Health-ISAC Heartbeat flags surge in ransomware, VPN exploits across healthcare systems - Industrial Cyber
A continuing trend of cybersecurity incidents and data breaches impacting health sector organizations over the past year has been disclosed in the First Quarter 2025 Health-ISAC Heartbeat. While ransomware events saw a slight decrease in the third quarter of 2024, they continued to trend upward through the fourth quarter and into the first quarter of this year. VPN provider vulnerabilities and compromised credentials remained a consistent theme that created risk for organizations.

Health-ISAC provided 220 Targeted Alerts to specific Health-ISAC member organizations with potentially vulnerable infrastructure to help teams mitigate actively exploited vulnerabilities.

In the first quarter of 2025, the health sector reported 158 ransomware attacks, a slight increase from 154 in the fourth quarter of 2024, underscoring the persistent and growing threat landscape highlighted in the latest Health-ISAC Heartbeat. This continues the upward trend observed since the third quarter of 2024, which recorded 109 incidents following a temporary dip from 119 attacks in the second quarter. These 158 incidents in the first quarter accounted for approximately 6.5 percent of the 2,429 ransomware attacks reported across all sectors during the same period.

Since 2021, Health-ISAC has tracked a total of 23,606 breaches across sectors, with the health sector alone accounting for 1,370 of those breaches, or 5.8 percent of the overall total. The vast majority of ransomware incidents in Q1 2025 targeted entities in the Americas, which accounted for 80.6 percent of impacted organizations, followed by the EMEA region at 11.5 percent and APAC at 7.9 percent. These figures reflect the persistent and evolving cyber threat landscape confronting the global health sector.

The First Quarter 2025 Health-ISAC Heartbeat provides observations of ransomware, cybercrime trends, and malicious actor forum postings that could potentially impact health sector organizations.

Health-ISAC's Targeted Alerts warn organizations of high risks specific to their network, including vulnerable servers, cybercriminals selling access to their networks, stolen intellectual property, and compromised credentials. In 2024, Health-ISAC sent 748 Targeted Alerts to member organizations. The most common themes included open and exposed databases, remote access tools, potentially vulnerable BeyondTrust instances, and a critical authorization bypass vulnerability announced for Next.js middleware.

The Health-ISAC Heartbeat identified that on March 28 this year, Health-ISAC, in cooperation with intelligence partners, was notified of several potentially vulnerable BeyondTrust instances within many member organizations' environments. The potentially vulnerable versions of BeyondTrust Privileged Remote Access (PRA) or Remote Support (RS) were detected within many member environment footprints, potentially leaving the company's network open to attack or exploitation by malicious actors.

Health-ISAC delivered 62 Targeted Alerts about potentially vulnerable BeyondTrust instances during the first quarter of 2025. These alerts triggered investigations by member organization teams to determine the version in use and patch any vulnerable systems. Health-ISAC published a Threat Bulletin with additional information about this actively exploited vulnerability.

Around the same time, Health-ISAC, in cooperation with intelligence partners at BlueVoyant, was notified of several potentially vulnerable Next.js interfaces within Health-ISAC member organizations' environments. Health-ISAC lacks visibility into the specific version of Next.js running within member environments; teams that received alerts must investigate the current version to determine whether patching is required or has already occurred.

Posing a significant potential risk to the health sector, the Health-ISAC Heartbeat reported that the vulnerability affects Next.js versions 11.1.4 through 13.5.6, all 14.x versions before 14.2.25, and all 15.x versions before 15.2.3.
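Because the report stresses that each alerted team has to confirm which Next.js version is actually running, the following script is added here as an illustration; it is not part of the Health-ISAC report, this article, or the Next.js project. It encodes the three affected ranges stated above and classifies the `next` version resolved in a project's package-lock.json. The function names, the lockfile layout it reads (the `packages` map keyed by install path that lockfileVersion 2 and 3 write, with a fallback to the older `dependencies` map) and the sample lockfile are assumptions; the version ranges are the ones the report gives.

```python
"""Classify a Next.js version against the affected ranges the Health-ISAC
alert names: 11.1.4 through 13.5.6, 14.x before 14.2.25, 15.x before 15.2.3.
The ranges come from the article; function names, lockfile handling and the
sample lockfile below are illustrative assumptions."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

LEGACY_LOW: Version = (11, 1, 4)    # oldest affected release
LEGACY_HIGH: Version = (13, 5, 6)   # newest affected 13.x release
FIXED_14: Version = (14, 2, 25)     # first fixed 14.x release
FIXED_15: Version = (15, 2, 3)      # first fixed 15.x release

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([-+].*)?$")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for a concrete release string.

    Returns None for range specifiers such as "^14.2.0" and for prerelease or
    build-tagged strings ("15.2.3-canary.4"), which need manual review rather
    than a mechanical verdict."""
    m = _VERSION_RE.match(text.strip())
    if not m or m.group(4):
        return None
    major, minor, patch = m.group(1, 2, 3)
    return (int(major), int(minor), int(patch))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if it is a
    fixed or out-of-range release, None if it cannot be judged."""
    v = parse_version(text)
    if v is None:
        return None
    if LEGACY_LOW <= v <= LEGACY_HIGH:
        return True
    if v[0] == 14:
        return v < FIXED_14
    if v[0] == 15:
        return v < FIXED_15
    return False


def check_lockfile(lock_json: str) -> dict:
    """Find the resolved 'next' version in a package-lock.json and classify it.

    lockfileVersion 2/3 keeps resolved packages under "packages" keyed by
    install path; lockfileVersion 1 keeps them under "dependencies"."""
    data = json.loads(lock_json)
    entry = data.get("packages", {}).get("node_modules/next")
    if entry is None:
        entry = data.get("dependencies", {}).get("next")
    if entry is None:
        return {"version": None, "affected": None}
    version = entry.get("version", "")
    return {"version": version, "affected": is_affected(version)}


# Constructed sample lockfile fragment, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "patient-portal",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "^14.2.0"}},
        "node_modules/next": {"version": "14.2.20"},
    },
})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
    for candidate in ("13.5.6", "13.5.7", "14.2.25", "15.2.2", "^15.0.0"):
        print(candidate, is_affected(candidate))
```

A manifest range such as `^14.2.0` deliberately yields no verdict: the point the report makes is that the version actually deployed must be confirmed, so run the check against the lockfile or the `node_modules/next/package.json` of the running build, not against package.json.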
Health-ISAC delivered 33 Targeted Alerts for potentially vulnerable Next.js middleware instances. These alerts were delivered because the health sector relies on web applications for patient portals, administrative dashboards, and other critical services.

The report also identified that threat actors frequently advertise stolen data or access to organizations' systems for sale on various underground forums. In some cases these posts reveal the names of organizations allegedly breached; in other instances the threat actors conceal the victims' identities and instead provide details such as the company's revenue or sector to indicate the value of the data being auctioned. Payment is typically demanded in a selected cryptocurrency, and sometimes these transactions are facilitated by middlemen such as forum administrators.

Often threat actors share a sample of the stolen data to demonstrate its legitimacy; however, there are rarely any details regarding the origin of the data.

In the first quarter of this year, the Health-ISAC Heartbeat said, there were multiple cases where threat actors tried to sell alleged stolen data that could have potentially impacted the health sector.

In March, a threat actor under the MIYAK000 handle posted an offer on BreachForums to sell compromised VPN access to an undisclosed US-based surgery center. The actor revealed to a private sensitive source that the alleged impacted victim organization was Bradenton Surgery Center (bradentonsuregerycenter.com).

Subsequently, the actor using the MIYAK000 handle posted an offer on BreachForums to sell compromised network access to an undisclosed US-based medical revenue cycle management organization. The actor revealed to a private sensitive source that the alleged impacted victim organization was Health Services Integration (hsihealth.com).

The Health-ISAC Heartbeat identified INC Ransomware, also known as GOLD IONIC, as a sophisticated ransomware-as-a-service operation active since at least July 2023. The group is particularly notorious for targeting high-value industries, with a significant focus on the health sector. Its operations are characterized by precision targeting, leveraging advanced tactics, techniques, and procedures (TTPs) to maximize impact and extort substantial ransoms.

Health sector organizations are prime targets for INC Ransomware due to the critical nature of their operations and the high value of medical data. The group exploits the sector's reliance on legacy systems, limited cybersecurity budgets, and the critical need for operational continuity.

The key impacts of INC Ransomware attacks on the health sector include significant operational disruption, as the encryption of critical systems results in downtime that delays patient care and medical procedures. These attacks also lead to data breaches involving the theft of sensitive patient information such as medical records, which are highly sought after on the cybercriminal market. Additionally, affected organizations face substantial financial losses due to ransom payments, legal expenses, regulatory fines, and long-term reputational damage.

The Health-ISAC Heartbeat offered several recommendations to strengthen cybersecurity across the healthcare sector. Organizations are urged to patch all vulnerable devices promptly and maintain up-to-date data backups. Raising employee awareness through continuous security training is essential. Network segmentation should be implemented, along with strict internet access and network controls.

These organizations must also deploy endpoint protection tools and enforce phishing-resistant multifactor authentication. Regular security audits and backup testing and verification should be conducted to ensure resilience. Continuous monitoring for suspicious activity is critical, and organizations should develop detailed incident response plans to maintain business continuity in the event of a cyberattack.

Last month, researchers from Forescout Technologies highlighted a troubling surge in the frequency and impact of data breaches, with organizations of all sizes and across every industry under growing threat. Ransomware dominates as the leading cause, trailed by third-party compromises and phishing attacks. Healthcare organizations were hit especially hard, as nearly half of all breaches affecting more than 5,000 individuals in 2024 targeted the healthcare sector. The report identifies healthcare, financial services, and professional services as the three most heavily affected industries.