Tuesday, March 28, 2017

Compromised Email Credentials Behind Most Healthcare Breaches

According to Evolve IP and ID Agent, hackers breached organizations through compromised emails 63% of the time. The security firms conducted a study of the security practices of 1,000 healthcare organizations. Of those 1,000 organizations, employees at 680 had already lost control of their email credentials. Whoever hacked the email accounts at those 68% of organizations also uploaded the credentials to the darknet.

Only 76% of the uploaded passwords contained immediately usable information, and even then only 23% of the breached emails came with plaintext passwords. Darknet marketplaces and forums routinely hosted breached healthcare data in 2016, but password dumps found their way to the clearnet too. The darknet provided good cover for hackers and credential vendors last year but lacked the publicity a healthcare breach needed, so many hackers took to the clearnet as another advertising venue.

“With 68 percent of healthcare organizations having compromised credentials within the Dark Web, organizations are failing to adequately protect customers from online account takeover and data exploit,” Kevin Lancaster of ID Agent said. “To combat the growing threat, it’s important to develop an end-to-end solution to automate the process of identifying stolen credentials and proactively securing customer on-line accounts.”

The hacker, or at least the vendor of the credentials, did not necessarily sell healthcare credentials on the clearnet. Instead, the clearnet’s larger media platform served as leverage. In many cases, selling on the darknet was a last resort for the bad actor; they wanted the breach publicised as widely as possible. Once word spread, they sat and hoped the breached company would pay the ransom for its confidential information.

The vendor on a darknet marketplace likely never mentioned the word “ransom” and oftentimes may not have known the hacker’s true intentions. Another company that reported additional findings from Evolve IP and ID Agent added the so-called vendor “credential lifecycle.” Vendors noted commonalities between breaches. “Gain access to data from emails exploited by phishing, malware, data breach, social engineering and other attack forms,” the company explained.

The next step in the credential lifecycle, according to the report, fell under an analysis category. “Use obtained data to study a targeted company or individual.” With information obtained from said data, the next steps were: “gain system access,” and “establish a foothold in the system.”

And finally the hacker needed to “gain more privileges” and “move laterally through the organization and its supply chain to extract data or control system access.”

Verizon’s 2016 Data Breach Investigations Report revealed that employees opened 30% of phishing emails. Another 12% opened or downloaded the payload.

“While it is virtually impossible to prevent phishing attacks, the right disaster recovery plan and (disaster recovery) services can prevent a healthcare organization from experiencing serious losses or even potentially going out of business,” Evolve IP’s David M. McCrystal said.