Cyber Intelligence Alert – Oct 28, 2020

Current Threat Landscape Awareness for Healthcare Sector

Following the FBI’s notification that the Healthcare sector is being targeted by malicious actors, we are reaching out to provide an update. Prior to reading further, please note that this is nothing new; however, it is indicative of a new mode of operation. If you are doing proper security patching (i.e., your organization is not 3 to 6 months behind), regularly checking your backup recovery process, have 24/7 security threat monitoring (threat hunting) with correct use cases in place, up-to-date endpoint detection, and a cyber incident response plan – then this can be treated as another threat vector to handle with vigilance.

Importantly, this is a good time to let your workforce know that they should watch out for suspicious emails with attachments. We are more than happy to work with you and to provide the email samples we have used with our clients (in our capacity as CISO-as-a-service).

Threat Vector Intelligence

1. There has been a major uptick in phishing attacks, credential harvesting, and malicious emails with Word attachments. The big news is that the ransomware group (RYUK) is preparing to encrypt systems at possibly hundreds of medical centers/hospitals. The group claims to have fully automated the process, reducing the time to encrypt an entire network from days to hours. So what does this mean exactly?

  1. Be prepared to receive a spike in phishing attempts, with some likely getting through your SPAM filter. It is extremely important to send your users a communication asking them to stay vigilant. It is also important that your 24/7 SOC provider or internal IT/security team keep an eye on your SPAM filter and endpoint protection technology stack. If you are interested in finding out how to properly carry this out from a central management perspective, we can connect with you off-line and provide guidance.
  2. Further below we’ve included links to Indicators of Compromise (IOCs). Disclaimer: do not just block everything. Yes, most are malicious sites, but validate with your IT team before applying a blanket block.

2. The known spread of RYUK has not changed over the last year; however, the attacks are now automated using Pass the Hash AND WMI shares. APT group UNC1878 has merged to form a new group, UNC2352 – taking the infection or system encryption time from days to hours. Administrative shares and unsecured SMB communications are also used by known, legitimate services, so there are risks associated with blocking these services in an enterprise network, and a proper risk assessment should be conducted first. Below are useful links.

  1. https://support.microsoft.com/en-ca/help/954422/how-to-remove-administrative-shares-in-windows-server-2008
  2. SMB Signing – https://support.microsoft.com/en-ca/help/887429/overview-of-server-message-block-signing
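As an added illustration (not part of the iSecurity alert or the Microsoft articles linked above), the following PowerShell snippet reviews the two settings those links cover, SMB signing and administrative shares, on a single Windows host before any change is made. It uses the built-in SmbShare module cmdlets and assumes an elevated PowerShell session on Windows Server 2012 R2 or later; the `Signed` column of `Get-SmbConnection` is assumed to be present only on Windows 10 / Server 2016 and newer. The enforcement lines at the end are deliberately commented out, because the alert asks for a risk assessment before signing is required or shares are removed.

```powershell
# Added audit snippet, not from the original alert. Run as an administrator.
# Goal: see the current SMB signing posture and which administrative shares
# are published, so the risk assessment the alert asks for has real data.

# 1. Server-side SMB signing. RequireSecuritySignature = $true means this host
#    refuses unsigned SMB sessions from clients; EnableSecuritySignature alone
#    only offers signing. SMB1 is reported because it cannot be hardened the same way.
$srv = Get-SmbServerConfiguration
[PSCustomObject]@{
    ServerSigningEnabled  = $srv.EnableSecuritySignature
    ServerSigningRequired = $srv.RequireSecuritySignature
    SMB1Enabled           = $srv.EnableSMB1Protocol
} | Format-List

# 2. Client-side SMB signing, i.e. what this host demands when it connects to others.
Get-SmbClientConfiguration |
    Select-Object EnableSecuritySignature, RequireSecuritySignature |
    Format-List

# 3. Administrative ("special") shares currently published, e.g. ADMIN$, C$, IPC$.
#    These are what the first Microsoft link explains how to remove.
Get-SmbShare |
    Where-Object { $_.Special } |
    Select-Object Name, Path, Description |
    Format-Table -AutoSize

# 4. Who is using SMB against this host right now, and whether the outbound
#    connections from this host are signed. Review this before blocking anything:
#    the alert warns that legitimate services depend on these shares.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Format-Table -AutoSize
Get-SmbConnection |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed |
    Format-Table -AutoSize

# 5. Enforcement, only after the risk assessment. -Force skips the confirmation prompt.
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
```

Running this on a sample of servers and workstations shows quickly whether signing is merely enabled or actually required, and which hosts still serve administrative shares; the session and connection output is the list of dependencies to check with the IT team before any blanket block is applied.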

3. An article posted on October 21st by CISA outlines the top external attacks by CVE and suggests you review your organization’s exposure. See article below.

Below are known Indicators of Compromise:

Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM, your network is being monitored and we will provide regular updates. To those who are not – please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.

We will also provide updates to organizations we are servicing through our Incident Response Retainer.

Do not panic, but stay safe and protected. We can always connect with you 1-on-1 to provide guidance on how to gain better visibility into your controls, network, dark web exposure, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransoms, and malicious threat actors are now stronger than ever.

Please go ahead and share this with your peers.

For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.

Best Regards,

The iSecurity Team