Internet of Things Archives - Page 6 of 15

HIPAA LAW: What Does It Protect?

27.07.2023

What is HIPPA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 in the United States. HIPAA’s primary aim is to safeguard the privacy, security, and confidentiality of individuals’ protected health information (PHI) by establishing a set of standards and regulations for healthcare providers, health plans, and other entities that maintain PHI.

HIPAA Privacy Rule, Explained

The HIPAA Privacy Rule grants patients’ rights over their PHI, including the right to access, request amendments, and control the sharing of their health information. It also imposes obligations on covered entities to implement safeguards to protect PHI, train their workforce on privacy practices, and obtain individual consent for certain uses and disclosures.

The Privacy Rule plays a vital role in keeping the confidentiality and security of personal health information, ensuring patients have control over their own data while allowing appropriate access for healthcare purposes.

HIPAA Security Rule, Explained

The HIPAA Security Rule is an essential part of the Health Insurance Portability and Accountability Act (HIPAA). The Security Rule sets forth administrative, physical, and technical safeguards that covered entities must implement to protect the confidentiality, integrity, and availability of ePHI.

These safeguards include measures such as risk assessments, workforce training, access controls, encryption, and contingency planning to prevent unauthorized access, use, or disclosure of ePHI. Compliance with the HIPAA Security Rule is crucial for ensuring the secure handling of electronic health information, reducing the risk of data breaches, and maintaining the trust and confidentiality of sensitive patient data.

HIPAA Covered Entities

HIPAA defines specific entities that are subject to its regulations, known as covered entities.

Covered entities include:

Healthcare Providers

Healthcare providers, such as doctors, hospitals, clinics, psychologists, and pharmacies, are considered covered entities under HIPAA. They play a vital role in the delivery of healthcare services and are responsible for maintaining the privacy and security of patients’ protected health information (PHI).

Healthcare providers must follow HIPAA regulations when electronically transmitting and overseeing PHI, implementing safeguards to protect patient data, and ensuring appropriate access and disclosures.

Health Plans

Health plans, including health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, and government health programs, fall under the category of covered entities. These entities are responsible for managing health insurance coverage and must comply with HIPAA to protect the privacy of individuals’ health information.

Health plans have obligations to implement privacy policies, provide individuals with notice of their privacy practices, and set up safeguards to secure PHI against unauthorized access or disclosures.

Healthcare Clearinghouses

Healthcare clearinghouses are entities that process nonstandard health information into standardized formats. They function as intermediaries between healthcare providers and health plans, facilitating the electronic exchange of health information.

Covered healthcare clearinghouses must adhere to HIPAA’s regulations, implementing security measures and safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). They play a critical role in ensuring the secure transmission and conversion of health data, contributing to the interoperability and efficiency of electronic healthcare transactions.

Business Associates

Business associates are external entities or individuals that provide services or perform functions involving PHI, such as third-party administrators, billing companies, IT providers, and certain consultants.

Covered entities must have written agreements in place with their business associates, outlining the responsibilities and obligations regarding the protection of PHI. These agreements should address issues such as the permissible uses and disclosures of PHI, safeguards for data security, breach notification requirements, and compliance with HIPAA’s Privacy Rule.

Who is Not Required to Follow HIPAA Regulations?

Entities not required to follow HIPAA laws include:

Life Insurers

Since life insurers primarily deal with underwriting life insurance policies, they do not manage or maintain protected health information (PHI) as defined by HIPAA.

Employers

Employers, in their role as employers, are not covered by HIPAA regulations because they manage employee health information for employment-related purposes only, rather than for healthcare operations.

Workers’ Compensation Carriers

Workers’ compensation carriers are exempt from HIPAA because the health information they handle is typically related to work-related injuries or illnesses, which falls outside the scope of HIPAA’s regulations.

Most Schools and School Districts

Schools and school districts, except for those that run healthcare facilities or have specific health programs, are generally not subject to HIPAA as they primarily handle educational records and student information.

Many State Agencies

State agencies, such as child protective service agencies, often deal with sensitive information related to child welfare or social services, which are typically regulated under state-specific privacy laws rather than HIPAA.

Most Law Enforcement Agencies

Law enforcement agencies, while involved in protecting public safety, are generally exempt from HIPAA as they primarily focus on law enforcement activities rather than the provision of healthcare services.

Many Municipal Offices

Municipal offices that do not function as healthcare providers or healthcare clearinghouses are not subject to HIPAA regulations. They primarily manage administrative and governmental functions rather than healthcare-related activities.

What Information is Protected Under HIPAA?

HIPAA protects a broad range of health information, primarily focusing on individually identifiable health information known as Protected Health Information (PHI).

Under HIPAA, PHI is subject to strict privacy and security safeguards, and covered entities must obtain individual consent or authorization before using or disclosing PHI, except in certain permitted circumstances. HIPAA also allows the use and disclosure of de-identified health information, which is health information that does not identify an individual and has undergone a process to remove specific identifiers.

De-identified health information is not subject to HIPAA’s privacy and security requirements because it does not contain identifiable information that could be used to link it back to an individual. However, covered entities must follow specific guidelines and methods outlined by HIPAA to ensure that information is properly de-identified and cannot be re-identified.

Overall, HIPAA provides protection and safeguards for a wide range of health information, with a specific focus on safeguarding individually identifiable health information (PHI) and allowing for the use and disclosure of de-identified health information under certain circumstances.

When Can PHI Be Disclosed?

Under HIPAA, Protected Health Information (PHI) can be disclosed in a variety of situations, including:

General Principle for Uses and Disclosure

PHI can be disclosed for treatment, payment, and healthcare operations without explicit authorization, following the general principle that PHI should be used or disclosed based on the minimum necessary information needed to accomplish the intended purpose.

Permitted Uses and Disclosures

PHI can be shared without individual authorization for activities such as public health activities, healthcare oversight, research (with privacy safeguards), law enforcement purposes, and when required by law, including reporting certain diseases and vital events.

Authorized Uses and Disclosures

PHI can be disclosed based on the individual’s written authorization, allowing specific uses and disclosures beyond what is permitted without authorization, such as sharing PHI for marketing purposes or with third-party organizations.

PHI Uses and Disclosures Limited to the Minimum Necessary

Covered entities are required to make reasonable efforts to limit PHI uses and disclosures to the minimum necessary to accomplish the intended purpose. This means sharing only the information necessary for the specific situation, whether it is for treatment, payment, healthcare operations, or other permitted purposes.

Notice and Individual Rights

Covered entities must provide individuals with a Notice of Privacy Practices, explaining how their PHI may be used and disclosing their rights regarding their health information. Individuals have rights such as accessing their PHI, requesting amendments, and requesting restrictions on certain uses or disclosures.

Privacy Practices Notice

Covered entities must respect these rights and enable individuals to exercise them.

Notice distribution

Covered entities must make efforts to distribute the Notice of Privacy Practices to individuals, including posting it prominently in their facilities and providing a copy to individuals upon request. They should also make reasonable attempts to obtain written acknowledgment of receipt.

Acknowledgment of Notice Receipt

Covered entities should document individuals’ acknowledgment of receiving the Notice of Privacy Practices. This acknowledgment can be obtained through various means, such as a signed form or electronic confirmation, ensuring that individuals have been made aware of their rights and the entity’s privacy practices.

Access

Individuals have the right to access their PHI and obtain copies of their health records upon request, with certain exceptions and reasonable fees.

Amendment

Individuals can request amendments or corrections to their PHI if they believe it is incomplete, inaccurate, or requires updating.

Disclosure Accounting

Covered entities must provide individuals with an accounting of certain disclosures of their PHI, upon request, excluding disclosures for treatment, payment, healthcare operations, and other exceptions.

Restriction Request

Individuals have the right to request restrictions on the use or disclosure of their PHI, although covered entities are not required to agree to all requested restrictions.

Confidential Communications Requirement

Covered entities must accommodate reasonable requests from individuals to receive communications of their PHI through alternative means or at alternative locations to protect privacy.

Administrative Requirements

Covered entities must establish and implement privacy policies and procedures to ensure compliance with HIPAA’s Privacy Rule, including designating a Privacy Officer responsible for overseeing privacy practices.

Privacy Personnel

Covered entities should have designated privacy personnel responsible for developing and implementing privacy policies, handling privacy inquiries, and ensuring compliance.

Workforce Training and Management

Covered entities must provide training to their workforce members regarding privacy policies, procedures, and the protection of PHI. They should also have mechanisms in place to manage workforce members’ compliance with privacy practices.

Mitigation

Covered entities must take reasonable steps to mitigate any harmful effects resulting from the use or disclosure of PHI in violation of the Privacy Rule.

Data Safeguards

Covered entities are required to implement reasonable safeguards to protect PHI from unauthorized access, disclosure, or use.

Complaints

Covered entities must have a process in place for individuals to file complaints regarding privacy practices, and they must not retaliate against individuals who exercise their privacy rights.

Retaliation and Waiver

Covered entities cannot retaliate against individuals for exercising their privacy rights, and individuals cannot be required to waive their rights as a condition for receiving treatment or benefits.

Documentation and Record Retention

Covered entities must retain documentation related to their privacy practices and policies for at least six years.

Fully Insured Group Health Plan Exception

The Privacy Rule does not apply directly to fully insured group health plans, although the plans must follow other federal and state laws governing the privacy of health information.

These various requirements and provisions ensure that covered entities adhere to privacy practices, protect individuals’ rights, and keep the security and confidentiality of PHI.

How is PHI Protected?

PHI is protected through various measures to safeguard its confidentiality, integrity, and security:

Safeguards – Safeguards can include physical, technical, and administrative measures such as secure storage, encryption, access controls, and firewalls.
Minimum Necessary – This means that only the information needed for a particular task or situation should be accessed or shared.
Access and Authorization Controls – Covered entities must have procedures in place to control and limit who can view and access PHI. This includes implementing access controls, user authentication, and authorization processes to ensure that only authorized individuals can access and handle PHI.
Employee Training – Training ensures that employees understand their responsibilities, know how to handle PHI securely, and are aware of potential risks and safeguards.
Business Associates – Business associates, who handle PHI on behalf of covered entities, are also obligated to implement safeguards to protect PHI and comply with HIPAA regulations. This ensures that third-party entities involved in healthcare operations support the same level of privacy and security standards when handling PHI.

Get HIPAA Compliant With Our Checklist

By implementing the above-mentioned HIPAA safeguards, limiting the use and disclosure of PHI, and supplying employee training, covered entities and their business associates can work together to protect the privacy and security of individuals’ health information, and prevent improper use or disclosure. Want more tips to stay compliant? Check out our HIPAA Compliance Checklist.

Source :
https://www.perimeter81.com/blog/compliance/hipaa-law

What network ports are used by Synology DSM services?

Last updated: Aug 10, 2023

Details

The operations of DSM services require specific ports to be opened to ensure normal functionality. In this article, you can find the network ports and protocols required by DSM services for operations.

