Omer Dembinsky

Researchers at internationally renowned cyber-security vendor, Check Point have reported a surge in cyber-attacks targeting healthcare organizations across the globe. Since the beginning of November 2020, researchers have documented a 45% increase in cyber-attacks targeting healthcare organizations worldwide, placing the healthcare sector at the top of the hit list for cyber criminals, when compared to all other industries. Surge in cyber-attacks on the healthcare sector The surge in cyber-attacks on the healthcare sector was double the increase in cyber-attacks on all other industries during the same time period, as researchers marked only a 22% increase in attacks on all other sectors outside of healthcare. The increase in cyber-attacks involves a range of attack vectors, including ransomware, botnets, remote code execution and DDoS attacks. Ransomware showed the largest increase and poses as the most significant malware threat to healthcare organizations, when compared to other industry sectors. Cyber-attacks in global regions Cyber-attacks on the global healthcare sector are simply getting out of control" The surges in cyber-attacks on healthcare organizations occurred mostly in Central Europe (+145%), followed by East Asia (+137%), Latin America (+112%), Europe (67%) and North America (37%). As for specific countries, Canada experienced the most dramatic increase with over a 250% uptick in attacks, followed by Germany with a 220% increase. Spain saw a doubling in ransomware attacks on its healthcare sector. Omer Dembinsky, Manager of data intelligence at Check Point said, “Cyber-attacks on the global healthcare sector are simply getting out of control. This is because targeting hospitals equates to fast money for cyber criminals. These criminals view hospitals as being more willing to meet their demands and actually pay ransoms. Hospitals are completely overwhelmed with rises in coronavirus (COVID-19) patients and recent vaccine programs, so any interruption in hospital operations would be catastrophic.” Rise in ransomware attacks Omer adds, “This past year, a number of hospital networks across the globe were successfully hit with ransomware attacks, making cyber criminals hungry for more. Furthermore, the usage of Ryuk ransomware emphasizes the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign, which allows the attackers to make sure they hit the most critical parts of the organization and have a higher chance of getting their ransom paid.” Security tips for healthcare organizations to counter cyber-attacks: Look for Trojans – Ransomware attacks don’t start with ransomware. Ryuk and other types of ransomware exploits usually start with an initial infection with a Trojan. Often this Trojan infection occurs days or weeks before the ransomware attack starts, so security professionals should look out for Trickbot, Emotet, Dridex and Cobalt Strike infections within their networks and remove them using threat hunting solutions, as these can all open the door for Ryuk ransomware attacks. Raising guard on weekends and holidays – Most ransomware attacks over the past year have taken place over the weekends and during holidays, when IT and security staff are less likely to be working. Use anti-ransomware solutions – Although ransomware attacks are sophisticated, anti-ransomware solutions with a remediation feature are effective tools that enable organizations to revert back to normal operations in just a few minutes, if an infection takes place. Educate employees about malicious emails – Training users on how to identify and avoid potential ransomware attacks is crucial. As many of the current cyber-attacks start with a targeted phishing email that does not even contain malware, just a socially-engineered message that encourages the user to click on a malicious link, or to supply specific details. User education to help identify these types of malicious emails is often considered one of the most important defenses an organization can deploy. Patch virtually – The federal recommendation is to patch old versions of software or systems, which could be impossible for hospitals as in many cases, systems cannot be patched. Therefore, it is recommended using Intrusion Prevention System (IPS) with virtual patching capability to prevent attempts to exploit weaknesses in vulnerable systems or applications. An updated IPS helps organizations stay protected.

