CISO lessons from the Clop ransomware attack targeting healthcare data  

The recent Clop ransomware attack exploited a zero-day vulnerability in GoAnywhere MFT to breach the data of more than 130 healthcare organisations. Here, Shankar Somasundaram, CEO of Asimily, addresses this breach and how companies in this sector can better protect themselves so something like this doesn’t happen again.  

The high-profile Clop ransomware attack is a particularly urgent reminder of the risks that CISOs and their teams must navigate in securing against a never-ending wave of threats. While the most recent Clop headlines have focused on the healthcare industry, the security takeaways are largely applicable across industries.  

A vulnerability in the widely used GoAnywhere MFT’s administrator console allowed attackers to gain access without proper authentication. Worse, more than 1,000 administrator ports have been exposed to the open Internet. These open ports can reveal information on the services running – such as FTP, a critical piece of software that many organisations use to transfer data internally – through the banner information that they publish. For this reason, attackers are constantly prodding available open ports in an attempt to run exploits against them. While Shodan brought these risks to light in a big way more than a decade ago, many healthcare organisations still do not look at their own exposure carefully. By combining the old techniques of looking for open ports, deriving some asset information from them and running different kinds of exploits against them, the Clop ransomware attack succeeded in exploiting that vulnerability.  

The Clop ransomware attack has healthcare organisations using GoAnywhere MFT thoughtfully considering their next actions and examining their data breach and system lock-out risks. 

Security leaders must pursue careful countermeasures 

For those at risk from the GoAnywhere MFT software vulnerability, there are a few key steps to take. Mitigation should begin with immediate software patching and ensuring that all open ports to the Internet are blocked. Healthcare organisations should also isolate all the systems the software was running on and operate on the assumption that those systems have been breached. Security and IT teams should then run forensic analysis on those systems and then image them. It’s important to be careful here, however, since re-imaging a system does not always remove every trace of certain attacks. A particularly thorough inspection is crucial to eliminating risks.  

Any systems connected to those potentially affected systems must also be evaluated. This requires pulling together and examining logs from various systems, such as network appliances, SIEMs, endpoint agents and more. Additionally, organisations should enable continuous monitoring to identify any abnormal activity in the network and catch anything that might have been missed. 
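As an added example (not from the article or from Asimily), this is the kind of check a log review for the scenario above might apply: it flags administrator actions that arrive from outside the trusted management ranges, or that occur in a session with no preceding successful login, which is what unauthenticated access to an admin console would look like in the console's own logs. The log format, session ids, addresses and trusted ranges are all constructed for the example.

```python
import ipaddress
import re

# Constructed, simplified admin-console log lines (not GoAnywhere's real format;
# sessions, users and addresses are made up for this example).
SAMPLE_LOGS = """\
2023-02-01T09:00:01 session=a1 src=10.20.5.17 event=login user=admin result=success
2023-02-01T09:00:09 session=a1 src=10.20.5.17 event=admin_action action=list_users
2023-02-01T09:14:33 session=b7 src=203.0.113.45 event=admin_action action=create_user
2023-02-01T09:14:41 session=b7 src=203.0.113.45 event=admin_action action=upload_file
2023-02-01T10:02:00 session=c3 src=10.20.5.90 event=admin_action action=change_config
"""

# Address ranges from which console administration is expected (an assumption
# for the example; an organisation would substitute its own management networks).
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"(?P<ts>\S+) session=(?P<session>\S+) src=(?P<src>\S+) event=(?P<event>\S+)(?P<rest>.*)")

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def is_trusted(src):
    """True if the source address falls inside a trusted management range."""
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)

def find_anomalies(log_text):
    """Return (timestamp, session, source, reasons) for every administrator action
    that came from an untrusted source or from a session with no prior login."""
    authenticated = set()
    findings = []
    for rec in parse(log_text):
        if rec["event"] == "login" and "result=success" in rec["rest"]:
            authenticated.add(rec["session"])
        elif rec["event"] == "admin_action":
            reasons = []
            if not is_trusted(rec["src"]):
                reasons.append("external_source")
            if rec["session"] not in authenticated:
                reasons.append("no_prior_login")
            if reasons:
                findings.append((rec["ts"], rec["session"], rec["src"], reasons))
    return findings
```

Run against the sample, session b7 is flagged on both counts and session c3 for acting without any recorded login; session a1 is clean.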

Zero-day vulnerabilities are rapidly increasing  

Last year, Mandiant found that 40% of all zero-day attacks in the previous ten years occurred in 2021 alone. It’s a safe bet that a new report will soon confirm 2022 as a record-breaking year for zero-day threats as well. More zero-day vulnerabilities are being recognised now than ever before, and it will only get worse as new exploits get released. With the corresponding increase in black market Exploit-as-a-Service offerings, attackers are multiplying and are easily equipped to leverage zero-day vulnerabilities. 

Identifying and managing zero-day threats 

To mitigate zero-day risks, healthcare organisations should begin by comprehensively studying their inventory: devices, services, applications, connectivity, etc. Understanding those assets is the first requirement for securing them. 

Organisations then need to understand the potential attack vectors in their environment. Open ports communicating externally, unsecured running services and employees’ dangerous behaviour are all important risk vectors to identify and address. Because these threats change across devices, across healthcare facilities and over time, organisations should automate exploit analysis to better understand the paths that attackers could take to compromise their environments. The same attack paths are often reused over and over again, even while the underlying application or service exploited is different. A clear, predetermined strategy and process for regular system patching is also critical. Unless healthcare organisations block those attack paths, they’ll perpetually be playing catch-up to the next vulnerability.  
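An added example, not from the article, of the inventory and attack-vector step described above: given a service inventory and a firewall allow-list, it works out which listening services are reachable from outside private address space and ranks an exposed, unpatched administrator interface above everything else. The hosts, ports, rules and patch flags are constructed for the example.

```python
import ipaddress

# Constructed asset inventory (made-up hosts, ports and patch state): each entry
# is a listening service and whether it is a management/administrator interface.
INVENTORY = [
    {"host": "mft-01", "ip": "10.20.5.40", "port": 8443, "service": "mft-admin-console", "admin": True, "patched": False},
    {"host": "mft-01", "ip": "10.20.5.40", "port": 22, "service": "sftp", "admin": False, "patched": True},
    {"host": "pacs-02", "ip": "10.20.7.12", "port": 443, "service": "pacs-web-admin", "admin": True, "patched": True},
]

# Constructed firewall allow rules: (source CIDR, destination IP, destination port).
FIREWALL_ALLOW = [
    ("0.0.0.0/0", "10.20.5.40", 8443),
    ("0.0.0.0/0", "10.20.5.40", 22),
    ("10.0.0.0/8", "10.20.7.12", 443),
    ("198.51.100.0/24", "10.20.7.12", 443),
]

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY_ORDER = ("critical", "high", "medium")

def exposing_sources(asset, rules=FIREWALL_ALLOW):
    """Source networks allowed to reach this asset's port that are not wholly
    inside private address space, i.e. paths reachable from the Internet."""
    exposed = []
    for src, dst, port in rules:
        if dst == asset["ip"] and port == asset["port"]:
            net = ipaddress.ip_network(src)
            if not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS):
                exposed.append(src)
    return exposed

def assess(inventory=INVENTORY, rules=FIREWALL_ALLOW):
    """Return externally reachable services, ranked: an exposed and unpatched
    admin interface first, other exposed admin interfaces next, then the rest."""
    findings = []
    for asset in inventory:
        sources = exposing_sources(asset, rules)
        if not sources:
            continue
        if asset["admin"] and not asset["patched"]:
            severity = "critical"
        elif asset["admin"]:
            severity = "high"
        else:
            severity = "medium"
        findings.append((severity, asset["host"], asset["service"], asset["port"], sources))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))
```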

Network segmentation is also critical, and network isolation should be achieved wherever possible. But organisations must first understand their potential attack vectors: those that segment networks without first understanding ‘why’, and where to prioritise their focus, will find their efforts far less effective. Networks must also be continuously monitored for anomalies. This process should include the ability to set network rules, easily comb through data and receive insights that point to key issues and threats. 

Forensic analysis action plans must also be part of any threat identification and mitigation playbook. The ability to collect data at the time of an incident is critical. Policies and procedures should be thoughtfully maintained, and businesses should perform tabletop exercises regularly to ensure their plans remain appropriate and optimised.  

Secure devices from start to finish 

Last but certainly not least, healthcare organisations should start at the source by evaluating the security of any new Internet-connected devices and equipment during the onboarding process. Identifying any risks to newly procured devices will pay dividends when it comes to mitigating ongoing risks in the long term. By enlisting the methods outlined above to achieve greater visibility and prepare effective mitigations, healthcare organisations can more successfully navigate around the zero-day exploits that will inevitably put their security to the test.