Resolution

Setup Utilities

Type	Port Number	Protocol
Synology Assistant	9999, 9998, 9997	UDP

Backup

Type	Port Number	Protocol
Active Backup for Business	5510 (Synology NAS)¹	TCP
Active Backup for Business	443 (vCenter Server and ESXi host), 902 (ESXi host), 445 (SMB for Hyper-V host), 5985 (HTTP for Hyper-V host), 5986 (HTTPS for Hyper-V host)	TCP
Data Replicator, Data Replicator II, Data Replicator III	9999, 9998, 9997, 137, 138, 139, 445	TCP
DSM 5.2 Data Backup, rsync, Shared Folder Sync, Remote Time Backup	873, 22 (if encrypted over SSH)	TCP
Hyper Backup (destination)	6281 (remote Synology NAS), 22 (rsync with transfer encryption enabled), 873 (rsync without transfer encryption)	TCP
Hyper Backup Vault	6281, For DSM 7.0 or above: 5000 (HTTP), 5001 (HTTPS)	TCP
DSM 5.2 Archiving Backup	6281	TCP
LUN Backup	3260 (iSCSI), 873, 22 (if encrypted over SSH)	TCP
Snapshot Replication	5566 (Advanced LUNs and shared folders)	TCP
Snapshot Replication	3261 (Legacy Advanced LUNs)	TCP

Download

Type	Port Number	Protocol
BT	For DSM 2.0.1 or above: 16881, For DSM 2.0.1-3.0401 or below: 6890-6999	TCP/UDP
eMule	4662	TCP
eMule	4672	UDP

Web Applications

Type	Port Number	Protocol
DSM	5000 (HTTP), 5001 (HTTPS)	TCP

Mail Service

Type	Port Number	Protocol
IMAP	143	TCP
IMAP over SSL/TLS	993	TCP
POP3	110	TCP
POP3 over SSL/TLS	995	TCP
SMTP	25	TCP
SMTP-SSL	465	TCP
SMTP-TLS	587	TCP

File Transferring

Type	Port Number	Protocol
AFP	548	TCP
CIFS/SMB	smbd: 139 (netbios-ssn), 445 (microsoft-ds)	TCP/UDP
CIFS/SMB	Nmbd: 137, 138	UDP
FTP, FTP over SSL, FTP over TLS	21 (command), 20 (data connection in Active Mode), 1025-65535 (data connection in Passive Mode)²	TCP
iSCSI	3260, 3263, 3265	TCP
NFS	111, 892, 2049	TCP/UDP
TFTP	69	UDP
WebDAV	5005, 5006 (HTTPS)	TCP

Packages

Type	Port Number	Protocol
Audio Station	1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 5353 (Bonjour service), 6001-6010 (AirPlay control/timing)	TCP/UDP
C2 Identity Edge Server	389 (LDAP), 7712 (HTTP), 8864	TCP
C2 Identity Edge Server	53	UDP
Central Management System	5000 (HTTP), 5001 (HTTPS)	TCP
CIFS Scale-out Cluster	49152-49252	TCP/UDP
CIFS Scale-out Cluster	17909, 17913, 19998, 24007, 24008, 24009-24045, 38465-38501, 4379	TCP
Cloud Station	6690	TCP
DHCP Server	53, 67, 68	TCP/UDP
DNS Server	53 (named)	TCP/UDP
LDAP Server (formerly Directory Server)	389 (LDAP), 636 (LDAP with SSL)	TCP
Download Station	5000 (HTTP), 5001 (HTTPS)	TCP
File Station	5000 (HTTP), 5001 (HTTPS)	TCP
Hybrid Share	50051 (catalog), 443 (API), 4222 (NATS)	TCP
iTunes Server	3689	TCP
Log Center (syslog server)	514 (additional port can be added)	TCP/UDP
Logitech® Media Server	3483, 9002	TCP
MailPlus Server	1344, 4190, 5000 (HTTP), 5001 (HTTPS), 5252, 8500 – 8520, 8893, 9526 – 9529, 10025, 10465, 10587, 11211, 11332 – 11334, 12340, 24245, 24246	TCP
MailPlus web client	5000 (HTTP), 5001 (HTTPS)	TCP
Mail Station	80 (HTTP), 443 (HTTPS)	TCP
Media Server	1900 (UPnP), 50001 (content browsing), 50002 (content streaming)	TCP/UDP
Migration Assistant	7400-7499 (DRBD), 22 (SSH)³	DRBD
Note Station	5000 (HTTP), 5001 (HTTPS)	TCP
Photo Station, Web Station	80 (HTTP), 443 (HTTPS)	TCP
Presto File Server	3360, 3361	TCP/UDP
Proxy Server	3128	TCP
RADIUS Server	1812, 18120	UDP
SMI-S Provider	5988 (HTTP), 5989 (HTTPS)	TCP
Surveillance Station	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Calendar	5000 (HTTP), 5001 (HTTPS)	TCP
Synology CardDAV Server	8008 (HTTP), 8443 (HTTPS)	TCP
Synology Chat	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Contacts	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Directory Server	88 (Kerberos), 389 (LDAP), 464 (Kerberos password change)	TCP/UDP
Synology Directory Server	135 (RPC Endpoint Mapper), 636 (LDAP SSL), 1024 (RPC), 3268 (LDAP GC), 3269 (LDAP GC SSL), 49152 (RPC)⁴, 49300-49320 (RPC)	TCP
Synology Drive Server	80 (link sharing), 443 (link sharing), 5000 (HTTP), 5001 (HTTPS), 6690 (file syncing/backup)	TCP
Synology High Availability (HA)	123 (NTP), ICMP, 5000 (HTTP), 5001 (HTTPS), 1234, 9997, 9998, 9999 (Synology Assistant), 874, 5405, 5406, 7400-7999 (HA)	TCP/UDP
Synology Moments	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Photos	5000 (HTTP), 5001 (HTTPS)	TCP
Video Station	1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 9025-9040, 5002, 5004, 65001 (for using the HDHomeRun network tuner)	TCP/UDP
Virtual Machine Manager	2379-2382 (cluster network), ICMP, 3260-3265 (iSCSI), 5000 (HTTP), 5001 (HTTPS), 5566 (replication), 16509, 16514, 30200-30300, 5900-5999 (QEMU), 2385 (Redis Server)	TCP
VPN Server (OpenVPN)	1194	UDP
VPN Server (PPTP)	1723	TCP
VPN Server (L2TP/IPSec)	500, 1701, 4500	UDP

Mobile Applications

Type	Port Number	Protocol
DS audio	5000 (HTTP), 5001 (HTTPS)	TCP
DS cam	5000 (HTTP), 5001 (HTTPS)	TCP
DS cloud	6690	TCP
DS file	5000 (HTTP), 5001 (HTTPS)	TCP
DS finder	5000 (HTTP), 5001 (HTTPS)	TCP
DS get	5000 (HTTP), 5001 (HTTPS)	TCP
DS note	5000 (HTTP), 5001 (HTTPS)	TCP
DS photo	80(HTTP), 443 (HTTPS)	TCP
DS video	5000 (HTTP), 5001 (HTTPS)	TCP
MailPlus	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Drive	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Moments	5000 (HTTP), 5001 (HTTPS)	TCP
Synology Photos	5000 (HTTP), 5001 (HTTPS)	TCP

Peripheral Equipment

Type	Port Number	Protocol
Bonjour	5353	UDP
LPR	515	UDP
Network Printer (IPP)/CUPS	631	TCP
Network MFP	3240-3259	TCP
UPS	3493	TCP

System

Type	Port Number	Protocol
LDAP	389, 636 (SLAPD)	TCP
MySQL	3306	TCP
NTP	123	UDP
Resource Monitor/SNMP	161	TCP/UDP
SSH/SFTP	22	TCP
Telnet	23	TCP
WS-Discovery	3702	UDP
WS-Discovery	5357 (Nginx)	TCP

Notes:

For the backup destination of Synology NAS, Hyper-V, or physical Windows/Linux/macOS devices.
The default range varies according to your Synology product models.
For the SSH service that runs on a customized port, make sure the port is accessible.
Only Synology Directory Server version 4.10.18-0300 requires port 49152.

New SEC Cybersecurity Rules: What You Need to Know

By: Greg Young – Trendmicro
August 03, 2023
Read time: 4 min (1014 words)

The US Securities and Exchange Commission (SEC) recently adopted rules regarding mandatory cybersecurity disclosure. Explore what this announcement means for you and your organization.

On July 26, 2023, the US Securities and Exchange Commission (SEC) adopted rules regarding mandatory cybersecurity disclosure. What does this mean for you and your organization? As I understand them, here are the major takeaways that cybersecurity and business leaders need to know:

Who does this apply to?

The rules announced apply only to registrants of the SEC i.e., companies filing documents with the US SEC. Not surprisingly, this isn’t limited to attacks on assets located within the US, so incidents concerning SEC registrant companies’ assets in other countries are in scope. This scope also, not surprisingly, does not include the government, companies not subject to SEC reporting (i.e., privately held companies), and other organizations.

Breach notification for these others will be the subject of separate compliance regimes, which will hopefully, at some point in time, be harmonized and/or unified to some degree with the SEC reporting.

Advice for security leaders: be aware that these new rules could require “double reporting,” such as for publicly traded critical infrastructure companies. Having multiple compliance regimes, however, is not new for cybersecurity.

What are the general disclosure requirements?

Some pundits have said “four days after an incident” but that’s not quite correct. The SEC says that “material breaches” must be reported “four business days after a registrant determines that a cybersecurity incident is material.”

We’ve hit the first squishy bit: materiality. Directing companies to disclose material events shouldn’t be necessary before there’s a mixed record of companies making materiality for public company operation. But what kind of cybersecurity incident would be likely to be important to a reasonable investor?

We’ve seen giant breaches that paradoxically did not move stock prices, and minor breaches that did the opposite. I’m clearly on the side of compliance and disclosure, but I recognize it is a gray area. Recently we saw some companies that had the MOVEit vulnerability exploited but had no data loss. Should they report? But in some cases, their response to the vulnerability was in the millions: how about then? I expect and hope there will be further guidance.

Advice for security leaders: monitor the breach investigation and monitor the analysis of materiality. Security leaders won’t often make that call but should give guidance and continuous updates to the CxO who are responsible.

The second squishy bit is that the requirement is the reporting should be made four days after determining the incident is material. So not four days after the incident, but after the materiality determination. I understand why it was structured this way, as a small indicator of compromise must be followed up before understanding the scope and nature of a breach, including whether a breach has occurred at all. But this does give a window to some of the foot-dragging for disclosure we’ve unfortunately seen, including product companies with vulnerabilities.

Advice for security leaders: make management aware of the four-day reporting requirement and monitor the clock once the material line is crossed or identified.

Are there extensions?

There are, but not because you need more time. Instead “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.” Note that it specifically states that the Attorney General (AG) makes that determination, and the AG communicates this to the SEC. There could be some delegation of this authority within the Department of Justice in the future, but today it is the AG.

