
Healthcare companies and hospitals under attack, what do we know?

by admin

In the last few hours the attacks on the ASL (the local health authorities) have been monopolizing the news, but in reality they are part of a dangerous trend that has been going on for months. The layman might think this is a strategy adopted by a malicious actor to bring essential services to their knees at a critical moment like the one we are living through; unfortunately, the reasons behind these failures are quite different. Without going too far back in time, let's focus on the events of the last few hours, starting with the attack on ULSS6 Euganea di Padova. Behind most of these attacks are groups that specialize in ransomware, and therefore have an unmistakable financial motivation.

The aim of these criminals is to hit as many infrastructures as possible and bend them to their economic demands after encrypting data and threatening to publish it if the victims do not pay. It must be said, however, that some gangs have always declared themselves against targeting healthcare organizations at a time when the world is confronting a pandemic that continues to keep us in check. Returning to ULSS6 Euganea di Padova, behind the attack we find one of the main ransomware gangs, known as LockBit 2.0.

The group released the health company's data over the weekend because the ransom was not paid. As in every double-extortion ransomware attack, once the intrusion has taken place a deadline is set, after which, if the victim does not pay, the stolen information is published on a site hosted on the Tor network. In the case of ULSS6 Euganea di Padova the payment deadline had been extended to January 18, but the criminal group, evidently certain that no deal would be reached, released the information over the weekend. The published folders, showing the dates of the alleged intrusion (6 and 7 December), are full of documents: according to the media, as many as 9,300 files of various types, such as Office and PDF documents.


The information they contain is of every kind, from the results of COVID-19 screening of medical staff to staff rosters and the pay slips of employees of the affected facility. The volume of patient information, including reports and diagnoses of various kinds, is also a concern. It must be said that the volume of information published is lower than expected, which may have two explanations: either the criminals believe that the publication can put a deal back on the table to avoid the release of the remainder, or the gang is already trying to sell the information on the numerous specialized underground forums.

But let's move on to another case, the attack on ASL Napoli 3 Sud, which I analyzed with my colleague Dario Fadda, cyber security expert and security blogger.

To date, the Campania ASL has not provided information about the type of attack suffered; the press releases that followed mentioned only serious problems caused by an IT intrusion. The disruption does appear to have been significant: the complex machinery for managing quarantines went haywire because the systems used to record swab results were unavailable, leaving many families locked in quarantine at home awaiting the swab result that would certify their recovery.

What could have happened? Many immediately thought of a ransomware attack, given the problems that followed the incident. On January 14 came the claim by a ransomware gang called Sabbath (54bb47h), which also published a sample as proof of the attack.

Once again we are faced with an archive full of sensitive data whose disclosure has serious repercussions on the privacy and security of users. A multitude of files that are sensitive for the privacy and health of citizens, as well as for the safety of the health facility itself, ended up in unauthorized hands. In the case of the Campania ASL, the attackers penetrated the IT infrastructure after compromising a technology service provider contracted by the Campania Region. This aspect is very worrying and brings to mind what happened to the Lazio Region last year: an attack on a service provider can have a dramatic impact on every other organization, public or private, that relies on it. In the case of ASL Napoli 3 Sud, the name of the supplier was not disclosed. Another technical detail that emerged after the claim concerns the targeted supplier's datacenter, where 42 servers hosting 240 virtual machines, containing the data of its customers, including ASL Napoli 3 Sud, were encrypted.

This infrastructure was protected by the Palo Alto Networks Cortex XDR product, evidently not properly configured. Going into the details of this second attack, the 1.5 GB archive released contains personal, non-work documents, citizen data saved in ordinary Excel files without any protection, information on bookings for medical visits, medical prescriptions, pay slips and a multitude of internal documents. For the more curious, I refer you to the detailed analysis of the contents released by the gang, published by Fadda on his blog.

All this data sat on individual workstations at the mercy of anyone, evidence of low awareness of cyber threats and cyber risks. The involvement of a third-party service provider highlights the importance of securing the entire supply chain. This attack could have repercussions on various organizations that are obviously easy targets because of the poor security measures in place. Unfortunately, the problem lies in the management of most healthcare facilities, which often have neither an IT expert nor a CISO entrusted with the task of securing the infrastructure. Healthcare systems are an easy target for criminal groups, who manage to monetize their efforts in a number of ways, from ransomware attacks to the resale of information on the dark web. As we said at the beginning, this is not a targeted strategy: very often health facilities are easily identifiable online thanks to broad, indiscriminate scans conducted by criminal groups in search of vulnerable systems exposed on the net.

It is equally simple to find, in the many archives circulating on hacking forums, the data of the personnel of these organizations, information that can be used to access their systems. The attractiveness of the health sector is confirmed by the Clusit 2021 Report, drawn up annually by the Italian Association for Information Security, according to which attacks on the health sector increased by 19% in the period January-June 2021. According to Clusit, this is the sector most affected globally after the Public Administration.

Are we really going to stand by and watch? Obviously not. The national agencies in charge of cyber defense are in full swing and it is a race against time, but a change of approach to security by public bodies and private organizations is necessary. I will never tire of emphasizing that spending on security is an investment, not a cost to be cut.

