The Health Sector Cybersecurity Coordination Center (HC3) at the Department of Health and Human Services has issued a DDoS guide for the healthcare sector that includes information on the threat and recommended mitigations to limit the severity and impact of DDoS attacks.
Distributed Denial-of-Service (DDoS) attacks are a type of resource exhaustion flooding attack that involves consuming the resources of a server, service, or network to prevent legitimate use. These attacks typically involve the use of botnets of compromised computers and IoT devices, which flood the targeted IP address with traffic to cause the server, service, or network to become overwhelmed. These attacks can result in a denial-of-service to normal traffic due to the logjam the huge volume of malicious traffic creates. These attacks typically cause disruption for several hours, although attacks can continue for several days.
These attacks usually only cause temporary disruption to services and do not, by themselves, typically involve data theft or cause hardware damage. Attacks may, however, be conducted as a smokescreen to distract security teams. While the security team is dealing with the DDoS attack, the threat actor attempts a simultaneous attack – for example, port scanning, malware delivery, a phishing attack, or data exfiltration.
DDoS attacks may also be conducted as part of an extortion attack, where a ransom demand is issued and payment is required to stop the attack. HC3 says these ransom DDoS attacks are becoming more common and have increased by 24% quarter-over-quarter and 67% year-over-year. These ransom DDoS attacks are typically conducted on web applications, such as patient portals, webmail, patient monitoring applications, and telehealth services.
The healthcare and public health (HPH) sector is currently being targeted by a pro-Russian hacktivist group called Killnet. Killnet has been conducting DDoS attacks in countries that are providing support to Ukraine, with a particular focus on hospitals and medical organizations. While the group has threatened to steal and publicly release sensitive patient data, these claims may simply be attention-seeking behavior. The DDoS attacks conducted by the group in recent weeks do not appear to have involved any malicious activity other than causing a denial-of-service on websites and web applications.
While it is difficult to prevent targeted DDoS attacks, several steps can be taken to limit the severity and impact of DDoS attacks. Since these attacks typically target websites and web applications, security controls should be implemented to protect these assets. “Healthcare organizations should sanitize, increase resource availability, implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections, implement Content Security Policy (CSP), and audit third party code,” suggests HC3. “Additional steps include running static and dynamic security scans against the website code and system, deploying web application firewalls, leveraging content delivery networks to protect against malicious web traffic, and providing load balancing and resilience against high amounts of traffic.” Since threat actors typically use User Datagram Protocol (UDP), SYN (synchronize) flag, and Transmission Control Protocol (TCP) traffic to perpetrate DDoS attacks, these should also be a focus for network defenders.
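The UDP, SYN and TCP flood patterns named above are the kind of thing a network defender can spot in firewall or flow logs before a web application falls over. The following is an added example written for this article, not code from HC3 or from the guide: it runs a simple windowed flood detector over constructed firewall-style log lines. The log format, the field names, the 10-second window and the thresholds are all assumptions made for the illustration; a real deployment would take these from the firewall or flow collector in use and tune the thresholds to its own baseline traffic.

```python
"""Windowed SYN/UDP flood detector over constructed firewall-style log lines.

Added example, not from the HC3 DDoS guide. Log format, thresholds and the
sample traffic are assumptions constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log line layout (hypothetical; real products use their own fields):
#   <iso-timestamp> src=<ip> dst=<ip> proto=<TCP|UDP> [flags=<S|A|...>] dport=<port>
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: flags=(?P<flags>\w+))? dport=(?P<dport>\d+)$"
)

WINDOW_SECONDS = 10          # aggregation window (assumed)
SYN_THRESHOLD = 50           # TCP SYNs per destination per window (assumed)
UDP_THRESHOLD = 50           # UDP datagrams per destination per window (assumed)
DISTINCT_SRC_THRESHOLD = 10  # many sources => distributed, not one noisy client


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_floods(lines):
    """Return alerts as (window_epoch, dst, kind, packets, distinct_sources) tuples.

    A window is flagged only when both the packet count and the number of
    distinct sources exceed their thresholds, so a single misbehaving client
    is not reported as a distributed attack.
    """
    def slot():
        return {"count": 0, "sources": set()}
    # window_epoch -> dst -> kind -> slot
    buckets = defaultdict(lambda: defaultdict(lambda: defaultdict(slot)))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "TCP" and rec["flags"] == "S":
            kind = "syn_flood"        # half-open connection attempts
        elif rec["proto"] == "UDP":
            kind = "udp_flood"        # connectionless volumetric traffic
        else:
            continue                  # established TCP (ACK etc.) is not counted
        window = int(rec["ts"].timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        s = buckets[window][rec["dst"]][kind]
        s["count"] += 1
        s["sources"].add(rec["src"])

    alerts = []
    for window, dsts in sorted(buckets.items()):
        for dst, kinds in dsts.items():
            for kind, s in kinds.items():
                limit = SYN_THRESHOLD if kind == "syn_flood" else UDP_THRESHOLD
                if s["count"] >= limit and len(s["sources"]) >= DISTINCT_SRC_THRESHOLD:
                    alerts.append((window, dst, kind, s["count"], len(s["sources"])))
    return alerts


def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, not real hosts).

    20 s of normal portal traffic, then a 60-source SYN flood against the
    portal, then an 80-packet UDP flood from 20 sources against a DNS host.
    """
    lines = []
    for i in range(20):  # normal: one SYN plus one ACK per second from distinct clients
        lines.append(f"2023-02-01T10:00:{i:02d}Z src=192.0.2.{i + 1} dst=198.51.100.10 proto=TCP flags=S dport=443")
        lines.append(f"2023-02-01T10:00:{i:02d}Z src=192.0.2.{i + 1} dst=198.51.100.10 proto=TCP flags=A dport=443")
    for i in range(60):  # SYN flood: 60 sources inside one 10 s window
        lines.append(f"2023-02-01T10:01:{i % 10:02d}Z src=203.0.113.{i + 1} dst=198.51.100.10 proto=TCP flags=S dport=443")
    for i in range(80):  # UDP flood: 80 datagrams from 20 sources inside one window
        lines.append(f"2023-02-01T10:02:{i % 10:02d}Z src=203.0.113.{100 + i % 20} dst=198.51.100.20 proto=UDP dport=53")
    return lines


if __name__ == "__main__":
    for window, dst, kind, packets, sources in detect_floods(build_sample_log()):
        start = datetime.fromtimestamp(window, tz=timezone.utc).isoformat()
        print(f"{start} {dst} {kind}: {packets} packets from {sources} sources")
```

The two-part condition (volume and source diversity) is the point of the example: a rate threshold alone fires on a single broken client or a legitimate burst, while the distinct-source count is what distinguishes a botnet-driven flood. In practice the windows and thresholds come from the organization's own traffic baseline, and an alert of this shape is what would trigger upstream mitigations such as the WAF, CDN or load-balancer controls the guide recommends.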
The alert includes several other recommendations for preventing attacks, assessing and mitigating attacks in progress, and improving defenses and incident response processes to limit the harm caused by future attacks.