How does it compare to other countries and compliance regimes?

Breach and incident reporting and disclosure is not new, and the concept of reporting material events is already commonplace around the world. GDPR breach reporting is 72 hours, HHS HIPAA requires notice not later than 60 days and 90 days to individuals affected, and the UK Financial Conduct Authority (FCA) has breach reporting requirements. Canada has draft legislation in Bill C-26 that looks at mandatory reporting through the lens of critical industries, which includes verticals such as banking and telecoms but not public companies. Many of the world’s financial oversight bodies do not require breach notification for public companies in the exchanges they are responsible for.

Advice to security leaders: consider the new SEC rules as clarification and amplification of existing reporting requirements for material events rather than a new regime or something that is harsher or different to other geographies.

Is breach reporting the only new rule?

No, I’ve only focused on incident reporting in this post. There’s a few more. The two most noteworthy ones are:

Regulation S-K Item 106, requiring registrants to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.”
Also specified is that annual 10-Ks “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”

Bottom line

SEC mandatory reporting for material cybersecurity events was already a requirement under the general reporting requirements, however the timelines and nature of the reporting are getting real and have a ticking four-day timer on them.

Stepping back from the rules, the importance of visibility and continuous monitoring are the real takeaways. Time to detection can’t be at the speed of your least experienced analyst. Platform means unified visibility rather than a wall of consoles. Finding and stopping breaches means internal visibility must include a rich array of telemetry, and that it be continuously monitored.

Many SEC registrants have operations outside the US, and that means visibility needs to include threat intelligence that is localized to other geographies. These new SEC rules show more than ever that that cyber risk is business risk.

To learn more about cyber risk management, check out the following resources:

Source :
https://www.trendmicro.com/en_us/research/23/h/sec-cybersecurity-rules-2023.html

Cybersecurity Threat 1H 2023 Brief with Generative AI

By: Trend Micro
August 08, 2023
Read time: 4 min (1020 words)

How generative AI influenced threat trends in 1H 2023

A lot can change in cybersecurity over the course of just six months in criminal marketplaces. In the first half of 2023, the rapid expansion of generative AI tools began to be felt in scams such as virtual kidnapping and tools by cybercriminals. Tools like WormGPT and FraudGPT are being marketed. The use of AI empowers adversaries to carry out more sophisticated attacks and poses a new set of challenges. The good news is that the same technology can also be used to empower security teams to work more effectively.

As we analyze the major events and patterns observed during this time, we uncover critical insights that can help businesses stay ahead of risk and prepare for the challenges that lie ahead in the second half of the year.

AI-Driven Tools in Cybercrime

The adoption of AI in organizations has increased significantly, offering numerous benefits. However, cybercriminals are also harnessing the power of AI to carry out attacks more efficiently.

As detailed in a Trend research report in June, virtual kidnapping is a relatively new and concerning type of imposter scam. The scammer extorts their victims by tricking them into believing they are holding a friend or family member hostage. In reality, it is AI technology known as a “deepfake,” which enables the fraudster to impersonate the real voice of the “hostage” whilst on the phone. Audio harvested from their social media posts will typically be used to train the AI model.

However, it is generative AI that’s playing an increasingly important role earlier on in the attack chain—by accelerating what would otherwise be a time-consuming process of selecting the right victims. To find those most likely to pay up when confronted with traumatic content, threat groups can use generative AI like ChatGPT to filter large quantities of potential victim data, fusing it with geolocation and advertising analytics. The result is a risk-based scoring system that can show scammers at a glance where they should focus their attacks.

This isn’t just theory. Virtual kidnapping scams are already happening. The bad news is that generative AI could be leveraged to make such attacks even more automated and effective in the future. An attacker could generate a script via ChatGPT to then convert to the hostage’s voice using deepfake and a text-to-speech app.

Of course, virtual kidnapping is just one of a growing number of scams that are continually being refined and improved by threat actors. Pig butchering is another type of investment fraud where the victim is befriended online, sometimes on romance sites, and then tricked into depositing their money into fictitious cryptocurrency schemes. It’s feared that these fraudsters could use ChatGPT and similar tools to improve their conversational techniques and perhaps even shortlist victims most likely to fall for the scams.

What to expect

The emergence of generative AI tools enables cybercriminals to automate and improve the efficiency of their attacks. The future may witness the development of AI-driven threats like DDoS attacks, wipers, and more, increasing the sophistication and scale of cyberattacks.

One area of concern is the use of generative AI to select victims based on extensive data analysis. This capability allows cybercriminals to target individuals and organizations with precision, maximizing the impact of their attacks.

Fighting back

Fortunately, security experts like Trend are also developing AI tools to help customers mitigate such threats. Trend pioneered the use of AI and machine learning for cybersecurity—embedding the technology in products as far back as 2005. From those early days of spam filtering, we began developing models designed to detect and block unknown threats more effectively.

Trend’s defense strategy

Most recently, we began leveraging generative AI to enhance security operations. Companion is a cybersecurity assistant designed to automate repetitive tasks and thereby free up time-poor analysts to focus on high-value tasks. It can also help to fill skills gaps by decoding complex scripts, triaging and recommending actions, and explaining and contextualizing alerts for SecOps staff.

What else happened in 1H 2023?

Ransomware: Adapting and Growing

Ransomware attacks are becoming sophisticated, with illegal actors leveraging AI-enabled tools to automate their malicious activities. One new player on the scene, Mimic, has abused legitimate search tools to identify and encrypt specific files for maximum impact. Meanwhile, the Royal ransomware group has expanded its targets to include Linux platforms, signaling an escalation in their capabilities.

According to Trend data, ransomware groups have been targeting finance, IT, and healthcare industries the most in 2023. From January 1 to July 17, 2023, there have been 219, 206, and 178 successful compromises of victims in these industries, respectively.

Our research findings revealed that ransomware groups are collaborating more frequently, leading to lower costs and increased market presence. Some groups are showing a shift in motivation, with recent attacks resembling those of advanced persistent threat (APT) groups. To combat these evolving threats, organizations need to implement a “shift left” strategy, fortifying their defenses to prevent threats from gaining access to their networks in the first place.

Vulnerabilities: Paring Down Cyber Risk Index

While the Cyber Risk Index (CRI) has lowered to a moderate range, the threat landscape remains concerning. Smaller platforms are exploited by threat actors, such as Clop ransomware targeting MOVEIt and compromising government agencies. New top-level domains by Google pose risks for concealing malicious URLs. Connected cars create new avenues for hackers. Proactive cyber risk management is crucial.

Campaigns: Evading Detection and Expanding Targets

Malicious actors are continually updating their tools, techniques and procedures (TTP) to evade detection and cast a wider net for victims. APT34, for instance, used DNS-based communication combined with legitimate SMTP mail traffic to bypass security policies. Meanwhile, Earth Preta has shifted its focus to target critical infrastructure and key institutions using hybrid techniques to deploy malware.

Persistent threats like the APT41 subgroup Earth Longzhi have resurfaced with new techniques, targeting firms in multiple countries. These campaigns require a coordinated approach to cyber espionage, and businesses must remain vigilant against such attacks.

To learn more about Trend’s 2023 Midyear Cybersecurity Report, please visit: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/stepping-ahead-of-risk-trend-micro-2023-midyear-cybersecurity-threat-report

Source :
https://www.trendmicro.com/en_us/research/23/h/cybersecurity-threat-2023-generative-ai.html

The Journey to Zero Trust with Industry Frameworks

By: Alifiya Sadikali – Trendmicro
August 09, 2023
Read time: 4 min (1179 words)

Discover the core principles and frameworks of Zero Trust, NIST 800-207 guidelines, and best practices when implementing CISA’s Zero Trust Maturity Model.

With the growing number of devices connected to the internet, traditional security measures are no longer enough to keep your digital assets safe. To protect your organization from digital threats, it’s crucial to establish strong security protocols and take proactive measures to stay vigilant.

What is Zero Trust?

Zero Trust is a cybersecurity philosophy based on the premise that threats can arise internally and externally. With Zero Trust, no user, system, or service should automatically be trusted, regardless of its location within or outside the network. Providing an added layer of security to protect sensitive data and applications, Zero Trust only grants access to authenticated and authorized users and devices. And in the event of a data breach, compartmentalizing access to individual resources limits potential damage.

Your organization should consider Zero Trust as a proactive security strategy to protect its data and assets better.

The pillars of Zero Trust

At its core, the basis for Zero Trust is comprised of a few fundamental principles:

Verify explicitly. Only grant access once the user or device has been explicitly authenticated and verified. By doing so, you can ensure that only those with a legitimate need to access your organization’s resources can do so.
Least privilege access. Only give users access to the resources they need to do their job and nothing more. Limiting access in this way prevents unauthorized access to your organization’s data and applications.
Assume breach. Act as if a compromise to your organization’s security has occurred. Take steps to minimize the damage, including monitoring for unusual activity, limiting access to sensitive data, and ensuring that backups are up-to-date and secure.
Microsegmentation. Divide your organization’s network into smaller, more manageable segments and apply security controls to each segment individually. This reduces the risk of a breach spreading from one part of your network to another.
Security automation. Use tools and technologies to automate the process of monitoring, detecting, and responding to security threats. This ensures that your organization’s security is always up-to-date and can react quickly to new threats and vulnerabilities.

A Zero Trust approach is a proactive and effective way to protect your organization’s data and assets from cyber-attacks and data breaches. By following these core principles, your organization can minimize the risk of unauthorized access, reduce the impact of a breach, and ensure that your organization’s security is always up-to-date and effective.

The role of NIST 800-207 in Zero Trust

NIST 800-207 is a cybersecurity framework developed by the National Institute of Standards and Technology. It provides guidelines and best practices for organizations to manage and mitigate cybersecurity risks.

Designed to be flexible and adaptable for a variety of organizations and industries, the framework supports the customization of cybersecurity plans to meet their specific needs. Its implementation can help organizations improve their cybersecurity posture and protect against cyber threats.

One of the most important recommendations of NIST 800-207 is to establish a policy engine, policy administrator, and policy enforcement point. This will help ensure consistent policy enforcement and that access is granted only to those who need it.

Another critical recommendation is conducting continuous monitoring and having real-time risk-based decision-making capabilities. This can help you quickly identify and respond to potential threats.

Additionally, it is essential to understand and map dependencies among assets and resources. This will help you ensure your security measures are appropriately targeted based on potential vulnerabilities.

Finally, NIST recommends replacing traditional paradigms, such as implicit trust in assets or entities, with a “trust but verify” methodology. Adopting this approach can better protect your organization’s assets and resources from internal and external threats.

