Infostealers identified as primary malware used for healthcare attacks

13 March 2024

Netskope Threat Labs reveals in its latest report that infostealers were the primary malware and ransomware families used to target the healthcare sector.

Healthcare was among the top sectors impacted during 2023 by mega breaches, an attack where over one million records were stolen.

Infostealers are a prominent malware family for the healthcare sector as attackers attempt to steal valuable data from organisations and patients in order to blackmail victims or ransom the data. The Clop ransomware gang was particularly active in targeting healthcare and health insurance organisations, exploiting the CVE-2023-34362 MOVEit vulnerability.

Cloud-delivered malware ended the year at approximately 40% of malware downloads in the healthcare sector, after a peak of 50% in June that dipped slightly in the second half of the year. Healthcare trended slightly below other industries, but cloud-delivered malware in the sector grew considerably year-on-year, up from just 30% a year ago. The healthcare sector appeared to have the lowest percentage of malware sourced from the cloud in the past 12 months, ranking 6th at approximately 40% of total malware downloads, behind telecoms, financial services, manufacturing, retail, technology, state and local government and education. Cloud apps are increasingly a target for malware because they give attackers the ability to evade conventional security controls that rely on tools such as domain block lists and monitoring of web traffic; such attacks impact companies that do not apply zero trust principles to routinely inspect cloud traffic.

While Microsoft OneDrive remained the most popular app in the healthcare sector, its use was significantly lower than in other sectors. As a result, malware downloads through OneDrive were 12 percentage points lower than in other industries. The general prevalence of OneDrive-originated malware attacks reflects the convergence of adversary tactics (abusing OneDrive to distribute malware) and victim behaviour (their likelihood to click on the links and download the malware), coupled with the widespread popularity of OneDrive.

Slack was second for uploads (behind OneDrive) and fifth for downloads, significantly higher than in other sectors. However, this usage trend did not correlate with the number of malware downloads from the app, which was not even in the top 10 sources. As Slack is a robust enterprise app, attackers need to use different tactics and content to target users, who must accept or share invites to external channels. This is a more complex process compared with consumer messaging apps like WhatsApp that could be used on a corporate device. Instead, attackers would use Slack as a command and control server, as its API provides a flexible mechanism to upload (or exfiltrate) data.

“Infostealers are among the top threats for the healthcare sector and this is reflected in the fact that during the course of 2023 many healthcare organisations were the targets of mega breaches, and among the top targets of the massive Clop campaign exploiting the CVE-2023-34362 vulnerability,” said Paolo Passeri, Cyber Intelligence Principal at Netskope. “Of course, this modus operandi is unsurprising because of the types of personal data managed by these organisations, but it is particularly effective because attackers do not necessarily need to encrypt the data in a ransomware-style attack. Instead they exfiltrate the stolen information and use it to blackmail the victim (or its customers/patients). Malware and infostealers shouldn’t be the only concern for the healthcare sector; they should also consider the vulnerability of their supply chain and apply the same zero trust strategy they would in their own organisation to third parties in the supply chain.”