Security researchers at Check Point have seen a global increase in cyber-attacks against education and research institutions, after conducting a research study on organizations in the USA, Europe and Asia regions. The USA saw the highest increase in education- and research-related attacks, according to Check Point researchers. In July and August 2020, the average number of weekly attacks per organization in the USA education sector increased by 30%, from 468 cyber-attacks to 608, when compared to the previous two months. Cyber-attacks targeting all other sectors increased by only 6.5%. The primary attack method against the USA education is distributed denial-of-service (DDoS) attacks. A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A recent example involved a teen hacker in Florida who paralyzed the nation’s largest school districts for its first three days of virtual classes. Information disclosure attempts In Europe, there was also a substantial increase in the number of cyber-attacksIn Europe, there was also a substantial increase in the number of cyber-attacks, noticeably in the form of information disclosure attempts. The average number of weekly attacks per organization in the European academic sector in July-August increased by 24% from 638 to 793 in the previous two months. The general increase in the number of attacks against all other sectors in Europe was just 9%. Information disclosure attempts are a type of attack aimed at acquiring system specific information about a web site, including software distribution, version numbers and patch levels. The acquired information might also contain the location of backup files or temporary files. Most web sites will disclose some amount of information. The more information that an attacker learns about a web site, the easier the system will be to compromise. Asian education sector In Asia, the increase in attacks was seen mainly in several types of vulnerability exploits: Denial of Service, Remote Code Execution and Information Disclosure. During July and August 2020, the average weekly attacks per organization in the Asian education sector increased by 21%, from 1322 to 1598, when compared to the previous two months. The general increase in the number of attacks against all sectors in Asia was only 3.5%. Targeting virtual classes I strongly urge students, parents and institutions to be extra careful these next few months" Omer Dembinsky, Manager of Data Intelligence at Check Point said:  “The coronavirus pandemic has forced the transition to remote work and remote learning. These attack numbers show an ominous trend:  hackers are eyeing students returning to virtual classes as easy targets. These attacks can include malicious phishing emails, “Zoombombs” and even ransomware. The recent cyber attack on the Miami-Dade public school system is just one example. Human beings are always the weakest link when it comes to cyber security. I strongly urge students, parents and institutions to be extra careful these next few months, as I believe the attack numbers and methods will only get worse. As remote learning stays, hackers also stay.” Check Point researchers have provided the following security tips for students, parents and schools: Tips for Students Cover one’s webcam. Turn off or block cameras and microphones when class is not in session. Also, be sure that no personal information is in the camera view. Only click on links from trusted sources. When in the remote school collaboration platform, only click on links that are shared by the host or co-hosts, when directed to do so. Login directly. Always be sure to log in directly to one’s schools’ remote school portals; do not rely on email links, be aware of lookalike domains on public tools. Use strong passwords. Hackers often attempt to crack passwords, especially short and simple ones and adding complexity into one’s password prevents that. Never share confidential information. Students should not be asked to share confidential information via online tools. They should keep all personal information off cloud storage platforms. Tips for Parents Talk to one’s kids about phishing. Teach one’s children to never click on links in email messages before they first check with oneself. Call out cyberbullying. Explain to one’s children that hurtful comments or pranks delivered online are not OK. Tell them that they should immediately come to you if they experience or see someone else experience cyberbullying. Explain that devices should never go unattended. Your kids will need to understand that leaving a device for unwanted hands can be detrimental. Hackers can login to one’s devices assume one’s child’s identity online. Set parental controls. Set the privacy and security settings on websites to one’s comfort level for information sharing. Increase awareness. Cybersecurity literacy is an important skill set, even for the youngest schoolchildren. Invest the time, money and resources to ensure one’s child is aware on cyber security threats and precautions. Tips for Schools Get anti-virus software. Make sure one’s children’s laptops and other devices are protected by antivirus software prevents them from accidentally downloading malware. Turn on automatic updates for that anti-virus software. Establish a strong online perimeter. Schools should establish strong boundary firewalls and internet gateways to protect school networks from cyber-attacks, unauthorized access and malicious content. Check third party providers thoroughly. Schools should ensure they vet thoroughly all third party platform providers they use. Monitoring the system, constantly. Schools must monitor all of their systems continuously and analyze them for unusual activity that could indicate an attack. Invest in online cyber security education. Ensure that members of staff understand the risks. Conduct regular sessions for students so they are aware of the latest cyber security threats.    