CISA’s Zero Trust Maturity Model

The Zero Trust Maturity Model (ZMM), developed by CISA, provides a comprehensive framework for assessing an organization’s Zero Trust posture. This model covers critical areas including:

Identity management: To implement a Zero Trust strategy, it is important to begin with identity. This involves continuously verifying, authenticating, and authorizing any entity before granting access to corporate resources. To achieve this, comprehensive visibility is necessary.
Devices, networks, applications: To maintain Zero Trust, use endpoint detection and response capabilities to detect threats and keep track of device assets, network connections, application configurations, and vulnerabilities. Continuously assess and score device security posture and implement risk-informed authentication protocols to ensure only trusted devices, networks and applications can access sensitive data and enterprise systems.
Data and governance: To maximize security, implement prevention, detection, and response measures for identity, devices, networks, IoT, and cloud. Monitor legacy protocols and device encryption status. Apply Data Loss Prevention and access control policies based on risk profiles.
Visibility and analytics: Zero Trust strategies cannot succeed within silos. By collecting data from various sources within an organization, organizations can gain a complete view of all entities and resources. This data can be analyzed through threat intelligence, generating reliable and contextualized alerts. By tracking broader incidents connected to the same root cause, organizations can make informed policy decisions and take appropriate response actions.
Automation and orchestration: To effectively automate security responses, it is important to have access to comprehensive data that can inform the orchestration of systems and manage permissions. This includes identifying the types of data being protected and the entities that are accessing it. By doing so, it ensures that there is proper oversight and security throughout the development process of functions, products, and services.

By thoroughly evaluating these areas, your organization can identify potential vulnerabilities in its security measures and take prompt action to improve your overall cybersecurity posture. CISA’s ZMM offers a holistic approach to security that will enable your organization to remain vigilant against potential threats.

Implementing Zero Trust with Trend Vision One

Trend Vision One seamlessly integrates with third-party partner ecosystems and aligns to industry frameworks and best practices, including NIST and CISA, offering coverage from prevention to extended detection and response across all pillars of zero trust.

Trend Vision One is an innovative solution that empowers organizations to identify their vulnerabilities, monitor potential threats, and evaluate risks in real-time, enabling them to make informed decisions regarding access control. With its open platform approach, Trend enables seamless integration with third-party partner ecosystems, including IAM, Vulnerability Management, Firewall, BAS, and SIEM/SOAR vendors, providing a comprehensive and unified source of truth for risk assessment within your current security framework. Additionally, Trend Vision One is interoperable with SWG, CASB, and ZTNA and includes Attack Surface Management and XDR, all within a single console.

Conclusion

CISOs today understand that the journey towards achieving Zero Trust is a gradual process that requires careful planning, step-by-step implementation, and a shift in mindset towards proactive security and cyber risk management. By understanding the core principles of Zero Trust and utilizing the guidelines provided by NIST and CISA to operationalize Zero Trust with Trend Vision One, you can ensure that your organization’s cybersecurity measures are strong and can adapt to the constantly changing threat landscape.

To read more thought leadership and research about Zero Trust, click here.

Source :
https://www.trendmicro.com/en_us/research/23/h/industry-zero-trust-frameworks.html

ChatGPT Highlights a Flaw in the Educational System

By: William Malik – Trendmicro
August 14, 2023
Read time: 4 min (1014 words)

Rethinking learning metrics and fostering critical thinking in the era of generative AI and LLMs

I recently participated in a conversation about artificial intelligence, specifically ChatGPT and its kin, with a group of educators in South Africa. They were concerned that the software would help students cheat.

We discussed two possible alternatives to ChatGPT: First, teachers could require that students submit handwritten homework. This would force students to at least read the material once before submitting it; Second, teachers could grade the paper submissions no higher than 89 percent (or a “B”), but that to get an “A,” the student would have to stand in front of the class and verbally discuss the material, their research, their conclusion, and answer any questions the teacher or other classmates might ask. (With that verbal defense of the ideas, the teacher might even waive the requirement for paper submission at all!)

The fundamental problem is that the grading system depends on homework. If education aims to teach an individual both a) a body of knowledge and b) the techniques of reasoning with that knowledge, then the metrics proving that achievement is misaligned.

One of the most quoted management scientists is Fredrick W. Taylor. He is most known for saying, “If you can’t measure it, you can’t manage it.” Interestingly, he never said that – which is fortunate because it is entirely wrong. People always manage things without metrics – from driving a car to raising children. He said: “If you measure it, you’ll manage it” – and he intended that as a warning. Whenever you adopt a metric, you will adjust your assessment of the underlying process in terms of your chosen metric. His warning is to be very careful about which metrics you choose.

Sometime in the past forty years, we decided that the purpose of education is to do well on tests. Unfortunately, that is also wrong. The purpose of education is to teach people to gather evidence and to think clearly about it. Students should learn how to judge various forms of evidence. They should understand rhetorical techniques (in the classical sense – how to render ideas clearly). They should be aware of common errors in thinking – the cognitive pitfalls we all fall into when rushed or distracted and logical fallacies which rob our arguments of their validity.

Large Language Models (LLMs) aggregate vast troves of text. Those data sources are not curated, so LLMs reflect the biases, logical limitations, and cognitive distortions in so much of what’s online. We are all familiar with early chatbots that were easily corrupted – the Microsoft chatbot Tay was perverted into being a racist resonator. (See “Twitter taught Microsoft’s AI Chatbot to be a Racist A**hole in Less than a Day” from The Verge, March 24, 2016, at https://www.theverge.com/2016/3/24/11297050/tay-microsoft-chatbot-racist accessed Aug 2023.)

LLMs do not think. They scan as much material as possible, then build a set of probabilities about which word is most likely to follow another word. If the word “pterodactyl” occurs in a text, then the next most likely word might be “soaring,” and “flying” might be in second place. If ChatGPT gets the word “pterodactyl” as input, it will put “soaring” next to it. This may look plausible to a person reading the output, but it cannot be correct. Correctness implies some kind of comprehension and judgment. ChatGPT does neither. It merely arranges words based on their statistical likelihood in the LLM’s database. We are now learning that LLMs that ingest computer-generated content become even more skewed – augmenting the likelihood of one word following another by rescanning the previous output. Over time, LLMs fed AI-generated content will drift farther and farther from actual human writing. The oft-mentioned hallucinations that LLMs generate will become more common as the distillation and amplification of the more likely subset of words leads to a contracted pool of possible machine-generated responses. Eventually – if we are not able to prevent LLMs from ingesting already-processed content – the output of ChatGPT will become more and more constrained, which, taken to the extreme, will yield one plot, one answer, one painting, and one outcome regardless of the specific input. Long before then, people will have abandoned LLM-based efforts for any activity that requires creativity.

Where can LLMs help? By sorting through bounded sets of information. That means an LLM trained on protein sequences could rapidly develop a most likely model for a protein that could attack a particular disease or interrupt an allergic reaction. In that case, the issue isn’t seeking creativity but rapidly scanning a set of nearly identical data overreactions to find the few that stand out enough to make a difference. A human doing this kind of work would quickly grow bored and likely make errors. LLMs can help science move quickly through vast quantities of data in closed domains. But when looking at an unbounded domain (art, poetry, fiction, movies, music, and the like), LLMs can only build average content, filling in the space between works. Artists seek to reach beyond the space their prior work defined.

The core problem with LLMs may be unsolvable. At this point, various organizations are exploring ways to tag AI-generated content (written and graphic) so humans can spend a moment assessing the accuracy and validity of the material. Of course, message digests can be corrupted and watermarks forged. A bad actor might maliciously tag authentic content as AI-generated. Recent developments include malicious ChatGPT variants designed to create BEC and phishing email content,

Students will always look for a shortcut, and that habit is difficult to overcome. In business, it will also be tempting for bureaucrats to use tools to simplify their tasks. How will your firm incorporate LLMs safely into your business processes? Organizations should consider how they will audit their internal procedures to ensure that LLM outputs are incorporated appropriately into communications. Imagine the potential for harm if some publicly traded company was found to have used an LLM to develop its annual financial report!

What do you think? Let me know in the comments below, or contact me @wjmalik@noc.social

Source :
https://www.trendmicro.com/en_us/research/23/h/chatgpt-flaw.html

OT Security is Less Mature but Progressing Rapidly

By: Kazuhisa Tagaya – Trendmicro
August 14, 2023
Read time: 2 min (638 words)

The latest study said that OT security is less mature in several capabilities than IT security, but most organizations are improving it.

e asked participants whether OT security for cybersecurity capabilities is less mature or more mature than IT in their organizations with reference to the NIST CSF.

As an average of all items, 39.5% answered that OT has a lower level of maturity. (18% answered OT security is more mature, and 36.4% at the same level)

Categorizing security capabilities into the five cores of the NIST CSF and aggregating them for each core, the most was that Detect is lower maturity in OT security than in IT. (42%)

Figure1: What security capabilities in OT are lower than IT (NIST CSF 5 Core)

Furthermore, looking at the specific security capabilities, the score of “Cyber event detection” is the most(45.7%).

Figure2: What security capabilities in OT are lower than IT (detail)

The OT environment has more diverse legacy assets, and protocol stacks dedicated to ICS/OT, making it difficult to implement sensors to detect malicious behavior or apply the patches on the assets. The inability to implement uniform measures in the same way as IT security is an obstacle to increasing the maturity level.

Detection in OT: Endpoint and Network

The survey asked respondents about their Endpoint Detection and Response (EDR) and Network Security Monitoring (NSM) implementations to measure their visibility in their OT environments. They answered whether EDR (including antivirus) was implemented in the following three places.

Server assets running commercial OS (Windows, Linux, Unix): 41%
Engineering (engineering workstations, instrumentation laptops, calibration and test equipment) assets running commercial OS (Windows, Unix, Linux): 34%
Operator assets (HMI, workstations) running commercial OS (Windows, Linux, Unix): 33%

In addition, 76% of organizations that have already deployed EDR said they plan to expand their deployment within 24 months.

We also asked whether NSM (including IDS) was implemented at the following levels referring to the Purdue model.

Purdue Level 4 (Enterprise): 30%
Purdue Level 3.5 (DMZ): 36%
Purdue Level 3 (Site or SCADA-wide): 38%
Purdue Level 2 (Control): 20%
Purdue Levels 1/0 (Sensors and Actuators): 8%

Like EDR, 70% of organizations that have already implemented NSM said they have plans to expand implementation within 24 months.

In this survey, EDR implementation rates tended to vary depending on the respondent’s industry and size of organization. The implementation rate of NSM was relatively high in DMZ and Level 3, and the implementation rate decreased according to the lower layers. But I think it is not appropriate to conclude the decisive trend from the average value in the questions, because there are variations in the places where they are implemented EDR and NSM depending on the organization. The implementation rate shown here is just a rough standard. Where and how much to invest depends on the environment and decision-making of the organization. Asset owners can use the result as a reference to see where to implement EDR and NSM and evaluate their implementation plans.

To learn about how to assess risk in your OT environment to invest appropriately, please refer to our practices of risk assessment in smart factories.

