Global Cybercrime Losses Surge to $12.5 Billion in 2023, FBI Reports

In April, the FBI released its annual Internet Crime Report, evaluating all complaints logged via its Internet Crime Complaint Center (IC3). The Bureau’s analysis revealed that losses connected to cybercrime complaints reached $12.5 billion in 2023. This figure represents a $2 billion increase from the previous year and more than triple the amount recorded in 2019, even though the number of complaints has not doubled in comparison to four years prior.

As illustrated in the accompanying chart from Statista, based on data from the report, reported cybercrime losses have increased significantly from 2021 onwards. While 2021 saw a year-over-year increase of roughly $700 million despite a surge in complaints, the jump in losses from 2021 to 2022 was markedly more pronounced. This trend suggests that criminals were able to extract larger sums of money per breach.

The majority of funds were lost due to investment fraud and hacked business email addresses. These two attack vectors accounted for around 60 percent of all reported stolen money. Although these figures are substantial, the actual numbers may be much higher since the FBI only analyzes cases reported through its platform.

The data also shows a clear bias in geographical distribution. The United States filed 521,652 complaints, while the United Kingdom filed 288,355. In the U.S., most complaints originated in California, Texas, and Florida. California also ranked first in terms of money lost, with $2.1 billion, representing 17 percent of the reported worldwide total. Besides the U.S. and the UK, Canada (6,601), India (3,405), and Nigeria (1,779) had the highest complaint prevalence.

The rising financial impact of cybercrime underscores the need for enhanced security measures and greater awareness to combat these threats effectively.

Michigan Pharmacies Unable to Fill Prescriptions Due to Cyber Attack

On May 8, 2024, Ascension, one of the largest health systems in the country, experienced a ransomware attack that has significantly impacted its operations nationwide. Ascension Michigan, a key entity within this system, announced on May 15 that the cyberattack has disrupted its retail pharmacies, preventing them from filling prescriptions.

Impact on Ascension Rx Pharmacies

Ascension Michigan’s retail pharmacies are currently unable to fill prescriptions due to the cyberattack. In a public release, Ascension advised patients to ask their doctors to send their prescriptions to alternative pharmacies while efforts are underway to restore their systems. For patients who cannot access another pharmacy and are running out of medication, Ascension Rx pharmacies may provide a short-term supply if patients bring their current prescription bottles.

Initially, Ascension Michigan attempted to manage the situation by filling prescriptions for those who brought their prescription bottles to the pharmacies. However, they faced additional challenges as they could not process credit card payments due to the ongoing system outages.

Scope of the Ransomware Attack

Ransomware attacks involve unauthorized parties gaining access to an organization’s cyber network, often encrypting data and demanding a ransom for its release. This attack has caused widespread disruptions across Ascension’s facilities in Michigan and beyond. The impact has necessitated a partial return to manual and paper-based patient documentation and records, particularly affecting pharmacies, emergency departments, physician offices, and diagnostic testing sites.

Ascension operates numerous pharmacies and healthcare facilities in southeast Michigan, including eight hospitals in key locations such as Novi, Rochester Hills, Southfield, Madison Heights, Warren, Detroit, East China Township, and Grand Blanc. Despite the attack, all hospitals and care sites remain open, although some are experiencing intermittent service disruptions.

Ongoing Challenges and Patient Advisories

Due to the reliance on manual systems, Ascension advises patients to bring detailed notes on their symptoms, lists of current prescriptions, or their prescription bottles to doctor appointments and elective surgeries. Most appointments are proceeding as scheduled, but patients will be notified directly if rescheduling is necessary.

For the latest updates, Ascension directs patients to their cybersecurity event page at https://about.ascension.org/cybersecurity-event/regional-pages/michigan. The organization has not provided a timeline for when all systems will return to normal operation.

Investigation and Data Security Concerns

Ascension is currently investigating whether patients’ personal information was compromised in the attack, with assistance from the FBI. Affected patients will be notified if their information has been breached. This proactive communication aims to maintain transparency and manage patient concerns regarding data security.

Future Outlook and Joint Venture

The cyberattack comes at a critical time for Ascension Michigan, as it is in the midst of a joint venture with Henry Ford Health. This venture will integrate Ascension’s eight southeast Michigan hospitals and an addiction treatment facility in Brighton into the Henry Ford Health system. Announced last fall, this partnership is expected to be finalized by summer 2024 and will operate under the Henry Ford Health brand. Despite the current cybersecurity challenges, the venture remains on track.

Conclusion

The ransomware attack on Ascension Michigan highlights the critical need for robust cybersecurity measures in the healthcare sector. As healthcare organizations increasingly rely on digital systems, they must prioritize protecting these systems from cyber threats. Patients and healthcare providers alike are reminded of the importance of preparedness and resilience in the face of such disruptive events.

An undocumented command in the MITRE ATT&CK Framework used for Remote System Discovery (tracert)

The MITRE ATT&CK Framework is becoming an excellent source for understanding adversary tactics and techniques. The framework lists native Windows tools and commands that adversaries use to perform many actions, including “Remote System Discovery” (T1018).

Mitre:
Examples of tools and commands that acquire this information include “ping” or “net view” using net. The contents of the C:\Windows\System32\Drivers\etc\hosts file can be viewed to gain insight into the existing hostname to IP mappings on the system.

2 Primary Tools used for Remote System Discovery:

  • ping
  • net

There is another method that is not well known to most folks but has been used by adversaries when ping & net are unavailable to them.

tracert (TraceRoute)
The TRACERT diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. (From Microsoft)

Slow but effective!


C:\Users\admin>ping 192.168.1.1
Access is denied.

C:\Users\admin>net view
Access is denied.

C:\Users\admin>tracert 192.168.1.1

Tracing route to 192.168.1.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.244.2
  2     1 ms    <1 ms    <1 ms  192.168.1.1

Trace complete.

C:\Users\admin>

The example above is from a system where the ping & net commands are prohibited, yet an adversary can still use the tracert command to find live hosts and help map out the network.
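Because blocking ping & net leaves tracert available, discovery detections should cover it as well. The following is an added example, not part of the original post: it flags an account that traces several distinct destinations in a short window. The event layout, host and user names, and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (such as Sysmon Event ID 1 or Security
# 4688 with command-line logging would give): time, host, user, command line.
SAMPLE_EVENTS = [
    ("2024-05-20T10:00:01", "WS-017", "admin", r"C:\Windows\System32\TRACERT.EXE 192.168.1.1"),
    ("2024-05-20T10:00:20", "WS-017", "admin", "tracert -d 192.168.1.2"),
    ("2024-05-20T10:00:41", "WS-017", "admin", "tracert -h 5 192.168.1.3"),
    ("2024-05-20T10:01:02", "WS-017", "admin", "tracert 192.168.1.4"),
    ("2024-05-20T11:30:00", "WS-042", "jsmith", "tracert www.example.com"),
    ("2024-05-20T14:10:00", "WS-042", "jsmith", "tracert 192.168.1.1"),
]

VALUE_OPTS = {"-h", "-j", "-w", "-s"}  # tracert options followed by a value


def tracert_target(cmdline):
    """Return the destination of a tracert command line, else None."""
    tokens = cmdline.split()
    image = tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""
    if image not in ("tracert", "tracert.exe"):
        return None
    target, skip = None, False
    for tok in tokens[1:]:
        if skip:
            skip = False  # this token is an option's value, not the target
        elif tok.startswith("-"):
            skip = tok.lower() in VALUE_OPTS
        else:
            target = tok
    return target


def find_tracert_sweeps(events, window=timedelta(minutes=5), min_targets=3):
    """Map (host, user) to the targets traced when >= min_targets fall in one window."""
    runs = defaultdict(list)
    for ts, host, user, cmdline in events:
        target = tracert_target(cmdline)
        if target:
            runs[(host, user)].append((datetime.fromisoformat(ts), target))
    alerts = {}
    for key, seen in runs.items():
        seen.sort()
        for start, _ in seen:
            hit = {t for when, t in seen if timedelta(0) <= when - start <= window}
            if len(hit) >= min_targets and len(hit) > len(alerts.get(key, ())):
                alerts[key] = sorted(hit)
    return alerts
```

Calling find_tracert_sweeps(SAMPLE_EVENTS) reports only WS-017/admin; the two isolated traces from WS-042 stay below the threshold.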