Netskope Threat Labs: Infostealers target healthcare sector data

Netskope Threat Labs has published its latest research report, revealing that infostealers were the primary malware and ransomware family used to target the healthcare sector. Healthcare was among the top sectors impacted during 2023 by mega breaches, attacks in which over one million records were stolen.

The report also examined the continued increase in cloud app adoption in the healthcare sector as well as malware trends across the sector. 

Key findings include:

  • Key target for infostealer attacks: Infostealers are a prominent malware family in the healthcare sector, as attackers attempt to steal valuable data from organisations and patients in order to blackmail the victim or ransom the data. 
    • In particular, the Clop ransomware gang was active in targeting healthcare and health insurance organisations, exploiting the CVE-2023-34362 MOVEit vulnerability.
    • Healthcare was among the top sectors impacted during 2023 by mega breaches, attacks in which over one million records were stolen.
  • Malware downloads increased in 2023 but plateaued in H2: Cloud-delivered malware ended the year at approximately 40% of malware downloads in the healthcare sector, after a peak of 50% in June followed by a slight dip in the second half of the year. Healthcare trended slightly below other industries, but cloud-delivered malware in the sector grew considerably year-on-year – up from just 30% a year ago.
    • Notably, the healthcare sector appeared to have the lowest percentage of malware sourced from the cloud in the past 12 months, ranking 6th at approximately 40% of total malware downloads, behind telecoms, financial services, manufacturing, retail, technology, state and local government, and education.
    • Cloud apps are increasingly a target for malware as they give attackers the ability to evade regular security controls that rely on tools such as domain block lists and monitoring of web traffic, and such attacks impact companies that do not apply zero trust principles to routinely inspect cloud traffic.
  • Bucking the Microsoft OneDrive malware trend: While Microsoft OneDrive remained the most popular app in the healthcare sector, its use was significantly lower than in other sectors. As a result, malware downloads through OneDrive were 12 percentage points lower than in other industries.
    • The general prevalence of OneDrive-originated malware attacks reflects the combination of adversary tactics (abusing OneDrive to distribute malware) and victim behaviour (the likelihood of clicking the links and downloading the malware), coupled with the widespread popularity of OneDrive. 

  • Slack’s popularity in healthcare: The app was second for uploads (behind OneDrive) and fifth for downloads, significantly higher than in other sectors. However, this usage trend did not correlate with the number of malware downloads from the app – it was not even in the top 10 sources.
    • As Slack is a robust enterprise app, attackers need to use different tactics and content to target users, who must accept or share invites to external channels. This is a more complex process than with consumer messaging apps such as WhatsApp that could be used on a corporate device. Instead, attackers would use Slack as a command and control server, as its API provides a flexible mechanism to upload (or exfiltrate) data.
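The Slack point above is where routine inspection of cloud-app traffic earns its keep: the sanctioned app is not the problem, the unexpected use of its upload API is. As an added illustration (not code from the Netskope report), the following Python detector runs over constructed proxy log records and flags Slack file-upload API calls made by a process that is not a known Slack client, plus users whose upload volume to Slack exceeds a threshold; the log schema, process allow-list and threshold are assumptions.

```python
"""Flag suspicious uploads to a sanctioned cloud app (Slack) in proxy logs.

Assumptions for this example: each record is a dict with the keys used
below, and the sample records are constructed, not real customer data.
"""
from collections import defaultdict

# Slack Web API file-upload method paths; the process allow-list and the
# volume threshold are assumptions to be tuned per environment.
SLACK_UPLOAD_PATHS = {"/api/files.upload", "/api/files.completeUploadExternal"}
EXPECTED_SLACK_PROCESSES = {"slack.exe", "chrome.exe", "msedge.exe"}
VOLUME_THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MiB per user per window

# Constructed sample records: a normal share, an upload from a scripting
# host (API abuse pattern), and a bulk series of uploads from one user.
SAMPLE_LOGS = [
    {"user": "alice", "process": "slack.exe", "host": "slack.com",
     "path": "/api/files.upload", "bytes_out": 120_000},
    {"user": "bob", "process": "powershell.exe", "host": "slack.com",
     "path": "/api/files.upload", "bytes_out": 900_000},
    {"user": "carol", "process": "slack.exe", "host": "slack.com",
     "path": "/api/files.completeUploadExternal", "bytes_out": 30_000_000},
    {"user": "carol", "process": "slack.exe", "host": "slack.com",
     "path": "/api/files.completeUploadExternal", "bytes_out": 30_000_000},
]


def is_slack_upload(rec):
    """True when the record is a call to one of Slack's upload methods."""
    return rec["host"].endswith("slack.com") and rec["path"] in SLACK_UPLOAD_PATHS


def find_suspicious_uploads(records):
    """Return (user, reason) findings: unexpected client process, or
    per-user upload volume above VOLUME_THRESHOLD_BYTES."""
    findings = []
    volume = defaultdict(int)
    for rec in records:
        if not is_slack_upload(rec):
            continue
        if rec["process"].lower() not in EXPECTED_SLACK_PROCESSES:
            findings.append((rec["user"], f"upload from unexpected process {rec['process']}"))
        volume[rec["user"]] += rec["bytes_out"]
    for user, total in volume.items():
        if total > VOLUME_THRESHOLD_BYTES:
            findings.append((user, f"upload volume {total} bytes exceeds threshold"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_uploads(SAMPLE_LOGS):
        print(f"{user}: {reason}")
```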

Speaking on the findings, Paolo Passeri, Cyber Intelligence Principal at Netskope, said:

“Infostealers are among the top threats for the healthcare sector and this is reflected in the fact that during the course of 2023 many healthcare organisations were the targets of mega breaches, and among the top targets of the massive Clop campaign exploiting the CVE-2023-34362 vulnerability.

“Of course this modus operandi is unsurprising because of the types of personal data managed by these organisations, but it is particularly effective because attackers do not necessarily need to encrypt the data in a ransomware-style attack. Instead they exfiltrate the stolen information and use it to blackmail the victim (or its customers/patients).

“Malware and infostealers shouldn’t be the only concern for the healthcare sector; they should also consider the vulnerability of their supply chain and apply the same zero trust strategy they would in their own organisation to third parties in the supply chain.”

The report is based on anonymised usage data collected about a healthcare sector subset of Netskope’s 2,500+ customers, all of whom give prior authorisation for their data to be analysed in this manner.

For the full report, please visit here.