Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/14/2019
02:10 PM
100%
0%

Attacks on Healthcare Jump 60% in 2019 - So Far

Well-known Trojans Emotet and Trickbot are cybercriminals' favorite weapons in their campaigns.

Cybercriminals are increasingly targeting hospitals, doctors' offices, and other healthcare organizations, with attacks using Trojan malware climbing by 82% between the second and third quarters of this year.

Cyberattacks against healthcare organizations jumped 60% in the first nine months of the year, compared to all of 2018, according to a report published this week by anti-malware firm Malwarebytes. 

While the healthcare industry is currently the seventh-most targeted industry by online malware, attackers seem to be aiming to infect more organizations, especially via Trojan malware focused on compromising and controlling computers. While Malwarebytes saw a growth rate of 45% in threats between Q3 and Q2 this year, Trojan attacks climbed by 82%, according to the firm's Cybercrime Tactics and Techniques: The 2019 State of Healthcare report.

"We were able to determine that healthcare is one of the top sectors that is being affected by cybercrime," says Adam Kujawa, the director of Malwarebytes Labs. "You think about some of the attacks we've seen, such as what happened with WannaCry and the UK's National Health Service ... and you figure they would have focused more on security." 

While attacks on local government agencies and public schools continue to make headlines, healthcare has been under constant attack since 2016, when Hollywood Presbyterian Medical Center acknowledged a ransomware attack had infected its systems. The healthcare group's lack of preparedness forced them to pay $17,000 — an inexpensive lesson, compared to today's ransoms. 

Other threats, such as security research focusing on attacking medical devices and medical breaches, has forced other segments of the industry to pay attention to its security as well. 

The Malwarebytes report may signal that healthcare companies have to continue to focus on cybersecurity. 

"Medical institutions are fighting an uphill security battle, as budget dollars are often diverted to research, patient care, or new technology adoption," the report says. "Cybersecurity, then, is an afterthought, as doctors use legacy hardware and software, staff lack the security know-how to implement updates and patches in a timely manner, and many medical devices lack security software altogether."

In particular, attackers have targeted organizations with flexible programs that compromise systems and then allow attackers to infect the system with even more malicious code. Malwarebytes' software detected, and blocked, more than 12,000 attempted installations of Trojan software in Q3, dominating other types of malware. Ransomware, the No. 2 threat, accounted for less than 2,500 attempted installations during the third quarter, the report stated.

Trickbot & Emotet

The main culprit recently is Trickbot, a Trojan that aims to compromise bank accounts and steal credentials. More recent versions of Trickbot have been used to spread ransomware and cryptocurrency mining software. The Trojan surged during the summer and fall of 2019, becoming the top threat to healthcare organizations, according to Malwarebytes' telemetry data. 

"Trickbot has not slowed down around the world," Kujawa says. "But we are seeing it focused on the medical industry right now."

Emotet, another former banking Trojan, surged at the beginning of 2019, according to Malwarebytes report. The malware is a modular framework that can be tailored to different attacks. It can drop additional programs such as ransomware, but also has spam functionality, hijacking e-mail conversations to make phishing attempts seem more real.

In 2018, attacks against enterprises using Trickbot and Emotet surged. The US Department of Homeland Security deemed it the most destructive threat to state, local, tribal, and territorial (SLTT) governments.

"Emotet continues to be among the most costly and destructive malware affecting SLTT governments," a 2018 DHS advisory stated. "Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate." 

Because they perform a critical service for a nation's citizens, healthcare organizations need to improve their cybersecurity against the threat, Malwarebytes Kujawa says.

"Unfortunately, healthcare has treated cybercrime as an afterthought," he says. "These organizations, across the board, do not seem ready for — not even what was out there yesterday — nevermind what is out there now or what is coming down the future." 

While the report focused on healthcare, Malwarebytes found that the education sector continues to be the top target of attackers. In 2016, security firm BitSight used external signs of compromise to identify the education sector as the most compromised

Related Content

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Poll Results: Maybe Not Burned Out, But Definitely 'Well Done'

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.