Criminal Hackers Attacking Hospitals Using Ransomware

If you know how to search (the keywords are important), you will find other interesting bits of information.

Talos blog post: Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector

Use the keywords: Indicators of Compromise and Cobalt Strike.

It is interesting to note that Cobalt Strike is a tool the bad guys use to build their attacks.

Check this out: pdf

It has the following info and IoCs (Indicators of Compromise):

“This payload resides in memory pages with RWX permissions. These memory pages are not backed by a file on disk.”

IoC info —

Extracted Strings%s <%s> (Type=%i, Access=%i, ID=’%s’)%02i was terminated by ThreadManager(2)main sort initialise …qsort [0x%x, 0x%x] done %d this %d{0x%08x, 0x%08x}Programm was started at %02i:%02i:%02ia+%02i:%02i:%02i.%04i:


Start finging of LAN hosts…Finding was fault. Unexpective errorHosts was’t found.%O2i) [%s]

<there is more, but I think this is enough to illustrate>


Notice the misspelling of "program" and "finding".

Ryuk ransomware has been going on for a while; look at this FBI Flash:

So this attack has been going on since May of 2019, and it is still going strong.

CISA (the Cybersecurity & Infrastructure Security Agency) put out a joint statement with the FBI on 10/28/20 (i.e. recently):

Ransomware Activity Targeting the Healthcare and Public Health Sector

Key Findings

  • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
  • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

TrickBot Indicators of Compromise

After successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.

  • C:\Windows\
  • C:\Windows\SysWOW64\
  • C:\Users\[Username]\AppData\Roaming\


This reminds me of the Zero Trust Architecture, which recommends the following (quoted from the NIST PDF):

Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

We cannot trust devices just because they are behind the firewall; we have to assume that the hackers are in the network.

This is my image from a previous blogpost.

Here I am showing what could be set up with different architectures (Open, Closed or Hybrid). I was just trying to point out that even with zero trust one should still use a firewall, since it does protect against certain attacks.


Above I have shown the Indicators of Compromise of malware (Ryuk and Conti use TrickBot, among others).

TrickBot has certain places where it deposits its attack software (the directories noted above).

How can we defend against this? Having a Zero Trust architecture is a good step, and a robust patch and testing system also helps. Your log system should be ready to find these Indicators of Compromise.
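As an added example (not the author's code, and not from Cisco Talos or CISA), here is a small Python script that checks the two kinds of IoC quoted above against constructed sample data: memory regions that are RWX and not backed by a file on disk (the Cobalt Strike payload description), and Sysmon-style file-creation events (Event ID 11) that drop an executable into one of the three TrickBot directories. It goes slightly beyond the advisory text in two places: [Username] is treated as a wildcard, and because the advisory's example name mfjdieks.exe is 8 letters plus .exe, the check treats "12-character file name" as 12 characters including the extension. The event line format, the memory-region records and every sample path are assumptions constructed for this example.

```python
"""IoC checks for two indicators quoted on this page (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional


# --- IoC 1: payload in RWX memory pages that are not backed by a file on disk ---

@dataclass
class MemoryRegion:
    """One memory region of a process, as a memory-scanning tool might report it
    (constructed record layout for this example)."""
    pid: int
    start: int
    end: int
    protection: str            # "rwx", "r-x", "rw-", ...
    backing_file: Optional[str]  # None when the pages are not backed by a file


def suspicious_memory_regions(regions: List[MemoryRegion]) -> List[MemoryRegion]:
    """Return regions that are writable+executable AND have no file backing them."""
    return [r for r in regions if r.protection == "rwx" and not r.backing_file]


# Constructed sample: one unbacked RWX region among normal image/heap regions.
SAMPLE_REGIONS = [
    MemoryRegion(4120, 0x00400000, 0x00450000, "r-x", r"C:\Windows\System32\svchost.exe"),
    MemoryRegion(4120, 0x00450000, 0x00460000, "rw-", r"C:\Windows\System32\svchost.exe"),
    MemoryRegion(4120, 0x01A00000, 0x01A20000, "rwx", None),  # flagged: RWX, no file
    MemoryRegion(4120, 0x02000000, 0x02010000, "rw-", None),  # heap: not executable
    MemoryRegion(4120, 0x7FF00000, 0x7FF10000, "rwx", r"C:\Example\jit.dll"),  # RWX but file-backed
]


# --- IoC 2: TrickBot copy dropped into one of the three listed directories ---

# Directory prefix from the advisory, then a file name with no further path separators.
# [Username] is treated as a wildcard (assumption). C:\Windows\System32\ is NOT matched
# because the advisory lists C:\Windows\ itself, not its subfolders.
_DROP_DIR_RE = re.compile(
    r"^(?:C:\\Windows\\|C:\\Windows\\SysWOW64\\|C:\\Users\\[^\\]+\\AppData\\Roaming\\)"
    r"([^\\]+)$",
    re.IGNORECASE,
)


def is_trickbot_drop_path(path: str) -> bool:
    """True if path is <listed dir>\\<8 lowercase letters>.exe (12 characters in total,
    matching the advisory's example mfjdieks.exe)."""
    m = _DROP_DIR_RE.match(path)
    if not m:
        return False
    name = m.group(1)
    stem, _, ext = name.rpartition(".")
    return ext.lower() == "exe" and len(name) == 12 and stem.isalpha() and stem.islower()


# Constructed Sysmon-like lines: EventID=11 is FileCreate; TargetFilename is the last field.
_EVENT_RE = re.compile(r"EventID=(\d+)\b.*?\bTargetFilename=(.+)$")


def trickbot_drop_hits(log_lines: List[str]) -> List[str]:
    """Return the target paths of file-create events that match the TrickBot drop pattern."""
    hits = []
    for line in log_lines:
        m = _EVENT_RE.search(line)
        if not m or m.group(1) != "11":
            continue  # not a file-create event (or not parseable)
        path = m.group(2).strip()
        if is_trickbot_drop_path(path):
            hits.append(path)
    return hits


SAMPLE_FILE_EVENTS = [
    r"EventID=11 Image=C:\Users\alice\Downloads\invoice.exe TargetFilename=C:\Users\alice\AppData\Roaming\mfjdieks.exe",
    r"EventID=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\Temp\report.txt",
    r"EventID=11 Image=C:\Program Files\Setup\setup.exe TargetFilename=C:\Windows\SysWOW64\notepad.exe",
    r"EventID=11 Image=C:\Users\alice\Downloads\invoice.exe TargetFilename=C:\Windows\kdjrlsop.exe",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\bob\AppData\Local\hjkasdfg.exe",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Windows\System32\abcdefgh.exe",
    r"EventID=23 Image=C:\Windows\explorer.exe TargetFilename=C:\Windows\aaaabbbb.exe",
    r"EventID=11 Image=C:\Users\bob\Downloads\doc.exe TargetFilename=C:\WINDOWS\SysWOW64\zxcvbnma.exe",
]


if __name__ == "__main__":
    for r in suspicious_memory_regions(SAMPLE_REGIONS):
        print(f"pid {r.pid}: unbacked RWX region {r.start:#x}-{r.end:#x}")
    for p in trickbot_drop_hits(SAMPLE_FILE_EVENTS):
        print(f"possible TrickBot drop: {p}")
```

Both checks are deliberately narrow: a file-backed RWX region or an executable dropped into C:\Windows\System32\ is not flagged, because that is not what the quoted IoCs describe. In a real log pipeline you would run the second check over Sysmon Event ID 11 (or equivalent EDR file-create telemetry) and treat a hit as a trigger for triage of the writing process, not as proof on its own.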

Contact us to discuss.
