Should Healthcare Systems Be Concerned About Hidden Cobra?

Another week, another IT security threat with a conveniently catchy name: the U.S. Department of Health and Human Services late last week released a warning about a new threat, or series of threats, that could impact healthcare systems. Hidden Cobra is the FBI’s name for series of North Korea-linked malevolent threats that include distributed denial of service (DDoS) attacks, malware, and remote access capabilities.

Hidden Cobra isn’t new, per se, and unlike WannaCry it refers more to a group of threats (and those developing them) than to a specific attack itself. It’s been on the United States Computer Emergency Readiness Team’s (US-CERT) radar since 2009, but perhaps following WannaCry’s unfortunate success, that division of the Department of Homeland Security felt compelled to issue a Technical Alert (TA) about what they called “North Korea’s DDoS Botnet Infrastructure.”

Those involved “will continue to use cyber operations to advance their government’s military and strategic objectives,” according to the TA, released jointly with the FBI.

The Department of Health and Human Services also released a statement regarding the threats, believing the group’s efforts to target the “critical infrastructure in the United States” open the possibility of a threat to healthcare systems.

“Of note” the report mentions, “Is another vulnerability in the Server Message Block (SMB) protocol which was exploited in the WannaCry attack, and in this case can be remotely exploited via the Windows Search service.” Such SMB exploitation, they say, is often exploited by “foreign nature state cyber actors.”

The DHS TA, as well as a report released by Microsoft, point to vulnerabilities within Windows that could potentially be exploited, particularly on systems running older and unsupported versions of the operating system. Hidden Cobra is also known to use Adobe Flash Player and Microsoft Silverlight vulnerabilities to gain entry into user systems, recommending that enterprises update and patch the vulnerable versions, or remove them from systems if they are unnecessary.

The TA includes 7 recommendations that it says “can prevent as many as 85 percent of targeted cyber intrusions”:

• Patch applications and operating systems to mitigate vulnerabilities
• Use application whitelisting to prevent unwanted applications from being able to run
• Restrict administrative privileges to prevent such unwanted applications from imposing their will
• Segment networks and segregate them into security to prevent the potential of malware spreading
• Validate input to protect against security flaws
• Use stringent file reputation settings to stop a wider variety of malignant files
• Understand firewalls to make your network less susceptible to attack

The barrage of warnings and statements come as healthcare IT breaches are receiving exponentially more press than they may have even a few months ago, thanks perhaps to WannaCry. The Wall Street Journal ignited some debate with a story this week asserting that many ransomware attacks on hospitals go unreported to the Office of Civil Rights (OCR), which handles such matters. The story cites many examples from 2016, though OCR guidelines were updated in July of that year to mandate such attacks be reported unless the breached organization can prove PHI has been compromised. TheWSJ argues that's a “loophole,” an assertion some experts disagree with. The implications and distinctions between various cyber threats can at times be murky, but it is clear that the threat evolves daily, and is now receiving very necessary attention.