Reference:
Breaking IT/OT Silos with ICS/OT Visibility – 2023 SANS ICS/OT visibility survey

Source :
https://www.trendmicro.com/en_us/research/23/h/ot-security-2023.html

Top 10 AI Security Risks According to OWASP

By: Trend Micro
August 15, 2023
Read time: 4 min (1157 words)

The unveiling of the first-ever Open Worldwide Application Security Project (OWASP) risk list for large language model AI chatbots was yet another sign of generative AI’s rush into the mainstream—and a crucial step toward protecting enterprises from AI-related threats.

For more than 20 years, the Open Worldwide Application Security Project (OWASP) top 10 risk list has been a go-to reference in the fight to make software more secure. So it’s no surprise developers and cybersecurity professionals paid close attention earlier this spring when OWASP published an all-new list focused on large language model AI vulnerabilities.

OWASP’s move is yet more proof of how quickly AI chatbots have swept into the mainstream. Nearly half (48%) of corporate respondents to one survey said that by February 2023 they had already replaced workers with ChatGPT—just three months after its public launch. With many observers expressing concern that AI adoption has rushed ahead without understanding of the risks involved, the OWASP top 10 AI risk list is both timely and essential.

Large language model vulnerabilities at a glance

OWASP has released two draft versions of its AI vulnerability list so far: one in May 2023 and a July 1 update with refined classifications and definitions, examples, scenarios, and links to additional references. The most recent is labeled ‘version 0.5’, and a formal version 1 is reported to be in the works.

We did some analysis and found the vulnerabilities identified by OWASP fall broadly into three categories:

Access risks associated with exploited privileges and unauthorized actions.
Data risks such as data manipulation or loss of services.
Reputational and business risks resulting from bad AI outputs or actions.

In this blog, we take a closer look at the specific risks in each case and offer some suggestions about how to handle them.

1. Access risks

Of the 10 vulnerabilities listed by OWASP, four are specific to access and misuse of privileges: insecure plugins, insecure output handling, permissions issues, and excessive agency.

According to OWASP, any large language model that uses insecure plugins to receive “free-form text” inputs could be exposed to malicious requests, resulting in unwanted behaviors or the execution of unauthorized remote code. On the flipside, plugins or applications that handle large language model outputs insecurely—without evaluating them—could be susceptible to cross-site and server-side request forgeries, unauthorized privilege escalations, hijack attacks, and more.

Similarly, when authorizations aren’t tracked between plugins, permissions issues can arise that open the way for indirect prompt injections or malicious plugin usage.

Finally, because AI chatbots are ‘actors’ able to make and implement decisions, it matters how much free reign (i.e., agency) they’re given. As OWASP explains, “When LLMs interface with other systems, unrestricted agency may lead to undesirable operations and actions.” Examples include personal mail reader assistants being exploited to propagate spam or customer service AI chatbots manipulated into issuing undeserved refunds.

In all of these cases, the large language model becomes a conduit for bad actors to infiltrate systems.

2. Data risks

Poisoned training data, supply chain vulnerabilities, prompt injection vulnerabilities and denials of serviceare all data-specific AI risks.

Data can be poisoned deliberately by bad actors who want to harm an organization. It can also be distorted inadvertently when an AI system learns from unreliable or unvetted sources. Both types of poisoning can occur within an active AI chatbot application or emerge from the large language model supply chain, where reliance on pre-trained models, crowdsourced data, and insecure plugin extensions may produce biased data outputs, security breaches, or system failures.

With prompt injections, ill-meaning inputs may cause a large language model AI chatbot to expose data that should be kept private or perform other actions that lead to data compromises.

AI denial of service attacks are similar to classic DOS attacks. They may aim to overwhelm a large language model and deprive users of access to data and apps, or—because many AI chatbots rely on pay-as-you-go IT infrastructure—force the system to consume excessive resources and rack up massive costs.

3. Reputational and business risks

The final OWASP vulnerability (according to our buckets) is already reaping consequences around the world today:overreliance on AI. There’s no shortage of stories about large language models generating false or inappropriate outputs from fabricated citations and legal precedents to racist and sexist language.

OWASP points out that depending on AI chatbots without proper oversight can make organizations vulnerable to publishing misinformation or offensive content that results in reputational damage or even legal action.
Given all these various risks, the question becomes, “What can we do about it?” Fortunately, there are some protective steps organizations can take.

What enterprises can do about large language model vulnerabilities

From our perspective at Trend Micro, defending against AI access risks requires a zero-trust security stance with disciplined separation of systems (sandboxing). Even though generative AI has the ability to challenge zero-trust defenses in ways that other IT systems don’t—because it can mimic trusted entities—a zero-trust posture still adds checks and balances that make it easier to identify and contain unwanted activity. OWASP also advises that large language models “should not self-police” and calls for controls to be embedded in application programming interfaces (APIs).

Sandboxing is also key to protecting data privacy and integrity: keeping confidential information fully separated from shareable data and making it inaccessible to AI chatbots and other public-facing systems. (See our recent blog on AI cybersecurity policies for more.)

Good separation of data prevents large language models from including private or personally identifiable information in public outputs, and from being publicly prompted to interact with secure applications such as payment systems in inappropriate ways.

On the reputational front, the simplest remedies are to not rely solely on AI-generated content or code, and to never publish or use AI outputs without first verifying they are true, accurate, and reliable.

Many of these defensive measures can—and should—be embedded in corporate policies. Once an appropriate policy foundation is in place, security technologies such as endpoint detection and response (EDR), extended detection and response (XDR), and security information and event management (SIEM) can be used for enforcement and to monitor for potentially harmful activity.

Large language model AI chatbots are here to stay

OWASP’s initial work cataloguing AI risks proves that concerns about the rush to embrace AI are well justified. At the same time, AI clearly isn’t going anywhere, so understanding the risks and taking responsible steps to mitigate them is critically important.

Setting up the right policies to manage AI use and implementing those policies with the help of cybersecurity solutions is a good first step. So is staying informed. The way we see it at Trend Micro, OWASP’s top 10 AI risk list is bound to become as much of an annual must-read as its original application security list has been since 2003.

Next steps

For more Trend Micro thought leadership on AI chatbot security, check out these resources:

Source :
https://www.trendmicro.com/en_us/research/23/h/top-ai-risks.html

The Current Security State of Private 5G Networks

By: Trend Micro
August 18, 2023
Read time: 3 min (931 words)

Private 5G networks offer businesses enhanced security, reliability, and scalability. Learn more about why private 5G could be the future of secure networking.

Source :
https://www.trendmicro.com/en_us/research/23/h/private-5g-network-security.html

The five-day job: A BlackByte ransomware intrusion case study

July 6, 2023

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:

Exploitation of unpatched internet-exposed Microsoft Exchange Servers
Web shell deployment facilitating remote access
Use of living-off-the-land tools for persistence and reconnaissance
Deployment of Cobalt Strike beacons for command and control (C2)
Process hollowing and the use of vulnerable drivers for defense evasion
Deployment of custom-developed backdoors to facilitate persistence
Deployment of a custom-developed data collection and exfiltration tool

BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact. — Figure 1. BlackByte 2.0 ransomware attack chain

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.

Forensic analysis

Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

Attain system-level privileges on the compromised Exchange host
Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
Construct a valid authentication token and use it against the Exchange PowerShell backend
Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

185.225.73[.]244

Persistence

Backdoor

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

Registry key	Value name	Value data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	MsEdgeMsE	rundll32 C:\Users\user\Downloads\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	MsEdgeMsE	rundll32 C:\temp\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	MsEdgeMsE	rundll32 C:\systemtest\api-system.png,Default

The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:

hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

109.206.243[.]59:443

AnyDesk

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:

C:\systemtest\anydesk\AnyDesk.exe
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
C:\Scripts\AnyDesk.exe

Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

Reconnaissance

We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:

netscan.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
netapp.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

Credential access

Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

Data staging and exfiltration

In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

explorer.exe P@$$w0rd

After reverse engineering explorer.exe, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_ — Figure 2. Binary analysis showing file extensions enumerated by *explorer.exe*

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

hxxps://g.api.mega.co[.]nz

Figure 3. Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ

We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

ExByte execution flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:

If this check fails, ShellExecuteW is invoked with the IpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read the data.txt file in the current location:

If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q

If data.txt exists, explorer.exe reads the file, passes the buffer to Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as JSON below and fed for login function:

{ “a”:”us0”, “user”:”<CONTENT FROM data.txt>”}

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

wEFT.exe
schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (-s or -a), execution may create the following files:

C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
C:\SystemData\wEFT.exe (Additional BlackByte binary)
C:\SystemData\MsExchangeLog1.log (Log file)
C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
C:\SystemData\iHu6c4.ico (Random name – BlackBytes icon)
C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
C:\SystemData\skip_bypass.txt (Unknown)

BlackByte 2.0 ransomware capabilities

Some capabilities identified for the BlackByte 2.0 ransomware were:

Antivirus bypass
- The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read or write to arbitrary memory
- The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed antivirus software
Process hollowing
- Invokes svchost.exe, injects to it to complete device encryption, and self-deletes by executing the following command:
  - cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del “PATH_TO_BLACKBYTE” /F /Q
Modification / disabling of Windows Firewall
- The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:
  - cmd /c netsh advfirewall set allprofiles state off
- - cmd /c netsh advfirewall firewall set rule group=”File and Printer Sharing” new enable=Yes
  - cmd /c netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes
Modification of volume shadow copies
- The following commands are executed to destroy volume shadow copies on the machine:
  - cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB
  - cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED
Modification of registry keys/values
- The following commands are executed to modify the registry, facilitating elevated execution on the device:
  - cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
- - cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  - cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
Additional functionality
- Ability to terminate running services and processes
- Ability to enumerate and mount volumes and network shares for encryption
- Perform anti-forensics technique timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)
- Ability to perform anti-debugging techniques

Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized; Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
Ensure antivirus protections are updated regularly by turning on cloud-based protection and that your antivirus solution is configured to block threats
Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
Block inbound traffic from IPs specified in the indicators of compromise section of this report
Block inbound traffic from TOR exit nodes
Block inbound access from unauthorized public VPN services
Restrict administrative privileges to prevent authorized system changes

Conclusion

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

Trojan:Win32/Kovter!MSR
Trojan:Win64/WinGoObfusc.LK!MT
Trojan:Win64/BlackByte!MSR
HackTool:Win32/AdFind!MSR
Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

‘CVE-2021-31207’ exploit malware was detected
An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
Suspicious registry modification.
‘Rtcore64’ hacktool was detected
Possible ongoing hands-on-keyboard activity (Cobalt Strike)
A file or network connection related to a ransomware-linked emerging threat activity group detected
Suspicious sequence of exploration activities
A process was injected with potentially malicious code
Suspicious behavior by cmd.exe was observed
‘Blackbyte’ ransomware was detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

CVE-2021-34473
CVE-2021-34523
CVE-2021-31207
CVE-2019-16098

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ProxyShell web shell creation events

DeviceProcessEvents

| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")

Suspicious vssadmin events

DeviceProcessEvents

| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED")

Detection for persistence creation using Registry Run keys

DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE") or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE") or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE")| where RegistryValueData startswith @"rundll32"| where RegistryValueData endswith @".dll,Default"| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

