During late afternoon Wednesday, October 28th several federal agencies, including HHS and the FBI, issued a joint cybersecurity advisory that cited "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." The advisory warned of Russian criminal groups targeting American hospitals with Ryuk ransomware. The threat advisory is consistent with attack activity observed by CyberMaxx over the past weeks. All indicators point to an uptick in ransomware attacks targeting healthcare providers. The attacks also coincide with a nation-wide surge in COVID-19 cases.
CyberMaxx is tracking all available indicators of attack and incorporating them into our services. MAXX Network clients currently leveraging CyberMaxx's blocking capabilities have protection through the use of signatures and IOA/IOC domain and IP blocks. Additionally, MAXX VRM clients may also leverage their Tenable solution to identify vulnerabilities such as ZeroLogon in their environment.
The joint cybersecurity advisory contains details of threat actors targeting healthcare organizations with Trickbot, which is often leveraged to deploy ransomware in target environments. Recent campaigns have observed threat actors deploying Ryuk ransomware using Group Policy or PsExec.
Trickbot initially began as a banking trojan in 2016 but has since developed into a dropper of other malware. Its modular structure has added various functionalities over the years and now provides threat actors with capabilities such as credential harvesting, detection evasion, and lateral movement. In recent campaigns, Trickbot or BazaLoader/KEGTAP was leveraged by threat actors to gain initial access into an environment. Threat actors were then able to harvest credentials or exploit vulnerabilities and move laterally throughout the environment. After obtaining privileged credentials and compromising domain controllers, threat actors distributed Ryuk or other ransomware payloads using Group Policy or PsExec.
Because these actors often attempt to exploit known security vulnerabilities and brute-force RDP, we strongly recommend organizations patch for recent vulnerabilities such as CVE-2020-1472 (ZeroLogon) and to disable Remote Desktop Services for systems that do not require it. TCP Port 3389 (RDP) should also be blocked on the firewall, if possible. Organizations should also continue to employ security best practices, such as but not limited to:
- Enabling multi-factor authentication
- Avoiding the use of privileged accounts to run services or scheduled tasks
- Following the '3-2-1' rule for system/data backups: At least three copies, on two devices, and one offsite. Test the restoration process often.
- Evaluate business continuity plans to identify and address gaps
- Reinforce security awareness to remind users to refrain from opening attachments/links from unknown sources
- Disable macros for documents received via email
- Block traffic to any indicators of compromise associated with this threat.
For more information, please visit:
If you have questions, please contact your CyberMaxx Account Manager or our Security Operations Center at 888-468-1418.