Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news
Weekly CyberTip: QR Code Safety
With QR (Quick Response) codes becoming more and more prevalent, it’s a good time for a reminder to maintain a healthy suspicion before pointing your mobile phone at a QR code. While QR codes can be a convenient time-saver, threat actors are exploiting the technology to direct you to spoofed websites or attempt to deploy malware on your device.
When scanning a QR code, always have a close look at the URL that is previewed on your screen before selecting it. Remember that a QR code is just a shortcut to a destination on the Internet; they aren’t inherently dangerous. Just use the same caution that you should be using before clicking on a link in an email or elsewhere online. Be extra cautious with QR codes in unsecured or public places, as they may have been tampered with or replaced with a malicious QR code. Similarly, take extra precautions before considering downloading an app or processing a payment through a QR code; if you’re not comfortable, seek an alternative means of getting the URL.
CISA and HHS release healthcare cyber toolkit
On October 25, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Health and Human Services (HHS) released a Collaborative Cybersecurity Healthcare Toolkit designed to make it easier for healthcare organizations to defend against cyber threats.
“Adversaries see healthcare and public health organizations as high value yet relatively easy targets – or what we call target rich, cyber poor. Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary,” said CISA Deputy Director Nitin Natarajan in a joint press release with the HHS.
“We have seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years. These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety. The more they happen, and the longer they last, the more expensive and dangerous they become,” added HHS Deputy Secretary Andrea Palm.
In addition to links, tips, and a table of advisories, alerts, and supplementary information, the toolkit features three key resources:
- CISA’s Cyber Hygiene Services, which scans for known vulnerabilities
- HHS’s Health Industry Cybersecurity Practices, which outline effective cybersecurity practices healthcare organizations can adopt to become more cyber resilient
- HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide, which helps organizations assess and improve their level of cyber resiliency and integration with their information security and privacy risk management activities
The cyber hygiene services are available free of charge to available to eligible critical infrastructure organizations in the United States. The other resources are freely available on the HHS website; while they are customized to the American market, they contain best practices that apply to most healthcare facilities.
Microsoft warns of Octo Tempest crime gang activities
In an October 25 blog post, Microsoft presents a detailed analysis of the threat actor group called Octo Tempest. Traditionally involved in smaller-scale hacking efforts, the crime gang now “leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups,” according to the blog.
The blog provides details on some of the approaches used by the gang, which include:
- Social engineering attacks involving calling employees to install remote access utilities
- Calling/texting employees to direct them to a fake login portal to harvest their credentials
- Masquerading as employees, requesting password changes or MFA re-configurations
- Buying stolen credentials on dark web marketplaces for malicious access to systems
The post provides threat hunting guidance, user access configuration best practices, and encourages security awareness training on the latest threats. If you are compromised by Octo Tempest, the post also offers the practical advice to use “out-of-band” communication channels when dealing with the hackers in order to avoid disclosing additional information or defensive strategies.
Cloudflare reports record DDoS attack in Q3
n an October 26 blog post, Cloudflare revealed that they had faced one of the “most sophisticated and persistent DDoS attack campaigns in recorded history”. Cloudflare claimed to have handled thousands of “hyper-volumetric HTTP DDoS” attacks, 89 of which exceeded 100 million requests per second (rps) and with the largest peaking at 201 million rps — nearly three times higher than the previous largest attack on record (71M rps).
The report indicated that the total number of DDoS attack requests in the quarter ballooned to 8.9 trillion, up sharply from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. The top five industries targeted by DDoS attacks include gaming, IT & Internet, cryptocurrency, computer software, and telecom. By country, the top five targets were the U.S., Singapore, China, Vietnam, and Canada. However, the report noted “a surge in DDoS attacks and other cyber attacks against Israeli newspaper and media websites, as well as financial institutions and government websites. Palestinian websites have also seen a significant increase in DDoS attacks.”
Over-all, the DDoS attacks seen in Q3 were largely designed to disrupt operations rather than seek a financial reward. “Approximately 8% of respondents reported being threatened or subject to Random DDoS attacks, which continues a decline we’ve been tracking throughout the year. Hopefully it is because threat actors have realized that organizations will not pay them (which is our recommendation),” observed the report.
Third-party attack still disrupting southwestern Ontario hospitals
In an October 27 media release, TransForm Shared Service Organization (TSSO) advised that recovery efforts are still underway after a cyber attack on October 23. TSSO provides services to five Windsor-Essex region hospitals, including Bluewater Health, Chatham Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital. All facilities are affected by the cyber incident.
“We expect to have updates related to the restoration of our systems in the upcoming week,” TSSO advised in the release, which urged patients not needing emergency care to attend their primary care provider or local clinic. Few other details on the nature of the incident have been disclosed.