Indicators of compromise

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator	Type	Description
4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e	SHA-256	api-msvc.dll (Backdoor installed through RunKeys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103	SHA-256	sys.exe (Cobalt Strike Beacon)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd	SHA-256	rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f	SHA-256	[RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e	SHA-256	“netscan.exe”, “netapp.exe (Netscan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e	SHA-256	AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/t	URL	C2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exe	URL	Download URL for sys.exe
109.206.243[.]59	IP Address	C2 for Cobalt Strike Beacon sys.exe
185.225.73[.]244	IP Address	Originating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

Appendix

File extensions targeted by BlackByte binary for encryption:

.4dd	.4dl	.accdb	.accdc	.accde	.accdr	.accdt	.accft
.adb	.ade	.adf	.adp	.arc	.ora	.alf	.ask
.btr	.bdf	.cat	.cdb	.ckp	.cma	.cpd	.dacpac
.dad	.dadiagrams	.daschema	.db	.db-shm	.db-wal	.db3	.dbc
.dbf	.dbs	.dbt	.dbv	. dbx	. dcb	. dct	. dcx
. ddl	. dlis	. dp1	. dqy	. dsk	. dsn	. dtsx	. dxl
. eco	. ecx	. edb	. epim	. exb	. fcd	. fdb	. fic
. fmp	. fmp12	. fmpsl	. fol	.fp3	. fp4	. fp5	. fp7
. fpt	. frm	. gdb	. grdb	. gwi	. hdb	. his	. ib
. idb	. ihx	. itdb	. itw	. jet	. jtx	. kdb	. kexi
. kexic	. kexis	. lgc	. lwx	. maf	. maq	. mar	. masmav
. mdb	. mpd	. mrg	. mud	. mwb	. myd	. ndf	. nnt
. nrmlib	. ns2	. ns3	. ns4	. nsf	. nv	. nv2	. nwdb
. nyf	. odb	. ogy	. orx	. owc	. p96	. p97	. pan
. pdb	. pdm	. pnz	. qry	. qvd	. rbf	. rctd	. rod
. rodx	. rpd	. rsd	. sas7bdat	. sbf	. scx	. sdb	. sdc
. sdf	. sis	. spg	. sql	. sqlite	. sqlite3	. sqlitedb	. te
. temx	. tmd	. tps	. trc	. trm	. udb	. udl	. usr
. v12	. vis	. vpd	. vvv	. wdb	. wmdb	. wrk	. xdb
. xld	. xmlff	. abcddb	. abs	. abx	. accdw	. and	. db2
. fm5	. hjt	. icg	. icr	. kdb	. lut	. maw	. mdn
. mdt

Shared folders targeted for encryption (Example: \\[IP address]\Downloads):

Users	Backup	Veeam	homes	home
media	common	Storage Server	Public	Web
Images	Downloads	BackupData	ActiveBackupForBusiness	Backups
NAS-DC	DCBACKUP	DirectorFiles	share

File extensions ignored:

.ini	.url	.msilog	.log	.ldf	.lock	.theme	.msi
.sys	.wpx	.cpl	.adv	.msc	.scr	.key	.ico
.dll	.hta	.deskthemepack	.nomedia	.msu	.rtp	.msp	.idx
.ani	.386	.diagcfg	.bin	.mod	.ics	.com	.hlp
.spl	.nls	.cab	.exe	.diagpkg	.icl	.ocx	.rom
.prf	.thempack	.msstyles	.icns	.mpa	.drv	.cur	.diagcab
.cmd	.shs

Folders ignored:

windows	boot	program files (x86)	windows.old	programdata
intel	bitdefender	trend micro	windowsapps	appdata
application data	system volume information	perflogs	msocache

Files ignored:

bootnxt	ntldr	bootmgr	thumbs.db
ntuser.dat	bootsect.bak	autoexec.bat	iconcache.db
bootfont.bin

Processes terminated:

teracopy	teamviewer	nsservice	nsctrl	uranium
processhacker	procmon	pestudio	procmon64	x32dbg
x64dbg	cff explorer	procexp	pslist	tcpview
tcpvcon	dbgview	rammap	rammap64	vmmap
ollydbg	autoruns	autorunssc	filemon	regmon
idaq	idaq64	immunitydebugger	wireshark	dumpcap
hookexplorer	importrec	petools	lordpe	sysinspector
proc_analyzer	sysanalyzer	sniff_hit	windbg	joeboxcontrol
joeboxserver	resourcehacker	fiddler	httpdebugger	dumpit
rammap	rammap64	vmmap	agntsvc	cntaosmgr
dbeng50	dbsnmp	encsvc	infopath	isqlplussvc
mbamtray	msaccess	msftesql	mspub	mydesktopqos
mydesktopservice	mysqld	mysqld-nt	mysqld-opt	Ntrtscan
ocautoupds	ocomm	ocssd	onenote	oracle
outlook	PccNTMon	powerpnt	sqbcoreservice	sql
sqlagent	sqlbrowser	sqlservr	sqlwriter	steam
synctime	tbirdconfig	thebat	thebat64	thunderbird
tmlisten	visio	winword	wordpad	xfssvccon
zoolz

Services terminated:

CybereasonRansomFree	vnetd	bpcd	SamSs	TeraCopyService
msftesql	nsService	klvssbridge64	vapiendpoint	ShMonitor
Smcinst	SmcService	SntpService	svcGenericHost	Swi_
TmCCSF	tmlisten	TrueKey	TrueKeyScheduler	TrueKeyServiceHelper
WRSVC	McTaskManager	OracleClientCache80	mfefire	wbengine
mfemms	RESvc	mfevtp	sacsvr	SAVAdminService
SepMasterService	PDVFSService	ESHASRV	SDRSVC	FA_Scheduler
KAVFS	KAVFS_KAVFSGT	kavfsslp	klnagent	macmnsvc
masvc	MBAMService	MBEndpointAgent	McShield	audioendpointbuilder
Antivirus	AVP	DCAgent	bedbg	EhttpSrv
MMS	ekrn	EPSecurityService	EPUpdateService	ntrtscan
EsgShKernel	msexchangeadtopology	AcrSch2Svc	MSOLAP$TPSAMA	Intel(R) PROSet Monitoring
msexchangeimap4	ARSM	unistoresvc_1af40a	ReportServer$TPS	MSOLAP$SYSTEM_BGC
W3Svc	MSExchangeSRS	ReportServer$TPSAMA	Zoolz 2 Service	MSOLAP$TPS
aphidmonitorservice	SstpSvc	MSExchangeMTA	ReportServer$SYSTEM_BGC	Symantec System Recovery
UI0Detect	MSExchangeSA	MSExchangeIS	ReportServer	MsDtsServer110
POP3Svc	MSExchangeMGMT	SMTPSvc	MsDtsServer	IisAdmin
MSExchangeES	EraserSvc11710	Enterprise Client Service	MsDtsServer100	NetMsmqActivator
stc_raw_agent	VSNAPVSS	PDVFSService	AcrSch2Svc	Acronis
CASAD2DWebSvc	CAARCUpdateSvc	McAfee	avpsus	DLPAgentService
mfewc	BMR Boot Service	DefWatch	ccEvtMgr	ccSetMgr
SavRoam	RTVsc screenconnect	ransom	sqltelemetry	msexch
vnc	teamviewer	msolap	veeam	backup
sql	memtas	vss	sophos	svc$
mepocs	wuauserv

Drivers that Blackbyte can bypass:

