Malwarebytes 2019 Healthcare Cybercrime Report (English), 2019.11, 36 pages (PDF)
November 2019
CTNT REPORT
CYBERCRIME TACTICS AND TECHNIQUES: the 2019 state of healthcare

Table of contents
Executive summary ..... 3
Key takeaways ..... 4
Global healthcare threats ..... 5
US regional healthcare threats ..... 11
Top attack vectors for healthcare ..... 20
Why is healthcare a target? ..... 22
Security challenges in healthcare ..... 27
Consequences of a breach ..... 32
Future concerns ..... 33
Conclusion ..... 36

Executive summary

In this special CTNT report on healthcare, we focus on the top threat categories and families that plagued the medical industry over the last year, as well as the most common attack methods used by cybercriminals to penetrate healthcare defenses. In addition, we highlight the security challenges inherent to organizations, from small private practices to enterprise health maintenance organizations (HMOs), as well as the reasons why hackers look to infiltrate their defenses. Finally, we look ahead to future biotech innovations and the need to consider security in their design and implementation.

Disruptions to healthcare data, operations, productivity, and efficiency result in severe, life-threatening consequences. Yet cybercriminals show no signs of remorse. In fact, the global data Malwarebytes Labs collected from our product telemetry, honeypots, threat intelligence, and reporting efforts from October 2018 through September 2019 shows they are only ramping up efforts. Therefore, we aim to educate those in healthcare IT and security to get ahead of the curve with an ounce of prevention before they need a pound of breach remediation.

In 2019, cybercriminals stole headlines for incessant attacks against some of the world's most important sectors. Threat actors made no bones about targeting our schools to steal and sell children's data while grinding instructional hours to a halt. They gleefully tormented our cities with ransomware, putting a stop to key services and vital infrastructure. And they toyed with what some might argue is our most critical industry: healthcare.

Key takeaways

- The medical sector is currently ranked as the seventh-most targeted industry according to Malwarebytes telemetry gathered from October 2018 through September 2019; however, overall malware detections in this industry are on the rise. Threat detections have increased for this vertical from about 14,000 healthcare-facing endpoint detections in Q2 2019 to more than 20,000 in Q3, a growth rate of 45 percent.
- The healthcare industry is overwhelmingly targeted by Trojan malware, which increased by 82 percent in Q3 2019 over the previous quarter. The two most dangerous Trojans of 2018-2019 for all industries, Emotet and TrickBot, were mostly responsible. While Emotet detections surged at the beginning of 2019, TrickBot took over in the second half as the number one threat to healthcare today.
- While we captured mostly Emotet, TrickBot, exploit, and backdoor detections targeting healthcare organizations, each of these threats is known to drop ransomware payloads later in its attack chain. Therefore, in combination with intelligence gathered and news reports on high-profile hospital ransomware attacks, we can safely conclude that ransomware is looking to penetrate healthcare organizations from several different angles.
- Of the four regions of the United States, the West's healthcare institutions were most targeted by malware, leading the pack at 42 percent of Malwarebytes' total US detections. The Midwest was not far behind, at 36 percent. However, the South and Northeast had far fewer detection percentages, at 15 and 7 percent respectively.
- The top attack methods for cybercriminals looking to penetrate healthcare networks in the last year were to compromise vulnerabilities in third-party vendor software, to take advantage of negligence or otherwise weak security postures by exploiting known vulnerabilities that haven't been patched, and to use social engineering tactics such as phishing and spear phishing to deliver malicious emails, attachments, and links.
- The healthcare industry is a target for cybercriminals for several reasons, including their large databases of patients' personally identifiable information, lack of a sophisticated security model, and high number of endpoints and other devices connected to the network. In addition, the sensitive nature of patient data that threat actors can easily swoop up lends itself to a high return on investment, which positions healthcare as a juicy target for opportunistic criminals.
- Medical institutions are fighting an uphill security battle, as budget dollars are often diverted to research, patient care, or new technology adoption. Cybersecurity, then, is an afterthought, as doctors use legacy hardware and software, staff lack the security know-how to implement updates and patches in a timely manner, and many medical devices lack security software altogether.
- Consequences of a breach for the healthcare industry far outweigh any other organization, as stolen or modified patient data can put a stop to critical procedures, and devices locked out due to ransomware attack can result in halted operations, and sometimes even patient death.
- New innovations in Internet-connected biotech, including cloud-based biometrics, Internet of Thoughts, or even advances in prosthetics represent exciting breakthroughs for healthcare; however, development and implementation without baking security into the design could result in dire outcomes. Therefore, it's important for biotech innovators to consider security in the foundation of the devices, platforms, and services themselves.

Global healthcare threats

Statistically speaking, we can identify how much trouble the medical industry is in by examining telemetry from our business products deployed on healthcare-facing endpoints throughout the world. According to data collected from October 1, 2018 through September 30, 2019, medical organizations had fewer infections than the educational, manufacturing, and retail industries, ranking lower among the top 10 targeted sectors. That trend, however, is changing.

Comparing all of 2018 against three quarters of 2019, Malwarebytes has observed an overall 60 percent increase of threat detections from healthcare organizations. If the trend continues, we expect to see even higher gains in a full year-over-year analysis. This increase of detections is due to notorious threat families, such as TrickBot and Emotet, as well as a slew of backdoors and exploits. These tools have been custom-built and evolved into terrible machines for mass infection of organizational networks, be it huge hospital or small local practice.

With that being said, we are catching this trend at the right time. Before attacks lodged against healthcare institutes grow even more in number and severity, we can spread the word and make sure these organizations are protected from some of the most disruptive threats we've seen in the wild.

How targeted is the medical industry?

Healthcare represents a significant slice of the organizational pie, especially when considering the sheer number of brick-and-mortar medical practice locations throughout the world. This industry ranks as the seventh-most malware-focused business vertical over the last year. Education and manufacturing took our top two spots for highest volume of threats detected in the last year. Education has been a huge target due to the large number of endpoints that are accessed on a regular basis by students, staff, and others on campus, combined with outdated security infrastructure and limited staff and awareness. This creates a security nightmare that leaves many education networks full of adware, Trojans, and ransomware. Manufacturing has also become a big target for attackers, as disruption of operations is almost as valuable to an attacker as being able to ransom important data. While other organizations may be able to recover from a cyberattack without losing much profit, manufacturing organizations can't afford to have their technology locked out, as it guarantees profit loss. Yet, with an uptick in threat detections through the third quarter of 2019, we expect to see the medical industry climb this list into the next year.

Figure 1. Medical ranked as the 7th-most targeted industry by cybercriminals. Top industries by detection:
1. Education
2. Manufacturing
3. Services
4. Retail
5. Other
6. Government
7. Medical
8. Technology
9. Marketing
10. Transportation

Threat categories

At a high level, we like to get a general overview of the state of an industry by looking at categories of malware and other threats targeting organizations. In doing so, we're able to get a good look at the ebb and flow of malware trends over the last year, and identify where to "dig in" to find the most intrusive malware. Figure 2 charts detections of malware categories in each quarter from the beginning of 2018 to now, with quarter-over-quarter percentage changes tracked between quarters. For example, you can see that in Q3 2019, all threat categories increased by 45 percent over the previous quarter. In fact, the only categories of threats that saw declining numbers were backdoors and spyware. Trojans, hijackers, and riskware in particular each surged ahead by over 80 percent from Q2 2019.

Figure 3 expresses the same data but in visual form, showing us how much greater the number of detections for Trojan malware is than for any other category. However, since Trojan is such a broad category of malware, encompassing anything from downloaders to botnet clients, it helps to identify which threat families are responsible for the uptick. That's when we drill down another level.

Figure 2. Top categories of malware quarter-by-quarter, Q1 2018 - Q3 2019 (healthcare detections; %Chg is the change from the previous quarter)

Malware category | 2018 Q1 | 2018 Q2 | %Chg | 2018 Q3 | %Chg | 2018 Q4 | %Chg | 2019 Q1 | %Chg | 2019 Q2 | %Chg | 2019 Q3 | %Chg
Trojan | 227 | 5325 | 2246% | 6123 | 15% | 5937 | -3% | 15959 | 169% | 6652 | -58% | 12081 | 82%
Adware | 96 | 758 | 690% | 1297 | 71% | 3088 | 138% | 1561 | -49% | 1358 | -13% | 1816 | 34%
Backdoor | 25 | 342 | 1268% | 3497 | 923% | 713 | -80% | 2901 | 307% | 717 | -75% | 11 | -98%
Ransom | 4 | 26 | 550% | 252 | 869% | 150 | -40% | 241 | 61% | 2158 | 795% | 2480 | 15%
Malware | 0 | 0 | 0% | 0 | 0% | 0 | 0% | 500 | 0% | 2060 | 312% | 2206 | 7%
Hijack | 456 | 457 | 0% | 1076 | 135% | 666 | -38% | 660 | -1% | 334 | -49% | 661 | 98%
Spyware | 23 | 150 | 552% | 2101 | 1301% | 721 | -66% | 340 | -53% | 138 | -59% | 78 | -43%
RiskWare | 53 | 122 | 130% | 271 | 122% | 847 | 213% | 591 | -30% | 409 | -31% | 757 | 85%
Rootkit | 23 | 80 | 248% | 101 | 26% | 145 | 44% | 170 | 17% | 55 | -68% | 83 | 51%
Hacktool | 13 | 21 | 62% | 12 | -43% | 181 | 1480% | 98 | -46% | 107 | 9% | 154 | 44%
Totals | 929 | 7336 | 690% | 14965 | 104% | 11727 | -22% | 23154 | 97% | 14073 | -39% | 20387 | 45%

Figure 3. Malware category detections, healthcare (medical detection categories, Q3 2018 - Q3 2019; bar chart of quarterly detections for Trojan, Adware, Backdoor, Ransom, Malware, Hijack, Spyware, RiskWare, Rootkit, and HackTool)

Threat families

Looking at the overwhelming number of Trojans targeting the healthcare industry, we can dig into which caused the most problems for the medical industry by examining the top 10 threat families, Trojan or otherwise, that the medical industry has been fighting since October 2018. Figure 4 expresses the activity of the top 10 threat families against medical organizations, according to our detections over the last year. Here you can see why we see so much Trojan malware: massive spikes of Emotet, which we classify as a Trojan, occurred in late 2019 and throughout Q1 2019. However, other Trojan families such as TrickBot kept the trend going.

Another conclusion we can draw from this graph is that ransomware is looking to step in from several angles. Not only have many hospitals failed to patch the SMB vulnerabilities that WannaCry used, but many of the Trojans leveraged against healthcare are also known to deliver ransomware payloads. For example, Emotet not only launches TrickBot as a secondary payload, but both Emotet and TrickBot often drop Ryuk ransomware in a combination attack we've come to call "the triple threat." Ransomware payloads are also common deliverables of exploits, which we've detected aimed at healthcare since early 2019. Therefore, where Malwarebytes detection and remediation reports show us Trojans, we would expect to encounter ransomware later in the infection process if the threats were allowed to fester on.

Figure 4. Top threat families targeting healthcare, 2018-2019 (top 10 medical threats, October 1, 2018 - September 30, 2019, monthly detections: TrickBot, Emotet, Exploit Generic, Ransom.WannaCrypt, Backdoor Generic, Trojan.Agent, Adware.Elex.ShrtCln, Hijack.Shell, RiskWare.Mic.Tray, Trojan.MalPack)

Stripping away some of the less important detections, we can dig deeper into what is happening with Emotet, TrickBot, and a couple of their "friends." Figure 5 allows a clear look at trend activity with these families over the last year. We chose to focus on these four families not only because of their detection amounts, but also because of their potential damage and/or part in the distribution of other threats.

Figure 5. Most dangerous threat families targeting healthcare (top medical industry threats, September 2018 - September 2019, monthly detections: TrickBot, Emotet, Exploit Generic, Backdoor Generic)

TrickBot attack diagram
Scenario 1: malspam with attachment, URL, or PDF -> opening of malicious Word doc -> malicious Word doc executes PowerShell, drops Emotet -> Emotet drops TrickBot -> TrickBot reaches out to C&C for modules, performs LDAP queries -> TrickBot spreads through network using SMB vulnerability -> TrickBot exfiltrates data from endpoints and sends back to C&C.
Scenario 2: malspam with URL -> malicious Word doc executes PowerShell, drops TrickBot.

Emotet strikes back

Emotet originally started out as a banking Trojan, but has developed into a versatile harvesting and infection tool. It is a modular software package that can be easily adapted to perform several malicious tasks. One of those modules is a highly effective spam tool that has a higher infection rate than similar malware because of its ability to spoof senders that are known to the victim. It can even hijack existing email conversations. Last year, the US Department of Homeland Security deemed Emotet the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments. During Q1 2
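The first link in the TrickBot attack diagram above, in both scenarios, is a malicious Word document executing PowerShell. The following is an added detection example, not code from the Malwarebytes report: it scans constructed Sysmon-style process-creation records (a hypothetical pipe-delimited layout) and flags Office applications spawning a shell, raising severity when the command line carries hidden-window or encoded-command switches.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in a hypothetical pipe-delimited layout (not real telemetry):
# event_id|image|parent_image|command_line, one process-creation event per line.
SAMPLE_LOG = r"""
1|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|svchost.exe -k netsvcs
1|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|powershell -w hidden -enc SQBFAFgA
1|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe
1|C:\Windows\System32\cmd.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|cmd /c dir
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Hidden-window or encoded-command switches are typical of macro droppers but also of
# legitimate admin scripts, so they raise severity instead of deciding on their own.
SUSPICIOUS_ARGS = re.compile(r"(?i)(^|\s)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\b|nop\b|noni\b)")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line: str) -> Dict[str, str]:
    event_id, image, parent, cmdline = line.split("|", 3)
    return {"event_id": event_id, "image": image, "parent": parent, "cmdline": cmdline}

def classify(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert when an Office application spawns a shell, else None."""
    if ev["event_id"] != "1":  # only process-creation events carry a parent image
        return None
    parent, child = basename(ev["parent"]), basename(ev["image"])
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None
    severity = "high" if SUSPICIOUS_ARGS.search(ev["cmdline"]) else "medium"
    return {"rule": "office_spawns_shell", "severity": severity, "parent": parent, "child": child}

def scan(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every non-empty line and keep the alerts."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            alert = classify(parse_event(line))
            if alert:
                hits.append(alert)
    return hits

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the Word-to-PowerShell event with the hidden-window and encoded-command switches is rated high and the Excel-to-cmd event medium, while the Explorer-launched PowerShell is left alone.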
