Following the FBI’s notification that the Healthcare sector is being targeted by malicious actors, we are reaching out to provide an update. Before reading further, please note that this is nothing new; however, it is indicative of a new mode of operation. If you are doing proper security patching (i.e., your organization is not 3 to 6 months behind), regularly checking your backup recovery process, and have 24/7 security threat monitoring (threat hunting) with correct use cases in place, up-to-date end-point detection, and a cyber incident response plan – then this can be treated as another threat vector to treat with vigilance.
Importantly, this is a good time to let your user workforce know that they should watch out for suspicious emails with attachments. We are more than happy to work with you and to provide you with email samples, which we have used with our clients (in the capacity of CISO-as-a-service).
1. There has been a major uptick in phishing attacks, credential harvesting, and malicious emails with Word attachments. The big news is that the ransomware group (RYUK) is preparing to encrypt systems at possibly hundreds of medical centers/hospitals. The group is claiming that they have fully automated the process, cutting the time to encrypt the entire network from days to hours. So what does this mean exactly?
2. The known spread of RYUK has not changed over the last year; however, they are now automating the attacks using Pass the Hash and WMI shares. APT group UNC1878 has merged to form a new group UNC2352 – taking the infection or system encryption time from days to hours. Administrative shares and insecure SMB communications are also used by known services, so blocking them in an enterprise network carries its own risks and a proper risk assessment should be conducted first. Below are useful links.
3. An article posted on October 21st by CISA outlines the top external attacks by CVE and suggests you review your organization’s exposure. See article below.
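For teams building the monitoring use cases mentioned in item 2, the following is an added example, not part of the original advisory or any iSecurity tooling. It flags a single source that makes NTLM network logons (Windows event 4624, logon type 3) and then opens administrative shares (event 5140) on several hosts within a short window; the record layout, field names, hosts, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

def ev(time, host, src, event_id, **fields):
    # Assumed normalized record; real 4624/5140 events carry more fields.
    return {"time": time, "host": host, "source_ip": src, "event_id": event_id, **fields}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    ev("2020-10-29T02:00:05", "WS-101", "10.0.5.23", 4624, logon_type=3, auth_package="NTLM"),
    ev("2020-10-29T02:00:06", "WS-101", "10.0.5.23", 5140, share="\\\\*\\ADMIN$"),
    ev("2020-10-29T02:00:40", "WS-102", "10.0.5.23", 4624, logon_type=3, auth_package="NTLM"),
    ev("2020-10-29T02:00:41", "WS-102", "10.0.5.23", 5140, share="\\\\*\\ADMIN$"),
    ev("2020-10-29T02:01:15", "WS-103", "10.0.5.23", 4624, logon_type=3, auth_package="NTLM"),
    ev("2020-10-29T02:01:16", "WS-103", "10.0.5.23", 5140, share="\\\\*\\C$"),
    ev("2020-10-29T09:12:00", "FS-01", "10.0.7.10", 4624, logon_type=3, auth_package="Kerberos"),
    ev("2020-10-29T09:12:01", "FS-01", "10.0.7.10", 5140, share="\\\\*\\Finance"),
    ev("2020-10-29T10:30:00", "WS-200", "10.0.9.4", 4624, logon_type=3, auth_package="NTLM"),
    ev("2020-10-29T10:30:02", "WS-200", "10.0.9.4", 5140, share="\\\\*\\C$"),
]

def admin_share_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {source_ip: [hosts]} for sources that reach admin shares on at
    least min_hosts distinct hosts, after an NTLM network logon, within window."""
    ntlm = set()              # (source_ip, host) pairs with an NTLM network logon
    hits = defaultdict(list)  # source_ip -> [(time, host)] admin-share accesses
    for e in sorted(events, key=lambda r: r["time"]):
        key = (e["source_ip"], e["host"])
        if (e["event_id"] == 4624 and e.get("logon_type") == 3
                and e.get("auth_package") == "NTLM"):
            ntlm.add(key)
        elif e["event_id"] == 5140 and key in ntlm:
            share = e.get("share", "").rsplit("\\", 1)[-1].upper()
            if share in ADMIN_SHARES:
                hits[e["source_ip"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = {}
    for src, seen in hits.items():
        for start, _ in seen:  # slide the window over each access time
            hosts = {h for t, h in seen if start <= t <= start + window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    print(admin_share_fanout(SAMPLE_EVENTS))
```

This is a triage heuristic rather than proof of Pass the Hash: backup, patching and management tools produce the same pattern, so known management hosts need to be baselined before alerting on it.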
Below are known Indicators of Compromise:
Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM, your network is being monitored and we will provide regular updates. To those who are not – please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.
We will also provide updates to organizations we are servicing through our Incident Response Retainer.
Do not panic, but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved, as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.
Please go ahead and share this with your peers.
For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.
Best Regards,
The iSecurity Team