The DHB has called in external help and says it refuses to pay any ransom demanded while clinical services are left scrambling
Hackers of Waikato District Health Board (DHB) are believed to have gained access to their systems via an email attachment opened by a staff member. They have caused disruption to all clinical services in a bid to extort a ransom payment.
This follows a similar attack on the Irish health system in the form of ransomware, just a few days ago. AUT Computer Science Professor Dave Parry explains that in this sort of attack, the attacker manages to get some of their software onto the victim’s network and this encrypts files, making them unreadable. The attacker then offers to give the victim the key to unlock the encryption in return for money – usually in the form of bitcoin or other cryptocurrency.
Melbourne’s Eastern Health was also targeted back in March. Vectra APJ Director of Security Engineering, Chris Fisher says that while the organisation was quick to reassure and confirm that patients were not at risk, the incident highlighted major security vulnerabilities, resulting in significant disruption to the hospital’s network including the cancellation of elective surgeries.
Ransomware activity has risen steeply recently, causing significant impact to a number of organisations around the world including the high profile attack on the Colonial Pipeline in the US. The company reportedly paid the hackers $5 million for the restoration of their IT services. Parry says this will probably have encouraged more attacks.
“Attackers are proving increasingly bold in targeting large scale infrastructure like hospitals, wreaking havoc on overburdened healthcare systems at time when they are needed most,” Fisher says.
“The vectors of attacks have remained the same, however the speed at which the attackers can pivot through an organisation’s network and the coverage they are able to achieve has greatly increased. This highlights that current prevention tools are no longer enough to mitigate risk.”
Recognising the risks
In today’s digitally driven environment, smart technologies are crucial in improving operational efficiencies.
One of the largest containment measures implemented globally during the pandemic was the massive shift to remote working, which rapidly accelerated the adoption of hybrid cloud to improve business agility and respond to changing customer needs. Technology and collaboration tools, such as Microsoft Office 365 applications, meant work and life could continue.
“Unfortunately, the speed and scale of cloud adoption has also presented transitional gaps and opportunities for adversaries to exploit,” Fisher says.
“A recent global study by Vectra AI revealed that 71% of Microsoft Office 365 deployments suffered an average of seven malicious account takeovers in the 12 months to February 2021. The fact that three in four companies have experienced malicious account takeover attacks highlights the need to track and secure identities as they move from on-prem to the cloud.
“With the new work-from-home paradigm, proliferation of data-driven applications, and advancement of technologies such as artificial intelligence (AI) and Internet of Things (IoT) in the enterprise, cybercriminals too are using more advanced tools and sophisticated methods to attack organisations and breach privacy.
“User account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organisation’s network.
“Cybercriminals rarely act alone – from sharing infrastructure to being part of entire syndicates dedicated to sabotage, forcing organisations to constantly review and renew their security policies.
“Attackers will continue to exploit human behaviours, social engineering, and identity theft to infiltrate enterprise networks and steal data in every type of organisation.”
A collective responsibility
In this landscape, Fisher says enterprises are coming to realise that cyber threat defence and mitigation against increasingly sophisticated attacks are beyond the scope of a cybersecurity team alone.
“Constantly evolving threats means a round-the-clock effort and highly specialised skills to bolster enterprise cybersecurity, particularly within a hybrid cloud environment.
“Typically, most organisations have lean IT teams and lack the cybersecurity expertise required to pre-empt and mitigate sophisticated threats, placing enormous strain on what is potentially an already limited resource.”
Vectra’s survey revealed that 96% of Australia and New Zealand survey respondents indicated their organisation’s cybersecurity risk had increased in the 12 months to February 2021.
As a result of increased Microsoft Office 365 usage during COVID-19, their main security concern is now the risk of data being compromised and the ability for hackers to hide their tracks by using legitimate Microsoft tools, such as Power Automate and e-Discovery.
“At a time when remote working is here for the long-term, the cyber threat attack surfaces (such as personal devices) and landscapes (new vulnerabilities) are getting wider, building a security-minded culture becomes a collective responsibility,” says Fisher.
“Senior leadership teams in any industry may be guilty of assuming that cybersecurity issues are the sole remit of their firm’s cybersecurity team. But that is no longer true in a digital economy, when data breaches or DDoS attacks can damage business, reputation and customer loyalty.
“Building digital trust comprises an entire ecosystem – from suppliers to customers, business partners to employees and so much more.
“Focusing on attacker behaviour on the network and not relying on signature-based technology is the key weapon in the fight against ransomware.
“Organisations need solutions that provide clear signals without noise providing contextual information to enable quick, informed decisions empowering security analysts. To better protect an organisation from inside and external threats, I’d like to share some best practice tips:
- Apply a mix of subject matter experts and technology
It’s not enough to just invest in the tools but it matters to build knowledge and establish stringent governance frameworks. That’s where vendors with true cybersecurity expertise drive value, helping organisations not only to draw upon expertise and intelligent, AI-driven detection tools but to also gain deep visibility into security and compliance gaps.
- Understand your threat landscape
It is imperative that organisations truly understand their new enterprise network. We have seen perimeters of the network vanish during 2020 as organisations have shifted to the cloud; the modern enterprise network is now Datacentre, IaaS, SaaS and PaaS. It is vital that the enterprise has visibility into all of these networks and be able to track attackers as they pivot through these environments. We must build detection and response capabilities that can shine a light into all these environments and track attacker behaviour as they attempt to move laterally through them.
- Prioritise and respond at speed and scale
It is not only critical to identify attackers as they pivot through the modern network, but also to have the ability to respond rapidly and in a consistent way across all network stacks be that IaaS, SaaS, PaaS, or Datacentre. The only way to achieve this is via prioritisation of incidents leveraging AI and automation. This will bolster the limited capacity of the security operations centre giving it the best chance to drive down metrics such as mean time to remediation, therefore reducing the impacts of attackers and reducing the risk of a widespread breach.”
Building a secure organisation for the future
Combatting cybercrime is not only a priority for enterprises, but rapidly became a matter of national interest and security. With global rollouts of COVID-19 vaccines in progress, never has this become more crucial as new cyber threats to supply chains become prevalent.
Research has found that countries with established digital economies, including Australia, Japan, Singapore, and New Zealand have the highest exposure to cyber risks and their governments are taking active measures to invest in and implement cyber defence strategies.
Unidentified cyber threats can have huge financial and reputation repercussions as more attackers seek to exploit ongoing COVID-19 challenges across industries. With scarcity of talent, many organisations struggle with experience shortfalls in their cybersecurity team.
Fisher says entities need to focus on their networks and maintain good cyber hygiene to drive down the noise coming into security operation centres.
“Unless security investments are made into response capabilities, attacker responder gap will continue to grow. How quickly an entity responds to a breach and identifies the attacks quickly and effectively will determine who succeeds in this fast-changing time.”
Chris Fisher, Director of Security Enigineering APJ
Chris Fisher is the Head of Security Engineering for Vectra.ai in the Asia Pacific and Japan Markets. As a leader for the APJ business Chris’s key responsibility is to ensure that Vectra customers have the security foundation to embrace new technology and lines of business, allowing them to digitally transform whilst reducing business risk and improving their security posture.
Chris has over 15 years of cybersecurity experience from practitioner through to strategic advisor for large organizations. He has vast experience in SCADA environments working in the mining and energy sectors for several years. Recently Chris has been helping customers transition to cloud environments securely.