Criminals have always taken advantage of favorable conditions. Nature, with its elementary but timeless rules, teaches that the predator relies on two things: its own dexterity and its prey's vulnerability. The same holds, outside the metaphor, for cybercriminals. During the Covid pandemic, a period of extreme and unprecedented collective vulnerability, cyber attacks increased exponentially; where the target of the malicious attack was a health care agency, the attacker was able to exploit a unique set of vulnerabilities.
Health care agencies had to cope with “a sudden change in the organization of everyday work activities, introducing new tools (e.g., VPN) on a generalized basis to allow, on the one hand, the possibility of smart and remote working, and, on the other hand, seamlessly enabling the performance of tasks in favor of the very high number of individuals impacted by the virus.”
The case that is the subject of this article (see the decision of the Italian Data Protection Authority of September 28, 2023, Doc. Web no. 9941232) is a symptomatic example from which insights can be drawn to better calibrate one's defenses against data breach scenarios.
A local health care agency suffered a ransomware attack that resulted in a serious impact on its operational activities.
Taking advantage of stolen user credentials posted on the dark web, the attackers carried out a series of unauthorized logins, via VPN from foreign IP addresses, to the agency's internal network and, soon after, elevated their privileges to those of system administrators. The compromise of the passwords was facilitated by the policy under which they had been created in Microsoft Active Directory: at least 8 characters, mandatory presence of uppercase, lowercase and numeric characters, and automatic expiration after a fixed period from issuance.
Obtaining credentials with the system administrator profile enabled the criminals to open new access routes and deploy remote command-and-control tooling (Cobalt Strike). They then carried out a massive collection of documents and data residing on employee devices, which were subsequently exfiltrated (so-called harvesting or data extraction).
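The attack chain described above (VPN logins from foreign IP addresses with a valid user account, followed shortly by elevation to administrator) is one that a defender can look for in authentication logs. The following Python script is an added example written for this article, not material from the DPA decision or the agency involved: the log format, the field names, the `ALLOWED_COUNTRIES` allow-list and the two-hour correlation window are assumptions, and the log lines are constructed for illustration.

```python
"""Correlate VPN logins from unexpected countries with privilege changes
on the same account shortly afterwards.

Added example for the article; log format and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Assumed format, one event per line:
#   timestamp|event_kind|user|source_ip|country|detail
# "XX" stands for a country outside the agency's expected footprint.
SAMPLE_LOG = """\
2023-03-01T22:14:05|vpn_login|m.rossi|203.0.113.7|XX|success
2023-03-01T22:20:41|vpn_login|m.rossi|203.0.113.7|XX|success
2023-03-01T23:02:10|group_change|m.rossi|-|-|added_to:Domain Admins
2023-03-02T08:30:00|vpn_login|l.bianchi|198.51.100.4|IT|success
2023-03-02T09:15:00|group_change|a.verdi|-|-|added_to:Backup Operators
"""

ALLOWED_COUNTRIES = {"IT"}          # assumption: staff connect only from Italy
ESCALATION_WINDOW = timedelta(hours=2)  # assumption: how soon after login to look


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    src_ip: str
    country: str
    detail: str


def parse_log(text):
    """Parse the pipe-separated log into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip, country, detail = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), kind, user, ip, country, detail))
    return sorted(events, key=lambda e: e.ts)


def flag_foreign_logins(events):
    """Successful VPN logins whose geolocated country is not on the allow-list."""
    return [
        e for e in events
        if e.kind == "vpn_login" and e.detail == "success"
        and e.country not in ALLOWED_COUNTRIES
    ]


def correlate_escalation(events, window=ESCALATION_WINDOW):
    """Pair each foreign VPN login with any group change on the same account
    inside the window. One finding per (user, change time); the earliest
    foreign login is kept because events are processed in time order."""
    findings = {}
    for login in flag_foreign_logins(events):
        for e in events:
            if (e.kind == "group_change" and e.user == login.user
                    and login.ts <= e.ts <= login.ts + window):
                findings.setdefault((e.user, e.ts), {
                    "user": e.user,
                    "first_foreign_login": login.ts.isoformat(),
                    "login_country": login.country,
                    "source_ip": login.src_ip,
                    "escalation": e.detail,
                    "escalation_at": e.ts.isoformat(),
                })
    return list(findings.values())


if __name__ == "__main__":
    for finding in correlate_escalation(parse_log(SAMPLE_LOG)):
        print("ALERT foreign login followed by privilege change:", finding)
```

The single foreign login on its own is already worth a look; the correlation with a group change on the same account is what turns it into the "quantum leap" from user to administrator that the article describes, and is the event to alert on with priority.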
CONSIDERATIONS: It is well established that cyber criminals attack those with the greatest vulnerabilities: this lets them spend fewer resources for the same result, not unlike what occurs in nature between predator and prey. In most cases, the breach is triggered by the misuse of an ordinary user's credentials, acquired through phishing or (as in this case) bought cheaply on the dark web. Access to the victim's internal network is the preparatory step for the "quantum leap" in which the attacker's role changes from mere "user" to "Administrator," either by illicitly acquiring privileged credentials or by directly elevating the initial privileges. Having done so, the attacker can aspire to control the network, often operating for extended periods without interference. Compliance with the provisions of the Italian Data Protection Authority's 2008 and 2009 measures on system administrators [Doc. Web No. 1577499 and Doc. Web No. 1626595] is a good safeguard against such occurrences.