360avflt.sys	360box.sys	360fsflt.sys	360qpesv.sys	5nine.cbt.sys
a2acc.sys	a2acc64.sys	a2ertpx64.sys	a2ertpx86.sys	a2gffi64.sys
a2gffx64.sys	a2gffx86.sys	aaf.sys	aalprotect.sys	abrpmon.sys
accessvalidator.sys	acdriver.sys	acdrv.sys	adaptivaclientcache32.sys	adaptivaclientcache64.sys
adcvcsnt.sys	adspiderdoc.sys	aefilter.sys	agentrtm64.sys	agfsmon.sys
agseclock.sys	agsyslock.sys	ahkamflt.sys	ahksvpro.sys	ahkusbfw.sys
ahnrghlh.sys	aictracedrv_am.sys	airship-filter.sys	ajfsprot.sys	alcapture.sys
alfaff.sys	altcbt.sys	amfd.sys	amfsm.sys	amm6460.sys
amm8660.sys	amsfilter.sys	amznmon.sys	antileakfilter.sys	antispyfilter.sys
anvfsm.sys	apexsqlfilterdriver.sys	appcheckd.sys	appguard.sys	appvmon.sys
arfmonnt.sys	arta.sys	arwflt.sys	asgard.sys	ashavscan.sys
asiofms.sys	aswfsblk.sys	aswmonflt.sys	aswsnx.sys	aswsp.sys
aszfltnt.sys	atamptnt.sys	atc.sys	atdragent.sys	atdragent64.sys
aternityregistryhook.sys	atflt.sys	atrsdfw.sys	auditflt.sys	aupdrv.sys
avapsfd.sys	avc3.sys	avckf.sys	avfsmn.sys	avgmfi64.sys
avgmfrs.sys	avgmfx64.sys	avgmfx86.sys	avgntflt.sys	avgtpx64.sys
avgtpx86.sys	avipbb.sys	avkmgr.sys	avmf.sys	awarecore.sys
axfltdrv.sys	axfsysmon.sys	ayfilter.sys	b9kernel.sys	backupreader.sys
bamfltr.sys	bapfecpt.sys	bbfilter.sys	bd0003.sys	bddevflt.sys
bdfiledefend.sys	bdfilespy.sys	bdfm.sys	bdfsfltr.sys	bdprivmon.sys
bdrdfolder.sys	bdsdkit.sys	bdsfilter.sys	bdsflt.sys	bdsvm.sys
bdsysmon.sys	bedaisy.sys	bemk.sys	bfaccess.sys	bfilter.sys
bfmon.sys	bhdrvx64.sys	bhdrvx86.sys	bhkavka.sys	bhkavki.sys
bkavautoflt.sys	bkavsdflt.sys	blackbirdfsa.sys	blackcat.sys	bmfsdrv.sys
bmregdrv.sys	boscmflt.sys	bosfsfltr.sys	bouncer.sys	boxifier.sys
brcow_x_x_x_x.sys	brfilter.sys	brnfilelock.sys	brnseclock.sys	browsermon.sys
bsrfsflt.sys	bssaudit.sys	bsyaed.sys	bsyar.sys	bsydf.sys
bsyirmf.sys	bsyrtm.sys	bsysp.sys	bsywl.sys	bwfsdrv.sys
bzsenspdrv.sys	bzsenth.sys	bzsenyaradrv.sys	caadflt.sys	caavfltr.sys
cancelsafe.sys	carbonblackk.sys	catflt.sys	catmf.sys	cbelam.sys
cbfilter20.sys	cbfltfs4.sys	cbfsfilter2017.sys	cbfsfilter2020.sys	cbsampledrv.sys
cdo.sys	cdrrsflt.sys	cdsgfsfilter.sys	centrifyfsf.sys	cfrmd.sys
cfsfdrv	cgwmf.sys	change.sys	changelog.sys	chemometecfilter.sys
ciscoampcefwdriver.sys	ciscoampheurdriver.sys	ciscosam.sys	clumiochangeblockmf.sys	cmdccav.sys
cmdcwagt.sys	cmdguard.sys	cmdmnefs.sys	cmflt.sys	code42filter.sys
codex.sys	conduantfsfltr.sys	containermonitor.sys	cpavfilter.sys	cpavkernel.sys
cpepmon.sys	crexecprev.sys	crncache32.sys	crncache64.sys	crnsysm.sys
cruncopy.sys	csaam.sys	csaav.sys	csacentr.sys	csaenh.sys
csagent.sys	csareg.sys	csascr.sys	csbfilter.sys	csdevicecontrol.sys
csfirmwareanalysis.sys	csflt.sys	csmon.sys	cssdlp.sys	ctamflt.sys
ctifile.sys	ctinet.sys	ctrpamon.sys	ctx.sys	cvcbt.sys
cvofflineflt32.sys	cvofflineflt64.sys	cvsflt.sys	cwdriver.sys	cwmem2k64.sys
cybkerneltracker.sys	cylancedrv64.sys	cyoptics.sys	cyprotectdrv32.sys	cyprotectdrv64.sys
cytmon.sys	cyverak.sys	cyvrfsfd.sys	cyvrlpc.sys	cyvrmtgn.sys
datanow_driver.sys	dattofsf.sys	da_ctl.sys	dcfafilter.sys	dcfsgrd.sys
dcsnaprestore.sys	deepinsfs.sys	delete_flt.sys	devmonminifilter.sys	dfmfilter.sys
dgedriver.sys	dgfilter.sys	dgsafe.sys	dhwatchdog.sys	diflt.sys
diskactmon.sys	dkdrv.sys	dkrtwrt.sys	dktlfsmf.sys	dnafsmonitor.sys
docvmonk.sys	docvmonk64.sys	dpmfilter.sys	drbdlock.sys	drivesentryfilterdriver2lite.sys
drsfile.sys	drvhookcsmf.sys	drvhookcsmf_amd64.sys	drwebfwflt.sys	drwebfwft.sys
dsark.sys	dsdriver.sys	dsfemon.sys	dsflt.sys	dsfltfs.sys
dskmn.sys	dtdsel.sys	dtpl.sys	dwprot.sys	dwshield.sys
dwshield64.sys	eamonm.sys	easeflt.sys	easyanticheat.sys	eaw.sys
ecatdriver.sys	edevmon.sys	ednemfsfilter.sys	edrdrv.sys	edrsensor.sys
edsigk.sys	eectrl.sys	eetd32.sys	eetd64.sys	eeyehv.sys
eeyehv64.sys	egambit.sys	egfilterk.sys	egminflt.sys	egnfsflt.sys
ehdrv.sys	elock2fsctldriver.sys	emxdrv2.sys	enigmafilemondriver.sys	enmon.sys
epdrv.sys	epfw.sys	epfwwfp.sys	epicfilter.sys	epklib.sys
epp64.sys	epregflt.sys	eps.sys	epsmn.sys	equ8_helper.sys
eraser.sys	esensor.sys	esprobe.sys	estprmon.sys	estprp.sys
estregmon.sys	estregp.sys	estrkmon.sys	estrkr.sys	eventmon.sys
evmf.sys	evscase.sys	excfs.sys	exprevdriver.sys	failattach.sys
failmount.sys	fam.sys	fangcloud_autolock_driver.sys	fapmonitor.sys	farflt.sys
farwflt.sys	fasdriver	fcnotify.sys	fcontrol.sys	fdrtrace.sys
fekern.sys	fencry.sys	ffcfilt.sys	ffdriver.sys	fildds.sys
filefilter.sys	fileflt.sys	fileguard.sys	filehubagent.sys	filemon.sys
filemonitor.sys	filenamevalidator.sys	filescan.sys	filesharemon.sys	filesightmf.sys
filesystemcbt.sys	filetrace.sys	file_monitor.sys	file_protector.sys	file_tracker.sys
filrdriver.sys	fim.sys	fiometer.sys	fiopolicyfilter.sys	fjgsdis2.sys
fjseparettifilterredirect.sys	flashaccelfs.sys	flightrecorder.sys	fltrs329.sys	flyfs.sys
fmdrive.sys	fmkkc.sys	fmm.sys	fortiaptfilter.sys	fortimon2.sys
fortirmon.sys	fortishield.sys	fpav_rtp.sys	fpepflt.sys	fsafilter.sys
fsatp.sys	fsfilter.sys	fsgk.sys	fshs.sys	fsmon.sys
fsmonitor.sys	fsnk.sys	fsrfilter.sys	fstrace.sys	fsulgk.sys
fsw31rj1.sys	gagsecurity.sys	gbpkm.sys	gcffilter.sys	gddcv.sys
gefcmp.sys	gemma.sys	geprotection.sys	ggc.sys	gibepcore.sys
gkff.sys	gkff64.sys	gkpfcb.sys	gkpfcb64.sys	gofsmf.sys
gpminifilter.sys	groundling32.sys	groundling64.sys	gtkdrv.sys	gumhfilter.sys
gzflt.sys	hafsnk.sys	hbflt.sys	hbfsfltr.sys	hcp_kernel_acq.sys
hdcorrelatefdrv.sys	hdfilemon.sys	hdransomoffdrv.sys	hdrfs.sys	heimdall.sys
hexisfsmonitor.sys	hfileflt.sys	hiofs.sys	hmpalert.sys	hookcentre.sys
hooksys.sys	hpreg.sys	hsmltmon.sys	hsmltwhl.sys	hssfwhl.sys
hvlminifilter.sys	ibr2fsk.sys	iccfileioad.sys	iccfilteraudit.sys	iccfiltersc.sys
icfclientflt.sys	icrlmonitor.sys	iderafilterdriver.sys	ielcp.sys	ieslp.sys
ifs64.sys	ignis.sys	iguard.sys	iiscache.sys	ikfilesec.sys
im.sys	imffilter.sys	imfilter.sys	imgguard.sys	immflex.sys
immunetprotect.sys	immunetselfprotect.sys	inisbdrv64.sys	ino_fltr.sys	intelcas.sys
intmfs.sys	inuse.sys	invprotectdrv.sys	invprotectdrv64.sys	ionmonwdrv.sys
iothorfs.sys	ipcomfltr.sys	ipfilter.sys	iprotect.sys	iridiumswitch.sys
irongatefd.sys	isafekrnl.sys	isafekrnlmon.sys	isafermon	isecureflt.sys
isedrv.sys	isfpdrv.sys	isirmfmon.sys	isregflt.sys	isregflt64.sys
issfltr.sys	issregistry.sys	it2drv.sys	it2reg.sys	ivappmon.sys
iwdmfs.sys	iwhlp.sys	iwhlp2.sys	iwhlpxp.sys	jdppsf.sys
jdppwf.sys	jkppob.sys	jkppok.sys	jkpppf.sys	jkppxk.sys
k7sentry.sys	kavnsi.sys	kawachfsminifilter.sys	kc3.sys	kconv.sys
kernelagent32.sys	kewf.sys	kfac.sys	kfileflt.sys	kisknl.sys
klam.sys	klbg.sys	klboot.sys	kldback.sys	kldlinf.sys
kldtool.sys	klfdefsf.sys	klflt.sys	klgse.sys	klhk.sys
klif.sys	klifaa.sys	klifks.sys	klifsm.sys	klrsps.sys
klsnsr.sys	klupd_klif_arkmon.sys	kmkuflt.sys	kmnwch.sys	kmxagent.sys
kmxfile.sys	kmxsbx.sys	ksfsflt.sys	ktfsfilter.sys	ktsyncfsflt.sys
kubwksp.sys	lafs.sys	lbd.sys	lbprotect.sys	lcgadmon.sys
lcgfile.sys	lcgfilemon.sys	lcmadmon.sys	lcmfile.sys	lcmfilemon.sys
lcmprintmon.sys	ldsecdrv.sys	libwamf.sys	livedrivefilter.sys	llfilter.sys
lmdriver.sys	lnvscenter.sys	locksmith.sys	lragentmf.sys	lrtp.sys
magicbackupmonitor.sys	magicprotect.sys	majoradvapi.sys	marspy.sys	maxcryptmon.sys
maxproc64.sys	maxprotector.sys	mbae64.sys	mbam.sys	mbamchameleon.sys
mbamshuriken.sys	mbamswissarmy.sys	mbamwatchdog.sys	mblmon.sys	mcfilemon32.sys
mcfilemon64.sys	mcstrg.sys	mearwfltdriver.sys	message.sys	mfdriver.sys
mfeaack.sys	mfeaskm.sys	mfeavfk.sys	mfeclnrk.sys	mfeelamk.sys
mfefirek.sys	mfehidk.sys	mfencbdc.sys	mfencfilter.sys	mfencoas.sys
mfencrk.sys	mfeplk.sys	mfewfpk.sys	miniicpt.sys	minispy.sys
minitrc.sys	mlsaff.sys	mmpsy32.sys	mmpsy64.sys	monsterk.sys
mozycorpfilter.sys	mozyenterprisefilter.sys	mozyentfilter.sys	mozyhomefilter.sys	mozynextfilter.sys
mozyoemfilter.sys	mozyprofilter.sys	mpfilter.sys	mpkernel.sys	mpksldrv.sys
mpxmon.sys	mracdrv.sys	mrxgoogle.sys	mscan-rt.sys	msiodrv4.sys
msixpackagingtoolmonitor.sys	msnfsflt.sys	mspy.sys	mssecflt.sys	mtsvcdf.sys
mumdi.sys	mwac.sys	mwatcher.sys	mwfsmfltr.sys	mydlpmf.sys
namechanger.sys	nanoavmf.sys	naswsp.sys	ndgdmk.sys	neokerbyfilter
netaccctrl.sys	netaccctrl64.sys	netguard.sys	netpeeker.sys	ngscan.sys
nlcbhelpi64.sys	nlcbhelpx64.sys	nlcbhelpx86.sys	nlxff.sys	nmlhssrv01.sys
nmpfilter.sys	nntinfo.sys	novashield.sys	nowonmf.sys	npetw.sys
nprosec.sys	npxgd.sys	npxgd64.sys	nravwka.sys	nrcomgrdka.sys
nrcomgrdki.sys	nregsec.sys	nrpmonka.sys	nrpmonki.sys	nsminflt.sys
nsminflt64.sys	ntest.sys	ntfsf.sys	ntguard.sys	ntps_fa.sys
nullfilter.sys	nvcmflt.sys	nvmon.sys	nwedriver.sys	nxfsmon.sys
nxrmflt.sys	oadevice.sys	oavfm.sys	oczminifilter.sys	odfsfilter.sys
odfsfimfilter.sys	odfstokenfilter.sys	offsm.sys	omfltlh.sys	osiris.sys
ospfile_mini.sys	ospmon.sys	parity.sys	passthrough.sys	path8flt.sys
pavdrv.sys	pcpifd.sys	pctcore.sys	pctcore64.sys	pdgenfam.sys
pecfilter.sys	perfectworldanticheatsys.sys	pervac.sys	pfkrnl.sys	pfracdrv.sys
pgpfs.sys	pgpwdefs.sys	phantomd.sys	phdcbtdrv.sys	pkgfilter.sys
pkticpt.sys	plgfltr.sys	plpoffdrv.sys	pointguardvista64f.sys	pointguardvistaf.sys
pointguardvistar32.sys	pointguardvistar64.sys	procmon11.sys	proggerdriver.sys	psacfileaccessfilter.sys
pscff.sys	psgdflt.sys	psgfoctrl.sys	psinfile.sys	psinproc.sys
psisolator.sys	pwipf6.sys	pwprotect.sys	pzdrvxp.sys	qdocumentref.sys
qfapflt.sys	qfilter.sys	qfimdvr.sys	qfmon.sys	qminspec.sys
qmon.sys	qqprotect.sys	qqprotectx64.sys	qqsysmon.sys	qqsysmonx64.sys
qutmdrv.sys	ranpodfs.sys	ransomdefensexxx.sys	ransomdetect.sys	reaqtor.sys
redlight.sys	regguard.sys	reghook.sys	regmonex.sys	repdrv.sys
repmon.sys	revefltmgr.sys	reveprocprotection.sys	revonetdriver.sys	rflog.sys
rgnt.sys	rmdiskmon.sys	rmphvmonitor.sys	rpwatcher.sys	rrmon32.sys
rrmon64.sys	rsfdrv.sys	rsflt.sys	rspcrtw.sys	rsrtw.sys
rswctrl.sys	rswmon.sys	rtologon.sys	rtw.sys	ruaff.sys
rubrikfileaudit.sys	ruidiskfs.sys	ruieye.sys	ruifileaccess.sys	ruimachine.sys
ruiminispy.sys	rvsavd.sys	rvsmon.sys	rw7fsflt.sys	rwchangedrv.sys
ryfilter.sys	ryguard.sys	safe-agent.sys	safsfilter.sys	sagntflt.sys
sahara.sys	sakfile.sys	sakmfile.sys	samflt.sys	samsungrapidfsfltr.sys
sanddriver.sys	santa.sys	sascan.sys	savant.sys	savonaccess.sys
scaegis.sys	scauthfsflt.sys	scauthiodrv.sys	scensemon.sys	scfltr.sys
scifsflt.sys	sciptflt.sys	sconnect.sys	scred.sys	sdactmon.sys
sddrvldr.sys	sdvfilter.sys	se46filter.sys	secdodriver.sys	secone_filemon10.sys
secone_proc10.sys	secone_reg10.sys	secone_usb.sys	secrmm.sys	secufile.sys
secure_os.sys	secure_os_mf.sys	securofsd_x64.sys	sefo.sys	segf.sys
segiraflt.sys	segmd.sys	segmp.sys	sentinelmonitor.sys	serdr.sys
serfs.sys	sfac.sys	sfavflt.sys	sfdfilter.sys	sfpmonitor.sys
sgresflt.sys	shdlpmedia.sys	shdlpsf.sys	sheedantivirusfilterdriver.sys	sheedselfprotection.sys
shldflt.sys	si32_file.sys	si64_file.sys	sieflt.sys	simrep.sys
sisipsfilefilter	sk.sys	skyamdrv.sys	skyrgdrv.sys	skywpdrv.sys
slb_guard.sys	sld.sys	smbresilfilter.sys	smdrvnt.sys	sndacs.sys
snexequota.sys	snilog.sys	snimg.sys	snscore.sys	snsrflt.sys
sodatpfl.sys	softfilterxxx.sys	soidriver.sys	solitkm.sys	sonar.sys
sophosdt2.sys	sophosed.sys	sophosntplwf.sys	sophossupport.sys	spbbcdrv.sys
spellmon.sys	spider3g.sys	spiderg3.sys	spiminifilter.sys	spotlight.sys
sprtdrv.sys	sqlsafefilterdriver.sys	srminifilterdrv.sys	srtsp.sys	srtsp64.sys
srtspit.sys	ssfmonm.sys	ssrfsf.sys	ssvhook.sys	stcvsm.sys
stegoprotect.sys	stest.sys	stflt.sys	stkrnl64.sys	storagedrv.sys
strapvista.sys	strapvista64.sys	svcbt.sys	swcommfltr.sys	swfsfltr.sys
swfsfltrv2.sys	swin.sys	symafr.sys	symefa.sys	symefa64.sys
symefasi.sys	symevent.sys	symevent64x86.sys	symevnt.sys	symevnt32.sys
symhsm.sys	symrg.sys	sysdiag.sys	sysmon.sys	sysmondrv.sys
sysplant.sys	szardrv.sys	szdfmdrv.sys	szdfmdrv_usb.sys	szedrdrv.sys
szpcmdrv.sys	taniumrecorderdrv.sys	taobserveflt.sys	tbfsfilt.sys	tbmninifilter.sys
tbrdrv.sys	tdevflt.sys	tedrdrv.sys	tenrsafe2.sys	tesmon.sys
tesxnginx.sys	tesxporter.sys	tffregnt.sys	tfsflt.sys	tgfsmf.sys
thetta.sys	thfilter.sys	threatstackfim.sys	tkdac2k.sys	tkdacxp.sys
tkdacxp64.sys	tkfsavxp.sys	tkfsavxp64.sys	tkfsft.sys	tkfsft64.sys
tkpcftcb.sys	tkpcftcb64.sys	tkpl2k.sys	tkpl2k64.sys	tksp2k.sys
tkspxp.sys	tkspxp64.sys	tmactmon.sys	tmcomm.sys	tmesflt.sys
tmevtmgr.sys	tmeyes.sys	tmfsdrv2.sys	tmkmsnsr.sys	tmnciesc.sys
tmpreflt.sys	tmumh.sys	tmums.sys	tmusa.sys	tmxpflt.sys
topdogfsfilt.sys	trace.sys	trfsfilter.sys	tritiumfltr.sys	trpmnflt.sys
trufos.sys	trustededgeffd.sys	tsifilemon.sys	tss.sys	tstfilter.sys
tstfsredir.sys	tstregredir.sys	tsyscare.sys	tvdriver.sys	tvfiltr.sys
tvmfltr.sys	tvptfile.sys	tvspfltr.sys	twbdcfilter.sys	txfilefilter.sys
txregmon.sys	uamflt.sys	ucafltdriver.sys	ufdfilter.sys	uncheater.sys
upguardrealtime.sys	usbl_ifsfltr.sys	usbpdh.sys	usbtest.sys	uvmcifsf.sys
uwfreg.sys	uwfs.sys	v3flt2k.sys	v3flu2k.sys	v3ift2k.sys
v3iftmnt.sys	v3mifint.sys	varpffmon.sys	vast.sys	vcdriv.sys
vchle.sys	vcmfilter.sys	vcreg.sys	veeamfct.sys	vfdrv.sys
vfilefilter.sys	vfpd.sys	vfsenc.sys	vhddelta.sys	vhdtrack.sys
vidderfs.sys	vintmfs.sys	virtfile.sys	virtualagent.sys	vk_fsf.sys
vlflt.sys	vmwvvpfsd.sys	vollock.sys	vpdrvnt.sys	vradfil2.sys
vraptdef.sys	vraptflt.sys	vrarnflt.sys	vrbbdflt.sys	vrexpdrv.sys
vrfsftm.sys	vrfsftmx.sys	vrnsfilter.sys	vrsdam.sys	vrsdcore.sys
vrsdetri.sys	vrsdetrix.sys	vrsdfmx.sys	vrvbrfsfilter.sys	vsepflt.sys
vsscanner.sys	vtsysflt.sys	vxfsrep.sys	wats_se.sys	wbfilter.sys
wcsdriver.sys	wdcfilter.sys	wdfilter.sys	wdocsafe.sys	wfp_mrt.sys
wgfile.sys	whiteshield.sys	windbdrv.sys	windd.sys	winfladrv.sys
winflahdrv.sys	winfldrv.sys	winfpdrv.sys	winload.sys	winteonminifilter.sys
wiper.sys	wlminisecmod.sys	wntgpdrv.sys	wraekernel.sys	wrcore.sys
wrcore.x64.sys	wrdwizfileprot.sys	wrdwizregprot.sys	wrdwizscanner.sys	wrdwizsecure64.sys
wrkrn.sys	wrpfv.sys	wsafefilter.sys	wscm.sys	xcpl.sys
xendowflt.sys	xfsgk.sys	xhunter1.sys	xhunter64.sys	xiaobaifs.sys
xiaobaifsr.sys	xkfsfd.sys	xoiv8x64.sys	xomfcbt8x64.sys	yahoostorage.sys
yfsd.sys	yfsd2.sys	yfsdr.sys	yfsrd.sys	zampit_ml.sys
zesfsmf.sys	zqfilter.sys	zsfprt.sys	zwasatom.sys	zwpxesvr.sys
zxfsfilt.sys	zyfm.sys	zzpensys.sys

