Cyber security firm lifts lid on healthcare sector cyber threats

Expert describes how incident may have played out

By Daniel Wood

On Wednesday afternoon, the health insurer Medibank Private announced a new development following last week’s cyberattack. The insurer said it had received messages from a group wishing to negotiate concerning the alleged removal of customer data.

After last week’s cyberattack, a Medibank statement reported “unusual activity” on its network but “no evidence that any sensitive data, including customer data, has been accessed.” However, in response to last week’s incident, the firm temporarily took its ahm and international student policy management systems offline.

“The cyber threats facing the healthcare sector are both severe and concerning,” said Nick Lowe, director of Falcon OverWatch with CrowdStrike, a global cyber security firm.

A recent report by this firm found that the healthcare space is the object of a rising number of cyberattacks. The CrowdStrike 2022 OverWatch Report said the volume of attempted “interactive intrusions” against the healthcare industry, many of them ransomware, has doubled year-over-year.

“A significant majority of these threats can be attributed to financially motivated cybercriminals, known as eCriminals,” said Sydney-based Lowe who has more than 15 years’ experience in cyber security. “In fact, eCrime made up over a third of all intrusions against the healthcare sector in APJ [the Asia Pacific and Japan].”

“The growth in ransomware across all industry sectors is, in large part, tied to the proliferation of ransomware-as-a-service models whereby ransomware developers commoditise their product and sell it to affiliate groups for use in ransomware attacks,” said Lowe.

He said this model “opens the door” to less technically proficient criminals and complicates the work of threat hunters like his firm.

“Indeed, this is what makes the threat hunters’ job so complex: different affiliate groups often use distinct tradecraft to deploy the same tooling,” said Lowe.

The cyber security expert painted a picture that could suggest what the attack reported by Medibank may have looked like.

“CrowdStrike’s managed threat hunting team, OverWatch, recently identified an interactive ‘Phobos’ ransomware affiliate in the early stages of an attempted intrusion against a major healthcare organisation,” he said. “The first sign of an issue was a high volume of unsuccessful logons, followed by a successful logon, indicative of a brute-force attack.”

Lowe said this attack, which happened before Medibank’s incident last week, enabled the affiliate to gain access under a local administrator account.

“They then proceeded to use a remote desktop protocol to extend their foothold to additional hosts, quickly gaining access to multiple Windows servers,” he added. “Fortunately, at the earliest sign of trouble, upon identifying the brute-force attack, OverWatch threat hunters alerted both the victim organisation and CrowdStrike’s managed detection and response analysts in Falcon Complete who were able to contain the intrusion before ransomware was executed.”
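The tell-tale sign Lowe describes, a run of failed logons followed by a success from the same source, is straightforward to hunt for in Windows security logs. The following is an added example (not CrowdStrike’s code) that runs that detection over a constructed set of logon events, where 4625 is a failed logon and 4624 a successful one; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, event_id, account, source_ip).
# Event 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2022-10-12T02:00:01", 4625, "administrator", "198.51.100.7"),
    ("2022-10-12T02:00:02", 4625, "administrator", "198.51.100.7"),
    ("2022-10-12T02:00:03", 4625, "administrator", "198.51.100.7"),
    ("2022-10-12T02:00:04", 4625, "administrator", "198.51.100.7"),
    ("2022-10-12T02:00:05", 4625, "administrator", "198.51.100.7"),
    ("2022-10-12T02:00:06", 4624, "administrator", "198.51.100.7"),
    ("2022-10-12T02:10:00", 4625, "jsmith", "10.0.0.5"),  # a single typo, then success: benign
    ("2022-10-12T02:10:04", 4624, "jsmith", "10.0.0.5"),
]


def find_bruteforce_successes(events, threshold=5, window=timedelta(minutes=5)):
    """Return (account, source_ip, failure_count) for every successful logon that
    was preceded by at least `threshold` failed logons for the same account from
    the same source within `window`. Threshold and window are assumed values."""
    failures = defaultdict(deque)  # (account, source) -> timestamps of recent 4625s
    alerts = []
    for ts_str, event_id, account, src in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        recent = failures[(account.lower(), src)]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624:
            if len(recent) >= threshold:
                alerts.append((account, src, len(recent)))
            recent.clear()  # a success ends this run of failures
    return alerts


if __name__ == "__main__":
    for account, src, count in find_bruteforce_successes(SAMPLE_EVENTS):
        print(f"ALERT: {count} failed logons then success for {account} from {src}")
```

A hit on a local administrator account should trigger the same containment steps described above: isolate the host and review RDP sessions originating from it.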

Lowe said his firm also supported this unnamed healthcare organisation to remove the threat from their environment and recommended follow-up actions to mitigate against a return attack.

The cyber expert from CrowdStrike had a warning for insurers, however.

“One of the biggest mistakes any organisation can make is not paying attention to global threats impacting their industry vertical, or even beyond their vertical,” he said. “Criminally motivated activity is largely opportunistic in nature.”

Lowe said this analysis is reflected in the data he has seen.

“This means that the tradecraft leveraged to execute data breaches overseas is highly likely to be replicated to execute attacks locally,” he said.

Lowe said a cyberattack technique that worked against a healthcare organisation in the US is likely to be reused for targeting healthcare organisations in Australia.

“Because of this, having access to global threat intelligence is an imperative for any healthcare organisation looking to get on the front-foot against cybercrime,” he said.

Last month, Ismael Valenzuela, vice president of Threat Research and Intelligence at BlackBerry, said a Cyber Insurance Coverage study by his company is further evidence that the cyber insurance industry “is really immature” when it comes to insurance.

“There’s immaturity both from the side of the organisations demanding these policies for protection and also immaturity from the insurance industry in terms of their knowledge about what is happening in the industry,” said the New Jersey-based Valenzuela.

In another development on Wednesday, one of the largest cyber insurance providers in Australia officially showcased a new offering in Sydney. The London-headquartered cyber team from CFC Underwriters showcased the cyber offering to local broker partners and underwriters while cruising the harbour.

“We’re basically offering a fully integrated, start to finish, in-house claim solution in Australia,” said international cyber team leader, Philippa Davis. “We’ve built an entire team who focus on preventing cyberattacks for clients and it’s the largest specialist team in the world that does this.”
