US Healthcare organizations are being targeted by major Ransomware attacks

skywatch-alert

The following article published in The Hackernews, October 29th, covers US Federal Bureau of Investigation (FBI), Departments of Homeland Security (DHS), and Health and Human Services (HHS) joint alert this Wednesday.  GLESEC has been equally on-alert to respond to this threat.

“Our approach is both pro-active as well as responsive”, said Sergio Heker, GLESEC’s CEO. “The pro-active approach is by on-going multi-vector breach and attack simulation validation of how Ransomware can penetrate, compromise the endpoints and propagate within the organization; the responsive is by our advanced detection and response capabilities; our SOCs are alerted and conduct threat hunting, when activated, we have all the countermeasures to handle the incident”, commented Heker.

GLESEC’s Orchestration of security processes for threat mitigation and vulnerability handling play together to address these threats in the most cost-effective manner.

FBI, DHS WARN OF POSSIBLE MAJOR RANSOMWARE ATTACKS ON HEALTHCARE SYSTEMS

The US Federal Bureau of Investigation (FBI), Departments of Homeland Security, and Health and Human Services (HHS) issued a joint alert Wednesday warning of an “imminent” increase in ransomware and other cyberattacks against hospitals and healthcare providers.

“Malicious cyber actors are targeting the [Healthcare and Public Health] Sector with TrickBot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services,” the Cybersecurity and Infrastructure Security Agency said in its advisory.

The infamous botnet typically spreads via malicious spam email to unsuspecting recipients and can steal financial and personal data and drop other software, such as ransomware, onto infected systems.

It’s worth noting that cybercriminals have already used TrickBot against a major healthcare provider, Universal Health Services, whose systems were crippled by Ryuk ransomware late last month.

TrickBot has also seen a severe disruption to its infrastructure in recent weeks, what with Microsoft orchestrating a coordinated takedown to make its command-and-control (C2) servers inaccessible.

“The challenge here is because of the attempted takedowns, the TrickBot infrastructure has changed and we don’t have the same telemetry we had before,” Hold Security’s Alex Holden told The New York Times.

Although the federal report doesn’t name any threat actor, the advisory makes a note of TrickBot’s new Anchor backdoor framework, which has been recently ported to Linux to target more high-profile victims.

“These attacks often involved data exfiltration from networks and point-of-sale devices,” CISA said. “As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.”

As The Hacker News reported yesterday, Anchor_DNS is a backdoor that allows victim machines to communicate with C2 servers via DNS tunneling to evade network defense products and make their communications blend in with legitimate DNS traffic.

Also coinciding with the warning is a separate report by FireEye, which has called out a financially-motivated threat group it calls “UNC1878” for the deployment of Ryuk ransomware in a series of campaigns directed against hospitals, retirement communities, and medical centers.

Urging the HPH sector to patch operating systems and implement network segmentation, CISA also recommended not paying ransoms, adding it may encourage bad actors to target additional organizations.

“Regularly back up data, air gap, and password protect backup copies offline,” the agency said. “Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.”

Source: The Hackernews, October 29th, 2020

About GLESEC®

GLESEC is a security powerhouse that has been delivering world-class information security since 2003 to organizations across the Americas. GLESEC’s portfolio offers a full suite of auditing, regulatory compliance, monitoring, protection, and countermeasure services using best-of-breed, emerging technologies, and managed and intelligence security services. Having consolidated this unique set of capabilities under a single umbrella service, organization, and the proprietary technology platform, we reduce the inherent risk of disjointed teams and bring about the expertise and capabilities that our clients deserve. GLESEC, a privately held company, has Worldwide Headquarters in Orlando, Florida. GLESEC operates in both the United States and Latin America. Our clients’ range from large organizations to multinationals across the Americas.

SkyWatchSM Alert Legend

  • small-bell

    Warning

  • active-threat0-lt-green

    Active Threat

  • malware-lt-green

    Malware

  • ransome-lt-green

    Ransomware

  • warning-green

    Phishing

  • file-green

    Network/IOT

Glesec Information Sharing Protocol

GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).

  • TLP-White

    Disclosure is Not Limited.

  • TLP-Green

    Limited Disclosure, Restricted Only to the Community.

  • TLP-Amber

    Limited Disclosure, restricted to the Participant's Organization.

  • TLP-Red

    Not for Disclosure, Restricted/ Classified - Only Shared with US DHS.

Discover Glesec.

Authority. Consistency.

Sign-up today for SkywatchSM Alerts.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.