Original research from CybelAngel takes a look at how cybercriminals plan healthcare-related fraud, ransomware and other attacks by obtaining stolen credentials, leaked database files and other materials from specialized sources in the cybercrime underground. In the new paper, “Healthcare Data Actively Targeted and Sold on the Dark Web,” Analysts describe how the ongoing COVID-19 pandemic’s strain on hospitals, coupled with the healthcare industry’s porous cybersecurity defenses, give criminals ample ability and resources to methodically launch lucrative intrusions jeopardizing patient safety.

“While the volume and stakes of these attacks can feel overwhelming, our research shows that sealing off a few specific types of exposed data could have a meaningful effect by disrupting the supply chains adversaries rely on to execute these attacks," said Camille Charaudeau, Vice President of Product Strategy at CybelAngel.

A few key findings from the research include:

• Open databases mean hospitals often leak the data used against them: In underground forums, analysts observed savvy brokers amassing lists of open, exposed databases inside healthcare organizations, which they seek to monetize by selling to attackers and other parties. Exposed databases can lie in on-premises servers and connected specialty equipment, or exist in SaaS or other cloud-based platforms where misconfigurations or poor access controls leave data and network inroads visible.
• Attackers combine credential-stuffing with third-party access to beat detection: The ongoing SolarWinds breach response is a reminder that privileged third-party software and partners are effective ways to bypass victims’ otherwise rigorous security controls. The same holds true for healthcare sector threats. The research includes screenshots and detail of reputedly well-connected actors selling a file containing thousands of employee credentials from “a company that works with many (if not all) hospitals.” Many breaches and ransomware attacks are traced back to compromises of third-parties the healthcare sector relies on for software, tech support, billing, and data reporting. It only takes victimizing one service provider to access or ransom many of their downstream customers.
• Sharing medical records comes at the cost of control: The proliferation of cheap network-attached storage and other high-capacity devices means that both authorized and hidden, shadow IT systems alike are discoverable by bad actors and leave millions of sensitive health records in the public domain. A common example in CybelAngel’s latest research is a vetted actor’s offering “500,000 French hospital records” on an underground marketplace. Analysts examined disclosed portions of the records and assesses them to be likely authentic. While not referencing COVID-19, the stolen records list personally identifiable information (PII) for patients and their relationships with specific physicians, nurses and pharmacies, making the cache potentially useful for fraud or refining social-engineering themes used for phishing and ransomware.