In the past three two weeks, Check Point researchers have documented an average of 192,000 Coronavirus-related cyberattacks per week, marking a 30% increase compared to previous weeks. Researchers found that a majority of these attacks start with phishing emails in which criminals impersonate the WHO, United Nations, Zoom, Microsoft or Google to try and trick users into clicking on links or opening infected documents. High rate of malware attacks The World Health Organization’s name and logo is a popular choice for hackers to impersonate The World Health Organization’s name and logo is a popular choice for hackers to impersonate. Recently, cyber criminals sent malicious emails posing as the WHO from the domain ‘who.int’ with the email subject ‘Urgent letter from WHO: First human COVID-19 vaccine test/result update’ with a malicious document attached.  The document contained the infamous Agent Tesla malware, a password stealing program that comes with a key logger for hackers to gather usernames and passwords from a victim’s device. Victims who clicked on the file ended up downloading the malware. In addition, Check Point researchers found two examples of extortion emails allegedly sent by the United Nations (UN) and WHO that requested for funds to be sent to compromised bitcoin wallets. Zoom-like fake domain registrations In the last 3 weeks, around 2,449 new Zoom-related domains were registered, in which 1.5% were malicious (32) and 13% suspicious (320). Since January 2020 to date, a total of 6,576 Zoom-like domains have been registered globally.  This means that nearly 37% of Zoom-related domains were registered in the last 3 weeks alone, since the advent of coronavirus pandemic. Both Microsoft Teams and Google Meet are also being used to lure people into traps. Recently, many victims fell prey to phishing emails that came with the subject ‘You’ve been added to a team in Microsoft Teams’. The emails contained a malicious URL and victims ended up downloading malware when clicking on the ‘Open Microsoft Teams’ icon that led to this URL. Researchers also found fake Google Meets domains which were first registered on April 27, 2020. The link did not lead victims to an actual Google website. Coronavirus-related domain registrations In the past three weeks, almost 20,000 (19,749) new Coronavirus-related domains were registered, of which 2% of these domains are malicious (354) and another 15% are deemed suspicious (2,961). Since the beginning of the outbreak, a total of 90,284 new Coronavirus-related domains have been registered globally. Hackers have gone into over-drive to take advantage of the Coronavirus pandemic" Check Point’s Manager of Data Research, Omer Dembinsky said, “We’ve noticed a change in criminals’ tactics over the last three weeks. Hackers have gone into over-drive to take advantage of the Coronavirus pandemic. If you unpack these latest cyberattacks, the theme of impersonation is a clear and strong one, especially using the WHO, the UN and Zoom as a cover for phishing”. Omer adds, “For example, the number of Zoom-like domain registrations in the past three weeks alone is staggering. More than ever, it is important to beware of lookalike domains and to be extra cautious of unknown email senders.” Themes and trends of Coronavirus-related domain registrations As researchers analyzed the new Coronavirus-related domains registered, they observed that the domains reflected the chronology of different stages of the pandemic outbreak. At the beginning of the outbreak, domains related to live maps (tracking geographic areas that saw a rise in coronavirus cases) were very common, as well as domains related to coronavirus symptoms. Towards the end of March, the focus shifted to relief packages and stimulus payments due to the economic plans executed by several countries. Post March, domains related to life after the coronavirus became more common, as well as domains about a possible second wave of the virus. Along the entire pandemic timeframe, domains related to tests kits and vaccines remain very common, with slight increases as time goes on. To stay safe, Check Point recommends the following guidelines: Beware of lookalike domains. Watch for spelling errors in emails or websites, and unfamiliar email senders. Beware of unknown senders. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action one would not usually do. Use authentic sources. Ensure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page. Beware of ‘special’ offers. ‘An exclusive cure for Coronavirus for US$ 150’ is usually not a reliable or trustworthy purchase opportunity. At this point of time there is no cure for the coronavirus and even if there was, it definitely would not be offered to one via an email. Do not reuse passwords. Make sure one does not re-use passwords between different applications and accounts.