Healthcare Industry Targeted By Criminals For Fraud

This week we hear about the healthcare industry being targeted for fraud, and a new technique that disguises a RAT in a popular automation tool.

Breach

HEALTHCARE INDUSTRY TARGETED BY CRIMINALS FOR FRAUD

Healthcare operators saw millions of patient records compromised in 2014. The many reports of data breaches in the healthcare industry are raising awareness of, and the need for, cyber security services. One such report indicated that 90 percent of healthcare organizations have had a data breach, affecting one third of the U.S. population, or approximately 120 million people.

Why is the healthcare industry being attacked? Healthcare records provide the most complete profile on individuals. Records often include financial data, residence information, email accounts, points of contact and family data. This provides criminals with multiple opportunities to commit fraud against victims and their family members.

Criminals’ options range from standard credit card fraud and opening fraudulent lines of credit to filing phony tax refunds. One report states that instead of $1.00 per credit card record, stolen healthcare records can return as much as $60.00 to $70.00 per record to the hacker.

The need for network monitoring will only increase as industries like healthcare continue to experience a barrage of breaches. Monitoring networks for suspicious activity increases the chance that anomalies are detected, traced and remedied before attackers have time to fully infiltrate networks and steal data.

References: Dark Reading | Krebs on Security | Information Age

Mitigation Strategies:

  • Review system logs daily for malicious activity.
  • Use anomaly detection and conduct a weekly review of log and event activity on the network.
  • Vulnerability scanning provided by Threat Manager can be used to help find and correct vulnerabilities before attackers exploit them.

Malware

MALWARE OPERATORS PROFIT FROM BITCOIN RANSOMS

In late August 2015, the popular automation tool AutoIt was leveraged to deliver a Remote Access Trojan (RAT) to unsuspecting parties via a sophisticated phishing attack. AutoIt, which is a scripting language designed for automating the Windows GUI and general scripting, is also popularly used in Microsoft Word documents. The phishing attack was coupled with basic social engineering tactics to trick victims into downloading the payload (the RAT).

Once the payload has been delivered, RATs maintain persistence on the host in a manner that’s similar to normal administration activity. RATs allow adversaries to fully control compromised hosts remotely to conduct malicious operations, such as exfiltrating sensitive information. The use of AutoIt is unusual and potentially a highly effective method of evading detection by traditional anti-virus technologies.

It is imperative that a layered security approach, along with a proper backup procedure, be used to protect the corporate enterprise. This type of approach will increase the chances of blocking or quickly catching this kind of activity.

References: Cisco Blog | Security Affairs

Mitigation Strategies:

  • Maintain an elevated security posture and train staff to recognize potential phishing attacks.
  • Use Intrusion Detection System (IDS) signatures to detect the malware attempting the specifically observed callback activity.
  • Review system logs daily for malicious activity.

Top 20 IP Addresses
