
Dark Web Analysis: Healthcare Risks Tied to Database Leaks, Credentials

CybelAngel shows just how hackers are successfully cracking into healthcare networks: credential stuffing, vulnerable connected devices, and databases left wide open to attackers.

A new report from CybelAngel analysts provides insight into just how hackers are getting into healthcare networks, from providers leaving databases wide open to attacks, to credential stuffing cyberattacks through third-party access points.
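To illustrate the credential-stuffing pattern the report describes from a defender's side, here is an added detection example; it is not code from CybelAngel or from the article. It assumes a simple, constructed authentication-log format (timestamp, source IP, username, result) and flags any source that fails logins against many distinct accounts within a short window, which is what distinguishes stuffing from an ordinary user retrying their own password.

```python
"""Credential-stuffing detection over authentication log lines.

Added example (not from the CybelAngel report or the article): the
log format, threshold values and sample lines are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) (?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: one source trying many distinct accounts (the stuffing
# pattern, including one hit) beside a normal user mistyping a password twice.
SAMPLE_LOG = """\
2021-03-01T08:00:01 203.0.113.7 jdoe FAIL
2021-03-01T08:00:02 203.0.113.7 asmith FAIL
2021-03-01T08:00:03 203.0.113.7 mlee FAIL
2021-03-01T08:00:04 203.0.113.7 rkhan FAIL
2021-03-01T08:00:05 203.0.113.7 pwang SUCCESS
2021-03-01T08:00:06 203.0.113.7 tbrown FAIL
2021-03-01T08:05:00 198.51.100.22 cgarcia FAIL
2021-03-01T08:05:09 198.51.100.22 cgarcia FAIL
2021-03-01T08:05:20 198.51.100.22 cgarcia SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail logins against >= min_accounts distinct
    usernames within `window`. Ordinary users retry their own account, so
    many *distinct* failed accounts from one source is the stuffing signal.
    Any account that succeeded inside the same window is reported too,
    because that is the credential the attacker has now validated."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            failed_users = {u for _, u, r in window_evs if r == "FAIL"}
            if len(failed_users) >= min_accounts:
                succeeded = sorted({u for _, u, r in window_evs if r == "SUCCESS"})
                alerts[ip] = {
                    "distinct_failed_accounts": len(failed_users),
                    "accounts_succeeded": succeeded,
                }
                break  # one alert per source is enough
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"{ip}: {info}")
```

The window size and account threshold are tuning knobs; on a real third-party access gateway they would be set from observed login behaviour, and the alert would typically also trigger a forced credential reset for any account listed under `accounts_succeeded`.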

The Healthcare Data Actively Targeted and Sold on the Dark Web report draws on case studies of three French hospital environments. This data is highly sought after by threat actors worldwide, and the motivations, data types, and attack methodologies are similar to those seen in attacks on the US healthcare sector as well.

The research sheds light on hackers’ planning efforts for fraud, ransomware, and other attacks through stolen credentials, leaked database files, and other elements provided from specialized sources from dark web markets.

The findings build on recent research from CTIL, which showed that demand for, and sale of, backdoor access to healthcare networks spiked last year.

Hackers known as Initial Access Brokers (IABs) first find exposed endpoints and break into networks, then sell the access points on the dark web to the highest bidder. Access is most frequently sold to ransomware groups.

CybelAngel also observed a surge of both the search and sale of healthcare data on these underground markets, fluctuating with the global COVID-19 response efforts.

The pandemic’s strain on hospitals and cybersecurity gaps have also provided hackers with the needed resources and ability to methodically launch coordinated cyber efforts against the vulnerable sector.

“Cybercrime attacks that disable hospitals and weaponize stolen medical records are unconscionable – and particularly ruthless during a pandemic, when the uptime of every care facility and accuracy of every health record determines whether lives are saved,” said Camille Charaudeau, vice president of product strategy at CybelAngel, in a statement.

“While the volume and stakes of these attacks can feel overwhelming, our research shows that sealing off a few specific types of exposed data could have a meaningful effect by disrupting the supply chains adversaries rely on to execute these attacks,” she added.

The analysis shows attackers are compiling lists of open, exposed databases tied to healthcare entities, which are then monetized by selling the data to other hackers. These exposures are found in on-premise servers, connected specialty equipment, SaaS platforms, or other cloud-based technologies.

These vulnerabilities are often coupled with access misconfigurations or poor access controls, which leave the database itself and even the network exposed to attacks.

A prime example of these exposures can be found with Picture Archiving and Communication Systems (PACS), which are used by a wide variety of healthcare provider organizations. Data has repeatedly shown that the US is notorious for leaving these vulnerable platforms online, which has led to the exposure of millions of medical images.

In fact, two providers recently reported healthcare data breaches caused by exposed PACS.

The SolarWinds security incident also spotlights the risk posed by third-party vendors, which researchers stressed highlights the need for healthcare organizations to apply the principle of least privilege to third-party software and to vendors accessing healthcare networks.

A review of dark web markets observed screenshots and details of well-connected threat actors selling troves of employee credentials from a company contracted with a range of hospitals.

“Many breaches and ransomware attacks are traced back to compromises of third parties the healthcare sector relies on for software, tech support, billing, and data reporting. It only takes victimizing one service provider to access or ransom many of their downstream customers,” researchers explained.

CybelAngel also noted that hackers are easily finding a vast number of cheap, network-attached storage and other high-capacity devices, which are leaving millions of healthcare records in the public domain.

Researchers found an offering of “500,000 French hospital records” for sale on the dark web, which were analyzed and found to be authentic. These files contained personally identifiable information on patients, as well as their relationships with providers, pharmacies, and the like.

This information can be readily used for fraud or for refined social-engineering themes used in ransomware and phishing attacks.

Researchers made several recommendations for bolstering defenses against these serious data risks, including a reminder to impress upon all workforce members the crucial role they play in keeping the network secure, in addition to traditional security and phishing training.

Further, patch management must become a key priority for all healthcare entities. Encryption defenses are also crucial, as “encrypted data is useless to attackers, yet this powerful defense is unutilized when systems are misconfigured or have unclear ownership.”

“Healthcare relies on remote connections, but incomplete asset discovery and inventories raise the risk of abuse of privileges and widespread compromise if only one device or department is compromised,” researchers explained.

“When remote desktop protocol (RDP) and VPN access is required, it is imperative to ensure all enhanced security settings are enabled and monitor internet traffic to look for signs of abuse, like anomalous large-scale data exfiltration,” they added.
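The researchers' advice to watch internet traffic for anomalous large-scale data exfiltration can be turned into a simple per-host baseline check. The following is an added example, not code from the report or the article; the flow-summary format, the baseline statistics and all sample values (including the host names) are constructed. Each host is compared only against its own history, and a hard floor keeps a host with a flat, zero-variance baseline from being flagged over a few megabytes.

```python
"""Egress anomaly detection over outbound flow summaries.

Added example (not the report's or the article's code): the record
format, the baseline method and all sample values are constructed.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

TARGET_DAY = date(2021, 3, 8)  # constructed: the day under review

# Constructed daily egress summaries: (day, internal_host, bytes_out)
SAMPLE_FLOWS = [
    # imaging server: steady ~2 GB/day for a week, then ~60 GB on the target day
    *[(date(2021, 3, d), "pacs-01", 2_000_000_000 + d * 10_000_000) for d in range(1, 8)],
    (TARGET_DAY, "pacs-01", 60_000_000_000),
    # billing NAS: variable, but the target day sits inside its own range
    *[(date(2021, 3, d), "nas-billing", 500_000_000 * (1 + d % 3)) for d in range(1, 8)],
    (TARGET_DAY, "nas-billing", 1_000_000_000),
    # quiet workstation: zero baseline, then 50 MB (below the floor, not flagged)
    *[(date(2021, 3, d), "ws-radiology-12", 0) for d in range(1, 8)],
    (TARGET_DAY, "ws-radiology-12", 50_000_000),
]


def daily_totals(flows):
    """Sum bytes_out per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_egress_anomalies(flows, target_day, k=3.0, floor_bytes=1_000_000_000):
    """Per host, compare target_day's egress to that host's own earlier days.
    Flag when it exceeds both mean + k*stdev and a hard byte floor."""
    anomalies = {}
    for host, per_day in daily_totals(flows).items():
        baseline = [b for d, b in per_day.items() if d < target_day]
        today = per_day.get(target_day)
        if today is None or len(baseline) < 3:
            continue  # not enough history to judge this host
        mu, sigma = mean(baseline), pstdev(baseline)
        threshold = max(mu + k * sigma, floor_bytes)
        if today > threshold:
            anomalies[host] = {
                "bytes_out": today,
                "baseline_mean": mu,
                "threshold": threshold,
                "ratio": today / mu if mu else float("inf"),
            }
    return anomalies


def run_sample():
    """Evaluate the constructed flows for the constructed target day."""
    return find_egress_anomalies(SAMPLE_FLOWS, TARGET_DAY)


if __name__ == "__main__":
    for host, info in run_sample().items():
        print(f"{host}: {info['bytes_out']:,} bytes out, "
              f"{info['ratio']:.1f}x its baseline mean")
```

In practice the per-host baseline would come from a flow collector or the VPN and RDP gateway logs the researchers mention, and `k` and `floor_bytes` would be tuned so that nightly backups and legitimate image transfers do not trip the check while a bulk pull from an imaging or records server does.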

Healthcare entities should also review free resources from the Department of Health and Human Services, as well as free ransomware protection services recently offered by the nonprofit Center for Internet Security.
