Hackers are exploiting the very security tools providers use to protect themselves, HHS warns

The same tools that healthcare providers use to operate and maintain secure IT systems can also be weaponized by hackers. In fact, that happens fairly often, according to a cybersecurity report recently released by the Department of Health and Human Services.

The report flagged legitimate security tools that are commonly used by providers, including Cobalt Strike and PowerShell. Hackers are turning to traditional IT remote monitoring and management tools like these “for very good reasons,” according to Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel.

He pointed out that cybercriminals’ methods rely on controlling remote computers and avoiding detection.  

“There are numerous hacker malware packages that are great for controlling computers, but they run the risk of being detected and removed by endpoint protection tools like anti-virus software and endpoint detection and response software,” Clements said. “Remote monitoring and management tools by and large eliminate this possibility as they are very often deployed for legitimate IT administration purposes.”

Cobalt Strike — a tool organizations often use to simulate a cyberattack — may be the most prolifically exploited security tool for providers to keep an eye on. The report warned that many threat actors who specifically target the healthcare sector commonly abuse Cobalt Strike, noting the tool “has been increasingly used for malicious purposes over the last five years.”

The tool has been leveraged by prolific ransomware gangs like Conti, Ryuk, FIN12 and Emotet, according to the report. The cybercriminals behind the infamous SolarWinds data breach of 2020 — which affected dozens of organizations, including the California Department of State Hospitals — used Cobalt Strike, the report said.

PowerShell, a Microsoft scripting language and command shell for configuration management and task automation, was another commonly used tool that HHS recommended providers be wary of. Other tools flagged in the report include Mimikatz, Sysinternals, AnyDesk and Brute Ratel.

In the report, HHS clarified that it is not suggesting healthcare organizations abandon the use of these tools altogether, but rather calling providers to evaluate their use based on the “merits and drawbacks” of each tool.

“Cobalt Strike and Brute Ratel, for example, are popular command and control packages. They are popular — and expensive — commercial packages used by legitimate offensive security teams,” Clements said. “The problem, of course, is their effectiveness for legitimate security professionals makes them effective for cybercriminals who crack them to remove any licensing requirements to use for free.”

Mitigating the risk associated with security tools is not as easy as simply reconfiguring an application, according to HHS. Several of the tools included in the report are resident on common IT systems, which makes it difficult to detect malicious use.

The main way providers can protect themselves is by knowing their environment, according to Clements. If unknown security tool commands show up within a provider’s IT systems, he said, it could be evidence of a cyberattack, insider threat or internal misuse.
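As an added illustration of the “know your environment” approach Clements describes (example code written for this article, not from HHS, Cerberus Sentinel or any of the tools named), the script below compares process-creation events against a baseline of which hosts and accounts are expected to run each dual-use tool, and flags anything outside it. The baseline, host names, accounts and log records are all constructed for the example.

```python
"""Flag dual-use admin/security tools running outside their expected baseline.

Added example (not from the HHS report or the article): a minimal
'know your environment' check. The baseline and log records below are
constructed for illustration only.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Tools the article names as commonly abused; matched on executable name.
DUAL_USE_TOOLS = {"powershell.exe", "anydesk.exe", "psexec.exe", "mimikatz.exe"}

# Constructed baseline: which (host, user) pairs are expected to run each tool.
# In practice this comes from an asset inventory and change records.
BASELINE = {
    "powershell.exe": {("it-admin-01", "CORP\\sysadmin")},
    "anydesk.exe": {("helpdesk-02", "CORP\\helpdesk")},
    "psexec.exe": {("it-admin-01", "CORP\\sysadmin")},
    # mimikatz.exe has no legitimate baseline entry: any sighting is flagged.
}

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    reason: str

def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding when a dual-use tool runs outside its baseline, else None."""
    tool = event["image"].rsplit("\\", 1)[-1].lower()  # executable name only
    if tool not in DUAL_USE_TOOLS:
        return None
    allowed = BASELINE.get(tool, set())
    if (event["host"], event["user"]) in allowed:
        return None
    reason = "no approved use in environment" if not allowed else "unexpected host/user"
    return Finding(event["host"], event["user"], tool, reason)

def scan_log(lines: list) -> list:
    """Parse newline-delimited JSON process-creation events and collect findings."""
    return [f for line in lines if (f := check_event(json.loads(line)))]

# Constructed sample events (JSON lines with simplified Sysmon-style field names).
SAMPLE_LOG = [
    '{"host":"it-admin-01","user":"CORP\\\\sysadmin","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"}',
    '{"host":"nurse-ws-17","user":"CORP\\\\jdoe","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"}',
    '{"host":"nurse-ws-17","user":"CORP\\\\jdoe","image":"C:\\\\Users\\\\jdoe\\\\Downloads\\\\AnyDesk.exe"}',
    '{"host":"file-srv-03","user":"CORP\\\\svc_backup","image":"C:\\\\Temp\\\\mimikatz.exe"}',
    '{"host":"file-srv-03","user":"CORP\\\\svc_backup","image":"C:\\\\Windows\\\\System32\\\\notepad.exe"}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT {f.host} {f.user} ran {f.tool}: {f.reason}")
```

Running it on the sample log produces three alerts: PowerShell and AnyDesk on a workstation that has no approved use for either, and Mimikatz on a file server, for which no legitimate baseline exists at all.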

The mitigation of cybersecurity risks is a critical priority as hospital finances remain under pressure — the average total cost of a data breach increased to $4.35 million this year, according to IBM.

Photo: Traitov, Getty Images