Cybersecurity News: February 19-25
Health and Human Services (HHS) and HIPAA compliance standards
The Office for Civil Rights (OCR) annual report to Congress has revealed that healthcare organizations are struggling to comply with the Health Insurance Portability and Accountability Act (HIPAA), especially when it comes to securing network servers against hacking and other IT incidents. The report, which is shared with Congress to outline the agency's investigative efforts and compliance reviews, is intended to help regulated entities improve their HIPAA compliance. However, funding constraints are limiting HIPAA enforcement actions. The report also indicated that the reduction of the penalty tiers for HIPAA violations has further constrained OCR's finances, placing a severe strain on the agency's limited staff and resources.
OCR received 25% more HIPAA and HITECH violation complaints in 2021 than in the previous year, and 78% of the 34,077 new complaints were resolved before an investigation was initiated. Corrective action was taken against entities in just 714 cases, 3% of the investigations. OCR did not initiate any of the periodic audits required by the HITECH Act in 2021 because it lacked the financial resources to do so, and it is currently developing criteria for future audits.
The report revealed that covered entities are struggling to comply with HIPAA Security Rule requirements, especially in risk analysis and management, IT system activity review, audit controls, and access controls. The largest category of data breaches reported to OCR in 2021 was due to hacking and IT incidents, with network servers being the most commonly affected systems. OCR is urging entities to review HIPAA Security Rule standards and implementation specifications, especially around security management process standards, to enhance prevention, detection, and correction of security violations.
Risk analysis and management are critical areas for improvement as noncompliance in this area leaves regulated entities vulnerable to unsecured ePHI breaches. Entities are also failing to review records of information system activity, including audit logs, access reports, and security incident tracking reports, which can help detect malicious activity. Early detection of malicious activity can mitigate potential breaches and reduce the potential number of affected individuals.
Coinbase Cyber Attack
Coinbase, a popular cryptocurrency exchange platform, has revealed that it was the target of a cyber attack on February 5, 2023, aimed at its employees. Although the attacker was unable to gain direct access to the company's systems because of its security controls, a limited amount of data from its corporate directory was exposed, including employee names, email addresses, and some phone numbers. The incident began with an SMS phishing campaign that tricked an employee into entering their login credentials on a fake page. The attacker then attempted to use those credentials to gain remote access to Coinbase but was blocked by multi-factor authentication.
The attacker next called the employee and tried to direct them to log into their workstation and follow a set of suspicious instructions. Coinbase's security team was alerted to the attack within 10 minutes and told the employee to sever all communications with the attacker. Coinbase did not disclose the instructions the attacker gave the employee, but it warned other companies to be wary of attempts to install remote desktop software and of incoming phone calls and text messages from certain providers. The company believes the attack is linked to the phishing campaign that targeted over 130 companies last year.
MyloBot Botnet Linked to Residential Proxy Service
BitSight, a cybersecurity firm, recently reported that a highly sophisticated botnet, MyloBot, has infected systems across the globe. The botnet, which first surfaced in 2017, can download any payload onto a compromised host and was used to send extortion emails last year. While the botnet's activity has declined, BitSight says it still records over 50,000 unique infected systems daily, most of them located in India, the US, Indonesia, and Iran.
Further investigation revealed a connection between MyloBot's infrastructure and a residential proxy service called BHProxies, implying that the compromised machines are being used by the latter. The botnet runs a multi-stage infection sequence and sits idle for 14 days before contacting its command-and-control server. When an instruction is received, the infected computer is turned into a proxy that handles numerous connections and relays traffic sent through the command-and-control server. BitSight has been sinkholing MyloBot since 2018 and continues to monitor the botnet as it evolves.
U.S. Discusses Military Implications of Artificial Intelligence
The US has launched a new initiative in The Hague aimed at promoting the responsible military use of artificial intelligence (AI). Bonnie Jenkins, the State Department's under secretary for arms control and international security, emphasized the importance of establishing strong norms for responsible behavior in the military's use of AI, recognizing that the applications of AI will change over time. The use of AI in conflicts can have a significant impact, changing the way wars are waged.
The 12-point declaration outlines the role of international law in military uses of AI and stresses the necessity of human control over all actions concerning nuclear weapons. During the conference, 60 nations, including China, called for broad cooperation in developing guidelines for the military use of AI and emphasized the importance of human oversight to prevent the technology from spiraling out of control.
Norway Seizes Cryptocurrency from Lazarus Hackers
Norway's Økokrim police agency has seized approximately $5.84 million worth of cryptocurrency stolen by the Lazarus Group in March 2022 through the Axie Infinity Ronin Bridge hack. The action comes 10 months after the US Treasury Department implicated the North Korea-backed group for stealing $620 million from the Ronin cross-chain bridge.
In September 2022, the US government also recovered over $30 million worth of cryptocurrency stolen in the same hack. Økokrim collaborated with international law enforcement partners to follow the money trail, making it harder for the criminals to launder the proceeds. Separately, Elliptic has reported that a newly launched cryptocurrency mixer, Sinbad, is highly likely a rebrand of Blender, which was sanctioned by the US government in May 2022. The two mixers overlap in the wallet addresses used, their nexus to Russia, and how they operate. The funds siphoned from the Horizon Bridge hack and other North Korea-linked attacks were laundered through a complex series of transactions involving exchanges, cross-chain bridges, and mixers.
The Lazarus Group sent a total of 1,429.6 Bitcoin, worth approximately $24.2 million, to Sinbad between December 2022 and January 2023. Meanwhile, Lazarus has continued to evolve its tradecraft with a range of anti-forensic techniques designed to erase traces of its intrusions and obstruct analysis, according to AhnLab Security Emergency Response Center.