of a malicious attack was $4.27 million. Destructive breaches involving ransomware cost an average of $4.4 million, and destructive malware such as wipers cost an average of $4.52 million.

In healthcare, 50% of data breaches were due to malicious attacks, 23% to system glitches, and 27% to human error.

Small North Carolina Health Services Provider Agrees to Pay $25,000 to Settle HIPAA Security Rule Violations

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement with Metropolitan Community Health Services to resolve HIPAA Security Rule violations.

Metropolitan Community Health Services, based in Washington, NC, is a Federally Qualified Health Center that delivers integrated medical, behavioral health, dental and pharmacy services to adults and children. Operating as Agape Health Services, Metro offers affordable medical care to underserved people in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves about 3,100 patients a year.

On June 9, 2011, Metropolitan Community Health Services submitted a breach report to OCR concerning a breach of 1,263 patients’ protected health information (PHI). OCR conducted a compliance review to determine whether the breach resulted from noncompliance with the HIPAA Rules and found longstanding, systemic noncompliance with the HIPAA Security Rule.

Before the breach, Metropolitan Community Health Services had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. §164.316, and had not performed an accurate and thorough analysis of the potential risks to the confidentiality, integrity and availability of ePHI, in violation of 45 C.F.R. §164.308(a)(1)(ii)(A). Despite having been in business since 1999, the provider did not give its workforce any HIPAA security awareness training before June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

In deciding on an appropriate settlement, OCR took into account the size of the organization and several other factors. In addition to paying a $25,000 financial penalty to settle the HIPAA violations, Metropolitan Community Health Services agreed to adopt a robust corrective action plan and to implement policies and procedures that meet the standards required by HIPAA. OCR will monitor Metropolitan Community Health Services for compliance with the corrective action plan for two years.

This $25,000 settlement is the second of 2020 in which a HIPAA covered entity has paid to resolve HIPAA violations. The first, in March 2020, was a $100,000 financial penalty paid by Steven A. Porter, M.D. for risk analysis and risk management failures.

The penalty shows that healthcare organizations, large and small, must comply with the HIPAA Rules. As OCR Director Roger Severino noted, when providers are alerted to potential HIPAA violations, they should promptly address the problem areas to protect individuals’ health information.

Russian APT Group Is Targeting Institutions Engaged in COVID-19 Research

The APT29 hacking group, also known as Cozy Bear, is targeting healthcare organizations, pharmaceutical companies, and research organizations in the United Kingdom, United States, and Canada in an attempt to obtain research data on COVID-19 and vaccine development.

On July 16, 2020, the National Security Agency (NSA), Canada’s Communications Security Establishment (CSE), the UK National Cyber Security Centre (NCSC) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory to raise awareness of the threat.

APT29 is a cyber espionage group that almost certainly operates as part of the Russian intelligence services. The group typically targets diplomats, government agencies, think tanks and energy firms to obtain sensitive documents. It has been highly active throughout the COVID-19 pandemic and has conducted a range of attacks on organizations involved in COVID-19 research and vaccine development.

The group performs extensive scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain access to vulnerable networks. It has used exploits for the following vulnerabilities: the FortiGate vulnerability CVE-2019-13379, the Citrix vulnerability CVE-2019-19781, the Zimbra vulnerability CVE-2019-9670 and the Pulse Secure vulnerability CVE-2019-11510. The group may also use other exploits.

APT29 uses a variety of tools to obtain credentials and maintain persistent access to networks, and uses anonymizing services when using stolen credentials. It deploys custom malware, including WellMail and WellMess, two malware families APT29 has not used before.

WellMess is lightweight malware written in Golang or .NET that can execute arbitrary shell commands and upload and download files, and communicates over HTTP, DNS and TLS. WellMail is a lightweight tool that uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers. A third malware family, SoreFang, is also in use. SoreFang is a first-stage downloader that exfiltrates data over HTTP and downloads second-stage malware; the attackers use it to target SangFor devices.

Attacks on organizations involved in COVID-19 research are likely to continue, and any organization engaged in COVID-19 research should consider itself a target. Organizations have been urged to take steps to protect their systems and to monitor for attacks.

Organizations should ensure that all software is patched and up to date, prioritizing patches for CVE-2019-9670, CVE-2019-13379, CVE-2019-11510 and CVE-2019-19781. Antivirus software should be used and kept updated, and regular scans should be performed to detect downloaded malware.

Multi-factor authentication should be implemented to prevent stolen credentials from being used to access networks. All staff should be trained on the phishing threat and should be confident in their ability to recognize a phishing attack. Employees should be told to report any suspected phishing attacks to their security teams, and reports should be investigated promptly and thoroughly.

Organizations have been advised to implement security monitoring to ensure that all essential information is captured to support investigations of network intrusions. Networks should be segmented, and steps should be taken to prevent and detect lateral movement within networks.

States Begin to Make Interim COVID-19 Telehealth Changes Permanent

States announced interim emergency waivers to their telehealth laws shortly after the HHS’ Centers for Medicare and Medicaid Services (CMS) decided to expand access to and coverage of telehealth services in response to the COVID-19 crisis. Healthcare providers and patients have embraced the changes, which improved access to telehealth services to help curb the spread of COVID-19. There have been growing calls to make the changes permanent, and several states, including Colorado, Massachusetts, and Idaho, have taken steps to ensure the changes continue after the COVID-19 public health emergency ends.

On March 16, 2020, the Massachusetts Board of Registration in Medicine (BORIM) adopted a new policy stating that the same standard of care applies to in-person and telehealth consultations and that a face-to-face encounter is not a prerequisite for a telehealth consultation. The policy was introduced on a temporary basis in response to COVID-19, but on June 26, 2020, BORIM made it permanent. This is the first telehealth-focused policy BORIM has adopted, and Massachusetts is one of the first states to act on making its COVID-19 telehealth policies permanent.

At the federal level, there have been growing calls to make expanded access to telehealth services permanent and to continue reimbursement parity for in-person and virtual visits after the COVID-19 national public health emergency ends.

CMS Administrator Seema Verma has voiced support for expanding telehealth services. The Senate Committee on Health, Education, Labor & Pensions (HELP) recently held a hearing on the 30+ temporary changes to federal telehealth policies and subsequently recommended that Congress make some of the changes permanent. There is a widely held view that telehealth can improve patient outcomes, help providers deliver better patient care, and reduce the cost of healthcare delivery.

Two federal policy changes that have attracted substantial support are the relaxation of the Medicare originating site requirements, allowing clinicians to provide telehealth services to all patients regardless of location, and the expansion of the number of telehealth services covered under Medicare.

These and other policy changes have also gained support at the state level, and several other states have already acted to expand telehealth access. This week, Colorado Governor Jared Polis signed a bill that removes health insurers’ requirement that a patient have a pre-existing relationship with a virtual care provider. The law, which applies to Medicaid and state-regulated health plans, also prohibits insurers from imposing additional location, certification, or licensure requirements on providers as a condition of telehealth reimbursement, and removes restrictions on the technology that can be used to provide telehealth services. Audio or video communication solutions need only comply with the HIPAA Security Rule.

Idaho Governor Brad Little has likewise acted to make the COVID-19 changes to telehealth rules permanent, including the state’s temporary telehealth policy waivers that expanded the drugs that can be prescribed in telehealth appointments, broadened the technology that can be used to deliver telehealth services, and allowed out-of-state doctors to provide virtual care to patients.

All states expanded access to telehealth services for Medicaid beneficiaries following the CMS announcement on expanded telehealth access and coverage, and more states are now expected to make their emergency changes permanent. However, health insurers must also make changes and confirm that they will continue to reimburse clinicians for virtual visits at the same rate as in-person visits; otherwise, telehealth access is likely to be scaled back in favor of in-person visits only.

Phishing Attacks in NC and TX Expose 30,000 Patients’ PHI

Choice Health Management Services, based in Claremont, NC, a rehabilitation services provider and owner of several assisted living facilities in North and South Carolina, has suffered an email security breach affecting its employees and current and former patients.

Choice Health discovered the breach in late 2019 when suspicious activity was detected in the email accounts of several employees. An internal investigation confirmed on January 17, 2020 that 17 employees’ email accounts had been accessed without authorization. Since it was not possible to determine which emails and/or attachments the attackers had accessed, a third-party firm was engaged to assist with the investigation. The investigation concluded on March 27, 2020 that the compromised accounts contained sensitive data, but it was unclear which facilities the affected individuals had attended for treatment. It was not until May 12, 2020 that those individuals were matched to a specific facility.

The compromised accounts contained a wide range of sensitive data, including names, Social Security numbers, dates of birth, passport numbers, driver’s license numbers, credit card details, financial account information, employer identification numbers, email addresses and passwords or associated security questions, usernames and passwords or associated security questions, provider names, dates of service, patient numbers, medical record numbers, medical information, diagnosis or treatment information, surgical information, prescribed medications, and/or health insurance information.

Choice Health has mailed notification letters to the affected patients and has strengthened security to prevent future breaches. According to the HHS’ Office for Civil Rights breach portal, 11,650 individuals were affected.

Phishing Attack on Houston Health Clinic Affects 19,000 Patients

Legacy Community Health, a Federally Qualified Health Center in Houston, TX, is notifying around 19,000 patients about the potential unauthorized access of their protected health information (PHI) by an individual who gained access to the email account of one employee.

On April 10, 2020, an employee responded to an email believing it to be a legitimate request and disclosed credentials that gave the attacker access to their email account. Legacy Community Health discovered the breach on April 16, 2020 and promptly secured the account.

With the help of an independent computer forensics firm, Legacy Community Health determined that the breach was limited to a single email account, which was found to contain patient names, dates of service, and medical information related to care provided at its clinics.

The breach investigation is ongoing, and notification letters will be mailed shortly to all individuals whose data was compromised. To date, no evidence has been found to indicate that any patient data was obtained or misused.

Legacy Community Health is taking steps to strengthen email security and has enabled multi-factor authentication on its email accounts. Additional training has also been provided to staff to help them identify and avoid phishing emails.

Magellan Health Ransomware Impacts More Than 364,000 Individuals

The April 2020 ransomware attack on Magellan Health has now been posted on the HHS’ Office for Civil Rights breach portal. Six Magellan entities were affected, and each has reported the incident separately. Several other entities have also submitted breach reports confirming the impact on their patients and plan members.

It is too early to say exactly how many people were affected by the ransomware attack, but as of July 1, 2020, the total exceeds 364,000, making this the third largest healthcare data breach reported in 2020. Some affected entities may not have reported the breach yet.

The entities that have confirmed being affected by the breach are listed below.

  • Magellan Healthcare, Maryland – 50,410 individuals affected
  • Magellan Complete Care of Florida – 76,236 individuals affected
  • Magellan Rx Pharmacy – 33,040 individuals affected
  • Magellan Complete Care of Virginia – 3,568 individuals affected
  • Merit Health Insurance Company – 102,748 individuals affected
  • National Imaging Associates – 22,560 individuals affected
  • University of Florida Jacksonville – 54,002 individuals affected
  • University of Florida, Health Shands – 13,146 individuals affected
  • University of Florida – 9,182 individuals affected
  • Total individuals affected: 364,892

Many of the healthcare ransomware attacks reported in recent weeks involved brute force attacks on remote desktop services or the exploitation of VPN vulnerabilities. This attack was different: it began with a spear phishing email that impersonated a Magellan client. The attacker sent the spear phishing email on April 6 and deployed the ransomware less than a week later.

In the substitute breach notification letter Magellan submitted to the California Attorney General’s Office, it stated that the attacker installed malware designed to steal login credentials and passwords, gained access to one of Magellan’s corporate servers, and stole employee information. The stolen data related to current employees and included addresses, employee ID numbers, and W-2 or 1099 details including Social Security numbers or Taxpayer ID numbers. For some employees, the attacker also obtained usernames and passwords.

The notice of security incident posted on the Magellan Health website confirms that patients of Magellan Health and its subsidiaries and affiliates were also affected. The following types of data were exposed: treatment information, health insurance account details, member IDs, other health-related data, phone numbers, email addresses, and physical addresses. Social Security numbers were also affected in some cases.

The June 12, 2020 website notice does not say whether protected health information (PHI) was stolen in the attack. In all cases, Magellan Health states that it has found no evidence to date of misuse of any patient or employee information.

Lack of Visibility and Poor Access Management Are Major Contributors to Cloud Data Breaches

More businesses are pursuing digital transformation and taking advantage of the flexibility, scalability, and cost savings of public cloud environments. Securing those environments, however, can be a major challenge.

Security has been one of the main issues holding businesses back from using the public cloud. Security teams often feel that securing an on-premises data center is far easier than securing data in public clouds, though many are finding that public clouds can be secured just as easily.

Public cloud providers now offer a variety of security tools to help businesses protect their cloud environments. While these offerings can certainly make cloud security more straightforward, organizations must still ensure that their cloud services are configured correctly, that identities and access rights are properly managed, and that they have full visibility into all of their cloud workloads.

Cloud security vendor Ermetic recently commissioned IDC to survey CISOs about the challenges of cloud security and how well companies are protecting their public clouds. More than 300 CISOs and IT decision makers responded.

79% of respondents said they had experienced a cloud data breach in the past 18 months, and 43% said they had experienced 10 or more cloud data breaches in that period, a clear sign of how much difficulty companies are having securing their public cloud environments.

Asked about the biggest security risks, respondents answered as follows:

  • 67% were concerned about security misconfigurations
  • 64% said insufficient visibility into access settings and activity was a key factor contributing to cloud data breaches
  • 61% said access management and permission errors were a major breach risk

The complexity of public cloud environments makes them hard to secure. The flexibility of the cloud means it is easy to provision more resources on demand, but cloud deployments often turn into a tangle of interconnected devices, users, applications, services, and containers. Without full visibility into their public cloud environments, companies cannot be sure that permissions are correct and that the principle of least privilege is being applied.

Creating and managing access policies is a major hurdle. Access policies need to be changed frequently, yet 80% of respondents said they could not adequately manage increased data access for IaaS and PaaS. Excessive permissions are commonly abused by cybercriminals for data theft, data deletion, and deploying malware or ransomware.

Ermetic noted that most high-profile cybersecurity incidents in recent years resulted from customers failing to configure their cloud environments correctly or granting excessive or incorrect access permissions to cloud services, rather than from the cloud provider failing to meet its obligations.

Asked about their main cloud security concerns, respondents answered as follows:

  • 78% cited compliance monitoring
  • 75% cited authorization and permission management
  • 73% cited security configuration management

71% of respondents said detecting excessive permissions was one of their biggest challenges, yet only 20% said they could identify cases where employees had been granted excessive permissions.

The survey confirmed that excessive permissions are a significant problem in healthcare: 31.25% of healthcare organizations said they had identified a case where employees had been granted excessive permissions.

There have been many cases of security misconfigurations exposing sensitive data, with misconfigured Elasticsearch instances and AWS S3 buckets a common cause of data breaches, but it is equally important to ensure that identities and permissions are managed correctly.

Ensuring that users, applications, and services have access only to the cloud data and resources they legitimately need was reported by survey respondents as the biggest cloud data protection challenge.
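One practical way to find the excessive permissions the survey describes is to compare what an identity is granted against what it has actually used over a review window. The script below is an added example, not code from the article, Ermetic or IDC; the IAM-style policy and the CloudTrail-like activity records are constructed sample data, and the policy format is simplified (one principal, Allow statements only).

```python
"""Least-privilege gap check: granted versus actually used cloud permissions.

Added example with constructed data. Action names follow AWS conventions
but the policy structure is simplified for illustration.
"""
import fnmatch
from collections import defaultdict

# Constructed sample: an IAM-style policy attached to a service identity.
SAMPLE_POLICY = {
    "Principal": "svc-reporting",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::phi-reports/*"},
        # Wildcard grant: a classic source of excessive permissions.
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:DeleteObject"],
         "Resource": "arn:aws:s3:::phi-reports/*"},
    ],
}

# Constructed sample: CloudTrail-like activity records over the review window.
SAMPLE_ACTIVITY = [
    {"principal": "svc-reporting", "event": "s3:GetObject"},
    {"principal": "svc-reporting", "event": "s3:GetObject"},
    {"principal": "svc-reporting", "event": "s3:ListBucket"},
    {"principal": "svc-reporting", "event": "iam:ListRoles"},
    {"principal": "other-user", "event": "s3:DeleteObject"},  # different identity
]

# Action families that deserve review even when they are in use.
HIGH_IMPACT_PREFIXES = ("iam:", "s3:Delete", "kms:")


def granted_actions(policy):
    """Return the set of action patterns the policy explicitly allows."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        if isinstance(acts, str):
            acts = [acts]
        actions.update(acts)
    return actions


def used_actions(activity, principal):
    """Count how often the principal invoked each distinct action."""
    counts = defaultdict(int)
    for rec in activity:
        if rec["principal"] == principal:
            counts[rec["event"]] += 1
    return dict(counts)


def analyze(policy, activity):
    """Flag granted patterns that were never exercised, wildcard grants,
    and high-impact actions that are actually in use."""
    granted = granted_actions(policy)
    used = used_actions(activity, policy["Principal"])
    unused, wildcards = set(), set()
    for pattern in granted:
        if "*" in pattern:
            wildcards.add(pattern)
        # A pattern counts as used if any invoked action matches it.
        if not any(fnmatch.fnmatchcase(a, pattern) for a in used):
            unused.add(pattern)
    high_impact_used = {a for a in used if a.startswith(HIGH_IMPACT_PREFIXES)}
    return {"used": used, "unused": unused, "wildcards": wildcards,
            "high_impact_used": high_impact_used}


def least_privilege_actions(policy, activity):
    """Propose a tightened action list: each granted pattern is replaced by the
    concrete actions it was actually used for; unexercised patterns are dropped."""
    used = used_actions(activity, policy["Principal"])
    keep = set()
    for pattern in granted_actions(policy):
        keep.update(a for a in used if fnmatch.fnmatchcase(a, pattern))
    return sorted(keep)


if __name__ == "__main__":
    report = analyze(SAMPLE_POLICY, SAMPLE_ACTIVITY)
    print("used:            ", report["used"])
    print("never used:      ", sorted(report["unused"]))
    print("wildcard grants: ", sorted(report["wildcards"]))
    print("high-impact used:", sorted(report["high_impact_used"]))
    print("proposed actions:", least_privilege_actions(SAMPLE_POLICY, SAMPLE_ACTIVITY))
```

On the sample data the check reports `s3:DeleteObject` as never used, `iam:*` as a wildcard grant, and proposes replacing the policy's actions with just the three actions the identity exercised.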

Software Error in Telehealth App Allowed Patients to Access Videos of Other Patients’ Consultations

A UK chatbot and telehealth startup has suffered an embarrassing privacy breach this week. Babylon Health developed a telehealth app that general practitioners can use for virtual consultations with patients. The app lets users book appointments with their doctors, use an AI-based chatbot for triage, and hold voice and video consultations with their doctor through the app.

On June 9, 2020, a patient using the app to obtain his prescription found video recordings of 50 other patients’ consultations in the app’s archive section. The files were replays of consultations between patients and doctors, exposing private and potentially highly sensitive information.

The patient shared the discovery on Twitter. With more than 50 video recordings accessible within the app, this amounts to a substantial data breach.

Babylon Health issued a statement saying the incident was caused by a software error in the app and not a malicious attack. It said it had become aware of the error before the patient’s Twitter post and that the problem was fixed within a few hours.

The investigation found that three patients were able to access other patients’ video recordings, although in two cases the patients did not view any of the footage. The error affected only the UK version of the app and did not affect its international operations. It was introduced in an app update that enabled switching between video and audio during a consultation with a doctor.

Babylon Health has reported the breach to the UK Information Commissioner’s Office, as required by the EU’s General Data Protection Regulation, and will publish full details of the incident.

In this case the software error does not appear to have compromised many patients’ consultations, but it is concerning given the highly sensitive health data handled by the app. There are currently around 2.3 million users of the app in the United Kingdom, so the breach could have been far worse.

Telehealth services have expanded significantly in the U.S. because of the COVID-19 pandemic. The HHS’ Centers for Medicare and Medicaid Services (CMS) expanded coverage of reimbursable telehealth services during the pandemic, and the HHS’ Office for Civil Rights (OCR) issued a notice of enforcement discretion for telehealth services, allowing healthcare organizations to use communication tools that may not be fully HIPAA compliant.

Given the growth in telehealth services and the wide range of apps being used to deliver them, this may well be only the first of several telehealth privacy breaches in 2020.

Although no financial penalties will be imposed for privacy and security issues arising from the good faith provision of telehealth services during the COVID-19 public health emergency, care must still be taken when choosing a telehealth solution. Many video conferencing platforms were not designed with sufficient security protections to ensure patient data is adequately protected, which puts patient privacy at risk. As this incident shows, data leaks can occur even with purpose-built health apps.

To protect patient privacy, every new technology should undergo a security review. Now that the COVID-19 pandemic is more under control, it is an appropriate time to review any telehealth apps and other software introduced during the crisis to confirm that patient data is adequately protected.

It is also worth considering a switch to a HIPAA-compliant telehealth solution with comprehensive privacy and security controls. TigerTouch is a telehealth solution that lets healthcare organizations message care team members and conduct telehealth consultations with patients from home using the same app. The platform meets HIPAA requirements, incorporates a range of security measures to keep patient data safe, and allows files, photos, and ePHI to be shared instantly and securely. An on-demand webinar with more information about the app is available.

Fake VPN Warnings Used as Bait in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN notifications as bait to trick remote workers into disclosing their Office 365 credentials.

Healthcare organizations are providing more telehealth services during the COVID-19 public health emergency to help limit the spread of COVID-19 and to ensure they can continue to provide services to patients while self-quarantining at home.

Virtual private networks (VPNs) are used to support telehealth services and give staff secure access to the network and patient data. Several vulnerabilities have been found in VPNs that hackers are exploiting to gain access to corporate networks, steal sensitive data, and install malware and ransomware. Prompt patching of VPN systems is therefore essential, as is updating the VPN clients on employee laptops, so employees may well receive VPN update notices.

Researchers at Abnormal Security identified a phishing campaign that impersonates the user’s organization and claims there is a problem with the VPN configuration that must be resolved for the user to continue using the VPN to access the network.

The emails appear to have been sent by IT support staff and contain a link that must be clicked to install an update. The email tells the user they must enter their username and password to access and run the update.

The campaign targets specific organizations and spoofs an internal email account so that the message appears to come from a known domain. The link uses anchor text tied to the user's company to hide the real destination URL and make it look legitimate. If the user clicks the link, they are taken to a web page with a realistic-looking Office 365 sign-in prompt. The phishing page is hosted on a legitimate Microsoft .NET platform, so it has a valid security certificate.

The attacker can capture the login credentials entered on the page and use them to access the user's email account and obtain sensitive information from emails and attachments, as well as any other data reachable with the Office 365 credentials via single sign-on.

Abnormal Security identified several phishing emails using different versions of this message, sent from various IP addresses. Since the destination phishing link is identical in each email, the emails are most likely part of the same campaign run by a single attacker.
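The lure described above hides the real destination behind anchor text that names the victim's own company. The following is an added example, not code from Abnormal Security or the original article, of a mail-gateway check that flags links whose visible text claims the trusted domain while the href points elsewhere; the domain names and email body are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    # Accept a full URL or bare host text such as "vpn.example-hospital.org/update"
    parsed = urlparse(s if "://" in s else "http://" + s)
    return (parsed.hostname or "").lower()


def _is_same_or_sub(host, domain):
    # "evil-example-hospital.org" must NOT match, so check the dot boundary
    return host == domain or host.endswith("." + domain)


def deceptive_links(html, trusted_domain):
    """Return (anchor_text, href) pairs whose visible text names the trusted
    domain but whose link actually leads to a different host."""
    p = _LinkCollector()
    p.feed(html)
    trusted_domain = trusted_domain.lower()
    return [(text, href) for href, text in p.links
            if trusted_domain in text.lower()
            and not _is_same_or_sub(_host(href), trusted_domain)]


# Constructed sample of a "VPN update" lure; example-hospital.org is the victim's domain.
SAMPLE_EMAIL = """<p>IT Support: your VPN configuration must be updated today.</p>
<a href="https://login-update.example-attacker.net/o365">vpn.example-hospital.org/update</a>
<a href="https://intranet.example-hospital.org/help">intranet.example-hospital.org</a>"""
```

Running `deceptive_links(SAMPLE_EMAIL, "example-hospital.org")` returns only the first link, whose text claims the hospital's domain while its href goes to the attacker's host.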

Russian Sandworm Hacking Group Exploits Exim Mail Servers

A Russian hacking group named Sandworm (Fancy Bear) is exploiting a vulnerability in the Exim Mail Transfer Agent, which is commonly used on Unix-based systems. The vulnerability, tracked as CVE-2019-10149, is a remote code execution flaw that was found in Exim version 4.87.

An update resolving the vulnerability was released on June 5, 2019; however, many businesses still have not updated Exim and remain vulnerable to attack.

The vulnerability can be exploited by sending a specially crafted email that allows commands to be executed with root privileges. After exploiting the flaw, an attacker could install programs, execute code of their choice, modify data, create new accounts, and potentially access stored information.

According to a recent National Security Agency (NSA) advisory, Sandworm hackers exploit the vulnerability by adding malicious code to the MAIL FROM field of an SMTP message. Businesses running vulnerable Exim versions on internet-facing mail transfer agents are exposed to this attack.

Following exploitation, the attackers download a shell script from a remote server and use it to create privileged users, modify SSH settings to enable remote access, disable network security settings, and run a further script to enable additional exploitation. This would likely give the attackers full control of the mail server, at which point all inbound and outbound email can be intercepted and exfiltrated.

Sandworm is part of Russia's General Staff Main Intelligence Directorate, also known as the GRU. The group has previously conducted attacks on European nations and the United States, and has carried out several cyberattacks on foreign governments that are alleged to have affected the 2016 presidential election.

The NSA has recommended mitigations to prevent exploitation. The most important is to update Exim to version 4.93 or later without delay. The update resolves CVE-2019-10149 along with other vulnerabilities that hackers may exploit. After upgrading, administrators should ensure that software updates are checked regularly and applied as soon as new versions are available. Exim can be updated through the Linux distribution's package manager or directly from Exim.

If it is not possible to update quickly, it may still be possible to detect and block exploitation attempts. For example, Snort 3 rule 1-50356 automatically alerts on exploit attempts for registered Snort Intrusion Detection System (IDS) users. Administrators should also regularly check for suspicious system changes, such as added accounts and SSH keys, which would indicate a breach.

The NSA recommends limiting user privileges when setting up public-facing mail transfer agents and using network segmentation to separate functions and requirements. Public mail transfer agents should be kept separate from sensitive internal resources in a DMZ enclave, with firewall rules configured to block unexpected traffic from reaching trusted internal resources. Mail transfer agents should also only be allowed to send outbound traffic to the necessary ports; all other ports should be blocked.
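Two of the checks recommended above (is the installed Exim older than 4.93, and have accounts or SSH authorized keys appeared since the host was known good) can be scripted. This is an added example, not code from the NSA advisory or the article; it assumes the version banner has the form `Exim version X.Y` as printed by `exim -bV`, and all file contents shown are constructed sample data.

```python
import re

FIXED_VERSION = (4, 93)  # the page's advice: update to Exim 4.93 or later


def exim_needs_update(version_banner):
    """Return True when the 'Exim version X.Y' line (format of `exim -bV`
    output is an assumption) reports a major.minor older than 4.93."""
    m = re.search(r"Exim version (\d+)\.(\d+)", version_banner)
    if not m:
        raise ValueError("no Exim version found in banner")
    return (int(m.group(1)), int(m.group(2))) < FIXED_VERSION


def _users(passwd_text):
    """Map user name -> uid for every well-formed /etc/passwd line."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = fields[2]
    return users


def _keys(authorized_keys_text):
    """Set of key lines from an authorized_keys file, ignoring blanks and comments."""
    return {ln.strip() for ln in authorized_keys_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def uid_zero_users(passwd_text):
    """Accounts with UID 0; anything besides root is a privileged user to review."""
    return [name for name, uid in _users(passwd_text).items() if uid == "0"]


def added_accounts_and_keys(baseline_passwd, current_passwd, baseline_keys, current_keys):
    """Compare current files with a baseline taken when the host was known good.
    Returns (new user names, new authorized_keys lines), both sorted."""
    new_users = sorted(set(_users(current_passwd)) - set(_users(baseline_passwd)))
    new_keys = sorted(_keys(current_keys) - _keys(baseline_keys))
    return new_users, new_keys


# Constructed sample data standing in for the real /etc/passwd and authorized_keys.
BASELINE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                   "exim:x:105:109::/var/spool/exim4:/usr/sbin/nologin\n")
CURRENT_PASSWD = BASELINE_PASSWD + "svcbackup:x:0:0::/root:/bin/bash\n"  # new UID-0 account
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaEXAMPLE1 admin@workstation\n"
CURRENT_KEYS = BASELINE_KEYS + "\n# added later\nssh-rsa AAAAB3NzaEXAMPLE2 unknown\n"
```

On a real host the baseline would be captured at build time and the comparison run on a schedule, alerting on any non-empty result or on a second UID-0 account.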