4 posts for '2016/12'

  1. 2016.12.27 Major Cyberattacks On Healthcare Grew 63% In 2016 by CEOinIRVINE
  2. 2016.12.27 A Cybersecurity Christmas Story by CEOinIRVINE
  3. 2016.12.27 Brute-Force Botnet Attacks Now Elude Volumetric Detection by CEOinIRVINE
  4. 2016.12.27 Russian Hackers Run Record-Breaking Online Ad-Fraud Operation by CEOinIRVINE

Major Cyberattacks On Healthcare Grew 63% In 2016

US hospitals lack new technologies and best practices to defend against threats, new report says.

Some 93 major cyberattacks hit healthcare organizations this year, up from 57 in 2015, new research shows.

TrapX Labs, a division of TrapX Security, found this 63% increase in attacks on the healthcare industry for the period between January 1, 2016 and December 12. Some may have been ongoing prior to Jan. 1, but for consistency, researchers only used official reporting dates to the Department of Health and Human Services, Office of Civil Rights (HHS OCR).

Among the largest attacks were those on Banner Health (3.6M records), Newkirk Products (3.4M records), 21st Century Oncology (2.2M records), and Valley Anesthesiology Consultants (0.88M records).


Sophisticated attackers are now responsible for 31% of all major HIPAA data breaches reported this year, a 300% increase over the past three years, according to the report. Cybercriminals were responsible for 10% of all major data breaches in 2014 and 21% in 2015.

Despite the rise in attacks, the number of records breached dropped to about 12,057,759. That said, so many millions of health records have been stolen that the value of individual records decreased this year, TrapX reported.

Researchers pinpointed two major trends from 2016: the continued discovery and evolution of medical device hijacking, which TrapX calls MEDJACK and MEDJACK.2, and the increase of ransomware across a variety of targets.

MEDJACK involves the use of backdoors in medical devices like diagnostic or life-support equipment. Hackers use emailed links, malware-equipped memory sticks, and corrupt websites to load tools into these devices, most of which run standard/older operating systems and proprietary software.

"Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data," says Moshe Ben-Simon, co-founder and VP of services at TrapX Labs.

One successful penetration is often enough to give hackers access to the network, where they can find unprotected devices to host attacks, chat with humans, and access information. It's difficult to mitigate the effects of MEDJACK; many hospitals don't even know it happens.

"Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it," Ben-Simon explains. "The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices."

Ransomware attacks on large and mid-sized healthcare organizations have also become more diverse. The financial depth and criticality of operations make them easy targets. It's one thing to close a business for one day; it's entirely different to force a hospital shutdown.

A July 2016 survey conducted by Solutionary discovered healthcare is the industry most frequently targeted by malware, accounting for 88% of all detections in Q2. Hackers target healthcare because organizations will usually pay ransom for valuable patient data.

TrapX researchers predict ransomware will reach "unprecedented levels" next year, as quick ROI and easy access to hard-to-trace money such as Bitcoin make it easier for hackers to launch more attacks at once.


Posted by CEOinIRVINE

A Cybersecurity Christmas Story

In the spirit of the holiday season and after a weekend marathon of watching the greatest Christmas movies ever made, I offer the following observations for my fellow cybersecurity friends and those chartered with defending critical assets.

CISO Ralphie Parker wants only one thing for Christmas: a Red Ryder Carbine Action 200-shot Range Model malware BB gun. Ralphie's desire is rejected by his CIO, his CFO, and even a department store Santa Claus security consultant, all of whom give him the same warning: "You'll shoot your eye out."

Christmas morning arrives, and Ralphie dives into his presents, opening a bunch of new cybersecurity tools. Although he receives some tools he enjoys, Ralphie is ultimately disappointed that he did not receive the one thing he wanted more than anything. After Ralphie thinks that all the presents have been opened, his father and CEO directs him to look at one last gift that he had hidden. Ralphie opens it to reveal the coveted Red Ryder malware BB gun.

Ralphie takes his new malware gun outside and fires it at the latest malware of the day. However, the BB ricochets back at Ralphie and knocks his SIEM glasses off his face. While searching for them, thinking he has indeed shot his eye out, Ralphie accidentally steps on his glasses and breaks them. To cover up the incident, Ralphie tells his CIO that a falling icicle was responsible for the cybersecurity breach.

We have all seen leadership become fascinated with the latest cybertool of the day and decide to throw it into the mix of existing tools, only to have things quickly go awry. Visibility, manageability, and interoperability are not often the primary goals when adding a new capability, making a difficult situation more complex.

While it is paramount that businesses and governments remain agile and competitive in our new reality, they also need to stay within acceptable levels of operational risk. Three overarching challenges continue to drive security strategies:

  1. There is more to defend, and the information footprint has expanded beyond the control of IT. We have gone from 25 to over 500,000 new threats per day in the last decade. Users are bypassing IT with cloud services and personal devices; many “users” are IoT and other specialized endpoints; more traffic is encrypted and invisible to IT; and massive amounts of data are moving to the cloud.
  2. We cannot move fast enough, despite seemingly significant efforts and investment. It is not unusual to take months or even years to detect a security breach. Containing and remediating a breach can take a long time, giving adversaries too much leeway to achieve their objective and inflict financial and reputational damage.
  3. Workforce resources are not keeping pace with the increased volume of attacks and sophistication of adversaries. More than 60% of organizations report that their security department is understaffed. Within four years, we will have a shortfall of nearly 2 million qualified cybersecurity professionals.

We recently surveyed over 2,000 IT security decision-makers around the world, and when asked what it would take to overcome these security challenges, they split roughly in half into two very different groups:

One group favored a best-of-breed approach, believing that self-integration of disparate technologies with manual processes delivers the best security outcomes. This is the traditional “defense in depth” school of thought, assuming that technology diversity drives a better overall security posture using human capital to make the parts into a system.

The other group favored an integrated platform approach, believing that an open and integrated security framework enabling consolidation and automation yields better overall security results. This group sees efficiency as a key component to success.

When you run the numbers, it becomes clear that we cannot solve the growing complexity and risk equation by throwing more people at the problem. Not only is there not enough grey matter to go around, the speed and scale of the problem demands the combined advantages of human and machine processing. Automation and orchestration will be essential components of security in 2017, and Ralphie needs to rewrite his Christmas list. 


Posted by CEOinIRVINE

Brute-Force Botnet Attacks Now Elude Volumetric Detection

Ask just about anyone the question “What distinguishes an automated (bot) session from a human-driven session?” and you'll almost always get the same first answer: “Speed.” And no wonder - it's our first intuition. Computers are just faster.


If you focus the question on credential brute-forcing, then it's even more intuitive. After all, the whole purpose of a brute-force attack is to cover as many options as possible, in the shortest possible time. Working quickly is just elementary, right?

Well, it turns out that this is not always the case. Most defenders, if not all, are already looking at speed and have created volumetric detections that are nothing more than time-based signatures. And that works, most of the time. But the attackers are getting smarter every day, and changing their attack methods. Suddenly, checking speed is no longer enough.

In the first week of October, we detected a credentials brute-force attack on one of our customers that commenced around 03:30 UTC. The attack, which lasted a few minutes shy of 34 hours, spanned a whopping 366,000 login attempts. Sounds like an easy case - 366K over 34 hours is over 10,000 attempts per hour.

But an easy catch? Not by existing volumetric detections, because the attack did not originate from one single IP address. In fact, we discovered that well over 1,000 different IP addresses participated in this attack. Let's look at the distribution of attempts:

[Chart: distribution of login attempts per participating IP address. Image source: PerimeterX]

Of all the participating IP addresses, the vast majority (over 77%) appeared at most 10 times during the entire attack. While the minority may trigger a volumetric detection, 77% of the attacking IP addresses would go unnoticed.

One can argue that counting failed login attempts would come in handy here. And it indeed could, except that many of the brute-force attacks don't actually enumerate on passwords tirelessly. Instead, they try username/password pairs that were likely obtained from leaked account databases, gathered from other vulnerable and hacked sites. Since many people use the same password in more than one place, there is a good chance that some, if not many, of the login attempts will actually be successful. 


How Motivated Attackers Adapt
On a different attack we observed, nearly 230,000 attempts at logging in over 20 minutes were performed from over 40,000 participating IP addresses. The vast majority of IP addresses were the origin point of 10 or fewer attempts. A volumetric detection would simply miss this attack.

In comparison, a common volumetric detector is usually set to a minimum of between 5 and 30 attempts, depending on the site’s specific behavior. Our data suggest that motivated attackers will adapt and adjust their numbers to your threshold, no matter how low it is. We also observed that the attack was incredibly concentrated, falling within a very short detection window of only about 20 or 25 seconds.

Fake User Creation Attack
Let's look at one last distributed attack, on yet another client. This time, the attack is not about credentials brute-forcing but rather fake user creation. In this example, the largest groups of IP addresses used per attempt count were those that committed only 1 or 2 attempts:

[Chart: IP addresses grouped by number of fake-user-creation attempts. Image source: PerimeterX]

The entire attack was conducted in less than six hours.

How do the attackers get so many IP addresses to attack from? The answer lies in analyzing the IP addresses themselves. Our research shows that 1% were proxies, anonymizers or cloud vendors, and the other 99% were residential IP addresses of home networks, likely indicating that the attacks were performed by a botnet (or botnets) of hacked computers and connected devices. Furthermore, residential IP addresses constantly change (as in any home), rendering IP blacklisting irrelevant and even harmful to the real users' experience.

Suspicious Indicators
We included in this post just a few representative examples (out of many more we detected) of large-scale attacks originating from thousands of IP addresses over a short time span. In the majority of these cases, detection was achieved by examining how users interacted with the website. The suspicious indicators included users accessing only the login page, filling in the username and password too fast or not using the mouse.

The implications of these attacks vary. They include theft of user credentials as well as fake user account creation, which in turn leads to user fraud, spam, malware distribution and even layer-7 DDoS on the underlying web application.

In conclusion, volumetric detections are simple and useful, but they are not sufficient. The attackers continue to improve their techniques, bypassing old-fashioned defenses. The new frontier in defense is in distinguishing bot behavior from human behavior – and blocking the bots.
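As an added illustration (not PerimeterX's code or data) of why the per-IP thresholds discussed above miss a distributed attack while an aggregate window count and the indicators listed under Suspicious Indicators do not, the following Python runs three detectors over constructed login records; the record layout, thresholds, window size and sample IPs are assumptions.

```python
"""Per-IP volumetric thresholds versus aggregate and behavioural detection of a
distributed credential brute-force. Added illustration, not PerimeterX code;
the records, field names and thresholds below are constructed for the demo."""
import random
from collections import Counter, defaultdict

random.seed(7)
# Constructed login records: (timestamp_s, ip, username, pages_before_login,
# form_fill_ms, mouse_events). 1,000 bot IPs make 1 or 2 attempts each inside
# a 20 s burst; one human logs in three times over half an hour.
BOT_EVENTS = [
    (random.uniform(0.0, 19.9), f"10.{i >> 8}.{i & 255}.7", f"user{i}", 1,
     random.randint(40, 120), 0)
    for i in range(1000) for _ in range(random.choice((1, 2)))
]
HUMAN_EVENTS = [(t, "192.0.2.10", "alice", 4, 6500, 37) for t in (3.0, 900.0, 1800.0)]
EVENTS = sorted(BOT_EVENTS + HUMAN_EVENTS)

def volumetric_flagged(events, threshold=5):
    """Classic per-IP detector: flag any source with more than `threshold` attempts."""
    counts = Counter(e[1] for e in events)
    return {ip for ip, n in counts.items() if n > threshold}

def distributed_surge(events, window_s=10.0, max_attempts=50, min_ips=100):
    """Aggregate detector: a time window whose attempt count is far above the
    site's baseline, spread over many distinct sources, is a distributed
    brute-force even though no single IP crosses the per-IP threshold.
    Returns (window_start, attempts, distinct_ips) for each offending window."""
    buckets = defaultdict(list)
    for ts, ip, *_ in events:
        buckets[int(ts // window_s) * window_s].append(ip)
    return [(start, len(ips), len(set(ips)))
            for start, ips in sorted(buckets.items())
            if len(ips) > max_attempts and len(set(ips)) >= min_ips]

def behavioural_flags(event):
    """Per-request indicators from the post: only the login page was visited,
    the form was filled faster than a person types, and the mouse never moved."""
    _ts, _ip, _user, pages_before_login, fill_ms, mouse_events = event
    flags = []
    if pages_before_login <= 1:
        flags.append("login-page-only")
    if fill_ms < 500:
        flags.append("filled-too-fast")
    if mouse_events == 0:
        flags.append("no-mouse")
    return flags

if __name__ == "__main__":
    print("IPs flagged by per-IP threshold:", len(volumetric_flagged(EVENTS)))
    for start, n, distinct in distributed_surge(EVENTS):
        print(f"window {start:.0f}s: {n} attempts from {distinct} IPs")
    print("bot request flags:", behavioural_flags(BOT_EVENTS[0]))
```

The per-IP detector flags nothing because no bot source ever exceeds two attempts, whereas the two 10-second windows of the burst and every individual bot request stand out immediately.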



Inbar Raz has been teaching and lecturing about Internet security and reverse engineering for nearly as long as he’s been doing that himself: He started programming at the age of 9 and reverse engineering at the age of 14. Inbar specializes in outside-the-box approaches to analyzing security and finding vulnerabilities; the only reason he's not in jail right now is because he chose the right side of the law at an earlier age. These days, Inbar is the principal researcher at PerimeterX, researching and educating the public on automated attacks on websites.



Posted by CEOinIRVINE

Russian Hackers Run Record-Breaking Online Ad-Fraud Operation

'Methbot' is a sophisticated cybercrime scheme that has hit major US advertisers and publishing brands and pilfered millions of dollars per day.


Cybercriminals out of Russia are behind a newly discovered massive online advertising fraud operation hiding in plain sight that steals up to $5 million per day from big-name US advertisers by posing as some 6,000 major US media sites including The Huffington Post, Fortune, ESPN, CBS Sports, and Fox News, and generating fake ad impressions.

Researchers at White Ops recently spotted the so-called "Methbot" operation pilfering anywhere from $3 million to $5 million per day in what they say is the largest and most profitable online ad fraud operation in history. Methbot has been operating for three years under cover by a Russian cybercrime group that White Ops has dubbed "AFK13," with a unique twist: its own internal botnet infrastructure runs and automates the click-fraud rather than the traditional ad fraud model of infecting unsuspecting consumers to do the dirty work.


US advertisers in October alone lost a whopping $17.7 million to the criminal hackers, according to White Ops, and AFK13 made some $10.6 million.

AFK13, which is based in Russia, also employs data centers in Dallas and Amsterdam, to run its botnet via spoofed IP addresses that help them evade blacklists. The cybercrime gang created its own Web browser in order to better hide its tracks, as well as its own HTTP library.

"This is the largest operation ever discovered in digital ad fraud," says Eddie Schwartz, president and COO of White Ops, an ad fraud detection firm, which published its findings on AFK13 and its Methbot infrastructure today. "This one is unique in that they went to the trouble of writing their own browser code … They game everything across the entire value chain" of online advertising, he says.

The Methbot network basically drives video and other ad impressions that appear to be humans clicking on them. But video ad "watching" is actually via its botnet of automated Web browsers of more than a half-million Internet addresses using phony IP registrations posing as large ISPs such as Verizon, Comcast, AT&T, Cox, and CenturyLink.

The botnet generates phony impressions for up to 300 million of these ads daily and sends them via 6,111 Internet domains posing as actual ad inventory on brand-name websites, according to White Ops.

"Ad companies are losing because they're paying the bill" for phony impressions, White Ops' Schwartz says.

Methbot until recently was able to operate under the radar because the Russian cybergang behind it has apparently studied how to avoid detection, including reverse-engineering and duping ad-fraud measures and spoofing fraud verification data so the advertiser sees Methbot's ad impressions as legit, even though they're phony.

AFK13's Methbot has tallied some 200 million to 300 million phony video-ad impressions daily at an average CPM of $13.04, or around $4 million in phony ad inventory revenue each day.

The Russian hackers have even built the bots to imitate mouse movements and social media login information so they appear to be human-generated activity. "They're making the traffic look like residential humans," Schwartz says.

He says the forged and compromised domains made them appear legit to the advertising exchange services that broker ad space inventory for publishers. The exchanges were fooled into believing they were handing the subsequent ad impressions to the publishers, but that phony yet billable traffic instead went to Methbot.

Posted by CEOinIRVINE