Intelligent Health.tech Issue 08 | Page 63

DIGITAL DIAGNOSTICS

The recent Clop ransomware attack exploited a zero-day vulnerability in GoAnywhere MFT to breach the data of more than 130 healthcare organisations. Here, Shankar Somasundaram, CEO of Asimily, addresses this breach and how companies in this sector can better protect themselves so something like this doesn't happen again.

The high-profile Clop ransomware attack is a particularly urgent reminder of the risks that CISOs and their teams must navigate in securing against a never-ending wave of threats. While the most recent Clop headlines have focused on the healthcare industry, the security takeaways are largely applicable across industries.

A vulnerability in the widely used GoAnywhere MFT's administrator console allowed attackers to gain access without proper authentication. Worse, more than 1,000 administrator ports have been exposed to the open Internet. Open ports can reveal which services are running – such as FTP, a critical piece of software that many organisations use to transfer data internally – through the banner information those services publish. For this reason, attackers constantly probe exposed ports in an attempt to run exploits against them. While Shodan brought these risks to light in a big way more than a decade ago, it is still not something many healthcare organisations look at carefully. By combining the old techniques of looking for open ports, deriving asset information from them and running different kinds of exploits against them, the Clop ransomware attack succeeded in exploiting that vulnerability.
The Clop ransomware attack has healthcare organisations using GoAnywhere MFT thoughtfully considering their next actions and examining their data breach and system lock-out risks .
Security leaders must pursue careful countermeasures
For those at risk from the GoAnywhere MFT software vulnerability, there are a few key steps to take. Mitigation should begin with immediate software patching and ensuring that all open ports to the Internet are blocked. Healthcare organisations should also isolate all the systems the software was running on and operate on the assumption that they have been breached. Security and IT teams should then run forensic analysis on those systems and image them. It's important to be careful here, however, since imaging can sometimes fail to remove certain attacks. A particularly thorough inspection is crucial to eliminating risks.
Any systems connected to those potentially affected systems must also be evaluated. This requires pulling together and examining logs from various systems, such as network appliances, SIEMs, endpoint agents and more. Additionally, organisations should enable continuous monitoring to identify
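The scoping steps above (assume breach, check Internet exposure of the admin console, pull logs from network appliances, the SIEM and endpoint agents, then evaluate the systems connected to the affected ones) in working form. This is an added example, not code from the article or from Asimily, and it runs on constructed data: the firewall, SIEM and EDR lines, the MFT host address 10.0.5.20 and the admin-console port 8000 are all placeholders. It merges the three sources into one timeline, lists Internet-side addresses that reached the admin port, and walks observed internal connections outward from the assumed-breached host to produce the list of systems that still need evaluation.

```python
"""Scope an incident from several log sources (constructed data, added example)."""
from __future__ import annotations

import ipaddress
from collections import deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs. 10.0.5.20 stands for the hypothetical MFT server,
# 8000 for its admin-console port; neither value comes from the article.
FIREWALL_LOG = """\
2023-02-01T02:14:07Z fw01 ALLOW src=203.0.113.45:51522 dst=10.0.5.20:8000 proto=tcp
2023-02-01T02:14:09Z fw01 ALLOW src=203.0.113.45:51530 dst=10.0.5.20:8000 proto=tcp
2023-02-01T02:20:31Z fw01 ALLOW src=10.0.5.20:49211 dst=10.0.7.11:445 proto=tcp
2023-02-01T02:21:02Z fw01 ALLOW src=10.0.5.20:49218 dst=10.0.7.12:3389 proto=tcp
2023-02-01T02:25:44Z fw01 ALLOW src=10.0.9.3:51000 dst=10.0.5.20:443 proto=tcp
"""
SIEM_LOG = """\
2023-02-01T02:14:10Z siem auth host=10.0.5.20 app=mft-admin user=admin result=success src=203.0.113.45
2023-02-01T02:19:55Z siem auth host=10.0.7.11 app=windows user=svc_backup result=success src=10.0.5.20
"""
EDR_LOG = """\
2023-02-01T02:15:30Z edr host=10.0.5.20 event=process_create image=cmd.exe parent=java.exe
2023-02-01T02:22:10Z edr host=10.0.7.12 event=process_create image=powershell.exe parent=explorer.exe
"""

# Address ranges treated as "internal" here: RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Event:
    ts: datetime
    source: str   # system that produced the line (fw01, siem, edr)
    fields: dict  # key=value pairs, with src/dst split into ip and port


def parse_kv_line(line: str) -> Event:
    """Parse 'TIMESTAMP SOURCE [token ...] key=value ...' into an Event."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    fields: dict = {}
    for tok in parts[2:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            fields.setdefault("tags", []).append(tok)
    # Firewall flows carry ip:port; split them so callers can match on the ip alone.
    for key in ("src", "dst"):
        val = fields.get(key)
        if val and ":" in val:
            ip, port = val.rsplit(":", 1)
            fields[key], fields[key + "_port"] = ip, int(port)
    return Event(ts, parts[1], fields)


def load_events(*logs: str) -> list[Event]:
    """Merge any number of log texts into one time-ordered event list."""
    events = [parse_kv_line(l) for log in logs for l in log.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_admin_access(events: list[Event], host: str, admin_port: int) -> set[str]:
    """Internet-side sources that reached the admin-console port: evidence of exposure."""
    return {e.fields["src"] for e in events
            if e.fields.get("dst") == host and e.fields.get("dst_port") == admin_port
            and not is_internal(e.fields.get("src", ""))}


def peers(event: Event) -> tuple[str, str] | None:
    """The pair of internal hosts an event links (flow src/dst or auth src/host)."""
    a = event.fields.get("src")
    b = event.fields.get("dst") or event.fields.get("host")
    if a and b and a != b and is_internal(a) and is_internal(b):
        return a, b
    return None


def expand_scope(events: list[Event], seeds: set[str], max_hops: int = 1) -> set[str]:
    """Breadth-first walk over observed internal connections from the breached hosts.

    Returns the systems connected to the seeds (directly, or within max_hops) that
    the article says must also be evaluated. Direction is ignored on purpose: a
    host that merely talked to a breached server also needs a look.
    """
    adjacency: dict[str, set[str]] = {}
    for event in events:
        pair = peers(event)
        if pair:
            adjacency.setdefault(pair[0], set()).add(pair[1])
            adjacency.setdefault(pair[1], set()).add(pair[0])
    seen, queue = set(seeds), deque((h, 0) for h in seeds)
    while queue:
        host, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in adjacency.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen - seeds


def timeline(events: list[Event], hosts: set[str]) -> list[str]:
    """Single merged, time-ordered view of every event touching the given hosts."""
    lines = []
    for e in events:
        if {e.fields.get(k) for k in ("src", "dst", "host")} & hosts:
            detail = " ".join(f"{k}={v}" for k, v in e.fields.items() if k != "tags")
            lines.append(f"{e.ts.isoformat()} {e.source} {detail}")
    return lines


if __name__ == "__main__":
    evts = load_events(FIREWALL_LOG, SIEM_LOG, EDR_LOG)
    breached = {"10.0.5.20"}
    print("Internet sources on admin port:", external_admin_access(evts, "10.0.5.20", 8000))
    to_evaluate = expand_scope(evts, breached)
    print("Connected systems to evaluate:", sorted(to_evaluate))
    print("\n".join(timeline(evts, breached | to_evaluate)))
```

The seed set is the isolated, assumed-breached hosts; the walk then gives the evaluation list, and the merged timeline is what forensic analysts read before imaging. Raising `max_hops` widens the scope when the first hop turns up further suspicious activity.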

CISO LESSONS FROM THE CLOP RANSOMWARE ATTACK TARGETING HEALTHCARE DATA

www.intelligenthealth.tech 63