Cyber attacks on healthcare facilities have been rising in recent years, and the pandemic has only worsened matters. With hospitals and other healthcare facilities struggling to keep up with the demand for care, they have become an easy target for cybercriminals. While this may seem like a small amount, it can be devastating for a hospital that is already stretched thin.
Research done by CyberPeace Foundation (CPF), Autobot Infosec Private Limited, along with the academic partners under CyberPeace Center of Excellence (CCoE), has found that nearly 1.9 million attack events have been recorded in 2022 till 28th November on the Healthcare based threat intelligence sensors network simulated by the research group in India.
The study is a part of CyberPeace Foundation’s e-Kawach program to implement comprehensive public network and threat intelligence sensors across the country to capture internet traffic and analyze real-time cyberattacks that a location or an organization faces. A credible intelligence on real-time threats empowers organizations or a Country to build cybersecurity policies.
“By deploying the simulated network, we can collect data on attack patterns, the different types of attack vector for the different protocols, and the recent trends of malicious activity,” – Spokesperson, CyberPeace Foundation added.
Trends noticed by the Research
Like any other critical infrastructure worldwide, the Indian Healthcare infrastructure is also vulnerable to cyber attacks involving state & non-state actors. The Healthcare based threat intelligence sensors network deployed by the CyberPeace Foundation, Autobot Infosec Private Ltd. with the CyberPeace Center of Excellence (CCoE) partners has seen a surge in the number of cyberattacks with 1846712 hits between January 2022 to November 28th 2022 from a total number of 41181 Unique IP addresses appearing from countries like Vietnam, Pakistan, China etc.
The vulnerable internet-facing systems having Remote Desktop Protocol (RDP), vulnerable SMB and Database services enabled, and old Windows server Platforms were mostly attacked. Attackers also tried to inject malicious payloads into the network. The deployed network has captured a total of 1527 unique payloads belonging to Trojan, Ransomware, etc.
Analysis of data has drawn the attention that attackers also tried to exploit DICOM/MYSQL/MSSQL protocols to access the sensitive patients data like medical images, diagnostic databases etc. DICOM is standard protocol used in most medical and healthcare facilities for the management and transmission of medical images and related data.
Research team noticed a massive brute force, dictionary attacks were performed against the protocols FTP, MYSQL and MSSQL using some common credentials like ‘root’, ‘ftp’, ‘admin’, ‘web’, ‘web!’, ‘qwerty’, ‘password1’, ‘sql2005’, ‘passw0rd’, ‘administrator’ etc. One new trend has been noticed that attackers are nowadays using long passwords, not usually mentioned in the English dictionary, for example ‘4yqbm4,m~!@~#$%^&*(),.;’ and ‘!@#$%^&*’. Some common FTP commands were also captured – “USER”, “PASS”, “PWD”, “CWD”, “PASV”, “STOR”, “PASV”, “STOR”, “PASV”, “STOR”, “PASV”, “STOR”, “PASV”, “STOR”, “PASV”, “STOR”, “TYPE”.
In an earlier report released in August 2022, CyberPeace of Foundation also mentioned that there has been an increase in the number of phishing/social engineering attacks on Indian organizations in the Healthcare business. CPF spokesperson drew attention to WhatsApp messages masquerading as an offer from Apollo Hospital with links luring unsuspecting users with the promise of medical subsidy presents making the rounds on the app.
Recently, news has been making the rounds on the internet that All India Institute of Medical Sciences (AIIMS), Delhi faced a Cyberattack probably with the injected Ransomware on their systems.
“Cyber criminals are taking advantage of the fact that healthcare organizations are under immense strain and are more likely to pay a ransom to get their systems up and running again. Organisations should ensure their systems are secured by reducing unnecessary data, improving the patch level of software, backup and restore procedures and auditing systems to build awareness of any threats,” – Spokesperson added.
The Advisory
Do not expose critical services unnecessarily to the internet.
Network firewalls should always be patched with the latest security updates.
Isolate the critical network from the public network.
Periodically perform technical audits of Healthcare Infrastructure Devices, networks and any other end-points directly or indirectly connected to it, to identify security concerns.
Run CyberAwareness Drive by Cyber Experts at regular intervals for the team.
Develop an R&D lab to enhance CyberSecurity skills among the employees.
Maintain strong Password Policy:
Use a strong password for all devices and online accounts.
Passwords should be at least 8-13 characters long.
Passwords should contain at least one upper case (A-Z), numeric character (0-9), and a special character (!@%&….).
Where possible it is recommended to use key based authentication along with passwords.
Do not use the same password for all your online accounts. All the passwords should be different for different versions.
Try avoiding a password that consists of dictionary words.
Stay away from Phishing links: Phishing is an attempt of social engineering techniques to inject malware or obtain sensitive information such as usernames, passwords, and credit card information by spreading fake links and pretending to be acting as a trustworthy entity. Please do not click on such links before verifying the authenticity of the same.
Never share or forward fake messages containing links to any social platform without proper verification.
For more details, reach out to us at [email protected].