What is HIPPA?

HIPAA Privacy Rule, Explained

HIPAA Security Rule, Explained

HIPAA Covered Entities

Healthcare Providers

Health Plans

Healthcare Clearinghouses

Business Associates

Who is Not Required to Follow HIPAA Regulations?

Life Insurers

Employers

Workers’ Compensation Carriers

Most Schools and School Districts

Many State Agencies

Most Law Enforcement Agencies

Many Municipal Offices

What Information is Protected Under HIPAA?

When Can PHI Be Disclosed?

General Principle for Uses and Disclosure

Permitted Uses and Disclosures

Authorized Uses and Disclosures

PHI Uses and Disclosures Limited to the Minimum Necessary

Notice and Individual Rights

Privacy Practices Notice

Notice distribution

Acknowledgment of Notice Receipt

Access

Amendment

Disclosure Accounting

Restriction Request

Confidential Communications Requirement

Administrative Requirements

Privacy Personnel

Workforce Training and Management

Mitigation

Data Safeguards

Complaints

Retaliation and Waiver

Documentation and Record Retention

Fully Insured Group Health Plan Exception

How is PHI Protected?

Get HIPAA Compliant With Our Checklist

Details

Contents

Resolution

Setup Utilities

Backup

Download

Web Applications

Mail Service

File Transferring

Packages

Mobile Applications

Peripheral Equipment

System

Further reading

Forensic analysis

Initial access and privilege escalation

Persistence

Reconnaissance

Credential access

Lateral movement

Data staging and exfiltration

Data encryption and destruction

Recommendations

Conclusion

Microsoft 365 Defender detections

Hunting queries

Indicators of compromise

Appendix

Further reading