More Malicious Actors are Attacking Cloud Services in Healthcare Sector

Advanced cyberattacks on cloud services frequently make headline news; however, such attacks are comparatively rare. Most cyberattacks on cloud environments use well-known threat actor tactics, including the use of stolen credentials and the exploitation of security weaknesses such as misconfigurations. The best protection against cloud attacks is therefore to focus on basic cloud security hygiene, which deters attackers and significantly reduces the likelihood of a cloud breach.

According to the latest Google Cloud Threat Horizons Report for Q3 2023, most cloud breaches started with access gained through weak password exploitation: 54.3% of cloud breaches were due to weak or absent passwords. These attacks typically involve brute forcing of default accounts, the Remote Desktop Protocol (RDP), and Secure Shell (SSH). 15.2% of attacks began with access obtained through misconfigurations, and another 15.2% were due to exposure of sensitive UIs or APIs. 10.9% of attacks began with breaches achieved by exploiting vulnerable software.
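The brute forcing of default accounts over SSH that the report describes is one of the easier initial-access patterns to detect in host logs. The following is an added example, not code from the report or from Google Cloud: it parses constructed sshd log lines (assuming the collector writes RFC 3339 timestamps and that lines arrive in chronological order), flags any source that fails authentication more than a threshold number of times inside a sliding window, and records which default account names were tried. The account list is an assumption for illustration.

```python
"""Flag SSH password brute-force sources and default-account guessing in sshd logs.

Added example; the log lines below are constructed, not taken from any report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in rsyslog's RFC 3339 timestamp format (assumption: the
# collector writes ISO timestamps; classic syslog lines would need another parser).
SAMPLE_LOG = """\
2023-11-03T10:15:01+00:00 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
2023-11-03T10:15:02+00:00 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51236 ssh2
2023-11-03T10:15:02+00:00 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2023-11-03T10:15:03+00:00 web1 sshd[2205]: Failed password for invalid user ubuntu from 203.0.113.5 port 51244 ssh2
2023-11-03T10:15:04+00:00 web1 sshd[2207]: Failed password for invalid user ec2-user from 203.0.113.5 port 51250 ssh2
2023-11-03T10:15:05+00:00 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51252 ssh2
2023-11-03T10:16:40+00:00 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2023-11-03T10:16:55+00:00 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
2023-11-03T11:40:00+00:00 web1 sshd[2401]: Failed password for root from 198.51.100.9 port 40100 ssh2
2023-11-03T11:40:01+00:00 web1 sshd[2403]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Account names commonly guessed against cloud VMs (assumed list, not from the report).
DEFAULT_ACCOUNTS = {
    "root", "admin", "administrator", "ubuntu", "ec2-user",
    "azureuser", "pi", "test", "guest",
}


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: alert} for sources with >= threshold failures inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for ts, ip, user in parse_failures(lines):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            users = {u for _, u in q}
            alert = alerts.setdefault(ip, {
                "count": 0, "users": set(), "default_accounts": set(),
                "first_seen": q[0][0], "last_seen": ts,
            })
            alert["count"] = max(alert["count"], len(q))
            alert["users"] |= users
            alert["default_accounts"] |= users & DEFAULT_ACCOUNTS
            alert["last_seen"] = ts
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {a['count']} failures between {a['first_seen']} and {a['last_seen']}; "
              f"default accounts tried: {sorted(a['default_accounts'])}")
```

The single failure from 198.51.100.7 followed by a successful public-key login is a normal user mistyping a password and is not flagged; the burst from 203.0.113.5 against root, admin, ubuntu and ec2-user is. The same logic applies to RDP by swapping the regex for Windows event 4625 fields.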

The Google Cloud research and analysis team has observed continuing threat actor activity targeting cloud-hosted Software-as-a-Service (SaaS) systems. Companies are using more SaaS applications, which substantially broadens the attack surface. According to the Thales 2023 Cloud Security Report, the mean number of SaaS applications used by companies increased by 41% from 2021 to 2023. 55% of the security executives surveyed said they had experienced data breaches, malicious applications, leaks, ransomware, insider attacks, or espionage associated with SaaS applications in the past two years, which indicates that companies are unable to adequately safeguard SaaS data. This is particularly troubling because SaaS data is the data least likely to be recovered after a ransomware attack.

A growing number of malicious actors are abusing public cloud services to host their command-and-control infrastructure rather than using their own or borrowing it from other threat actors. The threat actors benefit from an inexpensive, reliable platform that companies and customers trust, and they can hide their activity by blending into the large volume of legitimate traffic. Threat actors have abused Amazon Web Services, Microsoft Azure, and Dropbox, and they could also be using Google Calendar. Proof-of-concept code for a Google Calendar Remote Access Trojan (RAT) has been posted on GitHub. Researchers at Mandiant state that the code was actively shared on underground forums, indicating threat actor interest in the Google Calendar RAT. Because the malware communicates over legitimate infrastructure managed by Google, it is difficult for defenders to identify the activity as suspicious.

Threat actors have used typosquatting in their campaigns for a long time. The technique involves registering domains that closely resemble the targeted brand in order to catch careless typists. Typosquatting is now being used in attacks on cloud storage services such as Azure Blob, Google Cloud Storage, and Amazon S3. A random sample of ten Fortune 100 firms found that 60% had multiple typosquatted cloud storage URLs.
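Defending against typosquatted storage names starts with knowing what the plausible typos of your own bucket names are, so that they can be pre-registered or watched for in DNS and proxy telemetry. The following is an added example, not code from the report: it generates the standard single-edit typo classes (omission, repetition, transposition, adjacent-key substitution) for an organisation's bucket name, keeps only variants that are valid storage names, and matches them against a list of observed names. The bucket name and the observed list are constructed for illustration; the name-shape regex is a conservative common denominator, not any one provider's exact rules.

```python
"""Generate typo variants of a cloud storage bucket name and match them against
observed names, for defensive monitoring of an organisation's own buckets.

Added example; OWN_BUCKET and OBSERVED are constructed.
"""
import re

# Neighbouring keys on a QWERTY keyboard, used for fat-finger substitutions.
ADJACENT_KEYS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh", "u": "yij",
    "i": "uok", "o": "ipl", "p": "o", "a": "qsz", "s": "adwx", "d": "sfec", "f": "dgrv",
    "g": "fhtb", "h": "gjyn", "j": "hkum", "k": "jli", "l": "ko", "z": "xa", "x": "zcs",
    "c": "xvd", "v": "cbf", "b": "vng", "n": "bmh", "m": "nj",
}

# Conservative name shape shared by S3 buckets, GCS buckets and Azure containers:
# lowercase letters, digits, hyphens and dots, 3 to 63 characters, starting and
# ending with a letter or digit (assumption: a common denominator, not exact rules).
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name):
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name


def typo_variants(name):
    """Return the set of single-edit typos of `name` that are valid bucket names."""
    name = name.lower()
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                      # omission:      acme-helth-data
        out.add(name[:i] + ch + name[i:])                     # repetition:    acme-heallth-data
        if i + 1 < len(name):                                 # transposition: acme-helath-data
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for key in ADJACENT_KEYS.get(ch, ""):                 # adjacent key:  acme-gealth-data
            out.add(name[:i] + key + name[i + 1:])
    out.discard(name)  # the genuine name is not a typo of itself
    return {v for v in out if is_valid_bucket_name(v)}


def find_typosquats(own_bucket, observed_names):
    """Observed names that are exactly one typo away from the organisation's bucket."""
    variants = typo_variants(own_bucket)
    return sorted(n for n in observed_names if n.lower() in variants)


# Constructed: the organisation's bucket and names seen in DNS or proxy telemetry.
OWN_BUCKET = "acme-health-data"
OBSERVED = [
    "acme-health-data", "acme-helath-data", "acmehealth-data",
    "acme-health-dat", "acme-heallth-data", "acme-gealth-data",
    "acme-health-data-archive", "unrelated-bucket",
]

if __name__ == "__main__":
    print(f"{len(typo_variants(OWN_BUCKET))} candidate typo names for {OWN_BUCKET}")
    print("observed typosquats:", find_typosquats(OWN_BUCKET, OBSERVED))
```

The generated set is the list to feed a bucket-monitoring job or to pre-register where cost allows; "acme-health-data-archive" is deliberately not flagged, since a legitimate sibling bucket is not a typo and should be handled by naming policy rather than typo detection.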

The Google Cloud Threat Horizons Report for Q3 2023 includes an evaluation of cloud services usage in the healthcare sector and identifies some of the common security concerns. A study of cloud security incidents from 2021 to 2023 found that healthcare companies' cloud services are increasingly being attacked and that cloud services are being used as a platform for staging attacks. Although most of these attacks are not new, the team found that they increasingly affect patient safety, for instance by disrupting healthcare companies' operations, resulting in patients being diverted to more distant facilities and delaying diagnosis and treatment.

The attacks analyzed by Google and Mandiant showed that most attacks on the healthcare sector are carried out by financially motivated threat actors, who most often use stolen data for initial access and, to a lesser extent, phishing, denial-of-service attacks, third-party vulnerabilities, web exploits, and misconfigurations. The most common follow-on compromises were ransomware and data extortion attacks, in which the attackers try to locate and capture PHI for extortion, with or without encrypting data. Credentials and data are typically stolen by targeting resources such as AWS S3, Outlook, and Web Access applications. In the report, the Google Cloud team provides a number of mitigations that can help reduce the risk of attacks on cloud services and prevent credential and application misuse, data exfiltration and extortion, ransomware and data destruction, web exploits, social engineering, exploitation of third-party software vulnerabilities, malware delivery, and DoS attacks.

The healthcare industry is a preferred target for cyber attackers. Healthcare organizations must recognize that patient information and medical device vulnerabilities require immediate attention and protection. Cybersecurity should be built into the core of healthcare processes to protect clinical and personal data as well as patient safety. This requires a collective effort, in which cooperation among healthcare companies, industry stakeholders, and government becomes the foundation of defense against these persistent cyber adversaries.